Red Hat Security Advisory 2023-3455-01

Red Hat Security Advisory 2023-3455-01: Posted Jun 6, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-3455-01 - OpenShift Serverless version 1.29.0 contains a moderate security impact. Issues addressed include a denial of service vulnerability.; tags | advisory, denial of service; systems | linux, redhat; advisories | CVE-2022-36227, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-0361, CVE-2023-0767, CVE-2023-21930, CVE-2023-21937, CVE-2023-21938, CVE-2023-21939; SHA-256 | fb699e506aa118c17dbd87137af0d14f01a829ce5c8b64ec9846e9ca82990b0b; Download | Favorite | View

Red Hat Security Advisory 2023-3455-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Release of OpenShift Serverless 1.29.0
Advisory ID:       RHSA-2023:3455-01
Product:           Red Hat OpenShift Serverless
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3455
Issue date:        2023-06-05
CVE Names:         CVE-2022-4304 CVE-2022-4450 CVE-2022-36227 
                   CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 
                   CVE-2023-0215 CVE-2023-0286 CVE-2023-0361 
                   CVE-2023-0767 CVE-2023-21930 CVE-2023-21937 
                   CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 
                   CVE-2023-21967 CVE-2023-21968 CVE-2023-24534 
                   CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 
                   CVE-2023-25173 CVE-2023-27535 
=====================================================================

1. Summary:

OpenShift Serverless version 1.29.0 contains a moderate security impact.

The References section contains CVE links providing detailed severity
ratings
for each vulnerability. Ratings are based on a Common Vulnerability Scoring
System (CVSS) base score.

2. Description:

Version 1.29.0 of the OpenShift Serverless Operator is supported on Red Hat
OpenShift Container Platform versions 4.10, 4.11, 4.12, and 4.13.

This release includes security and bug fixes, and enhancements.

Security Fixes in this release include:

- - containerd: Supplementary groups are not set up properly(CVE-2023-25173)
- - golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding(CVE-2022-41723)
- - golang: net/http, mime/multipart: denial of service from excessive
resource consumption(CVE-2022-41725)
- - golang: crypto/tls: large handshake records may cause
panics(CVE-2022-41724)
- - golang: html/template: backticks not treated as string
delimiters(CVE-2023-24538)
- - golang: net/http, net/textproto, mime/multipart: denial of service from
excessive resource consumption(CVE-2023-24536)
- - golang: net/http, net/textproto: denial of service from excessive memory
allocation(CVE-2023-24534)
- - golang: go/parser: Infinite loop in parsing(CVE-2023-24537)

For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, see the CVE pages
linked from the References section.

3. Solution:

For instructions on how to install and use OpenShift Serverless, see
documentation linked from the References section.

4. Bugs fixed (https://bugzilla.redhat.com/):

2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters
2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
2185507 - Release of OpenShift Serverless Serving 1.29.0
2185509 - Release of OpenShift Serverless Eventing 1.29.0

5. References:

https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2022-41724
https://access.redhat.com/security/cve/CVE-2022-41725
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-0767
https://access.redhat.com/security/cve/CVE-2023-21930
https://access.redhat.com/security/cve/CVE-2023-21937
https://access.redhat.com/security/cve/CVE-2023-21938
https://access.redhat.com/security/cve/CVE-2023-21939
https://access.redhat.com/security/cve/CVE-2023-21954
https://access.redhat.com/security/cve/CVE-2023-21967
https://access.redhat.com/security/cve/CVE-2023-21968
https://access.redhat.com/security/cve/CVE-2023-24534
https://access.redhat.com/security/cve/CVE-2023-24536
https://access.redhat.com/security/cve/CVE-2023-24537
https://access.redhat.com/security/cve/CVE-2023-24538
https://access.redhat.com/security/cve/CVE-2023-25173
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.13/html/serverless/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZH521tzjgjWX9erEAQicLg/+JJY0iROByNwBz9upWD+qDC+ffNd+85c+
VIj8Gpp3Zy6lgGokmtp6YzlZgJvJ/HROOYp2Hy+8eTCwkBQsV/7zdEmT1DfYMFYL
yH8k3Gmf+fxaoL4LuY457Pdn2w2Szhj5sUWnUCw/8UTQfO3msNya0zK0Z3+KJ9Nz
fIdRMQb0wI2JN1y+kISdSTqfOJKuWuhCQ5H5yhnxV74H9d8jC59jOCpz84fZ3VE2
atrDnYRZV/URzkCDMTcLFbqewgC+O4dX953F91RyycAaVEP2+wHCLMF6QfsnU0se
6zFFvuUbsgWgxlFyrovylnmm6CGGQ/Tkp9olpnLZp0eXK67tt4KTbL/N8iPt7qYt
9S5VlN1IS6jA8DpyF1AxQNng6yJmjGCGhOp2n2F25cz6IYbz5hmFLluDkdCkeyzu
xSGQ9bT+K2ih6W4UwAMy3eI0YtZ8qC4e8GIP9EBgLsNowblR76IjkpKI8lrt+XSW
tI+cz6XT0HaMkEJhzOnlm4uxJAQqpde/hwlQ4GdlMR4F13yX44UMEglwaJSkIrMZ
dg7tfZ1t1K4+JOjXET4F22/RZnu+Bc6QDkA4BboRyB68/WLhmUfUy+Z7wsIgKif+
yFCqUE+2sRu6Xn3Y6bfAZem41gLXBhKV5tvdhmm+PrdB3jQAt/ISjXSGdYLxmC4X
1hDAf16dj7Y=
=YctY
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Top Authors In Last 30 Days

Red Hat 235 files
Ubuntu 50 files
Debian 19 files
LiquidWorm 16 files
Apple 9 files
Gentoo 5 files
Alter Prime 3 files
Google Security Research 3 files
Pierre Kim 2 files
EQSTLab 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,945)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,337)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,987)
UNIX (9,475)
UnixWare (188)
Windows (6,784)
Other

Red Hat Security Advisory 2023-3455-01

Red Hat Security Advisory 2023-3455-01

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Red Hat Security Advisory 2023-3455-01

Share This

Red Hat Security Advisory 2023-3455-01

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems