-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat OpenShift GitOps security update Advisory ID: RHSA-2022:0580-01 Product: Red Hat OpenShift GitOps Advisory URL: https://access.redhat.com/errata/RHSA-2022:0580 Issue date: 2022-02-17 CVE Names: CVE-2016-4658 CVE-2019-5827 CVE-2019-13750 CVE-2019-13751 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-19603 CVE-2019-20838 CVE-2020-12762 CVE-2020-13435 CVE-2020-14145 CVE-2020-14155 CVE-2020-16135 CVE-2020-24370 CVE-2021-3200 CVE-2021-3426 CVE-2021-3445 CVE-2021-3521 CVE-2021-3572 CVE-2021-3580 CVE-2021-3712 CVE-2021-3800 CVE-2021-20231 CVE-2021-20232 CVE-2021-20271 CVE-2021-22876 CVE-2021-22898 CVE-2021-22925 CVE-2021-27645 CVE-2021-28153 CVE-2021-33560 CVE-2021-33574 CVE-2021-35942 CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 CVE-2021-36087 CVE-2021-37750 CVE-2021-39241 CVE-2021-40346 CVE-2021-42574 CVE-2021-43527 CVE-2021-44790 CVE-2022-24348 ===================================================================== 1. Summary: An update for openshift-gitops-applicationset-container, openshift-gitops-container, openshift-gitops-kam-delivery-container, and openshift-gitops-operator-container is now available for Red Hat OpenShift GitOps 1.2. (GitOps v1.2.2) Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Security Fix(es): * gitops: Path traversal and dereference of symlinks when passing Helm value files (CVE-2022-24348) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2050826 - CVE-2022-24348 gitops: Path traversal and dereference of symlinks when passing Helm value files 5. References: https://access.redhat.com/security/cve/CVE-2016-4658 https://access.redhat.com/security/cve/CVE-2019-5827 https://access.redhat.com/security/cve/CVE-2019-13750 https://access.redhat.com/security/cve/CVE-2019-13751 https://access.redhat.com/security/cve/CVE-2019-17594 https://access.redhat.com/security/cve/CVE-2019-17595 https://access.redhat.com/security/cve/CVE-2019-18218 https://access.redhat.com/security/cve/CVE-2019-19603 https://access.redhat.com/security/cve/CVE-2019-20838 https://access.redhat.com/security/cve/CVE-2020-12762 https://access.redhat.com/security/cve/CVE-2020-13435 https://access.redhat.com/security/cve/CVE-2020-14145 https://access.redhat.com/security/cve/CVE-2020-14155 https://access.redhat.com/security/cve/CVE-2020-16135 https://access.redhat.com/security/cve/CVE-2020-24370 https://access.redhat.com/security/cve/CVE-2021-3200 https://access.redhat.com/security/cve/CVE-2021-3426 https://access.redhat.com/security/cve/CVE-2021-3445 https://access.redhat.com/security/cve/CVE-2021-3521 https://access.redhat.com/security/cve/CVE-2021-3572 https://access.redhat.com/security/cve/CVE-2021-3580 https://access.redhat.com/security/cve/CVE-2021-3712 https://access.redhat.com/security/cve/CVE-2021-3800 https://access.redhat.com/security/cve/CVE-2021-20231 https://access.redhat.com/security/cve/CVE-2021-20232 https://access.redhat.com/security/cve/CVE-2021-20271 https://access.redhat.com/security/cve/CVE-2021-22876 https://access.redhat.com/security/cve/CVE-2021-22898 https://access.redhat.com/security/cve/CVE-2021-22925 https://access.redhat.com/security/cve/CVE-2021-27645 https://access.redhat.com/security/cve/CVE-2021-28153 https://access.redhat.com/security/cve/CVE-2021-33560 https://access.redhat.com/security/cve/CVE-2021-33574 https://access.redhat.com/security/cve/CVE-2021-35942 https://access.redhat.com/security/cve/CVE-2021-36084 https://access.redhat.com/security/cve/CVE-2021-36085 https://access.redhat.com/security/cve/CVE-2021-36086 https://access.redhat.com/security/cve/CVE-2021-36087 https://access.redhat.com/security/cve/CVE-2021-37750 https://access.redhat.com/security/cve/CVE-2021-39241 https://access.redhat.com/security/cve/CVE-2021-40346 https://access.redhat.com/security/cve/CVE-2021-42574 https://access.redhat.com/security/cve/CVE-2021-43527 https://access.redhat.com/security/cve/CVE-2021-44790 https://access.redhat.com/security/cve/CVE-2022-24348 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYg8cxtzjgjWX9erEAQh+MA//Z2h99jxMHmmgFJr/RGbgIv2O6LNJjAi5 nSRxu6EBAbyDYkagGTZ1HZ+99f4qPiqRCf7HHNfEAJVpGWBgaDPoK6zimmn/mJAV yuYbmsrlxRASB9p1i0dxjMxv0MEQpwGayIghoZpMf74RiO8rjOIURppJLAeBGp4f 3Pb9JPZ1Ww3tj1CYpJiRCuLi5LsFFyqwrKJM3SnqZ1Sj45hR4zOgtUsS7ZQaxnug W0UcSByxSq7J3S/p9+reSKc7WySKE+k+CxYU9gMCMMyFFg5BKMnPFrimC16tIQXp 26icWiC3fJe2Z/lC86CPBRQkFx3/BimqvBt5dSrXyewcVVg2aznw+KinBc4F3bXi XZLDy8u4d/01oT0QHpnUV7+PebIToVByaPUl04ewOFFDS+dMIK2tzXs2dnnq+t8S DkW9Xcvw/iWOPYXKvV8vOwMHV3W3bCbwrFnfxsLmwvxiqYZtjfkJH7nItyxQZ1S9 tXoNrck75h1ZuiI3Cvu/hIMoCOqqr3dYQmUPGV0RHBzi0EzYWpXqNpx3Xwi/tVcf VhyD/yNSBM8sAEHTtufJEennedAV4LhAyGk4ZWVuCJER0K7DnaL8xIzr3IjM2AEf Evc4zHUEzEtIwSOFh9EPgrPiflqUmrquDJdGL2EbYiv3ZHFghQJas4ymHfE0xYVT zkgyLyA+uwM= =rtez -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce