-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat OpenShift Service Mesh Containers for 2.4.0 Advisory ID: RHSA-2023:3644-01 Product: RHOSSM Advisory URL: https://access.redhat.com/errata/RHSA-2023:3644 Issue date: 2023-06-15 CVE Names: CVE-2021-4235 CVE-2022-1705 CVE-2022-2795 CVE-2022-2879 CVE-2022-2880 CVE-2022-2995 CVE-2022-3162 CVE-2022-3172 CVE-2022-3204 CVE-2022-3259 CVE-2022-3466 CVE-2022-27664 CVE-2022-30631 CVE-2022-32148 CVE-2022-32189 CVE-2022-32190 CVE-2022-36227 CVE-2022-39229 CVE-2022-41715 CVE-2023-24540 CVE-2023-27535 ==================================================================== 1. Summary: Red Hat OpenShift Service Mesh Containers for 2.4.0 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release. Security Fix(es): * golang: html/template: improper handling of JavaScript whitespace (CVE-2023-24540) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace 5. JIRA issues fixed (https://issues.redhat.com/): OSSM-1094 - Htpasswd secret created in control plane namespace is using SHA1 OSSM-1667 - Remove deprecated cipher suites OSSM-2128 - Exclude some accessible namespaces in Kiali CR with some labelSelector OSSM-2215 - istio-cni-node never updates kubeconfig causing error adding container to network \"v2-0-istio-cni\": Unauthorized OSSM-2221 - Gateway injection does not work in control plane namespace OSSM-2254 - Fix and deprecate IOR OSSM-2274 - If two SMCPs exist in a namespace and you delete one, all child resources are deleted OSSM-2325 - Disable prometheus in the minimal example CR OSSM-2339 - Deprecated istio-operator API call in CNV OSSM-2420 - Pod locality controller fails to update pod OSSM-2436 - istio-operator reports as ready before it really is OSSM-3246 - Promote ClusterWide to GA OSSM-3288 - Implement prometheus extension provider OSSM-3291 - Implement envoyExtAuthzHttp extension provider OSSM-331 - Service Mesh IPv6 Single Stack Support OSSM-3419 - Align OSSM 2.4 with latest upstream Istio 1.16.5 release OSSM-3747 - Duplicate env vars in egress gateway deployment OSSM-3784 - Bad ownerReference in k8s Gateway Deployment & Service OSSM-3802 - GA discoverySelectors (move out of techPreview.meshConfig) OSSM-3803 - Move extensionProviders to SMCP.spec.meshConfig.extensionProviders OSSM-3870 - OSSM must-gather improvements OSSM-3873 - [KIALI] Kiali ingress.host accepted in the SMCP but is not configured properly in Kiali CR OSSM-3934 - Prometheus and grafana not reachable from kiali OSSM-3986 - Kiali does not display all the data when SMCP is deployed with Cluster Wide mode OSSM-4037 - kiali operator base image bump OSSM-4069 - Kiali route is missing with 2.2 Control Plane in 2.4 Operator on OpenShift 4.13 OSSM-566 - Supported integration with OpenShift Monitoring and BYO Prometheus OSSM-568 - Integration with (external) cert-manager 6. References: https://access.redhat.com/security/cve/CVE-2021-4235 https://access.redhat.com/security/cve/CVE-2022-1705 https://access.redhat.com/security/cve/CVE-2022-2795 https://access.redhat.com/security/cve/CVE-2022-2879 https://access.redhat.com/security/cve/CVE-2022-2880 https://access.redhat.com/security/cve/CVE-2022-2995 https://access.redhat.com/security/cve/CVE-2022-3162 https://access.redhat.com/security/cve/CVE-2022-3172 https://access.redhat.com/security/cve/CVE-2022-3204 https://access.redhat.com/security/cve/CVE-2022-3259 https://access.redhat.com/security/cve/CVE-2022-3466 https://access.redhat.com/security/cve/CVE-2022-27664 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-32148 https://access.redhat.com/security/cve/CVE-2022-32189 https://access.redhat.com/security/cve/CVE-2022-32190 https://access.redhat.com/security/cve/CVE-2022-36227 https://access.redhat.com/security/cve/CVE-2022-39229 https://access.redhat.com/security/cve/CVE-2022-41715 https://access.redhat.com/security/cve/CVE-2023-24540 https://access.redhat.com/security/cve/CVE-2023-27535 https://access.redhat.com/security/updates/classification/#important 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZIuxO9zjgjWX9erEAQhxLg//cqi5JYtCAvOoMpkcoFT/rTGhn2s7EmPX gCNYy/Gv1EESdc4WLJs/96vXWpnRF1XA1Z+Jrn6Ojd1OcRVikWjpXtzM+2cKNoCA HZMvyxRe4R0QlcBb17XZYDN0plU+H24UGDMHengwY45K5ZRWfw7/vb3Gna3VwUgk QALQk0WLqiJUSDy0CAaFwZNKUZKZmKCmQudm8dbECA+pCKTYS22bfbuE4o2jtcTA PmFZ5sDIKTuWuzHtxT5Urbx+g6rgijP3xP1JqZXzuI9ExH7eeS7e1Sk8rH2MOXH2 E9VDmAsi2p7ffdaLRILHYPdLtt88wiE0kLjBof7i7OMBSoX70l3UEwvy9g96udbl a/GsvnKkrpEnxXyPxUm4HQQ5xHPEaFIZlAwGSwnZ7CPS0wkWu3vN513ccMF+wsgx BokeK739WjxblJRsf/fTujflEMmOzIzsM6N3yDY51hs2lAl1NFZSCjFUTwjuoNNK 7CgMoWkbCDRc0tGWvu82gJfZPnlw7lRPHYAVSNkMAPQsODTyk8FEoY9Sj8UtnI5C qKwo7TdYjTwrivRCoQJJcNZJxW6RY2NSZNev3WviJuM+tssXXkOCJaD6Eguy6UhO PElcfkRdRJW5HevW+u56ngGfBUb091Zyes7bN8E0AwFBI1CBvjzWgEFTM1i2Ce/+ A6ybAfZVB68=0l+j -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce