-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Release of OpenShift Serverless 1.29.0 Advisory ID: RHSA-2023:3455-01 Product: Red Hat OpenShift Serverless Advisory URL: https://access.redhat.com/errata/RHSA-2023:3455 Issue date: 2023-06-05 CVE Names: CVE-2022-4304 CVE-2022-4450 CVE-2022-36227 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-0215 CVE-2023-0286 CVE-2023-0361 CVE-2023-0767 CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-25173 CVE-2023-27535 ===================================================================== 1. Summary: OpenShift Serverless version 1.29.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score. 2. Description: Version 1.29.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.10, 4.11, 4.12, and 4.13. This release includes security and bug fixes, and enhancements. Security Fixes in this release include: - - containerd: Supplementary groups are not set up properly(CVE-2023-25173) - - golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding(CVE-2022-41723) - - golang: net/http, mime/multipart: denial of service from excessive resource consumption(CVE-2022-41725) - - golang: crypto/tls: large handshake records may cause panics(CVE-2022-41724) - - golang: html/template: backticks not treated as string delimiters(CVE-2023-24538) - - golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption(CVE-2023-24536) - - golang: net/http, net/textproto: denial of service from excessive memory allocation(CVE-2023-24534) - - golang: go/parser: Infinite loop in parsing(CVE-2023-24537) For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, see the CVE pages linked from the References section. 3. Solution: For instructions on how to install and use OpenShift Serverless, see documentation linked from the References section. 4. Bugs fixed (https://bugzilla.redhat.com/): 2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding 2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption 2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics 2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters 2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption 2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation 2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing 2185507 - Release of OpenShift Serverless Serving 1.29.0 2185509 - Release of OpenShift Serverless Eventing 1.29.0 5. References: https://access.redhat.com/security/cve/CVE-2022-4304 https://access.redhat.com/security/cve/CVE-2022-4450 https://access.redhat.com/security/cve/CVE-2022-36227 https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2022-41724 https://access.redhat.com/security/cve/CVE-2022-41725 https://access.redhat.com/security/cve/CVE-2023-0215 https://access.redhat.com/security/cve/CVE-2023-0286 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-0767 https://access.redhat.com/security/cve/CVE-2023-21930 https://access.redhat.com/security/cve/CVE-2023-21937 https://access.redhat.com/security/cve/CVE-2023-21938 https://access.redhat.com/security/cve/CVE-2023-21939 https://access.redhat.com/security/cve/CVE-2023-21954 https://access.redhat.com/security/cve/CVE-2023-21967 https://access.redhat.com/security/cve/CVE-2023-21968 https://access.redhat.com/security/cve/CVE-2023-24534 https://access.redhat.com/security/cve/CVE-2023-24536 https://access.redhat.com/security/cve/CVE-2023-24537 https://access.redhat.com/security/cve/CVE-2023-24538 https://access.redhat.com/security/cve/CVE-2023-25173 https://access.redhat.com/security/cve/CVE-2023-27535 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.13/html/serverless/index 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZH521tzjgjWX9erEAQicLg/+JJY0iROByNwBz9upWD+qDC+ffNd+85c+ VIj8Gpp3Zy6lgGokmtp6YzlZgJvJ/HROOYp2Hy+8eTCwkBQsV/7zdEmT1DfYMFYL yH8k3Gmf+fxaoL4LuY457Pdn2w2Szhj5sUWnUCw/8UTQfO3msNya0zK0Z3+KJ9Nz fIdRMQb0wI2JN1y+kISdSTqfOJKuWuhCQ5H5yhnxV74H9d8jC59jOCpz84fZ3VE2 atrDnYRZV/URzkCDMTcLFbqewgC+O4dX953F91RyycAaVEP2+wHCLMF6QfsnU0se 6zFFvuUbsgWgxlFyrovylnmm6CGGQ/Tkp9olpnLZp0eXK67tt4KTbL/N8iPt7qYt 9S5VlN1IS6jA8DpyF1AxQNng6yJmjGCGhOp2n2F25cz6IYbz5hmFLluDkdCkeyzu xSGQ9bT+K2ih6W4UwAMy3eI0YtZ8qC4e8GIP9EBgLsNowblR76IjkpKI8lrt+XSW tI+cz6XT0HaMkEJhzOnlm4uxJAQqpde/hwlQ4GdlMR4F13yX44UMEglwaJSkIrMZ dg7tfZ1t1K4+JOjXET4F22/RZnu+Bc6QDkA4BboRyB68/WLhmUfUy+Z7wsIgKif+ yFCqUE+2sRu6Xn3Y6bfAZem41gLXBhKV5tvdhmm+PrdB3jQAt/ISjXSGdYLxmC4X 1hDAf16dj7Y= =YctY -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce