what you don't know can hurt you

Red Hat Security Advisory 2021-0145-01

Red Hat Security Advisory 2021-0145-01
Posted Jan 14, 2021
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2021-0145-01 - Red Hat OpenShift Serverless Client kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms. Red Hat OpenShift Serverless Client kn 1.12.0 provides a CLI to interact with Red Hat OpenShift Serverless 1.12.0, and includes security and bug fixes and enhancements. For more information, see the release notes listed in the References section. Issues addressed include code execution and cross site scripting vulnerabilities.

tags | advisory, vulnerability, code execution, xss
systems | linux, redhat
advisories | CVE-2020-24553, CVE-2020-28362, CVE-2020-28366, CVE-2020-28367
MD5 | 84bd3c7609f304afda32dcf7e6933684

Red Hat Security Advisory 2021-0145-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenShift Serverless Client kn 1.12.0
Advisory ID: RHSA-2021:0145-01
Product: Red Hat OpenShift Serverless
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0145
Issue date: 2021-01-14
CVE Names: CVE-2020-24553 CVE-2020-28362 CVE-2020-28366
CVE-2020-28367
=====================================================================

1. Summary:

Red Hat OpenShift Serverless Client kn 1.12.0

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each
vulnerability. For more information, see the CVE links in the References
section.

2. Relevant releases/architectures:

Openshift Serverless 1 on RHEL 8Base - x86_64

3. Description:

Red Hat OpenShift Serverless Client kn CLI is delivered as an RPM package
for installation on RHEL platforms, and as binaries for non-Linux
platforms.

Red Hat OpenShift Serverless Client kn 1.12.0 provides a CLI to interact
with Red Hat OpenShift Serverless 1.12.0, and includes security and bug
fixes and enhancements. For more information, see the release notes listed
in the References section.

Security Fix(es):

* golang: default Content-Type setting in net/http/cgi and net/http/fcgi
could cause XSS (CVE-2020-24553)

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

* golang: malicious symbol names can lead to code execution at build time
(CVE-2020-28366)

* golang: improper validation of cgo flags can lead to code execution at
build time (CVE-2020-28367)

For more details about the security issues and their impact, the CVSS
score, acknowledgements, and other related information, see the CVE pages
listed in the References section.

4. Solution:

See the documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/
4.6/html/serverless_applications/index

5. Bugs fixed (https://bugzilla.redhat.com/):

1874857 - CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1897643 - CVE-2020-28366 golang: malicious symbol names can lead to code execution at build time
1897646 - CVE-2020-28367 golang: improper validation of cgo flags can lead to code execution at build time
1906386 - Release of OpenShift Serverless Client 1.12.0

6. Package List:

Openshift Serverless 1 on RHEL 8Base:

Source:
openshift-serverless-clients-0.18.4-2.el8.src.rpm

x86_64:
openshift-serverless-clients-0.18.4-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-24553
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/cve/CVE-2020-28366
https://access.redhat.com/security/cve/CVE-2020-28367
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/installing-openshift-serverless-1#installing-kn

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYABJwtzjgjWX9erEAQiEFg//VA66Q5K3IfNl5ky03WPvGpN0lbcOGu7e
tL77eEw6lr4co45+8G38PlVQCf3EGE2OR6rYXFrEozirJvhiR0pljFz82GQjzYWx
BStrXhfcw4TSI95+rLmuOc2yxKda2F2CSRfO1lGJJDugCoVrZrAS2elBzObAv6eI
Gekll4TC37MhLw2d8gCNvjKbT6b0khDoAXntr/WzceqTRpPUuhvOcxDMzD6AWJDE
5ljIwGCCNii/HO3+UHK1zdCu965R9unr3JmfPvrJaRaYTHQMsmrxLlv0R59aTOPp
6MgHLy0Qx1tA5hdABYNkwDB7UjDaUvoQPuDN7djgMPFL1R4XBun0kNsfibt0P+5g
rYvvClNeKga822jlTVrMDEGHb69++Ba+mYXwsf1TUhII7wGBxm93ytrVIABblqnf
HO5AoT7qBsONj5Sm03YEbJ1SZ4KgLA2U9L1xBssg6I4N9KDo5mfLJJxzmOemd2Dp
7Vzjefb7WIaVxleSHW7aZngyRC5O0a2nWcFYCjm8/lKRUhn1egRyC5Z8I62bFvs4
iejUveFz4yRV8WtKuY9u2ey7xNtuxpBDGDF3zxwzXvOqa7gYKkN38XobAS3OR5bm
aeCR1Th4MopuHjqFldtE0BjBYQ7mPZ/VKzROXyU5zIibV89dIZz5lwpi45/BSZ/Y
6/zPPdn2CC0=
=Tj70
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    12 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close