-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Moderate: Release of containers for OSP 16.2.z director operator tech preview
Advisory ID:       RHSA-2022:2183-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:2183
Issue date:        2022-05-11
CVE Names:         CVE-2018-25032 CVE-2019-11253 CVE-2019-19794
                   CVE-2020-15257 CVE-2021-29482 CVE-2021-32760
                   CVE-2022-1154 CVE-2022-1271
====================================================================
1. Summary:

Red Hat OpenStack Platform 16.2 (Train) director Operator containers are
available for technology preview.

2. Description:

Release osp-director-operator images

Security Fix(es):

* golang:  kubernetes: YAML parsing vulnerable to "Billion Laughs" attack,
allowing for remote (CVE-2019-11253)
* golang: golang-github-miekg-dns: predictable TXID can lead to response
forgeries (CVE-2019-19794)
* golang: containerd: unrestricted access to abstract Unix domain socket
can lead to privileges (CVE-2020-15257)
* golang: ulikunitz/xz: Infinite loop in readUvarint allows for denial of
service (CVE-2021-29482)
* golang: containerd: pulling and extracting crafted container image may
result in Unix file permission changes (CVE-2021-32760)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

3. Solution:

OSP 16.2 Release - OSP Director Operator Containers tech preview

4. Bugs fixed (https://bugzilla.redhat.com/):

1757701 - CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service
1786761 - CVE-2019-19794 golang-github-miekg-dns: predictable TXID can lead to response forgeries
1899487 - CVE-2020-15257 containerd: unrestricted access to abstract Unix domain socket can lead to privileges escalation
1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service
1982681 - CVE-2021-32760 containerd: pulling and extracting crafted container image may result in Unix file permission changes
2079447 - Rebase tech preview on latest upstream v1.2.x branch

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2019-11253
https://access.redhat.com/security/cve/CVE-2019-19794
https://access.redhat.com/security/cve/CVE-2020-15257
https://access.redhat.com/security/cve/CVE-2021-29482
https://access.redhat.com/security/cve/CVE-2021-32760
https://access.redhat.com/security/cve/CVE-2022-1154
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYnvx49zjgjWX9erEAQifFg//TCQNGh/8hkZ1S3v71P6N+j3RHuuxNg3G
1vq4Per7WcfFjeyBw/LCFp+Ul8Qb7XgtAAY1L5FW4m6uUgrgqcd3RtGS1m5xbO9/
jyRo90kvUEfh1kIJXFVBf5OOI9r0BaYcxlmdAmL7nDZTTQJyjjSHKv0XN/4Ic7r7
+R6TtwDNy2RlcPY6pggctR6MuxxUqsgkVWcfHBABcdvMyF2XEmrPkC9tzQXx6BdP
8HpxlvD2J/MXthqAcKxqPEmszOV41JTwsi/SFdk+5aA5XLlFwrNHvCRyK0FANO0P
sM1EdU1ZnUK/Jo0G2xmMG+aExLC1IPaAQ0yA0LvBoV0Wh0oh3pJDB+8BVjnCJk3o
AwdcNb+FOUaI4ZHlJ0wMQki97HyBazTG3NMVCfvko8/LCgkBA8ROQRSxOOjxhG0J
T5uO0QYi16wWUQMmBj9S2LW0IX/iTpI4POTlVXD6b9PUR3WQ4bki4s1D61Ub7Uny
/QCRDMAxQSZ4xFhfX+d3Q3V35C9Kyg3Bhce5KdDGmp1mVZRh1NmG46IW/1/GWfpv
JljVcvbWH/4+rRF3fN7h2jAULRRziCeLin+noj1hqPTR+5DnNbGammKZjU8RafcA
4WbJO5kCqE4mjSfzPgyd26CxzES5vtlIpjYlglGfNwcCOc/oXshtARjrusOHfb1r
uegJW1UHUAo=ny/g
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce