Red Hat Security Advisory 2022-6042-01

Red Hat Security Advisory 2022-6042-01: Posted Aug 11, 2022; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2022-6042-01 - Red Hat OpenShift Serverless Client kn 1.24.0 provides a CLI to interact with Red Hat OpenShift Serverless 1.24.0. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms. Issues addressed include bypass and denial of service vulnerabilities.; tags | advisory, denial of service, vulnerability; systems | linux, redhat; advisories | CVE-2022-1705, CVE-2022-1962, CVE-2022-1996, CVE-2022-21698, CVE-2022-24675, CVE-2022-24921, CVE-2022-28131, CVE-2022-28327, CVE-2022-30629, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635; SHA-256 | a0fb90802eb4af19bdbeb9ff04bf6db0048a42b54fb373556a4d125e2aecf5cb; Download | Favorite | View

Red Hat Security Advisory 2022-6042-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Important: Release of OpenShift Serverless Client kn 1.24.0
Advisory ID:       RHSA-2022:6042-01
Product:           Red Hat OpenShift Serverless
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6042
Issue date:        2022-08-10
CVE Names:         CVE-2022-1705 CVE-2022-1962 CVE-2022-1996
                   CVE-2022-21698 CVE-2022-24675 CVE-2022-24921
                   CVE-2022-28131 CVE-2022-28327 CVE-2022-30629
                   CVE-2022-30630 CVE-2022-30631 CVE-2022-30632
                   CVE-2022-30633 CVE-2022-30635 CVE-2022-32148
====================================================================
1. Summary:

Release of OpenShift Serverless Client kn 1.24.0

Red Hat Product Security has rated this update as having a security impact
of
Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Openshift Serverless 1 on RHEL 8Base - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Serverless Client kn 1.24.0 provides a CLI to interact
with Red Hat OpenShift Serverless 1.24.0. The kn CLI is delivered as an RPM
package for installation on RHEL platforms, and as binaries for non-Linux
platforms.

Security Fix(es):
- - prometheus/client_golang: Denial of service using
InstrumentHandlerCounter (CVE-2022-21698)
- - go-restful: Authorization Bypass Through User-Controlled Key
(CVE-2022-1996)
- - golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
- - golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
- - golang: go/parser: stack exhaustion in all Parse* functions
(CVE-2022-1962)
- - golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
- - golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
- - golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)
- - golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)
- - golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
- - golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
- - golang: regexp: stack exhaustion via a deeply nested expression
(CVE-2022-24921)
- - golang: crypto/elliptic: panic caused by oversized scalar
(CVE-2022-28327)
- - golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
- - golang: crypto/tls: session tickets lack random ticket_age_add
(CVE-2022-30629)

For more details about the security issue(s), including the impact; a CVSS
score; acknowledgments; and other related information refer to the CVE
page(s)
listed in the References section.

4. Solution:

See the Red Hat OpenShift Container Platform 4.6 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index
See the Red Hat OpenShift Container Platform 4.7 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
See the Red Hat OpenShift Container Platform 4.8 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
See the Red Hat OpenShift Container Platform 4.9 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
See the Red Hat OpenShift Container Platform 4.10 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index

5. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2094982 - CVE-2022-1996 go-restful: Authorization Bypass Through User-Controlled Key
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
2108527 - Release of Openshift Serverless Client 1.24.0

6. Package List:

Openshift Serverless 1 on RHEL 8Base:

Source:
openshift-serverless-clients-1.3.1-4.el8.src.rpm

ppc64le:
openshift-serverless-clients-1.3.1-4.el8.ppc64le.rpm

s390x:
openshift-serverless-clients-1.3.1-4.el8.s390x.rpm

x86_64:
openshift-serverless-clients-1.3.1-4.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-1996
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-24675
https://access.redhat.com/security/cve/CVE-2022-24921
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-28327
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYvPzqtzjgjWX9erEAQgc+Q/+LS0mBwSovaPnOAfn9R0Cmqc4t3wXKiE+
uMOdrU+GM1EbmNCT+XKOHOkB7I6IIeWilWOfBbb7eRXGnU6td6RtEFe7ob3aeR/b
wzpFZbQjL5qKvldOYr56QRxAcnTQUkiGp3CnCIB/hxtR9YbA4d9sLf4GdmXNCnCf
ycrnqNgMIM70rCUdtyuKrfGpxyX5VZe23PbXG4lADUJNe8p1uAF3BOrKp0RdFOP4
lYHJYme9hB1mg0D4UgFAT5VjQZ+EPrbl2eTMT+9JMz1cxh0ehepbVMP3iap6bdtF
YA6ZLelZjpck55JyhAehsDQvxXyuY8JB9uYPlGpLDKinS1r7uakitlh6prauKiKc
LcTd+wSrwM721sQEgpO239U/YRssdn5rwfTRTNjxuwm/ZYHT4EUk31nsolehB1/k
nkP/Jir7vAwo72i4d2wPDscMRcROcW4HKkfrEXN3aseo9YFi3IlK4YKKx2sLeec2
AGSrTFccaOVpW01lwzogzk236G2jqq4Z2iovM9v8GA/N1RjeiF2tg+WytZymKGA4
g6aVlxOLaBU4X4s5XnIP9k1Hf9Hxn7mVxlfo8p7MBogBvbEFSE75Pcq3EhQI9tbt
arhiTmJVHd8OM8agRPfHTrp8+F19duyqlo4oGju/ocv8f4tuc3rRaK6TdK6qWaBy
mIhJcSGSjmc=NN3u
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Red Hat Security Advisory 2022-6042-01

Red Hat Security Advisory 2022-6042-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Red Hat Security Advisory 2022-6042-01

Share This

Red Hat Security Advisory 2022-6042-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems