-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat OpenShift Serverless Client kn 1.12.0 Advisory ID: RHSA-2021:0145-01 Product: Red Hat OpenShift Serverless Advisory URL: https://access.redhat.com/errata/RHSA-2021:0145 Issue date: 2021-01-14 CVE Names: CVE-2020-24553 CVE-2020-28362 CVE-2020-28366 CVE-2020-28367 ===================================================================== 1. Summary: Red Hat OpenShift Serverless Client kn 1.12.0 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section. 2. Relevant releases/architectures: Openshift Serverless 1 on RHEL 8Base - x86_64 3. Description: Red Hat OpenShift Serverless Client kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms. Red Hat OpenShift Serverless Client kn 1.12.0 provides a CLI to interact with Red Hat OpenShift Serverless 1.12.0, and includes security and bug fixes and enhancements. For more information, see the release notes listed in the References section. Security Fix(es): * golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS (CVE-2020-24553) * golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362) * golang: malicious symbol names can lead to code execution at build time (CVE-2020-28366) * golang: improper validation of cgo flags can lead to code execution at build time (CVE-2020-28367) For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section. 4. Solution: See the documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/ 4.6/html/serverless_applications/index 5. Bugs fixed (https://bugzilla.redhat.com/): 1874857 - CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers 1897643 - CVE-2020-28366 golang: malicious symbol names can lead to code execution at build time 1897646 - CVE-2020-28367 golang: improper validation of cgo flags can lead to code execution at build time 1906386 - Release of OpenShift Serverless Client 1.12.0 6. Package List: Openshift Serverless 1 on RHEL 8Base: Source: openshift-serverless-clients-0.18.4-2.el8.src.rpm x86_64: openshift-serverless-clients-0.18.4-2.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-24553 https://access.redhat.com/security/cve/CVE-2020-28362 https://access.redhat.com/security/cve/CVE-2020-28366 https://access.redhat.com/security/cve/CVE-2020-28367 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/installing-openshift-serverless-1#installing-kn 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYABJwtzjgjWX9erEAQiEFg//VA66Q5K3IfNl5ky03WPvGpN0lbcOGu7e tL77eEw6lr4co45+8G38PlVQCf3EGE2OR6rYXFrEozirJvhiR0pljFz82GQjzYWx BStrXhfcw4TSI95+rLmuOc2yxKda2F2CSRfO1lGJJDugCoVrZrAS2elBzObAv6eI Gekll4TC37MhLw2d8gCNvjKbT6b0khDoAXntr/WzceqTRpPUuhvOcxDMzD6AWJDE 5ljIwGCCNii/HO3+UHK1zdCu965R9unr3JmfPvrJaRaYTHQMsmrxLlv0R59aTOPp 6MgHLy0Qx1tA5hdABYNkwDB7UjDaUvoQPuDN7djgMPFL1R4XBun0kNsfibt0P+5g rYvvClNeKga822jlTVrMDEGHb69++Ba+mYXwsf1TUhII7wGBxm93ytrVIABblqnf HO5AoT7qBsONj5Sm03YEbJ1SZ4KgLA2U9L1xBssg6I4N9KDo5mfLJJxzmOemd2Dp 7Vzjefb7WIaVxleSHW7aZngyRC5O0a2nWcFYCjm8/lKRUhn1egRyC5Z8I62bFvs4 iejUveFz4yRV8WtKuY9u2ey7xNtuxpBDGDF3zxwzXvOqa7gYKkN38XobAS3OR5bm aeCR1Th4MopuHjqFldtE0BjBYQ7mPZ/VKzROXyU5zIibV89dIZz5lwpi45/BSZ/Y 6/zPPdn2CC0= =Tj70 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce