-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: RHSA: Submariner 0.13 - security and enhancement update Advisory ID: RHSA-2022:6346-01 Product: Red Hat ACM Advisory URL: https://access.redhat.com/errata/RHSA-2022:6346 Issue date: 2022-09-06 CVE Names: CVE-2021-38561 CVE-2021-40528 CVE-2022-1292 CVE-2022-1586 CVE-2022-1705 CVE-2022-1962 CVE-2022-2068 CVE-2022-2097 CVE-2022-2526 CVE-2022-25313 CVE-2022-25314 CVE-2022-28131 CVE-2022-29824 CVE-2022-30629 CVE-2022-30630 CVE-2022-30631 CVE-2022-30632 CVE-2022-30633 CVE-2022-30635 CVE-2022-32148 CVE-2022-32206 CVE-2022-32208 ===================================================================== 1. Summary: Submariner 0.13 packages that fix security issues and bugs, as well as adds various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Submariner enables direct networking between pods and services on different Kubernetes clusters that are either on-premises or in the cloud. For more information about Submariner, see the Submariner open source community website at: https://submariner.io/. This advisory contains bug fixes and enhancements to the Submariner container images. Security fixes: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30630 golang: io/fs: stack exhaustion in Glob * CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read * CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob * CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal * CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode * CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working * CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add 3. Solution: For details on how to install Submariner, refer to: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/add-ons/submariner#submariner-deploy-console and https://submariner.io/getting-started/ 4. Bugs fixed (https://bugzilla.redhat.com/): 2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add 2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read 2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob 2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header 2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions 2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working 2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob 2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode 2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip 2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal 5. References: https://access.redhat.com/security/cve/CVE-2021-38561 https://access.redhat.com/security/cve/CVE-2021-40528 https://access.redhat.com/security/cve/CVE-2022-1292 https://access.redhat.com/security/cve/CVE-2022-1586 https://access.redhat.com/security/cve/CVE-2022-1705 https://access.redhat.com/security/cve/CVE-2022-1962 https://access.redhat.com/security/cve/CVE-2022-2068 https://access.redhat.com/security/cve/CVE-2022-2097 https://access.redhat.com/security/cve/CVE-2022-2526 https://access.redhat.com/security/cve/CVE-2022-25313 https://access.redhat.com/security/cve/CVE-2022-25314 https://access.redhat.com/security/cve/CVE-2022-28131 https://access.redhat.com/security/cve/CVE-2022-29824 https://access.redhat.com/security/cve/CVE-2022-30629 https://access.redhat.com/security/cve/CVE-2022-30630 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-30632 https://access.redhat.com/security/cve/CVE-2022-30633 https://access.redhat.com/security/cve/CVE-2022-30635 https://access.redhat.com/security/cve/CVE-2022-32148 https://access.redhat.com/security/cve/CVE-2022-32206 https://access.redhat.com/security/cve/CVE-2022-32208 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYxd1B9zjgjWX9erEAQjg3g//Z6F4XwGtGZPH4jDe5igGa7E/9HTHBewn dFddZJk/RwVHfq2lKUuFIKYwOi7Bc9xSNoxgminoGK2cIw6adyCxt8QKUBhoDuht J6xYdCNR/CtEl9IGQuEGe9Rh7YYKWNeIX0t22XCjtmoy2AIuZoeApTeRkWaizx4Y IXIf+lwvrG8/h5CtuQem0hW40MZiPZq7O0gWBy/+NoFBhQ5xO5ZTMaRe/PGQfD+9 JrgtmY6eb3bNQRBIQfvtZWNOa4S+pzMTGNjMj9/G42IJwDzOtEUktUwcoRXxyA0S 8xUGdwADk+UMvWseMBNmAq/HPEQ3j4clg0aYQdpAVmvwdQkHjY3FeZxY60gx9QB0 u/dptUHlEr/HZhjiz5Cl0TaiK7jpuQbCUn0qMiVaj0B3w59W+DOWNnv3MiShfD8U iQkEuupzYgLqMwmu1LqHaeaOFPvGoO8MZAGUxYtcwWWDz4fq+J2HQTpnrUXVypnT Hvm+DK7+dceLGDvlR/GCE8A6lGY8bURzhctuEAe0L/s7t5eEsfjQtciJ3bIBFDob RCA6SdjxgdGEGVh6JiknyACHmHPQTuPhGGcJnCRn7zG5GGXOTx9Ja0+nPGDwUcXh IM/TcEXXmj/PfAKMlee8hS4aHhHthm0Izlk6OLPZPMvtQhfdf9cKMdNAPmQf8sj4 Ao8aXSQ99fM= =j+9x -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce