====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Release of OpenShift Serverless 1.27.0
Advisory ID:       RHSA-2023:0709-01
Product:           RHOSS
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0709
Issue date:        2023-02-09
CVE Names:         CVE-2016-3709 CVE-2021-46848 CVE-2022-1304
                   CVE-2022-2509 CVE-2022-2879 CVE-2022-2880
                   CVE-2022-22624 CVE-2022-22628 CVE-2022-22629
                   CVE-2022-22662 CVE-2022-26700 CVE-2022-26709
                   CVE-2022-26710 CVE-2022-26716 CVE-2022-26717
                   CVE-2022-26719 CVE-2022-27664 CVE-2022-30293
                   CVE-2022-35737 CVE-2022-40303 CVE-2022-40304
                   CVE-2022-41715 CVE-2022-42010 CVE-2022-42011
                   CVE-2022-42012 CVE-2022-42898 CVE-2022-43680
                   CVE-2023-21835 CVE-2023-21843
====================================================================

1. Summary:

Release of OpenShift Serverless 1.27.0

The References section contains CVE links providing detailed severity
ratings for each vulnerability. Ratings are based on a Common
Vulnerability Scoring System (CVSS) base score.

2. Description:

Version 1.27.0 of the OpenShift Serverless Operator is supported on Red
Hat OpenShift Container Platform versions 4.8, 4.9, 4.10, 4.11 and 4.12.

This release includes security and bug fixes, and enhancements.

* golang: regexp/syntax: limit memory used by parsing regexps
  (CVE-2022-41715)

* golang: net/http: handle server errors after sending GOAWAY
  (CVE-2022-27664)

* golang: net/http/httputil: ReverseProxy should not forward unparseable
  query parameters (CVE-2022-2880)

* golang: archive/tar: unbounded memory consumption when reading headers
  (CVE-2022-2879)

For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
pages linked in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2154755 - Release of OpenShift Serverless Eventing 1.27.0
2154757 - Release of OpenShift Serverless Serving 1.27.0

5. References:

https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-2509
https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-40303
https://access.redhat.com/security/cve/CVE-2022-40304
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-42010
https://access.redhat.com/security/cve/CVE-2022-42011
https://access.redhat.com/security/cve/CVE-2022-42012
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/cve/CVE-2022-43680
https://access.redhat.com/security/cve/CVE-2023-21835
https://access.redhat.com/security/cve/CVE-2023-21843
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.