-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Advanced Cluster Security 3.74 for Kubernetes security update Advisory ID: RHSA-2023:3435-01 Product: Red Hat Advanced Cluster Security for Kubernetes Advisory URL: https://access.redhat.com/errata/RHSA-2023:3435 Issue date: 2023-06-05 CVE Names: CVE-2022-2795 CVE-2022-36227 CVE-2023-2491 CVE-2023-24539 CVE-2023-24540 CVE-2023-27535 CVE-2023-29400 ===================================================================== 1. Summary: An update is now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: This release of RHACS 3.74.4 includes a fix for CVE-2023-24540 by building RHACS with updated Golang. Security Fix(es): * golang: html/template: improper handling of JavaScript whitespace (CVE-2023-24540) * golang: html/template: improper sanitization of CSS values (CVE-2023-24539) * golang: html/template: improper handling of empty HTML attributes (CVE-2023-29400) For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the links listed in the References section. 3. Solution: If you are using an earlier version of RHACS 3.74, you are advised to upgrade to patch release 3.74.4. 4. Bugs fixed (https://bugzilla.redhat.com/): 2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values 2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace 2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes 5. JIRA issues fixed (https://issues.redhat.com/): ROX-17405 - Release RHACS 3.74.4 6. References: https://access.redhat.com/security/cve/CVE-2022-2795 https://access.redhat.com/security/cve/CVE-2022-36227 https://access.redhat.com/security/cve/CVE-2023-2491 https://access.redhat.com/security/cve/CVE-2023-24539 https://access.redhat.com/security/cve/CVE-2023-24540 https://access.redhat.com/security/cve/CVE-2023-27535 https://access.redhat.com/security/cve/CVE-2023-29400 https://access.redhat.com/security/updates/classification/#important https://docs.openshift.com/acs/3.74/release_notes/374-release-notes.html 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZH4ju9zjgjWX9erEAQg3fRAAkO+FEfLakb0S4TU8LlX1eSmOlJ/BvldZ MUQjwbvgowtED2JEmSITjc1SdzkWQTF3QmAKyEgLkVb35cgQVdzGykDUJA+A0ch3 1hdCG8J9nAIkLrQjlUXLXlW3QKgY9YM7ywfoI2pAdZZoJfqwVtAPNO1dQ2VqMEgp OBGmpZZMx4UkENcQatYPrmo5NC10wyS2+poT3v5YjXEWERzSHKXy/R7DkRQ0748J VbOZ471JAytN2k7QXfYkWyUhSWzIF+XE1M8CyQj7L4JJt8dNlVXiFtShjMDld+ok /f2jcZufgTWm/fwGuCdJeHxhi+uwrnyT+KxblIl7h4xG/7UjgawG7x5T8qPYUjXY GvQaLhOlPw+u1biCoyRQbPVjxB2sMhJQYCs6a9tyFn4kaNBC5GuCI05PgxoSmtn4 7elzgI7HDMvWIZ3UEWWDuRcyBIGpE76W0JLJAnbuXdkc0G31lyAlgIBHx9aNt9dw zakxW321SnBhZcdvcpWl61Upds82qi0Pj/NSMlIrkPtJAum0LDZsczbsERJ6p9oF V3GQh/d6ik3759EwgIjdnht5uM8JqErYkYPyhJLXvLDTJR+LZMR+29zn8d3QUm2d OvXLWjoSa/aWi63fFCD97AfNCC7RZWj2bIaxi/j8VimwLEP4KX4roVuEB6PI6sPj 74zX1/jLbJ4= =i6g4 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce