RedHat: RHSA-2021-0145:01 Moderate: Red Hat OpenShift Serverless Client kn
Summary
Red Hat OpenShift Serverless Client kn CLI is delivered as an RPM package
for installation on RHEL platforms, and as binaries for non-Linux
platforms.
Red Hat OpenShift Serverless Client kn 1.12.0 provides a CLI to interact
with Red Hat OpenShift Serverless 1.12.0, and includes security and bug
fixes and enhancements. For more information, see the release notes listed
in the References section.
Security Fix(es):
* golang: default Content-Type setting in net/http/cgi and net/http/fcgi
could cause XSS (CVE-2020-24553)
* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)
* golang: malicious symbol names can lead to code execution at build time
(CVE-2020-28366)
* golang: improper validation of cgo flags can lead to code execution at
build time (CVE-2020-28367)
For more details about the security issues and their impact, the CVSS
score, acknowledgements, and other related information, see the CVE pages
listed in the References section.
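The first fix, CVE-2020-24553, is worth a closer look because the same failure mode exists in any Go handler that emits caller-influenced bytes without declaring a type: when no Content-Type header is set, net/http guesses one with http.DetectContentType, and a body that starts with an HTML tag is served as text/html. In the affected Go versions net/http/cgi and net/http/fcgi had no default for a child response lacking Content-Type, so that sniffing applied; the fix pins the default to text/plain. The following is an added example written for this page, not code from the advisory, from Go, or from the kn project. It reproduces the mechanism with a plain http.Handler under httptest rather than with net/http/cgi itself, and the handler names, the request path and the sample body are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// untrustedBody stands in for attacker-influenced output that a CGI or
// FastCGI child might emit without a Content-Type header (constructed
// sample input, not taken from any real response).
var untrustedBody = []byte("<script>alert(document.domain)</script>")

// unsafeHandler writes the body without declaring a Content-Type. net/http
// then guesses one with http.DetectContentType, which is the behaviour the
// pre-fix net/http/cgi and net/http/fcgi defaults fell back to.
func unsafeHandler(w http.ResponseWriter, r *http.Request) {
	w.Write(untrustedBody)
}

// safeHandler pins the type to text/plain, as the Go fix does for cgi/fcgi,
// and additionally tells browsers not to second-guess it.
func safeHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write(untrustedBody)
}

// Serve runs h against an in-memory request and returns the response
// headers, including whatever Content-Type net/http ended up sending.
func Serve(h http.HandlerFunc) http.Header {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/cgi-bin/echo", nil)
	h.ServeHTTP(rec, req)
	return rec.Result().Header
}

// SniffedType returns the type net/http would guess for body if no
// Content-Type were set; useful for checking inputs in a test suite.
func SniffedType(body []byte) string {
	return http.DetectContentType(body)
}

func main() {
	fmt.Println("sniffed:", SniffedType(untrustedBody))
	fmt.Println("unsafe: ", Serve(unsafeHandler).Get("Content-Type"))
	safe := Serve(safeHandler)
	fmt.Println("safe:   ", safe.Get("Content-Type"), safe.Get("X-Content-Type-Options"))
}
```

Running it shows the unsafe handler answering with text/html; charset=utf-8 for a body it never declared as HTML, and the safe handler answering with text/plain; charset=utf-8 plus nosniff. Upgrading Go (or, here, the rebuilt kn package) removes the bad default in cgi/fcgi, but handlers that relay untrusted bytes should still set the header explicitly rather than rely on sniffing.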
Solution
See the documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index
References
https://access.redhat.com/security/cve/CVE-2020-24553
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/cve/CVE-2020-28366
https://access.redhat.com/security/cve/CVE-2020-28367
https://access.redhat.com/security/updates/classification/#moderate
Package List
Openshift Serverless 1 on RHEL 8 Base:
Source:
openshift-serverless-clients-0.18.4-2.el8.src.rpm
x86_64:
openshift-serverless-clients-0.18.4-2.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
Red Hat OpenShift Serverless Client kn 1.12.0
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Relevant Releases Architectures
Openshift Serverless 1 on RHEL 8 Base - x86_64
Bugs Fixed
1874857 - CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1897643 - CVE-2020-28366 golang: malicious symbol names can lead to code execution at build time
1897646 - CVE-2020-28367 golang: improper validation of cgo flags can lead to code execution at build time
1906386 - Release of OpenShift Serverless Client 1.12.0