-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Release of OpenShift Serverless 1.12.0
Advisory ID:       RHSA-2021:0146-01
Product:           Red Hat OpenShift Serverless
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0146
Issue date:        2021-01-14
CVE Names:         CVE-2018-20843 CVE-2019-5018 CVE-2019-13050 
                   CVE-2019-13627 CVE-2019-14889 CVE-2019-15903 
                   CVE-2019-16168 CVE-2019-19221 CVE-2019-19906 
                   CVE-2019-19956 CVE-2019-20218 CVE-2019-20387 
                   CVE-2019-20388 CVE-2019-20454 CVE-2020-1730 
                   CVE-2020-1751 CVE-2020-1752 CVE-2020-1971 
                   CVE-2020-6405 CVE-2020-7595 CVE-2020-9327 
                   CVE-2020-10029 CVE-2020-13630 CVE-2020-13631 
                   CVE-2020-13632 CVE-2020-24553 CVE-2020-24659 
                   CVE-2020-28362 CVE-2020-28366 CVE-2020-28367 
====================================================================
1. Summary:

Release of OpenShift Serverless 1.12.0

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each
vulnerability. For more information, see the CVE links in the References
section.

2. Description:

Red Hat OpenShift Serverless 1.12.0 is a generally available release of the
OpenShift Serverless Operator. 

This version of the OpenShift Serverless
Operator is supported on Red Hat OpenShift Container Platform version 4.6,
and includes security and bug fixes and enhancements. For more information,
see the documentation listed in the References section.

Security Fix(es):

* golang: default Content-Type setting in net/http/cgi and net/http/fcgi
could cause XSS (CVE-2020-24553)

* golang: math/big: panic during recursive division of very large numbers(CVE-2020-28362)

* golang: malicious symbol names can lead to code execution at build time
(CVE-2020-28366)

* golang: improper validation of cgo flags can lead to code execution at
build time (CVE-2020-28367)

For more details about the security issues and their impact, the CVSS
score, acknowledgements, and other related information, see the CVE pages
listed in the References section.

3. Solution:

See the documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/
4.6/html/serverless_applications/index

4. Bugs fixed (https://bugzilla.redhat.com/):

1874857 - CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers1897643 - CVE-2020-28366 golang: malicious symbol names can lead to code execution at build time
1897646 - CVE-2020-28367 golang: improper validation of cgo flags can lead to code execution at build time
1906381 - Release of OpenShift Serverless Serving 1.12.0
1906382 - Release of OpenShift Serverless Eventing 1.12.0

5. References:

https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-5018
https://access.redhat.com/security/cve/CVE-2019-13050
https://access.redhat.com/security/cve/CVE-2019-13627
https://access.redhat.com/security/cve/CVE-2019-14889
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-16168
https://access.redhat.com/security/cve/CVE-2019-19221
https://access.redhat.com/security/cve/CVE-2019-19906
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20218
https://access.redhat.com/security/cve/CVE-2019-20387
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2019-20454
https://access.redhat.com/security/cve/CVE-2020-1730
https://access.redhat.com/security/cve/CVE-2020-1751
https://access.redhat.com/security/cve/CVE-2020-1752
https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-6405
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-9327
https://access.redhat.com/security/cve/CVE-2020-10029
https://access.redhat.com/security/cve/CVE-2020-13630
https://access.redhat.com/security/cve/CVE-2020-13631
https://access.redhat.com/security/cve/CVE-2020-13632
https://access.redhat.com/security/cve/CVE-2020-24553
https://access.redhat.com/security/cve/CVE-2020-24659
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/cve/CVE-2020-28366
https://access.redhat.com/security/cve/CVE-2020-28367
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYAB9FtzjgjWX9erEAQhy4w/8DkWBfDN8NTwDn5G3DQm7avlhwkCoRMUQ
Vt2xCRU6oj06m1xmmixHjbXldN9E8xmJCA9MPfRolKfqFvgxgLs0ZfQNo51qZu2B
IlnB/flgg2xT6j5LRSB6gUILkgeKnnTQOoldrc6W4snz+TwPxVUDGLWx4UlaO2n1
giniC6RESaACoMBZYijKjaM/PAo665Fajfs91bgcg7YnnYtu6Zbs561CoRDg7rR1
nC9zqJDfPQXj01GhKqkscVxDjhWRxo9Dvk7bdT9fSMK9o6EZiRnE4HXNm4FjzLIw
FXQ1Pd7T6Car3iwN0ZMRLn/aEYPzc3h4d3tAMQj+NwHLX0MnXB61+e2bkoFGEluF
PCTis0uhfQaL9unbrQ1NVKMMcbbztlGh9hjY//RLX/aTvYrGqi2sBlnA6n14dRPy
rc6fdK3GdVI4doC1SnIMI7ZvWv3Jt5Wq5l/AnxWm/+pn68ibIMPyC0vU82bffUtA
aiei6JPY7u3O+JqrlQYVQ2tICySnM2bEbP98emg0bedzkD9JfFOQpg8sxkm+V1qm
Tu2xl/v5jHr70nICzVUF3paztwCvMyeD63pYbtWXPqQmc1IIpCUgTQQwpC+G93Uf
wu2FJ4Vqb2tiqRkI4Ju3WJd1qKyTz+83pkuKHwe845n7D8kRFxEYpmE50lT7eAab
A3H5xDIIYLk=2gLp
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2021-0146:01 Moderate: Release of OpenShift Serverless 1.12.0

Release of OpenShift Serverless 1.12.0 Red Hat Product Security has rated this update as having a security impact of Moderate

Summary

Red Hat OpenShift Serverless 1.12.0 is a generally available release of the OpenShift Serverless Operator.
This version of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform version 4.6, and includes security and bug fixes and enhancements. For more information, see the documentation listed in the References section.
Security Fix(es):
* golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS (CVE-2020-24553)
* golang: math/big: panic during recursive division of very large numbers(CVE-2020-28362)
* golang: malicious symbol names can lead to code execution at build time (CVE-2020-28366)
* golang: improper validation of cgo flags can lead to code execution at build time (CVE-2020-28367)
For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section.



Summary


Solution

See the documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/ 4.6/html/serverless_applications/index

References

https://access.redhat.com/security/cve/CVE-2018-20843 https://access.redhat.com/security/cve/CVE-2019-5018 https://access.redhat.com/security/cve/CVE-2019-13050 https://access.redhat.com/security/cve/CVE-2019-13627 https://access.redhat.com/security/cve/CVE-2019-14889 https://access.redhat.com/security/cve/CVE-2019-15903 https://access.redhat.com/security/cve/CVE-2019-16168 https://access.redhat.com/security/cve/CVE-2019-19221 https://access.redhat.com/security/cve/CVE-2019-19906 https://access.redhat.com/security/cve/CVE-2019-19956 https://access.redhat.com/security/cve/CVE-2019-20218 https://access.redhat.com/security/cve/CVE-2019-20387 https://access.redhat.com/security/cve/CVE-2019-20388 https://access.redhat.com/security/cve/CVE-2019-20454 https://access.redhat.com/security/cve/CVE-2020-1730 https://access.redhat.com/security/cve/CVE-2020-1751 https://access.redhat.com/security/cve/CVE-2020-1752 https://access.redhat.com/security/cve/CVE-2020-1971 https://access.redhat.com/security/cve/CVE-2020-6405 https://access.redhat.com/security/cve/CVE-2020-7595 https://access.redhat.com/security/cve/CVE-2020-9327 https://access.redhat.com/security/cve/CVE-2020-10029 https://access.redhat.com/security/cve/CVE-2020-13630 https://access.redhat.com/security/cve/CVE-2020-13631 https://access.redhat.com/security/cve/CVE-2020-13632 https://access.redhat.com/security/cve/CVE-2020-24553 https://access.redhat.com/security/cve/CVE-2020-24659 https://access.redhat.com/security/cve/CVE-2020-28362 https://access.redhat.com/security/cve/CVE-2020-28366 https://access.redhat.com/security/cve/CVE-2020-28367 https://access.redhat.com/security/updates/classification/#moderate

Package List


Severity
Advisory ID: RHSA-2021:0146-01
Product: Red Hat OpenShift Serverless
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0146
Issued Date: : 2021-01-14
CVE Names: CVE-2018-20843 CVE-2019-5018 CVE-2019-13050 CVE-2019-13627 CVE-2019-14889 CVE-2019-15903 CVE-2019-16168 CVE-2019-19221 CVE-2019-19906 CVE-2019-19956 CVE-2019-20218 CVE-2019-20387 CVE-2019-20388 CVE-2019-20454 CVE-2020-1730 CVE-2020-1751 CVE-2020-1752 CVE-2020-1971 CVE-2020-6405 CVE-2020-7595 CVE-2020-9327 CVE-2020-10029 CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 CVE-2020-24553 CVE-2020-24659 CVE-2020-28362 CVE-2020-28366 CVE-2020-28367

Topic

Release of OpenShift Serverless 1.12.0Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for eachvulnerability. For more information, see the CVE links in the Referencessection.


Topic


 

Relevant Releases Architectures


Bugs Fixed

1874857 - CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS

1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers1897643 - CVE-2020-28366 golang: malicious symbol names can lead to code execution at build time

1897646 - CVE-2020-28367 golang: improper validation of cgo flags can lead to code execution at build time

1906381 - Release of OpenShift Serverless Serving 1.12.0

1906382 - Release of OpenShift Serverless Eventing 1.12.0


Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved