RedHat: RHSA-2021-3229:01 Moderate: Red Hat OpenShift Jaeger 1.20.5...

Advisories

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Jaeger 1.20.5 security update
Advisory ID:       RHSA-2021:3229-01
Product:           Red Hat OpenShift Jaeger
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3229
Issue date:        2021-08-19
CVE Names:         CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 
                   CVE-2021-3520 CVE-2021-3537 CVE-2021-3541 
                   CVE-2021-20271 CVE-2021-27218 CVE-2021-33195 
                   CVE-2021-33196 CVE-2021-33197 CVE-2021-33198 
                   CVE-2021-34558 
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Jaeger 1.20.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Jaeger is Red Hat's distribution of the Jaeger project,
tailored for installation into an on-premise OpenShift Container Platform
installation.

Security Fix(es):

* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)

* golang: archive/zip: Malformed archive may cause panic or memory
exhaustion (CVE-2021-33196)

* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)

* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://docs.openshift.com/container-platform/4.8/jaeger/jaeger_install/rhb
jaeger-updating.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1965503 - CVE-2021-33196 golang: archive/zip: malformed archive may cause panic or memory exhaustion
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents

5. JIRA issues fixed (https://issues.jboss.org/):

TRACING-2083 - Rebuild product images to address CVE-2021-33910 - Jaeger components 1.20
TRACING-2087 - Jaeger agent sidecar injection failed due to missing configmaps in the application namespace

6. References:

https://access.redhat.com/security/cve/CVE-2021-3516
https://access.redhat.com/security/cve/CVE-2021-3517
https://access.redhat.com/security/cve/CVE-2021-3518
https://access.redhat.com/security/cve/CVE-2021-3520
https://access.redhat.com/security/cve/CVE-2021-3537
https://access.redhat.com/security/cve/CVE-2021-3541
https://access.redhat.com/security/cve/CVE-2021-20271
https://access.redhat.com/security/cve/CVE-2021-27218
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33196
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYSe+U9zjgjWX9erEAQjimg/9Fug7VxW34Ep6HrD5PdEIRglBG98d8LnX
H3oeBRggdW+aazEy+HFWOAgsU3P2eCJ4EA+dRDoyv+mcZQ/qj1k+VEsc38kEmRbY
7nilI3qmi4TXZnpsP7x0eERC5FOOXNP3yIRE1c8+4+BNab1kXSFn7JwFZTZKHjAP
5K0YGRcKwIYKIkn0tZHQD52m/OwQCtoc+qaVuG3ommwVOhzfp0Wn8w/6iPqvHoMV
9C6bklRT4XiCWbhi/TQrUondiLb0KizypqwMSyMbEcuJqRKxvCJDdM7cyzgIGdRg
7hKaFwSV+VgD8Z4z+YlUyKA4aScWC9/cAvrew2+pWO1ieMKh3lWTbRQmMd5vlEe5
Ff6WWnrdpt7A+Zgue9sAae4o9orTPVoIvPfHmPBnMX7ehq/wrya7R5R8riqPwH35
nyZxM1Ob0Abi2qHMwkAAbAndTJoUkIfD0p+xJr80yWWFDYx+a/jAKt/BmkIhUWnj
qZVQjCX6QlrPQ+zdOtFtKCZ0sSvxdSv8S24BpAAVPxW50fLqXbffPMropAwfheRe
5VvW/EUJq89HjB1ZNI7C7Rq0AJsH1T3KvikWVXkyWVok5l5CkVG2//2PQlTWK+cW
hvcQVN5Kc1RuHdZvW/uP9aE3nSPlV7d7zNLDCHoIV9fyLUM++11odYqye13APtj3
2/+L9sCWFcs=
=JVDm
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2021-3229:01 Moderate: Red Hat OpenShift Jaeger 1.20.5

An update is now available for Red Hat OpenShift Jaeger 1.20

Summary

Red Hat OpenShift Jaeger is Red Hat's distribution of the Jaeger project, tailored for installation into an on-premise OpenShift Container Platform installation.
Security Fix(es):
* golang: net: lookup functions may return invalid host names (CVE-2021-33195)
* golang: archive/zip: Malformed archive may cause panic or memory exhaustion (CVE-2021-33196)
* golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changesdescribed in this advisory, refer to:https://docs.openshift.com/container-platform/4.8/jaeger/jaeger_install/rhbjaeger-updating.html

References

https://access.redhat.com/security/cve/CVE-2021-3516 https://access.redhat.com/security/cve/CVE-2021-3517 https://access.redhat.com/security/cve/CVE-2021-3518 https://access.redhat.com/security/cve/CVE-2021-3520 https://access.redhat.com/security/cve/CVE-2021-3537 https://access.redhat.com/security/cve/CVE-2021-3541 https://access.redhat.com/security/cve/CVE-2021-20271 https://access.redhat.com/security/cve/CVE-2021-27218 https://access.redhat.com/security/cve/CVE-2021-33195 https://access.redhat.com/security/cve/CVE-2021-33196 https://access.redhat.com/security/cve/CVE-2021-33197 https://access.redhat.com/security/cve/CVE-2021-33198 https://access.redhat.com/security/cve/CVE-2021-34558 https://access.redhat.com/security/updates/classification/#moderate

Package List

Severity
Advisory ID: RHSA-2021:3229-01
Product: Red Hat OpenShift Jaeger
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3229
Issued Date: : 2021-08-19
CVE Names: CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 CVE-2021-3541 CVE-2021-20271 CVE-2021-27218 CVE-2021-33195 CVE-2021-33196 CVE-2021-33197 CVE-2021-33198 CVE-2021-34558

Topic

An update is now available for Red Hat OpenShift Jaeger 1.20.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

1965503 - CVE-2021-33196 golang: archive/zip: malformed archive may cause panic or memory exhaustion

1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic

1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names

1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty

1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents

5. JIRA issues fixed (https://issues.jboss.org/):

TRACING-2083 - Rebuild product images to address CVE-2021-33910 - Jaeger components 1.20

TRACING-2087 - Jaeger agent sidecar injection failed due to missing configmaps in the application namespace

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.