Alerts This Week
Warning Icon 1 692
Alerts This Week
Warning Icon 1 692

Red Hat OpenShift Serverless 1.17.0 RHSA-2021:3556-01 Moderate Threat

red hat
Calendar Grey September 16, 2021
Dist Redhat Esm H88
Cautious notice regarding the roll-out of OpenShift Serverless version 1.17.0, which includes various patch updates for security vulnerabilities. Explore further for additional information.
Release of OpenShift Serverless 1.17.0 Red Hat Product Security has rated this update as having a security impact of Moderate

Solution

See the Red Hat OpenShift Container Platform 4.6 documentation at: https://docs.redhat.com/en/documentation/openshift_container_platform/4.21 4.6/html/serverless/index See the Red Hat OpenShift Container Platform 4.7 documentation at: https://docs.redhat.com/en/documentation/openshift_container_platform/4.21 4.7/html/serverless/index See the Red Hat OpenShift Container Platform 4.8 documentation at: https://docs.redhat.com/en/documentation/openshift_container_platform/4.21 4.8/html/serverless/index

Summary

Red Hat OpenShift Serverless 1.17.0 release of the OpenShift Serverless Operator. This version of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7 and 4.8, and includes security and bug fixes and enhancements. For more information, see the documentation listed in the References section.
Security Fix(es):
* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558) * golang: net: lookup functions may return invalid host names (CVE-2021-33195) * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197) * golang: match/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198) * golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader (CVE-2021-27918) * golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525) * golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196)
It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless client kn 1.16.0. This has been fixed (CVE-2021-3703).
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Topics%20covered

Topics Covered

security advisory moderate red hat security fixes openshift container platform

References

https://access.redhat.com/security/cve/CVE-2016-10228 https://access.redhat.com/security/cve/CVE-2017-14502 https://access.redhat.com/security/cve/CVE-2019-2708 https://access.redhat.com/security/cve/CVE-2019-9169 https://access.redhat.com/security/cve/CVE-2019-25013 https://access.redhat.com/security/cve/CVE-2020-8231 https://access.redhat.com/security/cve/CVE-2020-8284 https://access.redhat.com/security/cve/CVE-2020-8285 https://access.redhat.com/security/cve/CVE-2020-8286 https://access.redhat.com/security/cve/CVE-2020-8927 https://access.redhat.com/security/cve/CVE-2020-13434 https://access.redhat.com/security/cve/CVE-2020-15358 https://access.redhat.com/security/cve/CVE-2020-27618 https://access.redhat.com/security/cve/CVE-2020-28196 https://access.redhat.com/security/cve/CVE-2020-29361 https://access.redhat.com/security/cve/CVE-2020-29362 https://access.redhat.com/security/cve/CVE-2020-29363 https://access.redhat.com/security/cve/CVE-2021-3326 https://access.redhat.com/security/cve/CVE-2021-3421 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-3450 https://access.redhat.com/security/cve/CVE-2021-3516 https://access.redhat.com/security/cve/CVE-2021-3517 https://access.redhat.com/security/cve/CVE-2021-3518 Read the Full Advisory

Package List


Advisory ID: RHSA-2021:3556-01
Product: Red Hat OpenShift Serverless
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3556
Issue date: 2021-09-16

Topic

Release of OpenShift Serverless 1.17.0Red Hat Product Security has rated this update as having a security impactofModerate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVElink(s) in the References section.

Topics%20covered

Topics Covered

security advisory moderate red hat security fixes openshift container platform

Relevant Releases Architectures

Bugs Fixed

1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic

1983651 - Release of OpenShift Serverless Serving 1.17.0

1983654 - Release of OpenShift Serverless Eventing 1.17.0

1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names

1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty

1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents

1992955 - CVE-2021-3703 serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here