-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps security update
Advisory ID:       RHSA-2022:0580-01
Product:           Red Hat OpenShift GitOps
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0580
Issue date:        2022-02-17
CVE Names:         CVE-2016-4658 CVE-2019-5827 CVE-2019-13750 
                   CVE-2019-13751 CVE-2019-17594 CVE-2019-17595 
                   CVE-2019-18218 CVE-2019-19603 CVE-2019-20838 
                   CVE-2020-12762 CVE-2020-13435 CVE-2020-14145 
                   CVE-2020-14155 CVE-2020-16135 CVE-2020-24370 
                   CVE-2021-3200 CVE-2021-3426 CVE-2021-3445 
                   CVE-2021-3521 CVE-2021-3572 CVE-2021-3580 
                   CVE-2021-3712 CVE-2021-3800 CVE-2021-20231 
                   CVE-2021-20232 CVE-2021-20271 CVE-2021-22876 
                   CVE-2021-22898 CVE-2021-22925 CVE-2021-27645 
                   CVE-2021-28153 CVE-2021-33560 CVE-2021-33574 
                   CVE-2021-35942 CVE-2021-36084 CVE-2021-36085 
                   CVE-2021-36086 CVE-2021-36087 CVE-2021-37750 
                   CVE-2021-39241 CVE-2021-40346 CVE-2021-42574 
                   CVE-2021-43527 CVE-2021-44790 CVE-2022-24348 
=====================================================================

1. Summary:

An update for openshift-gitops-applicationset-container,
openshift-gitops-container, openshift-gitops-kam-delivery-container, and
openshift-gitops-operator-container is now available for Red Hat OpenShift
GitOps 1.2. (GitOps v1.2.2)

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Openshift GitOps is a declarative way to implement continuous
deployment for cloud native applications.

Security Fix(es):

* gitops: Path traversal and dereference of symlinks when passing Helm
value files (CVE-2022-24348)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2050826 - CVE-2022-24348 gitops: Path traversal and dereference of symlinks when passing Helm value files

5. References:

https://access.redhat.com/security/cve/CVE-2016-4658
https://access.redhat.com/security/cve/CVE-2019-5827
https://access.redhat.com/security/cve/CVE-2019-13750
https://access.redhat.com/security/cve/CVE-2019-13751
https://access.redhat.com/security/cve/CVE-2019-17594
https://access.redhat.com/security/cve/CVE-2019-17595
https://access.redhat.com/security/cve/CVE-2019-18218
https://access.redhat.com/security/cve/CVE-2019-19603
https://access.redhat.com/security/cve/CVE-2019-20838
https://access.redhat.com/security/cve/CVE-2020-12762
https://access.redhat.com/security/cve/CVE-2020-13435
https://access.redhat.com/security/cve/CVE-2020-14145
https://access.redhat.com/security/cve/CVE-2020-14155
https://access.redhat.com/security/cve/CVE-2020-16135
https://access.redhat.com/security/cve/CVE-2020-24370
https://access.redhat.com/security/cve/CVE-2021-3200
https://access.redhat.com/security/cve/CVE-2021-3426
https://access.redhat.com/security/cve/CVE-2021-3445
https://access.redhat.com/security/cve/CVE-2021-3521
https://access.redhat.com/security/cve/CVE-2021-3572
https://access.redhat.com/security/cve/CVE-2021-3580
https://access.redhat.com/security/cve/CVE-2021-3712
https://access.redhat.com/security/cve/CVE-2021-3800
https://access.redhat.com/security/cve/CVE-2021-20231
https://access.redhat.com/security/cve/CVE-2021-20232
https://access.redhat.com/security/cve/CVE-2021-20271
https://access.redhat.com/security/cve/CVE-2021-22876
https://access.redhat.com/security/cve/CVE-2021-22898
https://access.redhat.com/security/cve/CVE-2021-22925
https://access.redhat.com/security/cve/CVE-2021-27645
https://access.redhat.com/security/cve/CVE-2021-28153
https://access.redhat.com/security/cve/CVE-2021-33560
https://access.redhat.com/security/cve/CVE-2021-33574
https://access.redhat.com/security/cve/CVE-2021-35942
https://access.redhat.com/security/cve/CVE-2021-36084
https://access.redhat.com/security/cve/CVE-2021-36085
https://access.redhat.com/security/cve/CVE-2021-36086
https://access.redhat.com/security/cve/CVE-2021-36087
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/cve/CVE-2021-39241
https://access.redhat.com/security/cve/CVE-2021-40346
https://access.redhat.com/security/cve/CVE-2021-42574
https://access.redhat.com/security/cve/CVE-2021-43527
https://access.redhat.com/security/cve/CVE-2021-44790
https://access.redhat.com/security/cve/CVE-2022-24348
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYg8cxtzjgjWX9erEAQh+MA//Z2h99jxMHmmgFJr/RGbgIv2O6LNJjAi5
nSRxu6EBAbyDYkagGTZ1HZ+99f4qPiqRCf7HHNfEAJVpGWBgaDPoK6zimmn/mJAV
yuYbmsrlxRASB9p1i0dxjMxv0MEQpwGayIghoZpMf74RiO8rjOIURppJLAeBGp4f
3Pb9JPZ1Ww3tj1CYpJiRCuLi5LsFFyqwrKJM3SnqZ1Sj45hR4zOgtUsS7ZQaxnug
W0UcSByxSq7J3S/p9+reSKc7WySKE+k+CxYU9gMCMMyFFg5BKMnPFrimC16tIQXp
26icWiC3fJe2Z/lC86CPBRQkFx3/BimqvBt5dSrXyewcVVg2aznw+KinBc4F3bXi
XZLDy8u4d/01oT0QHpnUV7+PebIToVByaPUl04ewOFFDS+dMIK2tzXs2dnnq+t8S
DkW9Xcvw/iWOPYXKvV8vOwMHV3W3bCbwrFnfxsLmwvxiqYZtjfkJH7nItyxQZ1S9
tXoNrck75h1ZuiI3Cvu/hIMoCOqqr3dYQmUPGV0RHBzi0EzYWpXqNpx3Xwi/tVcf
VhyD/yNSBM8sAEHTtufJEennedAV4LhAyGk4ZWVuCJER0K7DnaL8xIzr3IjM2AEf
Evc4zHUEzEtIwSOFh9EPgrPiflqUmrquDJdGL2EbYiv3ZHFghQJas4ymHfE0xYVT
zkgyLyA+uwM=
=rtez
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce