-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps security update
Advisory ID:       RHSA-2022:0580-01
Product:           Red Hat OpenShift GitOps
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0580
Issue date:        2022-02-17
CVE Names:         CVE-2016-4658 CVE-2019-5827 CVE-2019-13750 
                   CVE-2019-13751 CVE-2019-17594 CVE-2019-17595 
                   CVE-2019-18218 CVE-2019-19603 CVE-2019-20838 
                   CVE-2020-12762 CVE-2020-13435 CVE-2020-14145 
                   CVE-2020-14155 CVE-2020-16135 CVE-2020-24370 
                   CVE-2021-3200 CVE-2021-3426 CVE-2021-3445 
                   CVE-2021-3521 CVE-2021-3572 CVE-2021-3580 
                   CVE-2021-3712 CVE-2021-3800 CVE-2021-20231 
                   CVE-2021-20232 CVE-2021-20271 CVE-2021-22876 
                   CVE-2021-22898 CVE-2021-22925 CVE-2021-27645 
                   CVE-2021-28153 CVE-2021-33560 CVE-2021-33574 
                   CVE-2021-35942 CVE-2021-36084 CVE-2021-36085 
                   CVE-2021-36086 CVE-2021-36087 CVE-2021-37750 
                   CVE-2021-39241 CVE-2021-40346 CVE-2021-42574 
                   CVE-2021-43527 CVE-2021-44790 CVE-2022-24348 
====================================================================
1. Summary:

An update for openshift-gitops-applicationset-container,
openshift-gitops-container, openshift-gitops-kam-delivery-container, and
openshift-gitops-operator-container is now available for Red Hat OpenShift
GitOps 1.2. (GitOps v1.2.2)

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Openshift GitOps is a declarative way to implement continuous
deployment for cloud native applications.

Security Fix(es):

* gitops: Path traversal and dereference of symlinks when passing Helm
value files (CVE-2022-24348)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2050826 - CVE-2022-24348 gitops: Path traversal and dereference of symlinks when passing Helm value files

5. References:

https://access.redhat.com/security/cve/CVE-2016-4658
https://access.redhat.com/security/cve/CVE-2019-5827
https://access.redhat.com/security/cve/CVE-2019-13750
https://access.redhat.com/security/cve/CVE-2019-13751
https://access.redhat.com/security/cve/CVE-2019-17594
https://access.redhat.com/security/cve/CVE-2019-17595
https://access.redhat.com/security/cve/CVE-2019-18218
https://access.redhat.com/security/cve/CVE-2019-19603
https://access.redhat.com/security/cve/CVE-2019-20838
https://access.redhat.com/security/cve/CVE-2020-12762
https://access.redhat.com/security/cve/CVE-2020-13435
https://access.redhat.com/security/cve/CVE-2020-14145
https://access.redhat.com/security/cve/CVE-2020-14155
https://access.redhat.com/security/cve/CVE-2020-16135
https://access.redhat.com/security/cve/CVE-2020-24370
https://access.redhat.com/security/cve/CVE-2021-3200
https://access.redhat.com/security/cve/CVE-2021-3426
https://access.redhat.com/security/cve/CVE-2021-3445
https://access.redhat.com/security/cve/CVE-2021-3521
https://access.redhat.com/security/cve/CVE-2021-3572
https://access.redhat.com/security/cve/CVE-2021-3580
https://access.redhat.com/security/cve/CVE-2021-3712
https://access.redhat.com/security/cve/CVE-2021-3800
https://access.redhat.com/security/cve/CVE-2021-20231
https://access.redhat.com/security/cve/CVE-2021-20232
https://access.redhat.com/security/cve/CVE-2021-20271
https://access.redhat.com/security/cve/CVE-2021-22876
https://access.redhat.com/security/cve/CVE-2021-22898
https://access.redhat.com/security/cve/CVE-2021-22925
https://access.redhat.com/security/cve/CVE-2021-27645
https://access.redhat.com/security/cve/CVE-2021-28153
https://access.redhat.com/security/cve/CVE-2021-33560
https://access.redhat.com/security/cve/CVE-2021-33574
https://access.redhat.com/security/cve/CVE-2021-35942
https://access.redhat.com/security/cve/CVE-2021-36084
https://access.redhat.com/security/cve/CVE-2021-36085
https://access.redhat.com/security/cve/CVE-2021-36086
https://access.redhat.com/security/cve/CVE-2021-36087
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/cve/CVE-2021-39241
https://access.redhat.com/security/cve/CVE-2021-40346
https://access.redhat.com/security/cve/CVE-2021-42574
https://access.redhat.com/security/cve/CVE-2021-43527
https://access.redhat.com/security/cve/CVE-2021-44790
https://access.redhat.com/security/cve/CVE-2022-24348
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYg8cxtzjgjWX9erEAQh+MA//Z2h99jxMHmmgFJr/RGbgIv2O6LNJjAi5
nSRxu6EBAbyDYkagGTZ1HZ+99f4qPiqRCf7HHNfEAJVpGWBgaDPoK6zimmn/mJAV
yuYbmsrlxRASB9p1i0dxjMxv0MEQpwGayIghoZpMf74RiO8rjOIURppJLAeBGp4f
3Pb9JPZ1Ww3tj1CYpJiRCuLi5LsFFyqwrKJM3SnqZ1Sj45hR4zOgtUsS7ZQaxnug
W0UcSByxSq7J3S/p9+reSKc7WySKE+k+CxYU9gMCMMyFFg5BKMnPFrimC16tIQXp
26icWiC3fJe2Z/lC86CPBRQkFx3/BimqvBt5dSrXyewcVVg2aznw+KinBc4F3bXi
XZLDy8u4d/01oT0QHpnUV7+PebIToVByaPUl04ewOFFDS+dMIK2tzXs2dnnq+t8S
DkW9Xcvw/iWOPYXKvV8vOwMHV3W3bCbwrFnfxsLmwvxiqYZtjfkJH7nItyxQZ1S9
tXoNrck75h1ZuiI3Cvu/hIMoCOqqr3dYQmUPGV0RHBzi0EzYWpXqNpx3Xwi/tVcf
VhyD/yNSBM8sAEHTtufJEennedAV4LhAyGk4ZWVuCJER0K7DnaL8xIzr3IjM2AEf
Evc4zHUEzEtIwSOFh9EPgrPiflqUmrquDJdGL2EbYiv3ZHFghQJas4ymHfE0xYVT
zkgyLyA+uwM=rtez
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-0580:01 Important: Red Hat OpenShift GitOps security

An update for openshift-gitops-applicationset-container, openshift-gitops-container, openshift-gitops-kam-delivery-container, and openshift-gitops-operator-container is now availab...

Summary

Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.
Security Fix(es):
* gitops: Path traversal and dereference of symlinks when passing Helm value files (CVE-2022-24348)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2016-4658 https://access.redhat.com/security/cve/CVE-2019-5827 https://access.redhat.com/security/cve/CVE-2019-13750 https://access.redhat.com/security/cve/CVE-2019-13751 https://access.redhat.com/security/cve/CVE-2019-17594 https://access.redhat.com/security/cve/CVE-2019-17595 https://access.redhat.com/security/cve/CVE-2019-18218 https://access.redhat.com/security/cve/CVE-2019-19603 https://access.redhat.com/security/cve/CVE-2019-20838 https://access.redhat.com/security/cve/CVE-2020-12762 https://access.redhat.com/security/cve/CVE-2020-13435 https://access.redhat.com/security/cve/CVE-2020-14145 https://access.redhat.com/security/cve/CVE-2020-14155 https://access.redhat.com/security/cve/CVE-2020-16135 https://access.redhat.com/security/cve/CVE-2020-24370 https://access.redhat.com/security/cve/CVE-2021-3200 https://access.redhat.com/security/cve/CVE-2021-3426 https://access.redhat.com/security/cve/CVE-2021-3445 https://access.redhat.com/security/cve/CVE-2021-3521 https://access.redhat.com/security/cve/CVE-2021-3572 https://access.redhat.com/security/cve/CVE-2021-3580 https://access.redhat.com/security/cve/CVE-2021-3712 https://access.redhat.com/security/cve/CVE-2021-3800 https://access.redhat.com/security/cve/CVE-2021-20231 https://access.redhat.com/security/cve/CVE-2021-20232 https://access.redhat.com/security/cve/CVE-2021-20271 https://access.redhat.com/security/cve/CVE-2021-22876 https://access.redhat.com/security/cve/CVE-2021-22898 https://access.redhat.com/security/cve/CVE-2021-22925 https://access.redhat.com/security/cve/CVE-2021-27645 https://access.redhat.com/security/cve/CVE-2021-28153 https://access.redhat.com/security/cve/CVE-2021-33560 https://access.redhat.com/security/cve/CVE-2021-33574 https://access.redhat.com/security/cve/CVE-2021-35942 https://access.redhat.com/security/cve/CVE-2021-36084 https://access.redhat.com/security/cve/CVE-2021-36085 https://access.redhat.com/security/cve/CVE-2021-36086 https://access.redhat.com/security/cve/CVE-2021-36087 https://access.redhat.com/security/cve/CVE-2021-37750 https://access.redhat.com/security/cve/CVE-2021-39241 https://access.redhat.com/security/cve/CVE-2021-40346 https://access.redhat.com/security/cve/CVE-2021-42574 https://access.redhat.com/security/cve/CVE-2021-43527 https://access.redhat.com/security/cve/CVE-2021-44790 https://access.redhat.com/security/cve/CVE-2022-24348 https://access.redhat.com/security/updates/classification/#important

Package List


Severity
Advisory ID: RHSA-2022:0580-01
Product: Red Hat OpenShift GitOps
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0580
Issued Date: : 2022-02-17
CVE Names: CVE-2016-4658 CVE-2019-5827 CVE-2019-13750 CVE-2019-13751 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-19603 CVE-2019-20838 CVE-2020-12762 CVE-2020-13435 CVE-2020-14145 CVE-2020-14155 CVE-2020-16135 CVE-2020-24370 CVE-2021-3200 CVE-2021-3426 CVE-2021-3445 CVE-2021-3521 CVE-2021-3572 CVE-2021-3580 CVE-2021-3712 CVE-2021-3800 CVE-2021-20231 CVE-2021-20232 CVE-2021-20271 CVE-2021-22876 CVE-2021-22898 CVE-2021-22925 CVE-2021-27645 CVE-2021-28153 CVE-2021-33560 CVE-2021-33574 CVE-2021-35942 CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 CVE-2021-36087 CVE-2021-37750 CVE-2021-39241 CVE-2021-40346 CVE-2021-42574 CVE-2021-43527 CVE-2021-44790 CVE-2022-24348

Topic

An update for openshift-gitops-applicationset-container,openshift-gitops-container, openshift-gitops-kam-delivery-container, andopenshift-gitops-operator-container is now available for Red Hat OpenShiftGitOps 1.2. (GitOps v1.2.2)Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2050826 - CVE-2022-24348 gitops: Path traversal and dereference of symlinks when passing Helm value files


Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved