RedHat: RHSA-2022-2183:01 Moderate: Release of containers for OSP 16.2.z
Summary
Release osp-director-operator images
Security Fix(es):
* golang: kubernetes: YAML parsing vulnerable to "Billion Laughs" attack,
allowing for remote (CVE-2019-11253)
* golang: golang-github-miekg-dns: predictable TXID can lead to response
forgeries (CVE-2019-19794)
* golang: containerd: unrestricted access to abstract Unix domain socket
can lead to privileges (CVE-2020-15257)
* golang: ulikunitz/xz: Infinite loop in readUvarint allows for denial of
service (CVE-2021-29482)
* golang: containerd: pulling and extracting crafted container image may
result in Unix file permission changes (CVE-2021-32760)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Summary
Solution
OSP 16.2 Release - OSP Director Operator Containers tech preview
References
https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2019-11253 https://access.redhat.com/security/cve/CVE-2019-19794 https://access.redhat.com/security/cve/CVE-2020-15257 https://access.redhat.com/security/cve/CVE-2021-29482 https://access.redhat.com/security/cve/CVE-2021-32760 https://access.redhat.com/security/cve/CVE-2022-1154 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/updates/classification/#moderate
Package List
Topic
Red Hat OpenStack Platform 16.2 (Train) director Operator containers areavailable for technology preview.
Topic
Relevant Releases Architectures
Bugs Fixed
1757701 - CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service
1786761 - CVE-2019-19794 golang-github-miekg-dns: predictable TXID can lead to response forgeries
1899487 - CVE-2020-15257 containerd: unrestricted access to abstract Unix domain socket can lead to privileges escalation
1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service
1982681 - CVE-2021-32760 containerd: pulling and extracting crafted container image may result in Unix file permission changes
2079447 - Rebase tech preview on latest upstream v1.2.x branch