RedHat: RHSA-2022-2183:01 Moderate: Release of containers for OSP 1...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Release of containers for OSP 16.2.z director operator tech preview
Advisory ID:       RHSA-2022:2183-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:2183
Issue date:        2022-05-11
CVE Names:         CVE-2018-25032 CVE-2019-11253 CVE-2019-19794 
                   CVE-2020-15257 CVE-2021-29482 CVE-2021-32760 
                   CVE-2022-1154 CVE-2022-1271 
=====================================================================

1. Summary:

Red Hat OpenStack Platform 16.2 (Train) director Operator containers are
available for technology preview.

2. Description:

Release osp-director-operator images

Security Fix(es):

* golang:  kubernetes: YAML parsing vulnerable to "Billion Laughs" attack,
allowing for remote (CVE-2019-11253)
* golang: golang-github-miekg-dns: predictable TXID can lead to response
forgeries (CVE-2019-19794)
* golang: containerd: unrestricted access to abstract Unix domain socket
can lead to privileges (CVE-2020-15257)
* golang: ulikunitz/xz: Infinite loop in readUvarint allows for denial of
service (CVE-2021-29482)
* golang: containerd: pulling and extracting crafted container image may
result in Unix file permission changes (CVE-2021-32760)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

3. Solution:

OSP 16.2 Release - OSP Director Operator Containers tech preview

4. Bugs fixed (https://bugzilla.redhat.com/):

1757701 - CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service
1786761 - CVE-2019-19794 golang-github-miekg-dns: predictable TXID can lead to response forgeries
1899487 - CVE-2020-15257 containerd: unrestricted access to abstract Unix domain socket can lead to privileges escalation
1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service
1982681 - CVE-2021-32760 containerd: pulling and extracting crafted container image may result in Unix file permission changes
2079447 - Rebase tech preview on latest upstream v1.2.x branch

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2019-11253
https://access.redhat.com/security/cve/CVE-2019-19794
https://access.redhat.com/security/cve/CVE-2020-15257
https://access.redhat.com/security/cve/CVE-2021-29482
https://access.redhat.com/security/cve/CVE-2021-32760
https://access.redhat.com/security/cve/CVE-2022-1154
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYnvx49zjgjWX9erEAQifFg//TCQNGh/8hkZ1S3v71P6N+j3RHuuxNg3G
1vq4Per7WcfFjeyBw/LCFp+Ul8Qb7XgtAAY1L5FW4m6uUgrgqcd3RtGS1m5xbO9/
jyRo90kvUEfh1kIJXFVBf5OOI9r0BaYcxlmdAmL7nDZTTQJyjjSHKv0XN/4Ic7r7
+R6TtwDNy2RlcPY6pggctR6MuxxUqsgkVWcfHBABcdvMyF2XEmrPkC9tzQXx6BdP
8HpxlvD2J/MXthqAcKxqPEmszOV41JTwsi/SFdk+5aA5XLlFwrNHvCRyK0FANO0P
sM1EdU1ZnUK/Jo0G2xmMG+aExLC1IPaAQ0yA0LvBoV0Wh0oh3pJDB+8BVjnCJk3o
AwdcNb+FOUaI4ZHlJ0wMQki97HyBazTG3NMVCfvko8/LCgkBA8ROQRSxOOjxhG0J
T5uO0QYi16wWUQMmBj9S2LW0IX/iTpI4POTlVXD6b9PUR3WQ4bki4s1D61Ub7Uny
/QCRDMAxQSZ4xFhfX+d3Q3V35C9Kyg3Bhce5KdDGmp1mVZRh1NmG46IW/1/GWfpv
JljVcvbWH/4+rRF3fN7h2jAULRRziCeLin+noj1hqPTR+5DnNbGammKZjU8RafcA
4WbJO5kCqE4mjSfzPgyd26CxzES5vtlIpjYlglGfNwcCOc/oXshtARjrusOHfb1r
uegJW1UHUAo=
=ny/g
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-2183:01 Moderate: Release of containers for OSP 16.2.z

Red Hat OpenStack Platform 16.2 (Train) director Operator containers are available for technology preview

Summary

Release osp-director-operator images
Security Fix(es):
* golang: kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote (CVE-2019-11253) * golang: golang-github-miekg-dns: predictable TXID can lead to response forgeries (CVE-2019-19794) * golang: containerd: unrestricted access to abstract Unix domain socket can lead to privileges (CVE-2020-15257) * golang: ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (CVE-2021-29482) * golang: containerd: pulling and extracting crafted container image may result in Unix file permission changes (CVE-2021-32760)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.

Solution

OSP 16.2 Release - OSP Director Operator Containers tech preview

References

https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2019-11253 https://access.redhat.com/security/cve/CVE-2019-19794 https://access.redhat.com/security/cve/CVE-2020-15257 https://access.redhat.com/security/cve/CVE-2021-29482 https://access.redhat.com/security/cve/CVE-2021-32760 https://access.redhat.com/security/cve/CVE-2022-1154 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/updates/classification/#moderate

Package List

Severity
Advisory ID: RHSA-2022:2183-01
Product: Red Hat OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2022:2183
Issued Date: : 2022-05-11
CVE Names: CVE-2018-25032 CVE-2019-11253 CVE-2019-19794 CVE-2020-15257 CVE-2021-29482 CVE-2021-32760 CVE-2022-1154 CVE-2022-1271

Topic

Red Hat OpenStack Platform 16.2 (Train) director Operator containers areavailable for technology preview.

Relevant Releases Architectures

Bugs Fixed

1757701 - CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service

1786761 - CVE-2019-19794 golang-github-miekg-dns: predictable TXID can lead to response forgeries

1899487 - CVE-2020-15257 containerd: unrestricted access to abstract Unix domain socket can lead to privileges escalation

1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service

1982681 - CVE-2021-32760 containerd: pulling and extracting crafted container image may result in Unix file permission changes

2079447 - Rebase tech preview on latest upstream v1.2.x branch

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.