-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh 2.1.3 Containers security update
Advisory ID:       RHSA-2022:5006-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5006
Issue date:        2022-06-13
CVE Names:         CVE-2018-25032 CVE-2021-3634 CVE-2021-3737 
                   CVE-2021-3981 CVE-2021-4189 CVE-2021-25219 
                   CVE-2021-38185 CVE-2021-43813 CVE-2022-1154 
                   CVE-2022-1271 CVE-2022-1650 CVE-2022-23772 
                   CVE-2022-23773 CVE-2022-23806 CVE-2022-24675 
                   CVE-2022-24785 CVE-2022-28327 CVE-2022-29224 
                   CVE-2022-29225 CVE-2022-29226 CVE-2022-29228 
                   CVE-2022-31045 
====================================================================
1. Summary:

Red Hat OpenShift Service Mesh 2.1.3.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for deployment on an on-premise
OpenShift Container Platform installation.

This advisory covers the RPM packages for the release.

Security Fix(es):

* eventsource: Exposure of Sensitive Information (CVE-2022-1650)
* golang: crypto/elliptic IsOnCurve returns true for invalid field elements
(CVE-2022-23806)
* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* golang: crypto/elliptic: panic caused by oversized scalar
(CVE-2022-28327)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2053429 - CVE-2022-23806 golang: crypto/elliptic IsOnCurve returns true for invalid field elements
2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information

5. JIRA issues fixed (https://issues.jboss.org/):

OSSM-1609 - Rebuild Kiali Server and Operator container 1.36 to pick up base image CVE fixes
OSSM-1617 - Container release for Maistra 2.1.3

6. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2021-3634
https://access.redhat.com/security/cve/CVE-2021-3737
https://access.redhat.com/security/cve/CVE-2021-3981
https://access.redhat.com/security/cve/CVE-2021-4189
https://access.redhat.com/security/cve/CVE-2021-25219
https://access.redhat.com/security/cve/CVE-2021-38185
https://access.redhat.com/security/cve/CVE-2021-43813
https://access.redhat.com/security/cve/CVE-2022-1154
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-1650
https://access.redhat.com/security/cve/CVE-2022-23772
https://access.redhat.com/security/cve/CVE-2022-23773
https://access.redhat.com/security/cve/CVE-2022-23806
https://access.redhat.com/security/cve/CVE-2022-24675
https://access.redhat.com/security/cve/CVE-2022-24785
https://access.redhat.com/security/cve/CVE-2022-28327
https://access.redhat.com/security/cve/CVE-2022-29224
https://access.redhat.com/security/cve/CVE-2022-29225
https://access.redhat.com/security/cve/CVE-2022-29226
https://access.redhat.com/security/cve/CVE-2022-29228
https://access.redhat.com/security/cve/CVE-2022-31045
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce