====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem 5.4.3 - Red Hat OpenShift security update
Advisory ID:       RHSA-2022:5556-01
Product:           RHOL
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5556
Issue date:        2022-07-18
CVE Names:         CVE-2020-28915 CVE-2021-38561 CVE-2021-40528 
                   CVE-2022-1271 CVE-2022-1621 CVE-2022-1629 
                   CVE-2022-22576 CVE-2022-25313 CVE-2022-25314 
                   CVE-2022-26691 CVE-2022-27666 CVE-2022-27774 
                   CVE-2022-27776 CVE-2022-27782 CVE-2022-29824 
====================================================================
1. Summary:

Logging Subsystem 5.4.3 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.4.3 - Red Hat OpenShift

Security Fix(es):

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS
(CVE-2021-38561)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.10 see the following documentation,
which will be updated shortly, for detailed release notes:

https://docs.openshift.com/container-platform/4.10/logging/cluster-logging-release-notes.html

For Red Hat OpenShift Logging 5.4, see the following instructions to apply
this update:

https://docs.openshift.com/container-platform/4.10/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-2536 - Setting up ODF S3 for loki 
LOG-2640 - [release-5.4] FluentdQueueLengthIncreasing rule failing to be evaluated.
LOG-2757 - [release-5.4] index rollover cronjob fails on openshift-logging operator
LOG-2762 - [release-5.4] Events and CLO csv are not collected after running `oc adm must-gather --image=$downstream-clo-image`
LOG-2780 - Loki cannot send logs after upgrade to 5.4.3 from 5.4.2 with 'http'
LOG-2781 - OpenShift Logging Dashboard for Elastic Shards shows "active_primary" instead of "active" shards.
LOG-2786 - [release-5.4] Token not added to Vector config when forwarding logs to Lokistack with Token+CA bundle.
LOG-2791 - [release-5.4] ElasticSearch operator does not respect referencePolicy when selecting oauth-proxy image

6. References:

https://access.redhat.com/security/cve/CVE-2020-28915
https://access.redhat.com/security/cve/CVE-2021-38561
https://access.redhat.com/security/cve/CVE-2021-40528
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-1621
https://access.redhat.com/security/cve/CVE-2022-1629
https://access.redhat.com/security/cve/CVE-2022-22576
https://access.redhat.com/security/cve/CVE-2022-25313
https://access.redhat.com/security/cve/CVE-2022-25314
https://access.redhat.com/security/cve/CVE-2022-26691
https://access.redhat.com/security/cve/CVE-2022-27666
https://access.redhat.com/security/cve/CVE-2022-27774
https://access.redhat.com/security/cve/CVE-2022-27776
https://access.redhat.com/security/cve/CVE-2022-27782
https://access.redhat.com/security/cve/CVE-2022-29824
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
