-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Secondary Scheduler Operator for Red Hat OpenShift 1.1.0 security update
Advisory ID:       RHSA-2022:6152-01
Product:           OSSO
Advisory URL:
Issue date:        2022-09-01
CVE Names:         CVE-2022-1705 CVE-2022-1962 CVE-2022-24675 
                   CVE-2022-28131 CVE-2022-28327 CVE-2022-30629 
                   CVE-2022-30630 CVE-2022-30631 CVE-2022-30632 
                   CVE-2022-30633 CVE-2022-30635 CVE-2022-32148 
====================================================================
1. Summary:

Secondary Scheduler Operator for Red Hat OpenShift 1.1.0

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Secondary Scheduler Operator for Red Hat OpenShift 1.1.0

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)
* golang: go/parser: stack exhaustion in all Parse* functions
(CVE-2022-1962)
* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
* golang: crypto/elliptic: panic caused by oversized scalar
(CVE-2022-28327)
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
* golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)
* golang: crypto/tls: session tickets lack random ticket_age_add
(CVE-2022-30629)
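One of the listed fixes, CVE-2022-32148, concerns httputil.ReverseProxy adding the client IP to X-Forwarded-For even when a Director had asked for the header to be omitted by storing a nil value under that key. The program below is an added example (not part of this advisory or of the operator's code) that checks which behaviour the Go toolchain in use actually exhibits: it pushes one constructed request, with a constructed TEST-NET-3 client address, through NewSingleHostReverseProxy with an in-memory Transport, so no socket is opened and no upstream is contacted. The upstream URL backend.invalid and the client address are placeholders.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// roundTripFunc lets a plain function act as the proxy's Transport, so the
// outbound request is captured in memory and no network connection is made.
type roundTripFunc func(*http.Request) (*http.Response, error)

func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// ForwardedForSeenByBackend builds a single-host reverse proxy, optionally asks
// it to omit X-Forwarded-For (nil slice under the key, as documented for
// ReverseProxy), sends one constructed client request through it and returns
// the X-Forwarded-For value the backend would have received. An empty string
// means the header was omitted; on a toolchain affected by CVE-2022-32148 the
// client IP would leak through even with omit=true.
func ForwardedForSeenByBackend(omit bool) string {
	backend, err := url.Parse("http://backend.invalid") // placeholder upstream, never contacted
	if err != nil {
		panic(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(backend)

	director := proxy.Director
	proxy.Director = func(req *http.Request) {
		director(req)
		if omit {
			req.Header["X-Forwarded-For"] = nil
		}
	}

	var seen string
	proxy.Transport = roundTripFunc(func(r *http.Request) (*http.Response, error) {
		seen = r.Header.Get("X-Forwarded-For")
		return &http.Response{
			StatusCode: http.StatusOK,
			Header:     make(http.Header),
			Body:       io.NopCloser(strings.NewReader("ok")),
			Request:    r,
		}, nil
	})

	req := httptest.NewRequest(http.MethodGet, "http://example.test/healthz", nil)
	req.RemoteAddr = "203.0.113.7:40001" // constructed client address (TEST-NET-3)
	proxy.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	fmt.Printf("default behaviour, backend sees X-Forwarded-For=%q\n", ForwardedForSeenByBackend(false))
	fmt.Printf("Director asked to omit, backend sees X-Forwarded-For=%q\n", ForwardedForSeenByBackend(true))
}
```

With a fixed toolchain the second line prints an empty value; a non-empty value there means the proxy is still exposing client addresses to the backend despite the omission request, which is the condition the advisory's fix addresses.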

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For Secondary Scheduler Operator 1.1.0 see the following documentation, which
will be updated shortly, for detailed release notes:

For more information on Secondary Scheduler Operator for Red Hat OpenShift
1.1.0, see the following release notes:

https://docs.openshift.com/container-platform/4.11/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-release-notes.html#secondary-scheduler-operator-release-notes-1.1.0

4. Bugs fixed (https://bugzilla.redhat.com/):

2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2105001 - [SSO] Secondary scheduler version is shown as unknown in the operator logs
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

5. JIRA issues fixed (https://issues.redhat.com/):

WRKLDS-466 - Secondary Scheduler Operator for Red Hat OpenShift 1.1 release

6. References:

https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-24675
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-28327
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYxCI69zjgjWX9erEAQhXXxAAosQlZxGWGILaGuYUJr/S/jXROYtor0Wv
z8na9oZNTgJG086tiPehf+HAUIbwIRlExUg/fI0TkkQILou0JDqDKbMfxuvZ3You
vgUzKoLHnf541JJp1tjLFbHl+dcG1ohoXEFdh6UpmhxILu56hnC7jB7hfAXnye/E
wIwwtRkG7tzS2f81vFG1TwWunVddvtNy6ITnqkBLWvjRP0ihk6mBt4iBz4NOKYFi
x/7TRZUGV+ILeP++g7qsbehOwZLj2p9NzqE2cRw/A1DP3WVRglKaGuhd46kR9mtn
o0LK9jSBJ0QMPXDvEk52PU4J8yDqhhvTWSeCrFg0rwC3Xd3/41xxKTo9htbLOHfQ
Ei359sevhBTpLH1sdS7/jjmd8jMYe9CZXxk0Ck87e+T17MXOyKVHSsMFjZR1Pgfu
wXAMZaIut1l23RA+3T79jYUnrbB+zD4rDk5mwLuurO8n6y7Bw1Dr1Rr2r1mKgr7N
rxIpHDhw2nWjEhnhl91+2r2ucLvfD6qqsdnV58XTKdLUqNbYAOL1p3tGljqmUVsH
f2YWDoEc3LpbVoT12xbxqnmJRQGmWwfsNRY4tr6w+qVHgKjBAjMGaDhd4gIVEuGi
08mdVFBRqUPBbkIZu9ku5Eh8dgg2NcOFN1naDYb3AaNJp7+garNbcGFL1lIK0cBM
ZO93shdrUmc=3goO
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
