-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: Node Maintenance Operator 4.11.1 security update
Advisory ID:       RHSA-2022:6188-01
Product:           RHWA
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6188
Issue date:        2022-08-25
CVE Names:         CVE-2022-1292 CVE-2022-1586 CVE-2022-1705 
                   CVE-2022-1962 CVE-2022-2068 CVE-2022-2097 
                   CVE-2022-28131 CVE-2022-30630 CVE-2022-30631 
                   CVE-2022-30632 CVE-2022-30633 CVE-2022-32148 
====================================================================
1. Summary:

An update for node-maintenance-must-gather-container,
node-maintenance-operator-bundle-container, and
node-maintenance-operator-container is now available for Node Maintenance
Operator 4.11 for RHEL 8. This Operator is delivered by Red Hat Workload
Availability.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

This is an updated release of the Node Maintenance Operator. The Node
Maintenance Operator cordons off nodes from the rest of the cluster and
drains all the pods from the nodes. By placing nodes under maintenance,
administrators can proactively power down nodes, move workloads to other
parts of the cluster, and ensure that workloads do not get interrupted.

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)

* golang: go/parser: stack exhaustion in all Parse* functions
(CVE-2022-1962)

* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

* golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, see the CVE page(s)
listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, see:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

5. References:

https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYwe6gdzjgjWX9erEAQiS+g/+IhfsKqfRH2EJsNNn/WFyeLJxogITZN4l
W5egpFt9cNMXkx9RsKZR287l9vrT7BkhLsNRKkzWsYg1RMPEa36ko5Xf1sGchLHt
mMLJ26mnolPtSVseJgdeczeaMZYo6xvSzx1lmV6MKJJZBAjkhddewYlbijSz8znf
8T+yEG0kMNYzI0Mj8pLb6fldYyYVdKfLwFCXpqA9YxDAN38RtrJiF15R0MD8rhYT
FsIpnthidpK6cKpHHkeOB3R7wN7Opjz92mEzwedFpTJT/gfIiOtCbgpCEjq4Ry3u
rMn4ziM9CknQtk4KMjiJm3/Rv+8osFpWYLsitg4+t0DERCDMhTSCyhPoG6XD1EVH
2T0sY5ZhvH1C9Y0fhCKyx7aJ/0iNsGB/uYgPCo9rkuTpvtfaDdsxhPOZ5kQO6+sN
a21rS1HtWXqXSWBaEQIJRat0HGsSowVsOa9YZc5eXPvedWiCzBCag6Fuqa6ht1wI
+0EKC3O+2G7tk2wbm2mvueQmke9v93aA1ucNCWOE5V4GbbRy6yJKsQbVCErTa+YR
OH/R8n6fBZdTcgPZvKng90Mg94Tkf6fauyTiwkESMiIR3qCMf4M7rC+jQMZnss9v
+4XElYdV1K1f9S7TJ+YpueoXBJaPi+ASbLqAzPey712GAyo/LKIyzJQXkgVlMRF6
CAU70Y4WQpQ=+GUz
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-6188:01 Important: Node Maintenance Operator 4.11.1

An update for node-maintenance-must-gather-container, node-maintenance-operator-bundle-container, and node-maintenance-operator-container is now available for Node Maintenance Oper...

Summary

This is an updated release of the Node Maintenance Operator. The Node Maintenance Operator cordons off nodes from the rest of the cluster and drains all the pods from the nodes. By placing nodes under maintenance, administrators can proactively power down nodes, move workloads to other parts of the cluster, and ensure that workloads do not get interrupted.
Security Fix(es):
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, see the CVE page(s) listed in the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, see:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2022-1292 https://access.redhat.com/security/cve/CVE-2022-1586 https://access.redhat.com/security/cve/CVE-2022-1705 https://access.redhat.com/security/cve/CVE-2022-1962 https://access.redhat.com/security/cve/CVE-2022-2068 https://access.redhat.com/security/cve/CVE-2022-2097 https://access.redhat.com/security/cve/CVE-2022-28131 https://access.redhat.com/security/cve/CVE-2022-30630 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-30632 https://access.redhat.com/security/cve/CVE-2022-30633 https://access.redhat.com/security/cve/CVE-2022-32148 https://access.redhat.com/security/updates/classification/#important

Package List


Severity
Advisory ID: RHSA-2022:6188-01
Product: RHWA
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6188
Issued Date: : 2022-08-25
CVE Names: CVE-2022-1292 CVE-2022-1586 CVE-2022-1705 CVE-2022-1962 CVE-2022-2068 CVE-2022-2097 CVE-2022-28131 CVE-2022-30630 CVE-2022-30631 CVE-2022-30632 CVE-2022-30633 CVE-2022-32148

Topic

An update for node-maintenance-must-gather-container,node-maintenance-operator-bundle-container, andnode-maintenance-operator-container is now available for Node MaintenanceOperator 4.11 for RHEL 8. This Operator is delivered by Red Hat WorkloadAvailability.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob

2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header

2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions

2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working

2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob

2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip

2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal


Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved