-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Service Mesh 2.2.2 Containers security update
Advisory ID:       RHSA-2022:6283-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6283
Issue date:        2022-08-31
CVE Names:         CVE-2022-1292 CVE-2022-1586 CVE-2022-1785 
                   CVE-2022-1897 CVE-2022-1927 CVE-2022-1962 
                   CVE-2022-2068 CVE-2022-2097 CVE-2022-28131 
                   CVE-2022-30630 CVE-2022-30632 CVE-2022-30633 
                   CVE-2022-30635 CVE-2022-31107 
====================================================================
1. Summary:

Red Hat OpenShift Service Mesh 2.2.2 Containers
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an OpenShift Container
Platform installation.

This advisory covers the RPM packages for the release.

Security Fix(es):

* golang: go/parser: stack exhaustion in all Parse* functions
(CVE-2022-1962)
* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

The OpenShift Service Mesh Release Notes provide information on the
features and known issues:

https://docs.openshift.com/container-platform/4.14/service_mesh/v2x/servicemesh-release-notes.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

5. JIRA issues fixed (https://issues.redhat.com/):

OSSM-1105 - IOR doesn't support a host with namespace/ prefix
OSSM-1205 - Specifying logging parameter will make istio-ingressgateway and istio-egressgateway failed to start
OSSM-1668 - [Regression] jwksResolverCA field in SMCP is missing 
OSSM-1718 - Istio Operator pauses reconciliation when gateway deployed to non-control plane namespace
OSSM-1775 - [Regression] Incorrect 3scale image specified for 2.0 control planes
OSSM-1800 - IOR should copy labels from Gateway to Route
OSSM-1805 - Reconcile SMCP when Kiali is not available
OSSM-1846 - SMCP fails to reconcile when enabling PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER
OSSM-1868 - Container release for Maistra 2.2.2

6. References:

https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-31107
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYw/gG9zjgjWX9erEAQgz3A//Qf/frHx3IhsND00J1kGPomQ0jE1Z1GDN
23bbfOdyHwzNL36LeVglOnMcMHNmYnesiinGyZlsma4qKd1beYpB2tr5/teaTXm1
I0eP6E9phMfhGk20nNinkIy/nH9TTuLuB4bIZ0wc8IYliYwiwfx02uYtwqa6IqSY
PfzsVhNTF+G6NO2fJh77uiR/imiiZ29OUMkVgBzzxBCzouIXvVgMYMuqNZ8zHiEA
hlq1nmNpoNG+8n7xiOy+yEX0yxco66T6msPb0i5fMUCEFC7WJbqQnOkIJnMtK+XQ
9pl8DiOasdEIudYvKbjE3ikWu6KtUH9TMF6RhZbUGVRgR9MQW4vQVcB+6qjeadmb
WxW3uvOJvtmFAMHYU+7WQrlsemmiGt7hVxl5OOiuRHeKWM84PkWgM1k5RqNXsPEz
xklIWIBqHSUL0fKAgSmFTiC3zf8hgmcvqNDiOvon0nTBAHm2r1seQHQnO6h9oCW+
+pGxR3pa0DIX4aaZnmsb0LOOvjuvm0zP4CX5oIRXXxcS14q2N9VrDAN+G/asj7Rb
RIeHzFGXW74/YzSfn0ssg2SeVOjorihTx7NNQpXDKV0OeWH9WgkJuARnRiNJ5Amb
cklWTIWIYxDJkTUV15NNfASyaTC+rnKzQIz0+D4JkLQZyDUiID0nNhO9iBW+aLyG
pPvbYFQAjaQ=UXg5
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-6283:01 Moderate: Red Hat OpenShift Service Mesh 2.2.2

Red Hat OpenShift Service Mesh 2.2.2 Containers Red Hat Product Security has rated this update as having a security impact of Moderate

Summary

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation.
This advisory covers the RPM packages for the release.
Security Fix(es):
* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962) * golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131) * golang: io/fs: stack exhaustion in Glob (CVE-2022-30630) * golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632) * golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633) * golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

The OpenShift Service Mesh Release Notes provide information on the features and known issues:
https://docs.openshift.com/container-platform/4.14/service_mesh/v2x/servicemesh-release-notes.html

References

https://access.redhat.com/security/cve/CVE-2022-1292 https://access.redhat.com/security/cve/CVE-2022-1586 https://access.redhat.com/security/cve/CVE-2022-1785 https://access.redhat.com/security/cve/CVE-2022-1897 https://access.redhat.com/security/cve/CVE-2022-1927 https://access.redhat.com/security/cve/CVE-2022-1962 https://access.redhat.com/security/cve/CVE-2022-2068 https://access.redhat.com/security/cve/CVE-2022-2097 https://access.redhat.com/security/cve/CVE-2022-28131 https://access.redhat.com/security/cve/CVE-2022-30630 https://access.redhat.com/security/cve/CVE-2022-30632 https://access.redhat.com/security/cve/CVE-2022-30633 https://access.redhat.com/security/cve/CVE-2022-30635 https://access.redhat.com/security/cve/CVE-2022-31107 https://access.redhat.com/security/updates/classification/#moderate

Package List


Severity
Advisory ID: RHSA-2022:6283-01
Product: Red Hat OpenShift Service Mesh
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6283
Issued Date: : 2022-08-31
CVE Names: CVE-2022-1292 CVE-2022-1586 CVE-2022-1785 CVE-2022-1897 CVE-2022-1927 CVE-2022-1962 CVE-2022-2068 CVE-2022-2097 CVE-2022-28131 CVE-2022-30630 CVE-2022-30632 CVE-2022-30633 CVE-2022-30635 CVE-2022-31107

Topic

Red Hat OpenShift Service Mesh 2.2.2 ContainersRed Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob

2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions

2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob

2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode

2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip

2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

5. JIRA issues fixed (https://issues.redhat.com/):

OSSM-1105 - IOR doesn't support a host with namespace/ prefix

OSSM-1205 - Specifying logging parameter will make istio-ingressgateway and istio-egressgateway failed to start

OSSM-1668 - [Regression] jwksResolverCA field in SMCP is missing

OSSM-1718 - Istio Operator pauses reconciliation when gateway deployed to non-control plane namespace

OSSM-1775 - [Regression] Incorrect 3scale image specified for 2.0 control planes

OSSM-1800 - IOR should copy labels from Gateway to Route

OSSM-1805 - Reconcile SMCP when Kiali is not available

OSSM-1846 - SMCP fails to reconcile when enabling PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER

OSSM-1868 - Container release for Maistra 2.2.2


Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved