-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem 5.5.4 - Red Hat OpenShift security update
Advisory ID:       RHSA-2022:7434-01
Product:           Logging Subsystem for Red Hat OpenShift
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7434
Issue date:        2022-11-10
CVE Names:         CVE-2020-35525 CVE-2020-35527 CVE-2022-0494 
                   CVE-2022-1353 CVE-2022-2509 CVE-2022-2588 
                   CVE-2022-3515 CVE-2022-21618 CVE-2022-21619 
                   CVE-2022-21624 CVE-2022-21626 CVE-2022-21628 
                   CVE-2022-23816 CVE-2022-23825 CVE-2022-29900 
                   CVE-2022-29901 CVE-2022-32149 CVE-2022-37434 
                   CVE-2022-39399 CVE-2022-40674 
====================================================================
1. Summary:

Logging Subsystem 5.5.4 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.5.4 - Red Hat OpenShift

Security Fix(es):

* golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time
to parse complex tags (CVE-2022-32149)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
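
CVE-2022-32149 is a denial-of-service issue in golang.org/x/text: ParseAcceptLanguage can be made to spend a long time on a crafted Accept-Language header. The module is compiled into Go binaries, so whether a given container image is affected comes down to which golang.org/x/text version its binaries were built against. The following Go program is an added example, not Red Hat code and not part of this advisory: it reads the module list that Go 1.18+ embeds in every binary (the same data `go version -m` prints) and reports whether golang.org/x/text is linked in at a version older than v0.3.8, the first release carrying the fix (Go vulnerability database entry GO-2022-1059). The binary paths you pass in, and the idea of pulling binaries out of the logging images with `oc image extract`, are assumptions about your workflow; the v0.3.8 threshold comes from the CVE record, not from this advisory.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Module path and first fixed release for CVE-2022-32149 (Go vuln DB GO-2022-1059).
const (
	xTextPath  = "golang.org/x/text"
	xTextFixed = "v0.3.8"
)

// parseSemver splits "v0.3.7", "v0.3.8-0.2022...-abcdef" (a pseudo-version) or
// "v0.4.0+incompatible" into its numeric core plus a pre-release flag.
func parseSemver(v string) (core [3]int, pre, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // build metadata has no ordering
	v, _, pre = strings.Cut(v, "-")                        // pre-release sorts before the release
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return core, pre, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return core, pre, false
		}
		core[i] = n
	}
	return core, pre, true
}

// olderThan reports whether version a sorts before version b under semver rules.
func olderThan(a, b string) (bool, error) {
	ca, pa, oka := parseSemver(a)
	cb, pb, okb := parseSemver(b)
	if !oka || !okb {
		return false, fmt.Errorf("unparseable version %q or %q", a, b)
	}
	for i := range ca {
		if ca[i] != cb[i] {
			return ca[i] < cb[i], nil
		}
	}
	return pa && !pb, nil
}

type Finding struct {
	Present    bool   // module is in the binary's dependency list
	Version    string // effective version after any replace directive ("" if unknown)
	Vulnerable bool   // Version is older than xTextFixed
}

// CheckDeps walks the module list embedded in a Go binary. A replace directive that
// points at a local directory carries no version, so such a binary comes back
// Present with an empty Version and Vulnerable=false: not decidable from metadata.
func CheckDeps(deps []*debug.Module) (Finding, error) {
	for _, d := range deps {
		if d.Path != xTextPath {
			continue
		}
		eff := d
		if d.Replace != nil {
			eff = d.Replace
		}
		f := Finding{Present: true, Version: eff.Version}
		if eff.Version == "" {
			return f, nil
		}
		older, err := olderThan(eff.Version, xTextFixed)
		f.Vulnerable = older
		return f, err
	}
	return Finding{}, nil
}

// CheckBinary reads the build info that `go version -m` would print from an
// executable on disk (Go 1.18+ binaries) and applies CheckDeps to it.
func CheckBinary(path string) (Finding, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return Finding{}, err
	}
	return CheckDeps(bi.Deps)
}

// Usage: go run . /path/to/binary ... (paths are an assumption, e.g. files extracted from an image).
func main() {
	for _, p := range os.Args[1:] {
		f, err := CheckBinary(p)
		fmt.Printf("%s: present=%v version=%q vulnerable=%v err=%v\n",
			p, f.Present, f.Version, f.Vulnerable, err)
	}
}
```

Two caveats when reading the result: a binary that reports golang.org/x/text as absent may still be exposed if it vendors a copy under another path or was built with a toolchain older than Go 1.18 (no embedded module list), and a binary at a fixed version is only safe if the process actually running in the cluster is the updated image, which is what the upgrade instructions in the Solution section are for.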

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,
which will be updated shortly for this release, for important instructions
on how to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

For Red Hat OpenShift Logging 5.5, see the following instructions to apply
this update:

https://docs.openshift.com/container-platform/4.11/logging/cluster-logging-upgrading.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-2674 - Many `can't remove non-existent inotify watch for: /var/log/pods/xxxxxx` errors in logfilesmetricexporter container.
LOG-3042 - Logging view plugin removes part of LogQL query
LOG-3049 - [release-5.5] Resources associated with collector / fluentd keep on getting recreated
LOG-3127 - The alerts are Fluentd when type=vector
LOG-3138 - [release-5.5] the content of secret elasticsearch-metrics-token is recreated continually
LOG-3175 - [release-5.5] Vector healthcheck fails when forwarding logs to Cloudwatch 
LOG-3213 - must-gather is empty for logging with CLO image
LOG-3234 - [release-5.5] Loki gateway is crashing because cipher-suites are not set
LOG-3251 - [release-5.5] Adding Valid Subscription Annotation

6. References:

https://access.redhat.com/security/cve/CVE-2020-35525
https://access.redhat.com/security/cve/CVE-2020-35527
https://access.redhat.com/security/cve/CVE-2022-0494
https://access.redhat.com/security/cve/CVE-2022-1353
https://access.redhat.com/security/cve/CVE-2022-2509
https://access.redhat.com/security/cve/CVE-2022-2588
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-21618
https://access.redhat.com/security/cve/CVE-2022-21619
https://access.redhat.com/security/cve/CVE-2022-21624
https://access.redhat.com/security/cve/CVE-2022-21626
https://access.redhat.com/security/cve/CVE-2022-21628
https://access.redhat.com/security/cve/CVE-2022-23816
https://access.redhat.com/security/cve/CVE-2022-23825
https://access.redhat.com/security/cve/CVE-2022-29900
https://access.redhat.com/security/cve/CVE-2022-29901
https://access.redhat.com/security/cve/CVE-2022-32149
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-39399
https://access.redhat.com/security/cve/CVE-2022-40674
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY2ygY9zjgjWX9erEAQjsqhAAnWipfbePJjzeNKhBdSB8+KuuFOdDosVl
TM83jx5ov3yumRWxBORPOlN85R1Pfw2Kh7kT669wrbDL91YUU9WTYlONhiubL/oa
MR5Eq6TscAzh1aiy1BRZporGnddlpX5xNmHxl0G65CwisChuB8aom5uR0kymu8V1
4oH5wScZKshX9HgAylMerT7mO31Ya3xKOCPx9j39jP1G1DFM1c5NwYqHPVt3ioLJ
4kwnkt59USHi4AHxj9ELEJ2lHBNF9QTD7BITNuWITac+sCK55OEWKjLzerE7yaNy
4ZGy0ERDwRPScnVSnvtsZYGcuJPAth9eX7c9hxwDxiCdTL5nli0NI5e3MuU3gU/W
yBsDFe8DDi/bnzSw5T8ofT5IfOyc/6PuncZUO3QKF/fGwaN/xD+0Gj5+J7kZKTnq
lxbBOPpn52omWVDittRYxAouYn++CEHbJsUIznJDLOMKYXjuhZ/ERePl0pZAeiao
CScdIGNt6fDFCzNSYgdXJGbw/NPqYSQNpsJjzM2TdwVxaOguVRKXm5EJR7cTJzXm
hA3H3BlP0Bzq5UsW4GifQF3jyv6tOQFd/mMvGv3d+08S/JUKKCzJBdlp9nw6eXqp
TV+8Q4YCRXU5enul8DZGfKH7P7UYvSZ+cBBhxIkcnkhs2MT21ezopxubJs5KG035
qXp/7zyXsVs=
=t8JW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
