-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Image Builder security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:7548-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7548
Issue date:        2022-11-08
CVE Names:         CVE-2022-32189 
====================================================================
1. Summary:

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client
is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Image Builder is a service for building customized OS artifacts, such as VM
images and OSTree commits, that uses osbuild under the hood.

Security Fix(es):

* golang: math/big: decoding big.Float and big.Rat types can panic if the
encoded message is too short, potentially allowing a denial of service
(CVE-2022-32189)
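As an added illustration (not part of this advisory, nor code from the Go or osbuild projects), the wrapper below shows the defensive pattern for a service that must gob-decode big.Float or big.Rat values from untrusted input: a message cut short is turned into an error rather than a process crash, on both affected and patched Go releases. The names safeGobDecode, decodeFloat and ErrMalformed are this example's own.

```go
package main

import (
	"encoding/gob"
	"errors"
	"fmt"
	"math/big"
)

// ErrMalformed (this example's own name) wraps every decode failure, whether
// the library reported it or the wrapper had to recover from a panic.
var ErrMalformed = errors.New("malformed gob encoding")

// safeGobDecode decodes untrusted bytes into dst (a *big.Float or *big.Rat).
// Go releases affected by CVE-2022-32189 index past the end of a too-short
// buffer inside GobDecode and panic; the deferred recover turns that into an
// error so one malformed message cannot crash the whole service. Patched
// releases return an error themselves, which is wrapped and passed through.
func safeGobDecode(dst gob.GobDecoder, buf []byte) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: decoder panicked: %v", ErrMalformed, r)
		}
	}()
	if e := dst.GobDecode(buf); e != nil {
		return fmt.Errorf("%w: %v", ErrMalformed, e)
	}
	return nil
}

// decodeFloat is the typed entry point a service would expose; a nil result
// always comes with an error, so callers never touch a half-decoded value.
func decodeFloat(buf []byte) (*big.Float, error) {
	f := new(big.Float)
	if err := safeGobDecode(f, buf); err != nil {
		return nil, err
	}
	return f, nil
}

func main() {
	// Constructed sample: a valid encoding of 3.25, then the same bytes cut
	// short. The full slice form enc[:n:n] also caps capacity at n, so the
	// decoder cannot read past the cut into the original backing array.
	enc, _ := big.NewFloat(3.25).GobEncode()
	for _, in := range [][]byte{enc, enc[:1:1], enc[:8:8]} {
		f, err := decodeFloat(in)
		fmt.Printf("%d bytes -> value=%v err=%v\n", len(in), f, err)
	}
}
```

The recover is a stop-gap for hosts that cannot take the update immediately; the fix that actually removes the defect is the rebuilt package set listed in this advisory.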

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2059867 - Update osbuild to the newest upstream version in RHEL 8.7
2059868 - Update osbuild-composer to the newest upstream version in RHEL 8.7
2060063 - Rebase cockpit-composer to newest release for RHEL 8.7
2062694 - [cockpit-composer] RHEL 8.7 Tier 0 Localization
2065734 - Build fails for packages in blueprint that contain conditional dependencies
2104464 - [osbuild] Image builder does not support the use of a dot inside a username
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
2118829 - Backport test changes for new osbuild-composer

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
cockpit-composer-41-1.el8.src.rpm
osbuild-65-1.el8.src.rpm
osbuild-composer-62-1.el8.src.rpm
weldr-client-35.5-4.el8.src.rpm

aarch64:
osbuild-composer-62-1.el8.aarch64.rpm
osbuild-composer-core-62-1.el8.aarch64.rpm
osbuild-composer-core-debuginfo-62-1.el8.aarch64.rpm
osbuild-composer-debuginfo-62-1.el8.aarch64.rpm
osbuild-composer-debugsource-62-1.el8.aarch64.rpm
osbuild-composer-dnf-json-62-1.el8.aarch64.rpm
osbuild-composer-tests-debuginfo-62-1.el8.aarch64.rpm
osbuild-composer-worker-62-1.el8.aarch64.rpm
osbuild-composer-worker-debuginfo-62-1.el8.aarch64.rpm
weldr-client-35.5-4.el8.aarch64.rpm
weldr-client-debuginfo-35.5-4.el8.aarch64.rpm
weldr-client-debugsource-35.5-4.el8.aarch64.rpm
weldr-client-tests-debuginfo-35.5-4.el8.aarch64.rpm

noarch:
cockpit-composer-41-1.el8.noarch.rpm
osbuild-65-1.el8.noarch.rpm
osbuild-luks2-65-1.el8.noarch.rpm
osbuild-lvm2-65-1.el8.noarch.rpm
osbuild-ostree-65-1.el8.noarch.rpm
osbuild-selinux-65-1.el8.noarch.rpm
python3-osbuild-65-1.el8.noarch.rpm

ppc64le:
osbuild-composer-62-1.el8.ppc64le.rpm
osbuild-composer-core-62-1.el8.ppc64le.rpm
osbuild-composer-core-debuginfo-62-1.el8.ppc64le.rpm
osbuild-composer-debuginfo-62-1.el8.ppc64le.rpm
osbuild-composer-debugsource-62-1.el8.ppc64le.rpm
osbuild-composer-dnf-json-62-1.el8.ppc64le.rpm
osbuild-composer-tests-debuginfo-62-1.el8.ppc64le.rpm
osbuild-composer-worker-62-1.el8.ppc64le.rpm
osbuild-composer-worker-debuginfo-62-1.el8.ppc64le.rpm
weldr-client-35.5-4.el8.ppc64le.rpm
weldr-client-debuginfo-35.5-4.el8.ppc64le.rpm
weldr-client-debugsource-35.5-4.el8.ppc64le.rpm
weldr-client-tests-debuginfo-35.5-4.el8.ppc64le.rpm

s390x:
osbuild-composer-62-1.el8.s390x.rpm
osbuild-composer-core-62-1.el8.s390x.rpm
osbuild-composer-core-debuginfo-62-1.el8.s390x.rpm
osbuild-composer-debuginfo-62-1.el8.s390x.rpm
osbuild-composer-debugsource-62-1.el8.s390x.rpm
osbuild-composer-dnf-json-62-1.el8.s390x.rpm
osbuild-composer-tests-debuginfo-62-1.el8.s390x.rpm
osbuild-composer-worker-62-1.el8.s390x.rpm
osbuild-composer-worker-debuginfo-62-1.el8.s390x.rpm
weldr-client-35.5-4.el8.s390x.rpm
weldr-client-debuginfo-35.5-4.el8.s390x.rpm
weldr-client-debugsource-35.5-4.el8.s390x.rpm
weldr-client-tests-debuginfo-35.5-4.el8.s390x.rpm

x86_64:
osbuild-composer-62-1.el8.x86_64.rpm
osbuild-composer-core-62-1.el8.x86_64.rpm
osbuild-composer-core-debuginfo-62-1.el8.x86_64.rpm
osbuild-composer-debuginfo-62-1.el8.x86_64.rpm
osbuild-composer-debugsource-62-1.el8.x86_64.rpm
osbuild-composer-dnf-json-62-1.el8.x86_64.rpm
osbuild-composer-tests-debuginfo-62-1.el8.x86_64.rpm
osbuild-composer-worker-62-1.el8.x86_64.rpm
osbuild-composer-worker-debuginfo-62-1.el8.x86_64.rpm
weldr-client-35.5-4.el8.x86_64.rpm
weldr-client-debuginfo-35.5-4.el8.x86_64.rpm
weldr-client-debugsource-35.5-4.el8.x86_64.rpm
weldr-client-tests-debuginfo-35.5-4.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce