RedHat: RHSA-2022-7950:01 Low: Image Builder security, bug fix, | L...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Image Builder security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:7950-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7950
Issue date:        2022-11-15
CVE Names:         CVE-2022-32189 
=====================================================================

1. Summary:

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client
is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Image Builder is a service for building customized OS artifacts, such as VM
images and OSTree commits, that uses osbuild under the hood.

Security Fix(es):

* golang: math/big: decoding big.Float and big.Rat types can panic if the
encoded message is too short, potentially allowing a denial of service
(CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2059869 - Update osbuild to the newest upstream version in RHEL 9.1
2059870 - Update osbuild-composer to the newest upstream version in RHEL 9.1
2060061 - Rebase cockpit-composer to newest release for RHEL 9.1
2062597 - [cockpit-composer] RHEL 9.1 Tier 0 Localization
2064087 - suggest to exclude dracut-config-rescue in rhel ec2 images
2088459 - [osbuild-composer] cannot build an edge container with sssd
2105961 - edge-installer (anaconda) fails if user has ssh-key defined
2110864 - edge-installer ISO image can't boot on BIOS VM
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
2118831 - Backport test changes for new osbuild-composer
2123055 - edge images default to LVM
2123210 - podman network backend does not switch to netavark when embedding container in image

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
cockpit-composer-41-1.el9.src.rpm
osbuild-65-1.el9.src.rpm
osbuild-composer-62.1-1.el9.src.rpm
weldr-client-35.5-4.el9.src.rpm

aarch64:
osbuild-composer-62.1-1.el9.aarch64.rpm
osbuild-composer-core-62.1-1.el9.aarch64.rpm
osbuild-composer-core-debuginfo-62.1-1.el9.aarch64.rpm
osbuild-composer-debugsource-62.1-1.el9.aarch64.rpm
osbuild-composer-dnf-json-62.1-1.el9.aarch64.rpm
osbuild-composer-tests-debuginfo-62.1-1.el9.aarch64.rpm
osbuild-composer-worker-62.1-1.el9.aarch64.rpm
osbuild-composer-worker-debuginfo-62.1-1.el9.aarch64.rpm
weldr-client-35.5-4.el9.aarch64.rpm
weldr-client-debuginfo-35.5-4.el9.aarch64.rpm
weldr-client-debugsource-35.5-4.el9.aarch64.rpm
weldr-client-tests-debuginfo-35.5-4.el9.aarch64.rpm

noarch:
cockpit-composer-41-1.el9.noarch.rpm
osbuild-65-1.el9.noarch.rpm
osbuild-luks2-65-1.el9.noarch.rpm
osbuild-lvm2-65-1.el9.noarch.rpm
osbuild-ostree-65-1.el9.noarch.rpm
osbuild-selinux-65-1.el9.noarch.rpm
python3-osbuild-65-1.el9.noarch.rpm

ppc64le:
osbuild-composer-62.1-1.el9.ppc64le.rpm
osbuild-composer-core-62.1-1.el9.ppc64le.rpm
osbuild-composer-core-debuginfo-62.1-1.el9.ppc64le.rpm
osbuild-composer-debugsource-62.1-1.el9.ppc64le.rpm
osbuild-composer-dnf-json-62.1-1.el9.ppc64le.rpm
osbuild-composer-tests-debuginfo-62.1-1.el9.ppc64le.rpm
osbuild-composer-worker-62.1-1.el9.ppc64le.rpm
osbuild-composer-worker-debuginfo-62.1-1.el9.ppc64le.rpm
weldr-client-35.5-4.el9.ppc64le.rpm
weldr-client-debuginfo-35.5-4.el9.ppc64le.rpm
weldr-client-debugsource-35.5-4.el9.ppc64le.rpm
weldr-client-tests-debuginfo-35.5-4.el9.ppc64le.rpm

s390x:
osbuild-composer-62.1-1.el9.s390x.rpm
osbuild-composer-core-62.1-1.el9.s390x.rpm
osbuild-composer-core-debuginfo-62.1-1.el9.s390x.rpm
osbuild-composer-debugsource-62.1-1.el9.s390x.rpm
osbuild-composer-dnf-json-62.1-1.el9.s390x.rpm
osbuild-composer-tests-debuginfo-62.1-1.el9.s390x.rpm
osbuild-composer-worker-62.1-1.el9.s390x.rpm
osbuild-composer-worker-debuginfo-62.1-1.el9.s390x.rpm
weldr-client-35.5-4.el9.s390x.rpm
weldr-client-debuginfo-35.5-4.el9.s390x.rpm
weldr-client-debugsource-35.5-4.el9.s390x.rpm
weldr-client-tests-debuginfo-35.5-4.el9.s390x.rpm

x86_64:
osbuild-composer-62.1-1.el9.x86_64.rpm
osbuild-composer-core-62.1-1.el9.x86_64.rpm
osbuild-composer-core-debuginfo-62.1-1.el9.x86_64.rpm
osbuild-composer-debugsource-62.1-1.el9.x86_64.rpm
osbuild-composer-dnf-json-62.1-1.el9.x86_64.rpm
osbuild-composer-tests-debuginfo-62.1-1.el9.x86_64.rpm
osbuild-composer-worker-62.1-1.el9.x86_64.rpm
osbuild-composer-worker-debuginfo-62.1-1.el9.x86_64.rpm
weldr-client-35.5-4.el9.x86_64.rpm
weldr-client-debuginfo-35.5-4.el9.x86_64.rpm
weldr-client-debugsource-35.5-4.el9.x86_64.rpm
weldr-client-tests-debuginfo-35.5-4.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY3PhT9zjgjWX9erEAQg9fhAAkAAGWeWiPDsQJ/TXFnrTis24eChQ9WHU
XGffqSbHSQAjupkyGhzPsn8jau+HPOfvUARnI77Fz6hKM+pt8IdVWmM0cVfXKVqE
CFL78X2pLnSnn3fIld5gEvPrLv6VzrxJ8wlm6wNln43KaZ//z9mrJ7qPW6RpIWvE
c+A5Xx14tTMUMZ/Wh21DA2mKEgSO40wfPEXvBu0pb2XbN/+oaCmUmJV6oMx88b3U
onMnRqvl+kFl1SCI8158AvkZj6NKMNeD23cjuHyT0KttoIOft+I0DCsDI5W/qRup
Q0JYQ0VTbPx7hQHc/TOSO6bg1dBJbrwWHdqgjoQhP9inhdKFWUtnFj0/nw5Ddc76
IOL88AneTceR/5vomLl5dCCM4kCOHzqnwCK/G/zINkoeRyHn8zsWJ83M34Pxatr/
hWUugBz8lw0rL38qwEbssFCLXUYHLCIpr+pPnMiy90lwGDPY2Ydg1vfujMbZL9q9
BNl9U7Olz4rIH+libn8Q7VkBOEz9DpYXGnWA+CbIDgUosHyixzEvNlZxemoGtQYI
n36mwgE/QbNaAhfrzXL7DZ20tGcZHzBrsoGHZImu5CQwheSO+cdm3Wx2+y6u4lk9
1N2xHiG/VRkOPxDZX1OLQ8jBPq+2ZyGIuwYNP7QOCU2wgIDUBnbOI0gAUZO1dZnK
x3zLrMtLyho=
=zP99
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-7950:01 Low: Image Builder security, bug fix,

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9

Summary

Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.
Security Fix(es):
* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changesdescribed in this advisory, refer to:https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2022-32189 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

Package List

Red Hat Enterprise Linux AppStream (v. 9):
Source: cockpit-composer-41-1.el9.src.rpm osbuild-65-1.el9.src.rpm osbuild-composer-62.1-1.el9.src.rpm weldr-client-35.5-4.el9.src.rpm
aarch64: osbuild-composer-62.1-1.el9.aarch64.rpm osbuild-composer-core-62.1-1.el9.aarch64.rpm osbuild-composer-core-debuginfo-62.1-1.el9.aarch64.rpm osbuild-composer-debugsource-62.1-1.el9.aarch64.rpm osbuild-composer-dnf-json-62.1-1.el9.aarch64.rpm osbuild-composer-tests-debuginfo-62.1-1.el9.aarch64.rpm osbuild-composer-worker-62.1-1.el9.aarch64.rpm osbuild-composer-worker-debuginfo-62.1-1.el9.aarch64.rpm weldr-client-35.5-4.el9.aarch64.rpm weldr-client-debuginfo-35.5-4.el9.aarch64.rpm weldr-client-debugsource-35.5-4.el9.aarch64.rpm weldr-client-tests-debuginfo-35.5-4.el9.aarch64.rpm
noarch: cockpit-composer-41-1.el9.noarch.rpm osbuild-65-1.el9.noarch.rpm osbuild-luks2-65-1.el9.noarch.rpm osbuild-lvm2-65-1.el9.noarch.rpm osbuild-ostree-65-1.el9.noarch.rpm osbuild-selinux-65-1.el9.noarch.rpm python3-osbuild-65-1.el9.noarch.rpm
ppc64le: osbuild-composer-62.1-1.el9.ppc64le.rpm osbuild-composer-core-62.1-1.el9.ppc64le.rpm osbuild-composer-core-debuginfo-62.1-1.el9.ppc64le.rpm osbuild-composer-debugsource-62.1-1.el9.ppc64le.rpm osbuild-composer-dnf-json-62.1-1.el9.ppc64le.rpm osbuild-composer-tests-debuginfo-62.1-1.el9.ppc64le.rpm osbuild-composer-worker-62.1-1.el9.ppc64le.rpm osbuild-composer-worker-debuginfo-62.1-1.el9.ppc64le.rpm weldr-client-35.5-4.el9.ppc64le.rpm weldr-client-debuginfo-35.5-4.el9.ppc64le.rpm weldr-client-debugsource-35.5-4.el9.ppc64le.rpm weldr-client-tests-debuginfo-35.5-4.el9.ppc64le.rpm
s390x: osbuild-composer-62.1-1.el9.s390x.rpm osbuild-composer-core-62.1-1.el9.s390x.rpm osbuild-composer-core-debuginfo-62.1-1.el9.s390x.rpm osbuild-composer-debugsource-62.1-1.el9.s390x.rpm osbuild-composer-dnf-json-62.1-1.el9.s390x.rpm osbuild-composer-tests-debuginfo-62.1-1.el9.s390x.rpm osbuild-composer-worker-62.1-1.el9.s390x.rpm osbuild-composer-worker-debuginfo-62.1-1.el9.s390x.rpm weldr-client-35.5-4.el9.s390x.rpm weldr-client-debuginfo-35.5-4.el9.s390x.rpm weldr-client-debugsource-35.5-4.el9.s390x.rpm weldr-client-tests-debuginfo-35.5-4.el9.s390x.rpm
x86_64: osbuild-composer-62.1-1.el9.x86_64.rpm osbuild-composer-core-62.1-1.el9.x86_64.rpm osbuild-composer-core-debuginfo-62.1-1.el9.x86_64.rpm osbuild-composer-debugsource-62.1-1.el9.x86_64.rpm osbuild-composer-dnf-json-62.1-1.el9.x86_64.rpm osbuild-composer-tests-debuginfo-62.1-1.el9.x86_64.rpm osbuild-composer-worker-62.1-1.el9.x86_64.rpm osbuild-composer-worker-debuginfo-62.1-1.el9.x86_64.rpm weldr-client-35.5-4.el9.x86_64.rpm weldr-client-debuginfo-35.5-4.el9.x86_64.rpm weldr-client-debugsource-35.5-4.el9.x86_64.rpm weldr-client-tests-debuginfo-35.5-4.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

Severity
Advisory ID: RHSA-2022:7950-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7950
Issued Date: : 2022-11-15
CVE Names: CVE-2022-32189

Topic

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-clientis now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impactof Low. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

Bugs Fixed

2059869 - Update osbuild to the newest upstream version in RHEL 9.1

2059870 - Update osbuild-composer to the newest upstream version in RHEL 9.1

2060061 - Rebase cockpit-composer to newest release for RHEL 9.1

2062597 - [cockpit-composer] RHEL 9.1 Tier 0 Localization

2064087 - suggest to exclude dracut-config-rescue in rhel ec2 images

2088459 - [osbuild-composer] cannot build an edge container with sssd

2105961 - edge-installer (anaconda) fails if user has ssh-key defined

2110864 - edge-installer ISO image can't boot on BIOS VM

2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service

2118831 - Backport test changes for new osbuild-composer

2123055 - edge images default to LVM

2123210 - podman network backend does not switch to netavark when embedding container in image

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.