Alerts This Week
Warning Icon 1 914
Alerts This Week
Warning Icon 1 914

Red Hat Enterprise Linux 9 RHSA-2022-7950-01 Low: Image Builder DoS

red hat
Calendar Grey November 15, 2022
Dist Redhat Esm H88
Red Hat releases minor update addressing vulnerability in Image Builder linked to cockpit-composer and osbuild for RHEL 9.
An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client is now available for Red Hat Enterprise Linux 9

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

Image Builder is a service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood.
Security Fix(es):
* golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section.

Topics%20covered

Topics Covered

security advisory Red Hat Enterprise Linux doS low severity osbuild image builder bug fix cockpit-composer

References

https://access.redhat.com/security/cve/CVE-2022-32189 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

Package List

Red Hat Enterprise Linux AppStream (v. 9):
Source: cockpit-composer-41-1.el9.src.rpm osbuild-65-1.el9.src.rpm osbuild-composer-62.1-1.el9.src.rpm weldr-client-35.5-4.el9.src.rpm
aarch64: osbuild-composer-62.1-1.el9.aarch64.rpm osbuild-composer-core-62.1-1.el9.aarch64.rpm osbuild-composer-core-debuginfo-62.1-1.el9.aarch64.rpm osbuild-composer-debugsource-62.1-1.el9.aarch64.rpm osbuild-composer-dnf-json-62.1-1.el9.aarch64.rpm osbuild-composer-tests-debuginfo-62.1-1.el9.aarch64.rpm osbuild-composer-worker-62.1-1.el9.aarch64.rpm osbuild-composer-worker-debuginfo-62.1-1.el9.aarch64.rpm weldr-client-35.5-4.el9.aarch64.rpm weldr-client-debuginfo-35.5-4.el9.aarch64.rpm weldr-client-debugsource-35.5-4.el9.aarch64.rpm weldr-client-tests-debuginfo-35.5-4.el9.aarch64.rpm
noarch: cockpit-composer-41-1.el9.noarch.rpm osbuild-65-1.el9.noarch.rpm osbuild-luks2-65-1.el9.noarch.rpm osbuild-lvm2-65-1.el9.noarch.rpm osbuild-ostree-65-1.el9.noarch.rpm osbuild-selinux-65-1.el9.noarch.rpm python3-osbuild-65-1.el9.noarch.rpm
ppc64le: osbuild-composer-62.1-1.el9.ppc64le.rpm osbuild-composer-core-62.1-1.el9.ppc64le.rpm osbuild-composer-core-debuginfo-62.1-1.el9.ppc64le.rpm osbuild-composer-debugsource-62.1-1.el9.ppc64le.rpm osbuild-composer-dnf-json-62.1-1.el9.ppc64le.rpm

Read the Full Advisory


Severity
low
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2022:7950-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7950
Issue date: 2022-11-15

Topic

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-clientis now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impactof Low. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory Red Hat Enterprise Linux doS low severity osbuild image builder bug fix cockpit-composer

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

Bugs Fixed

2059869 - Update osbuild to the newest upstream version in RHEL 9.1

2059870 - Update osbuild-composer to the newest upstream version in RHEL 9.1

2060061 - Rebase cockpit-composer to newest release for RHEL 9.1

2062597 - [cockpit-composer] RHEL 9.1 Tier 0 Localization

2064087 - suggest to exclude dracut-config-rescue in rhel ec2 images

2088459 - [osbuild-composer] cannot build an edge container with sssd

2105961 - edge-installer (anaconda) fails if user has ssh-key defined

2110864 - edge-installer ISO image can't boot on BIOS VM

2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service

2118831 - Backport test changes for new osbuild-composer

2123055 - edge images default to LVM

2123210 - podman network backend does not switch to netavark when embedding container in image

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here