-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 4.12.0 RPMs security update
Advisory ID:       RHSA-2023:0407-01
Product:           cnv
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0407
Issue date:        2023-01-24
CVE Names:         CVE-2021-38561 CVE-2021-44716 CVE-2021-44717 
                   CVE-2022-1705 CVE-2022-1962 CVE-2022-24921 
                   CVE-2022-28131 CVE-2022-30629 CVE-2022-30630 
                   CVE-2022-30631 CVE-2022-30632 CVE-2022-30633 
                   CVE-2022-30635 CVE-2022-32148 
====================================================================
1. Summary:

Updated release packages that fix several bugs and add various enhancements
are now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CNV 4.12 for RHEL 7 - x86_64
CNV 4.12 for RHEL 8 - x86_64

3. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform. This advisory contains OpenShift
Virtualization 4.12.0 RPMs.

Security Fix(es):

* golang: net/http: limit growth of header canonicalization cache
(CVE-2021-44716)

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS
(CVE-2021-38561)

* golang: syscall: don't close fd 0 on ForkExec error (CVE-2021-44717)

* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)

* golang: go/parser: stack exhaustion in all Parse* functions
(CVE-2022-1962)

* golang: regexp: stack exhaustion via a deeply nested expression
(CVE-2022-24921)

* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

* golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)

* golang: crypto/tls: session tickets lack random ticket_age_add
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
2030806 - CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error
2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression
2089804 - 4.12.0 rpms
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

6. Package List:

CNV 4.12 for RHEL 7:

Source:
kubevirt-4.12.0-1057.el7.src.rpm

x86_64:
kubevirt-virtctl-4.12.0-1057.el7.x86_64.rpm
kubevirt-virtctl-redistributable-4.12.0-1057.el7.x86_64.rpm

CNV 4.12 for RHEL 8:

Source:
kubevirt-4.12.0-1057.el8.src.rpm

x86_64:
kubevirt-virtctl-4.12.0-1057.el8.x86_64.rpm
kubevirt-virtctl-redistributable-4.12.0-1057.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-38561
https://access.redhat.com/security/cve/CVE-2021-44716
https://access.redhat.com/security/cve/CVE-2021-44717
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-24921
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY9AIldzjgjWX9erEAQh8WA//YE0cJROgL3/MlSO99DsdGO2yoe1qZIep
PkqvBbFyJgTLqF85C+SbEFMKDE88qRq6z06XXDBXzAfgdlJPzmp+9w/T76nqtOtF
SAqsO8R/uHs5k66+wWgWacxrKoakl75Zma+U753GpZQYzTe7rj4buqr2nil5ujYd
tLsladpUdlPIUZC123BTd9azgwFVJi7rmkmpG7bJ6UNS2LlBoy4eprZofEUnN/zA
cNG+c8rVo+P69rB2nO4MSleB7IrnScxheIv6xumFu8LDG6BwwOHz+p2t+SL1zXhK
ckOLyaBqe8z1rY0nALHTmfigIerTzT9hzBmHAC1yOeNdYDPuuhh9n9k6V0W/Pn31
eDLFJDNs4bzGMAAv9AdqwkBMCQSdN+gXHXu76MctAesLBzwdy4TgVI2HOaTpMI3M
V8TfyIGPdMHcojiaMZxYMyGT51GQ2qM7xntavlUiQqmJQLDI57+tRVaXIWFgXWwr
29ug/num4/FaVDgppUyxb93Cf8TcnlgwSLnPmLqY/OSbVgj6b51j/QvNORPN2uPG
PC+ZxnT9XDanQzZD7nMRX/aPCztQ/in/C+uRp1AnyW4QpefBGzsht9o9S613ZYp0
0k9fcWFsmm3AEqbqAjdyHVBxHDtdUIg/WTCMerFnzUTcPTB3az9Vl4wBTqHLWzGo
93mcr8zrPdI=lwhL
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-0407:01 Moderate: OpenShift Virtualization 4.12.0 RPMs

Updated release packages that fix several bugs and add various enhancements are now available

Summary

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.12.0 RPMs.
Security Fix(es):
* golang: net/http: limit growth of header canonicalization cache (CVE-2021-44716)
* golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561)
* golang: syscall: don't close fd 0 on ForkExec error (CVE-2021-44717)
* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
* golang: regexp: stack exhaustion via a deeply nested expression (CVE-2022-24921)
* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
* golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2021-38561 https://access.redhat.com/security/cve/CVE-2021-44716 https://access.redhat.com/security/cve/CVE-2021-44717 https://access.redhat.com/security/cve/CVE-2022-1705 https://access.redhat.com/security/cve/CVE-2022-1962 https://access.redhat.com/security/cve/CVE-2022-24921 https://access.redhat.com/security/cve/CVE-2022-28131 https://access.redhat.com/security/cve/CVE-2022-30629 https://access.redhat.com/security/cve/CVE-2022-30630 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-30632 https://access.redhat.com/security/cve/CVE-2022-30633 https://access.redhat.com/security/cve/CVE-2022-30635 https://access.redhat.com/security/cve/CVE-2022-32148 https://access.redhat.com/security/updates/classification/#moderate

Package List

CNV 4.12 for RHEL 7:
Source: kubevirt-4.12.0-1057.el7.src.rpm
x86_64: kubevirt-virtctl-4.12.0-1057.el7.x86_64.rpm kubevirt-virtctl-redistributable-4.12.0-1057.el7.x86_64.rpm
CNV 4.12 for RHEL 8:
Source: kubevirt-4.12.0-1057.el8.src.rpm
x86_64: kubevirt-virtctl-4.12.0-1057.el8.x86_64.rpm kubevirt-virtctl-redistributable-4.12.0-1057.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2023:0407-01
Product: cnv
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0407
Issued Date: : 2023-01-24
CVE Names: CVE-2021-38561 CVE-2021-44716 CVE-2021-44717 CVE-2022-1705 CVE-2022-1962 CVE-2022-24921 CVE-2022-28131 CVE-2022-30629 CVE-2022-30630 CVE-2022-30631 CVE-2022-30632 CVE-2022-30633 CVE-2022-30635 CVE-2022-32148

Topic

Updated release packages that fix several bugs and add various enhancementsare now available.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

CNV 4.12 for RHEL 7 - x86_64

CNV 4.12 for RHEL 8 - x86_64


Bugs Fixed

2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache

2030806 - CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error

2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression

2089804 - 4.12.0 rpms

2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add

2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob

2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header

2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions

2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working

2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob

2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode

2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip

2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal


Related News

Linux Mint 22: Elevating Security and Usability for Admins
3 - 5 min read
Linux Mint has has long been recognized as a versatile and user-friendly distribution and has earned great popularity among administrators and
Exim 4.98 Addresses Critical Vulnerabilities, Bolsters Email Server Security
2 - 4 min read
Exim is one of Unix-like systems' most widely used mail transfer agents. It's essential for email delivery and handling and is a significant part of
Recent OpenSSH RCE Bug Explained: Impact & Mitigations
2 - 4 min read
In an era where cybersecurity threats loom larger than ever, the discovery of a Remote Code Execution (RCE) vulnerability in OpenSSH by Qualys’
CVE-2024-4577: A Swiftly Weaponized Vulnerability for Ransomware Distribution
2 - 4 min read
Security researchers recently issued an update detailing how attackers are exploiting a PHP code execution vulnerability to spread TellYouThePass
Play Ransomware Group Unleashes New Threat on ESXi Environments: Analysis & Mitigation Strategies
3 - 5 min read
The Play ransomware group, well-known for its double-extortion tactics, recently unveiled a Linux variant targeting ESXi environments. This
Critical Linux Kernel Vulnerabilities Patched in Ubuntu Azure Systems
2 - 4 min read
Canonical has fixed several recently identified critical Linux kernel vulnerabilities in July 2024. These vulnerabilities primarily affect Microsoft
The Urgent Need for Secure Software Development: New Report Serves as a Wake-Up Call for the Industry
3 - 5 min read
The Linux Foundation and Open Source Security Foundation recently published a report entitled "Secure Software Development Education 2024
Severe Linux Kernel Privilege Escalation Bugs Could Compromise Entire Systems
2 - 4 min read
The Cybersecurity and Infrastructure Security Agency (CISA) recently added a new Linux kernel privilege escalation bug ( CVE-2024-1086 ) to its

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved