====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Release of OpenShift Serverless 1.27.0
Advisory ID:       RHSA-2023:0709-01
Product:           RHOSS
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0709
Issue date:        2023-02-09
CVE Names:         CVE-2016-3709 CVE-2021-46848 CVE-2022-1304 
                   CVE-2022-2509 CVE-2022-2879 CVE-2022-2880 
                   CVE-2022-22624 CVE-2022-22628 CVE-2022-22629 
                   CVE-2022-22662 CVE-2022-26700 CVE-2022-26709 
                   CVE-2022-26710 CVE-2022-26716 CVE-2022-26717 
                   CVE-2022-26719 CVE-2022-27664 CVE-2022-30293 
                   CVE-2022-35737 CVE-2022-40303 CVE-2022-40304 
                   CVE-2022-41715 CVE-2022-42010 CVE-2022-42011 
                   CVE-2022-42012 CVE-2022-42898 CVE-2022-43680 
                   CVE-2023-21835 CVE-2023-21843 
====================================================================
1. Summary:

Release of OpenShift Serverless 1.27.0
The References section contains CVE links providing detailed severity
ratings for each vulnerability. Ratings are based on a Common
Vulnerability Scoring System (CVSS) base score.

2. Description:

Version 1.27.0 of the OpenShift Serverless Operator is supported on Red Hat
OpenShift Container Platform versions 4.8, 4.9, 4.10, 4.11 and 4.12. 

This release includes security and bug fixes, and enhancements.

* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)
* golang: net/http: handle server errors after sending GOAWAY
(CVE-2022-27664)
* golang: net/http/httputil: ReverseProxy should not forward unparseable
query parameters (CVE-2022-2880)
* golang: archive/tar: unbounded memory consumption when reading headers
(CVE-2022-2879)

For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
pages linked in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2154755 - Release of OpenShift Serverless Eventing 1.27.0
2154757 - Release of OpenShift Serverless Serving 1.27.0

5. References:

https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-2509
https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-40303
https://access.redhat.com/security/cve/CVE-2022-40304
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-42010
https://access.redhat.com/security/cve/CVE-2022-42011
https://access.redhat.com/security/cve/CVE-2022-42012
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/cve/CVE-2022-43680
https://access.redhat.com/security/cve/CVE-2023-21835
https://access.redhat.com/security/cve/CVE-2023-21843
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce