====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.2 (osp-director-downloader-container, osp-director-agent-container and osp-director-operator-container) security update
Advisory ID:       RHSA-2023:1079-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1079
Issue date:        2023-03-06
CVE Names:         CVE-2021-46848 CVE-2022-2879 CVE-2022-4415 
                   CVE-2022-35737 CVE-2022-40303 CVE-2022-40304 
                   CVE-2022-41715 CVE-2022-41717 CVE-2022-47629 
====================================================================
1. Summary:

An update for osp-director-downloader-container,
osp-director-agent-container and osp-director-operator-container is now
available for Red Hat OpenStack Platform 16.2 (Train).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Security Fix(es):

* archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)

* regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

* net/http: An attacker can cause excessive memory growth in a Go server
accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
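
As an added defensive example, not code from this advisory or from the OSP director operator, the Go program below bounds how many bytes of an untrusted tar stream the archive/tar reader may consume, so header parsing cannot buffer more than the caller's budget; it is defence in depth next to the toolchain update for CVE-2022-2879, not the upstream fix itself. ListBounded, ErrTooLarge, buildSampleArchive and the two sample entries are assumptions made for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge reports that the tar stream hit the caller's byte budget.
var ErrTooLarge = errors.New("tar input exceeds configured byte limit")
// ListBounded lists the entry names in a tar stream but never consumes more than
// maxBytes from r, so a crafted archive cannot make the parser buffer unbounded header data.
func ListBounded(r io.Reader, maxBytes int64) ([]string, error) {
	limited := &io.LimitedReader{R: r, N: maxBytes}
	tr := tar.NewReader(limited)
	var names []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return names, nil // clean end of archive
		}
		if err != nil {
			// Truncation with the budget exhausted means the limit, not a malformed archive, cut the stream.
			if errors.Is(err, io.ErrUnexpectedEOF) && limited.N == 0 {
				return names, ErrTooLarge
			}
			return names, err
		}
		names = append(names, hdr.Name)
	}
}

// buildSampleArchive constructs a two-entry archive in memory (constructed sample data, assumed names).
func buildSampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range [][2]string{{"etc/hosts", "127.0.0.1 localhost\n"}, {"etc/motd", "constructed sample\n"}} {
		tw.WriteHeader(&tar.Header{Name: e[0], Mode: 0o644, Size: int64(len(e[1])), Typeflag: tar.TypeReg})
		tw.Write([]byte(e[1])) // constructed header and body are consistent, so neither call can fail
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	fmt.Println(ListBounded(bytes.NewReader(buildSampleArchive()), 1<<20)) // [etc/hosts etc/motd] <nil>
	fmt.Println(ListBounded(bytes.NewReader(buildSampleArchive()), 100))   // [] tar input exceeds configured byte limit
}
```

A budget exactly equal to the archive size still yields a clean listing, because the reader hits the limit only after the two trailer blocks.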

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.redhat.com/):

OSPK8-664 - Unexpected "unassigned" hostRefs in OSBMS halt further reconcile loops

6. References:

https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-4415
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-40303
https://access.redhat.com/security/cve/CVE-2022-40304
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/cve/CVE-2022-47629
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
