-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Serverless Client kn 1.29.0 release
Advisory ID:       RHSA-2023:3450-01
Product:           Red Hat OpenShift Serverless
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3450
Issue date:        2023-06-05
CVE Names:         CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 
                   CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 
                   CVE-2023-24538 CVE-2023-25173 
====================================================================
1. Summary:

OpenShift Serverless 1.29.0 has been released. The References section
contains CVE links providing detailed severity ratings for each
vulnerability. Ratings are based on a Common Vulnerability Scoring System
(CVSS) base score.

2. Relevant releases/architectures:

Openshift Serverless 1 on RHEL 8Base - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Serverless Client kn 1.29.0 provides a CLI to interact
with Red Hat OpenShift Serverless 1.29.0. The kn CLI is delivered as an RPM
package for installation on RHEL platforms, and as binaries for non-Linux
platforms.

This release includes security and bug fixes, and enhancements.

Security Fixes in this release include:

- - containerd: Supplementary groups are not set up properly(CVE-2023-25173)
- - golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding(CVE-2022-41723)
- - golang: net/http, mime/multipart: denial of service from excessive
resource consumption(CVE-2022-41725)
- - golang: crypto/tls: large handshake records may cause
panics(CVE-2022-41724)
- - golang: html/template: backticks not treated as string
delimiters(CVE-2023-24538)
- - golang: net/http, net/textproto, mime/multipart: denial of service from
excessive resource consumption(CVE-2023-24536)
- - golang: net/http, net/textproto: denial of service from excessive memory
allocation(CVE-2023-24534)
- - golang: go/parser: Infinite loop in parsing(CVE-2023-24537)

For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information refer to the CVE
pages linked in the References section.

4. Solution:

For instructions on how to install and use OpenShift Serverless, see
documentation linked from the References section.

5. Bugs fixed (https://bugzilla.redhat.com/):

2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
2185511 - Release of Openshift Serverless Client 1.29.0

6. Package List:

Openshift Serverless 1 on RHEL 8Base:

Source:
openshift-serverless-clients-1.8.1-3.el8.src.rpm

ppc64le:
openshift-serverless-clients-1.8.1-3.el8.ppc64le.rpm

s390x:
openshift-serverless-clients-1.8.1-3.el8.s390x.rpm

x86_64:
openshift-serverless-clients-1.8.1-3.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2022-41724
https://access.redhat.com/security/cve/CVE-2022-41725
https://access.redhat.com/security/cve/CVE-2023-24534
https://access.redhat.com/security/cve/CVE-2023-24536
https://access.redhat.com/security/cve/CVE-2023-24537
https://access.redhat.com/security/cve/CVE-2023-24538
https://access.redhat.com/security/cve/CVE-2023-25173
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.13/html/serverless/index

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZH4ih9zjgjWX9erEAQh+Yg/+PDm+1yYCXhOyWTi9zy956XzrW6BDI8Y9
R/WNJQas9dBuJSj0BAfmxMTm+YjpnvuKzJ9ihs2v9ZR+CeWmy9CZCWJ+Tf7PmAS2
XwOq72vn0nQ0/KyNJCtkv5QxRVaRW+bK8Gefq7+pyc4Obe0g96WywlQ9JHGy0LCP
IWAMn7QPG/RoQiK0GcQ7keUtmoncr6EjtBV3++/vt3QpsadYky88A+C6wifsELnE
/JocA77xnAq4wB3jUXI8Z+9EQ57jbhQH2pyhOUo2NOi3WnYRdPxWpmIVyf9bjUPy
CUbdrPVmokkVVpimH7x7uYZaYO5dbHd8LGFSTcER7t8D9zGFAYPv4cdhdOkfHX4u
X2GHrJe9lGUrLvVj4OJK0Ye9hn6B+T4fg5XBDq4vhuFoQ9ldjNcd7UBHUH9MUT70
VfkLA55ORgk0UatLCLkB6yQ7dlRTEVvVVC9IUSbVFXQbL6o/KoJzbWbc5AWL8Q1v
D4BN9jJ/516ECqBYxkZBXUEIWB8mrzSzmFNxgYa164fBGji8ddfEzicTrepoFDSd
9VotcWkZi2hbhVNsPYDUvOsdqspXU9GqLj1vIq6k4stF7DlQdoX0QeG8w92MD456
QvHeOShs3ju/2w20PwF00xvMZcIoZGjnfGEwSpqxt8IPxyr6pmCq3xvWvYN9ID+/
h8gBX6JtGgw=/4jU
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-3450:01 Moderate: OpenShift Serverless Client kn 1.29.0

OpenShift Serverless 1.29.0 has been released

Summary

Red Hat OpenShift Serverless Client kn 1.29.0 provides a CLI to interact with Red Hat OpenShift Serverless 1.29.0. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms.
This release includes security and bug fixes, and enhancements.
Security Fixes in this release include:
- - containerd: Supplementary groups are not set up properly(CVE-2023-25173) - - golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding(CVE-2022-41723) - - golang: net/http, mime/multipart: denial of service from excessive resource consumption(CVE-2022-41725) - - golang: crypto/tls: large handshake records may cause panics(CVE-2022-41724) - - golang: html/template: backticks not treated as string delimiters(CVE-2023-24538) - - golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption(CVE-2023-24536) - - golang: net/http, net/textproto: denial of service from excessive memory allocation(CVE-2023-24534) - - golang: go/parser: Infinite loop in parsing(CVE-2023-24537)
For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information refer to the CVE pages linked in the References section.



Summary


Solution

For instructions on how to install and use OpenShift Serverless, see documentation linked from the References section.

References

https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2022-41724 https://access.redhat.com/security/cve/CVE-2022-41725 https://access.redhat.com/security/cve/CVE-2023-24534 https://access.redhat.com/security/cve/CVE-2023-24536 https://access.redhat.com/security/cve/CVE-2023-24537 https://access.redhat.com/security/cve/CVE-2023-24538 https://access.redhat.com/security/cve/CVE-2023-25173 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.13/html/serverless/index

Package List

Openshift Serverless 1 on RHEL 8Base:
Source: openshift-serverless-clients-1.8.1-3.el8.src.rpm
ppc64le: openshift-serverless-clients-1.8.1-3.el8.ppc64le.rpm
s390x: openshift-serverless-clients-1.8.1-3.el8.s390x.rpm
x86_64: openshift-serverless-clients-1.8.1-3.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2023:3450-01
Product: Red Hat OpenShift Serverless
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3450
Issued Date: : 2023-06-05
CVE Names: CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-25173

Topic

OpenShift Serverless 1.29.0 has been released. The References sectioncontains CVE links providing detailed severity ratings for eachvulnerability. Ratings are based on a Common Vulnerability Scoring System(CVSS) base score.


Topic


 

Relevant Releases Architectures

Openshift Serverless 1 on RHEL 8Base - ppc64le, s390x, x86_64


Bugs Fixed

2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding

2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption

2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics

2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption

2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation

2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing

2185511 - Release of Openshift Serverless Client 1.29.0


Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved