-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Service Mesh Containers for 2.4.0
Advisory ID:       RHSA-2023:3644-01
Product:           RHOSSM
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3644
Issue date:        2023-06-15
CVE Names:         CVE-2021-4235 CVE-2022-1705 CVE-2022-2795 
                   CVE-2022-2879 CVE-2022-2880 CVE-2022-2995 
                   CVE-2022-3162 CVE-2022-3172 CVE-2022-3204 
                   CVE-2022-3259 CVE-2022-3466 CVE-2022-27664 
                   CVE-2022-30631 CVE-2022-32148 CVE-2022-32189 
                   CVE-2022-32190 CVE-2022-36227 CVE-2022-39229 
                   CVE-2022-41715 CVE-2023-24540 CVE-2023-27535 
====================================================================
1. Summary:

Red Hat OpenShift Service Mesh Containers for 2.4.0

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

This advisory covers container images for the release.

Security Fix(es):

* golang: html/template: improper handling of JavaScript whitespace
(CVE-2023-24540)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace

5. JIRA issues fixed (https://issues.redhat.com/):

OSSM-1094 - Htpasswd secret created in control plane namespace is using SHA1
OSSM-1667 - Remove deprecated cipher suites
OSSM-2128 - Exclude some accessible namespaces in Kiali CR with some labelSelector
OSSM-2215 - istio-cni-node never updates kubeconfig causing error adding container to network \"v2-0-istio-cni\": Unauthorized
OSSM-2221 - Gateway injection does not work in control plane namespace
OSSM-2254 - Fix and deprecate IOR
OSSM-2274 - If two SMCPs exist in a namespace and you delete one, all child resources are deleted
OSSM-2325 - Disable prometheus in the minimal example CR
OSSM-2339 - Deprecated istio-operator API call in CNV
OSSM-2420 - Pod locality controller fails to update pod
OSSM-2436 - istio-operator reports as ready before it really is
OSSM-3246 - Promote ClusterWide to GA
OSSM-3288 - Implement prometheus extension provider
OSSM-3291 - Implement envoyExtAuthzHttp extension provider
OSSM-331 - Service Mesh IPv6 Single Stack Support
OSSM-3419 - Align OSSM 2.4 with latest upstream Istio 1.16.5 release
OSSM-3747 - Duplicate env vars in egress gateway deployment
OSSM-3784 - Bad ownerReference in k8s Gateway Deployment & Service
OSSM-3802 - GA discoverySelectors (move out of techPreview.meshConfig)
OSSM-3803 - Move extensionProviders to SMCP.spec.meshConfig.extensionProvidersOSSM-3870 - OSSM must-gather improvements
OSSM-3873 - [KIALI] Kiali ingress.host accepted in the SMCP but is not configured properly in Kiali CR
OSSM-3934 - Prometheus and grafana not reachable from kiali
OSSM-3986 - Kiali does not display all the data when SMCP is deployed with Cluster Wide mode
OSSM-4037 - kiali operator base image bump
OSSM-4069 - Kiali route is missing with 2.2 Control Plane in 2.4 Operator on OpenShift 4.13
OSSM-566 - Supported integration with OpenShift Monitoring and BYO Prometheus
OSSM-568 - Integration with (external) cert-manager

6. References:

https://access.redhat.com/security/cve/CVE-2021-4235
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-2795
https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-2995
https://access.redhat.com/security/cve/CVE-2022-3162
https://access.redhat.com/security/cve/CVE-2022-3172
https://access.redhat.com/security/cve/CVE-2022-3204
https://access.redhat.com/security/cve/CVE-2022-3259
https://access.redhat.com/security/cve/CVE-2022-3466
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-32190
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-39229
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2023-24540
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZIuxO9zjgjWX9erEAQhxLg//cqi5JYtCAvOoMpkcoFT/rTGhn2s7EmPX
gCNYy/Gv1EESdc4WLJs/96vXWpnRF1XA1Z+Jrn6Ojd1OcRVikWjpXtzM+2cKNoCA
HZMvyxRe4R0QlcBb17XZYDN0plU+H24UGDMHengwY45K5ZRWfw7/vb3Gna3VwUgk
QALQk0WLqiJUSDy0CAaFwZNKUZKZmKCmQudm8dbECA+pCKTYS22bfbuE4o2jtcTA
PmFZ5sDIKTuWuzHtxT5Urbx+g6rgijP3xP1JqZXzuI9ExH7eeS7e1Sk8rH2MOXH2
E9VDmAsi2p7ffdaLRILHYPdLtt88wiE0kLjBof7i7OMBSoX70l3UEwvy9g96udbl
a/GsvnKkrpEnxXyPxUm4HQQ5xHPEaFIZlAwGSwnZ7CPS0wkWu3vN513ccMF+wsgx
BokeK739WjxblJRsf/fTujflEMmOzIzsM6N3yDY51hs2lAl1NFZSCjFUTwjuoNNK
7CgMoWkbCDRc0tGWvu82gJfZPnlw7lRPHYAVSNkMAPQsODTyk8FEoY9Sj8UtnI5C
qKwo7TdYjTwrivRCoQJJcNZJxW6RY2NSZNev3WviJuM+tssXXkOCJaD6Eguy6UhO
PElcfkRdRJW5HevW+u56ngGfBUb091Zyes7bN8E0AwFBI1CBvjzWgEFTM1i2Ce/+
A6ybAfZVB68=0l+j
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-3644:01 Important: Red Hat OpenShift Service Mesh

Red Hat OpenShift Service Mesh Containers for 2.4.0 Red Hat Product Security has rated this update as having a security impact of Important

Summary

Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.
This advisory covers container images for the release.
Security Fix(es):
* golang: html/template: improper handling of JavaScript whitespace (CVE-2023-24540)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2021-4235 https://access.redhat.com/security/cve/CVE-2022-1705 https://access.redhat.com/security/cve/CVE-2022-2795 https://access.redhat.com/security/cve/CVE-2022-2879 https://access.redhat.com/security/cve/CVE-2022-2880 https://access.redhat.com/security/cve/CVE-2022-2995 https://access.redhat.com/security/cve/CVE-2022-3162 https://access.redhat.com/security/cve/CVE-2022-3172 https://access.redhat.com/security/cve/CVE-2022-3204 https://access.redhat.com/security/cve/CVE-2022-3259 https://access.redhat.com/security/cve/CVE-2022-3466 https://access.redhat.com/security/cve/CVE-2022-27664 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-32148 https://access.redhat.com/security/cve/CVE-2022-32189 https://access.redhat.com/security/cve/CVE-2022-32190 https://access.redhat.com/security/cve/CVE-2022-36227 https://access.redhat.com/security/cve/CVE-2022-39229 https://access.redhat.com/security/cve/CVE-2022-41715 https://access.redhat.com/security/cve/CVE-2023-24540 https://access.redhat.com/security/cve/CVE-2023-27535 https://access.redhat.com/security/updates/classification/#important

Package List


Severity
Advisory ID: RHSA-2023:3644-01
Product: RHOSSM
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3644
Issued Date: : 2023-06-15
CVE Names: CVE-2021-4235 CVE-2022-1705 CVE-2022-2795 CVE-2022-2879 CVE-2022-2880 CVE-2022-2995 CVE-2022-3162 CVE-2022-3172 CVE-2022-3204 CVE-2022-3259 CVE-2022-3466 CVE-2022-27664 CVE-2022-30631 CVE-2022-32148 CVE-2022-32189 CVE-2022-32190 CVE-2022-36227 CVE-2022-39229 CVE-2022-41715 CVE-2023-24540 CVE-2023-27535

Topic

Red Hat OpenShift Service Mesh Containers for 2.4.0Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace

5. JIRA issues fixed (https://issues.redhat.com/):

OSSM-1094 - Htpasswd secret created in control plane namespace is using SHA1

OSSM-1667 - Remove deprecated cipher suites

OSSM-2128 - Exclude some accessible namespaces in Kiali CR with some labelSelector

OSSM-2215 - istio-cni-node never updates kubeconfig causing error adding container to network \"v2-0-istio-cni\": Unauthorized

OSSM-2221 - Gateway injection does not work in control plane namespace

OSSM-2254 - Fix and deprecate IOR

OSSM-2274 - If two SMCPs exist in a namespace and you delete one, all child resources are deleted

OSSM-2325 - Disable prometheus in the minimal example CR

OSSM-2339 - Deprecated istio-operator API call in CNV

OSSM-2420 - Pod locality controller fails to update pod

OSSM-2436 - istio-operator reports as ready before it really is

OSSM-3246 - Promote ClusterWide to GA

OSSM-3288 - Implement prometheus extension provider

OSSM-3291 - Implement envoyExtAuthzHttp extension provider

OSSM-331 - Service Mesh IPv6 Single Stack Support

OSSM-3419 - Align OSSM 2.4 with latest upstream Istio 1.16.5 release

OSSM-3747 - Duplicate env vars in egress gateway deployment

OSSM-3784 - Bad ownerReference in k8s Gateway Deployment & Service

OSSM-3802 - GA discoverySelectors (move out of techPreview.meshConfig)

OSSM-3803 - Move extensionProviders to SMCP.spec.meshConfig.extensionProvidersOSSM-3870 - OSSM must-gather improvements

OSSM-3873 - [KIALI] Kiali ingress.host accepted in the SMCP but is not configured properly in Kiali CR

OSSM-3934 - Prometheus and grafana not reachable from kiali

OSSM-3986 - Kiali does not display all the data when SMCP is deployed with Cluster Wide mode

OSSM-4037 - kiali operator base image bump

OSSM-4069 - Kiali route is missing with 2.2 Control Plane in 2.4 Operator on OpenShift 4.13

OSSM-566 - Supported integration with OpenShift Monitoring and BYO Prometheus

OSSM-568 - Integration with (external) cert-manager


Related News

1.Penguin Landscape Esm H320
1 - 2 min read
A critical vulnerability was discovered in the Linux kernel's netfilter subsystem, specifically within the nf_tables component, posing potential
19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved