Red Hat OpenShift Service Mesh 2.2.7 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Service Mesh 2.2.7 security update
Advisory ID:       RHSA-2023:3645-01
Product:           RHOSSM
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3645
Issue date:        2023-06-15
CVE Names:         CVE-2021-20329 CVE-2021-43138 CVE-2022-2880 
                   CVE-2022-4304 CVE-2022-4450 CVE-2022-24999 
                   CVE-2022-25858 CVE-2022-27664 CVE-2022-36227 
                   CVE-2022-39229 CVE-2022-41715 CVE-2023-0215 
                   CVE-2023-0286 CVE-2023-0361 CVE-2023-27535 
====================================================================
1. Summary:

Red Hat OpenShift Service Mesh 2.2.7

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an OpenShift Container
Platform installation.

This advisory covers the RPM packages for the release.

Security Fix(es):

* mongo-go-driver: specific cstrings input may not be properly validated
(CVE-2021-20329)
* async: Prototype Pollution in async (CVE-2021-43138)
* express: "qs" prototype poisoning causes the hang of the node process
(CVE-2022-24999)
* terser: insecure use of regular expressions leads to ReDoS
(CVE-2022-25858)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1971033 - CVE-2021-20329 mongo-go-driver: specific cstrings input may not be properly validated
2126276 - CVE-2021-43138 async: Prototype Pollution in async
2126277 - CVE-2022-25858 terser: insecure use of regular expressions leads to ReDoS
2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process

5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

OSSM-3596 - Port istio-cni fix for RHEL9 to maistra-2.2
OSSM-3720 - Port egress-gateway wrong network gateway endpoints fix in maistra-2.2
OSSM-3783 - operator can deadlock when istiod deployment fails [maistra-2.2]

6. References:

https://access.redhat.com/security/cve/CVE-2021-20329
https://access.redhat.com/security/cve/CVE-2021-43138
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-24999
https://access.redhat.com/security/cve/CVE-2022-25858
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-39229
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/updates/classification#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZIuxJdzjgjWX9erEAQglEg/6A7Ceu4fLKvXl+RRcBZs1TAFYReXxYOcd
KGEDPmEuS2YCS3pn4CN/CqPYcgp1YmtTrpUZxmzKoAZjInJ3kc4zG7XGim3eLBiC
LUWMl7DUM9voriHCmrktjr3sMfryng7FL5i9NT8Sh0YxyeJ0DEr/3Pziyae5JezY
BC1uColX7LtZUa0dLgP3Tl7lW/tEn2TwOUldmLAJwjzvECzsCelLT57DOUbeibV0
TrmGs6ZOhUDNzbLHRZuvtLXIJlL0LquR/B/KzOT7ZuawEAxMmh70t2AdS3mD4YXq
GxG9b4mfq7zIYa6nvUnTcaKxM/gE0TE0Vrrk9FdUfXcpyQfZnVakLf3i5ll0XmqA
7YSSdBJIj8kccbz7DV9siJVyCMmlN/7KB0QYont4MiIvY4/ovS9pytDtuJ2xvOZ4
pTe6tF2i8S+XvI5D173I7+QoN8fUGiP3gdArRKFu7GlFXZfrgq4Yfl4wQR26tbpE
CCrT1ct9Bj1IdvFSOexBzaNArh60Vpi0uUYfYg2smVPJslCNhKY9c1D0T/pLZL3b
mO5ytnq/zaNPFSYS4LpuBn9qX1TXJmlNQlpm/Pnzs//YVaZbxXwvzzGC4vVr7F+r
+VVlfI43X4bLKseuxToheH9UrMIJRW+aE6bFHE1ss22m9y5n/kHRK8oDb5FRur3b
LOOJa1Oil6M=4VhL
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.