Red Hat 9036 Published by

A Red Hat OpenShift Serverless Client kn 1.12.0 security update has been released.



RHSA-2021:0145-01: Moderate: Red Hat OpenShift Serverless Client kn 1.12.0



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenShift Serverless Client kn 1.12.0
Advisory ID: RHSA-2021:0145-01
Product: Red Hat OpenShift Serverless
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:0145
Issue date: 2021-01-14
CVE Names: CVE-2020-24553 CVE-2020-28362 CVE-2020-28366
CVE-2020-28367
=====================================================================

1. Summary:

Red Hat OpenShift Serverless Client kn 1.12.0

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each
vulnerability. For more information, see the CVE links in the References
section.

2. Relevant releases/architectures:

Openshift Serverless 1 on RHEL 8Base - x86_64

3. Description:

Red Hat OpenShift Serverless Client kn CLI is delivered as an RPM package
for installation on RHEL platforms, and as binaries for non-Linux
platforms.

Red Hat OpenShift Serverless Client kn 1.12.0 provides a CLI to interact
with Red Hat OpenShift Serverless 1.12.0, and includes security and bug
fixes and enhancements. For more information, see the release notes listed
in the References section.

Security Fix(es):

* golang: default Content-Type setting in net/http/cgi and net/http/fcgi
could cause XSS (CVE-2020-24553)

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

* golang: malicious symbol names can lead to code execution at build time
(CVE-2020-28366)

* golang: improper validation of cgo flags can lead to code execution at
build time (CVE-2020-28367)

For more details about the security issues and their impact, the CVSS
score, acknowledgements, and other related information, see the CVE pages
listed in the References section.

4. Solution:

See the documentation at:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/
4.6/html/serverless_applications/index

5. Bugs fixed (  https://bugzilla.redhat.com/):

1874857 - CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1897643 - CVE-2020-28366 golang: malicious symbol names can lead to code execution at build time
1897646 - CVE-2020-28367 golang: improper validation of cgo flags can lead to code execution at build time
1906386 - Release of OpenShift Serverless Client 1.12.0

6. Package List:

Openshift Serverless 1 on RHEL 8Base:

Source:
openshift-serverless-clients-0.18.4-2.el8.src.rpm

x86_64:
openshift-serverless-clients-0.18.4-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
  https://access.redhat.com/security/team/key/

7. References:

  https://access.redhat.com/security/cve/CVE-2020-24553
  https://access.redhat.com/security/cve/CVE-2020-28362
  https://access.redhat.com/security/cve/CVE-2020-28366
  https://access.redhat.com/security/cve/CVE-2020-28367
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/installing-openshift-serverless-1#installing-kn

8. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.