Red Hat 9036 Published by

An OpenShift Serverless 1.12.0 security update has been released.



RHSA-2021:0146-01: Moderate: Release of OpenShift Serverless 1.12.0



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Release of OpenShift Serverless 1.12.0
Advisory ID: RHSA-2021:0146-01
Product: Red Hat OpenShift Serverless
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:0146
Issue date: 2021-01-14
CVE Names: CVE-2018-20843 CVE-2019-5018 CVE-2019-13050
CVE-2019-13627 CVE-2019-14889 CVE-2019-15903
CVE-2019-16168 CVE-2019-19221 CVE-2019-19906
CVE-2019-19956 CVE-2019-20218 CVE-2019-20387
CVE-2019-20388 CVE-2019-20454 CVE-2020-1730
CVE-2020-1751 CVE-2020-1752 CVE-2020-1971
CVE-2020-6405 CVE-2020-7595 CVE-2020-9327
CVE-2020-10029 CVE-2020-13630 CVE-2020-13631
CVE-2020-13632 CVE-2020-24553 CVE-2020-24659
CVE-2020-28362 CVE-2020-28366 CVE-2020-28367
=====================================================================

1. Summary:

Release of OpenShift Serverless 1.12.0

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each
vulnerability. For more information, see the CVE links in the References
section.

2. Description:

Red Hat OpenShift Serverless 1.12.0 is a generally available release of the
OpenShift Serverless Operator.

This version of the OpenShift Serverless
Operator is supported on Red Hat OpenShift Container Platform version 4.6,
and includes security and bug fixes and enhancements. For more information,
see the documentation listed in the References section.

Security Fix(es):

* golang: default Content-Type setting in net/http/cgi and net/http/fcgi
could cause XSS (CVE-2020-24553)

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

* golang: malicious symbol names can lead to code execution at build time
(CVE-2020-28366)

* golang: improper validation of cgo flags can lead to code execution at
build time (CVE-2020-28367)

For more details about the security issues and their impact, the CVSS
score, acknowledgements, and other related information, see the CVE pages
listed in the References section.

3. Solution:

See the documentation at:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/
4.6/html/serverless_applications/index

4. Bugs fixed (  https://bugzilla.redhat.com/):

1874857 - CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1897643 - CVE-2020-28366 golang: malicious symbol names can lead to code execution at build time
1897646 - CVE-2020-28367 golang: improper validation of cgo flags can lead to code execution at build time
1906381 - Release of OpenShift Serverless Serving 1.12.0
1906382 - Release of OpenShift Serverless Eventing 1.12.0

5. References:

  https://access.redhat.com/security/cve/CVE-2018-20843
  https://access.redhat.com/security/cve/CVE-2019-5018
  https://access.redhat.com/security/cve/CVE-2019-13050
  https://access.redhat.com/security/cve/CVE-2019-13627
  https://access.redhat.com/security/cve/CVE-2019-14889
  https://access.redhat.com/security/cve/CVE-2019-15903
  https://access.redhat.com/security/cve/CVE-2019-16168
  https://access.redhat.com/security/cve/CVE-2019-19221
  https://access.redhat.com/security/cve/CVE-2019-19906
  https://access.redhat.com/security/cve/CVE-2019-19956
  https://access.redhat.com/security/cve/CVE-2019-20218
  https://access.redhat.com/security/cve/CVE-2019-20387
  https://access.redhat.com/security/cve/CVE-2019-20388
  https://access.redhat.com/security/cve/CVE-2019-20454
  https://access.redhat.com/security/cve/CVE-2020-1730
  https://access.redhat.com/security/cve/CVE-2020-1751
  https://access.redhat.com/security/cve/CVE-2020-1752
  https://access.redhat.com/security/cve/CVE-2020-1971
  https://access.redhat.com/security/cve/CVE-2020-6405
  https://access.redhat.com/security/cve/CVE-2020-7595
  https://access.redhat.com/security/cve/CVE-2020-9327
  https://access.redhat.com/security/cve/CVE-2020-10029
  https://access.redhat.com/security/cve/CVE-2020-13630
  https://access.redhat.com/security/cve/CVE-2020-13631
  https://access.redhat.com/security/cve/CVE-2020-13632
  https://access.redhat.com/security/cve/CVE-2020-24553
  https://access.redhat.com/security/cve/CVE-2020-24659
  https://access.redhat.com/security/cve/CVE-2020-28362
  https://access.redhat.com/security/cve/CVE-2020-28366
  https://access.redhat.com/security/cve/CVE-2020-28367
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.