Red Hat 9042 Published by

A Red Hat 3scale API Management 2.10.0 security update and release is available.



RHSA-2021:1129-01: Moderate: Red Hat 3scale API Management 2.10.0 security update and release



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat 3scale API Management 2.10.0 security update and release
Advisory ID: RHSA-2021:1129-01
Product: 3scale API Management
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:1129
Issue date: 2021-04-07
CVE Names: CVE-2018-20843 CVE-2019-5094 CVE-2019-5188
CVE-2019-11719 CVE-2019-11727 CVE-2019-11756
CVE-2019-12749 CVE-2019-14866 CVE-2019-15903
CVE-2019-17006 CVE-2019-17023 CVE-2019-17498
CVE-2019-19126 CVE-2019-19532 CVE-2019-19956
CVE-2019-20388 CVE-2019-20907 CVE-2020-0427
CVE-2020-1971 CVE-2020-6829 CVE-2020-7053
CVE-2020-7595 CVE-2020-8177 CVE-2020-9283
CVE-2020-12243 CVE-2020-12400 CVE-2020-12401
CVE-2020-12402 CVE-2020-12403 CVE-2020-12723
CVE-2020-14040 CVE-2020-14351 CVE-2020-25211
CVE-2020-25645 CVE-2020-25656 CVE-2020-25705
CVE-2020-28374 CVE-2020-29661 CVE-2021-20265
=====================================================================

1. Summary:

A security update for Red Hat 3scale API Management Platform is now
available from the Red Hat Container Catalog.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat 3scale API Management delivers centralized API management features
through a distributed, cloud-hosted layer. It includes built-in features to
help in building a more successful API program, including access control,
rate limits, payment gateway integration, and developer experience tools.

This advisory is intended to use with container images for Red Hat 3scale
API Management 2.10.0.

Security Fix(es):

* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows
for panic (CVE-2020-9283)

* golang.org/x/text: possibility to trigger an infinite loop in
encoding/unicode could lead to crash (CVE-2020-14040)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management
/2.10/html-single/installing_3scale/index

4. Bugs fixed (  https://bugzilla.redhat.com/):

1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash

5. References:

  https://access.redhat.com/security/cve/CVE-2018-20843
  https://access.redhat.com/security/cve/CVE-2019-5094
  https://access.redhat.com/security/cve/CVE-2019-5188
  https://access.redhat.com/security/cve/CVE-2019-11719
  https://access.redhat.com/security/cve/CVE-2019-11727
  https://access.redhat.com/security/cve/CVE-2019-11756
  https://access.redhat.com/security/cve/CVE-2019-12749
  https://access.redhat.com/security/cve/CVE-2019-14866
  https://access.redhat.com/security/cve/CVE-2019-15903
  https://access.redhat.com/security/cve/CVE-2019-17006
  https://access.redhat.com/security/cve/CVE-2019-17023
  https://access.redhat.com/security/cve/CVE-2019-17498
  https://access.redhat.com/security/cve/CVE-2019-19126
  https://access.redhat.com/security/cve/CVE-2019-19532
  https://access.redhat.com/security/cve/CVE-2019-19956
  https://access.redhat.com/security/cve/CVE-2019-20388
  https://access.redhat.com/security/cve/CVE-2019-20907
  https://access.redhat.com/security/cve/CVE-2020-0427
  https://access.redhat.com/security/cve/CVE-2020-1971
  https://access.redhat.com/security/cve/CVE-2020-6829
  https://access.redhat.com/security/cve/CVE-2020-7053
  https://access.redhat.com/security/cve/CVE-2020-7595
  https://access.redhat.com/security/cve/CVE-2020-8177
  https://access.redhat.com/security/cve/CVE-2020-9283
  https://access.redhat.com/security/cve/CVE-2020-12243
  https://access.redhat.com/security/cve/CVE-2020-12400
  https://access.redhat.com/security/cve/CVE-2020-12401
  https://access.redhat.com/security/cve/CVE-2020-12402
  https://access.redhat.com/security/cve/CVE-2020-12403
  https://access.redhat.com/security/cve/CVE-2020-12723
  https://access.redhat.com/security/cve/CVE-2020-14040
  https://access.redhat.com/security/cve/CVE-2020-14351
  https://access.redhat.com/security/cve/CVE-2020-25211
  https://access.redhat.com/security/cve/CVE-2020-25645
  https://access.redhat.com/security/cve/CVE-2020-25656
  https://access.redhat.com/security/cve/CVE-2020-25705
  https://access.redhat.com/security/cve/CVE-2020-28374
  https://access.redhat.com/security/cve/CVE-2020-29661
  https://access.redhat.com/security/cve/CVE-2021-20265
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.10/html-single/installing_3scale/index

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.