A Red Hat 3scale API Management 2.10.0 security update and release is available.
RHSA-2021:1129-01: Moderate: Red Hat 3scale API Management 2.10.0 security update and release
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat 3scale API Management 2.10.0 security update and release
Advisory ID: RHSA-2021:1129-01
Product: 3scale API Management
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1129
Issue date: 2021-04-07
CVE Names: CVE-2018-20843 CVE-2019-5094 CVE-2019-5188
CVE-2019-11719 CVE-2019-11727 CVE-2019-11756
CVE-2019-12749 CVE-2019-14866 CVE-2019-15903
CVE-2019-17006 CVE-2019-17023 CVE-2019-17498
CVE-2019-19126 CVE-2019-19532 CVE-2019-19956
CVE-2019-20388 CVE-2019-20907 CVE-2020-0427
CVE-2020-1971 CVE-2020-6829 CVE-2020-7053
CVE-2020-7595 CVE-2020-8177 CVE-2020-9283
CVE-2020-12243 CVE-2020-12400 CVE-2020-12401
CVE-2020-12402 CVE-2020-12403 CVE-2020-12723
CVE-2020-14040 CVE-2020-14351 CVE-2020-25211
CVE-2020-25645 CVE-2020-25656 CVE-2020-25705
CVE-2020-28374 CVE-2020-29661 CVE-2021-20265
=====================================================================
1. Summary:
A security update for Red Hat 3scale API Management Platform is now
available from the Red Hat Container Catalog.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat 3scale API Management delivers centralized API management features
through a distributed, cloud-hosted layer. It includes built-in features to
help in building a more successful API program, including access control,
rate limits, payment gateway integration, and developer experience tools.
This advisory is intended to use with container images for Red Hat 3scale
API Management 2.10.0.
Security Fix(es):
* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows
for panic (CVE-2020-9283)
* golang.org/x/text: possibility to trigger an infinite loop in
encoding/unicode could lead to crash (CVE-2020-14040)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management
/2.10/html-single/installing_3scale/index
4. Bugs fixed ( https://bugzilla.redhat.com/):
1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
5. References:
https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-5094
https://access.redhat.com/security/cve/CVE-2019-5188
https://access.redhat.com/security/cve/CVE-2019-11719
https://access.redhat.com/security/cve/CVE-2019-11727
https://access.redhat.com/security/cve/CVE-2019-11756
https://access.redhat.com/security/cve/CVE-2019-12749
https://access.redhat.com/security/cve/CVE-2019-14866
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-17006
https://access.redhat.com/security/cve/CVE-2019-17023
https://access.redhat.com/security/cve/CVE-2019-17498
https://access.redhat.com/security/cve/CVE-2019-19126
https://access.redhat.com/security/cve/CVE-2019-19532
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2019-20907
https://access.redhat.com/security/cve/CVE-2020-0427
https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-6829
https://access.redhat.com/security/cve/CVE-2020-7053
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-8177
https://access.redhat.com/security/cve/CVE-2020-9283
https://access.redhat.com/security/cve/CVE-2020-12243
https://access.redhat.com/security/cve/CVE-2020-12400
https://access.redhat.com/security/cve/CVE-2020-12401
https://access.redhat.com/security/cve/CVE-2020-12402
https://access.redhat.com/security/cve/CVE-2020-12403
https://access.redhat.com/security/cve/CVE-2020-12723
https://access.redhat.com/security/cve/CVE-2020-14040
https://access.redhat.com/security/cve/CVE-2020-14351
https://access.redhat.com/security/cve/CVE-2020-25211
https://access.redhat.com/security/cve/CVE-2020-25645
https://access.redhat.com/security/cve/CVE-2020-25656
https://access.redhat.com/security/cve/CVE-2020-25705
https://access.redhat.com/security/cve/CVE-2020-28374
https://access.redhat.com/security/cve/CVE-2020-29661
https://access.redhat.com/security/cve/CVE-2021-20265
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.10/html-single/installing_3scale/index
6. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.