Red Hat 9039 Published by

An OpenShift Serverless 1.14.1 security update has been released.



RHSA-2021:2093-01: Moderate: Release of OpenShift Serverless 1.14.1 security update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Release of OpenShift Serverless 1.14.1 security update
Advisory ID: RHSA-2021:2093-01
Product: Red Hat OpenShift Serverless
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:2093
Issue date: 2021-05-24
CVE Names: CVE-2021-3114 CVE-2021-3115
=====================================================================

1. Summary:

An update for openshift-serverless-1-kn-cli-artifacts-rhel8-container,
openshift-serverless-1-knative-rhel8-operator-container, and
openshift-serverless-1-serverless-operator-bundle-container is now
available for Openshift Serveless 1.14.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Serverless 1.14.1 is a generally available release of the
OpenShift Serverless Operator. This version of the OpenShift Serverless
Operator is supported on Red Hat OpenShift Container Platform versions 4.6
and 4.7, and includes security and bug fixes and enhancements. For more
information, see the documentation listed in the References section.

Security Fix(es):

* golang: crypto/elliptic: incorrect operations on the P-224 curve
(CVE-2021-3114)

* golang: cmd/go: packages using cgo can cause arbitrary code execution at
build time (CVE-2021-3115)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

See the Red Hat OpenShift Container Platform 4.6 documentation at:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/
4.6/html/serverless/index

See the Red Hat OpenShift Container Platform 4.7 documentation at:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/
4.7/html/serverless/index

4. Bugs fixed (  https://bugzilla.redhat.com/):

1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
1918761 - CVE-2021-3115 golang: cmd/go: packages using cgo can cause arbitrary code execution at build time

5. References:

  https://access.redhat.com/security/cve/CVE-2021-3114
  https://access.redhat.com/security/cve/CVE-2021-3115
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.