RHSA-2021:5191-02: Moderate: Red Hat 3scale API Management 2.11.1 Release - Container Images

Red Hat 8983 Published by

Red Hat 3scale API Management 2.11.1 Release - Container Images has been released.



RHSA-2021:5191-02: Moderate: Red Hat 3scale API Management 2.11.1 Release - Container Images



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat 3scale API Management 2.11.1 Release - Container Images
Advisory ID: RHSA-2021:5191-01
Product: 3scale API Management
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:5191
Issue date: 2021-12-16
CVE Names: CVE-2020-26247 CVE-2020-36385 CVE-2021-0512
CVE-2021-3656 CVE-2021-3733 CVE-2021-22946
CVE-2021-22947 CVE-2021-33928 CVE-2021-33929
CVE-2021-33930 CVE-2021-33938
=====================================================================

1. Summary:

Red Hat 3scale API Management 2.11.1 Release - Container Images

A security update for Red Hat 3scale API Management is now available from
the Red Hat Container Catalog.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability
listed as CVE link(s) in the References section.

2. Description:

Red Hat 3scale API Management delivers centralized API management features
through a distributed, cloud-hosted layer. It includes built-in features to
help in building a more successful API program, including access control,
rate limits, payment gateway integration, and developer experience tools.

This advisory is intended to use with Container Images, for Red Hat 3scale
API Management 2.11.1.

Security Fix(es):

* rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema
(CVE-2020-26247)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.11/html-single/installing_3scale/index

4. Bugs fixed (  https://bugzilla.redhat.com/):

1912487 - CVE-2020-26247 rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema

5. JIRA issues fixed (  https://issues.jboss.org/):

THREESCALE-6868 - [3scale][2.11][LO-prio] Improve select default Application plan
THREESCALE-6879 - [3scale][2.11][HI-prio] Add 'Create new Application' flow to Product > Applications index
THREESCALE-7030 - Address scalability in 'Create new Application' form
THREESCALE-7203 - Fix Zync resync command in 5.6.9. Creating equivalent Zync routes
THREESCALE-7475 - Some api calls result in "Destroying user session"
THREESCALE-7488 - Ability to add external Lua dependencies for custom policies
THREESCALE-7573 - Enable proxy environment variables via the APICAST CRD
THREESCALE-7605 - type change of "policies_config" in /admin/api/services/{service_id}/proxy.json
THREESCALE-7633 - Signup form in developer portal is disabled for users authenticted via external SSO
THREESCALE-7644 - Metrics: Service for 3scale operator is missing
THREESCALE-7646 - Cleanup/refactor Products and Backends index logic
THREESCALE-7648 - Remove "#context-menu" from the url
THREESCALE-7704 - Images based on RHEL 7 should contain at least ca-certificates-2021.2.50-72.el7_9.noarch.rpm
THREESCALE-7731 - Reenable operator metrics service for apicast-operator
THREESCALE-7761 - 3scale Operator doesn't respect *_proxy env vars
THREESCALE-7765 - Remove MessageBus from System
THREESCALE-7834 - admin can't create application when developer is not allowed to pick a plan
THREESCALE-7863 - Update some Obsolete API's in 3scale_v2.js
THREESCALE-7884 - Service top application endpoint is not working properly
THREESCALE-7912 - ServiceMonitor created by monitoring showing HTTP 400 error
THREESCALE-7913 - ServiceMonitor for 3scale operator has wide selector

6. References:

  https://access.redhat.com/security/cve/CVE-2020-26247
  https://access.redhat.com/security/cve/CVE-2020-36385
  https://access.redhat.com/security/cve/CVE-2021-0512
  https://access.redhat.com/security/cve/CVE-2021-3656
  https://access.redhat.com/security/cve/CVE-2021-3733
  https://access.redhat.com/security/cve/CVE-2021-22946
  https://access.redhat.com/security/cve/CVE-2021-22947
  https://access.redhat.com/security/cve/CVE-2021-33928
  https://access.redhat.com/security/cve/CVE-2021-33929
  https://access.redhat.com/security/cve/CVE-2021-33930
  https://access.redhat.com/security/cve/CVE-2021-33938
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.11/html-single/installing_3scale/index

7. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

Fedora 35 Update: dr_libs-0-0.7.20211208git49de65c.fc35

ELSA-2021-5160 Important: Oracle Linux 8 go-toolset:ol8 security and bug fix update

Windows

Linux

macOS

Community

  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...
  • StephanX
    Hi friends, i am new in the Linux universe but i try to ...
  • Philipp
    I would try the XanMod kernel: https://xanmod.orgĀ  I ...