
An OpenShift Serverless security update has been released.

RHSA-2022:1747-01: Low: Release of OpenShift Serverless Version 1.22.0

=====================================================================
Red Hat Security Advisory

Synopsis: Low: Release of OpenShift Serverless Version 1.22.0
Advisory ID: RHSA-2022:1747-01
Product: Red Hat OpenShift Serverless
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1747
Issue date: 2022-05-09
CVE Names: CVE-2018-25032 CVE-2021-3999 CVE-2021-23177
CVE-2021-31566 CVE-2021-41771 CVE-2021-41772
CVE-2021-45960 CVE-2021-46143 CVE-2022-0778
CVE-2022-21426 CVE-2022-21434 CVE-2022-21443
CVE-2022-21449 CVE-2022-21476 CVE-2022-21496
CVE-2022-22822 CVE-2022-22823 CVE-2022-22824
CVE-2022-22825 CVE-2022-22826 CVE-2022-22827
CVE-2022-23218 CVE-2022-23219 CVE-2022-23308
CVE-2022-23852 CVE-2022-25235 CVE-2022-25236
CVE-2022-25315
=====================================================================

1. Summary:

OpenShift Serverless version 1.22.0 contains a moderate security impact.

The References section contains CVE links providing detailed severity
ratings for each vulnerability. Ratings are based on a Common Vulnerability
Scoring System (CVSS) base score.

2. Description:

Version 1.22.0 of the OpenShift Serverless Operator is supported on Red Hat
OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, and 4.10. This
release includes security and bug fixes and enhancements.

For more information, see the documentation linked in the Solution section.

Security Fixes in this release include:
* golang: archive/zip: Reader.Open panics on empty string (CVE-2021-41772)
* golang: debug/macho: invalid dynamic symbol table command can cause panic
(CVE-2021-41771)

For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
pages linked in the References section.

3. Solution:

For details about the security fixes, see the Red Hat OpenShift Container
Platform documentation for your version:
* Red Hat OpenShift Container Platform 4.6:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index
* Red Hat OpenShift Container Platform 4.7:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
* Red Hat OpenShift Container Platform 4.8:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
* Red Hat OpenShift Container Platform 4.9:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
* Red Hat OpenShift Container Platform 4.10:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index

4. Bugs fixed (https://bugzilla.redhat.com/):

2020725 - CVE-2021-41771 golang: debug/macho: invalid dynamic symbol table command can cause panic
2020736 - CVE-2021-41772 golang: archive/zip: Reader.Open panics on empty string

5. References:

  https://access.redhat.com/security/cve/CVE-2018-25032
  https://access.redhat.com/security/cve/CVE-2021-3999
  https://access.redhat.com/security/cve/CVE-2021-23177
  https://access.redhat.com/security/cve/CVE-2021-31566
  https://access.redhat.com/security/cve/CVE-2021-41771
  https://access.redhat.com/security/cve/CVE-2021-41772
  https://access.redhat.com/security/cve/CVE-2021-45960
  https://access.redhat.com/security/cve/CVE-2021-46143
  https://access.redhat.com/security/cve/CVE-2022-0778
  https://access.redhat.com/security/cve/CVE-2022-21426
  https://access.redhat.com/security/cve/CVE-2022-21434
  https://access.redhat.com/security/cve/CVE-2022-21443
  https://access.redhat.com/security/cve/CVE-2022-21449
  https://access.redhat.com/security/cve/CVE-2022-21476
  https://access.redhat.com/security/cve/CVE-2022-21496
  https://access.redhat.com/security/cve/CVE-2022-22822
  https://access.redhat.com/security/cve/CVE-2022-22823
  https://access.redhat.com/security/cve/CVE-2022-22824
  https://access.redhat.com/security/cve/CVE-2022-22825
  https://access.redhat.com/security/cve/CVE-2022-22826
  https://access.redhat.com/security/cve/CVE-2022-22827
  https://access.redhat.com/security/cve/CVE-2022-23218
  https://access.redhat.com/security/cve/CVE-2022-23219
  https://access.redhat.com/security/cve/CVE-2022-23308
  https://access.redhat.com/security/cve/CVE-2022-23852
  https://access.redhat.com/security/cve/CVE-2022-25235
  https://access.redhat.com/security/cve/CVE-2022-25236
  https://access.redhat.com/security/cve/CVE-2022-25315

For details about the severity classification and the product documentation, see:
* https://access.redhat.com/security/updates/classification/#low
* https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index
* https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
* https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
* https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
* https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.