Containers for OSP 16.2.z director operator tech preview have been released.
RHSA-2022:2183-01: Moderate: Release of containers for OSP 16.2.z director operator tech preview
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Release of containers for OSP 16.2.z director operator tech preview
Advisory ID: RHSA-2022:2183-01
Product: Red Hat OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2022:2183
Issue date: 2022-05-11
CVE Names: CVE-2018-25032 CVE-2019-11253 CVE-2019-19794
CVE-2020-15257 CVE-2021-29482 CVE-2021-32760
CVE-2022-1154 CVE-2022-1271
=====================================================================
1. Summary:
Red Hat OpenStack Platform 16.2 (Train) director Operator containers are
available for technology preview.
2. Description:
Release osp-director-operator images
Security Fix(es):
* golang: kubernetes: YAML parsing vulnerable to "Billion Laughs" attack,
allowing for remote denial of service (CVE-2019-11253)
* golang: golang-github-miekg-dns: predictable TXID can lead to response
forgeries (CVE-2019-19794)
* golang: containerd: unrestricted access to abstract Unix domain socket
can lead to privilege escalation (CVE-2020-15257)
* golang: ulikunitz/xz: Infinite loop in readUvarint allows for denial of
service (CVE-2021-29482)
* golang: containerd: pulling and extracting crafted container image may
result in Unix file permission changes (CVE-2021-32760)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
3. Solution:
OSP 16.2 Release - OSP Director Operator Containers tech preview
4. Bugs fixed ( https://bugzilla.redhat.com/):
1757701 - CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service
1786761 - CVE-2019-19794 golang-github-miekg-dns: predictable TXID can lead to response forgeries
1899487 - CVE-2020-15257 containerd: unrestricted access to abstract Unix domain socket can lead to privileges escalation
1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service
1982681 - CVE-2021-32760 containerd: pulling and extracting crafted container image may result in Unix file permission changes
2079447 - Rebase tech preview on latest upstream v1.2.x branch
5. References:
https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2019-11253
https://access.redhat.com/security/cve/CVE-2019-19794
https://access.redhat.com/security/cve/CVE-2020-15257
https://access.redhat.com/security/cve/CVE-2021-29482
https://access.redhat.com/security/cve/CVE-2021-32760
https://access.redhat.com/security/cve/CVE-2022-1154
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.