RHSA-2022:6283-01: Moderate: Red Hat OpenShift Service Mesh 2.2.2 Containers security update

Red Hat 8994 Published by

A Red Hat OpenShift Service Mesh 2.2.2 Containers security update has been released.



RHSA-2022:6283-01: Moderate: Red Hat OpenShift Service Mesh 2.2.2 Containers security update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenShift Service Mesh 2.2.2 Containers security update
Advisory ID: RHSA-2022:6283-01
Product: Red Hat OpenShift Service Mesh
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:6283
Issue date: 2022-08-31
CVE Names: CVE-2022-1292 CVE-2022-1586 CVE-2022-1785
CVE-2022-1897 CVE-2022-1927 CVE-2022-1962
CVE-2022-2068 CVE-2022-2097 CVE-2022-28131
CVE-2022-30630 CVE-2022-30632 CVE-2022-30633
CVE-2022-30635 CVE-2022-31107
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 2.2.2 Containers

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an OpenShift Container
Platform installation.

This advisory covers the RPM packages for the release.

Security Fix(es):

* golang: go/parser: stack exhaustion in all Parse* functions
(CVE-2022-1962)
* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

The OpenShift Service Mesh Release Notes provide information on the
features and known issues:

  https://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html

4. Bugs fixed (  https://bugzilla.redhat.com/):

2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

5. JIRA issues fixed (  https://issues.jboss.org/):

OSSM-1105 - IOR doesn't support a host with namespace/ prefix
OSSM-1205 - Specifying logging parameter will make istio-ingressgateway and istio-egressgateway failed to start
OSSM-1668 - [Regression] jwksResolverCA field in SMCP is missing
OSSM-1718 - Istio Operator pauses reconciliation when gateway deployed to non-control plane namespace
OSSM-1775 - [Regression] Incorrect 3scale image specified for 2.0 control planes
OSSM-1800 - IOR should copy labels from Gateway to Route
OSSM-1805 - Reconcile SMCP when Kiali is not available
OSSM-1846 - SMCP fails to reconcile when enabling PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER
OSSM-1868 - Container release for Maistra 2.2.2

6. References:

  https://access.redhat.com/security/cve/CVE-2022-1292
  https://access.redhat.com/security/cve/CVE-2022-1586
  https://access.redhat.com/security/cve/CVE-2022-1785
  https://access.redhat.com/security/cve/CVE-2022-1897
  https://access.redhat.com/security/cve/CVE-2022-1927
  https://access.redhat.com/security/cve/CVE-2022-1962
  https://access.redhat.com/security/cve/CVE-2022-2068
  https://access.redhat.com/security/cve/CVE-2022-2097
  https://access.redhat.com/security/cve/CVE-2022-28131
  https://access.redhat.com/security/cve/CVE-2022-30630
  https://access.redhat.com/security/cve/CVE-2022-30632
  https://access.redhat.com/security/cve/CVE-2022-30633
  https://access.redhat.com/security/cve/CVE-2022-30635
  https://access.redhat.com/security/cve/CVE-2022-31107
  https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

Fedora 35 Update: rsync-3.2.5-1.fc35

ELBA-2022-9749 Oracle Linux 7 Unbreakable Enterprise kernel bug fix update

Windows

Linux

macOS

Community

  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...
  • StephanX
    Hi friends, i am new in the Linux universe but i try to ...
  • Philipp
    I would try the XanMod kernel: https://xanmod.orgĀ  I ...