
An OpenShift sandboxed containers 1.3.1 security fix and bug fix update has been released.

RHSA-2022:7058-01: Moderate: OpenShift sandboxed containers 1.3.1 security fix and bug fix update

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift sandboxed containers 1.3.1 security fix and bug fix update
Advisory ID: RHSA-2022:7058-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7058
Issue date: 2022-10-19
CVE Names: CVE-2015-20107 CVE-2022-0391 CVE-2022-1292
           CVE-2022-1586 CVE-2022-1785 CVE-2022-1897
           CVE-2022-1927 CVE-2022-2068 CVE-2022-2097
           CVE-2022-2832 CVE-2022-24675 CVE-2022-29154
           CVE-2022-30632 CVE-2022-32206 CVE-2022-32208
           CVE-2022-34903 CVE-2022-40674
=====================================================================

1. Summary:

OpenShift sandboxed containers 1.3.1 is now available.

2. Description:

OpenShift sandboxed containers support for OpenShift Container Platform
provides users with built-in support for running Kata containers as an
additional, optional runtime.

This advisory contains an update for OpenShift sandboxed containers with
security fixes and a bug fix.

Space precludes documenting all of the updates to OpenShift sandboxed
containers in this advisory. See the following Release Notes documentation,
which will be updated shortly for this release, for details about these
changes:

  https://docs.openshift.com/container-platform/4.11/sandboxed_containers/sandboxed-containers-release-notes.html

3. Solution:

Before applying this update, ensure all previously released errata relevant
to your system have been applied.

For details on how to apply this update, which includes the changes
described in this advisory, refer to:
  https://docs.openshift.com/container-platform/latest/sandboxed_containers/upgrade-sandboxed-containers.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2118556 - CVE-2022-2832 blender: Null pointer reference in blender thumbnail extractor

5. JIRA issues fixed (https://issues.jboss.org/):

KATA-1751 - CVE-2022-24675 osc-operator-container: golang: encoding/pem: fix stack overflow in Decode [rhosc-1]
KATA-1752 - CVE-2022-28327 osc-operator-container: golang: crypto/elliptic: panic caused by oversized scalar [rhosc-1]
KATA-1754 - OSC Pod security issue in 4.12 prevents subscribing to operator
KATA-1758 - CVE-2022-30632 osc-operator-container: golang: path/filepath: stack exhaustion in Glob [rhosc-1]

6. References:

  https://access.redhat.com/security/cve/CVE-2015-20107
  https://access.redhat.com/security/cve/CVE-2022-0391
  https://access.redhat.com/security/cve/CVE-2022-1292
  https://access.redhat.com/security/cve/CVE-2022-1586
  https://access.redhat.com/security/cve/CVE-2022-1785
  https://access.redhat.com/security/cve/CVE-2022-1897
  https://access.redhat.com/security/cve/CVE-2022-1927
  https://access.redhat.com/security/cve/CVE-2022-2068
  https://access.redhat.com/security/cve/CVE-2022-2097
  https://access.redhat.com/security/cve/CVE-2022-2832
  https://access.redhat.com/security/cve/CVE-2022-24675
  https://access.redhat.com/security/cve/CVE-2022-29154
  https://access.redhat.com/security/cve/CVE-2022-30632
  https://access.redhat.com/security/cve/CVE-2022-32206
  https://access.redhat.com/security/cve/CVE-2022-32208
  https://access.redhat.com/security/cve/CVE-2022-34903
  https://access.redhat.com/security/cve/CVE-2022-40674
  https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.