Red Hat 9062 Published by

A Service Binding Operator 1.3.1 security update has been released.



RHSA-2022:7407-01: Moderate: Service Binding Operator 1.3.1 security update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Service Binding Operator 1.3.1 security update
Advisory ID: RHSA-2022:7407-01
Product: OpenShift Developer Tools and Services
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:7407
Issue date: 2022-11-03
CVE Names: CVE-2020-35525 CVE-2020-35527 CVE-2022-2509
CVE-2022-3515 CVE-2022-32149 CVE-2022-37434
=====================================================================

1. Summary:

An update for service-binding-operator-bundle-container and
service-binding-operator-container is now available for OpenShift Developer
Tools and Services for OCP 4.9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Service Binding Operator 1.3.1 is now available for OpenShift Developer
Tools and Services for OCP 4.9 +

Security Fix(es):

* golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time
to parse complex tags (CVE-2022-32149)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, ensure all previously released errata relevant
to your system have been applied.

For details on how to apply this update, see:
  https://access.redhat.com/articles/11258.

Follow the instructions linked in the References section to create service
binding connections between applications and services using the Developer
perspective in the OpenShift Container Platform web console.

4. Bugs fixed (  https://bugzilla.redhat.com/):

2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags

5. JIRA issues fixed (  https://issues.jboss.org/):

APPSVC-1220 - Fix CVE-2022-32149

6. References:

  https://access.redhat.com/security/cve/CVE-2020-35525
  https://access.redhat.com/security/cve/CVE-2020-35527
  https://access.redhat.com/security/cve/CVE-2022-2509
  https://access.redhat.com/security/cve/CVE-2022-3515
  https://access.redhat.com/security/cve/CVE-2022-32149
  https://access.redhat.com/security/cve/CVE-2022-37434
  https://access.redhat.com/security/updates/classification/#moderate
  https://docs.openshift.com/container-platform/latest/applications/connecting_applications_to_services/odc-connecting-an-application-to-a-service-using-the-developer-perspective.html

7. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.