Published by Red Hat

OpenShift Serverless 1.27.0 has been released.

RHSA-2023:0709-01: Moderate: Release of OpenShift Serverless 1.27.0

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Release of OpenShift Serverless 1.27.0
Advisory ID: RHSA-2023:0709-01
Product: RHOSS
Advisory URL:   https://access.redhat.com/errata/RHSA-2023:0709
Issue date: 2023-02-09
CVE Names: CVE-2016-3709 CVE-2021-46848 CVE-2022-1304
CVE-2022-2509 CVE-2022-2879 CVE-2022-2880
CVE-2022-22624 CVE-2022-22628 CVE-2022-22629
CVE-2022-22662 CVE-2022-26700 CVE-2022-26709
CVE-2022-26710 CVE-2022-26716 CVE-2022-26717
CVE-2022-26719 CVE-2022-27664 CVE-2022-30293
CVE-2022-35737 CVE-2022-40303 CVE-2022-40304
CVE-2022-41715 CVE-2022-42010 CVE-2022-42011
CVE-2022-42012 CVE-2022-42898 CVE-2022-43680
CVE-2023-21835 CVE-2023-21843
=====================================================================

1. Summary:

Release of OpenShift Serverless 1.27.0

The References section contains CVE links providing detailed severity
ratings for each vulnerability. Ratings are based on a Common Vulnerability
Scoring System (CVSS) base score.

2. Description:

Version 1.27.0 of the OpenShift Serverless Operator is supported on Red Hat
OpenShift Container Platform versions 4.8, 4.9, 4.10, 4.11 and 4.12.

This release includes security and bug fixes, and enhancements.

* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)
* golang: net/http: handle server errors after sending GOAWAY
(CVE-2022-27664)
* golang: net/http/httputil: ReverseProxy should not forward unparseable
query parameters (CVE-2022-2880)
* golang: archive/tar: unbounded memory consumption when reading headers
(CVE-2022-2879)

For more details about the security issues, including the impact; a CVSS
score; acknowledgments; and other related information refer to the CVE pages
linked in the References section.
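The ReverseProxy issue (CVE-2022-2880) is the one of the four that is easiest
to see end to end, so here is a worked illustration. It is an added example,
not code from this advisory, from OpenShift Serverless, or from the Go project.
It assumes a Go toolchain that already carries the fix (Go 1.18.7 / 1.19.2 or
later, which is what the rebuilt 1.27.0 images ship with). The names
ProxyForwardedQuery and ProxyResult, and the two query strings, are this
example's own. A front-end handler calls ParseForm to validate the query
(the pairs "a=1;b=2" and "x=%zz" fail to parse and are silently dropped from
r.Form) and then delegates to httputil.ReverseProxy. Before the fix the proxy
forwarded the raw query string unchanged, so a backend that accepted ';' as a
separator, or was more lenient about escapes, received parameters the
validator never saw. With the fix, a proxy that finds r.Form populated
re-encodes the query and forwards only the parameters that parsed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sync"
)

// ProxyResult records what each side of one proxied request saw.
type ProxyResult struct {
	FrontEndSaw string // r.Form as the front end parsed it ("" if it did not call ParseForm)
	BackendGot  string // the raw query string that reached the backend
}

// ProxyForwardedQuery stands up a constructed backend behind an
// httputil.ReverseProxy, sends one GET carrying rawQuery through the proxy,
// and reports the query the front end validated against and the query the
// backend actually received.
//
// parseFirst selects whether the front-end handler calls ParseForm before
// delegating to the proxy. That is the pattern the CVE-2022-2880 fix
// protects: a filter that inspected r.Form and assumed the backend would
// see exactly the parameters it checked.
func ProxyForwardedQuery(rawQuery string, parseFirst bool) (ProxyResult, error) {
	var (
		mu  sync.Mutex
		res ProxyResult
	)

	// Constructed backend: it only records the raw query it was handed.
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		res.BackendGot = r.URL.RawQuery
		mu.Unlock()
		w.WriteHeader(http.StatusOK)
	}))
	defer backend.Close()

	target, err := url.Parse(backend.URL)
	if err != nil {
		return ProxyResult{}, err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)

	// Front end: optionally validates the query, then proxies the request.
	front := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if parseFirst {
			// ParseForm returns an error for "a=1;b=2" or "%zz" but still
			// populates r.Form with the pairs it could parse. A real filter
			// would inspect r.Form here, e.g. reject unknown keys.
			_ = r.ParseForm()
			mu.Lock()
			res.FrontEndSaw = r.Form.Encode()
			mu.Unlock()
		}
		proxy.ServeHTTP(w, r)
	}))
	defer front.Close()

	resp, err := http.Get(front.URL + "/?" + rawQuery)
	if err != nil {
		return ProxyResult{}, err
	}
	resp.Body.Close()

	mu.Lock()
	defer mu.Unlock()
	return res, nil
}

func main() {
	// Two constructed queries: a semicolon-separated pair and a bad escape.
	for _, q := range []string{"a=1;b=2&c=3", "x=%zz&y=1"} {
		for _, parse := range []bool{false, true} {
			r, err := ProxyForwardedQuery(q, parse)
			if err != nil {
				panic(err)
			}
			fmt.Printf("query=%q parseFirst=%v frontEndSaw=%q backendGot=%q\n",
				q, parse, r.FrontEndSaw, r.BackendGot)
		}
	}
}
```

With parseFirst=false the proxy still forwards the query verbatim, because
nothing on the front end parsed it and there is no validated view for the
backend to diverge from. The fix only engages when r.Form is populated, so a
front end that validates with its own parser instead of ParseForm gets no
protection from it and must normalise outreq.URL.RawQuery itself, for example
by re-encoding the url.Values it checked.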

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2154755 - Release of OpenShift Serverless Eventing 1.27.0
2154757 - Release of OpenShift Serverless Serving 1.27.0

5. References:

  https://access.redhat.com/security/cve/CVE-2016-3709
  https://access.redhat.com/security/cve/CVE-2021-46848
  https://access.redhat.com/security/cve/CVE-2022-1304
  https://access.redhat.com/security/cve/CVE-2022-2509
  https://access.redhat.com/security/cve/CVE-2022-2879
  https://access.redhat.com/security/cve/CVE-2022-2880
  https://access.redhat.com/security/cve/CVE-2022-22624
  https://access.redhat.com/security/cve/CVE-2022-22628
  https://access.redhat.com/security/cve/CVE-2022-22629
  https://access.redhat.com/security/cve/CVE-2022-22662
  https://access.redhat.com/security/cve/CVE-2022-26700
  https://access.redhat.com/security/cve/CVE-2022-26709
  https://access.redhat.com/security/cve/CVE-2022-26710
  https://access.redhat.com/security/cve/CVE-2022-26716
  https://access.redhat.com/security/cve/CVE-2022-26717
  https://access.redhat.com/security/cve/CVE-2022-26719
  https://access.redhat.com/security/cve/CVE-2022-27664
  https://access.redhat.com/security/cve/CVE-2022-30293
  https://access.redhat.com/security/cve/CVE-2022-35737
  https://access.redhat.com/security/cve/CVE-2022-40303
  https://access.redhat.com/security/cve/CVE-2022-40304
  https://access.redhat.com/security/cve/CVE-2022-41715
  https://access.redhat.com/security/cve/CVE-2022-42010
  https://access.redhat.com/security/cve/CVE-2022-42011
  https://access.redhat.com/security/cve/CVE-2022-42012
  https://access.redhat.com/security/cve/CVE-2022-42898
  https://access.redhat.com/security/cve/CVE-2022-43680
  https://access.redhat.com/security/cve/CVE-2023-21835
  https://access.redhat.com/security/cve/CVE-2023-21843
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.