A release of OpenShift Serverless 1.27.1 has been released.

RHSA-2023:1181-01: Moderate: Release of OpenShift Serverless 1.27.1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Release of OpenShift Serverless 1.27.1
Advisory ID: RHSA-2023:1181-01
Product: RHOSS
Advisory URL:   https://access.redhat.com/errata/RHSA-2023:1181
Issue date: 2023-03-09
CVE Names: CVE-2021-46848 CVE-2022-4415 CVE-2022-35737
CVE-2022-40303 CVE-2022-40304 CVE-2022-41717
CVE-2022-47629 CVE-2022-48303
=====================================================================

1. Summary:

OpenShift Serverless version 1.27.1 contains a moderate security impact.

The References section contains CVE links providing detailed severity
ratings
for each vulnerability. Ratings are based on a Common Vulnerability Scoring
System (CVSS) base score.

2. Description:

Version 1.27.1 of the OpenShift Serverless Operator is supported on Red Hat
OpenShift Container Platform versions 4.8, 4.9, 4.10, 4.11 and 4.12.

This release includes security and bug fixes, and enhancements.

Security Fixes in this release include:

- - golang: net/http: An attacker can cause excessive memory growth in a Go
server accepting HTTP/2 requests(CVE-2022-41717)

For more details about the security issues, including the impact; a CVSS
score; acknowledgments; and other related information refer to the CVE
pages linked in the References section.

3. Solution:

See the Red Hat OpenShift Container Platform 4.9 documentation at:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
See the Red Hat OpenShift Container Platform 4.10 documentation at:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index
See the Red Hat OpenShift Container Platform 4.11 documentation at:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index
See the Red Hat OpenShift Container Platform 4.12 documentation at:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index

4. Bugs fixed (  https://bugzilla.redhat.com/):

2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. References:

  https://access.redhat.com/security/cve/CVE-2021-46848
  https://access.redhat.com/security/cve/CVE-2022-4415
  https://access.redhat.com/security/cve/CVE-2022-35737
  https://access.redhat.com/security/cve/CVE-2022-40303
  https://access.redhat.com/security/cve/CVE-2022-40304
  https://access.redhat.com/security/cve/CVE-2022-41717
  https://access.redhat.com/security/cve/CVE-2022-47629
  https://access.redhat.com/security/cve/CVE-2022-48303
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.