RHSA-2023:2780-01: Moderate: Image Builder security, bug fix, and enhancement update

Red Hat 9042 Published by

An Image Builder security, bug fix, and enhancement update has been released for Red Hat Enterprise Linux 8.



RHSA-2023:2780-01: Moderate: Image Builder security, bug fix, and enhancement update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Image Builder security, bug fix, and enhancement update
Advisory ID: RHSA-2023:2780-01
Product: Red Hat Enterprise Linux
Advisory URL:   https://access.redhat.com/errata/RHSA-2023:2780
Issue date: 2023-05-16
CVE Names: CVE-2022-2879 CVE-2022-2880 CVE-2022-27664
CVE-2022-41715 CVE-2022-41717
=====================================================================

1. Summary:

An update for cockpit-composer, osbuild, osbuild-composer, and weldr-client
is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Image Builder is a service for building customized OS artifacts, such as VM
images and OSTree commits, that uses osbuild under the hood.

Security Fix(es):

* golang: archive/tar: unbounded memory consumption when reading headers
(CVE-2022-2879)

* golang: net/http/httputil: ReverseProxy should not forward unparseable
query parameters (CVE-2022-2880)

* golang: net/http: handle server errors after sending GOAWAY
(CVE-2022-27664)

* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)

* golang: net/http: An attacker can cause excessive memory growth in a Go
server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

  https://access.redhat.com/articles/11258

5. Bugs fixed (  https://bugzilla.redhat.com/):

2033192 - weldr-client doesn't convert --size to bytes before sending it to osbuild-composer
2063126 - [Azure] Suggest to add 68-azure-sriov-nm-unmanaged.rules
2072834 - [Azure][image] Suggest to enable nm-cloud-setup.timer in Azure images
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2132254 - Update Image Builder suite of projects to their latest upstream releases [RHEL-8.8]
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2136503 - osbuild-composer can't access /var/cache/osbuild-composer/rpmmd on package upgrade from 8.6
2139721 - [cockpit-composer] RHEL 8.8 Tier 0 Localization
2141738 - Image builder fails with Volume group "XXX" has insufficient free space (975 extents): 977 required.
2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
2168666 - Rebase to weldr-client v35.9

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
cockpit-composer-45-1.el8_8.src.rpm
osbuild-81-1.el8.src.rpm
osbuild-composer-75-1.el8.src.rpm
weldr-client-35.9-2.el8.src.rpm

aarch64:
osbuild-composer-75-1.el8.aarch64.rpm
osbuild-composer-core-75-1.el8.aarch64.rpm
osbuild-composer-core-debuginfo-75-1.el8.aarch64.rpm
osbuild-composer-debuginfo-75-1.el8.aarch64.rpm
osbuild-composer-debugsource-75-1.el8.aarch64.rpm
osbuild-composer-dnf-json-75-1.el8.aarch64.rpm
osbuild-composer-tests-debuginfo-75-1.el8.aarch64.rpm
osbuild-composer-worker-75-1.el8.aarch64.rpm
osbuild-composer-worker-debuginfo-75-1.el8.aarch64.rpm
weldr-client-35.9-2.el8.aarch64.rpm
weldr-client-debuginfo-35.9-2.el8.aarch64.rpm
weldr-client-debugsource-35.9-2.el8.aarch64.rpm
weldr-client-tests-debuginfo-35.9-2.el8.aarch64.rpm

noarch:
cockpit-composer-45-1.el8_8.noarch.rpm
osbuild-81-1.el8.noarch.rpm
osbuild-luks2-81-1.el8.noarch.rpm
osbuild-lvm2-81-1.el8.noarch.rpm
osbuild-ostree-81-1.el8.noarch.rpm
osbuild-selinux-81-1.el8.noarch.rpm
python3-osbuild-81-1.el8.noarch.rpm

ppc64le:
osbuild-composer-75-1.el8.ppc64le.rpm
osbuild-composer-core-75-1.el8.ppc64le.rpm
osbuild-composer-core-debuginfo-75-1.el8.ppc64le.rpm
osbuild-composer-debuginfo-75-1.el8.ppc64le.rpm
osbuild-composer-debugsource-75-1.el8.ppc64le.rpm
osbuild-composer-dnf-json-75-1.el8.ppc64le.rpm
osbuild-composer-tests-debuginfo-75-1.el8.ppc64le.rpm
osbuild-composer-worker-75-1.el8.ppc64le.rpm
osbuild-composer-worker-debuginfo-75-1.el8.ppc64le.rpm
weldr-client-35.9-2.el8.ppc64le.rpm
weldr-client-debuginfo-35.9-2.el8.ppc64le.rpm
weldr-client-debugsource-35.9-2.el8.ppc64le.rpm
weldr-client-tests-debuginfo-35.9-2.el8.ppc64le.rpm

s390x:
osbuild-composer-75-1.el8.s390x.rpm
osbuild-composer-core-75-1.el8.s390x.rpm
osbuild-composer-core-debuginfo-75-1.el8.s390x.rpm
osbuild-composer-debuginfo-75-1.el8.s390x.rpm
osbuild-composer-debugsource-75-1.el8.s390x.rpm
osbuild-composer-dnf-json-75-1.el8.s390x.rpm
osbuild-composer-tests-debuginfo-75-1.el8.s390x.rpm
osbuild-composer-worker-75-1.el8.s390x.rpm
osbuild-composer-worker-debuginfo-75-1.el8.s390x.rpm
weldr-client-35.9-2.el8.s390x.rpm
weldr-client-debuginfo-35.9-2.el8.s390x.rpm
weldr-client-debugsource-35.9-2.el8.s390x.rpm
weldr-client-tests-debuginfo-35.9-2.el8.s390x.rpm

x86_64:
osbuild-composer-75-1.el8.x86_64.rpm
osbuild-composer-core-75-1.el8.x86_64.rpm
osbuild-composer-core-debuginfo-75-1.el8.x86_64.rpm
osbuild-composer-debuginfo-75-1.el8.x86_64.rpm
osbuild-composer-debugsource-75-1.el8.x86_64.rpm
osbuild-composer-dnf-json-75-1.el8.x86_64.rpm
osbuild-composer-tests-debuginfo-75-1.el8.x86_64.rpm
osbuild-composer-worker-75-1.el8.x86_64.rpm
osbuild-composer-worker-debuginfo-75-1.el8.x86_64.rpm
weldr-client-35.9-2.el8.x86_64.rpm
weldr-client-debuginfo-35.9-2.el8.x86_64.rpm
weldr-client-debugsource-35.9-2.el8.x86_64.rpm
weldr-client-tests-debuginfo-35.9-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
  https://access.redhat.com/security/team/key/

7. References:

  https://access.redhat.com/security/cve/CVE-2022-2879
  https://access.redhat.com/security/cve/CVE-2022-2880
  https://access.redhat.com/security/cve/CVE-2022-27664
  https://access.redhat.com/security/cve/CVE-2022-41715
  https://access.redhat.com/security/cve/CVE-2022-41717
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

8. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

Lutris 0.5.13 released

RLBA-2023:3096: idm:DL1 bug fix update

Windows

Linux

macOS

Community

  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...
  • StephanX
    Hi friends, i am new in the Linux universe but i try to ...
  • Philipp
    I would try the XanMod kernel: https://xanmod.orgĀ  I ...