Red Hat 9062 Published by

A OpenShift Serverless 1.29.0 has been released.



[RHSA-2023:3455-01] Moderate: Release of OpenShift Serverless 1.29.0


=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Release of OpenShift Serverless 1.29.0
Advisory ID: RHSA-2023:3455-01
Product: Red Hat OpenShift Serverless
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3455
Issue date: 2023-06-05
CVE Names: CVE-2022-4304 CVE-2022-4450 CVE-2022-36227
CVE-2022-41723 CVE-2022-41724 CVE-2022-41725
CVE-2023-0215 CVE-2023-0286 CVE-2023-0361
CVE-2023-0767 CVE-2023-21930 CVE-2023-21937
CVE-2023-21938 CVE-2023-21939 CVE-2023-21954
CVE-2023-21967 CVE-2023-21968 CVE-2023-24534
CVE-2023-24536 CVE-2023-24537 CVE-2023-24538
CVE-2023-25173 CVE-2023-27535
=====================================================================

1. Summary:

OpenShift Serverless version 1.29.0 contains a moderate security impact.

The References section contains CVE links providing detailed severity
ratings
for each vulnerability. Ratings are based on a Common Vulnerability Scoring
System (CVSS) base score.

2. Description:

Version 1.29.0 of the OpenShift Serverless Operator is supported on Red Hat
OpenShift Container Platform versions 4.10, 4.11, 4.12, and 4.13.

This release includes security and bug fixes, and enhancements.

Security Fixes in this release include:

- - containerd: Supplementary groups are not set up properly(CVE-2023-25173)
- - golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding(CVE-2022-41723)
- - golang: net/http, mime/multipart: denial of service from excessive
resource consumption(CVE-2022-41725)
- - golang: crypto/tls: large handshake records may cause
panics(CVE-2022-41724)
- - golang: html/template: backticks not treated as string
delimiters(CVE-2023-24538)
- - golang: net/http, net/textproto, mime/multipart: denial of service from
excessive resource consumption(CVE-2023-24536)
- - golang: net/http, net/textproto: denial of service from excessive memory
allocation(CVE-2023-24534)
- - golang: go/parser: Infinite loop in parsing(CVE-2023-24537)

For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, see the CVE pages
linked from the References section.

3. Solution:

For instructions on how to install and use OpenShift Serverless, see
documentation linked from the References section.

4. Bugs fixed ( https://bugzilla.redhat.com/):

2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters
2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
2185507 - Release of OpenShift Serverless Serving 1.29.0
2185509 - Release of OpenShift Serverless Eventing 1.29.0

5. References:

https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2022-41724
https://access.redhat.com/security/cve/CVE-2022-41725
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-0767
https://access.redhat.com/security/cve/CVE-2023-21930
https://access.redhat.com/security/cve/CVE-2023-21937
https://access.redhat.com/security/cve/CVE-2023-21938
https://access.redhat.com/security/cve/CVE-2023-21939
https://access.redhat.com/security/cve/CVE-2023-21954
https://access.redhat.com/security/cve/CVE-2023-21967
https://access.redhat.com/security/cve/CVE-2023-21968
https://access.redhat.com/security/cve/CVE-2023-24534
https://access.redhat.com/security/cve/CVE-2023-24536
https://access.redhat.com/security/cve/CVE-2023-24537
https://access.redhat.com/security/cve/CVE-2023-24538
https://access.redhat.com/security/cve/CVE-2023-25173
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.13/html/serverless/index

6. Contact:

The Red Hat security contact is [secalert@redhat.com]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

--