Red Hat 9062 Published by

An OpenShift Jenkins image and Jenkins agent base image security update has been released.



[RHSA-2023:3664-01] Moderate: OpenShift Jenkins image and Jenkins agent base image security update


=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift Jenkins image and Jenkins agent base image security update
Advisory ID: RHSA-2023:3664-01
Product: OpenShift Developer Tools and Services
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3664
Issue date: 2023-06-19
CVE Names: CVE-2021-3782 CVE-2021-46848 CVE-2022-1304
CVE-2022-1705 CVE-2022-2795 CVE-2022-2880
CVE-2022-3627 CVE-2022-3970 CVE-2022-28327
CVE-2022-32148 CVE-2022-35737 CVE-2022-36227
CVE-2022-41715 CVE-2022-41717 CVE-2022-42898
CVE-2022-47629 CVE-2023-0361 CVE-2023-2491
CVE-2023-22490 CVE-2023-23946 CVE-2023-24329
CVE-2023-25652 CVE-2023-25815 CVE-2023-27535
CVE-2023-29007
=====================================================================

1. Summary:

Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent
base image.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Release of Security Advisory for the OpenShift Jenkins image and Jenkins
agent base image.

Security Fix(es):

* golang: net/http: An attacker can cause excessive memory growth in a Go
server accepting HTTP/2 requests (CVE-2022-41717)

* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)

* golang: net/http/httputil: ReverseProxy should not forward unparseable
query parameters (CVE-2022-2880)

* golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)

* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)

* golang: crypto/elliptic: panic caused by oversized scalar
(CVE-2022-28327)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed ( https://bugzilla.redhat.com/):

2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed ( https://issues.redhat.com/):

OCPBUGS-11182 - Jenkins images based on rhel8 are wrongly tagged with rhel7
OCPBUGS-13653 - [release-4.11] Bump Jenkins and Plugin versions
OCPBUGS-14114 - Update ImageStreams to use new Jenkins and Jenkins Agent Base images
OCPBUGS-1438 - [release-411] Jenkins install-plugins script does not ignore updates to locked plugin versions
OCPBUGS-14646 - Bump Jenkins plugins to latest versions

6. References:

https://access.redhat.com/security/cve/CVE-2021-3782
https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-2795
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-3627
https://access.redhat.com/security/cve/CVE-2022-3970
https://access.redhat.com/security/cve/CVE-2022-28327
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/cve/CVE-2022-47629
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-2491
https://access.redhat.com/security/cve/CVE-2023-22490
https://access.redhat.com/security/cve/CVE-2023-23946
https://access.redhat.com/security/cve/CVE-2023-24329
https://access.redhat.com/security/cve/CVE-2023-25652
https://access.redhat.com/security/cve/CVE-2023-25815
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-29007
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is [secalert@redhat.com]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

--