An OpenShift Virtualization 4.13.4 security and bug fix update has been released.

[RHSA-2023:5233-01] Moderate: OpenShift Virtualization 4.13.4 security and bug fix update

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift Virtualization 4.13.4 security and bug fix update
Advisory ID: RHSA-2023:5233-01
Product: OpenShift Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5233
Issue date: 2023-09-19
CVE Names: CVE-2016-3709 CVE-2022-41723 CVE-2023-1637
CVE-2023-2602 CVE-2023-2603 CVE-2023-3354
CVE-2023-3390 CVE-2023-3610 CVE-2023-3776
CVE-2023-3899 CVE-2023-4004 CVE-2023-4147
CVE-2023-20593 CVE-2023-21102 CVE-2023-30630
CVE-2023-31248 CVE-2023-34969 CVE-2023-35001
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 4.13.4 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

This advisory contains OpenShift Virtualization 4.13.4 images.

Security Fix(es):

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* USB-redirection regression (BZ#2221220)

* DataImportCron DVs do not respond to default storage class being set
(BZ#2232347)

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258
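A quick way to confirm that a cluster has actually picked up this release is to compare the installed HyperConverged Cluster Operator version against 4.13.4. The script below is an added example, not part of the advisory or of Red Hat's tooling. It assumes (not stated on this page) that the operator's ClusterServiceVersion is named kubevirt-hyperconverged-operator.v<version> in the openshift-cnv namespace; the table it parses is a constructed sample in the shape of `oc get csv` output, so it runs offline.

```shell
#!/bin/sh
# Added example (not from RHSA-2023:5233): report whether the installed
# OpenShift Virtualization operator is older than the 4.13.4 release.
# Assumption: the operator CSV is named kubevirt-hyperconverged-operator.v<ver>.

FIXED_VERSION="4.13.4"

# Constructed sample of `oc get csv -n openshift-cnv` output (not real cluster data).
SAMPLE_CSV_TABLE='NAME                                       DISPLAY                    VERSION   PHASE
kubevirt-hyperconverged-operator.v4.13.3   OpenShift Virtualization   4.13.3    Succeeded
some-other-operator.v1.2.3                 Something Else             1.2.3     Succeeded'

# version_lt A B: returns 0 (true) when dotted version A is strictly lower than B.
# Compares major.minor.patch numerically; a missing component counts as 0.
version_lt() {
    n=1
    while [ "$n" -le 3 ]; do
        ai=$(printf '%s\n' "$1" | cut -d. -f"$n")
        bi=$(printf '%s\n' "$2" | cut -d. -f"$n")
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        n=$((n + 1))
    done
    return 1
}

# check_csv_table: reads an `oc get csv` table on stdin and prints one line per
# OpenShift Virtualization CSV saying whether it is at or above FIXED_VERSION.
# Header and unrelated operators are skipped.
check_csv_table() {
    while read -r name _rest; do
        case "$name" in
            kubevirt-hyperconverged-operator.v*) ;;
            *) continue ;;
        esac
        ver=${name#kubevirt-hyperconverged-operator.v}
        if version_lt "$ver" "$FIXED_VERSION"; then
            printf '%s NEEDS-UPDATE (installed %s < %s)\n' "$name" "$ver" "$FIXED_VERSION"
        else
            printf '%s OK (installed %s)\n' "$name" "$ver"
        fi
    done
}

# Offline demonstration on the constructed sample. Against a live cluster run:
#   oc get csv -n openshift-cnv | check_csv_table
printf '%s\n' "$SAMPLE_CSV_TABLE" | check_csv_table
```

The version comparison is done field by field rather than with `sort -V` so the script behaves the same on minimal images that ship a non-GNU `sort`.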

4. Bugs fixed ( https://bugzilla.redhat.com/):

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2221220 - USB-redirection regression
2232347 - DataImportCron DVs do not respond to default storage class being set

5. References:

https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2023-1637
https://access.redhat.com/security/cve/CVE-2023-2602
https://access.redhat.com/security/cve/CVE-2023-2603
https://access.redhat.com/security/cve/CVE-2023-3354
https://access.redhat.com/security/cve/CVE-2023-3390
https://access.redhat.com/security/cve/CVE-2023-3610
https://access.redhat.com/security/cve/CVE-2023-3776
https://access.redhat.com/security/cve/CVE-2023-3899
https://access.redhat.com/security/cve/CVE-2023-4004
https://access.redhat.com/security/cve/CVE-2023-4147
https://access.redhat.com/security/cve/CVE-2023-20593
https://access.redhat.com/security/cve/CVE-2023-21102
https://access.redhat.com/security/cve/CVE-2023-30630
https://access.redhat.com/security/cve/CVE-2023-31248
https://access.redhat.com/security/cve/CVE-2023-34969
https://access.redhat.com/security/cve/CVE-2023-35001
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is secalert@redhat.com. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.