红帽产品勘误 RHSA-2021:3556 - Security Advisory
发布:
2021-09-16
已更新:
2021-09-16

RHSA-2021:3556 - Security Advisory

概述

Moderate: Release of OpenShift Serverless 1.17.0

类型/严重性

Security Advisory: Moderate

标题

Release of OpenShift Serverless 1.17.0

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

描述

Red Hat OpenShift Serverless 1.17.0 release of the OpenShift Serverless
Operator. This version of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7 and 4.8, and includes security and bug fixes and enhancements. For more information, see the documentation listed in the References section.

Security Fix(es):

  • golang: crypto/tls: certificate of wrong type is causing TLS client to panic

(CVE-2021-34558)

  • golang: net: lookup functions may return invalid host names (CVE-2021-33195)
  • golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
  • golang: match/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
  • golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader (CVE-2021-27918)
  • golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)
  • golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196)

It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless client kn 1.16.0. This has been fixed (CVE-2021-3703).

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

解决方案

See the Red Hat OpenShift Container Platform 4.6 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index See the Red Hat OpenShift Container Platform 4.7 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index See the Red Hat OpenShift Container Platform 4.8 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index

受影响的产品

  • Red Hat Openshift Serverless 1 for RHEL 8 x86_64

修复

  • BZ - 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
  • BZ - 1983651 - Release of OpenShift Serverless Serving 1.17.0
  • BZ - 1983654 - Release of OpenShift Serverless Eventing 1.17.0
  • BZ - 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
  • BZ - 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
  • BZ - 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
  • BZ - 1992955 - CVE-2021-3703 serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196

Red Hat 安全团队联络方式为 secalert@redhat.com。 更多联络细节请参考 https://access.redhat.com/security/team/contact/