- Issued:
- 2023-06-05
- Updated:
- 2023-06-05
RHSA-2023:3450 - Security Advisory
Synopsis
Moderate: OpenShift Serverless Client kn 1.29.0 release
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
OpenShift Serverless 1.29.0 has been released. The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.
Description
Red Hat OpenShift Serverless Client kn 1.29.0 provides a CLI to interact with Red Hat OpenShift Serverless 1.29.0. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms.
This release includes security and bug fixes, and enhancements.
Security Fixes in this release include:
- containerd: Supplementary groups are not set up properly(CVE-2023-25173)
- golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding(CVE-2022-41723)
- golang: net/http, mime/multipart: denial of service from excessive resource consumption(CVE-2022-41725)
- golang: crypto/tls: large handshake records may cause panics(CVE-2022-41724)
- golang: html/template: backticks not treated as string delimiters(CVE-2023-24538)
- golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption(CVE-2023-24536)
- golang: net/http, net/textproto: denial of service from excessive memory allocation(CVE-2023-24534)
- golang: go/parser: Infinite loop in parsing(CVE-2023-24537)
For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information refer to the CVE pages linked in the References section.
Solution
For instructions on how to install and use OpenShift Serverless, see documentation linked from the References section.
Affected Products
- Red Hat Openshift Serverless 1 x86_64
- Red Hat OpenShift Serverless for IBM Power, little endian 1 ppc64le
- Red Hat OpenShift Serverless for IBM Z and LinuxONE 1 s390x
Fixes
- BZ - 2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly
- BZ - 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
- BZ - 2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
- BZ - 2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
- BZ - 2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters
- BZ - 2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
- BZ - 2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
- BZ - 2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
- BZ - 2185511 - Release of Openshift Serverless Client 1.29.0
CVEs
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index
- https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index
- https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index
- https://access.redhat.com/documentation/en-us/openshift_container_platform/4.13/html/serverless/index
Red Hat Openshift Serverless 1
SRPM | |
---|---|
openshift-serverless-clients-1.8.1-3.el8.src.rpm | SHA-256: cd82efc227cd2fc5b3b14fe36ef2cbd9e3831d7ea436e859d85a257bd302f159 |
x86_64 | |
openshift-serverless-clients-1.8.1-3.el8.x86_64.rpm | SHA-256: 3fba883fb30ffbef535a71c26b06e424d7dc1d3f090917fe279efb48af985bab |
Red Hat OpenShift Serverless for IBM Power, little endian 1
SRPM | |
---|---|
openshift-serverless-clients-1.8.1-3.el8.src.rpm | SHA-256: cd82efc227cd2fc5b3b14fe36ef2cbd9e3831d7ea436e859d85a257bd302f159 |
ppc64le | |
openshift-serverless-clients-1.8.1-3.el8.ppc64le.rpm | SHA-256: 6127a767cd195f87d634807b21466cb6939a894a0d0fe22a62734625da044853 |
Red Hat OpenShift Serverless for IBM Z and LinuxONE 1
SRPM | |
---|---|
openshift-serverless-clients-1.8.1-3.el8.src.rpm | SHA-256: cd82efc227cd2fc5b3b14fe36ef2cbd9e3831d7ea436e859d85a257bd302f159 |
s390x | |
openshift-serverless-clients-1.8.1-3.el8.s390x.rpm | SHA-256: f115bbbe45c3fcc35895f804bb03a2b0892f30324712a8bc216bdaeae4534ef7 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.