- Issued: 2023-11-01
- Updated: 2023-11-01
RHSA-2023:6154 - Security Advisory
Synopsis
Important: Secondary Scheduler Operator for Red Hat OpenShift 1.2.0
Type/Severity
Security Advisory: Important
Topic
Secondary Scheduler Operator for Red Hat OpenShift 1.2.0
Description
The Secondary Scheduler Operator for Red Hat OpenShift is an optional
operator that makes it possible to deploy a secondary scheduler by
providing a scheduler image. You can run a scheduler with custom
plugins without applying additional manifests, such as cluster roles
and deployments.
Security Fix(es):
- golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325)
- HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (CVE-2023-44487)
- golang: html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318)
- golang: html/template: improper handling of special tags within script contexts (CVE-2023-39319)
- golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)
- golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- Secondary Scheduler Operator for Red Hat OpenShift (OSSO) 1 for RHEL 8 x86_64
Fixes
- BZ - 2237773 - CVE-2023-39319 golang: html/template: improper handling of special tags within script contexts
- BZ - 2237776 - CVE-2023-39318 golang: html/template: improper handling of HTML-like comments within script contexts
- BZ - 2237777 - CVE-2023-39321 golang: crypto/tls: panic when processing post-handshake message on QUIC connections
- BZ - 2237778 - CVE-2023-39322 golang: crypto/tls: lack of a limit on buffered post-handshake
- BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
- BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
- WRKLDS-779 - New OSSO 1.2.0 release
CVEs
x86_64
- openshift-secondary-scheduler-operator/secondary-scheduler-operator-bundle@sha256:775e1822637d308859c4eff42d7b09c949610430ff27cf08d01d41e44cbac2ff
- openshift-secondary-scheduler-operator/secondary-scheduler-operator-rhel8@sha256:864b263c4dfee9c6144a910f59b6155d20fb48f49f0490efb5d14d383ba2bb84
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.