Issued:: 2024-07-01
Updated:: 2024-07-01

RHSA-2024:3617 - Security Advisory

Overview
Updated Images

Synopsis

Moderate: Kube Descheduler Operator for Red Hat OpenShift 5.0.1 for RHEL 9

Type/Severity

Security Advisory: Moderate

Topic

Kube Descheduler Operator for Red Hat OpenShift 5.0.1 for RHEL 9

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Description

The Kube Descheduler Operator for Red Hat OpenShift is an optional
operator that deploys the descheduler, which is responsible for
evicting pods based on certain strategies.

Security Fix(es):

golang: html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785)
golang: net/mail: comments in display names are incorrectly handled (CVE-2024-24784)
golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)
golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)
golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Affected Products

Kube Descheduler Operator 5 x86_64

Fixes

BZ - 2268017 - CVE-2023-45290 golang: net/http: memory exhaustion in Request.ParseMultipartForm
BZ - 2268019 - CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm
BZ - 2268021 - CVE-2024-24784 golang: net/mail: comments in display names are incorrectly handled
BZ - 2268022 - CVE-2024-24785 golang: html/template: errors returned from MarshalJSON methods may break template escaping
BZ - 2268046 - CVE-2024-24786 golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON
WRKLDS-1059 - 07- [KDO 5.0.1] GA Release

CVEs

References

https://access.redhat.com/security/updates/classification/#moderate

aarch64

kube-descheduler-operator/descheduler-rhel9@sha256:664515e8e38df2bb2cb751e8c0870a1bcbbaf46e4feca86002b225c98610a40d

kube-descheduler-operator/kube-descheduler-operator-bundle@sha256:e4806d2fb547a29e2d33c8c6b2dd7ba2d0c3f23074384884b488077a19aa0bab

kube-descheduler-operator/kube-descheduler-rhel9-operator@sha256:0164ab8191aef77765861c677ab8c62ea648468e5be8283652b8200688e9cf35

ppc64le

kube-descheduler-operator/descheduler-rhel9@sha256:941359511dc5c78eada7f13f5800cb831bb00924e8007adf93201371f522ab6f

kube-descheduler-operator/kube-descheduler-operator-bundle@sha256:5041af3cc040d3e550599e6436bfddd1f449338bb54705273afbc8c4a0dde360

kube-descheduler-operator/kube-descheduler-rhel9-operator@sha256:e60edf5aa0893cba72988c09ae340619accd37a7b171e2af873de37c44f449ac

s390x

kube-descheduler-operator/descheduler-rhel9@sha256:62da135a18b602beeef94dcf035d637b149206d017c83d7d630c5001795e1df0

kube-descheduler-operator/kube-descheduler-operator-bundle@sha256:ef62663d2e7fd44ea7705fc60471bfe504522c22e565fb975617eb0f03a2e821

kube-descheduler-operator/kube-descheduler-rhel9-operator@sha256:442e22a6292d7696a69d650f7e2f3873a3c3b947f70ccf16b97b70a2f6a7c9b8

x86_64

kube-descheduler-operator/descheduler-rhel9@sha256:587190a7b65ea56ce257ae486c0faa6616290fa39f81431359dc2b2d78521b4b

kube-descheduler-operator/kube-descheduler-operator-bundle@sha256:b26e5ebec8ffcfaf18c8c4acb8c25a71318ea7d3b372c9e3e170b6026a681a89

kube-descheduler-operator/kube-descheduler-rhel9-operator@sha256:93cca62bc492bb590667231b26eb5dd0b2c03d866e3035729029ad4bd7a2d351

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation