RHSA-2024:4023 - Security Advisory

Topic

Red Hat openshift-serverless-clients kn 1.33.0 is now available.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Description

Red Hat OpenShift Serverless Client kn 1.33.0 provides a CLI to interact with
Red Hat OpenShift Serverless 1.33.0. The kn CLI is delivered as an RPM package
for installation on RHEL platforms, and as binaries for non-Linux platforms.

This release includes security, bug fixes, and enhancements.

Security Fix(es):

• golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)
• golang: html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785)
• golang: net/mail: comments in display names are incorrectly handled (CVE-2024-24784)
• golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)
• golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (CVE-2023-45289)
• golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)

A Red Hat Security Bulletin, which addresses further details about the Rapid
Reset flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

See the Red Hat OpenShift serverless 1 documentation at:
https://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1

Affected Products

• Red Hat Openshift Serverless 1 x86_64
• Red Hat OpenShift Serverless for IBM Power, little endian 1 ppc64le
• Red Hat OpenShift Serverless for IBM Z and LinuxONE 1 s390x
• Red Hat Openshift Serverless for ARM 1 aarch64

Fixes

• BZ - 2268017 - CVE-2023-45290 golang: net/http: memory exhaustion in Request.ParseMultipartForm
• BZ - 2268018 - CVE-2023-45289 golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
• BZ - 2268019 - CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm
• BZ - 2268021 - CVE-2024-24784 golang: net/mail: comments in display names are incorrectly handled
• BZ - 2268022 - CVE-2024-24785 golang: html/template: errors returned from MarshalJSON methods may break template escaping
• BZ - 2268273 - CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
• BZ - 2277862 - Release of Openshift Serverless Client 1.33.0

CVEs

• CVE-2023-45288
• CVE-2023-45289
• CVE-2023-45290
• CVE-2024-24783
• CVE-2024-24784
• CVE-2024-24785

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1