Red Hat Product Errata RHSA-2025:0656 - Security Advisory
Issued:
2025-01-28
Updated:
2025-01-28

RHSA-2025:0656 - Security Advisory

Synopsis

Important: OpenShift Container Platform 4.17.14 packages and security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Red Hat OpenShift Container Platform release 4.17.14 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.17.

Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.17.14. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2025:0656

Security Fix(es):

  • jinja2: Jinja has a sandbox breakout through malicious filenames

(CVE-2024-56201)

  • jinja2: Jinja has a sandbox breakout through indirect reference to format

method (CVE-2024-56326)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.17 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.17/updating/updating_a_cluster/updating-cluster-cli.html

Solution

For OpenShift Container Platform 4.17 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.17/release_notes/ocp-4-17-release-notes.html

Affected Products

  • Red Hat OpenShift Container Platform 4.17 for RHEL 9 x86_64
  • Red Hat OpenShift Container Platform 4.17 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform for Power 4.17 for RHEL 9 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.17 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.17 for RHEL 9 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.17 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.17 for RHEL 9 aarch64
  • Red Hat OpenShift Container Platform for ARM 64 4.17 for RHEL 8 aarch64

Fixes

  • BZ - 2333854 - CVE-2024-56201 jinja2: Jinja has a sandbox breakout through malicious filenames
  • BZ - 2333856 - CVE-2024-56326 jinja2: Jinja has a sandbox breakout through indirect reference to format method

Red Hat OpenShift Container Platform 4.17 for RHEL 9

SRPM
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el9.src.rpm SHA-256: 63b111248ec92bd9545069c9a18992c15426a6156054fbbb3ef19ed9570d8d71
x86_64
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el9.x86_64.rpm SHA-256: fa27776ac62a6d4bf9aba8542db03618bb9439251b08bcdd97fd25ef3587538e
cri-o-debuginfo-1.30.9-3.rhaos4.17.gitbbf9018.el9.x86_64.rpm SHA-256: 40112f778448ba5f02e202d7745f865dcb3153fa21a509759b02a9e908f59f64
cri-o-debugsource-1.30.9-3.rhaos4.17.gitbbf9018.el9.x86_64.rpm SHA-256: 4a3698f45ea1ee28e98e6d36026e0431a17aa4b42576bcb11eb0f6fdc1ac6417

Red Hat OpenShift Container Platform 4.17 for RHEL 8

SRPM
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el8.src.rpm SHA-256: a09271117d1aaaf15ac51e8779fdb7be06384b6191424aeda03551e6495868fd
x86_64
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el8.x86_64.rpm SHA-256: 8a0c1495eb35a7ae69d93ff7fab44c17696bae5675100fe66acf536fcff80411
cri-o-debuginfo-1.30.9-3.rhaos4.17.gitbbf9018.el8.x86_64.rpm SHA-256: 1730e95d7caafc81e4c900265a0fc4e2bfb16be7acabcc2923d2f01b9c158632
cri-o-debugsource-1.30.9-3.rhaos4.17.gitbbf9018.el8.x86_64.rpm SHA-256: c402a483aff0dc6d903bf93e78fce5416ae7cd0c1064a7df1d9309933e6e9aff

Red Hat OpenShift Container Platform for Power 4.17 for RHEL 9

SRPM
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el9.src.rpm SHA-256: 63b111248ec92bd9545069c9a18992c15426a6156054fbbb3ef19ed9570d8d71
ppc64le
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el9.ppc64le.rpm SHA-256: 50f22ab3c8768dcbc31d32e57ce28fb5bfb1060bd1ab6b5c37ce347ca54f57c1
cri-o-debuginfo-1.30.9-3.rhaos4.17.gitbbf9018.el9.ppc64le.rpm SHA-256: be50432e3e56c9ca791722000c10768659ef6f705bd49d9d186b7093f12cc0c5
cri-o-debugsource-1.30.9-3.rhaos4.17.gitbbf9018.el9.ppc64le.rpm SHA-256: 049fb1a5cb0f54fcff7b6313365cb72e3506697ab7cc45a3af1462929a716e6a

Red Hat OpenShift Container Platform for Power 4.17 for RHEL 8

SRPM
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el8.src.rpm SHA-256: a09271117d1aaaf15ac51e8779fdb7be06384b6191424aeda03551e6495868fd
ppc64le
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el8.ppc64le.rpm SHA-256: 67dc9587861ce90dc37f3ad32de76eceb33713c7b2d3774025edf1d0f3524e9b
cri-o-debuginfo-1.30.9-3.rhaos4.17.gitbbf9018.el8.ppc64le.rpm SHA-256: 0d8de2be8b93ef779c1871946b277672724e57130f73443e063c1f7338eda126
cri-o-debugsource-1.30.9-3.rhaos4.17.gitbbf9018.el8.ppc64le.rpm SHA-256: 4ddc3ae892b90572f20a2feb2b011582790643cc967c6188c1162d0409f0351e

Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.17 for RHEL 9

SRPM
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el9.src.rpm SHA-256: 63b111248ec92bd9545069c9a18992c15426a6156054fbbb3ef19ed9570d8d71
s390x
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el9.s390x.rpm SHA-256: b23e5765cdebb85911b938223cb361b2ad43e4f2cbe574c6e9871116965b452f
cri-o-debuginfo-1.30.9-3.rhaos4.17.gitbbf9018.el9.s390x.rpm SHA-256: 6dbf4faa0ef4197bd4265c9adf689d28af5c337a9379cf177e39e4096bc49aea
cri-o-debugsource-1.30.9-3.rhaos4.17.gitbbf9018.el9.s390x.rpm SHA-256: fa4abf44b2e66f0b7ba99af8cd361ade7dff74860437956cbce19efc12a11dbc

Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.17 for RHEL 8

SRPM
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el8.src.rpm SHA-256: a09271117d1aaaf15ac51e8779fdb7be06384b6191424aeda03551e6495868fd
s390x
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el8.s390x.rpm SHA-256: 7f258382362106ba3af4fe8457f4a4b8d1e47908192a674c2ab2374eccf83a69
cri-o-debuginfo-1.30.9-3.rhaos4.17.gitbbf9018.el8.s390x.rpm SHA-256: 7e42c69a369f3f4d0066d3e9b00acd3ea4fa4a366c895a9e38c1f870bb12033a
cri-o-debugsource-1.30.9-3.rhaos4.17.gitbbf9018.el8.s390x.rpm SHA-256: 3ae63fae467f3c3e259ceebfe4fb3253a7f3aef409b3a778de568e5bcf99c48d

Red Hat OpenShift Container Platform for ARM 64 4.17 for RHEL 9

SRPM
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el9.src.rpm SHA-256: 63b111248ec92bd9545069c9a18992c15426a6156054fbbb3ef19ed9570d8d71
aarch64
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el9.aarch64.rpm SHA-256: bf5be1d15fcb8eab90e270312c3daa1197be23b252edfa5f8ca84fbb3724f5aa
cri-o-debuginfo-1.30.9-3.rhaos4.17.gitbbf9018.el9.aarch64.rpm SHA-256: 9d50d156ca603be589327c5ef471a33a5e993cf09506677dbd851914fe047a4b
cri-o-debugsource-1.30.9-3.rhaos4.17.gitbbf9018.el9.aarch64.rpm SHA-256: 6ae90da196c0e3825be11d9605969faa8c24c4fc7be90bc6d74ba9220898ffd1

Red Hat OpenShift Container Platform for ARM 64 4.17 for RHEL 8

SRPM
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el8.src.rpm SHA-256: a09271117d1aaaf15ac51e8779fdb7be06384b6191424aeda03551e6495868fd
aarch64
cri-o-1.30.9-3.rhaos4.17.gitbbf9018.el8.aarch64.rpm SHA-256: 96023bb62a32d5cb74a682fd006169da0184913b1581103b88822526cbbe6fa1
cri-o-debuginfo-1.30.9-3.rhaos4.17.gitbbf9018.el8.aarch64.rpm SHA-256: 94f9233fe469295b41bde56a267fb985798ea4b3c86810b2add36f3c1a85484b
cri-o-debugsource-1.30.9-3.rhaos4.17.gitbbf9018.el8.aarch64.rpm SHA-256: 6f12377c93f82ff734dbaa54fb79ffea21ae7539f60032afb203560ebed5af86

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.