- Issued:
- 2025-12-15
- Updated:
- 2025-12-15
RHSA-2025:23206 - Security Advisory
Synopsis
Important: Red Hat OpenShift GitOps v1.17.3 security update **Post-Upgrade Action Required: Audit GitOps Operator Roles** Following this upgrade, we strongly recommend you run the provided audit script to review namespace-scoped access. * The script identifies Roles/RoleBindings that grant cross-namespace access for the GitOps operator's features (created via .spec.sourceNamespaces). * Run it to verify and confirm that only the intended namespaces have cross-namespace access to deploy applications. For more details, refer to : - https://github.com/redhat-developer/gitops-operator/tree/master/scripts/audit-namespace-roles
Type/Severity
Security Advisory: Important
Topic
Important: Red Hat OpenShift GitOps v1.17.3 security update
Description
An update is now available for Red Hat OpenShift GitOps.
Bug Fix(es) and Enhancement(s):
- GITOPS-8116 (CVE-2024-45338 openshift-gitops-dex-container: Non-linear parsing of case-insensitive content in golang.org/x/net/html [gitops-1.17])
- GITOPS-7608 (Redis HA pods are taking longer than expected to come up)
- GITOPS-7789 (Version override in ArgoCD CR causes operator to use upstream images)
- GITOPS-7844 (GitOpsService controller creates default ArgoCD with v1alpha1 api version)
- GITOPS-8019 (CVE-2025-49844 - Vulnerability with Redis)
- GITOPS-8033 (openshift-gitops-redis-ha-haproxy deployment fails to rollout with 3 worker nodes)
- GITOPS-8142 (CVE-2024-45337 reported by RHACS for OpenShift GitOps Operator v1.18.1 (ArgoCD-based) due to outdated git-lfs binary, dependency update required to remove false positive.)
- GITOPS-8152 (ArgoCD CR Reconciliation fails if spec.applicationSet.webhookServer.route.enabled is set to true)
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
Fixes
- https://issues.redhat.com/browse/GITOPS-7608
- https://issues.redhat.com/browse/GITOPS-7789
- https://issues.redhat.com/browse/GITOPS-7844
- https://issues.redhat.com/browse/GITOPS-8019
- https://issues.redhat.com/browse/GITOPS-8033
- https://issues.redhat.com/browse/GITOPS-8142
- https://issues.redhat.com/browse/GITOPS-8152
amd64
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:cf7438a5cf8a56eb937cf7a7e6fbd0430837b5e9376c4ad1c1ea44ae8c35c3a4 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:ed4f5d2f4be89dacb91eb072fd06065d1c4a3bbe95a779f15910913a2c01b8bf |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:b3de65128344dffd9b0c6007e0118bed2976a3273b272e96cdac6d0265bdb68d |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:9edc4f6b0da4723b4ae2e18846ce44596204ccd5413cd6af2b3da62c028962ff |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:27a6b27b8fa043d8f7be96c526ef0d361bedda1957eae7a464549e7fa4f4d90c |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:68c54254b55558f7a59a419757c3706c11c72b65126427c5d070472e8c49f445 |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:a4876418208983e14da1e0434ded22043e1880bf1bb5e60c0cea6295a772eac8 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:67ff57f12a92a4db8abb9cc73511c576e5099d2583c06ea00485f3a676f6fac6 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:27e7a59bb5c5f60be7509e5f4f07f4181d62e6583a943c46f56f568bfc30c2c1 |
| registry.redhat.io/openshift-gitops-1/gitops-operator-bundle@sha256:e1101b02df32a56a9aec80639372248b72963240dc86add446d0d07da65baca7 |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:fd3749bec7e58fd10a7d0b6978e3d0def6c59be0b512295c307b2cdd3c5750a9 |
arm64
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:a120d2036e7647b266f5cb1caa22f08a6e7c7241ab4073461fd61fdc51a43e4c |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:29ac3485b2753099dc2ce4bd9f0d433fd007eb80b19949e6084617d5e4c8401c |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:090423a7278d01ebbf7ed048dea9c7e33dcaf36ab5fd37aeb8ebf9832a98ee35 |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:f602e146b76cd3c1f40d19f2b10cb9a9a09de8a58b637d054fe509c3d3c848f4 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:2fa2d758167075121d90193a20c6133f6b956b97d60ff149c48139e382c5e240 |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:ef45471b5e81bfa5f3b61f2e6159ec863ad8de3af2faf78d6efa229d8ee7708d |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:5f18539d5ffc19d3525321bee95ea2da33de174c20debfb28e42bee1a8008df4 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:388bf4b92ce9e6e277051071237527315a16543e8f9d4bca348dd412d379e0fa |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:a6f0914b6ea70a3a1dde9614eb388401722fcd9c8c25f5f147728eaa065db0d2 |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:698bca4c445cd82d6f27fd23f3fe45248d8e4ae191969823c847abd4064fbfef |
ppc64le
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:8c3785cd1c2aabe85c1f447a82583c56860f6a88ad108985338d334cd29e187d |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:6a51fa2984a09ab535a4a642e037dbe4d749b0c287001d73867f36af15fdedf6 |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:f7c8a44e27576faeb89037a79b1e175a66d7ad895ecc001f224c45c59bcc9529 |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:8d8eea444b653ab2ba3b252fe996d7775d457cd09cfa384f0fa3a51fe4576a5c |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:b2886641771b90438b0a68d865a628b532fb22355693248c5689bb4de397e6f6 |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:90b53754882f44c06f1736dee31266e6d3b84a35b88d4211b4816d56b92453fa |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:9ae4f68d8ac57af106a20674dddbaaf7c273aab5b359d1a3cfa7c6e498d0615a |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:f43dab8ced42b0f2babd0e7ed3653cba19bddf89beb355cd4c93ab41c31c6db9 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:2d228a645c52e829db1b0078458fb2ae0685a444c4a47bca01ef18dbc00e5d0c |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:7a4be5cc0287daf4f85a5db3fc8a63cd99dd1e4ea69c40711e38cc2ce5ccc393 |
s390x
| registry.redhat.io/openshift-gitops-1/argo-rollouts-rhel8@sha256:ebd9f980835a823bbf1e776a0460302fba6fc1c00410046293d5b3e3757ff966 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:33b21324dcd8deaa69ca27e256c32269b9c8520c8f841a65369b99f40867fb39 |
| registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8@sha256:fbc0820ef3ea0ddc7aa0a32e8556847966b98bf5563aee25d9d5b9dba0563b56 |
| registry.redhat.io/openshift-gitops-1/argocd-extensions-rhel8@sha256:a3fadba4ca091be88f26efb8d6fb4298e94c89c5473171277369d87972587df3 |
| registry.redhat.io/openshift-gitops-1/argocd-rhel9@sha256:111d349469f89ce6d1d3678d26f195e2aabfc06d10c46095be671b0fd0c28e95 |
| registry.redhat.io/openshift-gitops-1/console-plugin-rhel8@sha256:c4a07e270cb2f8b9136be341923575c7c6a533010d2053f6fdbc7aec48e29bca |
| registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:7f305f88b076e660cf4329f995cf6a6b12ef5ae325580004580d0c6f0ecf569e |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:27a35a4c154e6f3242fcf4606eff4142fce91b1ec6342b7682350cf256120fe2 |
| registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:bc60496d801c19d81020a2f614be34987a603d2ff3d149e58ab4680f6d5e93dd |
| registry.redhat.io/openshift-gitops-1/must-gather-rhel8@sha256:8dfee8533b4cee4381f522b3b58d66a869c9fe5a919c3cb0226fdcd3d44c061b |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
