- Issued: 2025-12-15
- Updated: 2025-12-16
RHSA-2025:23206 - Security Advisory
Synopsis
Important: Red Hat OpenShift GitOps v1.17.3 security update
Type/Severity
Security Advisory: Important
Topic
Important: Red Hat OpenShift GitOps v1.17.3 security update
Description
An update is now available for Red Hat OpenShift GitOps.
Bug Fix(es) and Enhancement(s):
- GITOPS-8116 (CVE-2024-45338 openshift-gitops-dex-container: Non-linear parsing of case-insensitive content in golang.org/x/net/html [gitops-1.17])
- GITOPS-7608 (Redis HA pods are taking longer than expected to come up)
- GITOPS-7789 (Version override in ArgoCD CR causes operator to use upstream images)
- GITOPS-7844 (GitOpsService controller creates default ArgoCD with v1alpha1 api version)
- GITOPS-8019 (CVE-2025-49844 - Vulnerability with Redis)
- GITOPS-8033 (openshift-gitops-redis-ha-haproxy deployment fails to rollout with 3 worker nodes)
- GITOPS-8142 (CVE-2024-45337 reported by RHACS for OpenShift GitOps Operator v1.18.1 (ArgoCD-based) due to outdated git-lfs binary, dependency update required to remove false positive.)
- GITOPS-8152 (ArgoCD CR Reconciliation fails if spec.applicationSet.webhookServer.route.enabled is set to true)
Post-Upgrade Action Required: Audit GitOps Operator Roles
Following this upgrade, we strongly recommend you run the provided audit script to review namespace-scoped access.
- The script identifies Roles/RoleBindings that grant cross-namespace access for the GitOps operator's features (created via .spec.sourceNamespaces).
- Run it to verify and confirm that only the intended namespaces have cross-namespace access to deploy applications.
For more details, refer to:
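An added illustration of the check described above, not the audit script Red Hat provides and not project code: it flags RoleBindings whose ServiceAccount subject lives in a GitOps namespace other than the binding's own namespace, then lists the namespaces that are not on an intended list. The `openshift-gitops` namespace, the intended list and every object name in the sample are assumptions.

```python
# Added example: flag RoleBindings that let a GitOps ServiceAccount act in another namespace.
# Constructed sample shaped like `oc get rolebindings -A -o json` output; all names are made up.
SAMPLE = {"items": [
    {"metadata": {"name": "example-argocd", "namespace": "team-a"},
     "roleRef": {"kind": "Role", "name": "example-argocd"},
     "subjects": [{"kind": "ServiceAccount", "name": "example-controller",
                   "namespace": "openshift-gitops"}]},
    {"metadata": {"name": "example-argocd", "namespace": "team-b"},
     "roleRef": {"kind": "Role", "name": "example-argocd"},
     "subjects": [{"kind": "ServiceAccount", "name": "example-controller",
                   "namespace": "openshift-gitops"}]},
    {"metadata": {"name": "local-binding", "namespace": "openshift-gitops"},
     "roleRef": {"kind": "Role", "name": "local-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "example-controller",
                   "namespace": "openshift-gitops"}]},
    {"metadata": {"name": "dev-edit", "namespace": "team-c"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]}


def cross_namespace_grants(rolebindings, gitops_namespaces):
    """Return one finding per RoleBinding subject that is a ServiceAccount from a
    GitOps namespace bound in a different (target) namespace."""
    findings = []
    for rb in rolebindings.get("items", []):
        meta = rb.get("metadata", {})
        target = meta.get("namespace")
        ref = rb.get("roleRef", {})
        for subj in rb.get("subjects") or []:  # subjects may be absent or null
            if subj.get("kind") != "ServiceAccount":
                continue
            source = subj.get("namespace")
            if source in gitops_namespaces and source != target:
                findings.append({"namespace": target, "binding": meta.get("name"),
                                 "role": f'{ref.get("kind")}/{ref.get("name")}',
                                 "subject": f'{source}/{subj.get("name")}'})
    return findings


def unintended_namespaces(findings, intended):
    """Namespaces with cross-namespace access that are not on the intended list."""
    return sorted({f["namespace"] for f in findings} - set(intended))


if __name__ == "__main__":
    found = cross_namespace_grants(SAMPLE, {"openshift-gitops"})
    for f in found:
        print(f'{f["namespace"]}: {f["binding"]} -> {f["role"]} for {f["subject"]}')
    print("review:", unintended_namespaces(found, intended=["team-a"]))
```

To run it against a cluster, load the JSON from `oc get rolebindings -A -o json` in place of `SAMPLE` and pass the namespaces you listed in `.spec.sourceNamespaces` as the intended list.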
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
Fixes
- GITOPS-7608
- GITOPS-7789
- GITOPS-7844
- GITOPS-8019
- GITOPS-8033
- GITOPS-8142
- GITOPS-8152
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.