RHSA-2025:23207 - Security Advisory

Topic

Important: Red Hat OpenShift GitOps v1.16.5 security update

Description

An update is now available for Red Hat OpenShift GitOps.
Bug Fix(es) and Enhancement(s):

• GITOPS-8116 (CVE-2024-45338 openshift-gitops-dex-container: Non-linear parsing of case-insensitive content in golang.org/x/net/html [gitops-1.17])
• GITOPS-8019 (CVE-2025-49844 - Vulnerability with Redis)
• GITOPS-8142 (CVE-2024-45337 reported by RHACS for OpenShift GitOps Operator v1.18.1 (ArgoCD-based) due to outdated git-lfs binary, dependency update required to remove false positive.)
• *Post-Upgrade Action Required: Audit GitOps Operator Roles**

Following this upgrade, we strongly recommend you run the provided audit script to review namespace-scoped access.

• The script identifies Roles/RoleBindings that grant cross-namespace access for the GitOps operator's features (created via .spec.sourceNamespaces).
• Run it to verify and confirm that only the intended namespaces have cross-namespace access to deploy applications.

For more details, refer to :

• https://github.com/redhat-developer/gitops-operator/tree/master/scripts/audit-namespace-roles

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Fixes

• https://issues.redhat.com/browse/GITOPS-8019
• https://issues.redhat.com/browse/GITOPS-8142

CVEs

• CVE-2024-45337
• CVE-2024-45338
• CVE-2025-13888
• CVE-2025-49844

References

• https://access.redhat.com/security/updates/classification/
• https://docs.redhat.com/en/documentation/red_hat_openshift_gitops/1.16/
• https://github.com/redhat-developer/gitops-operator/tree/master/scripts/audit-namespace-roles