Issued:: 2022-08-10
Updated:: 2022-08-10

RHSA-2022:6042 - Important: Release of OpenShift Serverless Client kn 1.24.0

Synopsis

Important: Release of OpenShift Serverless Client kn 1.24.0

Type/Severity

Security Advisory Important

Topic

Release of OpenShift Serverless Client kn 1.24.0

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Serverless Client kn 1.24.0 provides a CLI to interact with Red Hat OpenShift Serverless 1.24.0. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms.

Security Fix(es):

prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
go-restful: Authorization Bypass Through User-Controlled Key (CVE-2022-1996)
golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
golang: regexp: stack exhaustion via a deeply nested expression (CVE-2022-24921)
golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)
golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)

For more details about the security issue(s), including the impact; a CVSS score; acknowledgments; and other related information refer to the CVE page(s) listed in the References section.

Solution

See the Red Hat OpenShift Container Platform 4.6 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index See the Red Hat OpenShift Container Platform 4.7 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index See the Red Hat OpenShift Container Platform 4.8 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index See the Red Hat OpenShift Container Platform 4.9 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index See the Red Hat OpenShift Container Platform 4.10 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index

Affected Products

Product	Version	Arch
Red Hat Openshift Serverless	1	x86_64
Red Hat OpenShift Serverless for IBM Z and LinuxONE	1	s390x
Red Hat OpenShift Serverless for IBM Power, little endian	1	ppc64le

Updated Packages

openshift-serverless-clients-1.3.1-4.el8.ppc64le.rpm
openshift-serverless-clients-1.3.1-4.el8.x86_64.rpm
openshift-serverless-clients-1.3.1-4.el8.s390x.rpm
openshift-serverless-clients-1.3.1-4.el8.src.rpm

Fixes

CVEs

References

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.