Issued:

2022-09-01

Updated:

2022-09-01

RHSA-2022:6152 - Important: Secondary Scheduler Operator for Red Hat OpenShift 1.1.0 security update

Synopsis

Important: Secondary Scheduler Operator for Red Hat OpenShift 1.1.0 security update

Type/Severity

Security Advisory Important

Topic

Secondary Scheduler Operator for Red Hat OpenShift 1.1.0

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Secondary Scheduler Operator for Red Hat OpenShift 1.1.0

Security Fix(es):

• golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
• golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
• golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
• golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
• golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
• golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)
• golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
• golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
• golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
• golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
• golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
• golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For Secondary Scheduler Operator 1.1.0 see the following documentation, which will be updated shortly, for detailed release notes:

For more information on Secondary Scheduler Operator for Red Hat OpenShift 1.1.0, see the following release notes:

https://docs.openshift.com/container-platform/4.11/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-release-notes.html#secondary-scheduler-operator-release-notes-1.1.0

Affected Products

Fixes

• This content is not included.BZ - 2077688
• This content is not included.BZ - 2077689
• This content is not included.BZ - 2092793
• This content is not included.BZ - 2105001
• This content is not included.BZ - 2107342
• This content is not included.BZ - 2107371
• This content is not included.BZ - 2107374
• This content is not included.BZ - 2107376
• This content is not included.BZ - 2107383
• This content is not included.BZ - 2107386
• This content is not included.BZ - 2107388
• This content is not included.BZ - 2107390
• This content is not included.BZ - 2107392
• This content is not included.WRKLDS-466

CVEs

• CVE-2022-1705
• CVE-2022-1962
• CVE-2022-24675
• CVE-2022-28131
• CVE-2022-28327
• CVE-2022-30629
• CVE-2022-30630
• CVE-2022-30631
• CVE-2022-30632
• CVE-2022-30633
• CVE-2022-30635
• CVE-2022-32148

References

• https://access.redhat.com/security/updates/classification/#important

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.