- Issued:
- 2023-06-05
- Updated:
- 2023-06-05
RHSA-2023:3455 - Moderate: Release of OpenShift Serverless 1.29.0
Synopsis
Moderate: Release of OpenShift Serverless 1.29.0
Type/Severity
Security Advisory Moderate
Topic
OpenShift Serverless version 1.29.0 contains a moderate security impact.
The References section contains CVE links providing detailed severity ratings for each vulnerability. Ratings are based on a Common Vulnerability Scoring System (CVSS) base score.
Description
Version 1.29.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.10, 4.11, 4.12, and 4.13.
This release includes security and bug fixes, and enhancements.
Security Fixes in this release include:
- containerd: Supplementary groups are not set up properly(CVE-2023-25173)
- golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding(CVE-2022-41723)
- golang: net/http, mime/multipart: denial of service from excessive resource consumption(CVE-2022-41725)
- golang: crypto/tls: large handshake records may cause panics(CVE-2022-41724)
- golang: html/template: backticks not treated as string delimiters(CVE-2023-24538)
- golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption(CVE-2023-24536)
- golang: net/http, net/textproto: denial of service from excessive memory allocation(CVE-2023-24534)
- golang: go/parser: Infinite loop in parsing(CVE-2023-24537)
For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, see the CVE pages linked from the References section.
Solution
For instructions on how to install and use OpenShift Serverless, see documentation linked from the References section.
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Openshift Serverless | 1 | x86_64 |
| Red Hat OpenShift Serverless for IBM Z and LinuxONE | 1 | s390x |
| Red Hat OpenShift Serverless for IBM Power, little endian | 1 | ppc64le |
Fixes
- This content is not included.BZ - 2174485
- This content is not included.BZ - 2178358
- This content is not included.BZ - 2178488
- This content is not included.BZ - 2178492
- This content is not included.BZ - 2184481
- This content is not included.BZ - 2184482
- This content is not included.BZ - 2184483
- This content is not included.BZ - 2184484
- This content is not included.BZ - 2185507
- This content is not included.BZ - 2185509
CVEs
- CVE-2022-4304
- CVE-2022-4450
- CVE-2022-36227
- CVE-2022-41723
- CVE-2022-41724
- CVE-2022-41725
- CVE-2023-0215
- CVE-2023-0286
- CVE-2023-0361
- CVE-2023-0767
- CVE-2023-21930
- CVE-2023-21937
- CVE-2023-21938
- CVE-2023-21939
- CVE-2023-21954
- CVE-2023-21967
- CVE-2023-21968
- CVE-2023-24534
- CVE-2023-24536
- CVE-2023-24537
- CVE-2023-24538
- CVE-2023-25173
- CVE-2023-27535
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index
- https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index
- https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/serverless/index
- https://access.redhat.com/documentation/en-us/openshift_container_platform/4.13/html/serverless/index
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.