Issued: 2025-12-15
Updated: 2025-12-16

RHSA-2025:23206 - Important: Red Hat OpenShift GitOps v1.17.3 security update


Synopsis

Important: Red Hat OpenShift GitOps v1.17.3 security update

Type/Severity

Security Advisory: Important

Topic

Important: Red Hat OpenShift GitOps v1.17.3 security update

Description

An update is now available for Red Hat OpenShift GitOps. Bug Fix(es) and Enhancement(s):

  • GITOPS-8116 (CVE-2024-45338 openshift-gitops-dex-container: Non-linear parsing of case-insensitive content in golang.org/x/net/html [gitops-1.17])
  • GITOPS-7608 (Redis HA pods are taking longer than expected to come up)
  • GITOPS-7789 (Version override in ArgoCD CR causes operator to use upstream images)
  • GITOPS-7844 (GitOpsService controller creates default ArgoCD with v1alpha1 api version)
  • GITOPS-8019 (CVE-2025-49844 openshift-gitops-redis: use-after-free in the Redis Lua scripting engine)
  • GITOPS-8033 (openshift-gitops-redis-ha-haproxy deployment fails to rollout with 3 worker nodes)
  • GITOPS-8142 (CVE-2024-45337 reported by RHACS for OpenShift GitOps Operator v1.18.1 (ArgoCD-based) due to outdated git-lfs binary, dependency update required to remove false positive.)
  • GITOPS-8152 (ArgoCD CR Reconciliation fails if spec.applicationSet.webhookServer.route.enabled is set to true)

Post-Upgrade Action Required: Audit GitOps Operator Roles

Following this upgrade, we strongly recommend you run the provided audit script to review namespace-scoped access.

  • The script identifies Roles/RoleBindings that grant cross-namespace access for the GitOps operator's features (created via .spec.sourceNamespaces).
  • Run it to verify and confirm that only the intended namespaces have cross-namespace access to deploy applications.
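The audit logic described above can be reproduced offline against the output of `oc get rolebindings -A -o json`. The script below is an added example, not the audit script Red Hat provides with this advisory and not operator code: it flags every RoleBinding whose subjects include an Argo CD service account from another namespace and marks whether that namespace is one you intended to list in .spec.sourceNamespaces. The instance namespace `openshift-gitops`, the service-account names `openshift-gitops-argocd-server` and `openshift-gitops-argocd-application-controller`, the `<instance>_<namespace>` RoleBinding naming and the sample objects are assumptions modelled on a default install; adjust them to your cluster.

```python
"""Flag cross-namespace RoleBindings granted to Argo CD service accounts.

Added example, not Red Hat's audit script. Input is the "items" list of
`oc get rolebindings -A -o json`; the constants below assume a default
openshift-gitops instance and must be adapted to your ArgoCD CR.
"""
import json
import sys

# Assumption: namespace of the ArgoCD instance and the SAs that the operator
# binds into source namespaces when .spec.sourceNamespaces is set.
ARGOCD_NAMESPACE = "openshift-gitops"
ARGOCD_SERVICE_ACCOUNTS = {
    "openshift-gitops-argocd-server",
    "openshift-gitops-argocd-application-controller",
}


def find_cross_namespace_grants(rolebindings, argocd_namespace, argocd_sas,
                                intended_namespaces):
    """Return one finding per RoleBinding that binds an Argo CD SA from
    argocd_namespace into a *different* namespace.

    A RoleBinding whose subjects are local to its own namespace is not a
    cross-namespace grant and is skipped. `intended` records whether the
    binding's namespace is one you deliberately put in sourceNamespaces.
    """
    findings = []
    for rb in rolebindings:
        meta = rb.get("metadata", {})
        rb_ns = meta.get("namespace")
        hits = [
            f"{s.get('namespace')}/{s.get('name')}"
            for s in (rb.get("subjects") or [])
            if s.get("kind") == "ServiceAccount"
            and s.get("namespace") == argocd_namespace
            and s.get("namespace") != rb_ns
            and s.get("name") in argocd_sas
        ]
        if hits:
            findings.append({
                "namespace": rb_ns,
                "rolebinding": meta.get("name"),
                "roleRef": rb.get("roleRef", {}).get("name"),
                "subjects": hits,
                "intended": rb_ns in intended_namespaces,
            })
    return findings


def unintended_namespaces(findings):
    """Namespaces that received a cross-namespace grant you did not intend."""
    return sorted({f["namespace"] for f in findings if not f["intended"]})


def _rb(ns, name, role, subjects):
    # helper to build a minimal RoleBinding object for the constructed sample
    return {
        "metadata": {"namespace": ns, "name": name},
        "roleRef": {"kind": "Role", "name": role},
        "subjects": [{"kind": "ServiceAccount", "namespace": sns, "name": sn}
                     for sns, sn in subjects],
    }


# Constructed sample: team-a was intended as a source namespace, team-b was
# not, and the third binding is purely local and must not be flagged.
SAMPLE_ROLEBINDINGS = [
    _rb("team-a", "openshift-gitops_team-a", "openshift-gitops_team-a",
        [(ARGOCD_NAMESPACE, "openshift-gitops-argocd-server"),
         (ARGOCD_NAMESPACE, "openshift-gitops-argocd-application-controller")]),
    _rb("team-b", "openshift-gitops_team-b", "openshift-gitops_team-b",
        [(ARGOCD_NAMESPACE, "openshift-gitops-argocd-server")]),
    _rb("team-a", "local-deployer", "deployer",
        [("team-a", "deployer")]),
]


def main():
    # Usage: oc get rolebindings -A -o json | python audit.py team-a team-c
    intended = set(sys.argv[1:])
    items = SAMPLE_ROLEBINDINGS if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    for f in find_cross_namespace_grants(items, ARGOCD_NAMESPACE,
                                         ARGOCD_SERVICE_ACCOUNTS, intended):
        tag = "ok        " if f["intended"] else "UNEXPECTED"
        print(f"{tag} {f['namespace']}/{f['rolebinding']} role={f['roleRef']} "
              f"subjects={','.join(f['subjects'])}")
    bad = unintended_namespaces(find_cross_namespace_grants(
        items, ARGOCD_NAMESPACE, ARGOCD_SERVICE_ACCOUNTS, intended))
    sys.exit(1 if bad else 0)


if __name__ == "__main__":
    main()
```

Any namespace reported as UNEXPECTED should be compared against the ArgoCD CR's .spec.sourceNamespaces; a grant the CR does not explain should be removed and its origin investigated, because those RoleBindings let the instance's server and controller manage Application resources in that namespace.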

For more details, refer to:

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Product                      Version   Arch
Red Hat OpenShift GitOps     1.17      x86_64

Fixes

  • GITOPS-8116 - CVE-2024-45338 in openshift-gitops-dex-container (golang.org/x/net/html)
  • GITOPS-7608 - Redis HA pods slow to come up
  • GITOPS-7789 - version override in ArgoCD CR causes operator to use upstream images
  • GITOPS-7844 - GitOpsService controller creates default ArgoCD with v1alpha1 API version
  • GITOPS-8019 - CVE-2025-49844 in Redis
  • GITOPS-8033 - openshift-gitops-redis-ha-haproxy deployment fails to roll out with 3 worker nodes
  • GITOPS-8142 - CVE-2024-45337 false positive from outdated git-lfs binary
  • GITOPS-8152 - ArgoCD CR reconciliation fails when spec.applicationSet.webhookServer.route.enabled is true

CVEs

  • CVE-2024-45338
  • CVE-2024-45337
  • CVE-2025-49844
