-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 3.11.286 security update Advisory ID: RHSA-2020:3727-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2020:3727 Issue date: 2020-09-16 CVE Names: CVE-2020-10743 CVE-2020-14040 ==================================================================== 1. Summary: An update for logging-kibana5-container and openshift-enterprise-registry-container is now available for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: OpenShift Container Platform components are primarily written in Go (golang). The golang.org/x/text contains text-related packages which are used for text operations, such as character encodings, text transformations, and locale-specific text handling. Kibana is one of the major components of OpenShift Container Platform cluster logging. It is a browser-based console interface to query, discover, and visualize the log data. Security Fix(es): * golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040) * kibana: X-Frame-Option not set by default might lead to clickjacking (CVE-2020-10743) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: See the following documentation, which will be updated shortly for release 3.11.286, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r elease_notes.html This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258. 4. Bugs fixed (https://bugzilla.redhat.com/): 1834550 - CVE-2020-10743 kibana: X-Frame-Option not set by default might lead to clickjacking 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash 5. References: https://access.redhat.com/security/cve/CVE-2020-10743 https://access.redhat.com/security/cve/CVE-2020-14040 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX2HFmtzjgjWX9erEAQiE9w//SSgLBr+l1wnllmqEJnl+lECCR+2UdZEy MzreNTNbL5WkKwFt+em1sIwNGayPADUdc7cBMEd6r//sB1Xygm6Yw6BGKI0Mep/U AZV29ao0f9T+E6IDBE/ZlSkjYq97gelXTtILtw0Rxq1Z5JSYxbX/FhWLPI/1nu3/ 7XMmKm7ZpD4LK+d092XvyAOcXRSUjFCtEeuB+6mk90PC71CsGBds6UJyM4E+5Vv8 2kCm1BZ4G6jUVnsYjUFcodGYfTZI2KvQnJptu113Yf/i+L4rcQr6WhLYKitszB29 JgbYHWX0+MocO1zvuAr428fLqpv28RYYMx8jFLMNp7ykbDXwkaWkjr31ObQ2q/oe 18E7Vo3oqHwwQ/+3vUQsgD1IzDKaMZ0FSggtQHJEqwKteuIQ+FKDxmnGOJmFqzgv PCUq+/R+6bwKNdmWsFE1tarj4nsqZM9CuvcIP/JIkJ0Ax+4tisMU7TgW4o1juyjM kRHUvqBzq/H4ZdnuVbZQMNQka8qV3z4cF6k2XVrVhBOFHQFGgLUPycjiD7vpZCKV I5nwZV3CU79nzhVkqQrn+blqfn8SkN4jcL/dVPV+QQpC6wxvMAeUUHCXfGYk8OF3 Q3CCAQ5orMV47x3Nh6EMZXDlBlDADMI2bfRH5sebRoUDMDi+NyPSC3VJPasautFU OPvn/eMAjoE=LRhh -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce