-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Service Telemetry Framework 1.5 security update
Advisory ID:       RHSA-2023:1529-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1529
Issue date:        2023-03-30
CVE Names:         CVE-2022-1705 CVE-2022-23772 CVE-2022-23773
                   CVE-2022-23806 CVE-2022-24675 CVE-2022-27664
                   CVE-2022-28327 CVE-2022-29526 CVE-2022-30629
                   CVE-2022-30630 CVE-2022-30631 CVE-2022-30632
                   CVE-2022-32189 CVE-2022-41715 CVE-2022-41717
=====================================================================

1. Summary:

An update is now available for Service Telemetry Framework 1.5.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Service Telemetry Framework (STF) provides automated collection of
measurements and data from remote clients, such as Red Hat OpenStack
Platform or third-party nodes. STF then transmits the information to a
centralized, receiving Red Hat OpenShift Container Platform (OCP)
deployment for storage, retrieval, and monitoring.

Security Fix(es):

* golang: crypto/elliptic: IsOnCurve returns true for invalid field elements
(CVE-2022-23806)

* golang: math/big: uncontrolled memory consumption due to an unhandled
overflow via Rat.SetString (CVE-2022-23772)

* golang: cmd/go: misinterpretation of branch names can lead to incorrect
access control (CVE-2022-23773)

* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

* golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)

* golang: syscall: faccessat checks wrong group (CVE-2022-29526)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

* golang: net/http: handle server errors after sending GOAWAY
(CVE-2022-27664)

* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)

* golang: net/http: An attacker can cause excessive memory growth in a Go
server accepting HTTP/2 requests (CVE-2022-41717)

* golang: crypto/tls: session tickets lack random ticket_age_add
(CVE-2022-30629)

* golang: math/big: decoding big.Float and big.Rat types can panic if the
encoded message is too short, potentially allowing a denial of service
(CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

The Service Telemetry Framework container image provided by this update can
be downloaded from the Red Hat Container Registry at
registry.access.redhat.com. Installation instructions for your platform are
available at Red Hat Container Catalog (see References).

Dockerfiles and scripts should be amended either to refer to this new image
specifically, or to the latest image generally.

4. Bugs fixed (https://bugzilla.redhat.com/):

2053429 - CVE-2022-23806 golang: crypto/elliptic: IsOnCurve returns true for invalid field elements
2053532 - CVE-2022-23772 golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString
2053541 - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group
2092544 - [RFE] Expose certificate duration in Certificate object for Interconnect
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests
2176537 - [STF 1.5] Release delivery of STF 1.5.1

5. References:

https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-23772
https://access.redhat.com/security/cve/CVE-2022-23773
https://access.redhat.com/security/cve/CVE-2022-23806
https://access.redhat.com/security/cve/CVE-2022-24675
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-28327
https://access.redhat.com/security/cve/CVE-2022-29526
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZCT+ydzjgjWX9erEAQjyzhAAjXstJjR55eBWISAdd1TGXMClBLY0BPzn
8HGgLzXeq2QPrzo5sxIl/+iDW032fYFW+5Z8GRvMGPkNFm6tZN5PPsv6zyMJppPF
8erziyaLG1lIczWoib23hYhg9wMKtKkkyP0Yl+E3qfy/POle7GIQUWcTyjfHb0mT
Wjm9EUgtC/RFxl7+W8xTBe//MxFIDzX5I73zATqKbcWhkT3nX48ZHzthV+62BmGu
D16afvOFzZb4Pl2+pL/AAkFS/KuD8ZAB/edgFzlrY9p9qGlPYWQ6BikyX/vEsvQG
oUa3npKQn5kkfZIXdmalJIfvkBx5zhtBEvaFj9Hlw1StQcSpS+ECMhpEvji74wiO
M/Id75HKHiSAstYEeav1QXScGuDqb1Lvm4NPW4fwulqu2jOcEGKXM/BVlYds47pH
9LYhHE60jg5oCwf3ajtJPgUtIRRxDS48HLxu8irZYc5XoQLh9rXm6tPnEnDnH8fq
pBn6lIICM7DOwiFAmFzmgLUVX8kQxqmSAedMZwn+3fBOalosvPSuDGQr5bVeJIlB
GYWZZ0bRoRHlR3YCVNdISBbL7G1gWBF/1nrOjItrhken8G9RsXWBOwqq6qYpmoPY
YLQ5kkru0iQpvfkIqyFOnrf0PWczcRBMac/Jubqw6w/smhFQdKkU6+nZzjxX1IbH
/v0lTHvsH0w=
=TpaS
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
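Added example, not part of the advisory and not code from Red Hat or the STF project: a Go routine that shows what "invalid field element" means in the crypto/elliptic entry CVE-2022-23806 under Security Fix(es), and the defence-in-depth check a caller can keep regardless of toolchain version. The function names ValidatePoint and ParseAndValidate and the three sample inputs are constructed for this illustration; the curve parameters come from Go's standard library.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// ErrInvalidPoint is returned for any public point that fails validation.
var ErrInvalidPoint = errors.New("invalid elliptic curve point")

// ValidatePoint checks that (x, y) is a well-formed affine point on curve:
// both coordinates must be reduced field elements (0 <= v < p) and the
// point must satisfy the curve equation. The explicit range check is the
// part CVE-2022-23806 concerned: unpatched IsOnCurve accepted coordinates
// that were not reduced modulo p, and arithmetic on such a point is
// undefined. Patched Go rejects them inside IsOnCurve as well, so the check
// here is defence in depth and costs two big.Int comparisons.
func ValidatePoint(curve elliptic.Curve, x, y *big.Int) error {
	if x == nil || y == nil {
		return ErrInvalidPoint
	}
	p := curve.Params().P
	if x.Sign() < 0 || y.Sign() < 0 || x.Cmp(p) >= 0 || y.Cmp(p) >= 0 {
		return fmt.Errorf("%w: coordinate outside the field", ErrInvalidPoint)
	}
	if !curve.IsOnCurve(x, y) {
		return fmt.Errorf("%w: point not on curve", ErrInvalidPoint)
	}
	return nil
}

// ParseAndValidate decodes an uncompressed SEC 1 point (0x04 || X || Y)
// and validates it. elliptic.Unmarshal returns nil coordinates for a
// malformed encoding; ValidatePoint covers the remaining cases.
func ParseAndValidate(curve elliptic.Curve, encoded []byte) (*big.Int, *big.Int, error) {
	x, y := elliptic.Unmarshal(curve, encoded)
	if x == nil {
		return nil, nil, fmt.Errorf("%w: malformed encoding", ErrInvalidPoint)
	}
	if err := ValidatePoint(curve, x, y); err != nil {
		return nil, nil, err
	}
	return x, y, nil
}

func main() {
	curve := elliptic.P256()
	gx, gy, p := curve.Params().Gx, curve.Params().Gy, curve.Params().P

	// Constructed inputs: the generator (valid); the generator with x shifted
	// by p (same residue, but not a reduced field element); and a point with
	// y off by one (not on the curve at all).
	cases := []struct {
		name string
		x, y *big.Int
	}{
		{"generator", gx, gy},
		{"x + p", new(big.Int).Add(gx, p), gy},
		{"y + 1", gx, new(big.Int).Add(gy, big.NewInt(1))},
	}
	for _, c := range cases {
		fmt.Printf("%-10s -> %v\n", c.name, ValidatePoint(curve, c.x, c.y))
	}

	// A well-formed encoding of the generator passes the full parse path.
	_, _, err := ParseAndValidate(curve, elliptic.Marshal(curve, gx, gy))
	fmt.Println("marshalled generator ->", err)
}
```

On a Go toolchain that carries the fix, the "x + p" case is rejected by IsOnCurve itself; ValidatePoint still rejects it first on the range check, so behaviour is the same whether or not the binary was built with a patched toolchain, which is the point of keeping the check in application code that handles peer-supplied public keys.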