-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Jenkins image and Jenkins agent base image security update Advisory ID: RHSA-2023:3664-01 Product: OpenShift Developer Tools and Services Advisory URL: https://access.redhat.com/errata/RHSA-2023:3664 Issue date: 2023-06-19 CVE Names: CVE-2021-3782 CVE-2021-46848 CVE-2022-1304 CVE-2022-1705 CVE-2022-2795 CVE-2022-2880 CVE-2022-3627 CVE-2022-3970 CVE-2022-28327 CVE-2022-32148 CVE-2022-35737 CVE-2022-36227 CVE-2022-41715 CVE-2022-41717 CVE-2022-42898 CVE-2022-47629 CVE-2023-0361 CVE-2023-2491 CVE-2023-22490 CVE-2023-23946 CVE-2023-24329 CVE-2023-25652 CVE-2023-25815 CVE-2023-27535 CVE-2023-29007 ===================================================================== 1. Summary: Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent base image. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Release of Security Advisory for the OpenShift Jenkins image and Jenkins agent base image. Security Fix(es): * golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717) * golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715) * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880) * golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148) * golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705) * golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar 2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header 2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests 5. JIRA issues fixed (https://issues.redhat.com/): OCPBUGS-11182 - Jenkins images based on rhel8 are wrongly tagged with rhel7 OCPBUGS-13653 - [release-4.11] Bump Jenkins and Plugin versions OCPBUGS-14114 - Update ImageStreams to use new Jenkins and Jenkins Agent Base images OCPBUGS-1438 - [release-411] Jenkins install-plugins script does not ignore updates to locked plugin versions OCPBUGS-14646 - Bump Jenkins plugins to latest versions 6. References: https://access.redhat.com/security/cve/CVE-2021-3782 https://access.redhat.com/security/cve/CVE-2021-46848 https://access.redhat.com/security/cve/CVE-2022-1304 https://access.redhat.com/security/cve/CVE-2022-1705 https://access.redhat.com/security/cve/CVE-2022-2795 https://access.redhat.com/security/cve/CVE-2022-2880 https://access.redhat.com/security/cve/CVE-2022-3627 https://access.redhat.com/security/cve/CVE-2022-3970 https://access.redhat.com/security/cve/CVE-2022-28327 https://access.redhat.com/security/cve/CVE-2022-32148 https://access.redhat.com/security/cve/CVE-2022-35737 https://access.redhat.com/security/cve/CVE-2022-36227 https://access.redhat.com/security/cve/CVE-2022-41715 https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/cve/CVE-2022-42898 https://access.redhat.com/security/cve/CVE-2022-47629 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-2491 https://access.redhat.com/security/cve/CVE-2023-22490 https://access.redhat.com/security/cve/CVE-2023-23946 https://access.redhat.com/security/cve/CVE-2023-24329 https://access.redhat.com/security/cve/CVE-2023-25652 https://access.redhat.com/security/cve/CVE-2023-25815 https://access.redhat.com/security/cve/CVE-2023-27535 https://access.redhat.com/security/cve/CVE-2023-29007 https://access.redhat.com/security/updates/classification/#moderate 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZJBOlNzjgjWX9erEAQgdPxAAh1Y9lOd+r2eO3rZEIgWjMHVWFdkaesI9 leeQl2YnQGRayU9ZBQsNRYal5rb5+ISN4fnccEjHJ8Y0D6ATkLHqA/nXEzkV3+Go McLMN6JqzGrJ/jA7jhEoXGalIYYtfz5EYQ69wNtj5e63RUdNX+d7cqyiqQ+qE89j uz9xoACp0zjuqL2YMiu2J2oTqEPVKFhNMU7j2GKzIWRUj8wnphWK9wzB+Wl6G/RS Gr1l6FU53kkkxu6PQWWzO57uh2hIuBs3Z5a/bYRJoWI9meg/Rb2ro4Pr52v0wBRb AhqXYJAGJlWhFuAgi06b2VNW4zvHt7gS8r8/rAVji+3VeS/bHR47x/Jsq+W+bAZh lZHcL+ByT2kh8kvlEATlevaizpYBF1Uqx1xBMwZ5OvbpnGOhy1sJPWidkGHvBkA3 SuJ4gZaOO79rpyr6zaosMJwvvZC+/E4kxgEwbdDscRtGs8XVIqVYb1hU+7jsrqr3 epp8F2XKT8hmoK9+vS0B2Z+yXe1ba2e4TZTWBmHo7VaeHGZ5NCuQ/M3cW+WBM6Tv DJK8mXjSt/7CklGVL0Ji/L7yIGFdp9GT7fYY3uOYH6jQgq4kzZTdAVBpI/X66H9U jqXHieGJcRjU7fp0DhLgOBbCbbTDtxp+O6yoyziD8qTdc7O9H5MMTuoFwJb9/CYW nlT0/YlHeks= =YZWk -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce