-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.13.5 security update Advisory ID: RHSA-2023:4090-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2023:4090 Issue date: 2023-07-20 CVE Names: CVE-2022-41717 CVE-2022-41723 CVE-2023-1260 CVE-2023-3089 CVE-2023-24329 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-27561 CVE-2023-29400 CVE-2023-32067 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.13.5 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.5. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHSA-2023:4091 Security Fix(es): * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717) * net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html 3. Solution: For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html 4. Bugs fixed (https://bugzilla.redhat.com/): 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding 5. JIRA issues fixed (https://issues.redhat.com/): OCPBUGS-13353 - Dpu operator should not create pdb in case of bad configmap configuration OCPBUGS-14099 - Default namespace for openshift-dpu-network-operator is set to 'Openshift Operators' 6. References: https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2023-1260 https://access.redhat.com/security/cve/CVE-2023-3089 https://access.redhat.com/security/cve/CVE-2023-24329 https://access.redhat.com/security/cve/CVE-2023-24534 https://access.redhat.com/security/cve/CVE-2023-24536 https://access.redhat.com/security/cve/CVE-2023-24537 https://access.redhat.com/security/cve/CVE-2023-24538 https://access.redhat.com/security/cve/CVE-2023-24539 https://access.redhat.com/security/cve/CVE-2023-27561 https://access.redhat.com/security/cve/CVE-2023-29400 https://access.redhat.com/security/cve/CVE-2023-32067 https://access.redhat.com/security/updates/classification/#moderate https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJkuYVEAAoJENzjgjWX9erEdvEP/1eNA60zMj7f6YeGT3gaJO0z dEGvbdRaMQAlS306YqN3025jPhaz1hCUshnGAgvtz4Rhl3BT0JqrpON/BKpbFKzK Dhpq5IjMD+QaYY+qJAiYmGRXwN/kWVjuj6kJJhXCxAmzGyxsEjI3a8+3dwbGRNA8 WaBxkvl3fvn+3PjLewJDki4MnXc9HkpINFXF4kKeGKmV1JZh6/NMyZk+brgHyWkD 54Eon4JM3WXsCQqXSdtT9EoX23DsoyqHs4Be1xJT4LM0xc5ZaJ5iUtzc5bS0aEPq 9Dj1TFyjoUSoOmX9q8tlET5GQ2j580EnUW1xOxW3XgEycfnBLwY+76ImsZQPGsB0 oGK8aL9Bjurr76rQxuabAkwykZl+zAxqpMecKJhRSE3gY5MfKJ0FA6uO1souHxWt KK4RrPkzsyUC0e6Z0pRe7oNN9vZJdimgVc3XNJjf2YN98IgZ+6Fk1GSi7SZ0L6Zz VNfNoMnSFsoSEP3ThAKR7GYbdh5t30N/hK87BRCiYJo3ml8ABbEs5mcCDvKeqJF7 9leLwYm6B4h7rIFYsl9gsGBu4VyO06Q9nLWwlpkG6IkBJ5Hd3mwnWN6dufcOb38L 2yQa/b+NTAGReFRltYZ5jwXCpUUkZEkqa5dPqZqOgf0MaTl6LZVXqTRhvWc4hKTi v5vyZ0q3FAbRWsXamzde =DqTj -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce