-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Ansible Automation Platform 2.3 Product Security and Bug Fix Update Advisory ID: RHSA-2023:4470-01 Product: Red Hat Ansible Automation Platform Advisory URL: https://access.redhat.com/errata/RHSA-2023:4470 Issue date: 2023-08-03 CVE Names: CVE-2022-41717 CVE-2022-41724 CVE-2022-41725 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-24540 CVE-2023-29400 ===================================================================== 1. Summary: An update is now available for Red Hat Ansible Automation Platform 2.3 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Ansible Automation Platform 2.3 for RHEL 8 - x86_64 3. Description: Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Security Fix(es) for openshift-clients: * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717) * golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724) * golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725) * golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534) * golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536) * golang: go/parser: Infinite loop in parsing (CVE-2023-24537) * golang: html/template: backticks not treated as string delimiters (CVE-2023-24538) * golang: html/template: improper sanitization of CSS values (CVE-2023-24539) * golang: html/template: improper handling of JavaScript whitespace (CVE-2023-24540) * golang: html/template: improper handling of empty HTML attributes (CVE-2023-29400) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests 2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption 2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics 2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters 2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption 2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation 2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing 2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values 2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace 2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes 6. Package List: Red Hat Ansible Automation Platform 2.3 for RHEL 8: Source: openshift-clients-4.12.0-202307200611.p0.g49844f7.assembly.stream.el8.src.rpm x86_64: openshift-clients-4.12.0-202307200611.p0.g49844f7.assembly.stream.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/cve/CVE-2022-41724 https://access.redhat.com/security/cve/CVE-2022-41725 https://access.redhat.com/security/cve/CVE-2023-24534 https://access.redhat.com/security/cve/CVE-2023-24536 https://access.redhat.com/security/cve/CVE-2023-24537 https://access.redhat.com/security/cve/CVE-2023-24538 https://access.redhat.com/security/cve/CVE-2023-24539 https://access.redhat.com/security/cve/CVE-2023-24540 https://access.redhat.com/security/cve/CVE-2023-29400 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJky7g3AAoJENzjgjWX9erEhHsP/RcbV8pZf6odMQDBYsVdnV0L dVZRW12HjfDorWo0BNer1oPSOPCCMbNziPNEzvWb5ij4putbPlNJTNbgvbt/GCe4 L3wRiPjcSPXaTJ3SjrueT3u6oWxN6FA9H/vYUYyHd98tAHUbTf3GtZvLDVokMs75 rHmmvivyBgCXXLQyGfNvjGEd1RIyuiJMjan/aWG1ZNL90REYo3gMSxsgeHofLjYB xe9oBJx+v1mfoWAfZQK4b8bNMMY7Ao0YxUyUcmKHHfVq93og1S+peF+HlCaSNCMH VYqtVJTZAPqj4J7oImkTF2aObsIb5dmSYjtwdQWI+Et6SKVm6xkIlM2cZUKqjjW/ ZuXXv9ACb8oqWwQHaQqYxrZPN7wUIWL5AAa6uNjZWr9SsYyQgdYDJ3WzvjdKvSsq yIqqPf5Gtfqu/ORe1lli8TrVZyvCG/HVVy/LPy0TnMyW0mA0PmJuxAHb6uAkA0k3 vUljuhez3kUslP/NJiWUzX4k2Q2q8m+ur3Mm8Z5r39qZ3uSWllTBCq3G/1iJfeGx 5W2F8oyKXfnRS/l38xgKkbeAA4KQTo6Y5/JTA0ybUiuPsVDnKZ5vCwIVEMsH8/Uo AZ7TemczNaY9d6wCtzgFTwKFJG8IpZoN55p4nS8Jc8665HYLzwrfrtq/eIyhg/iB 873U4d/+ykPVwFsSGYCe =37Iu -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce