-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Secondary Scheduler Operator for Red Hat OpenShift 1.1.2 security update Advisory ID: RHSA-2023:4657-01 Product: OSSO Advisory URL: https://access.redhat.com/errata/RHSA-2023:4657 Issue date: 2023-08-23 CVE Names: CVE-2020-24736 CVE-2022-36227 CVE-2023-1667 CVE-2023-2283 CVE-2023-24532 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-26604 CVE-2023-27535 CVE-2023-29400 ==================================================================== 1. Summary: Secondary Scheduler Operator for Red Hat OpenShift 1.1.2 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Secondary Scheduler Operator for Red Hat OpenShift 1.1.2 Security Fix(es): * golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results (CVE-2023-24532) * golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534) * golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536) * golang: go/parser: Infinite loop in parsing (CVE-2023-24537) * golang: html/template: backticks not treated as string delimiters (CVE-2023-24538) * golang: html/template: improper sanitization of CSS values (CVE-2023-24539) * golang: html/template: improper handling of empty HTML attributes (CVE-2023-29400) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters 2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption 2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation 2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing 2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values 2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes 2223355 - CVE-2023-24532 golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results 5. JIRA issues fixed (https://issues.redhat.com/): WRKLDS-793 - New OSSO 1.1.2 release 6. References: https://access.redhat.com/security/cve/CVE-2020-24736 https://access.redhat.com/security/cve/CVE-2022-36227 https://access.redhat.com/security/cve/CVE-2023-1667 https://access.redhat.com/security/cve/CVE-2023-2283 https://access.redhat.com/security/cve/CVE-2023-24532 https://access.redhat.com/security/cve/CVE-2023-24534 https://access.redhat.com/security/cve/CVE-2023-24536 https://access.redhat.com/security/cve/CVE-2023-24537 https://access.redhat.com/security/cve/CVE-2023-24538 https://access.redhat.com/security/cve/CVE-2023-24539 https://access.redhat.com/security/cve/CVE-2023-26604 https://access.redhat.com/security/cve/CVE-2023-27535 https://access.redhat.com/security/cve/CVE-2023-29400 https://access.redhat.com/security/updates/classification/#moderate 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJk5WynAAoJENzjgjWX9erEmR4QAJ5n2XzBLEgoPyYkKLsw7pIJ Cy2mmZeuS4SjQekEDKHQhFStEEv/5meeN8bb5t7K7DJNMSr9LLIkYQmvXgj2b322 LrDl56UaBOnxFUqBzONVQtHJdGJ+8Z5DuO9sudwObeKeb5EWIVpaSU0QDwIJbO7+ v2DvqA4GBOg9SRx/2QphQjcfPzSGMhNSL/b4YcWnMbU+xZGzgNdshI5V4hD/0sV8 T8RFsPyx0EpBFcM3OsasBqzqDUVGAmyONx36+rkjVkh2Mtjw/iwtUQ5SQaasC3bv UhLO6Z7tKd9mS0PmVm6f/Z1gmNfGeritzPgHbsPP42bhX0lsh3Dt6PO/Ft4RX+oz 433owpTVTwxEcffNFdUUhHsB8qhiSthmIgJ4AH+0WEe4RyHspSjUwCMnxZfn3T+x DAKQP8Lgsj1X6qd4FScFYQ7YulURTVyHJ8qQii6Dnkh3BBjPbMmiTwW8qxAbYQLD uBRNcDblFxcbZyjgl4lx0blRpjoKw3RFSTEUuYvfNKSi2XtM32ghKgmu5ECiwkjr 08ME466J3QM1uaSJK9woIvfT3BDGz8teWHJtsl8thL+xadnZdz6X8qcy2YIcW4/i 7EwUB0yQ6/x24gJ6T+IbCLIuwfUWOkKQFP2aFyav8Rbvqqxj3eVH4qK9jsw7Q1V2 pRhgrEM60gxGU/ObtSou =cO9Y -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce