-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Release of OpenShift Serverless 1.12.0
Advisory ID:       RHSA-2021:0146-01
Product:           Red Hat OpenShift Serverless
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0146
Issue date:        2021-01-14
CVE Names:         CVE-2018-20843 CVE-2019-5018 CVE-2019-13050 
                   CVE-2019-13627 CVE-2019-14889 CVE-2019-15903 
                   CVE-2019-16168 CVE-2019-19221 CVE-2019-19906 
                   CVE-2019-19956 CVE-2019-20218 CVE-2019-20387 
                   CVE-2019-20388 CVE-2019-20454 CVE-2020-1730 
                   CVE-2020-1751 CVE-2020-1752 CVE-2020-1971 
                   CVE-2020-6405 CVE-2020-7595 CVE-2020-9327 
                   CVE-2020-10029 CVE-2020-13630 CVE-2020-13631 
                   CVE-2020-13632 CVE-2020-24553 CVE-2020-24659 
                   CVE-2020-28362 CVE-2020-28366 CVE-2020-28367 
=====================================================================

1. Summary:

Release of OpenShift Serverless 1.12.0

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each
vulnerability. For more information, see the CVE links in the References
section.

2. Description:

Red Hat OpenShift Serverless 1.12.0 is a generally available release of the
OpenShift Serverless Operator. 

This version of the OpenShift Serverless
Operator is supported on Red Hat OpenShift Container Platform version 4.6,
and includes security and bug fixes and enhancements. For more information,
see the documentation listed in the References section.

Security Fix(es):

* golang: default Content-Type setting in net/http/cgi and net/http/fcgi
could cause XSS (CVE-2020-24553)

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

* golang: malicious symbol names can lead to code execution at build time
(CVE-2020-28366)

* golang: improper validation of cgo flags can lead to code execution at
build time (CVE-2020-28367)

For more details about the security issues and their impact, the CVSS
score, acknowledgements, and other related information, see the CVE pages
listed in the References section.

3. Solution:

See the documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/
4.6/html/serverless_applications/index

4. Bugs fixed (https://bugzilla.redhat.com/):

1874857 - CVE-2020-24553 golang: default Content-Type setting in net/http/cgi
 and net/http/fcgi could cause XSS
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of
 very large numbers
1897643 - CVE-2020-28366 golang: malicious symbol names can lead to code
 execution at build time
1897646 - CVE-2020-28367 golang: improper validation of cgo flags can lead to
 code execution at build time
1906381 - Release of OpenShift Serverless Serving 1.12.0
1906382 - Release of OpenShift Serverless Eventing 1.12.0

5. References:

https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-5018
https://access.redhat.com/security/cve/CVE-2019-13050
https://access.redhat.com/security/cve/CVE-2019-13627
https://access.redhat.com/security/cve/CVE-2019-14889
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-16168
https://access.redhat.com/security/cve/CVE-2019-19221
https://access.redhat.com/security/cve/CVE-2019-19906
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20218
https://access.redhat.com/security/cve/CVE-2019-20387
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2019-20454
https://access.redhat.com/security/cve/CVE-2020-1730
https://access.redhat.com/security/cve/CVE-2020-1751
https://access.redhat.com/security/cve/CVE-2020-1752
https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-6405
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-9327
https://access.redhat.com/security/cve/CVE-2020-10029
https://access.redhat.com/security/cve/CVE-2020-13630
https://access.redhat.com/security/cve/CVE-2020-13631
https://access.redhat.com/security/cve/CVE-2020-13632
https://access.redhat.com/security/cve/CVE-2020-24553
https://access.redhat.com/security/cve/CVE-2020-24659
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/cve/CVE-2020-28366
https://access.redhat.com/security/cve/CVE-2020-28367
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYAB9FtzjgjWX9erEAQhy4w/8DkWBfDN8NTwDn5G3DQm7avlhwkCoRMUQ
Vt2xCRU6oj06m1xmmixHjbXldN9E8xmJCA9MPfRolKfqFvgxgLs0ZfQNo51qZu2B
IlnB/flgg2xT6j5LRSB6gUILkgeKnnTQOoldrc6W4snz+TwPxVUDGLWx4UlaO2n1
giniC6RESaACoMBZYijKjaM/PAo665Fajfs91bgcg7YnnYtu6Zbs561CoRDg7rR1
nC9zqJDfPQXj01GhKqkscVxDjhWRxo9Dvk7bdT9fSMK9o6EZiRnE4HXNm4FjzLIw
FXQ1Pd7T6Car3iwN0ZMRLn/aEYPzc3h4d3tAMQj+NwHLX0MnXB61+e2bkoFGEluF
PCTis0uhfQaL9unbrQ1NVKMMcbbztlGh9hjY//RLX/aTvYrGqi2sBlnA6n14dRPy
rc6fdK3GdVI4doC1SnIMI7ZvWv3Jt5Wq5l/AnxWm/+pn68ibIMPyC0vU82bffUtA
aiei6JPY7u3O+JqrlQYVQ2tICySnM2bEbP98emg0bedzkD9JfFOQpg8sxkm+V1qm
Tu2xl/v5jHr70nICzVUF3paztwCvMyeD63pYbtWXPqQmc1IIpCUgTQQwpC+G93Uf
wu2FJ4Vqb2tiqRkI4Ju3WJd1qKyTz+83pkuKHwe845n7D8kRFxEYpmE50lT7eAab
A3H5xDIIYLk=
=2gLp
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce