Red Hat Security Advisory 2023-3664-01

Red Hat Security Advisory 2023-3664-01: Posted Jun 19, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-3664-01 - Release of Security Advisory for the OpenShift Jenkins image and Jenkins agent base image.; tags | advisory; systems | linux, redhat; advisories | CVE-2021-3782, CVE-2021-46848, CVE-2022-1304, CVE-2022-1705, CVE-2022-2795, CVE-2022-28327, CVE-2022-2880, CVE-2022-32148, CVE-2022-35737, CVE-2022-36227, CVE-2022-3627, CVE-2022-3970, CVE-2022-41715, CVE-2022-41717; SHA-256 | dd336c3e2dc2db105e105127e1f2bbf79335a56f544ed3b31f07727c470cb571; Download | Favorite | View

Red Hat Security Advisory 2023-3664-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Jenkins image and Jenkins agent base image security update
Advisory ID:       RHSA-2023:3664-01
Product:           OpenShift Developer Tools and Services
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3664
Issue date:        2023-06-19
CVE Names:         CVE-2021-3782 CVE-2021-46848 CVE-2022-1304 
                   CVE-2022-1705 CVE-2022-2795 CVE-2022-2880 
                   CVE-2022-3627 CVE-2022-3970 CVE-2022-28327 
                   CVE-2022-32148 CVE-2022-35737 CVE-2022-36227 
                   CVE-2022-41715 CVE-2022-41717 CVE-2022-42898 
                   CVE-2022-47629 CVE-2023-0361 CVE-2023-2491 
                   CVE-2023-22490 CVE-2023-23946 CVE-2023-24329 
                   CVE-2023-25652 CVE-2023-25815 CVE-2023-27535 
                   CVE-2023-29007 
=====================================================================

1. Summary:

Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent
base image.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Release of Security Advisory for the OpenShift Jenkins image and Jenkins
agent base image.

Security Fix(es):

* golang: net/http: An attacker can cause excessive memory growth in a Go
server accepting HTTP/2 requests (CVE-2022-41717)

* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)

* golang: net/http/httputil: ReverseProxy should not forward unparseable
query parameters (CVE-2022-2880)

* golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)

* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)

* golang: crypto/elliptic: panic caused by oversized scalar
(CVE-2022-28327)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-11182 - Jenkins images based on rhel8 are wrongly tagged with rhel7
OCPBUGS-13653 - [release-4.11] Bump Jenkins and Plugin versions
OCPBUGS-14114 - Update ImageStreams to use new Jenkins and Jenkins Agent Base images
OCPBUGS-1438 - [release-411] Jenkins install-plugins script does not ignore updates to locked plugin versions
OCPBUGS-14646 - Bump Jenkins plugins to latest versions

6. References:

https://access.redhat.com/security/cve/CVE-2021-3782
https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-2795
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-3627
https://access.redhat.com/security/cve/CVE-2022-3970
https://access.redhat.com/security/cve/CVE-2022-28327
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/cve/CVE-2022-47629
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-2491
https://access.redhat.com/security/cve/CVE-2023-22490
https://access.redhat.com/security/cve/CVE-2023-23946
https://access.redhat.com/security/cve/CVE-2023-24329
https://access.redhat.com/security/cve/CVE-2023-25652
https://access.redhat.com/security/cve/CVE-2023-25815
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-29007
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZJBOlNzjgjWX9erEAQgdPxAAh1Y9lOd+r2eO3rZEIgWjMHVWFdkaesI9
leeQl2YnQGRayU9ZBQsNRYal5rb5+ISN4fnccEjHJ8Y0D6ATkLHqA/nXEzkV3+Go
McLMN6JqzGrJ/jA7jhEoXGalIYYtfz5EYQ69wNtj5e63RUdNX+d7cqyiqQ+qE89j
uz9xoACp0zjuqL2YMiu2J2oTqEPVKFhNMU7j2GKzIWRUj8wnphWK9wzB+Wl6G/RS
Gr1l6FU53kkkxu6PQWWzO57uh2hIuBs3Z5a/bYRJoWI9meg/Rb2ro4Pr52v0wBRb
AhqXYJAGJlWhFuAgi06b2VNW4zvHt7gS8r8/rAVji+3VeS/bHR47x/Jsq+W+bAZh
lZHcL+ByT2kh8kvlEATlevaizpYBF1Uqx1xBMwZ5OvbpnGOhy1sJPWidkGHvBkA3
SuJ4gZaOO79rpyr6zaosMJwvvZC+/E4kxgEwbdDscRtGs8XVIqVYb1hU+7jsrqr3
epp8F2XKT8hmoK9+vS0B2Z+yXe1ba2e4TZTWBmHo7VaeHGZ5NCuQ/M3cW+WBM6Tv
DJK8mXjSt/7CklGVL0Ji/L7yIGFdp9GT7fYY3uOYH6jQgq4kzZTdAVBpI/X66H9U
jqXHieGJcRjU7fp0DhLgOBbCbbTDtxp+O6yoyziD8qTdc7O9H5MMTuoFwJb9/CYW
nlT0/YlHeks=
=YZWk
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Top Authors In Last 30 Days

Red Hat 278 files
Ubuntu 57 files
Gentoo 32 files
Debian 28 files
Apple 9 files
malvuln 6 files
Ahmet Umit Bayram 5 files
nu11secur1ty 5 files
Adam Gowdiak 4 files
liquidsky 3 files

File Archives

Systems

AIX (429)
Apple (2,087)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,042)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,499)
HPUX (880)
iOS (375)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,630)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,779)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,501)
UNIX (9,401)
UnixWare (187)
Windows (6,659)
Other

Red Hat Security Advisory 2023-3664-01

Red Hat Security Advisory 2023-3664-01

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Red Hat Security Advisory 2023-3664-01

Share This

Red Hat Security Advisory 2023-3664-01

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems