-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.13.6 bug fix and security update Advisory ID: RHSA-2023:4226-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2023:4226 Issue date: 2023-07-27 CVE Names: CVE-2022-41723 CVE-2022-46663 CVE-2023-0464 CVE-2023-0465 CVE-2023-0466 CVE-2023-1255 CVE-2023-1260 CVE-2023-2650 CVE-2023-2700 CVE-2023-2828 CVE-2023-3089 CVE-2023-24329 CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 CVE-2023-25173 CVE-2023-27561 CVE-2023-29400 CVE-2023-32067 ==================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.13.6 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.6. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHBA-2023:4229 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html Security Fix(es): * net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) * containerd: Supplementary groups are not set up properly (CVE-2023-25173) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html 3. Solution: For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags. The sha values for the release are (For x86_64 architecture) The image digest is sha256:3ca57045e070978b38c36d4c98e188795a6cb4b128130f9c8d7a08b47c133aba (For s390x architecture) The image digest is sha256:f4c42c45cbb85db643e72149d08719896f2c1b70707dde062ef570b4c2bbf6eb (For ppc64le architecture) The image digest is sha256:f219f4a01c3f8c8a15026d80c6cb606775cf53a86673fdb0e0cb5f46a111a105 (For aarch64 architecture) The image digest is sha256:4c5ec89db787852cd4118e1f3533e214878ba4335b436f7073296e6955058d1a All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html. 4. Bugs fixed (https://bugzilla.redhat.com/): 2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding 5. JIRA issues fixed (https://issues.redhat.com/): OCPBUGS-11539 - multus-admission-controller does not have correct RollingUpdate parameterts when running under Hypershift OCPBUGS-15194 - Remove Tech Preview badge from the PAC List and details page OCPBUGS-15368 - Service DNS resolutions fails in Windows Pods on converted OVN hybrid clusters OCPBUGS-15378 - Critical Alert Rules do not have runbook url OCPBUGS-15982 - Load Kamelets as event sources/sinks from custom Camel K operator namespace OCPBUGS-16171 - Backporting tls-server-name is missing when using oc client OCPBUGS-16172 - Backporting tls-server-name is missing when using oc client OCPBUGS-16244 - Operator Backed catalog doesn't show anything when CSV copies are disabled OCPBUGS-16372 - Missing support in version 4.13 for multi architecture catalogs for oc-mirror 6. References: https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2022-46663 https://access.redhat.com/security/cve/CVE-2023-0464 https://access.redhat.com/security/cve/CVE-2023-0465 https://access.redhat.com/security/cve/CVE-2023-0466 https://access.redhat.com/security/cve/CVE-2023-1255 https://access.redhat.com/security/cve/CVE-2023-1260 https://access.redhat.com/security/cve/CVE-2023-2650 https://access.redhat.com/security/cve/CVE-2023-2700 https://access.redhat.com/security/cve/CVE-2023-2828 https://access.redhat.com/security/cve/CVE-2023-3089 https://access.redhat.com/security/cve/CVE-2023-24329 https://access.redhat.com/security/cve/CVE-2023-24534 https://access.redhat.com/security/cve/CVE-2023-24536 https://access.redhat.com/security/cve/CVE-2023-24537 https://access.redhat.com/security/cve/CVE-2023-24538 https://access.redhat.com/security/cve/CVE-2023-24539 https://access.redhat.com/security/cve/CVE-2023-25173 https://access.redhat.com/security/cve/CVE-2023-27561 https://access.redhat.com/security/cve/CVE-2023-29400 https://access.redhat.com/security/cve/CVE-2023-32067 https://access.redhat.com/security/updates/classification/#moderate 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJkwdS+AAoJENzjgjWX9erEnkQP/RTc7HDidI1c8Y6SzIC54ZDJ +gJqLCim88Mz/z797NUOy9Ky3H4+1wjy/bnemEdRcCoVw3wUpWUNRncRUoC2uGQ5 xa3R/s31qxGeuNyBIGVKCQ0yx6X/sxD0RyJXtk8Z53uxIia7snHcrusUyKjSSmFP wDt2tyCMjdd/eJvrsbMkT6HpQdeHTtesyRwqAgaczBFxkRL98FrD3q8OEuNrTq2z JSbi31cWi7vejlM60mF8G1mC2kwn+yT1h+W7/FLvzaTQ5WROEYKd8J0d/6+Yxhl9 HhDv6Z4WVRpGHaC/nb03wirsVw8vF7J/zeqRqrSygB/dDtbnd6zjgqy1CWd+8Qtq cfjGV/L2CyszU4zT8YBdnBlJk2ac5ZKaobTE0X+669QdYFLTMY4Y/2qR2XtNK14x IwXTAYLU/P6Ykvxz+JXtSkvJT1snUoZH1Mc0akQc055tPr3b0m8szMooha0VwfoB /TahgctjrA2OJL2c6l2W3y3BAxyapBFUgk/OXQpaMTOkFi7bNE7mbghUIAWI2K7F mnO20Cyc/iDSZyYL3InwK2z8p5KNUkHYdVyt9jc3jaZ8Ig8v302WoyyMZDRv0rmV VCMk0pbJzfe2dMyB35TXFvk7sHQDmjCzTk7JeBtaTUhQIc7vjhjyyDRcehsRhElo sw61LtTqLTgg3IFoJTTQ =6RwC -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce