Operating System:

[RedHat]

Published:

16 August 2022

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2022.4057 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4057
  Red Hat OpenStack Platform 16.1 (collectd-libpod-stats) security update
                              16 August 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenStack Platform 16.1 (collectd-libpod-stats)
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-30631  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2022:6065

Comment: CVSS (Max):  7.5 CVE-2022-30631 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenStack Platform 16.1 (collectd-libpod-stats) security update
Advisory ID:       RHSA-2022:6065-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6065
Issue date:        2022-08-15
CVE Names:         CVE-2022-30631 
=====================================================================

1. Summary:

An update for collectd-libpod-stats is now available for Red Hat OpenStack
Platform 16.1 (Train).

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.1 - ppc64le, x86_64

3. Description:

Collectd plugin for gathering resource usage statistics from containers
created with the libpod library.

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

6. Package List:

Red Hat OpenStack Platform 16.1:

Source:
collectd-libpod-stats-1.0.4-2.el8ost.src.rpm

ppc64le:
collectd-libpod-stats-1.0.4-2.el8ost.ppc64le.rpm

x86_64:
collectd-libpod-stats-1.0.4-2.el8ost.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYvo28dzjgjWX9erEAQiJIw//dp8mPmJul3+Vqcelyz+HrEFJwYPSfefl
3mr8VZqvtPdbufEe6L1kgpdQ3aOx8iYOHa7mXUA+NXSYUsZ9IquX5gLtF+9yaVcr
qxyUiYkbokbQv1kDu39bRK3dKp0OquIAErw0FHLGap8D9br9EuJ6BZSleb/eP31A
84GA8uQ+N7VQhrMY/XYwaNmJrLXrnT/nzxYSQIThEE1jDllZW8QpbS8ck1IgP+8Q
yLPA9pMh2zkl3y0ovYDaZDUZTIrOT6gnRjnN0g4cY/50dYSKezwOfSrjO0mjvbvD
ln+EXKal4MaxZxjSSO+YxoKOL3DZNj/BLyv38zw3n7HOjneApyZS+npNHRWLFZVr
sR/0x1cT+xqNl04df70EJSECl7oPXodAcpopMgTzokDwOgpPsJlmvF2M0LSNL/NL
O4Lx+1d329Fp3OCUCjXXl0pmspXCq7Bo1qjCh4KTdC1AdM+zhGPIFACEPczbqwz7
NSrhI78OgHcuIq4JPmQMjB+WKRaKngwK7pv9kSysoKAIsvJyi6xzzlOJBUyUsquZ
73427OdulFyPBLFi5sIXNiI8m9lAxxAG+SNAIF3LmQYgU+rpeaminRsiviWh9y7x
ktR/vfTMjWzFJVsZ62+0XehI4CZynWRdtSWBD+C7rXTzoMrJR6loB1rJHGIu1CS0
EuBqabZ4KYM=
=dw2O
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYvr6LskNZI30y1K9AQhJQA//ex3JiXRtFugL+/cVDS5JAQbMQ8wpY36A
b837FVYh4ROUh4mGM24icxl/XO1wQudBbKAGcgJLPcE0gDAP80VkNluz3vsJHc97
o2bp8Y5FM3nNQ0K+IiotKBuVa0Jg5+9pIr3iox22K8WJjFjrs3vLHXv6Ft+nAr8A
EUUX69Ak3EV8N1i/B3Qa9+eJttNVMqKo2hamStnOlKUkHbLJlny1Br9G6WOFAhyF
TjAKurhEizmEMs+xS/PgmTUjIp7IWuwogN2pijp5ZRzKqhOM9/vFfuN8q606twc1
sbkCVVkawAzB1xyap0pKh7A2GK8aGGlo92gk43abO3itjzCo8eGeTGmtG5DAQNAk
Lad6VN4ULatXk15iWcY+YZWo8QPczs6qfYlxBR+n1jPu5K+EZ9XsJWv7ctK7hUKx
QJ4sFpqjvPFzdhZXiR1MFYBBcl6Lp2kxBqITexO+s4VNTVE+Eunw4xA+vap7uwRk
S3EMzLytDHz1ak10sJjBavBqcEpp8H0yDso8TB6Yrso+DURPhEgrDt/RRq/cfCju
HbBvy1f8PX87DbTyLCMLICb48LYKKZ18oBdHXH14+3gBhL9MxgNHuE/yHUbEWzFv
bixoc3nzAyTnCekO3pmEDUWKP0mOUmVB3yj+wRdPtQiv7pubIGJWv+U4bXR1oIHg
Eh++FkG1ci4=
=4tVM
-----END PGP SIGNATURE-----