-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4100
                  Release of OpenShift Serverless 1.11.0
                              19 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Openshift Serverless 1 x86_64
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Overwrite Arbitrary Files       -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Reduced Security                -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14422 CVE-2020-14040 CVE-2020-13632 CVE-2020-13631
                   CVE-2020-13630 CVE-2020-10029 CVE-2020-9327 CVE-2020-8492
                   CVE-2020-8177 CVE-2020-7595 CVE-2020-6405 CVE-2020-1752
                   CVE-2020-1751 CVE-2020-1730 CVE-2019-20916 CVE-2019-20907
                   CVE-2019-20454 CVE-2019-20388 CVE-2019-20387 CVE-2019-20218
                   CVE-2019-19956 CVE-2019-19906 CVE-2019-19221 CVE-2019-16935
                   CVE-2019-16168 CVE-2019-15903 CVE-2019-14889 CVE-2019-13627
                   CVE-2019-13050 CVE-2019-5018 CVE-2019-1551 CVE-2018-20843
Reference:         ASB-2020.0072 ESB-2020.3631 ESB-2020.3364 ESB-2020.3350
                   ESB-2020.3137 ESB-2020.2573 ESB-2020.2162

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:5149

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Release of OpenShift Serverless 1.11.0
Advisory ID:       RHSA-2020:5149-01
Product:           Red Hat OpenShift Serverless
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5149
Issue date:        2020-11-18
CVE Names:         CVE-2018-20843 CVE-2019-1551 CVE-2019-5018 CVE-2019-13050
                   CVE-2019-13627 CVE-2019-14889 CVE-2019-15903 CVE-2019-16168
                   CVE-2019-16935 CVE-2019-19221 CVE-2019-19906 CVE-2019-19956
                   CVE-2019-20218 CVE-2019-20387 CVE-2019-20388 CVE-2019-20454
                   CVE-2019-20907 CVE-2019-20916 CVE-2020-1730 CVE-2020-1751
                   CVE-2020-1752 CVE-2020-6405 CVE-2020-7595 CVE-2020-8177
                   CVE-2020-8492 CVE-2020-9327 CVE-2020-10029 CVE-2020-13630
                   CVE-2020-13631 CVE-2020-13632 CVE-2020-14040 CVE-2020-14422
=====================================================================

1. Summary:

Release of OpenShift Serverless 1.11.0

2. Description:

Red Hat OpenShift Serverless 1.11.0 is a generally available release of the
OpenShift Serverless Operator.

This version of the OpenShift Serverless Operator is supported on Red Hat
OpenShift Container Platform version 4.6.

Security Fix(es):

* golang.org/x/text: possibility to trigger an infinite loop in
encoding/unicode could lead to crash (CVE-2020-14040)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, see the CVE page(s) listed in the
References section.

3. Solution:

See the documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index

4. Bugs fixed (https://bugzilla.redhat.com/):

1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
1889831 - Release of OpenShift Serverless Serving 1.11.0
1889833 - Release of OpenShift Serverless Eventing 1.11.0

5. References:

https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-1551
https://access.redhat.com/security/cve/CVE-2019-5018
https://access.redhat.com/security/cve/CVE-2019-13050
https://access.redhat.com/security/cve/CVE-2019-13627
https://access.redhat.com/security/cve/CVE-2019-14889
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-16168
https://access.redhat.com/security/cve/CVE-2019-16935
https://access.redhat.com/security/cve/CVE-2019-19221
https://access.redhat.com/security/cve/CVE-2019-19906
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20218
https://access.redhat.com/security/cve/CVE-2019-20387
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2019-20454
https://access.redhat.com/security/cve/CVE-2019-20907
https://access.redhat.com/security/cve/CVE-2019-20916
https://access.redhat.com/security/cve/CVE-2020-1730
https://access.redhat.com/security/cve/CVE-2020-1751
https://access.redhat.com/security/cve/CVE-2020-1752
https://access.redhat.com/security/cve/CVE-2020-6405
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-8177
https://access.redhat.com/security/cve/CVE-2020-8492
https://access.redhat.com/security/cve/CVE-2020-9327
https://access.redhat.com/security/cve/CVE-2020-10029
https://access.redhat.com/security/cve/CVE-2020-13630
https://access.redhat.com/security/cve/CVE-2020-13631
https://access.redhat.com/security/cve/CVE-2020-13632
https://access.redhat.com/security/cve/CVE-2020-14040
https://access.redhat.com/security/cve/CVE-2020-14422
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX7U50tzjgjWX9erEAQiVDRAAlUzM2NA7x7TjcdwED8FCEf+zjqRn/Mpd
H5kTJZnBSW4MOVc0EP1oG7b69MSREdcWszbyJBpENDvJrwJZ2KjtetJ9tudvrJyc
NhQH2kg/wBJufbv7IIDtYYbaMgqqERyTM4OevNe1mCH3/yFJHmVo33WeIP7OQ2me
hWmTG1uVb1TdFIt4yevH9KJUP/uVYJhKpuDTd7jk4zfKhX/a3UjmoF1WPnorJvD0
pkOgwGlkY27o2a1WKjrQHxAecHDXwHZPjLkyhP/GFKhatqDQsAQPKF8GrXq+vX8r
pEWUjVY25wncy49wOrm9V5fPLs/UB2QBesyr7p18WyirA2u6s4vkDnk10CFDxHTv
g57Kz+tVbM93zQ+j5mYguy2cWr19Rip0BCziB6pUG6BNHmFyoLakNj1FIQrk1QXP
cpSCl1WoCFB35plCwgIBd6LI1Oesw7NfyKlSkYYrT88p9B33ZSxMoTvgBqg4SUqf
ijT6SbhqASId3zjUwZjSAeChbmiFkkLDWgsSiX5xfAFkhkVjzX8BPdekVTBY97XX
lCoAW2hbsyDvLr9B2PrUw6TsuQS5aSQ1F/YK3jxybuVY6RyhfGQ9iMKUhErEl+2Z
3uEtKaeDvJ9JOJLln2UIs86FUeRxgt+HUJsN4Lk0aEbEeMNjlhekGVdKjoFt26Du
PQ+QvoHSnZQ=
=M5kM
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX7XUheNLKJtyKPYoAQiRPw/9HvXSaGt1bzW29qnbmBNVe+F7Hq2uwhHZ
hoXHuXuU7okeJ31lz8mL9bJcMxz+G9D/7yugvKvHfkWnH5KIvmkeiu0r6fYj8F/F
vfeX4IqRmJKbr2FEEZBsFwrbQ1vtIFlwkkKq4B8K3M9oZuMsiqsC0GIStm7KodZY
Hnoc7g6NPvosvvrMDTm/7aYBMtqrShp06Z/R4EuTgEKGOFgavvwalK9ciPbmT8Ji
VatT+CNRAZGv3BEkvGjPiub2rg8KrTWHVSclc1Z1i3NR/ZX9a4ybdTT8HJj+Y8LA
SMRDG0ShEBsyNPg/NOGYNyHO6ZOLi0oW5KVDoY1UB6ekc/B5P5fLLgT9RMj2gwue
ul7y7kJppySOyI6bu9TPmEinBZoyLQoLYoP/Xwv//U4lG/7q/+U2ccx/J3gGi5HU
h/sKW3D38SOZ5pU/klNKcWzz/QtLE+mgBOWwmNa5W5SJmI5vWPw4u6if9bRZNfS1
y2S1Nl7gTjfdutqMkouplrOXGDg0A0iYd9fKptoCs2wSg58j2ESwXdLh7PJTyKsT
2AQEVe8XSUevQEE5I09xlKvD/cKZITWgPMFDgEhwMR6WvkYPy0adszp7jJ893Yxh
EQrhxqqGz5JvHHdaxQH+I87myF17/C29M0s4tpuTgWAQetKURzWr2c/HEDObcKeL
P1dm39b3vtU=
=g6di
-----END PGP SIGNATURE-----
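The fix the advisory names (CVE-2020-14040 in golang.org/x/text) is delivered by upgrading the operator, but that module is a transitive dependency of a great deal of Go software, so the check a practitioner wants is whether their own go.mod files or built binaries still pin golang.org/x/text below the fixed release. The program below is an added example; it is not part of this bulletin or of Red Hat's advisory. It assumes the first fixed upstream release is v0.3.3 (taken from the upstream CVE record, not from this bulletin), reads both go.mod require/replace lines and the dependency lines printed by `go version -m <binary>`, and treats pre-release and pseudo-versions of v0.3.3 as still vulnerable. The sample input is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module named in the advisory's security fix, and the first upstream release
// without CVE-2020-14040. The fixed version is an assumption taken from the
// upstream CVE record; the bulletin itself only names the CVE.
const (
	xTextModule = "golang.org/x/text"
	FixedXText  = "v0.3.3"
)

// semver is the parsed form of a Go module version such as "v0.3.2" or the
// pseudo-version "v0.3.3-0.20200416000000-abcdef012345".
type semver struct {
	nums [3]int
	pre  bool // "-..." suffix: sorts before the bare version (pre-release/pseudo-version)
}

// parseSemver returns ok=false for anything it cannot parse so callers report
// odd inputs instead of silently treating them as fixed.
func parseSemver(v string) (sv semver, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		sv.pre = v[i] == '-' // "+build" metadata does not affect ordering
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return sv, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return sv, false
		}
		sv.nums[i] = n
	}
	return sv, true
}

// olderThan reports whether a sorts strictly before b.
func olderThan(a, b semver) bool {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] < b.nums[i]
		}
	}
	return a.pre && !b.pre
}

// Finding is one input line that pins golang.org/x/text to some version.
type Finding struct {
	Line       string
	Version    string
	Vulnerable bool // older than FixedXText, or unparseable (flagged conservatively)
	Note       string
}

// ScanXText scans go.mod text or `go version -m <binary>` output. Both formats
// place the version immediately after the module path, so one field walk
// covers them. Lines that do not mention the module are ignored.
func ScanXText(input string) []Finding {
	fixed, _ := parseSemver(FixedXText)
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(input))
	for sc.Scan() {
		line := sc.Text()
		fields := strings.Fields(line)
		// Use the last mention of the module so that a replace directive
		// ("old => new vX.Y.Z") resolves to the replacement version.
		idx := -1
		for i, f := range fields {
			if f == xTextModule {
				idx = i
			}
		}
		if idx < 0 || idx+1 >= len(fields) {
			continue
		}
		f := Finding{Line: strings.TrimSpace(line), Version: fields[idx+1]}
		switch got, ok := parseSemver(f.Version); {
		case !ok:
			f.Vulnerable, f.Note = true, "unparseable version, treat as suspect"
		case olderThan(got, fixed):
			f.Vulnerable, f.Note = true, "older than "+FixedXText
		default:
			f.Note = "at or above " + FixedXText
		}
		out = append(out, f)
	}
	return out
}

// Constructed sample input (not output from any real build): a go.mod fragment
// followed by two lines in the layout printed by `go version -m`.
const sampleInput = `module example.com/app

require (
	golang.org/x/text v0.3.2 // indirect
	golang.org/x/net v0.0.0-20200101000000-000000000000
)

replace golang.org/x/text => golang.org/x/text v0.3.3

	dep	golang.org/x/text	v0.3.3-0.20200416000000-abcdef012345	h1:constructed=
	dep	golang.org/x/sys	v0.0.0-20200101000000-000000000000	h1:constructed=
`

func main() {
	for _, f := range ScanXText(sampleInput) {
		status := "ok  "
		if f.Vulnerable {
			status = "VULN"
		}
		fmt.Printf("%s %-40s %s\n", status, f.Version, f.Note)
	}
}
```

On the constructed input the scanner flags v0.3.2 and the v0.3.3 pseudo-version and accepts the replace directive's v0.3.3. To run it against a real artifact, feed `go version -m ./your-binary` (or a go.mod) to ScanXText instead of sampleInput; a pseudo-version flagged here may in fact contain the fix if its commit postdates it, so treat a flag as a prompt to check the commit, not as proof of exposure.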