-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4100
                  Release of OpenShift Serverless 1.11.0
                             19 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Openshift Serverless 1 x86_64
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Privileged Data          -- Remote/Unauthenticated      
                   Overwrite Arbitrary Files       -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Reduced Security                -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14422 CVE-2020-14040 CVE-2020-13632
                   CVE-2020-13631 CVE-2020-13630 CVE-2020-10029
                   CVE-2020-9327 CVE-2020-8492 CVE-2020-8177
                   CVE-2020-7595 CVE-2020-6405 CVE-2020-1752
                   CVE-2020-1751 CVE-2020-1730 CVE-2019-20916
                   CVE-2019-20907 CVE-2019-20454 CVE-2019-20388
                   CVE-2019-20387 CVE-2019-20218 CVE-2019-19956
                   CVE-2019-19906 CVE-2019-19221 CVE-2019-16935
                   CVE-2019-16168 CVE-2019-15903 CVE-2019-14889
                   CVE-2019-13627 CVE-2019-13050 CVE-2019-5018
                   CVE-2019-1551 CVE-2018-20843 

Reference:         ASB-2020.0072
                   ESB-2020.3631
                   ESB-2020.3364
                   ESB-2020.3350
                   ESB-2020.3137
                   ESB-2020.2573
                   ESB-2020.2162

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:5149

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Release of OpenShift Serverless 1.11.0
Advisory ID:       RHSA-2020:5149-01
Product:           Red Hat OpenShift Serverless
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5149
Issue date:        2020-11-18
CVE Names:         CVE-2018-20843 CVE-2019-1551 CVE-2019-5018 
                   CVE-2019-13050 CVE-2019-13627 CVE-2019-14889 
                   CVE-2019-15903 CVE-2019-16168 CVE-2019-16935 
                   CVE-2019-19221 CVE-2019-19906 CVE-2019-19956 
                   CVE-2019-20218 CVE-2019-20387 CVE-2019-20388 
                   CVE-2019-20454 CVE-2019-20907 CVE-2019-20916 
                   CVE-2020-1730 CVE-2020-1751 CVE-2020-1752 
                   CVE-2020-6405 CVE-2020-7595 CVE-2020-8177 
                   CVE-2020-8492 CVE-2020-9327 CVE-2020-10029 
                   CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 
                   CVE-2020-14040 CVE-2020-14422 
=====================================================================

1. Summary:

Release of OpenShift Serverless 1.11.0

2. Description:

Red Hat OpenShift Serverless 1.11.0 is a generally available release of the
OpenShift Serverless Operator. This version of the OpenShift Serverless
Operator is supported on Red Hat OpenShift Container Platform version 4.6.

Security Fix(es): 
 * golang.org/x/text: possibility to trigger an infinite loop in
encoding/unicode could lead to crash (CVE-2020-14040)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, see the CVE page(s) listed in the
References section.
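The single security fix in this release is a dependency update: golang.org/x/text before v0.3.3 contains a UTF-16 decoder (encoding/unicode) that can be driven into an infinite loop by untrusted input, which for a serverless workload means a trivially remote denial of service against any function or event sink that decodes UTF-16. The operator images shipped here already carry the fixed library, but Go services you build and deploy onto OpenShift Serverless may pin their own copy. The following is an added example, not Red Hat's or Knative's code, that reads a go.mod and reports whether golang.org/x/text is pinned below the fixed release. It assumes v0.3.3 as the first fixed version (taken from the upstream fix, not stated in this advisory), and the go.mod content is constructed inline so the check runs offline.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// FixedXTextVersion is the first golang.org/x/text release carrying the fix
// for CVE-2020-14040 (encoding/unicode infinite loop). Assumption for this
// example: taken from the upstream fix, not from the advisory text.
const FixedXTextVersion = "v0.3.3"

// sampleGoMod is a constructed go.mod used only so the example runs offline.
// It mixes block-form and single-line require directives and an "// indirect"
// comment, all of which real go.mod files contain.
const sampleGoMod = `module example.com/knative-consumer

go 1.14

require (
	github.com/google/uuid v1.1.1
	golang.org/x/text v0.3.2 // indirect
	k8s.io/client-go v0.18.8
)

require golang.org/x/net v0.0.0-20200822124328-c89045814202
`

// parseVersion splits "vMAJOR.MINOR.PATCH[-prerelease][+build]" into its three
// numeric components. Pseudo-versions such as
// v0.0.0-20200822124328-c89045814202 are compared by their numeric prefix only,
// which is sufficient for a "below the fixed release" check.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unexpected version format %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("non-numeric component in %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// olderThan reports whether a < b for two parsed versions.
func olderThan(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Requirements parses the require directives (single-line and block form) of
// a go.mod and returns module path -> pinned version. Trailing comments such as
// "// indirect" are stripped before the line is split.
func Requirements(gomod string) map[string]string {
	reqs := make(map[string]string)
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				reqs[f[0]] = f[1]
			}
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				reqs[f[1]] = f[2]
			}
		}
	}
	return reqs
}

// VulnerableXText returns the pinned golang.org/x/text version when it is older
// than FixedXTextVersion, and an empty string when the module is absent or
// already fixed.
func VulnerableXText(gomod string) (string, error) {
	got, ok := Requirements(gomod)["golang.org/x/text"]
	if !ok {
		return "", nil
	}
	have, err := parseVersion(got)
	if err != nil {
		return "", err
	}
	fixed, _ := parseVersion(FixedXTextVersion)
	if olderThan(have, fixed) {
		return got, nil
	}
	return "", nil
}

func main() {
	v, err := VulnerableXText(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if v != "" {
		fmt.Printf("golang.org/x/text %s is older than %s: affected by CVE-2020-14040\n", v, FixedXTextVersion)
	} else {
		fmt.Println("golang.org/x/text absent or already at a fixed version")
	}
}
```

The go.mod pin is only the lower bound that minimal version selection starts from; run `go list -m golang.org/x/text` in the module to see the version actually built, and treat that as the authoritative answer. A copy of the library vendored into a container image is not covered by either check, so for deployed images inspect the binary's embedded module list (`go version -m <binary>`) instead.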

3. Solution:

See the documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index

4. Bugs fixed (https://bugzilla.redhat.com/):

1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
1889831 - Release of OpenShift Serverless Serving 1.11.0
1889833 - Release of OpenShift Serverless Eventing 1.11.0

5. References:

https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-1551
https://access.redhat.com/security/cve/CVE-2019-5018
https://access.redhat.com/security/cve/CVE-2019-13050
https://access.redhat.com/security/cve/CVE-2019-13627
https://access.redhat.com/security/cve/CVE-2019-14889
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-16168
https://access.redhat.com/security/cve/CVE-2019-16935
https://access.redhat.com/security/cve/CVE-2019-19221
https://access.redhat.com/security/cve/CVE-2019-19906
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20218
https://access.redhat.com/security/cve/CVE-2019-20387
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2019-20454
https://access.redhat.com/security/cve/CVE-2019-20907
https://access.redhat.com/security/cve/CVE-2019-20916
https://access.redhat.com/security/cve/CVE-2020-1730
https://access.redhat.com/security/cve/CVE-2020-1751
https://access.redhat.com/security/cve/CVE-2020-1752
https://access.redhat.com/security/cve/CVE-2020-6405
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-8177
https://access.redhat.com/security/cve/CVE-2020-8492
https://access.redhat.com/security/cve/CVE-2020-9327
https://access.redhat.com/security/cve/CVE-2020-10029
https://access.redhat.com/security/cve/CVE-2020-13630
https://access.redhat.com/security/cve/CVE-2020-13631
https://access.redhat.com/security/cve/CVE-2020-13632
https://access.redhat.com/security/cve/CVE-2020-14040
https://access.redhat.com/security/cve/CVE-2020-14422
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX7U50tzjgjWX9erEAQiVDRAAlUzM2NA7x7TjcdwED8FCEf+zjqRn/Mpd
H5kTJZnBSW4MOVc0EP1oG7b69MSREdcWszbyJBpENDvJrwJZ2KjtetJ9tudvrJyc
NhQH2kg/wBJufbv7IIDtYYbaMgqqERyTM4OevNe1mCH3/yFJHmVo33WeIP7OQ2me
hWmTG1uVb1TdFIt4yevH9KJUP/uVYJhKpuDTd7jk4zfKhX/a3UjmoF1WPnorJvD0
pkOgwGlkY27o2a1WKjrQHxAecHDXwHZPjLkyhP/GFKhatqDQsAQPKF8GrXq+vX8r
pEWUjVY25wncy49wOrm9V5fPLs/UB2QBesyr7p18WyirA2u6s4vkDnk10CFDxHTv
g57Kz+tVbM93zQ+j5mYguy2cWr19Rip0BCziB6pUG6BNHmFyoLakNj1FIQrk1QXP
cpSCl1WoCFB35plCwgIBd6LI1Oesw7NfyKlSkYYrT88p9B33ZSxMoTvgBqg4SUqf
ijT6SbhqASId3zjUwZjSAeChbmiFkkLDWgsSiX5xfAFkhkVjzX8BPdekVTBY97XX
lCoAW2hbsyDvLr9B2PrUw6TsuQS5aSQ1F/YK3jxybuVY6RyhfGQ9iMKUhErEl+2Z
3uEtKaeDvJ9JOJLln2UIs86FUeRxgt+HUJsN4Lk0aEbEeMNjlhekGVdKjoFt26Du
PQ+QvoHSnZQ=
=M5kM
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----