===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3117
          Red Hat OpenStack Platform 16.2 (etcd) security update
                             16 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenStack Platform 16.2 (etcd)
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-33198 CVE-2021-33197 CVE-2021-33195
                   CVE-2021-31525
Reference:         ESB-2021.3007 ESB-2021.2939 ESB-2021.2735

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:3487

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.2 (etcd) security update
Advisory ID:       RHSA-2021:3487-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3487
Issue date:        2021-09-15
CVE Names:         CVE-2021-31525 CVE-2021-33195 CVE-2021-33197
                   CVE-2021-33198
=====================================================================

1. Summary:

An update for etcd is now available for Red Hat OpenStack Platform 16.2
(Train).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - ppc64le, x86_64

3. Description:

A highly-available key value store for shared configuration

Security Fix(es):

* net/http: panic in ReadRequest and ReadResponse when reading a very large
  header (CVE-2021-31525)

* golang: net: lookup functions may return invalid host names
  (CVE-2021-33195)

* golang: net/http/httputil: ReverseProxy forwards connection headers if
  first one is empty (CVE-2021-33197)

* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if
  passed inputs with very large exponents (CVE-2021-33198)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents

6. Package List:

Red Hat OpenStack Platform 16.2:

Source:
etcd-3.3.23-3.1.el8ost.1.src.rpm

ppc64le:
etcd-3.3.23-3.1.el8ost.1.ppc64le.rpm
etcd-debuginfo-3.3.23-3.1.el8ost.1.ppc64le.rpm
etcd-debugsource-3.3.23-3.1.el8ost.1.ppc64le.rpm

x86_64:
etcd-3.3.23-3.1.el8ost.1.x86_64.rpm
etcd-debuginfo-3.3.23-3.1.el8ost.1.x86_64.rpm
etcd-debugsource-3.3.23-3.1.el8ost.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

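As an added practitioner check, not part of the Red Hat advisory or the AusCERT bulletin text: a POSIX shell function that decides whether an installed etcd version-release is at or past the fixed build from the package list above (3.3.23-3.1.el8ost.1). Version ordering relies on GNU sort -V; the rpm query wrapper is an assumption about how the installed value would be obtained on a RHOSP host, and the sample values in the demo loop are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): compare an installed etcd
# VERSION-RELEASE against the fixed build shipped in RHSA-2021:3487.
# Ordering uses GNU "sort -V"; package epochs are not handled.

FIXED_ETCD_VR="3.3.23-3.1.el8ost.1"   # VERSION-RELEASE from section 6

# etcd_is_patched VERSION-RELEASE
# Returns 0 when the given value sorts at or after the fixed build,
# 1 when it is older, 2 when no value was supplied.
etcd_is_patched() {
    installed="$1"
    [ -n "$installed" ] || return 2
    # "sort -V -C" succeeds only if the two lines are already in ascending
    # version order, i.e. fixed <= installed.
    printf '%s\n%s\n' "$FIXED_ETCD_VR" "$installed" | sort -V -C 2>/dev/null
}

# Assumed wrapper for a live host: read VERSION-RELEASE from the RPM database.
check_installed_etcd() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; call etcd_is_patched with a version-release" >&2
        return 2
    fi
    vr="$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' etcd 2>/dev/null)" || {
        echo "etcd is not installed" >&2
        return 2
    }
    if etcd_is_patched "$vr"; then
        echo "etcd $vr: patched (>= $FIXED_ETCD_VR)"
    else
        echo "etcd $vr: needs update to etcd-$FIXED_ETCD_VR" >&2
        return 1
    fi
}

# Offline demonstration with constructed sample values.
for sample in "3.3.23-3.1.el8ost.1" "3.3.23-3.1.el8ost" "3.3.23-2.el8ost"; do
    if etcd_is_patched "$sample"; then
        echo "$sample: patched"
    else
        echo "$sample: needs update"
    fi
done
```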
7. References:

https://access.redhat.com/security/cve/CVE-2021-31525
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================