—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat OpenShift Serverless Client kn 1.12.0
Advisory ID: RHSA-2021:0145-01
Product: Red Hat OpenShift Serverless
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0145
Issue date: 2021-01-14
CVE Names: CVE-2020-24553 CVE-2020-28362 CVE-2020-28366
CVE-2020-28367
=====================================================================
1. Summary:
Red Hat OpenShift Serverless Client kn 1.12.0
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each
vulnerability. For more information, see the CVE links in the References
section.
2. Relevant releases/architectures:
Openshift Serverless 1 on RHEL 8Base – x86_64
3. Description:
Red Hat OpenShift Serverless Client kn CLI is delivered as an RPM package
for installation on RHEL platforms, and as binaries for non-Linux
platforms.
Red Hat OpenShift Serverless Client kn 1.12.0 provides a CLI to interact
with Red Hat OpenShift Serverless 1.12.0, and includes security and bug
fixes and enhancements. For more information, see the release notes listed
in the References section.
Security Fix(es):
* golang: default Content-Type setting in net/http/cgi and net/http/fcgi
could cause XSS (CVE-2020-24553)
* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)
* golang: malicious symbol names can lead to code execution at build time
(CVE-2020-28366)
* golang: improper validation of cgo flags can lead to code execution at
build time (CVE-2020-28367)
For more details about the security issues and their impact, the CVSS
score, acknowledgements, and other related information, see the CVE pages
listed in the References section.
4. Solution:
See the documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/
4.6/html/serverless_applications/index
5. Bugs fixed (https://bugzilla.redhat.com/):
1874857 – CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
1897635 – CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1897643 – CVE-2020-28366 golang: malicious symbol names can lead to code execution at build time
1897646 – CVE-2020-28367 golang: improper validation of cgo flags can lead to code execution at build time
1906386 – Release of OpenShift Serverless Client 1.12.0
6. Package List:
Openshift Serverless 1 on RHEL 8Base:
Source:
openshift-serverless-clients-0.18.4-2.el8.src.rpm
x86_64:
openshift-serverless-clients-0.18.4-2.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-24553
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/cve/CVE-2020-28366
https://access.redhat.com/security/cve/CVE-2020-28367
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/installing-openshift-serverless-1#installing-kn
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQIVAwUBYABJwtzjgjWX9erEAQiEFg//VA66Q5K3IfNl5ky03WPvGpN0lbcOGu7e
tL77eEw6lr4co45+8G38PlVQCf3EGE2OR6rYXFrEozirJvhiR0pljFz82GQjzYWx
BStrXhfcw4TSI95+rLmuOc2yxKda2F2CSRfO1lGJJDugCoVrZrAS2elBzObAv6eI
Gekll4TC37MhLw2d8gCNvjKbT6b0khDoAXntr/WzceqTRpPUuhvOcxDMzD6AWJDE
5ljIwGCCNii/HO3+UHK1zdCu965R9unr3JmfPvrJaRaYTHQMsmrxLlv0R59aTOPp
6MgHLy0Qx1tA5hdABYNkwDB7UjDaUvoQPuDN7djgMPFL1R4XBun0kNsfibt0P+5g
rYvvClNeKga822jlTVrMDEGHb69++Ba+mYXwsf1TUhII7wGBxm93ytrVIABblqnf
HO5AoT7qBsONj5Sm03YEbJ1SZ4KgLA2U9L1xBssg6I4N9KDo5mfLJJxzmOemd2Dp
7Vzjefb7WIaVxleSHW7aZngyRC5O0a2nWcFYCjm8/lKRUhn1egRyC5Z8I62bFvs4
iejUveFz4yRV8WtKuY9u2ey7xNtuxpBDGDF3zxwzXvOqa7gYKkN38XobAS3OR5bm
aeCR1Th4MopuHjqFldtE0BjBYQ7mPZ/VKzROXyU5zIibV89dIZz5lwpi45/BSZ/Y
6/zPPdn2CC0=
=Tj70
—–END PGP SIGNATURE—–
—
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce