[RHSA-2022:4863-01] Moderate: Release of OpenShift Serverless Version 1.22.1

[Security announcements for all Red Hat products and services.]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Release of OpenShift Serverless Version 1.22.1
Advisory ID:       RHSA-2022:4863-01
Product:           Red Hat OpenShift Serverless
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4863
Issue date:        2022-06-01
CVE Names:         CVE-2018-25032 CVE-2021-3634 CVE-2021-3737 
                   CVE-2021-4189 CVE-2022-23772 CVE-2022-23773 
                   CVE-2022-23806 
=====================================================================

1. Summary:

OpenShift Serverless version 1.22.1 contains a moderate security impact.

The References section contains CVE links providing detailed severity
ratings for each vulnerability. Ratings are based on a Common Vulnerability
Scoring System (CVSS) base score.

2. Description:

Version 1.22.1 of the OpenShift Serverless Operator is supported on Red Hat
OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, and 4.10. 

This release includes security and bug fixes, and enhancements.

Security Fixes in this release include:
- - golang: crypto/elliptic IsOnCurve returns true for invalid field
elements(CVE-2022-23806)
- - golang: cmd/go: misinterpretation of branch names can lead to incorrect
access control(CVE-2022-23773)
- - golang: math/big: uncontrolled memory consumption due to an unhandled
overflow via Rat.SetString (CVE-2022-23772)

For more details about the security issues, including the impact; a CVSS
score; acknowledgments; and other related information refer to the CVE
pages linked in the References section.

3. Solution:

See the Red Hat OpenShift Container Platform 4.6 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index
See the Red Hat OpenShift Container Platform 4.7 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
See the Red Hat OpenShift Container Platform 4.8 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
See the Red Hat OpenShift Container Platform 4.9 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
See the Red Hat OpenShift Container Platform 4.10 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index

4. Bugs fixed (https://bugzilla.redhat.com/):

2053429 - CVE-2022-23806 golang: crypto/elliptic IsOnCurve returns true for invalid field elements
2053532 - CVE-2022-23772 golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString
2053541 - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control

5. JIRA issues fixed (https://issues.jboss.org/):

SRVKE-1217 - New KafkaSource implementation does not default to PLAIN for SASL

6. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2021-3634
https://access.redhat.com/security/cve/CVE-2021-3737
https://access.redhat.com/security/cve/CVE-2021-4189
https://access.redhat.com/security/cve/CVE-2022-23772
https://access.redhat.com/security/cve/CVE-2022-23773
https://access.redhat.com/security/cve/CVE-2022-23806
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index

7. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYpd09dzjgjWX9erEAQhJnA/9E2DMi3bRFUcyAT7IpjWebeCLewnzLIAU
ZpxSqedhjzdAFO3KVpUHydTBUC4TU4orNDL6VzaFaZCP8kderqsWFdppKKST3Hr7
6zSSY1vBRuJxlX6u+PHMoihYLN3RK1Mz8Iv70gMKQAOmK45IUvYH1qsuUbWMuB7R
WJVsDWTdYy0PQT1+MjIT/LAFt88cMKKXCTLdoV9QVJ8xCYjWixzRKTNzupWQ/YWu
BVMpecXMD3gE1fzBnrwsdU+JspNvE2oD3lo61coSfjtOgoIvyoEz+ndctc7Bf16i
PNRKGzRU2afvULaXtG2Vb5kF5VGziB4S1t+sDfTujXQ0qaEMs/DB4JpA6QIRTTq9
8twhK4XvZHmjEDjyry39w+A1LD1e69135zHfY6dTBaBiIUsbYEccjJq6Joj/dQZp
bzhZZh7Pp0IFbPwL66Icssz2v/ofRB0Jyle3FZEpwxwTRQiE72VDXamHjkkh4kz6
1OvmkjVeUOq8PJZkd3GWg8haDcnEAyuU5huGfFIHJMeYUMYtvBJqBafsJ0V3ZYQy
QRDqqQ6RDnLz5o2URsTwTZ1mlN77m0Bs/Vfcq0w2bVsI/JAcUGY91I3/x0GCSgYj
U8BxPTsYi4XcwTKIVJ0sprMNy6Z4kSpgDYDTBGWzynOQUSHztTehldWWHW5TyHzR
speTkdilI20=
=eEoR
-----END PGP SIGNATURE-----