[RHSA-2023:3664-01] Moderate: OpenShift Jenkins image and Jenkins agent base image security update
Security announcements for all Red Hat products and services.
rhsa-announce at redhat.com
Mon Jun 19 12:48:20 UTC 2023
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Jenkins image and Jenkins agent base image security update
Advisory ID: RHSA-2023:3664-01
Product: OpenShift Developer Tools and Services
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3664
Issue date: 2023-06-19
CVE Names: CVE-2021-3782 CVE-2021-46848 CVE-2022-1304
CVE-2022-1705 CVE-2022-2795 CVE-2022-2880
CVE-2022-3627 CVE-2022-3970 CVE-2022-28327
CVE-2022-32148 CVE-2022-35737 CVE-2022-36227
CVE-2022-41715 CVE-2022-41717 CVE-2022-42898
CVE-2022-47629 CVE-2023-0361 CVE-2023-2491
CVE-2023-22490 CVE-2023-23946 CVE-2023-24329
CVE-2023-25652 CVE-2023-25815 CVE-2023-27535
CVE-2023-29007
=====================================================================
1. Summary:
Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent
base image.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Release of Security Advisory for the OpenShift Jenkins image and Jenkins
agent base image.
Security Fix(es):
* golang: net/http: An attacker can cause excessive memory growth in a Go
server accepting HTTP/2 requests (CVE-2022-41717)
* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)
* golang: net/http/httputil: ReverseProxy should not forward unparseable
query parameters (CVE-2022-2880)
* golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)
* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)
* golang: crypto/elliptic: panic caused by oversized scalar
(CVE-2022-28327)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
5. JIRA issues fixed (https://issues.redhat.com/):
OCPBUGS-11182 - Jenkins images based on rhel8 are wrongly tagged with rhel7
OCPBUGS-13653 - [release-4.11] Bump Jenkins and Plugin versions
OCPBUGS-14114 - Update ImageStreams to use new Jenkins and Jenkins Agent Base images
OCPBUGS-1438 - [release-411] Jenkins install-plugins script does not ignore updates to locked plugin versions
OCPBUGS-14646 - Bump Jenkins plugins to latest versions
6. References:
https://access.redhat.com/security/cve/CVE-2021-3782
https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-2795
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-3627
https://access.redhat.com/security/cve/CVE-2022-3970
https://access.redhat.com/security/cve/CVE-2022-28327
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/cve/CVE-2022-47629
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-2491
https://access.redhat.com/security/cve/CVE-2023-22490
https://access.redhat.com/security/cve/CVE-2023-23946
https://access.redhat.com/security/cve/CVE-2023-24329
https://access.redhat.com/security/cve/CVE-2023-25652
https://access.redhat.com/security/cve/CVE-2023-25815
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-29007
https://access.redhat.com/security/updates/classification/#moderate
7. Contact:
The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZJBOlNzjgjWX9erEAQgdPxAAh1Y9lOd+r2eO3rZEIgWjMHVWFdkaesI9
leeQl2YnQGRayU9ZBQsNRYal5rb5+ISN4fnccEjHJ8Y0D6ATkLHqA/nXEzkV3+Go
McLMN6JqzGrJ/jA7jhEoXGalIYYtfz5EYQ69wNtj5e63RUdNX+d7cqyiqQ+qE89j
uz9xoACp0zjuqL2YMiu2J2oTqEPVKFhNMU7j2GKzIWRUj8wnphWK9wzB+Wl6G/RS
Gr1l6FU53kkkxu6PQWWzO57uh2hIuBs3Z5a/bYRJoWI9meg/Rb2ro4Pr52v0wBRb
AhqXYJAGJlWhFuAgi06b2VNW4zvHt7gS8r8/rAVji+3VeS/bHR47x/Jsq+W+bAZh
lZHcL+ByT2kh8kvlEATlevaizpYBF1Uqx1xBMwZ5OvbpnGOhy1sJPWidkGHvBkA3
SuJ4gZaOO79rpyr6zaosMJwvvZC+/E4kxgEwbdDscRtGs8XVIqVYb1hU+7jsrqr3
epp8F2XKT8hmoK9+vS0B2Z+yXe1ba2e4TZTWBmHo7VaeHGZ5NCuQ/M3cW+WBM6Tv
DJK8mXjSt/7CklGVL0Ji/L7yIGFdp9GT7fYY3uOYH6jQgq4kzZTdAVBpI/X66H9U
jqXHieGJcRjU7fp0DhLgOBbCbbTDtxp+O6yoyziD8qTdc7O9H5MMTuoFwJb9/CYW
nlT0/YlHeks=
=YZWk
-----END PGP SIGNATURE-----
More information about the RHSA-announce
mailing list