Update registry.redhat.io/openshift4/ose-tools-rhel8 Docker digest to 3c7c8e8 [SECURITY] #343
Conversation
![red-hat-konflux[bot]](https://avatars.githubusercontent.com/in/296509?s=60&v=4){kind=small}
… 3c7c8e8 [SECURITY] Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: red-hat-konflux[bot] The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Hi @red-hat-konflux[bot]. Thanks for your PR. I'm waiting for a openshift-pipelines member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
This PR contains the following updates:
898540b->3c7c8e8Warning
Some dependencies could not be looked up. Check the warning logs for more information.
kernel: HID: core: zero-initialize the report buffer
CVE-2024-50302
More information
Details
A vulnerability was found in the Linux kernel's driver for Human Interface Devices. This flaw allows an attacker to use a malicious input device to read information from the report buffer. This could be used to leak kernel memory, enabling the exploitation of additional vulnerabilities.
Severity
Important
References
podman: buildah: Container breakout by using --jobs=2 and a race condition when building a malicious Containerfile
CVE-2024-11218
More information
Details
A vulnerability was found in
podman buildandbuildah.This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and directories on the host.Severity
Important
References
bind: bind9: Many records in the additional section cause CPU exhaustion
CVE-2024-11187
More information
Details
A flaw was found in the bind package where a crafted DNS zone may generate numerous records in the 'Additional' section of the response. This flaw allows an attacker to send a large amount of such queries, which may lead either the authoritative server or an independent resolver to run into an uncontrolled CPU resource scenario, ultimately resulting in the server not being able to attend new requests and causing a denial of service as a consequence.
Severity
Important
References
golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html
CVE-2024-45338
More information
Details
A flaw was found in golang.org/x/net/html. This flaw allows an attacker to craft input to the parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This issue can cause a denial of service.
Severity
Important
References
rsync: Info Leak via Uninitialized Stack Contents
CVE-2024-12085
More information
Details
A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.
Severity
Important
References
kernel: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
CVE-2024-53104
More information
Details
A vulnerability was found in the Linux kernel's USB Video Class driver. A buffer for video frame data is allocated, which does not account for all of the frame formats contained in a video stream, leading to an out-of-bounds write when a stream includes frames with an undefined format. An attacker who is able to influence the format of video streams captured by a system's USB video device could exploit this flaw to alter system memory and potentially escalate their privileges or execute arbitrary code.
Severity
Important
References
cross-spawn: regular expression denial of service
CVE-2024-21538
More information
Details
A Regular Expression Denial of Service (ReDoS) vulnerability was found in the cross-spawn package for Node.js. Due to improper input sanitization, an attacker can increase CPU usage and crash the program with a large, specially crafted string.
Severity
Low
References
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
To execute skipped test pipelines write comment
/ok-to-test.This PR has been generated by MintMaker (powered by Renovate Bot).