Update registry.redhat.io/openshift4/ose-tools-rhel8 Docker digest to 3c7c8e8 [SECURITY] #345
Conversation
![red-hat-konflux[bot]](https://avatars.githubusercontent.com/in/296509?s=60&v=4){kind=small}
… 3c7c8e8 [SECURITY] Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: red-hat-konflux[bot] The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Hi @red-hat-konflux[bot]. Thanks for your PR. I'm waiting for a openshift-pipelines member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
This PR contains the following updates:
e44074f->3c7c8e8kernel: HID: core: zero-initialize the report buffer
CVE-2024-50302
More information
Details
A vulnerability was found in the Linux kernel's driver for Human Interface Devices. This flaw allows an attacker to use a malicious input device to read information from the report buffer. This could be used to leak kernel memory, enabling the exploitation of additional vulnerabilities.
Severity
Important
References
golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
CVE-2023-39325
More information
Details
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.
CVE-2023-39325 was assigned for the
Rapid Reset Attackin the Go language packages.Severity
Important
References
buildah: Buildah allows arbitrary directory mount
CVE-2024-9675
More information
Details
A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a
RUNinstruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.Severity
Important
References
golang-github-gin-gonic-gin: Improper Input Validation
CVE-2023-26125
More information
Details
A flaw was found in Gin-Gonic Gin. This flaw allows a remote attacker to bypass security restrictions caused by improper input validation. An attacker can perform cache poisoning attacks by sending a specially-crafted request using the X-Forwarded-Prefix header.
Severity
Important
References
podman: buildah: Container breakout by using --jobs=2 and a race condition when building a malicious Containerfile
CVE-2024-11218
More information
Details
A vulnerability was found in
podman buildandbuildah.This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and directories on the host.Severity
Important
References
bind: bind9: Many records in the additional section cause CPU exhaustion
CVE-2024-11187
More information
Details
A flaw was found in the bind package where a crafted DNS zone may generate numerous records in the 'Additional' section of the response. This flaw allows an attacker to send a large amount of such queries, which may lead either the authoritative server or an independent resolver to run into an uncontrolled CPU resource scenario, ultimately resulting in the server not being able to attend new requests and causing a denial of service as a consequence.
Severity
Important
References
golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html
CVE-2024-45338
More information
Details
A flaw was found in golang.org/x/net/html. This flaw allows an attacker to craft input to the parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This issue can cause a denial of service.
Severity
Important
References
runc: file descriptor leak
CVE-2024-21626
More information
Details
A file descriptor leak issue was found in the runc package. While a user performs
O_CLOEXECall file descriptors before executing the container code, the file descriptor is open when performingsetcwd(2), which means that the reference can be kept alive in the container by configuring the working directory to be a path resolved through the file descriptor. The non-dumpable bit is unset afterexecve, meaning there are multiple ways to attack this other than bad configurations. The only way to defend against it entirely is to close all unneeded file descriptors.Severity
Important
References
openshift-console: OAuth2 insufficient state parameter entropy
CVE-2024-6508
More information
Details
An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim’s current application account using a third-party account without any restrictions.
Severity
Important
References
rsync: Info Leak via Uninitialized Stack Contents
CVE-2024-12085
More information
Details
A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.
Severity
Important
References
Podman: Buildah: CRI-O: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS)
CVE-2024-9676
More information
Details
A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (
--userns=autoin Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.Severity
Important
References
kernel: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
CVE-2024-53104
More information
Details
A vulnerability was found in the Linux kernel's USB Video Class driver. A buffer for video frame data is allocated, which does not account for all of the frame formats contained in a video stream, leading to an out-of-bounds write when a stream includes frames with an undefined format. An attacker who is able to influence the format of video streams captured by a system's USB video device could exploit this flaw to alter system memory and potentially escalate their privileges or execute arbitrary code.
Severity
Important
References
golang.org/x/net/html: Cross site scripting
CVE-2023-3978
More information
Details
A flaw was found in the Golang HTML package where it is vulnerable to Cross-site scripting caused by the improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's web browser within the security context of the hosting website once the URL is clicked. The flaw allows an attacker to steal the victim's cookie-based authentication credentials.
Severity
Important
References
QEMU: Denial of Service via Improper Synchronization in QEMU NBD Server During Socket Closure
CVE-2024-7409
More information
Details
A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline.
Severity
Important
References
cross-spawn: regular expression denial of service
CVE-2024-21538
More information
Details
A Regular Expression Denial of Service (ReDoS) vulnerability was found in the cross-spawn package for Node.js. Due to improper input sanitization, an attacker can increase CPU usage and crash the program with a large, specially crafted string.
Severity
Low
References
go-retryablehttp: url might write sensitive information to log file
CVE-2024-6104
More information
Details
A vulnerability was found in go-retryablehttp. The package may suffer from a lack of input sanitization by not cleaning up URL data when writing to the logs. This issue could expose sensitive authentication information.
Severity
Moderate
References
python: Path traversal on tempfile.TemporaryDirectory
CVE-2023-6597
More information
Details
A flaw was found in the tempfile.TemporaryDirectory class in python3/cpython3. The class may dereference symbolic links during permission-related errors, resulting in users that run privileged programs being able to modify permissions of files referenced by the symbolic link.
Severity
Important
References
opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics
CVE-2023-47108
More information
Details
A memory exhaustion flaw was found in the otelgrpc handler of open-telemetry. This flaw may allow a remote unauthenticated attacker to flood the peer address and port and exhaust the server's memory by sending multiple malicious requests, affecting the availability of the system.
Severity
Moderate
References
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
To execute skipped test pipelines write comment
/ok-to-test.This PR has been generated by MintMaker (powered by Renovate Bot).