(RHSA-2023:0408) Important: OpenShift Virtualization 4.12.0 Images security update

OpenShift Virtualization is Red Hat’s virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 4.12.0 images:

Security Fix(es):

• golang: net/http: limit growth of header canonicalization cache (CVE-2021-44716)

• kubeVirt: Arbitrary file read on the host from KubeVirt VMs (CVE-2022-1798)

• golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561)

• golang: syscall: don’t close fd 0 on ForkExec error (CVE-2021-44717)

• golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

• golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)

• golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString (CVE-2022-23772)

• golang: cmd/go: misinterpretation of branch names can lead to incorrect access control (CVE-2022-23773)

• golang: crypto/elliptic: IsOnCurve returns true for invalid field elements (CVE-2022-23806)

• golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

• golang: syscall: faccessat checks wrong group (CVE-2022-29526)

• golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

• golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

• golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

• golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

• golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

• golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)

• golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

RHEL-8-CNV-4.12

==============

bridge-marker-container-v4.12.0-24
cluster-network-addons-operator-container-v4.12.0-24
cnv-containernetworking-plugins-container-v4.12.0-24
cnv-must-gather-container-v4.12.0-58
hco-bundle-registry-container-v4.12.0-769
hostpath-csi-driver-container-v4.12.0-30
hostpath-provisioner-container-v4.12.0-30
hostpath-provisioner-operator-container-v4.12.0-31
hyperconverged-cluster-operator-container-v4.12.0-96
hyperconverged-cluster-webhook-container-v4.12.0-96
kubemacpool-container-v4.12.0-24
kubevirt-console-plugin-container-v4.12.0-182
kubevirt-ssp-operator-container-v4.12.0-64
kubevirt-tekton-tasks-cleanup-vm-container-v4.12.0-55
kubevirt-tekton-tasks-copy-template-container-v4.12.0-55
kubevirt-tekton-tasks-create-datavolume-container-v4.12.0-55
kubevirt-tekton-tasks-create-vm-from-template-container-v4.12.0-55
kubevirt-tekton-tasks-disk-virt-customize-container-v4.12.0-55
kubevirt-tekton-tasks-disk-virt-sysprep-container-v4.12.0-55
kubevirt-tekton-tasks-modify-vm-template-container-v4.12.0-55
kubevirt-tekton-tasks-operator-container-v4.12.0-40
kubevirt-tekton-tasks-wait-for-vmi-status-container-v4.12.0-55
kubevirt-template-validator-container-v4.12.0-32
libguestfs-tools-container-v4.12.0-255
ovs-cni-marker-container-v4.12.0-24
ovs-cni-plugin-container-v4.12.0-24
virt-api-container-v4.12.0-255
virt-artifacts-server-container-v4.12.0-255
virt-cdi-apiserver-container-v4.12.0-72
virt-cdi-cloner-container-v4.12.0-72
virt-cdi-controller-container-v4.12.0-72
virt-cdi-importer-container-v4.12.0-72
virt-cdi-operator-container-v4.12.0-72
virt-cdi-uploadproxy-container-v4.12.0-71
virt-cdi-uploadserver-container-v4.12.0-72
virt-controller-container-v4.12.0-255
virt-exportproxy-container-v4.12.0-255
virt-exportserver-container-v4.12.0-255
virt-handler-container-v4.12.0-255
virt-launcher-container-v4.12.0-255
virt-operator-container-v4.12.0-255
virtio-win-container-v4.12.0-10
vm-network-latency-checkup-container-v4.12.0-89