-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Advanced Cluster Security 3.74 for Kubernetes security update
Advisory ID:       RHSA-2023:3435-01
Product:           Red Hat Advanced Cluster Security for Kubernetes
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3435
Issue date:        2023-06-05
CVE Names:         CVE-2022-2795 CVE-2022-36227 CVE-2023-2491 
                   CVE-2023-24539 CVE-2023-24540 CVE-2023-27535 
                   CVE-2023-29400 
====================================================================
1. Summary:

An update is now available for Red Hat Advanced Cluster Security for
Kubernetes (RHACS).

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

This release of RHACS 3.74.4 includes a fix for CVE-2023-24540 by building
RHACS with updated Golang.

Security Fix(es):

* golang: html/template: improper handling of JavaScript whitespace
(CVE-2023-24540)

* golang: html/template: improper sanitization of CSS values
(CVE-2023-24539)

* golang: html/template: improper handling of empty HTML attributes
(CVE-2023-29400)

For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the links
listed in the References section.

3. Solution:

If you are using an earlier version of RHACS 3.74, you are advised to
upgrade to patch release 3.74.4.

4. Bugs fixed (https://bugzilla.redhat.com/):

2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values
2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace
2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes

5. JIRA issues fixed (https://issues.redhat.com/):

ROX-17405 - Release RHACS 3.74.4

6. References:

https://access.redhat.com/security/cve/CVE-2022-2795
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2023-2491
https://access.redhat.com/security/cve/CVE-2023-24539
https://access.redhat.com/security/cve/CVE-2023-24540
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-29400
https://access.redhat.com/security/updates/classification/#important
https://docs.openshift.com/acs/3.74/release_notes/374-release-notes.html

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZH4ju9zjgjWX9erEAQg3fRAAkO+FEfLakb0S4TU8LlX1eSmOlJ/BvldZ
MUQjwbvgowtED2JEmSITjc1SdzkWQTF3QmAKyEgLkVb35cgQVdzGykDUJA+A0ch3
1hdCG8J9nAIkLrQjlUXLXlW3QKgY9YM7ywfoI2pAdZZoJfqwVtAPNO1dQ2VqMEgp
OBGmpZZMx4UkENcQatYPrmo5NC10wyS2+poT3v5YjXEWERzSHKXy/R7DkRQ0748J
VbOZ471JAytN2k7QXfYkWyUhSWzIF+XE1M8CyQj7L4JJt8dNlVXiFtShjMDld+ok
/f2jcZufgTWm/fwGuCdJeHxhi+uwrnyT+KxblIl7h4xG/7UjgawG7x5T8qPYUjXY
GvQaLhOlPw+u1biCoyRQbPVjxB2sMhJQYCs6a9tyFn4kaNBC5GuCI05PgxoSmtn4
7elzgI7HDMvWIZ3UEWWDuRcyBIGpE76W0JLJAnbuXdkc0G31lyAlgIBHx9aNt9dw
zakxW321SnBhZcdvcpWl61Upds82qi0Pj/NSMlIrkPtJAum0LDZsczbsERJ6p9oF
V3GQh/d6ik3759EwgIjdnht5uM8JqErYkYPyhJLXvLDTJR+LZMR+29zn8d3QUm2d
OvXLWjoSa/aWi63fFCD97AfNCC7RZWj2bIaxi/j8VimwLEP4KX4roVuEB6PI6sPj
74zX1/jLbJ4=i6g4
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-3435:01 Important: Red Hat Advanced Cluster Security 3.74

An update is now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS)

Summary

This release of RHACS 3.74.4 includes a fix for CVE-2023-24540 by building RHACS with updated Golang.
Security Fix(es):
* golang: html/template: improper handling of JavaScript whitespace (CVE-2023-24540)
* golang: html/template: improper sanitization of CSS values (CVE-2023-24539)
* golang: html/template: improper handling of empty HTML attributes (CVE-2023-29400)
For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the links listed in the References section.



Summary


Solution

If you are using an earlier version of RHACS 3.74, you are advised to upgrade to patch release 3.74.4.

References

https://access.redhat.com/security/cve/CVE-2022-2795 https://access.redhat.com/security/cve/CVE-2022-36227 https://access.redhat.com/security/cve/CVE-2023-2491 https://access.redhat.com/security/cve/CVE-2023-24539 https://access.redhat.com/security/cve/CVE-2023-24540 https://access.redhat.com/security/cve/CVE-2023-27535 https://access.redhat.com/security/cve/CVE-2023-29400 https://access.redhat.com/security/updates/classification/#important https://docs.openshift.com/acs/3.74/release_notes/374-release-notes.html

Package List


Severity
Advisory ID: RHSA-2023:3435-01
Product: Red Hat Advanced Cluster Security for Kubernetes
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3435
Issued Date: : 2023-06-05
CVE Names: CVE-2022-2795 CVE-2022-36227 CVE-2023-2491 CVE-2023-24539 CVE-2023-24540 CVE-2023-27535 CVE-2023-29400

Topic

An update is now available for Red Hat Advanced Cluster Security forKubernetes (RHACS).Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values

2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace

2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes

5. JIRA issues fixed (https://issues.redhat.com/):

ROX-17405 - Release RHACS 3.74.4


Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved