Threats Tagged 'cve-2024-55565'
View all threats tagged with 'cve-2024-55565'. Filter and sort to focus on specific types of threats.
Red Hat Security Advisory: New container image: rhceph-9.0 | CVE-2024-55565 | 0

The Red Hat Storage Ceph container images are based on the latest ubi9 base image and Ceph 9.0. This release updates to the latest version.

GCVE Database | 06/16/2026, 16:32:52 UTC | Added: 06/02/2026, 21:43:59 UTC

Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update | CVE-2024-11407 | 0

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Security Fix(es):
* automation-controller: Potential SQL injection in HasKey(lhs, rhs) on Oracle (CVE-2024-53908)
* automation-controller: Potential denial-of-service in django.utils.html.strip_tags() (CVE-2024-53907)
* automation-controller: Denial of Service through Data corruption in gRPC-C++ (CVE-2024-11407)
* automation-gateway: nanoid mishandles non-integer values (CVE-2024-55565)
* python3.11-aiohttp: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions (CVE-2024-52304)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Updates and fixes included:

Platform
* Fixed 'not found' error that occurred occasionally when navigating form wizards (AAP-37495)
* Fixed an issue where ID_KEY attribute was improperly used to determine the username field in social auth pipelines (AAP-38300)
* Fixed an issue where the X-DAB-JW-TOKEN header message would flood logs (AAP-38169)
* Fixed an issue where authenticator could create a userid and return a non-viable authenticator_uid (AAP-38021)
* Enhanced the status API, /api/gateway/v1/status/, from the services property within the JSON to an array (AAP-37903)
* Fixes an issue where a private key was displayed in plain text when downloading the OpenAPI schema file. NOTE: This was not the private key used by gateway, just a random default key (AAP-37843)

Automation controller
* Added 'job_lifecycle' as a choice in loggers to send externally and added 'organization_id' field to logs related to a job (AAP-37537)
* Fixed date comparison mismatch for traceback from 'host_metric_summary_monthly' task (AAP-37487)
* Fixed scheduled jobs with count set to a non-zero value to no longer run unexpectedly (AAP-37290)
* Fixed the POST operation to '/api/controller/login/' via gateway to no longer result in a fatal error (AAP-37235)
* Fixed the behavior of the project's 'requirements.yml' to no longer revert to a prior state in a cluster (AAP-37228)
* Fixed occasional error while creating event partition table before starting a job, when lots of jobs are launched quickly (AAP-37227)
* Fixed the named URL to no longer return a 404 error code while launching a job template (AAP-37025)
* Updated receptor to clean up temporary receptor files after a job completes on nodes (AAP-36904)
* Fixed the POST operation to '/api/controller/login/' via gateway to no longer result in a fatal error (AAP-33911)
* automation-controller has been updated to 4.6.6

Container-based Ansible Automation Platform
* Fixed an issue where the provided inventory file sample for growth inventories could cause the installation to stall on low resource systems (AAP-38372)
* Fixed an issue where the throttle capacity of controller in growth topology installation would allow for performance degradation (AAP-38207)
* Fixed an issue where the receptor TLS certificate content was not validated during the preflight role execution ensuring that the x509 Subject Alt Name (SAN) field contains the required ISO Object Identifier (OID) (AAP-37880)
* TLS certificate and key files are now validated during the preflight role execution (AAP-37845)
* Fixed an issue where the Postgresql SSL mode variables were not validated during the preflight role execution (AAP-37352)
* containerized installer setup has been updated to 2.5-8

RPM-based Ansible Automation Platform
* Fixed an issue where adding a new automation hub host to upgraded environment has caused the installation to fail (AAP-38204)
* Fixed an issue where the link to the documents in the installer README.md was broken (AAP-37627)
* Updated nginx configuration to properly return API status for Event-Driven Ansible event stream service (AAP-32816)
* ansible-automation-platform-installer and installer setup have been updated to 2.5-7

Additional changes:
* Installing ansible-core no longer installs python3-jmespath on RHEL 8 (AAP-18251)
* ansible-core has been updated to 2.16.14-2
* automation-gateway has been updated to 2.5.20250115
* python3.11-aiohttp has been updated to 3.10.11 along with its dependencies
* python3.11-django-ansible-base has been updated to 2.5.20250115
* python3.11-galaxy-importer has been updated to 0.4.27
* python3.11-pulpcore has been updated to 3.49.29

GCVE Database | 01/15/2025, 16:54:28 UTC | Added: 06/02/2026, 21:43:58 UTC

Red Hat Security Advisory: OpenShift Container Platform 4.17.15 security and extras update | CVE-2024-21538 | 0

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.17.15. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHSA-2025:0876

Security Fix(es):
* golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html (CVE-2024-45338)
* body-parser: Denial of Service Vulnerability in body-parser (CVE-2024-45590)
* dompurify: DOMPurify vulnerable to tampering by prototype pollution (CVE-2024-48910)
* jinja2: Jinja has a sandbox breakout through malicious filenames (CVE-2024-56201)
* express: Improper Input Handling in Express Redirects (CVE-2024-43796)
* send: Code Execution Vulnerability in Send Library (CVE-2024-43799)
* serve-static: Improper Sanitization in serve-static (CVE-2024-43800)
* path-to-regexp: Backtracking regular expressions cause ReDoS (CVE-2024-45296)
* path-to-regexp: path-to-regexp Unpatched `path-to-regexp` ReDoS in 0.1.x (CVE-2024-52798)
* nanoid: nanoid mishandles non-integer values (CVE-2024-55565)
* jinja2: Jinja has a sandbox breakout through indirect reference to format method (CVE-2024-56326)
* cross-spawn: regular expression denial of service (CVE-2024-21538)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.17 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.17/updating/updating_a_cluster/updating-cluster-cli.html

GCVE Database | 01/08/2025, 10:04:05 UTC | Added: 05/28/2026, 22:15:03 UTC

Red Hat Security Advisory: Logging for Red Hat OpenShift - 6.0.6 | CVE-2024-45338 | 0

Logging for Red Hat OpenShift - 6.0.6

lokistack-gateway-container: Go JOSE's Parsing Vulnerable to Denial of Service (CVE-2025-27144)
logging-loki-container: Non-linear parsing of case-insensitive content in golang.org/x/net/html (CVE-2024-45338)

GCVE Database | 03/26/2025, 17:34:00 UTC | Added: 05/26/2026, 20:58:49 UTC

Red Hat Security Advisory: OpenShift Container Platform 4.14.57 bug fix and security update | CVE-2024-45337 | 0

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.57. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHBA-2025:16163

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html/release_notes/

Security Fix(es):
* golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto (CVE-2024-45337)
* golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh (CVE-2025-22869)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.14/html-single/updating_clusters/index#updating-cluster-cli.

GCVE Database | 09/25/2025, 04:42:04 UTC | Added: 05/26/2026, 20:58:29 UTC

Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.3.7 security and bug fix update | CVE-2024-45338 | 0

OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

Security Fix(es) from Bugzilla:
* golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html (CVE-2024-45338)
* golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws (CVE-2025-22868)
* golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing (CVE-2025-30204)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

GCVE Database | 06/25/2025, 14:06:29 UTC | Added: 05/26/2026, 20:58:24 UTC