Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector. https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241 https://pkg.go.dev/vuln/GO-2021-0061 https://github.com/go-yaml/yaml/pull/375
Created golang-gopkg-yaml tracking bugs for this issue: Affects: epel-7 [bug 2158142] Created golang-gopkg-yaml-1 tracking bugs for this issue: Affects: fedora-36 [bug 2158144] Affects: fedora-37 [bug 2158150] Created golang-gopkg-yaml-2 tracking bugs for this issue: Affects: fedora-36 [bug 2158145] Affects: fedora-37 [bug 2158152] Created golang-gopkg-yaml-3 tracking bugs for this issue: Affects: fedora-36 [bug 2158146] Affects: fedora-37 [bug 2158153] Created golang-k8s-sample-cli-plugin tracking bugs for this issue: Affects: fedora-36 [bug 2158147] Created golang-sigs-k8s-kustomize tracking bugs for this issue: Affects: fedora-36 [bug 2158148] Affects: fedora-37 [bug 2158154] Created golang-sigs-k8s-kustomize-kyaml tracking bugs for this issue: Affects: fedora-36 [bug 2158149] Created manifest-tool tracking bugs for this issue: Affects: epel-7 [bug 2158143]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2022:7398 https://access.redhat.com/errata/RHSA-2022:7398
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-4235
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2023:0570 https://access.redhat.com/errata/RHSA-2023:0570
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2023:0569 https://access.redhat.com/errata/RHSA-2023:0569
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326
This issue has been addressed in the following products: RHODF-4.13-RHEL-9 Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2023:3615 https://access.redhat.com/errata/RHSA-2023:3615