Bug 1954368 (CVE-2021-29482)
Summary: | CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | adam.kaplan, alazar, alitke, aos-bugs, aos-install, bbennett, bdettelb, bmontgom, bthurber, cnv-qe-bugs, dbecker, dwalsh, dwhatley, dymurray, eparis, fdeutsch, gghezzo, gparvin, ibolton, jburrell, jerzhang, jhrozek, jjoyce, jmatthew, jmontleo, jokerman, josorior, jramanat, jschluet, jweiser, jwendell, kconner, lgamliel, lhh, lpeer, mburns, mfilanov, mrogers, nstielau, pdhamdhe, phoracek, rcernich, rfreiman, rhos-maint, rphillips, sclewis, sejug, shardy, slinaber, slucidi, sponnaga, sseago, stcannon, stirabos, thee, tomckay, tsweeney, twalsh, whayutin, xiyuan |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | github.com/ulikunitz/xz 0.5.8 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in github.com/ulikunitz/xz. The function readUvarint may not terminate a loop, which could lead to denial of service (DoS). | | |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-07-28 19:06:53 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1958929, 1955059, 1955060, 1955061, 1955062, 1955063, 1955064, 1955065, 1955066, 1955067, 1961123, 1961124, 1961125, 1961126, 1961127, 1961128, 1961318, 1961319, 2032712, 2032713, 2032714 | ||
Bug Blocks: | 1954369 |
Description
Sam Fowler
2021-04-28 02:35:47 UTC
Statement: In OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) the affected components are behind OpenShift OAuth authentication, therefore the impact is low. In OCP before 4.7 the buildah, skopeo and podman packages include a vulnerable version of github.com/ulikunitz/xz, but these OCP releases are already in the Maintenance Phase of support, hence affected components are marked as wontfix. This may be fixed in the future.

This issue has been addressed in the following products:

RHEL-8-CNV-4.8

Via RHSA-2021:2920 https://access.redhat.com/errata/RHSA-2021:2920

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-29482

This issue has been addressed in the following products:

Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

This issue has been addressed in the following products:

OADP-1.0-RHEL-8

Via RHSA-2022:0687 https://access.redhat.com/errata/RHSA-2022:0687

This issue has been addressed in the following products:

OpenShift Service Mesh 2.0

Via RHSA-2022:1276 https://access.redhat.com/errata/RHSA-2022:1276

This issue has been addressed in the following products:

Red Hat OpenStack Platform 16.2

Via RHSA-2022:2183 https://access.redhat.com/errata/RHSA-2022:2183
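The Doc Text above describes the flaw only as a loop in readUvarint that may not terminate. As an added illustration, not the library's own code nor the fix shipped in github.com/ulikunitz/xz 0.5.8, the reader below bounds a base-128 varint loop at the ten bytes a uint64 can ever need and fails on input that keeps the continuation bit set; the names readUvarintBounded and continuationStream and the sample bytes are assumptions made here.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// maxUvarintLen64 is the most bytes a base-128 varint can need for a
// uint64: ten 7-bit groups cover 70 bits, so an eleventh byte is never valid.
const maxUvarintLen64 = 10

// ErrUvarintOverflow: input did not end within 10 bytes or exceeds 64 bits.
var ErrUvarintOverflow = errors.New("uvarint: more than 10 bytes or 64 bits")

// readUvarintBounded decodes a little-endian base-128 varint from r. The loop
// is bounded by a byte count, not by "until a byte without bit 7 shows up",
// so a stream that never clears the continuation bit returns an error.
func readUvarintBounded(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; i < maxUvarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return 0, err // truncated input surfaces as io.EOF
		}
		if b < 0x80 {
			// Final byte: the tenth one may only carry bit 63.
			if i == maxUvarintLen64-1 && b > 1 {
				return 0, ErrUvarintOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return 0, ErrUvarintOverflow
}

// continuationStream is a constructed reader whose every byte has bit 7 set.
type continuationStream struct{}

func (continuationStream) ReadByte() (byte, error) { return 0xff, nil }

func main() {
	v, err := readUvarintBounded(bytes.NewReader([]byte{0xe5, 0x8e, 0x26}))
	fmt.Println(v, err) // 624485 <nil>
	_, err = readUvarintBounded(continuationStream{})
	fmt.Println(err) // uvarint: more than 10 bytes or 64 bits
}
```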