An attacker can craft an input to ParseFragment that would cause it to enter an infinite loop and never return.

References:
https://github.com/golang/go/issues/46288
https://groups.google.com/g/golang-dev/c/28x0nthP-c8/m/KqWVTjsnBAAJ
Created etcd tracking bugs for this issue:

Affects: openstack-rdo [bug 1963235]

Created golang tracking bugs for this issue:

Affects: epel-all [bug 1963233]
Affects: fedora-all [bug 1963234]
Upstream patch: https://go-review.googlesource.com/c/net/+/311090/
For anybody else looking at this, I've chosen to close ours WONTFIX due to:

$ go mod why golang.org/x/net/html
# golang.org/x/net/html
k8s.io/cloud-provider-openstack/tests/e2e/csi/cinder
github.com/onsi/gomega
github.com/onsi/gomega/matchers
golang.org/x/net/html/charset
golang.org/x/net/html

We're only pulling this dependency in at all because of a gomega matcher we're not using. Our components don't parse html.
Updating buildah RHEL affects to 'notaffected' as the vulnerable code is not shipped with the product, just used in testing.
This issue has been addressed in the following products:

Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33194
Hi folks, where can we find the status of the fix for previous versions of OpenShift 4?
Can anyone tell me whether CVE-2021-33194 has been fixed for OpenShift 4.7 and 4.6, and if so which security errata it's documented in? I can't see any updated details on https://access.redhat.com/security/cve/cve-2021-33194, only that OpenShift v4 is still affected.
(In reply to Rachel A from comment #25)
> Can anyone tell me whether CVE-2021-33194 has been fixed for OpenShift
> 4.7 and 4.6, and if so which security errata it's documented in? I can't see
> any updated details on
> https://access.redhat.com/security/cve/cve-2021-33194, only that OpenShift
> v4 is still affected

CVE-2021-33194 has been classified as a Moderate impact flaw and therefore it won't be addressed in OpenShift (OCP) 4.7 and 4.6 (both these releases are already in the maintenance support phase). This vulnerability doesn't directly impact the majority of OCP components, because even if golang.org/x/net/html is imported (usually as a dependency) it's not used in the OCP components (the impacted functions are not used). Future releases of OCP will use a new version of Go and will also import a fixed version of golang.org/x/net/html. In case of further questions please contact the Red Hat Product Security team <secalert>.
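The comments above boil down to one question per component: does it actually call the affected parser on untrusted input? For a component that does, and that cannot pick up the fixed golang.org/x/net/html immediately, the practical damage limit for a non-terminating parse is to bound how long a request waits and how many parses may be stuck at once. The following is an added example written for this thread, not code from the bug report, from Red Hat, or from the Go project. `Guard`, `hangingParse`, `ErrParseTimeout` and `ErrParserSaturated` are hypothetical names; `hangingParse` is a stand-in that imitates a parser which never returns, triggered by the constructed marker input "HANG" rather than by any real ParseFragment input.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// ErrParseTimeout is returned when the parser does not finish within the deadline.
var ErrParseTimeout = errors.New("html parse exceeded deadline")

// ErrParserSaturated is returned when every in-flight slot is held, typically
// because earlier parses never returned and are still occupying their slots.
var ErrParserSaturated = errors.New("html parser saturated; rejecting request")

// hangingParse is a hypothetical stand-in for a parser with a non-terminating
// code path. It is NOT the real parser: it loops forever only on the constructed
// marker input "HANG" and otherwise returns the number of bytes it consumed.
func hangingParse(input string) (int, error) {
	if input == "HANG" {
		for {
			time.Sleep(time.Millisecond) // spin without burning a core
		}
	}
	return len(input), nil
}

type result struct {
	n   int
	err error
}

// Guard bounds both the latency of a single parse call and the number of
// parses that may be in flight (including ones that are stuck) at any time.
type Guard struct {
	timeout time.Duration
	slots   chan struct{} // one token per permitted in-flight parse
	parse   func(string) (int, error)
}

// NewGuard wraps parse with a per-call deadline and a maxInFlight limit.
func NewGuard(parse func(string) (int, error), timeout time.Duration, maxInFlight int) *Guard {
	return &Guard{timeout: timeout, slots: make(chan struct{}, maxInFlight), parse: parse}
}

// Parse runs the wrapped parser in its own goroutine. The caller's wait is
// bounded by the deadline, but a Go goroutine cannot be killed: a parser that
// never returns keeps its slot forever. Once all slots are held, further calls
// are refused instead of leaking yet another stuck goroutine. This limits the
// blast radius per process; it does not replace upgrading the library.
func (g *Guard) Parse(ctx context.Context, input string) (int, error) {
	select {
	case g.slots <- struct{}{}: // slot acquired
	default:
		return 0, ErrParserSaturated
	}

	ctx, cancel := context.WithTimeout(ctx, g.timeout)
	defer cancel()

	ch := make(chan result, 1) // buffered so the goroutine can always send and exit
	go func() {
		n, err := g.parse(input)
		<-g.slots // release the slot only when the parser really returned
		ch <- result{n: n, err: err}
	}()

	select {
	case r := <-ch:
		return r.n, r.err
	case <-ctx.Done():
		return 0, ErrParseTimeout
	}
}

func main() {
	g := NewGuard(hangingParse, 50*time.Millisecond, 2)
	for _, in := range []string{"<p>hello</p>", "HANG", "HANG", "<p>hello</p>"} {
		n, err := g.Parse(context.Background(), in)
		fmt.Printf("input=%q consumed=%d err=%v\n", in, n, err)
	}
}
```

Running `main` shows the sequence a service would see: a normal input parses, two stuck parses each return `ErrParseTimeout` after the deadline, and the fourth call is refused with `ErrParserSaturated` because both slots are still held. Monitoring that saturation error (or the slot occupancy) is also a cheap signal that the vulnerable path is being hit in production.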
This issue has been addressed in the following products:

Red Hat OpenShift Container Platform 4.9

Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759
This issue has been addressed in the following products:

OpenShift Logging 5.3

Via RHSA-2021:4627 https://access.redhat.com/errata/RHSA-2021:4627