Red Hat Security Advisory RHSA-2023:1529
Published: Mar 30, 2023, 12:41 a.m.

(RHSA-2023:1529) Moderate: Service Telemetry Framework 1.5 security update

2023-03-30 00:41:11
access.redhat.com
Tags: service telemetry framework, stf, golang, security update, vulnerabilities
CVEs: CVE-2022-23806, CVE-2022-23772, CVE-2022-23773, CVE-2022-24675, CVE-2022-28327, CVE-2022-29526, CVE-2022-30631, CVE-2022-30630, CVE-2022-1705, CVE-2022-30632, CVE-2022-27664, CVE-2022-41715, CVE-2022-41717, CVE-2022-30629, CVE-2022-32189

CVSS v2: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: COMPLETE

CVSS v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: HIGH

EPSS: 0.006 (percentile 78.9%)

Note: Red Hat rates this advisory Moderate. The CVSS vectors above are the most severe of those assigned to the bundled golang CVEs (the 9.1 v3.1 vector matches NVD's vector for CVE-2022-23806), not a rating of STF itself; EPSS is likewise computed per CVE, and the single figure shown is the aggregator's roll-up.

Service Telemetry Framework (STF) provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform (OCP) deployment for storage, retrieval, and monitoring.

Security Fix(es):

  • golang: crypto/elliptic: IsOnCurve returns true for invalid field elements (CVE-2022-23806)

  • golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString (CVE-2022-23772)

  • golang: cmd/go: misinterpretation of branch names can lead to incorrect access control (CVE-2022-23773)

  • golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

  • golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)

  • golang: syscall: faccessat checks wrong group (CVE-2022-29526)

  • golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

  • golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

  • golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

  • golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

  • golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

  • golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

  • golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

  • golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)

  • golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189)
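Two of the fixes above (CVE-2022-23806 and CVE-2022-28327) are input-validation failures in crypto/elliptic: IsOnCurve accepted coordinates that were not reduced modulo p, and ScalarMult panicked on an oversized scalar. Upgrading Go is the fix; the example below, added here and not part of the advisory or of STF, shows the checks an application should perform on an untrusted public-key point and scalar before handing them to crypto/elliptic, so that it is safe regardless of the toolchain it was built with. The CheckPoint and CheckScalar names, and the use of P-256, are this example's own choices; on a patched Go the standard library's IsOnCurve already rejects the out-of-range point, which the main function shows.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// ErrBadInput is wrapped by every rejection so callers can test for it.
var ErrBadInput = errors.New("ec: input rejected")

// CheckPoint validates an affine point before it is used for ECDH or ECDSA.
// It enforces what CVE-2022-23806 showed IsOnCurve alone did not: both
// coordinates must be canonical field elements in [0, p) before the curve
// equation is evaluated. (0, 0), Go's encoding of the point at infinity, is
// rejected as well since it is never a valid public key.
func CheckPoint(curve elliptic.Curve, x, y *big.Int) error {
	if x == nil || y == nil {
		return fmt.Errorf("%w: nil coordinate", ErrBadInput)
	}
	p := curve.Params().P
	if x.Sign() < 0 || x.Cmp(p) >= 0 || y.Sign() < 0 || y.Cmp(p) >= 0 {
		return fmt.Errorf("%w: coordinate outside [0, p)", ErrBadInput)
	}
	if x.Sign() == 0 && y.Sign() == 0 {
		return fmt.Errorf("%w: point at infinity", ErrBadInput)
	}
	if !curve.IsOnCurve(x, y) {
		return fmt.Errorf("%w: not on curve", ErrBadInput)
	}
	return nil
}

// CheckScalar rejects a scalar that is empty, longer than the curve order,
// zero, or not below the order. An over-long scalar is the input class behind
// the ScalarMult panic in CVE-2022-28327 on a vulnerable Go.
func CheckScalar(curve elliptic.Curve, k []byte) error {
	n := curve.Params().N
	if len(k) == 0 || len(k) > (n.BitLen()+7)/8 {
		return fmt.Errorf("%w: scalar length %d", ErrBadInput, len(k))
	}
	v := new(big.Int).SetBytes(k)
	if v.Sign() == 0 || v.Cmp(n) >= 0 {
		return fmt.Errorf("%w: scalar not in [1, n-1]", ErrBadInput)
	}
	return nil
}

func main() {
	c := elliptic.P256()
	g := c.Params()
	// Constructed malicious input: the generator's x shifted by p. Its value
	// mod p is on the curve, but it is not a canonical field element.
	shifted := new(big.Int).Add(g.Gx, g.P)
	fmt.Println("generator:      ", CheckPoint(c, g.Gx, g.Gy))
	fmt.Println("x+p (wrapper):  ", CheckPoint(c, shifted, g.Gy))
	fmt.Println("x+p (stdlib):   ", c.IsOnCurve(shifted, g.Gy))
	fmt.Println("33-byte scalar: ", CheckScalar(c, make([]byte, 33)))
}
```

Run the check at the trust boundary (TLS handshake code, JWK or DER decoding, any place a peer's point is parsed), not deep inside the signing path, so a rejection surfaces as a protocol error rather than a panic.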

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section of the advisory on access.redhat.com.
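Every fix in this advisory lives in the Go toolchain, so the practical question for an STF operator is which Go each shipped binary was built with. The example below, added here and not part of the advisory or of STF, reads the build information that Go 1.18+ embeds in binaries (debug/buildinfo) and compares the toolchain against the upstream releases that carry all of the listed fixes. The 1.18.9 / 1.19.4 thresholds are taken from the Go release notes for CVE-2022-41717, the last of the listed CVEs to be fixed, not from this page; the function names are this example's own.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

type goVersion struct{ major, minor, patch int }

// Upstream releases containing every fix listed in RHSA-2023:1529. The last
// one, CVE-2022-41717, landed in Go 1.18.9 and 1.19.4 (assumption from the
// Go release notes; later minor lines shipped with the fix already in).
var minFixed = []goVersion{{1, 18, 9}, {1, 19, 4}}

var versionRE = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// ParseGoVersion parses "go1.19.4", "go1.20" or "go1.21rc1" (pre-release tags
// parse as patch 0) and tolerates a trailing build annotation.
func ParseGoVersion(s string) (goVersion, bool) {
	m := versionRE.FindStringSubmatch(s)
	if m == nil {
		return goVersion{}, false
	}
	maj, _ := strconv.Atoi(m[1])
	mnr, _ := strconv.Atoi(m[2])
	patch := 0
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return goVersion{maj, mnr, patch}, true
}

func (v goVersion) less(w goVersion) bool {
	if v.major != w.major {
		return v.major < w.major
	}
	if v.minor != w.minor {
		return v.minor < w.minor
	}
	return v.patch < w.patch
}

// Patched reports whether a toolchain version string carries all the fixes:
// within a fixed minor line it must be at or past that line's fixed patch;
// older lines (go1.17.x) never received the fix; newer lines always have it.
func Patched(ver string) (bool, error) {
	v, ok := ParseGoVersion(ver)
	if !ok {
		return false, fmt.Errorf("unrecognised Go version %q", ver)
	}
	for _, f := range minFixed {
		if v.major == f.major && v.minor == f.minor {
			return !v.less(f), nil
		}
	}
	return !v.less(minFixed[len(minFixed)-1]), nil
}

// CheckBinary reads the embedded build info of a Go binary on disk and returns
// its toolchain version together with the patched verdict.
func CheckBinary(path string) (string, bool, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	ok, err := Patched(bi.GoVersion)
	return bi.GoVersion, ok, err
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <binary>...")
		os.Exit(2)
	}
	exit := 0
	for _, path := range os.Args[1:] {
		ver, ok, err := CheckBinary(path)
		switch {
		case err != nil:
			fmt.Printf("%s: %v\n", path, err)
			exit = 2
		case ok:
			fmt.Printf("%s: %s (fixed toolchain)\n", path, ver)
		default:
			fmt.Printf("%s: %s (toolchain predates the fixes; rebuild or update)\n", path, ver)
			exit = 1
		}
	}
	os.Exit(exit)
}
```

Run it against the Go binaries inside each STF container image you deploy. Two caveats: binaries built with Go older than 1.18 carry no build info and are reported as an error, which for this advisory means vulnerable; and Red Hat backports security fixes into its golang packages without bumping the version string, so a Red Hat-built binary that reports an older toolchain may already be fixed. For those, the errata for the golang package or the image tag named in the advisory is authoritative, and this check is only a first screen.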
