-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.8.4 bug fix and security update
Advisory ID:       RHSA-2021:2983-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2983
Issue date:        2021-08-10
CVE Names:         CVE-2021-31525 CVE-2021-33195 CVE-2021-33196 
                   CVE-2021-33197 CVE-2021-33198 CVE-2021-34558 
====================================================================
1. Summary:

Red Hat OpenShift Container Platform release 4.8.4 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.8.4. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHSA-2021:2984

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html

Security Fix(es):

* golang: net/http: panic in ReadRequest and ReadResponse when reading a
very large header (CVE-2021-31525)

* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)

* golang: archive/zip: Malformed archive may cause panic or memory
exhaustion (CVE-2021-33196)

* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)

* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

You may download the oc tool and use it to inspect release image metadata
as follows:

(For x86_64 architecture)

  $ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.8.4-x86_64

The image digest is
sha256:841535acc09ca8412cd17e8f7702eceda1cac688ccc281278f108675c30de270

(For s390x architecture)

  $ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.8.4-s390x

The image digest is
sha256:78945f4ccc4c1c7fa57762f49e63b1b0e004a0026f6efa85c0a459c777fcead1

(For ppc64le architecture)

  $ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.8.4-ppc64le

The image digest is
sha256:ad3da79ce274c6460a3b50551c54a1eb32562c5a5cec5129cb76c018b8b4dcbb

All OpenShift Container Platform 4.8 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
- -between-minor.html#understanding-upgrade-channels_updating-cluster-between
- -minor

3. Solution:

For OpenShift Container Platform 4.8 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html

Details on how to access this content are available at
- -cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1938967 - Updating baremetal-machine-controller builder & base images to be consistent with ART
1943565 - ThanosSidecarUnhealthy
1947809 - Upgrade tests should skip disruption tests on single node clusters1948021 - e2e should fail if operators set unexpected Upgradeable post install
1948629 - Add "none" / "minimal" upgrade test suites to skip disruption tests
1957222 - Add internal option for registry info
1957512 - minor regression in openshift-tests command-line options
1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
1960446 - nmstate operator doesn't handle nodes with taints
1961057 - [Driver: Gluster] tests failing in IPv6 and IPv4v6
1965503 - CVE-2021-33196 golang: archive/zip: malformed archive may cause panic or memory exhaustion
1967949 - (release-4.8) records data size is incorrectly growing when obfuscation is enabled or when there are duplicated records
1971730 - 503 Error page contains license for a vulnerable release of Bootstrap
1972478 - OLM: Failure alert message for copied CSV not helpful
1973662 - Image pruner does not use custom tolerations
1974812 - In customize create vm wizard, a warning "no registred model"
1975559 - typo in operators available
1976008 - Get invalid date when edit custom time range on monitoring dashboards
1976349 - Missing policy-group label on the openshift-console namespace manifest
1978043 - Monitoring dashboard 'Logging/Elasticsearch' isn't accessible on OCP 4.8.
1979303 - [release-4.8] CI update from 4.7 to 4.8 sticks on: EncryptionMigrationController_Error: EncryptionMigrationControllerDegraded: etcdserver: request timed out
1980136 - Binary secret data isn't properly uploaded by ui
1980302 - VNC console stays in Connecting state.
1981770 - Problematic Deployment creates infinite number Replicasets causing etcd to reach quota limit
1982221 - If loading dynamic plugin times out, the UI throws a syntax error
1982246 - Accessibility (and cypress test) issue with empty category on Operator Hub page
1982294 - OLM fails with 'ResolutionFailed' found multiple channel heads
1983247 - (release-4.8] Operator operation is not set when updating status
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1984565 - Ipv6 IP addresses are not accepted for whitelisting
1984978 - [4.8z] External gateway fails to add duplicate OVN ECMP route
1985514 - allow-from-router feature doesn't work on v6 only single stack cluster
1986026 - Manila CSI driver is not in must-gather
1986573 - [4.8z] Services sync causes too many ovn load balancer deletes
1986576 - inspect on the tuning cluster operator does not gather all tuned CRs
1986955 - CRD extensions.ConsoleNotification CRD.displays YAML editor for modifying the location of ConsoleNotification instance
1987182 - Allow Cluster-api-provider-ovirt using auto pinning new namings
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents

5. References:

https://access.redhat.com/security/cve/CVE-2021-31525
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33196
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYRJEiNzjgjWX9erEAQjEjQ/+MKM7aY5P/pjRnqgBIsBoJsSxkvxVeIOI
D11xKq5nej7yW9pkdFbVOM5d40dtwsf6IsGu05cTrt5R+M0jiHVPit1rn4rAj1ta
4gSHF0MY+Ezm5E8ArFbGo+/vT/c0Y0th+lCE90MlElapAlA2tkPKRTGcxw9Ncu3d
yoJdjles7QmWge8HBfx6H37qX498dpRjGPr85TIzE20FaGpW8W5H2rDZck8ryJEa
rba7kP2sO/JnvmbOJHG0TePcMhJTFyV1j/OgQz1k4Jnf9Zn9qgeOqjjgFAl3aKGU
rvBsYJn2/4HDpEu8vxzhhNq9TB0pwQmfsPtH5zEbHZJtYxFGhSLFtvI7x0igOymr
rVopDVMnVRBAkCxXkxoShCrtPV6sRMf8CktIbQPj2c48pdRxzt3VXyeZpfYLBkPA
oeLfOvRojgBMm609Zn8K6lKSSyn2RsqNDxRItArmp6O2ollM4Svd5f0ByfAEKQ43
STSONghXsI288EvMJrdBgddOZ1SLDaO37GpW1JjgJHzpbr5Va7/hHCfXWY9rVOzf
Ozr40jtUFrfh4Ol+5H9LYbullms//yME2Gx6EzcJAbqQHVzspMGoVfkXaqeJDBG1
cdW1IlPIKE35IetV/F6LxUOizctV3qROkGnkh880J14uP14bjhln47lMt2+wKMgd
gJkB5r/x/Cw=3oEb
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce