-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 4.8.2 Images security and bug fix update
Advisory ID:       RHSA-2021:3598-01
Product:           cnv
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3598
Issue date:        2021-09-21
CVE Names:         CVE-2021-3609 CVE-2021-22543 CVE-2021-22555 
                   CVE-2021-27218 CVE-2021-33195 CVE-2021-33197 
                   CVE-2021-33198 CVE-2021-34558 CVE-2021-37576 
                   CVE-2021-38201 CVE-2021-38575 
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 4.8.2 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for
Red Hat OpenShift Container Platform.

This advisory contains the following OpenShift Virtualization 4.8.2 images:

RHEL-8-CNV-4.8
==============
kubevirt-vmware-container-v4.8.2-1
node-maintenance-operator-container-v4.8.2-1
bridge-marker-container-v4.8.2-1
kubemacpool-container-v4.8.2-1
virtio-win-container-v4.8.2-1
kubevirt-v2v-conversion-container-v4.8.2-1
hostpath-provisioner-container-v4.8.2-1
kubernetes-nmstate-handler-container-v4.8.2-1
cluster-network-addons-operator-container-v4.8.2-1
cnv-containernetworking-plugins-container-v4.8.2-1
hyperconverged-cluster-operator-container-v4.8.2-2
hostpath-provisioner-operator-container-v4.8.2-1
ovs-cni-marker-container-v4.8.2-1
hyperconverged-cluster-webhook-container-v4.8.2-2
ovs-cni-plugin-container-v4.8.2-1
kubevirt-template-validator-container-v4.8.2-2
kubevirt-ssp-operator-container-v4.8.2-2
cnv-must-gather-container-v4.8.2-3
vm-import-virtv2v-container-v4.8.2-4
vm-import-operator-container-v4.8.2-4
vm-import-controller-container-v4.8.2-4
virt-cdi-cloner-container-v4.8.2-2
virt-cdi-controller-container-v4.8.2-2
virt-cdi-operator-container-v4.8.2-2
virt-cdi-uploadproxy-container-v4.8.2-2
virt-cdi-uploadserver-container-v4.8.2-2
virt-cdi-apiserver-container-v4.8.2-2
virt-cdi-importer-container-v4.8.2-2
virt-launcher-container-v4.8.2-5
virt-api-container-v4.8.2-5
virt-handler-container-v4.8.2-5
virt-controller-container-v4.8.2-5
virt-operator-container-v4.8.2-5
hco-bundle-registry-container-v4.8.2-17

Security Fix(es):

* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)

* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)

* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://docs.openshift.com/container-platform/4.8/virt/upgrading-virt.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1953485 - [CNV-2.5] Manifests in openshift-cnv missing resource requirements - SSP
1957791 - [MTV][Warm] The migrated VM on target side should be powered off/on accordingly to the source VM's last power state during warm migration
1972819 - Failed, Pending and Scheduling VMs can not be stopped
1982143 - [RFE] volumeSnapshotStatuses reason does not check for volume type that do not support snapshots
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1990065 - [4.8.2][network] CNV Daemonsets have maxUnavailable set to 1 which leads to very slow upgrades on large clusters
1991460 - Cannot get 'write' permission without 'resize': Image size is not a multiple of request alignment'
1993122 - Rhel9 templates - provider-url should be updated to https://www.redhat.com/
1995050 - RHEL9 template - support level and description should be updated
1996110 - cdi importer fails for a CirrOS VM import to NFS (but not to Cepf-rbd/block)
1996660 - [4.8] Goroutine count and memory remains high after VMIs are removed
1997668 - [v2v] VM import from RHV should not be blocked for a non UTC Timezone.
1998818 - virt-handler Pod is missing xorrisofs command
1998983 - 4.8.2 containers
2000021 - [VMIO][RHV VM Import] 63 long char VM Name with more than 1 Disk results in DataVolumeCreationFailed
2001038 - Importer attempts to shrink an image in certain situations
2001069 - [4.8.z] Automatic size detection may not request a PVC that is large enough for an import

5. References:

https://access.redhat.com/security/cve/CVE-2021-3609
https://access.redhat.com/security/cve/CVE-2021-22543
https://access.redhat.com/security/cve/CVE-2021-22555
https://access.redhat.com/security/cve/CVE-2021-27218
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-37576
https://access.redhat.com/security/cve/CVE-2021-38201
https://access.redhat.com/security/cve/CVE-2021-38575
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYUm9jNzjgjWX9erEAQj5ERAAlwei+1rByD0NbOnsl6V/N8336joQgWAw
YTaHbCzYC7188JJ2ucnup1wmPhjk1mWFzUGI+7GLNjnCAaBy3Eg3w5ZI86H1G7T6
0q3TOmTU8ezyr6JMryiw1v4aambVtB8g1K7XjNVQnKhKyJtsx7iuagyg9QMbVknU
i2uRANE/7GgL0Yv6jwPSgNjzArhW9TosXVfg+oYY9MQ8fAZyhdXxZKRnwwe0lHVk
NMwPppumF80lvraU/HwcYlkQrc9It5F62fm0NOvyvY0J3+V55+yeb5UeiBMeyFK4
++HIcxtktf/X7dBAfUkeqPoVYX/MkHxHCaYbEnXyVNK9m/8Z9HWOzzJ6YgFGZ7hE
FNnKyGG1ZXcOmWHZ2UBoVFOMLGcf907o6oaC6p3AfX6LVPTRb8E8Df7TS0TP3miS
BQmq+UnJG6mnO0xHtxmS+WJ1lh51LVaczJuMUHgpGOn8pCVkQIH4jx2tmSVkZN6O
0jOcW2Lg1YGX6Byfz9jcjaG2pRXGeos/JVJKEeWOVtiJcFQFRgEUNxJpeothOqi5
Dr1hJbtn/Ts4E8jDw3IrjfvjPC7f+IBU67fcT4FXHklkaYchZKLteaIAEMoy+w6h
GMxVU+aohcvVSfIXv6hi4S8hM6HAxEdklwX7nUP2AsjGDDS1ZKFZz/EleItz45MF
E1MQ2NdfNNY=
=vkzK
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce