RedHat: RHSA-2022-6290-01 Moderate: OpenShift API Data Protection Issues

September 1, 2022
This update to OpenShift API for Data Protection (OADP) fixes a range of vulnerabilities. Details of the changes and their impact follow.
OpenShift API for Data Protection (OADP) 1.1.0 is now available.

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.
Security Fix(es) from Bugzilla:
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
* prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)
* golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327)
* golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

References

https://access.redhat.com/security/cve/CVE-2021-3634
https://access.redhat.com/security/cve/CVE-2021-40528
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-24675
https://access.redhat.com/security/cve/CVE-2022-25313
https://access.redhat.com/security/cve/CVE-2022-25314
https://access.redhat.com/security/cve/CVE-2022-26691
https://access.redhat.com/security/cve/CVE-2022-28327
https://access.redhat.com/security/cve/CVE-2022-29154
https://access.redhat.com/security/cve/CVE-2022-29824
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/updates/classification/#moderate

Package List


Advisory ID: RHSA-2022:6290-01
Product: OpenShift API for Data Protection
Issue date: 2022-09-01

Topic

OpenShift API for Data Protection (OADP) 1.1.0 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter

2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode

2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar

2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add

2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

OADP-145 - Restic Restore stuck on InProgress status when app is deployed with DeploymentConfig

OADP-154 - Ensure support for backing up resources based on different label selectors

OADP-194 - Remove the registry dependency from OADP

OADP-199 - Enable support for restore of existing resources

OADP-224 - Restore silently ignore resources if they exist - restore log not updated

OADP-225 - Restore doesn't update velero.io/backup-name when a resource is updated

OADP-234 - Implementation of incremental restore

OADP-324 - Add label to Expired backups failing garbage collection

OADP-382 - 1.1: Update downstream OLM channels to support different x and y-stream releases

OADP-422 - [GCP] An attempt of snapshoting volumes on CSI storageclass using Velero-native snapshots fails because it's unable to find the zone

OADP-423 - CSI Backup is not blocked and does not wait for snapshot to complete
