-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Advanced Cluster Management 2.6.0 security updates and bug fixes
Advisory ID:       RHSA-2022:6370-01
Product:           Red Hat ACM
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6370
Issue date:        2022-09-06
CVE Names:         CVE-2022-1012 CVE-2022-1292 CVE-2022-1586 
                   CVE-2022-1705 CVE-2022-1785 CVE-2022-1897 
                   CVE-2022-1927 CVE-2022-1962 CVE-2022-2068 
                   CVE-2022-2097 CVE-2022-2526 CVE-2022-28131 
                   CVE-2022-29154 CVE-2022-30629 CVE-2022-30630 
                   CVE-2022-30631 CVE-2022-30632 CVE-2022-30633 
                   CVE-2022-30635 CVE-2022-31129 CVE-2022-32148 
                   CVE-2022-32206 CVE-2022-32208 CVE-2022-32250 
====================================================================
1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.6.0 General
Availability release images, which fix security issues and bugs.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.6.0 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix security issues and several bugs. See
the following Release Notes documentation, which will be updated shortly
for this release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/

Security fixes: 

* CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS

* CVE-2022-30629 golang: crypto/tls: session tickets lack random
ticket_age_add

* CVE-2022-1705 golang: net/http: improper sanitization of
Transfer-Encoding header

* CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions

* CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip

* CVE-2022-30630 golang: io/fs: stack exhaustion in Glob

* CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

* CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob

* CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

* CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode

* CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy -
omit X-Forwarded-For not working
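
The last item above concerns how httputil.ReverseProxy treats the X-Forwarded-For header. The Go program below is an added example for this advisory, not Red Hat's or the Go project's code: it stands up a recording backend and a single-host reverse proxy with the httptest package and compares what the backend receives when the Director leaves the header alone with what it receives when the Director sets the header to nil, which is the documented way to suppress it. On a Go toolchain carrying the fix (1.17.12 / 1.18.4 or later) the nil assignment means no X-Forwarded-For header reaches the backend; on an unpatched toolchain the proxy still set the header to the client IP, which is the behaviour CVE-2022-32148 describes. The functions newProxy and forwardedFor and the 203.0.113.7 address are constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// newProxy returns a single-host reverse proxy for target. With omitXFF set,
// the Director assigns nil to X-Forwarded-For, the documented way to tell
// ReverseProxy not to populate the header. On toolchains without the fix for
// CVE-2022-32148 (before Go 1.17.12 / 1.18.4) the nil value was lost and the
// client IP was written into the header anyway.
func newProxy(target *url.URL, omitXFF bool) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(target)
	base := proxy.Director
	proxy.Director = func(req *http.Request) {
		base(req)
		if omitXFF {
			req.Header["X-Forwarded-For"] = nil
		}
	}
	return proxy
}

// forwardedFor runs one request through a proxy in front of a recording
// backend and returns the X-Forwarded-For value the backend received, or ""
// when the header was absent. clientXFF, if non-empty, is the value the
// client itself sends, i.e. what an untrusted party could spoof.
func forwardedFor(omitXFF bool, clientXFF string) (string, error) {
	seen := make(chan string, 1)
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get("X-Forwarded-For")
		w.WriteHeader(http.StatusNoContent)
	}))
	defer backend.Close()

	target, err := url.Parse(backend.URL)
	if err != nil {
		return "", err
	}
	front := httptest.NewServer(newProxy(target, omitXFF))
	defer front.Close()

	req, err := http.NewRequest(http.MethodGet, front.URL+"/", nil)
	if err != nil {
		return "", err
	}
	if clientXFF != "" {
		req.Header.Set("X-Forwarded-For", clientXFF)
	}
	resp, err := front.Client().Do(req)
	if err != nil {
		return "", err
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	// Constructed input: the client claims to originate from 203.0.113.7 (TEST-NET-3).
	for _, omit := range []bool{false, true} {
		got, err := forwardedFor(omit, "203.0.113.7")
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("omit=%-5v backend saw X-Forwarded-For=%q\n", omit, got)
	}
}
```

The first case shows why the header matters for access control: the default Director appends the proxy-observed client IP to whatever the client already sent, so a client that seeds X-Forwarded-For with a chosen address has it forwarded upstream. Either delete or nil the header in the Director, or on Go 1.20 and later use the Rewrite hook, which strips inbound X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Proto before calling it and lets you re-add trustworthy values with ProxyRequest.SetXForwarded.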

Bug fixes:

* assisted-service repo pin-latest.py script should allow custom tags to be
pinned (BZ# 2065661)

* assisted-service-build image is too big in size (BZ# 2066059)

* assisted-service pin-latest.py script should exclude the postgres image
(BZ# 2076901)

* iPXE artifacts need to be served via HTTP (BZ# 2078531)

* Implementing new service-agent protocol on agent side (BZ# 2081281)

* RHACM 2.6.0 images (BZ# 2090906)

* Assisted service POD keeps crashing after a bare metal host is created
(BZ# 2093503)

* Assisted service triggers the worker nodes re-provisioning on the hub
cluster when the converged flow is enabled (BZ# 2096106)

* Fix assisted CI jobs that fail for cluster-info readiness (BZ# 2097696)

* Nodes are required to have installation disks of at least 120GB instead
of at minimum of 100GB (BZ# 2099277)

* The pre-selected search keyword is not readable (BZ# 2107736)

* The value of label expressions in the new placement for policy and
policysets cannot be shown real-time from UI (BZ# 2111843)

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation, which will be updated shortly for this release, for
important instructions on installing this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html-single/install/index#installing

4. Bugs fixed (https://bugzilla.redhat.com/):

2065661 - assisted-service repo pin-latest.py script should allow custom tags to be pinned
2066059 - assisted-service-build image is too big in size
2076901 - assisted-service pin-latest.py script should exclude the postgres image
2078531 - iPXE artifacts need to be served via HTTP
2081281 - Implementing new service-agent protocol on agent side
2090901 - Capital letters in install-config.yaml .platform.baremetal.hosts[].name cause bootkube errors
2090906 - RHACM 2.6.0 images
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2093503 - Assisted service POD keeps crashing after a bare metal host is created
2096106 - Assisted service triggers the worker nodes re-provisioning on the hub cluster when the converged flow is enabled
2096445 - Assisted service POD keeps crashing after a bare metal host is created
2096460 - Spoke BMH stuck "inspecting" when deployed via the converged workflow
2097696 - Fix assisted CI jobs that fail for cluster-info readiness
2099277 - Nodes are required to have installation disks of at least 120GB instead of at minimum of 100GB
2103703 - Automatic version upgrade triggered for oadp operator installed by cluster-backup-chart
2104117 - Spoke BMH stuck "available" after changing a BIOS attribute via the converged workflow
2104984 - Infrastructure operator missing clusterrole permissions for interacting with mutatingwebhookconfigurations
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
2105339 - Search Application button on the Application Table for Subscription applications does not Redirect
2105357 - [UI] hypershift cluster creation error - n[0] is undefined
2106347 - Submariner error looking up service account submariner-operator/submariner-addon-sa
2106882 - Security Context Restrictions are restricting creation of some pods which affects the deployment of some applications
2107049 - The clusterrole for global clusterset did not created by default
2107065 - governance-policy-framework in CrashLoopBackOff state on spoke cluster: Failed to start manager {"error": "error listening on :8081: listen tcp :8081: bind: address already in use"}
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107370 - Helm Release resource recreation feature does not work with the local cluster
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
2108888 - Hypershift on AWS - control plane not running
2109370 - The button to create the cluster is not visible
2111203 - Add ocp 4.11 to filters for discovering clusters in ACM 2.6
2111218 - Create cluster - Infrastructure page crashes
2111651 - "View application" button on app table for Flux applications redirects to apiVersion=ocp instead of flux
2111663 - Hosted cluster in Pending import state
2111671 - Leaked namespaces after deleting hypershift deployment
2111770 - [ACM 2.6] there is no node info for remote cluster in multiple hubs
2111843 - The value of label expressions in the new placement for policy and policysets cannot be shown real-time from UI
2112180 - The policy page is crashed after input keywords in the search box
2112281 - config-policy-controller pod can't startup in the OCP3.11 managed cluster
2112318 - Can't delete the objects which are re-created by policy when deleting the policy
2112321 - BMAC reconcile loop never stops after changes
2112426 - No cluster discovered due to x509: certificate signed by unknown authority
2112478 - Value of delayAfterRunSeconds is not shown on the final submit panel and the word itself should not be wrapped.
2112793 - Can't view details of the policy template when set the spec.pruneObjectBehavior as unsupported value
2112803 - ClusterServiceVersion for release 2.6 branch references "latest" tag
2113787 - [ACM 2.6] can not delete namespaces after detaching the hosted cluster
2113838 - the cluster proxy-agent was deployed on the non-infra nodes
2113842 - [ACM 2.6] must restart hosting cluster registration pod if update work-manager-addon cr to change installNamespace
2114982 - Control plane type shows 'Standalone' for hypershift cluster
2115622 - Hub fromsecret function doesn't work for hosted mode in multiple hub
2115723 - Can't view details of the policy template for customer and hypershift cluster in hosted mode from UI
2115993 - Policy automation details panel was not updated after editing the mode back to disabled
2116211 - Count of violations with unknown status was not accurate when managed clusters have mixed status
2116329 - cluster-proxy-agent not startup due to the imagepullbackoff on spoke cluster
2117113 - The proxy-server-host was not correct in cluster-proxy-agent
2117187 - pruneObjectBehavior radio selection cannot work well and always switch the first one template in multiple configurationPolicy templates
2117480 - [ACM 2.6] infra-id of HypershiftDeployment doesn't work
2118338 - Report the "namespace not found" error after clicked view yaml link of a policy in the multiple hub env
2119326 - Can't view details of the SecurityContextConstraints policy for managed clusters from UI

5. References:

https://access.redhat.com/security/cve/CVE-2022-1012
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-2526
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-29154
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-31129
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/cve/CVE-2022-32250
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce