RedHat: RHSA-2022-8634:01 Moderate: OpenShift API for Data Protecti...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift API for Data Protection (OADP) 1.1.1 security and bug fix update
Advisory ID:       RHSA-2022:8634-01
Product:           OpenShift API for Data Protection
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8634
Issue date:        2022-11-28
CVE Names:         CVE-2020-35525 CVE-2020-35527 CVE-2022-2509 
                   CVE-2022-3515 CVE-2022-27191 CVE-2022-27664 
                   CVE-2022-30632 CVE-2022-30635 CVE-2022-32190 
                   CVE-2022-34903 CVE-2022-37434 CVE-2022-40674 
=====================================================================

1. Summary:

OpenShift API for Data Protection (OADP) 1.1.1 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore
application resources, persistent volume data, and internal container
images to external backup storage. OADP enables both file system-based and
snapshot-based backups for persistent volumes.

Security Fix(es) from Bugzilla:

* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

* golang: net/https: handle server errors after sending GOAWAY
(CVE-2022-27664)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

* golang: net/url: JoinPath does not strip relative path components in all
circumstances (CVE-2022-32190)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
2124669 - CVE-2022-27664 golang: net/https: handle server errors after sending GOAWAY

5. JIRA issues fixed (https://issues.jboss.org/):

OADP-1002 - DataMover: Backup partially fails for a namespace without PVC
OADP-1016 - DataMover: Restore randomly fails with "secrets vsr-lttsv-secret already exists" error
OADP-1020 - DataMover: restore partiallyFailed with "Plugin Panicked" error
OADP-1027 - DataMover: VSB fails with error "cannot obtain source volumesnapshot"
OADP-608 - Data mover restic secret does not support GCP 
OADP-609 - Data mover VSR validation for default volumesnapshotclass and storageclass
OADP-611 - Data mover VSR resources are sometimes created multiple times with multiple PVCs
OADP-612 - Data mover Backup & Restore needs to fail if a validation check fails
OADP-642 - OADP CRD descriptions should use the same capitalization as yaml fields
OADP-645 - Data mover performance on restore blocks restore process
OADP-662 - VSB/VSR needs to fail if backup/restore partially fails or fails
OADP-724 - Setting an excludedNamespace and includedNamespace in the same backup crashes velero
OADP-725 - DC Restic Post Restore Script handle restore name longer than 63 characters
OADP-731 - Backup partiallyFails with data mover if a stale snapshot is encountered
OADP-741 - Data Mover VSB/VSR CRs do not include status on error
OADP-774 - OADP must-gather is getting stuck
OADP-794 - Second restore of CSI volume fails due to dataSource doesn't match dataSourceRef
OADP-825 - CSI Volumesnapshot Deletion fails with nil pointer execption bug
OADP-849 - DataMover: restore PartiallyFails randomly with "ReplicationDestination.volsync.backube xxxx not found" error
OADP-927 - DataMover backup fails with nil pointer issue

6. References:

https://access.redhat.com/security/cve/CVE-2020-35525
https://access.redhat.com/security/cve/CVE-2020-35527
https://access.redhat.com/security/cve/CVE-2022-2509
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-27191
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-32190
https://access.redhat.com/security/cve/CVE-2022-34903
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-40674
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY4RbZdzjgjWX9erEAQgR4g//VRZ+qp8+3SHAQLZyC4J/a+4XMiG1yNR9
ARgZnotH77GFNptWir6E+3ojUutCuH1pULW5FSGoGEuctF7YyKuNl1MqQy6GMVAB
tRTdsqaHwyDDWeli/hM1TtZoPnBpXd5H9eoT0gfVipIpoylYik2mXlLnmvItEmVB
Fq0ECkcqT4aVw9pQxhdlfFf/lwgbf9QNRKIil+A7sG7xgJQ5oAekB3tACRotKWkL
VDjg+yFOMnfDDI04dfXqdexa1qKS3NI4vopPPfSjK4P+UwneWmw/VXykx0NNd2n9
490WMv49s2mNPRHGssZfRZd+Yw0knUb1Iglut0SsC3KLuQ1O+Hod8xCWL2a3N11d
PRybAWgKDy6WceiT/VXUq7agbassWTAijt8QPkKrTEiJTnO7JdoSGNKzKEblp6dU
gauBKnVKmNlnFrAVuwxQ+pXu7arn70mq9wyjNbq1eC4v/bpfXJsWYyCVmPpZ83wR
uFSz0IwxW6gePFsKtKJhtk8EP4jB3ATiNW53d7nV9Dz++X0ltioerowg/sJGeFq7
uISozqrAeTXZXSrd5yL1Of6IDWD9Tb43GAh6GJE6JRNPmMv3yUcAppyv/uHOyiKN
BEfOcFclp56QYWTBiYXWd5Gex5PQW3hdZpwUl3g8bDF+Ikrup7wI6ktw/SejmZuc
uXOU76pYWW4=
=x6Pt
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-8634:01 Moderate: OpenShift API for Data Protection

OpenShift API for Data Protection (OADP) 1.1.1 is now available

Summary

OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.
Security Fix(es) from Bugzilla:
* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)
* golang: net/https: handle server errors after sending GOAWAY (CVE-2022-27664)
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
* golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, refer to:https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2020-35525 https://access.redhat.com/security/cve/CVE-2020-35527 https://access.redhat.com/security/cve/CVE-2022-2509 https://access.redhat.com/security/cve/CVE-2022-3515 https://access.redhat.com/security/cve/CVE-2022-27191 https://access.redhat.com/security/cve/CVE-2022-27664 https://access.redhat.com/security/cve/CVE-2022-30632 https://access.redhat.com/security/cve/CVE-2022-30635 https://access.redhat.com/security/cve/CVE-2022-32190 https://access.redhat.com/security/cve/CVE-2022-34903 https://access.redhat.com/security/cve/CVE-2022-37434 https://access.redhat.com/security/cve/CVE-2022-40674 https://access.redhat.com/security/updates/classification/#moderate

Package List

Severity
Advisory ID: RHSA-2022:8634-01
Product: OpenShift API for Data Protection
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8634
Issued Date: : 2022-11-28
CVE Names: CVE-2020-35525 CVE-2020-35527 CVE-2022-2509 CVE-2022-3515 CVE-2022-27191 CVE-2022-27664 CVE-2022-30632 CVE-2022-30635 CVE-2022-32190 CVE-2022-34903 CVE-2022-37434 CVE-2022-40674

Topic

OpenShift API for Data Protection (OADP) 1.1.1 is now available.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server

2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob

2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode

2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances

2124669 - CVE-2022-27664 golang: net/https: handle server errors after sending GOAWAY

5. JIRA issues fixed (https://issues.jboss.org/):

OADP-1002 - DataMover: Backup partially fails for a namespace without PVC

OADP-1016 - DataMover: Restore randomly fails with "secrets vsr-lttsv-secret already exists" error

OADP-1020 - DataMover: restore partiallyFailed with "Plugin Panicked" error

OADP-1027 - DataMover: VSB fails with error "cannot obtain source volumesnapshot"

OADP-608 - Data mover restic secret does not support GCP

OADP-609 - Data mover VSR validation for default volumesnapshotclass and storageclass

OADP-611 - Data mover VSR resources are sometimes created multiple times with multiple PVCs

OADP-612 - Data mover Backup & Restore needs to fail if a validation check fails

OADP-642 - OADP CRD descriptions should use the same capitalization as yaml fields

OADP-645 - Data mover performance on restore blocks restore process

OADP-662 - VSB/VSR needs to fail if backup/restore partially fails or fails

OADP-724 - Setting an excludedNamespace and includedNamespace in the same backup crashes velero

OADP-725 - DC Restic Post Restore Script handle restore name longer than 63 characters

OADP-731 - Backup partiallyFails with data mover if a stale snapshot is encountered

OADP-741 - Data Mover VSB/VSR CRs do not include status on error

OADP-774 - OADP must-gather is getting stuck

OADP-794 - Second restore of CSI volume fails due to dataSource doesn't match dataSourceRef

OADP-825 - CSI Volumesnapshot Deletion fails with nil pointer execption bug

OADP-849 - DataMover: restore PartiallyFails randomly with "ReplicationDestination.volsync.backube xxxx not found" error

OADP-927 - DataMover backup fails with nil pointer issue

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.