RedHat: RHSA-2022-9047:01 Moderate: Migration Toolkit for Container...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Migration Toolkit for Containers (MTC) 1.7.6 security and bug fix update
Advisory ID:       RHSA-2022:9047-01
Product:           Red Hat Migration Toolkit
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9047
Issue date:        2022-12-15
CVE Names:         CVE-2016-3709 CVE-2020-28851 CVE-2020-28852 
                   CVE-2020-35525 CVE-2020-35527 CVE-2022-0561 
                   CVE-2022-0562 CVE-2022-0865 CVE-2022-0891 
                   CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 
                   CVE-2022-1122 CVE-2022-1304 CVE-2022-1355 
                   CVE-2022-1705 CVE-2022-1962 CVE-2022-2509 
                   CVE-2022-3515 CVE-2022-22624 CVE-2022-22628 
                   CVE-2022-22629 CVE-2022-22662 CVE-2022-22844 
                   CVE-2022-25308 CVE-2022-25309 CVE-2022-25310 
                   CVE-2022-26700 CVE-2022-26709 CVE-2022-26710 
                   CVE-2022-26716 CVE-2022-26717 CVE-2022-26719 
                   CVE-2022-27404 CVE-2022-27405 CVE-2022-27406 
                   CVE-2022-27664 CVE-2022-28131 CVE-2022-30293 
                   CVE-2022-30629 CVE-2022-30630 CVE-2022-30632 
                   CVE-2022-30633 CVE-2022-30635 CVE-2022-32148 
                   CVE-2022-32189 CVE-2022-37434 CVE-2022-42898 
=====================================================================

1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.6 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es) from Bugzilla:

* golang: net/https: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)

* golang: go/parser: stack exhaustion in all Parse* functions
(CVE-2022-1962)

* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

* golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)

* golang: crypto/tls: session tickets lack random ticket_age_add
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/https: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
2132957 - Migration fails at UnQuiesceDestApplications step in OCP 4.12
2137304 - Location for host cluster is missing in the UI
2140208 - When editing a MigHook in the UI, the page may fail to reload
2143628 - Unable to create Storage Class Conversion plan due to missing cronjob error in OCP 4.12
2143872 - Namespaces page in web console stuck in loading phase
2149920 - Migration fails at prebackupHooks step

5. JIRA issues fixed (https://issues.jboss.org/):

MIG-1240 - Implement proposed changes for DVM support with PSAs in 4.12

6. References:

https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2020-28851
https://access.redhat.com/security/cve/CVE-2020-28852
https://access.redhat.com/security/cve/CVE-2020-35525
https://access.redhat.com/security/cve/CVE-2020-35527
https://access.redhat.com/security/cve/CVE-2022-0561
https://access.redhat.com/security/cve/CVE-2022-0562
https://access.redhat.com/security/cve/CVE-2022-0865
https://access.redhat.com/security/cve/CVE-2022-0891
https://access.redhat.com/security/cve/CVE-2022-0908
https://access.redhat.com/security/cve/CVE-2022-0909
https://access.redhat.com/security/cve/CVE-2022-0924
https://access.redhat.com/security/cve/CVE-2022-1122
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-1355
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-1962
https://access.redhat.com/security/cve/CVE-2022-2509
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-22844
https://access.redhat.com/security/cve/CVE-2022-25308
https://access.redhat.com/security/cve/CVE-2022-25309
https://access.redhat.com/security/cve/CVE-2022-25310
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-27404
https://access.redhat.com/security/cve/CVE-2022-27405
https://access.redhat.com/security/cve/CVE-2022-27406
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-28131
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-30629
https://access.redhat.com/security/cve/CVE-2022-30630
https://access.redhat.com/security/cve/CVE-2022-30632
https://access.redhat.com/security/cve/CVE-2022-30633
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY5qjzdzjgjWX9erEAQjjjA//es5rXZ2qQwQJekrx32tlQ+R2v2BO0jKJ
EIKiMSoPFOotf2TPCnn60CHUGhBs/RkjtqYFIvKW+pMBioRkaqPc8yDCraOGszrH
pAYPI6+lTAfr0YjPJmA9aP5c0tAspHCVISi7+cuIDPTWUPnKtiH9XA8z5WCjWY4H
v2gfULxXtSy2gkG+ezS3xXjrkEvqo33sXhar9baoG3ILfStpNwIrQ3Qt55gYM1yh
y0HxxSjuqpgGFUiSN2wJuox60xA9hFA4B/YVfhzvKs9JFW454tNSns1V+89MSKsF
NIMtuLOpbYe0OT3YsgP2qA1rRwY/HVzV/ewNM9ATQIBPgfXlDt4A3KBhfcSB/xSm
RnERhgp6PJmNU/t1wufhhOD/IfO55v6DKDHf1xZu8Q3NxhZ3ucXxLSrb17q0zOkp
LngN8f0RYzXUNWOapCK+QPAXyhvUYkHi8VFxBbCgF48N00as6IpaK6hgYR9D+mCm
WdljOEZR2CaNhnzU51vutM5T2J/B8S/CA8SYG/ndoyS+fwFkEDv+Ncmg+0Amtu6s
pIhCdvxK6r9+Gh0qbKeT4ALnmUjowQ8+nVTP0GzDWR3InF/YWGOfWi+Q1moUZXND
7Hj1kp46KXlTzPbLKr54RPq98CT8wqPR1IZ7VKD+M5xTYWTlO+uED6TBxRBmrKrL
O33JZ0TnfDw=
=cTlF
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-9047:01 Moderate: Migration Toolkit for Containers (MTC)

The Migration Toolkit for Containers (MTC) 1.7.6 is now available

Summary

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.
Security Fix(es) from Bugzilla:
* golang: net/https: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
* golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to install and use MTC, refer to:https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

References

https://access.redhat.com/security/cve/CVE-2016-3709 https://access.redhat.com/security/cve/CVE-2020-28851 https://access.redhat.com/security/cve/CVE-2020-28852 https://access.redhat.com/security/cve/CVE-2020-35525 https://access.redhat.com/security/cve/CVE-2020-35527 https://access.redhat.com/security/cve/CVE-2022-0561 https://access.redhat.com/security/cve/CVE-2022-0562 https://access.redhat.com/security/cve/CVE-2022-0865 https://access.redhat.com/security/cve/CVE-2022-0891 https://access.redhat.com/security/cve/CVE-2022-0908 https://access.redhat.com/security/cve/CVE-2022-0909 https://access.redhat.com/security/cve/CVE-2022-0924 https://access.redhat.com/security/cve/CVE-2022-1122 https://access.redhat.com/security/cve/CVE-2022-1304 https://access.redhat.com/security/cve/CVE-2022-1355 https://access.redhat.com/security/cve/CVE-2022-1705 https://access.redhat.com/security/cve/CVE-2022-1962 https://access.redhat.com/security/cve/CVE-2022-2509 https://access.redhat.com/security/cve/CVE-2022-3515 https://access.redhat.com/security/cve/CVE-2022-22624 https://access.redhat.com/security/cve/CVE-2022-22628 https://access.redhat.com/security/cve/CVE-2022-22629 https://access.redhat.com/security/cve/CVE-2022-22662 https://access.redhat.com/security/cve/CVE-2022-22844 https://access.redhat.com/security/cve/CVE-2022-25308 https://access.redhat.com/security/cve/CVE-2022-25309 https://access.redhat.com/security/cve/CVE-2022-25310 https://access.redhat.com/security/cve/CVE-2022-26700 https://access.redhat.com/security/cve/CVE-2022-26709 https://access.redhat.com/security/cve/CVE-2022-26710 https://access.redhat.com/security/cve/CVE-2022-26716 https://access.redhat.com/security/cve/CVE-2022-26717 https://access.redhat.com/security/cve/CVE-2022-26719 https://access.redhat.com/security/cve/CVE-2022-27404 https://access.redhat.com/security/cve/CVE-2022-27405 https://access.redhat.com/security/cve/CVE-2022-27406 https://access.redhat.com/security/cve/CVE-2022-27664 https://access.redhat.com/security/cve/CVE-2022-28131 https://access.redhat.com/security/cve/CVE-2022-30293 https://access.redhat.com/security/cve/CVE-2022-30629 https://access.redhat.com/security/cve/CVE-2022-30630 https://access.redhat.com/security/cve/CVE-2022-30632 https://access.redhat.com/security/cve/CVE-2022-30633 https://access.redhat.com/security/cve/CVE-2022-30635 https://access.redhat.com/security/cve/CVE-2022-32148 https://access.redhat.com/security/cve/CVE-2022-32189 https://access.redhat.com/security/cve/CVE-2022-37434 https://access.redhat.com/security/cve/CVE-2022-42898 https://access.redhat.com/security/updates/classification/#moderate

Package List

Severity
Advisory ID: RHSA-2022:9047-01
Product: Red Hat Migration Toolkit
Advisory URL: https://access.redhat.com/errata/RHSA-2022:9047
Issued Date: : 2022-12-15
CVE Names: CVE-2016-3709 CVE-2020-28851 CVE-2020-28852 CVE-2020-35525 CVE-2020-35527 CVE-2022-0561 CVE-2022-0562 CVE-2022-0865 CVE-2022-0891 CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 CVE-2022-1122 CVE-2022-1304 CVE-2022-1355 CVE-2022-1705 CVE-2022-1962 CVE-2022-2509 CVE-2022-3515 CVE-2022-22624 CVE-2022-22628 CVE-2022-22629 CVE-2022-22662 CVE-2022-22844 CVE-2022-25308 CVE-2022-25309 CVE-2022-25310 CVE-2022-26700 CVE-2022-26709 CVE-2022-26710 CVE-2022-26716 CVE-2022-26717 CVE-2022-26719 CVE-2022-27404 CVE-2022-27405 CVE-2022-27406 CVE-2022-27664 CVE-2022-28131 CVE-2022-30293 CVE-2022-30629 CVE-2022-30630 CVE-2022-30632 CVE-2022-30633 CVE-2022-30635 CVE-2022-32148 CVE-2022-32189 CVE-2022-37434 CVE-2022-42898

Topic

The Migration Toolkit for Containers (MTC) 1.7.6 is now available.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add

2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob

2107374 - CVE-2022-1705 golang: net/https: improper sanitization of Transfer-Encoding header

2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions

2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working

2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob

2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode

2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip

2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

2132957 - Migration fails at UnQuiesceDestApplications step in OCP 4.12

2137304 - Location for host cluster is missing in the UI

2140208 - When editing a MigHook in the UI, the page may fail to reload

2143628 - Unable to create Storage Class Conversion plan due to missing cronjob error in OCP 4.12

2143872 - Namespaces page in web console stuck in loading phase

2149920 - Migration fails at prebackupHooks step

5. JIRA issues fixed (https://issues.jboss.org/):

MIG-1240 - Implement proposed changes for DVM support with PSAs in 4.12

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.