=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Migration Toolkit for Applications security and bug fix update
Advisory ID:       RHSA-2023:4627-01
Product:           Migration Toolkit for Applications
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4627
Issue date:        2023-08-14
CVE Names:         CVE-2020-24736 CVE-2021-46877 CVE-2022-4492 
                   CVE-2022-41721 CVE-2022-41723 CVE-2022-41724 
                   CVE-2022-41725 CVE-2022-41854 CVE-2022-41881 
                   CVE-2023-1667 CVE-2023-2283 CVE-2023-2798 
                   CVE-2023-2828 CVE-2023-22899 CVE-2023-24329 
                   CVE-2023-24532 CVE-2023-24534 CVE-2023-24536 
                   CVE-2023-24537 CVE-2023-24538 CVE-2023-24539 
                   CVE-2023-24540 CVE-2023-26125 CVE-2023-26604 
                   CVE-2023-29400 CVE-2023-34104 
=====================================================================

1. Summary:

Migration Toolkit for Applications 6.2.0 release

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Migration Toolkit for Applications 6.2.0 Images

Security Fix(es):

* golang: html/template: improper handling of JavaScript whitespace
(CVE-2023-24540)

* jackson-databind: Possible DoS if using JDK serialization to serialize
JsonNode (CVE-2021-46877)

* undertow: Server identity in https connection is not checked by the
undertow client (CVE-2022-4492)

* x/net/http2/h2c: request smuggling (CVE-2022-41721)

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)

* golang: crypto/tls: large handshake records may cause panics
(CVE-2022-41724)

* golang: net/http, mime/multipart: denial of service from excessive
resource consumption (CVE-2022-41725)

* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
(CVE-2022-41881)

* htmlUnit: Stack overflow crash causes Denial of Service (DoS)
(CVE-2023-2798)

* zip4j: does not always check the MAC when decrypting a ZIP archive
(CVE-2023-22899)

* golang: crypto/internal/nistec: specific unreduced P-256 scalars produce
incorrect results (CVE-2023-24532)

* golang: net/http, net/textproto: denial of service from excessive memory
allocation (CVE-2023-24534)

* golang: net/http, net/textproto, mime/multipart: denial of service from
excessive resource consumption (CVE-2023-24536)

* golang: go/parser: Infinite loop in parsing (CVE-2023-24537)

* golang: html/template: backticks not treated as string delimiters
(CVE-2023-24538)

* golang: html/template: improper sanitization of CSS values
(CVE-2023-24539)

* golang-github-gin-gonic-gin: Improper Input Validation (CVE-2023-26125)

* golang: html/template: improper handling of empty HTML attributes
(CVE-2023-29400)

* fast-xml-parser: Regex Injection via Doctype Entities (CVE-2023-34104)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
2162182 - CVE-2022-41721 x/net/http2/h2c: request smuggling
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters
2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
2185278 - CVE-2023-22899 zip4j: does not always check the MAC when decrypting a ZIP archive
2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values
2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace
2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes
2203769 - CVE-2023-26125 golang-github-gin-gonic-gin: Improper Input Validation
2210366 - CVE-2023-2798 htmlUnit: Stack overflow crash causes Denial of Service (DoS)
2221261 - CVE-2023-34104 fast-xml-parser: Regex Injection via Doctype Entities
2223355 - CVE-2023-24532 golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results

5. JIRA issues fixed (https://issues.redhat.com/):

MTA-1015 - Credentials filtering is missing 'Created by' filter
MTA-1041 - Application inventory page crashes when deleting an application and the right panel is open
MTA-194 - [RFE] Present a data in more readable format
MTA-24 - [API][Application] ApiApplication returned from post method is missing the identities name
MTA-27 - [API][Credentials] It is possible to create more than one credential with the same name
MTA-464 - [Custom rules] Analysis wizard stucks on custom rules page on moving "Back" from Repository tab.
MTA-465 - Tags & Reports tabs for the application keeps loading while analysis in progress.
MTA-468 - Incorrect description for Azure target.
MTA-469 - Typo under Reports -> Current Landscape UI
MTA-470 - [UI] Clear Repository button is taking few seconds to re-enable every time when we switch to different tab or perspective. 
MTA-472 - [Reports][RFE] "MIGRATION TOOLKIT FOR APPLICATIONS" can be renamed to "Migration Toolkit for Applications"
MTA-474 - Validation issue with "Password" field when creating a new Credential
MTA-476 - Tooltip text for the disabled "Delete" button under "Tags" is incorrect
MTA-477 - Applications imported even after showing Rejected in "Manage Imports" page.
MTA-478 - Application Inventory page doesn't get updated after the "Import"
MTA-479 - Category Color missing when Tag Category is created at the time of import
MTA-480 - Unable to import application with multiple tags under a single tag category.
MTA-481 - [RFE] Deleting a Job function associated with Stakeholder
MTA-483 - EAP6 still present as a target in downstream MTA builds 6.1.0
MTA-484 - Enforce URL validation for git repo while creating custom target
MTA-485 - [UI] Filter category by name list is too long
MTA-500 - Missing space in OpenLiberty target description
MTA-582 - [API] Job function crud and stakeholder group crud fails
MTA-590 - Identified risk table shows error when there are no data
MTA-643 - [Upstream] Success alerts are broken
MTA-647 - [Upstream] Remove Asterisk for member(s) while creating a stakeholder group
MTA-651 - Application owner is sent if its added then manually deleted
MTA-658 - [Upstream] Helper messages are displayed on blur
MTA-659 - [Upstream] Source repository field accepts only git urls.
MTA-674 - [RFE][API] Return reference "name" field from POST method
MTA-678 - Operator failing smoke tests (6.2.0 / release-0.2)
MTA-680 - [Upstream] [Typo] Migration waves wizard stakeholders groups' field should be in plural
MTA-681 - [Upstream][RFE] Add a tooltip for delete button disabled only when selected application(s) are in a migration wave
MTA-682 - [Upstream][Custom Metrics] Initiated assessments total count isn't working correctly
MTA-695 - Running a second migration wave export with additional apps errors out
MTA-698 - [Upstream] Replace Jira Server/Datacenter options with a single option
MTA-699 - [Upstream] Not able to connect to RedHat JIRA account
MTA-706 - [Upstream] [Migration Waves] Date fields can't be entered manually
MTA-717 - [Credentials] Save button remains disabled while editing credentials of Jira type
MTA-739 - Add a tool tip to explain what insecure communication with a Jira instance is
MTA-741 - [Migration Waves] start date value is not updated correctly
MTA-747 - Job function can't be removed
MTA-750 - Applications cannot be selected in the Assessment tab of the Application Inventory
MTA-753 - Some success notifications include two spaces
MTA-761 - eap targets listed as konveyor.io/target=eapx on Analysis dialog
MTA-764 - [UI] Incorrect tooltip when removing credentials
MTA-765 - [UI] Incorrect tooltip when removing credentials
MTA-766 - [UI] Incorrect labels in Jira connections table
MTA-772 - [Upstream] Credentials of type 'Bearer' not listed in Jira instance creation dialog
MTA-773 - Render analysis details as YAML for better readability.
MTA-778 - Clicking 'Show password' icon for Jira Bearer token key doesn't show the key.
MTA-802 - [Regression] Tag list under Tag Category doesn't get updated after new tag creation
MTA-807 - [Custom metrics] The METRICS_ENABLED environment variable is overridden by its default value 
MTA-808 - [UI] Credentials field is empty when editing existing Jira connection instance
MTA-809 - [Custom metrics] Exported issues which move from "Error" to "New" state are counted twice
MTA-81 - CVE-2022-41881 io.netty-netty-parent: codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [mta-6]
MTA-811 - Failed to delete an application that is associated with a ticket on the issues manager
MTA-814 - [Typo] Application creation notification text starts with lowercase
MTA-815 - [UI] Incorrect Jira instance type name is shown in Jira connection table
MTA-826 - [Tags] Color filter isn't working correctly
MTA-83 - CVE-2022-41881 org.jboss.windup.rules-windup-rulesets-parent: codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [mta-6]
MTA-84 - CVE-2022-41854 dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow [mta-6]
MTA-845 - CSV Reports cannot be downloaded
MTA-863 - [UI] Jira credentials have different names in creation wizard and filtering
MTA-870 - A Migration Wave cannot be exported as a SubTask - using both Jira Datacenter and Cloud
MTA-872 - After an error, trying to export the same applications as tasks, fails with an error showing sub-tasks.
MTA-873 - Exporting migration wave as an Epic does not export it to Jira - using Jira Server/Datacenter 
MTA-877 - in migration waves when exporting a migration wave to jira, and moving the ticket to done it changes status to  "Not Started"
MTA-881 - Stakeholder: Assertion is missing "No stakeholders available"
MTA-89 - CVE-2022-41881 org.jboss.windup-windup-parent: codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [mta-6]
MTA-894 - [Custom metrics] Failed analysis is counted twice
MTA-895 - [UI] Sometimes Jira table doesn't look consistent with other tables
MTA-898 - [UI] Incorrect tooltip when the bulk deletion button is disabled on application inventory page
MTA-906 - Migration Waves: The Name field doesn't have the "too sort" validation
MTA-908 - [UI] Incorrect sorting by URL for Jira instances
MTA-909 - Tags: Tag Category field is missing helper message "This field is required."  
MTA-91 - CVE-2022-41881 org.jboss.windup.plugin-windup-maven-plugin-parent: codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [mta-6]
MTA-912 - in migration waves - after applying wrong dates, correcting the dates does not remove the error message 
MTA-916 -  Application Inventory  : Sorting applications on tag count is broken 
MTA-923 - in migration waves - when creating two migration waves with same name and same dates - once trying to create the second one an error pops "Failed to create migration wave."
MTA-93 - CVE-2022-4492 org.keycloak-keycloak-parent: undertow: Server identity in https connection is not checked by the undertow client [mta-6]
MTA-937 - in migration waves - selecting one migration wave using individual check box will automatically select all applications with the same name
MTA-943 - [UI] Incorrect sorting in reports 
MTA-973 - Jira Configuration: Success alert is missing while creating any new jira instance
MTA-974 - Success notification text starts with lowercase
MTA-984 - Dependencies: Unable to Connect there is an error retrieving data
MTA-985 - [Custom rules in analysis] Enforce URL validation for git repo

6. References:

https://access.redhat.com/security/cve/CVE-2020-24736
https://access.redhat.com/security/cve/CVE-2021-46877
https://access.redhat.com/security/cve/CVE-2022-4492
https://access.redhat.com/security/cve/CVE-2022-41721
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2022-41724
https://access.redhat.com/security/cve/CVE-2022-41725
https://access.redhat.com/security/cve/CVE-2022-41854
https://access.redhat.com/security/cve/CVE-2022-41881
https://access.redhat.com/security/cve/CVE-2023-1667
https://access.redhat.com/security/cve/CVE-2023-2283
https://access.redhat.com/security/cve/CVE-2023-2798
https://access.redhat.com/security/cve/CVE-2023-2828
https://access.redhat.com/security/cve/CVE-2023-22899
https://access.redhat.com/security/cve/CVE-2023-24329
https://access.redhat.com/security/cve/CVE-2023-24532
https://access.redhat.com/security/cve/CVE-2023-24534
https://access.redhat.com/security/cve/CVE-2023-24536
https://access.redhat.com/security/cve/CVE-2023-24537
https://access.redhat.com/security/cve/CVE-2023-24538
https://access.redhat.com/security/cve/CVE-2023-24539
https://access.redhat.com/security/cve/CVE-2023-24540
https://access.redhat.com/security/cve/CVE-2023-26125
https://access.redhat.com/security/cve/CVE-2023-26604
https://access.redhat.com/security/cve/CVE-2023-29400
https://access.redhat.com/security/cve/CVE-2023-34104
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
