[RHSA-2023:1816-01] Moderate: Red Hat OpenShift Data Foundation 4.12.2 Bug Fix and security update
Security announcements for all Red Hat products and services.
rhsa-announce at redhat.com
Sat Apr 22 09:32:42 UTC 2023
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat OpenShift Data Foundation 4.12.2 Bug Fix and security update
Advisory ID: RHSA-2023:1816-01
Product: RHODF
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1816
Issue date: 2023-04-17
CVE Names: CVE-2020-10735 CVE-2021-28861 CVE-2022-4304
CVE-2022-4415 CVE-2022-4450 CVE-2022-40897
CVE-2022-41717 CVE-2022-45061 CVE-2022-48303
CVE-2023-0215 CVE-2023-0286 CVE-2023-23916
=====================================================================
1. Summary:
Updated images that fix several bugs are now available for Red Hat
OpenShift Data Foundation 4.12.2 on Red Hat Enterprise Linux 8 from Red Hat
Container Registry.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Data Foundation is software-defined storage integrated
with and optimized for the Red Hat OpenShift Data Foundation. Red Hat
OpenShift Data Foundation is a highly scalable, production-grade persistent
storage for stateful applications running in the Red Hat OpenShift
Container Platform. In addition to persistent storage, Red Hat OpenShift
Data Foundation provisions a multicloud data management service with an S3
compatible API.
Security Fix(es):
* golang: net/http: An attacker can cause excessive memory growth in a Go
server accepting HTTP/2 requests (CVE-2022-41717)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* [backport 4.12] s3 sync directory to a bucket fails with Internal Error
in between the upload operation (BZ#2170416)
* [4.12 clone] [Noobaa] Secrets are used in env variables (BZ#2171968)
* [Backport to 4.12.z] Placeholder bug to backport the odf changes for
Managed services epic RHSTOR-2442 to 4.12.z (BZ#2174335)
* [ODF 4.12] Missing the status-reporter binary causing pods
"report-status-to-provider" remain in CreateContainerError on ODF to ODF
cluster on ROSA (BZ#2179978)
* [MDR] After upgrade(redhat-operators) on hub from 4.12.1 to 4.12.2
noticed 2 token-exchange-agent pods on managed clusters and one of them on
CBLO (BZ#2183198)
3. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests
2171968 - [4.12 clone] [Noobaa] Secrets are used in env variables
2174335 - [Backport to 4.12.z] Placeholder bug to backport the odf changes for Managed services epic RHSTOR-2442 to 4.12.z
2175365 - [4.12.z] Upgrade from 4.12.0 to 4.12.1 doesn't work
2179978 - [ODF 4.12] Missing the status-reporter binary causing pods "report-status-to-provider" remain in CreateContainerError on ODF to ODF cluster on ROSA
2183198 - [MDR] After upgrade(redhat-operators) on hub from 4.12.1 to 4.12.2 noticed 2 token-exchange-agent pods on managed clusters and one of them on CBLO
2186455 - Include at ODF 4.12 container images the RHEL8 CVE fix on "openssl"
5. References:
https://access.redhat.com/security/cve/CVE-2020-10735
https://access.redhat.com/security/cve/CVE-2021-28861
https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4415
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-40897
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/cve/CVE-2022-45061
https://access.redhat.com/security/cve/CVE-2022-48303
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-23916
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZEOpudzjgjWX9erEAQgudA//c1DhcceGIufqRhheeM1fMJLx1pr8aS5C
fVkwxXyNVip1BZta1fwLstIPEcbNG1Q3xCnjVmDqjxkG4sPh7HdkzmtIVdt9JSBX
3TKSqHUMtP7m1dtlP8xg2fyQ8Om7Ki9xE6KCkijR3TwDZMZOkFtRg6D9MbSPT7+s
3tvq+vEQ2HVr13KEdMC7kSSyvZsqLgCT3LcURFxn/rZipGy+DDJeK8uGhMe2uF43
QPsYBb0qhm2s6T+6QWhBPahOgDxqCtP8KSgO6RNuieubL/E+wr+sV8LBXkrPZ71N
QT6MEY7R8x5Af7+04t0INnFg2Bqo+eJPLPgLGpTqFtJeoDm0HAeqliHgv7SFqex5
FPArRIPPgzjjEFASv4dr1r4WKAr9PWaGCrFE4OZM2m5ibQi//SWJuEn1719T5WDf
+BGCJ8UfOWOX3J385rECIm2r0ZL5yPq2XBoPJUEcA0I0YSswlOjD6V6ovaROSNrh
NU2eA/xSj4vwDTEC+FojZAeL1IT7uAFUJCYMq+zcyqTFRE+C7tDo8zcnVuJVhHq2
xhezfIlbgBbcEHr5omqVp4utqDSCfYfhoGFxUJtW07iEJmq01R9lPsNbdVQsAGW4
8/Xt+P4wU6LIYNcAM4S5yxMy2KMN/rDKwoxSljg4I6dM8uWUJAF2iaGA1+T2dKq5
GfmMJLVuC8A=
=MYP7
-----END PGP SIGNATURE-----
More information about the RHSA-announce
mailing list