[RHSA-2023:4293-01] Moderate: Migration Toolkit for Containers (MTC) 1.7.11 security and bug fix update

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Thu Jul 27 02:19:55 UTC 2023 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Migration Toolkit for Containers (MTC) 1.7.11 security and bug fix update
Advisory ID:       RHSA-2023:4293-01
Product:           Red Hat Migration Toolkit
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4293
Issue date:        2023-07-27
CVE Names:         CVE-2020-24736 CVE-2022-41723 CVE-2023-1667 
                   CVE-2023-2283 CVE-2023-24329 CVE-2023-24539 
                   CVE-2023-26125 CVE-2023-26604 CVE-2023-29400 
                   CVE-2023-29401 
=====================================================================

1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.11 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es) from Bugzilla:

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)

* golang: html/template: improper sanitization of CSS values
(CVE-2023-24539)

* golang-github-gin-gonic-gin: Improper Input Validation (CVE-2023-26125)

* golang: html/template: improper handling of empty HTML attributes
(CVE-2023-29400)

* golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize
filename parameter of Context.FileAttachment function (CVE-2023-29401)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values
2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes
2203769 - CVE-2023-26125 golang-github-gin-gonic-gin: Improper Input Validation
2216957 - CVE-2023-29401 golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function

5. References:

https://access.redhat.com/security/cve/CVE-2020-24736
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2023-1667
https://access.redhat.com/security/cve/CVE-2023-2283
https://access.redhat.com/security/cve/CVE-2023-24329
https://access.redhat.com/security/cve/CVE-2023-24539
https://access.redhat.com/security/cve/CVE-2023-26125
https://access.redhat.com/security/cve/CVE-2023-26604
https://access.redhat.com/security/cve/CVE-2023-29400
https://access.redhat.com/security/cve/CVE-2023-29401
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJkwdRKAAoJENzjgjWX9erETLYP/i0v1WOSwBaVLef7uqjKSG4f
E70Qv2TsqsrjB51UNUnGP1PjtnSrHSwfA5fN/TBn4vZkSk1pYIH/lpg1RNbvx8ls
xlKMTd6bX/z4ojHbCss5AIGFxL7zqd9ZTfCfI/NopDVnAIFRDYCWh4rqEtaETBwa
yioqI3py2XOd3lwSEEnaenLR35rpxt730ZLeZAl5/lvRRt7kD69r9exWAUh4sW6j
JtYi6ydY8BXg0HNR+nU57XRmp0S6GfYGncYDZFyDRXTT0UMHVxtRF04VETuBjWC2
IAqp7ocRPt5woh0+HyyRA/9p+QWDP6kYY1Bb8HgKNx3xdQbwJi07Pwt4YadMTmAE
igw1LmIPRIJoNKTh1MqTL00nJIU/1mO+vpkyvNhIZ94vreLJ8MyQLbLAhJYuTCby
sLA2VeLnQmcdrsWDIkx+hJOsR9bydCZuIPykN4Nmstv2j6UHWg31DtaHyQQEyZtm
O/V61KAUYeOd6dMvRYlgz86hvQurwGl/sYsAsIt5mV50wXB14bSfMUnYe3hM1/v3
vB6bNiPIY8UgpRl2ZnZCsVruPEyFn7+W0wCSqX3Afy5Q08lyvuPFXcD1XAm4TLES
5g1bNuIDOPu1r/AqKrC7zSVsL0QLjpyetjPnUa205Nc6LqcyfyvV2BC+61VzWm5E
OTxW8GMl5qshDNCZCUVd
=0sF0
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list