[RHSA-2023:3918-01] Important: OpenShift API for Data Protection (OADP) 1.1.5 security and bug fix update

[Security announcements for all Red Hat products and services.]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift API for Data Protection (OADP) 1.1.5 security and bug fix update
Advisory ID:       RHSA-2023:3918-01
Product:           OpenShift API for Data Protection
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3918
Issue date:        2023-06-29
CVE Names:         CVE-2022-3627 CVE-2022-3970 CVE-2022-36227 
                   CVE-2022-41723 CVE-2023-2491 CVE-2023-24534 
                   CVE-2023-24536 CVE-2023-24537 CVE-2023-24538 
                   CVE-2023-24539 CVE-2023-24540 CVE-2023-27535 
                   CVE-2023-29400 
=====================================================================

1. Summary:

OpenShift API for Data Protection (OADP) 1.1.5 is now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore
application resources, persistent volume data, and internal container
images to external backup storage. OADP enables both file system-based and
snapshot-based backups for persistent volumes.

Security Fix(es):

* golang: html/template: improper handling of JavaScript whitespace
(CVE-2023-24540)

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)

* golang: net/http, net/textproto: denial of service from excessive memory
allocation (CVE-2023-24534)

* golang: net/http, net/textproto, mime/multipart: denial of service from
excessive resource consumption (CVE-2023-24536)

* golang: go/parser: Infinite loop in parsing (CVE-2023-24537)

* golang: html/template: backticks not treated as string delimiters
(CVE-2023-24538)

* golang: html/template: improper sanitization of CSS values
(CVE-2023-24539)

* golang: html/template: improper handling of empty HTML attributes
(CVE-2023-29400)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters
2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values
2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace
2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes

5. References:

https://access.redhat.com/security/cve/CVE-2022-3627
https://access.redhat.com/security/cve/CVE-2022-3970
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2023-2491
https://access.redhat.com/security/cve/CVE-2023-24534
https://access.redhat.com/security/cve/CVE-2023-24536
https://access.redhat.com/security/cve/CVE-2023-24537
https://access.redhat.com/security/cve/CVE-2023-24538
https://access.redhat.com/security/cve/CVE-2023-24539
https://access.redhat.com/security/cve/CVE-2023-24540
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-29400
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZJz/btzjgjWX9erEAQg3dQ/9Epfv14lSbsAhQoLhFGt+pP8DvEAuNNbI
5Hfa+EXKquBqN5mvdALvAfVozVZ+/RZEG0FjcRrZD2wzFg05VaayvlwQBdvXTCmb
+rvXjSxocYbzaaqyDENydumi1BJzos8uFtyU8e48nHZUMyAlQ2n+aoVkIBYys0k0
a9P52rRqUv2T7MQVSW7wdtnn8s0GzF20/4xwjCpXRaRKuXPq34cBa2Gch+gUMJco
A8fRi2aIJqZ0Cjb4g5unWv5hmJQAsboXMfnCwFqJRhigBWRR0Ejsjaaia/eGbTUQ
/3F7q4fDs+1FoT3MAN5NW1A5mLy7HazZdh5n6S8CYrdMH55TxOeVH7OxDhSxhDEh
2VJtk8gwE44O4L8XGp+2rG0XAj5X08kc3Kubz+shTRAs2nXIUJac2lT/yUzMk54J
5o251f/Fs2nFFJHZhlPjOK8dyLtLhQZoOE8FdqFG44gjGYY1YHK7I3ikNSczn4QV
sUAeBYLjkaaZUbAU8DI9MuyhYr5xlJVR3103x258dC/riEWeRQBlKEvoQW8Km6Jh
CsPMVs7sQj9Gr3SpEOd2hDNbcpcIs7PKpZV3QZS94/ONPgonB+Oo+jyBpzcSp7bU
979X7dDraHXVLrNTZ285dOAlXxOmbN/aVnuT1c6zh6O1Aa5Wkt3lZfkhsVizrxU7
m8Cl+whEhQw=
=WCj0
-----END PGP SIGNATURE-----