Ubuntu Security Notice 5593-1 - It was discovered that Zstandard incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.

    =========================================================================Ubuntu Security Notice USN-5593-1September 01, 2022libzstd vulnerability=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Zstandard could be made to execute arbitrary code if it received speciallycrafted input.Software Description:- libzstd: fast lossless compression algorithmDetails:It was discovered that Zstandard incorrectly handled certain inputs.An attacker could possibly use this issue to execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:  libzstd1                        1.3.1+dfsg-1~ubuntu0.16.04.1+esm2  zstd                            1.3.1+dfsg-1~ubuntu0.16.04.1+esm2In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5593-1  CVE-2019-11922

Ubuntu Security Notice USN-5593-1

Ubuntu Security Notice 5587-1 - Axel Chong discovered that when curl accepted and sent back cookies containing control bytes that a HTTP server might return a 400 response. A malicious cookie host could possibly use this to cause denial-of-service.

==========================================================================  
Ubuntu Security Notice USN-5587-1  
September 01, 2022

curl vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

curl could be denied access to a HTTP(S) content if it recieved  
a specially crafted cookie.

Software Description:  
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Axel Chong discovered that when curl accepted and sent back  
cookies containing control bytes that a HTTP(S) server might  
return a 400 (Bad Request Error) response. A malicious cookie  
host could possibly use this to cause denial-of-service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
curl 7.81.0-1ubuntu1.4  
libcurl3-gnutls 7.81.0-1ubuntu1.4  
libcurl3-nss 7.81.0-1ubuntu1.4  
libcurl4 7.81.0-1ubuntu1.4

Ubuntu 20.04 LTS:  
curl 7.68.0-1ubuntu2.13  
libcurl3-gnutls 7.68.0-1ubuntu2.13  
libcurl3-nss 7.68.0-1ubuntu2.13  
libcurl4 7.68.0-1ubuntu2.13

Ubuntu 18.04 LTS:  
curl 7.58.0-2ubuntu3.20  
libcurl3-gnutls 7.58.0-2ubuntu3.20  
libcurl3-nss 7.58.0-2ubuntu3.20  
libcurl4 7.58.0-2ubuntu3.20

Ubuntu 16.04 ESM:  
curl 7.47.0-1ubuntu2.19+esm5  
libcurl3 7.47.0-1ubuntu2.19+esm5  
libcurl3-gnutls 7.47.0-1ubuntu2.19+esm5  
libcurl3-nss 7.47.0-1ubuntu2.19+esm5

Ubuntu 14.04 ESM:  
curl 7.35.0-1ubuntu2.20+esm12  
libcurl3 7.35.0-1ubuntu2.20+esm12  
libcurl3-gnutls 7.35.0-1ubuntu2.20+esm12  
libcurl3-nss 7.35.0-1ubuntu2.20+esm12

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-5587-1  
CVE-2022-35252

Package Information:  
https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.4  
https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.13  
https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.20

Ubuntu Security Notice USN-5587-1

wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic from a Machine-in-the-Middle (MITM) position. The root cause is that the client module accepts TLS messages that normally are only sent to TLS servers.

CVE-2021-44718: wolfSSL Security Vulnerabilities | wolfSSL Embedded SSL/TLS Library

In Samba, GnuTLS gnutls_rnd() can fail and give predictable random values.

'15103?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-1615: Invalid Bug ID

An Improper Certificate Validation attack was found in Openshift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality.

'2081181?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-1632: Invalid Bug ID

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2022-1632: Red Hat Customer Portal - Access to 24x7 support and knowledge

A flaw was found in the python-scciclient when making an HTTPS connection to a server where the server's certificate would not be verified. This issue opens up the connection to possible Man-in-the-middle (MITM) attacks.

@ -264,7 +264,7 @@ def get_share_type(share_type):

def scci_cmd(host, userid, password, cmd, port=443, auth_method='basic',

             client_timeout=60, do_async=True, **kwargs):

             client_timeout=60, do_async=True, verify=True, **kwargs):

    """execute SCCI command

    This function calls SCCI server modules

@ -276,6 +276,10 @@ def scci_cmd(host, userid, password, cmd, port=443, auth_method='basic',

    :param auth_method: irmc_username

    :param client_timeout: timeout for SCCI operations

    :param do_async: async call if True, sync call otherwise

    :param verify: (optional) Either a boolean, in which case it

                    controls whether we verify the server's TLS certificate,

                    or a string, in which case it must be a path to

                    a CA bundle to use. Defaults to ``True``.

    :returns: requests.Response from SCCI server

    :raises: SCCIInvalidInputError if port and/or auth_method params

             are invalid

@ -310,12 +314,14 @@ def scci_cmd(host, userid, password, cmd, port=443, auth_method='basic',

            if check_eject_cd_cmd(cmd):

                if not validate_params_cd_fd("cmd_cd", protocol,

                                             host, auth_obj,

                                             do_async, client_timeout):

                                             do_async, client_timeout,

                                             verify):

                    return

            if check_eject_fd_cmd(cmd):

                if not validate_params_cd_fd("cmd_fd", protocol,

                                             host, auth_obj,

                                             do_async, client_timeout):

                                             do_async, client_timeout,

                                             verify):

                    return

            data = cmd

            config_type = '/config'

@ -323,7 +329,7 @@ def scci_cmd(host, userid, password, cmd, port=443, auth_method='basic',

        r = requests.post(protocol + '://' + host + config_type,

                          data=data,

                          headers=header,

                          verify=False,

                          verify=verify,

                          timeout=client_timeout,

                          allow_redirects=False,

                          auth=auth_obj)

@ -373,7 +379,7 @@ def scci_cmd(host, userid, password, cmd, port=443, auth_method='basic',

def validate_params_cd_fd(cmd_type, protocol, host, auth_obj,

                          do_async, client_timeout):

                          do_async, client_timeout, verify):

    """Validate parameters of CD/DVD or FD Image Virtual Media in iRMC

    If one of parameters (ImageServer, ImageShareName or ImageName) set in

@ -386,6 +392,10 @@ def validate_params_cd_fd(cmd_type, protocol, host, auth_obj,

    :param auth_obj: irmc userid/password

    :param do_async: async call if True, sync call otherwise

    :param client_timeout: timeout for SCCI operations

    :param verify: Either a boolean, in which case it

                   controls whether we verify the server's TLS certificate,

                   or a string, in which case it must be a path to

                   a CA bundle to use.

    :return: False if one of param is null. Otherwise, returns True.

    """

@ -404,7 +414,7 @@ def validate_params_cd_fd(cmd_type, protocol, host, auth_obj,

        r = requests.get(protocol + '://' + host + '/iRMC_Settings.pre',

                         params=param,

                         headers=header,

                         verify=False,

                         verify=verify,

                         timeout=client_timeout,

                         allow_redirects=False,

                         auth=auth_obj)

@ -486,7 +496,7 @@ def check_eject_fd_cmd(xml_cmd):

def get_client(host, userid, password, port=443, auth_method='basic',

               client_timeout=60, **kwargs):

               client_timeout=60, verify=True, **kwargs):

    """get SCCI command partial function

    This function returns SCCI command partial function

@ -496,12 +506,17 @@ def get_client(host, userid, password, port=443, auth_method='basic',

    :param port: port number of iRMC

    :param auth_method: irmc_username

    :param client_timeout: timeout for SCCI operations

    :param verify: (optional) Either a boolean, in which case it

                    controls whether we verify the server's TLS certificate,

                    or a string, in which case it must be a path to

                    a CA bundle to use. Defaults to ``True``.

    :returns: scci_cmd partial function which takes a SCCI command param

    """

    return functools.partial(scci_cmd, host, userid, password,

                             port=port, auth_method=auth_method,

                             client_timeout=client_timeout, **kwargs)

                             client_timeout=client_timeout,

                             verify=verify, **kwargs)

def get_virtual_cd_set_params_cmd(remote_image_server,

@ -568,7 +583,7 @@ def get_virtual_fd_set_params_cmd(remote_image_server,

def get_report(host, userid, password,

               port=443, auth_method='basic', client_timeout=60):

               port=443, auth_method='basic', client_timeout=60, verify=True):

    """get iRMC report

    This function returns iRMC report in XML format

@ -578,6 +593,10 @@ def get_report(host, userid, password,

    :param port: port number of iRMC

    :param auth_method: irmc_username

    :param client_timeout: timeout for SCCI operations

    :param verify: (optional) Either a boolean, in which case it

                    controls whether we verify the server's TLS certificate,

                    or a string, in which case it must be a path to

                    a CA bundle to use. Defaults to ``True``.

    :returns: root element of SCCI report

    :raises: ISCCIInvalidInputError if port and/or auth_method params

             are invalid

@ -600,7 +619,7 @@ def get_report(host, userid, password,

    try:

        r = requests.get(protocol + '://' + host + '/report.xml',

                         verify=False,

                         verify=verify,

                         timeout=(10, client_timeout),

                         allow_redirects=False,

                         auth=auth_obj)

@ -868,6 +887,10 @@ def get_firmware_upgrade_status(irmc_info, upgrade_type):

          'irmc_port': 80 or 443, default is 443,

          'irmc_auth_method': 'basic' or 'digest', default is 'digest',

          'irmc_client_timeout': timeout, default is 60,

          'irmc_verify_ca': (optional) Either a boolean, in which case it

                            controls whether we verify the server's TLS

                            certificate, or a string, in which case it must be

                            a path to a CA bundle to use. Defaults to ``True``.

          ...

        }

    :param upgrade_type: flag to check upgrade with bios or irmc

@ -882,6 +905,7 @@ def get_firmware_upgrade_status(irmc_info, upgrade_type):

    port = irmc_info.get('irmc_port', 443)

    auth_method = irmc_info.get('irmc_auth_method', 'digest')

    client_timeout = irmc_info.get('irmc_client_timeout', 60)

    verify = irmc_info.get('irmc_verify_ca', True)

    auth_obj = None

    try:

@ -901,7 +925,7 @@ def get_firmware_upgrade_status(irmc_info, upgrade_type):

        elif upgrade_type == 'irmc':

            upgrade_type = '/irmcprogress'

        r = requests.get(protocol + '://' + host + upgrade_type,

                         verify=False,

                         verify=verify,

                         timeout=(10, client_timeout),

                         allow_redirects=False,

                         auth=auth_obj)

@ -915,3 +939,5 @@ def get_firmware_upgrade_status(irmc_info, upgrade_type):

        return upgrade_status_xml

    except ET.ParseError as parse_error:

        raise SCCIClientError(parse_error)

    except requests.RequestException as requests_exception:

        raise SCCIClientError(requests_exception)

CVE-2022-2996: python-scciclient

Red Hat Security Advisory 2022-6152-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.1.0.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Secondary Scheduler Operator for Red Hat OpenShift 1.1.0 security update  
Advisory ID:       RHSA-2022:6152-01  
Product:           OSSO  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6152  
Issue date:        2022-09-01  
CVE Names:         CVE-2022-1705 CVE-2022-1962 CVE-2022-24675  
                   CVE-2022-28131 CVE-2022-28327 CVE-2022-30629  
                   CVE-2022-30630 CVE-2022-30631 CVE-2022-30632  
                   CVE-2022-30633 CVE-2022-30635 CVE-2022-32148  
====================================================================  
1. Summary:

Secondary Scheduler Operator for Red Hat OpenShift 1.1.0

Red Hat Product Security has rated this update as having a security impact  
of  
Important. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a  
detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

2. Description:

Secondary Scheduler Operator for Red Hat OpenShift 1.1.0

Security Fix(es):

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)  
* golang: net/http: improper sanitization of Transfer-Encoding header  
(CVE-2022-1705)  
* golang: go/parser: stack exhaustion in all Parse* functions  
(CVE-2022-1962)  
* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)  
* golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)  
* golang: crypto/elliptic: panic caused by oversized scalar  
(CVE-2022-28327)  
* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)  
* golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)  
* golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)  
* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)  
* golang: net/http/httputil: NewSingleHostReverseProxy - omit  
X-Forwarded-For not working (CVE-2022-32148)  
* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

3. Solution:

For Secondary Scheduler Operator 1.1.0 see the following documentation,  
which  
will be updated shortly, for detailed release notes:

For more information on Secondary Scheduler Operator for Red Hat OpenShift  
1.1.0, see the following release notes:

https://docs.openshift.com/container-platform/4.11/nodes/scheduling/secondary_scheduler/nodes-secondary-scheduler-release-notes.html#secondary-scheduler-operator-release-notes-1.1.0

4. Bugs fixed (https://bugzilla.redhat.com/):

2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode  
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar  
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2105001 - [SSO] Secondary scheduler version is shown as unknown in the operator logs  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob  
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header  
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions  
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working  
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob  
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode  
2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip  
2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

5. JIRA issues fixed (https://issues.jboss.org/):

WRKLDS-466 - Secondary Scheduler Operator for Red Hat OpenShift 1.1 release

6. References:

https://access.redhat.com/security/cve/CVE-2022-1705  
https://access.redhat.com/security/cve/CVE-2022-1962  
https://access.redhat.com/security/cve/CVE-2022-24675  
https://access.redhat.com/security/cve/CVE-2022-28131  
https://access.redhat.com/security/cve/CVE-2022-28327  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-30630  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-30632  
https://access.redhat.com/security/cve/CVE-2022-30633  
https://access.redhat.com/security/cve/CVE-2022-30635  
https://access.redhat.com/security/cve/CVE-2022-32148  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYxCI69zjgjWX9erEAQhXXxAAosQlZxGWGILaGuYUJr/S/jXROYtor0Wv  
z8na9oZNTgJG086tiPehf+HAUIbwIRlExUg/fI0TkkQILou0JDqDKbMfxuvZ3You  
vgUzKoLHnf541JJp1tjLFbHl+dcG1ohoXEFdh6UpmhxILu56hnC7jB7hfAXnye/E  
wIwwtRkG7tzS2f81vFG1TwWunVddvtNy6ITnqkBLWvjRP0ihk6mBt4iBz4NOKYFi  
x/7TRZUGV+ILeP++g7qsbehOwZLj2p9NzqE2cRw/A1DP3WVRglKaGuhd46kR9mtn  
o0LK9jSBJ0QMPXDvEk52PU4J8yDqhhvTWSeCrFg0rwC3Xd3/41xxKTo9htbLOHfQ  
Ei359sevhBTpLH1sdS7/jjmd8jMYe9CZXxk0Ck87e+T17MXOyKVHSsMFjZR1Pgfu  
wXAMZaIut1l23RA+3T79jYUnrbB+zD4rDk5mwLuurO8n6y7Bw1Dr1Rr2r1mKgr7N  
rxIpHDhw2nWjEhnhl91+2r2ucLvfD6qqsdnV58XTKdLUqNbYAOL1p3tGljqmUVsH  
f2YWDoEc3LpbVoT12xbxqnmJRQGmWwfsNRY4tr6w+qVHgKjBAjMGaDhd4gIVEuGi  
08mdVFBRqUPBbkIZu9ku5Eh8dgg2NcOFN1naDYb3AaNJp7+garNbcGFL1lIK0cBM  
ZO93shdrUmc=3goO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6152-01

Red Hat Security Advisory 2022-6290-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift API for Data Protection (OADP) 1.1.0 security and bug fix update  
Advisory ID:       RHSA-2022:6290-01  
Product:           OpenShift API for Data Protection  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6290  
Issue date:        2022-09-01  
CVE Names:         CVE-2021-3634 CVE-2021-40528 CVE-2022-1271  
                   CVE-2022-1292 CVE-2022-1586 CVE-2022-2068  
                   CVE-2022-2097 CVE-2022-21698 CVE-2022-24675  
                   CVE-2022-25313 CVE-2022-25314 CVE-2022-26691  
                   CVE-2022-28327 CVE-2022-29154 CVE-2022-29824  
                   CVE-2022-30629 CVE-2022-30631 CVE-2022-32206  
                   CVE-2022-32208  
====================================================================  
1. Summary:

OpenShift API for Data Protection (OADP) 1.1.0 is now available.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore  
application resources, persistent volume data, and internal container  
images to external backup storage. OADP enables both file system-based and  
snapshot-based backups for persistent volumes.

Security Fix(es) from Bugzilla:

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* prometheus/client_golang: Denial of service using  
InstrumentHandlerCounter (CVE-2022-21698)

* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

* golang: crypto/elliptic: panic caused by oversized scalar  
(CVE-2022-28327)

* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS  
score, and other related information, refer to the CVE page(s) listed in  
the References section.

3. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter  
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode  
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar  
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. JIRA issues fixed (https://issues.jboss.org/):

OADP-145 - Restic Restore stuck on InProgress status when app is deployed with DeploymentConfig  
OADP-154 - Ensure support for backing up resources based on different label selectors  
OADP-194 - Remove the registry dependency from OADP  
OADP-199 - Enable support for restore of existing resources  
OADP-224 - Restore silently ignore resources if they exist - restore log not updated  
OADP-225 - Restore doesn't update velero.io/backup-name when a resource is updated  
OADP-234 - Implementation of incremental restore  
OADP-324 - Add label to Expired backups failing garbage collection  
OADP-382 - 1.1: Update downstream OLM channels to support different x and y-stream releases  
OADP-422 - [GCP] An attempt of snapshoting volumes on CSI storageclass using Velero-native snapshots fails because it's unable to find the zone  
OADP-423 - CSI Backup is not blocked and does not wait for snapshot to complete  
OADP-478 - volumesnapshotcontent cannot be deleted; SnapshotDeleteError Failed to delete snapshot  
OADP-528 - The volumesnapshotcontent is not removed for the synced backup  
OADP-533 - OADP Backup via Ceph CSI snapshot hangs indefinitely on OpenShift v4.10  
OADP-538 - typo on noDefaultBackupLocation error on DPA CR  
OADP-552 - Validate OADP with 4.11 and Pod Security Admissions  
OADP-558 - Empty Failed Backup CRs can't be removed  
OADP-585 - OADP 1.0.3: CSI functionality is broken on OCP 4.11 due to missing v1beta1 API version  
OADP-586 - registry deployment still exists on 1.1 build, and the registry pod gets recreated endlessly  
OADP-592 - OADP must-gather add support for insecure tls  
OADP-597 - BSL validation logs  
OADP-598 - Data mover performance on backup blocks backup process  
OADP-599 - [Data Mover] Datamover Restic secret cannot be configured per bsl  
OADP-600 - Operator should validate volsync installation and raise warning if data mover is enabled  
OADP-602 - Support GCP for openshift-velero-plugin registry  
OADP-605 - [OCP 4.11] CSI restore fails with admission webhook \"volumesnapshotclasses.snapshot.storage.k8s.io\" denied  
OADP-607 - DataMover: VSB is stuck on SnapshotBackupDone  
OADP-610 - Data mover fails if a stale volumesnapshot exists in application namespace  
OADP-613 - DataMover: upstream documentation refers wrong CRs  
OADP-637 - Restic backup fails with CA certificate  
OADP-643 - [Data Mover] VSB and VSR names are not unique  
OADP-644 - VolumeSnapshotBackup and VolumeSnapshotRestore timeouts should be configurable  
OADP-648 - Remove default limits for velero and restic pods  
OADP-652 - Data mover VolSync pod errors with Noobaa  
OADP-655 - DataMover: volsync-dst-vsr pod completes although not all items where restored in the namespace  
OADP-660 - Data mover restic secret does not support Azure  
OADP-698 - DataMover: volume-snapshot-mover pod points to upstream image  
OADP-715 - Restic restore fails: restic-wait container continuously fails with "Not found: /restores/<pod-volume>/.velero/<restore-UID>"  
OADP-716 - Incremental restore: second restore of a namespace partially fails  
OADP-736 - Data mover VSB always fails with volsync 0.5

6. References:

https://access.redhat.com/security/cve/CVE-2021-3634  
https://access.redhat.com/security/cve/CVE-2021-40528  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-21698  
https://access.redhat.com/security/cve/CVE-2022-24675  
https://access.redhat.com/security/cve/CVE-2022-25313  
https://access.redhat.com/security/cve/CVE-2022-25314  
https://access.redhat.com/security/cve/CVE-2022-26691  
https://access.redhat.com/security/cve/CVE-2022-28327  
https://access.redhat.com/security/cve/CVE-2022-29154  
https://access.redhat.com/security/cve/CVE-2022-29824  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-32206  
https://access.redhat.com/security/cve/CVE-2022-32208  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYxA0ftzjgjWX9erEAQgcZBAAhpl5yhUlRDVqai0DF0VUbpNENP0oqAEU  
nSI4eOGm66Y8d2Qtymae3HwiP8Fa+FIg+QLlQqJaLSPRpttv1kxmB7vL2fzcDyQ2  
6VKUFLV9Lo9oSUqfAlvO8rbSWMvvickV3kTYC+HDgz5/Y3C2JKA1wlhn/5548Iq0  
syHaj/sLw3lYK9AsQDrgN+FWFnNgUsqPmb5WmgQ3HoYP4Ksq1jpcnWAtqkNl7eT4  
IeBAl1B8+I5l4eDj20HJyaGh5h37loCLW1NhcVeoqrwqnkWKVXcbXeYanEoRGCya  
Y38JtNmFlNLjQ69sWoyLonDqKdNQmnbhWRYzRjQF7nGAB+STG9uJ1e1e75T4IoD7  
m0gMS30vjC9rqV455m8sOeDwNf+1rPAXmgC5QR1mEavd1LphlHkO56a+j4aPVPGV  
V/ItM94tAuFvdkL7ZPRMxNux0CMzkBtvEeh3wbUXWF1UKw6ew8yhLHoUevCI2paT  
ggXr3kbBV5yAKgT/+c6TRGYiI66pV1RjCOpE/tJYYpiNhq2dhxjpm0e9RRxLtoTK  
EazQq5tWEYDqNcY2LmXIAwgnIhygqy6HXVBI04rqdI4WKgHPtnp8vfSNaArfSCUP  
kC85ROZc6ZTBOPVWEBT34Y64lPO37jzXhuvvytOmOtUJbuWn4XFl9rRswRnv/yKU  
Rl4NtEV1XHs=zaXV  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6290-01

Red Hat Security Advisory 2022-6277-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include denial of service and traversal vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Service Mesh 2.1.5 security update  
Advisory ID:       RHSA-2022:6277-01  
Product:           Red Hat OpenShift Service Mesh  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6277  
Issue date:        2022-08-31  
CVE Names:         CVE-2022-24675 CVE-2022-24785 CVE-2022-24921  
                   CVE-2022-28327 CVE-2022-29526 CVE-2022-30629  
                   CVE-2022-31129  
====================================================================  
1. Summary:

Red Hat OpenShift Service Mesh 2.1.5

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 2.1 - noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio  
service mesh project, tailored for installation into an OpenShift Container  
Platform installation.

This advisory covers the RPM packages for the release.

Security Fix(es):

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)  
* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)  
* moment: Moment.js: Path traversal in moment.locale (CVE-2022-24785)  
* golang: regexp: stack exhaustion via a deeply nested expression  
(CVE-2022-24921)  
* golang: crypto/elliptic: panic caused by oversized scalar  
(CVE-2022-28327)  
* golang: syscall: faccessat checks wrong group (CVE-2022-29526)  
* golang: crypto/tls: session tickets lack random ticket_age_add  
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh Release Notes provide information on the  
features and known issues:

https://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression  
2072009 - CVE-2022-24785 Moment.js: Path traversal  in moment.locale  
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode  
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar  
2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group  
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add  
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS

6. Package List:

OpenShift Service Mesh 2.1:

Source:  
servicemesh-2.1.5-1.el8.src.rpm  
servicemesh-operator-2.1.5-1.el8.src.rpm  
servicemesh-prometheus-2.23.0-9.el8.src.rpm  
servicemesh-proxy-2.1.5-1.el8.src.rpm  
servicemesh-ratelimit-2.1.5-1.el8.src.rpm

noarch:  
servicemesh-proxy-wasm-2.1.5-1.el8.noarch.rpm

ppc64le:  
servicemesh-2.1.5-1.el8.ppc64le.rpm  
servicemesh-cni-2.1.5-1.el8.ppc64le.rpm  
servicemesh-operator-2.1.5-1.el8.ppc64le.rpm  
servicemesh-pilot-agent-2.1.5-1.el8.ppc64le.rpm  
servicemesh-pilot-discovery-2.1.5-1.el8.ppc64le.rpm  
servicemesh-prometheus-2.23.0-9.el8.ppc64le.rpm  
servicemesh-proxy-2.1.5-1.el8.ppc64le.rpm  
servicemesh-proxy-debuginfo-2.1.5-1.el8.ppc64le.rpm  
servicemesh-proxy-debugsource-2.1.5-1.el8.ppc64le.rpm  
servicemesh-ratelimit-2.1.5-1.el8.ppc64le.rpm

s390x:  
servicemesh-2.1.5-1.el8.s390x.rpm  
servicemesh-cni-2.1.5-1.el8.s390x.rpm  
servicemesh-operator-2.1.5-1.el8.s390x.rpm  
servicemesh-pilot-agent-2.1.5-1.el8.s390x.rpm  
servicemesh-pilot-discovery-2.1.5-1.el8.s390x.rpm  
servicemesh-prometheus-2.23.0-9.el8.s390x.rpm  
servicemesh-proxy-2.1.5-1.el8.s390x.rpm  
servicemesh-proxy-debuginfo-2.1.5-1.el8.s390x.rpm  
servicemesh-proxy-debugsource-2.1.5-1.el8.s390x.rpm  
servicemesh-ratelimit-2.1.5-1.el8.s390x.rpm

x86_64:  
servicemesh-2.1.5-1.el8.x86_64.rpm  
servicemesh-cni-2.1.5-1.el8.x86_64.rpm  
servicemesh-operator-2.1.5-1.el8.x86_64.rpm  
servicemesh-pilot-agent-2.1.5-1.el8.x86_64.rpm  
servicemesh-pilot-discovery-2.1.5-1.el8.x86_64.rpm  
servicemesh-prometheus-2.23.0-9.el8.x86_64.rpm  
servicemesh-proxy-2.1.5-1.el8.x86_64.rpm  
servicemesh-proxy-debuginfo-2.1.5-1.el8.x86_64.rpm  
servicemesh-proxy-debugsource-2.1.5-1.el8.x86_64.rpm  
servicemesh-ratelimit-2.1.5-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-24675  
https://access.redhat.com/security/cve/CVE-2022-24785  
https://access.redhat.com/security/cve/CVE-2022-24921  
https://access.redhat.com/security/cve/CVE-2022-28327  
https://access.redhat.com/security/cve/CVE-2022-29526  
https://access.redhat.com/security/cve/CVE-2022-30629  
https://access.redhat.com/security/cve/CVE-2022-31129  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYw/gI9zjgjWX9erEAQifIQ//YwnTe6Nn5vgn9won2gFtjcCtUJV8lsqD  
+SB1rTd4vlU8qu6uX0lIWKy3AE8EBcb/kGO47Qyah8H+/AG1mTWpRz3KAYVeHUXx  
vBni5XNsgd7nw9jGf1mPLaGPzS0wB1DB07FzdrNqWXp/CZJTLidzG8wHO27TzTFD  
Rnjq+MHQ3lnjrotjwsk9YgT1jxirHUKK0t5S6/xPxMRmPQeA67Rtqfwydx4l9rDk  
npKrDczBAHNM1jgdF9OQGq5EOSDrzlcCmac5KmJbqjLU7E9JyKeqxd4GhnswfJM+  
WMhpzNnp7+NrACDY1Iyrkvj84mri/wby1AzW5YMSdlbWbdMD0VraIAUl2VFTumm9  
i28sJsoA6YIgSjNwtr4tfsrMPAaB7z/geHr1GXGXOQVkVe4HDw1q/RSXRdKSsosj  
AN7M2FFM5lenJCFbCJVtDWQW8AMrT0YQ2POfr4bMf8FaB6yWlzkk/OgqcBp1FjAh  
H7fNMFiHAVxSf63dL/9okP1J6ibUvdDHzoLT2Pg4jSGnbs9J9nJUfKceLOc7JK3D  
2x7WaRludd40qFZKYj4lPeHeTDzKay55Xv/yvToZegzPVW9JXLCiRcr2HJI82Ow0  
WpbCY7x7qpWYKJShE9nxVq8DrFdGNmb6wrL85KocT5KBNRMWwXUk/cFQZTjAUJ/K  
Zr5mAm3CAjw=QTJn  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#ssl