RHSA-2022:6430-01: Moderate: OpenShift API for Data Protection (OADP) 1.0.4 security and bug fix update

Red Hat 9042 Published by

An OpenShift API for Data Protection (OADP) 1.0.4 security and bug fix update has been released.



RHSA-2022:6430-01: Moderate: OpenShift API for Data Protection (OADP) 1.0.4 security and bug fix update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift API for Data Protection (OADP) 1.0.4 security and bug fix update
Advisory ID: RHSA-2022:6430-01
Product: OpenShift API for Data Protection
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:6430
Issue date: 2022-09-13
CVE Names: CVE-2021-3634 CVE-2021-40528 CVE-2022-1271
CVE-2022-1292 CVE-2022-1586 CVE-2022-1705
CVE-2022-1962 CVE-2022-2068 CVE-2022-2097
CVE-2022-2526 CVE-2022-21698 CVE-2022-24675
CVE-2022-25313 CVE-2022-25314 CVE-2022-26691
CVE-2022-29154 CVE-2022-29824 CVE-2022-30629
CVE-2022-30630 CVE-2022-30631 CVE-2022-32148
CVE-2022-32206 CVE-2022-32208
=====================================================================

1. Summary:

OpenShift API for Data Protection (OADP) 1.0.4 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore
application resources, persistent volume data, and internal container
images to external backup storage. OADP enables both file system-based and
snapshot-based backups for persistent volumes.

Security Fix(es):

* golang: net/http: improper sanitization of Transfer-Encoding header
(CVE-2022-1705)

* golang: go/parser: stack exhaustion in all Parse* functions
(CVE-2022-1962)

* prometheus/client_golang: Denial of service using
InstrumentHandlerCounter (CVE-2022-21698)

* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)

* golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: net/http/httputil: NewSingleHostReverseProxy - omit
X-Forwarded-For not working (CVE-2022-32148)

* golang: crypto/tls: session tickets lack random ticket_age_add
(CVE-2022-30629)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working

5. References:

  https://access.redhat.com/security/cve/CVE-2021-3634
  https://access.redhat.com/security/cve/CVE-2021-40528
  https://access.redhat.com/security/cve/CVE-2022-1271
  https://access.redhat.com/security/cve/CVE-2022-1292
  https://access.redhat.com/security/cve/CVE-2022-1586
  https://access.redhat.com/security/cve/CVE-2022-1705
  https://access.redhat.com/security/cve/CVE-2022-1962
  https://access.redhat.com/security/cve/CVE-2022-2068
  https://access.redhat.com/security/cve/CVE-2022-2097
  https://access.redhat.com/security/cve/CVE-2022-2526
  https://access.redhat.com/security/cve/CVE-2022-21698
  https://access.redhat.com/security/cve/CVE-2022-24675
  https://access.redhat.com/security/cve/CVE-2022-25313
  https://access.redhat.com/security/cve/CVE-2022-25314
  https://access.redhat.com/security/cve/CVE-2022-26691
  https://access.redhat.com/security/cve/CVE-2022-29154
  https://access.redhat.com/security/cve/CVE-2022-29824
  https://access.redhat.com/security/cve/CVE-2022-30629
  https://access.redhat.com/security/cve/CVE-2022-30630
  https://access.redhat.com/security/cve/CVE-2022-30631
  https://access.redhat.com/security/cve/CVE-2022-32148
  https://access.redhat.com/security/cve/CVE-2022-32206
  https://access.redhat.com/security/cve/CVE-2022-32208
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

ELA-677-1 zlib security update

Gigabyte MC62-G40 AMD Ryzen Threadripper Pro Motherboard Review and more

Windows

Linux

macOS

Community

  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...
  • StephanX
    Hi friends, i am new in the Linux universe but i try to ...
  • Philipp
    I would try the XanMod kernel: https://xanmod.orgĀ  I ...