Red Hat 9062 Published by

A Migration Toolkit for Containers (MTC) 1.7.10 security and bug fix update has been released.



[RHSA-2023:3624-01] Important: Migration Toolkit for Containers (MTC) 1.7.10 security and bug fix update


==================================================================== Red Hat Security Advisory

Synopsis: Important: Migration Toolkit for Containers (MTC) 1.7.10 security and bug fix update
Advisory ID: RHSA-2023:3624-01
Product: Red Hat Migration Toolkit
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3624
Issue date: 2023-06-15
CVE Names: CVE-2021-46848 CVE-2022-1304 CVE-2022-2795
CVE-2022-2880 CVE-2022-3627 CVE-2022-3970
CVE-2022-4304 CVE-2022-4450 CVE-2022-25147
CVE-2022-35737 CVE-2022-36227 CVE-2022-41715
CVE-2022-41717 CVE-2022-42898 CVE-2022-47629
CVE-2023-0215 CVE-2023-0286 CVE-2023-0361
CVE-2023-1999 CVE-2023-2491 CVE-2023-22490
CVE-2023-23946 CVE-2023-24534 CVE-2023-24536
CVE-2023-24537 CVE-2023-24538 CVE-2023-24540
CVE-2023-25652 CVE-2023-25815 CVE-2023-27535
CVE-2023-29007
====================================================================
1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.10 is now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es) from Bugzilla:

* golang: html/template: improper handling of JavaScript whitespace
(CVE-2023-24540)

* golang: net/http, net/textproto: denial of service from excessive memory
allocation (CVE-2023-24534)

* golang: net/http, net/textproto, mime/multipart: denial of service from
excessive resource consumption (CVE-2023-24536)

* golang: go/parser: Infinite loop in parsing (CVE-2023-24537)

* golang: html/template: backticks not treated as string delimiters
(CVE-2023-24538)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed ( https://bugzilla.redhat.com/):

2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters
2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace
2204461 - Adjust rsync options in DVM
2210565 - Direct migration completes with warnings, failing on DVM phase
2212528 - Rsync pod fails due to error in starting client-server protocol (code 5)

5. References:

https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-2795
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-3627
https://access.redhat.com/security/cve/CVE-2022-3970
https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-25147
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/cve/CVE-2022-47629
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-1999
https://access.redhat.com/security/cve/CVE-2023-2491
https://access.redhat.com/security/cve/CVE-2023-22490
https://access.redhat.com/security/cve/CVE-2023-23946
https://access.redhat.com/security/cve/CVE-2023-24534
https://access.redhat.com/security/cve/CVE-2023-24536
https://access.redhat.com/security/cve/CVE-2023-24537
https://access.redhat.com/security/cve/CVE-2023-24538
https://access.redhat.com/security/cve/CVE-2023-24540
https://access.redhat.com/security/cve/CVE-2023-25652
https://access.redhat.com/security/cve/CVE-2023-25815
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-29007
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is [secalert@redhat.com]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

--