Red Hat 9062 Published by

A Migration Toolkit for Containers (MTC) 1.7.11 security and bug fix update has been released.



[RHSA-2023:4293-01] Moderate: Migration Toolkit for Containers (MTC) 1.7.11 security and bug fix update


==================================================================== Red Hat Security Advisory

Synopsis: Moderate: Migration Toolkit for Containers (MTC) 1.7.11 security and bug fix update
Advisory ID: RHSA-2023:4293-01
Product: Red Hat Migration Toolkit
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4293
Issue date: 2023-07-27
CVE Names: CVE-2020-24736 CVE-2022-41723 CVE-2023-1667
CVE-2023-2283 CVE-2023-24329 CVE-2023-24539
CVE-2023-26125 CVE-2023-26604 CVE-2023-29400
CVE-2023-29401
====================================================================
1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.11 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es) from Bugzilla:

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)

* golang: html/template: improper sanitization of CSS values
(CVE-2023-24539)

* golang-github-gin-gonic-gin: Improper Input Validation (CVE-2023-26125)

* golang: html/template: improper handling of empty HTML attributes
(CVE-2023-29400)

* golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize
filename parameter of Context.FileAttachment function (CVE-2023-29401)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed ( https://bugzilla.redhat.com/):

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values
2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes
2203769 - CVE-2023-26125 golang-github-gin-gonic-gin: Improper Input Validation
2216957 - CVE-2023-29401 golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function

5. References:

https://access.redhat.com/security/cve/CVE-2020-24736
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2023-1667
https://access.redhat.com/security/cve/CVE-2023-2283
https://access.redhat.com/security/cve/CVE-2023-24329
https://access.redhat.com/security/cve/CVE-2023-24539
https://access.redhat.com/security/cve/CVE-2023-26125
https://access.redhat.com/security/cve/CVE-2023-26604
https://access.redhat.com/security/cve/CVE-2023-29400
https://access.redhat.com/security/cve/CVE-2023-29401
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is [secalert@redhat.com]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

--