RedHat: RHSA-2023-1816:01 Moderate: Red Hat OpenShift Data Foundation
Summary
Red Hat OpenShift Data Foundation is software-defined storage integrated
with and optimized for the Red Hat OpenShift Data Foundation. Red Hat
OpenShift Data Foundation is a highly scalable, production-grade persistent
storage for stateful applications running in the Red Hat OpenShift
Container Platform. In addition to persistent storage, Red Hat OpenShift
Data Foundation provisions a multicloud data management service with an S3
compatible API.
Security Fix(es):
* golang: net/http: An attacker can cause excessive memory growth in a Go
server accepting HTTP/2 requests (CVE-2022-41717)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* [backport 4.12] s3 sync directory to a bucket fails with Internal Error
in between the upload operation (BZ#2170416)
* [4.12 clone] [Noobaa] Secrets are used in env variables (BZ#2171968)
* [Backport to 4.12.z] Placeholder bug to backport the odf changes for
Managed services epic RHSTOR-2442 to 4.12.z (BZ#2174335)
* [ODF 4.12] Missing the status-reporter binary causing pods
"report-status-to-provider" remain in CreateContainerError on ODF to ODF
cluster on ROSA (BZ#2179978)
* [MDR] After upgrade(redhat-operators) on hub from 4.12.1 to 4.12.2
noticed 2 token-exchange-agent pods on managed clusters and one of them on
CBLO (BZ#2183198)
Summary
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2020-10735 https://access.redhat.com/security/cve/CVE-2021-28861 https://access.redhat.com/security/cve/CVE-2022-4304 https://access.redhat.com/security/cve/CVE-2022-4415 https://access.redhat.com/security/cve/CVE-2022-4450 https://access.redhat.com/security/cve/CVE-2022-40897 https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/cve/CVE-2022-45061 https://access.redhat.com/security/cve/CVE-2022-48303 https://access.redhat.com/security/cve/CVE-2023-0215 https://access.redhat.com/security/cve/CVE-2023-0286 https://access.redhat.com/security/cve/CVE-2023-23916 https://access.redhat.com/security/updates/classification/#moderate
Package List
Topic
Updated images that fix several bugs are now available for Red HatOpenShift Data Foundation 4.12.2 on Red Hat Enterprise Linux 8 from Red HatContainer Registry.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Bugs Fixed
2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests
2171968 - [4.12 clone] [Noobaa] Secrets are used in env variables
2174335 - [Backport to 4.12.z] Placeholder bug to backport the odf changes for Managed services epic RHSTOR-2442 to 4.12.z
2175365 - [4.12.z] Upgrade from 4.12.0 to 4.12.1 doesn't work
2179978 - [ODF 4.12] Missing the status-reporter binary causing pods "report-status-to-provider" remain in CreateContainerError on ODF to ODF cluster on ROSA
2183198 - [MDR] After upgrade(redhat-operators) on hub from 4.12.1 to 4.12.2 noticed 2 token-exchange-agent pods on managed clusters and one of them on CBLO
2186455 - Include at ODF 4.12 container images the RHEL8 CVE fix on "openssl"