-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift API for Data Protection (OADP) 1.1.6 security and bug fix update
Advisory ID:       RHSA-2023:5314-01
Product:           OpenShift API for Data Protection
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5314
Issue date:        2023-09-20
CVE Names:         CVE-2020-24736 CVE-2022-21698 CVE-2022-41723 
                   CVE-2022-48281 CVE-2023-1667 CVE-2023-2253 
                   CVE-2023-2283 CVE-2023-2602 CVE-2023-2603 
                   CVE-2023-24532 CVE-2023-25173 CVE-2023-26604 
                   CVE-2023-27536 CVE-2023-28321 CVE-2023-28484 
                   CVE-2023-29469 CVE-2023-32360 CVE-2023-34969 
=====================================================================

1. Summary:

OpenShift API for Data Protection (OADP) 1.1.6 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore
application resources, persistent volume data, and internal container
images to external backup storage. OADP enables both file system-based and
snapshot-based backups for persistent volumes.

Security Fix(es):

* prometheus/client_golang: Denial of service using
InstrumentHandlerCounter (CVE-2022-21698)

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)

* distribution/distribution: DoS from malicious API request (CVE-2023-2253)

* golang: crypto/internal/nistec: specific unreduced P-256 scalars produce
incorrect results (CVE-2023-24532)

* containerd: Supplementary groups are not set up properly (CVE-2023-25173)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2189886 - CVE-2023-2253 distribution/distribution: DoS from malicious API request
2223355 - CVE-2023-24532 golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results

5. JIRA issues fixed (https://issues.redhat.com/):

OADP-2420 - oadp-1.1.x Restic restore is partially failing due to Pod Security standard 
OADP-2530 - Restore is partially failing for job resource 

6. References:

https://access.redhat.com/security/cve/CVE-2020-24736
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2022-48281
https://access.redhat.com/security/cve/CVE-2023-1667
https://access.redhat.com/security/cve/CVE-2023-2253
https://access.redhat.com/security/cve/CVE-2023-2283
https://access.redhat.com/security/cve/CVE-2023-2602
https://access.redhat.com/security/cve/CVE-2023-2603
https://access.redhat.com/security/cve/CVE-2023-24532
https://access.redhat.com/security/cve/CVE-2023-25173
https://access.redhat.com/security/cve/CVE-2023-26604
https://access.redhat.com/security/cve/CVE-2023-27536
https://access.redhat.com/security/cve/CVE-2023-28321
https://access.redhat.com/security/cve/CVE-2023-28484
https://access.redhat.com/security/cve/CVE-2023-29469
https://access.redhat.com/security/cve/CVE-2023-32360
https://access.redhat.com/security/cve/CVE-2023-34969
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJlC2O7AAoJENzjgjWX9erEIegP/jiQpwXy0aaKzfHzA0rXg1l8
vdXrQixzjdIROSjGgUUn55wQ6oPGJuza/eUcVgg6bTal7FsM68DlsEj61A3EE3TG
9kB+N3M2oHgjTnKHD1NVRZYpoFR1Fbyf2VCPaMQwzfkt7Qdg39gs0SiTgUFwVDCK
wzis/4Gx/bRY94TXmU9nl1FwqWZywTmtKufLqxJrQpYXUJrHkZxMH7Ks8rpOosj+
+30kZxCqjda9W0c0jU9hB9GcggejfeDeIuN5nC7oUYIE8gTscnvsY3odkr2TcH3b
KDKJ2XnVFg5P4RkBBL2B/iT1Bnw6eayrct0FFT3/u5HUKzM2jENyKi4z92HzeiMS
YpULP+seXtH27phR3zCNnO4QtorBg9WUtWdjTz2tlFPGym/W7FwUPKbINzjbnSC0
sj2c9nBZ4l9B3FYgLoe6jBZqiCC3nZ5+Xw8e60LPHlYGdRTV7ssTmqcNMTSjkq0P
y8fdvHmewndtY2RlvOroQEjTYoXVzVTA09HnN30Epulld19n+rCZMRRJUICNVLhJ
Eu121hROtRlneGMDAi/A5DbAXSazggv+4ruDaHjn3A1Xe6/ihBGH+HHF522iz6aP
/angx12WFRYvqtkqQ1p0qimkJjMaKDwCOiDzq1geUMosaaB9wWFjxeSQy54qhaV4
QnWeHUCp/nkyFbRRYSOf
=FDRT
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-5314:01 Moderate: OpenShift API for Data Protection

OpenShift API for Data Protection (OADP) 1.1.6 is now available

Summary

OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.
Security Fix(es):
* prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
* distribution/distribution: DoS from malicious API request (CVE-2023-2253)
* golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results (CVE-2023-24532)
* containerd: Supplementary groups are not set up properly (CVE-2023-25173)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2020-24736 https://access.redhat.com/security/cve/CVE-2022-21698 https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2022-48281 https://access.redhat.com/security/cve/CVE-2023-1667 https://access.redhat.com/security/cve/CVE-2023-2253 https://access.redhat.com/security/cve/CVE-2023-2283 https://access.redhat.com/security/cve/CVE-2023-2602 https://access.redhat.com/security/cve/CVE-2023-2603 https://access.redhat.com/security/cve/CVE-2023-24532 https://access.redhat.com/security/cve/CVE-2023-25173 https://access.redhat.com/security/cve/CVE-2023-26604 https://access.redhat.com/security/cve/CVE-2023-27536 https://access.redhat.com/security/cve/CVE-2023-28321 https://access.redhat.com/security/cve/CVE-2023-28484 https://access.redhat.com/security/cve/CVE-2023-29469 https://access.redhat.com/security/cve/CVE-2023-32360 https://access.redhat.com/security/cve/CVE-2023-34969 https://access.redhat.com/security/updates/classification/#moderate

Package List


Severity
Advisory ID: RHSA-2023:5314-01
Product: OpenShift API for Data Protection
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5314
Issued Date: : 2023-09-20
CVE Names: CVE-2020-24736 CVE-2022-21698 CVE-2022-41723 CVE-2022-48281 CVE-2023-1667 CVE-2023-2253 CVE-2023-2283 CVE-2023-2602 CVE-2023-2603 CVE-2023-24532 CVE-2023-25173 CVE-2023-26604 CVE-2023-27536 CVE-2023-28321 CVE-2023-28484 CVE-2023-29469 CVE-2023-32360 CVE-2023-34969

Topic

OpenShift API for Data Protection (OADP) 1.1.6 is now available.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter

2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding

2189886 - CVE-2023-2253 distribution/distribution: DoS from malicious API request

2223355 - CVE-2023-24532 golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results

5. JIRA issues fixed (https://issues.redhat.com/):

OADP-2420 - oadp-1.1.x Restic restore is partially failing due to Pod Security standard

OADP-2530 - Restore is partially failing for job resource


Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved