—–BEGIN PGP SIGNED MESSAGE—–
\nHash: SHA256<\/p>\n
====================================================================
\nRed Hat Security Advisory<\/p>\n
Synopsis: Moderate: OpenShift sandboxed containers 1.2.0 security update
\nAdvisory ID: RHSA-2022:0855-01
\nProduct: Red Hat OpenShift Enterprise
\nAdvisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:0855
\nIssue date: 2022-03-14
\nCVE Names: CVE-2021-36221 CVE-2021-44716
\n====================================================================
\n1. Summary:<\/p>\n
OpenShift sandboxed containers 1.2.0 is now available.<\/p>\n
Red Hat Product Security has rated this update as having a security impact
\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score,
\nwhich gives a detailed severity rating, is available for each vulnerability
\nfrom the CVE links in the References section.<\/p>\n
2. Description:<\/p>\n
OpenShift sandboxed containers support for OpenShift Container Platform
\nprovides users with built-in support for running Kata containers as an
\nadditional, optional runtime.<\/p>\n
This advisory contains an update for OpenShift sandboxed containers with
\nenhancements, security updates, and bug fixes.<\/p>\n
Space precludes documenting all of the updates to OpenShift sandboxed
\ncontainers in this advisory. See the following Release Notes documentation,
\nwhich will be updated shortly for this release, for details about these
\nchanges:<\/p>\n
https:\/\/docs.openshift.com\/container-platform\/4.10\/sandboxed_containers\/sandboxed-containers-release-notes.html<\/p>\n
Security Fixes:<\/p>\n
* net\/http: limit growth of header canonicalization cache (CVE-2021-44716)<\/p>\n
* net\/http\/httputil: panic due to racy read of persistConn after handler
\npanic (CVE-2021-36221)<\/p>\n
For more details about the security issues, including the impact, a CVSS
\nscore, acknowledgments, and other related information, refer to the CVE
\npages listed in the References section.<\/p>\n
3. Solution:<\/p>\n
For details on how to apply this update, which includes the changes
\ndescribed in this advisory, refer to:
\nhttps:\/\/docs.openshift.com\/container-platform\/latest\/sandboxed_containers\/upgrade-sandboxed-containers.html<\/p>\n
4. Bugs fixed (https:\/\/bugzilla.redhat.com\/):<\/p>\n
1995656 – CVE-2021-36221 golang: net\/http\/httputil: panic due to racy read of persistConn after handler panic
\n2030801 – CVE-2021-44716 golang: net\/http: limit growth of header canonicalization cache<\/p>\n
5. JIRA issues fixed (https:\/\/issues.jboss.org\/):<\/p>\n
KATA-1015 – 1.2: unused sourceImage field in KataConfig is confusing
\nKATA-1019 – 1.2: annotations state Operator is only supported on OCP 4.8
\nKATA-1027 – Newer kata-containers shimv2 (from kata-2.2.0 onwards) doesn’t work with OCP.
\nKATA-1118 – Attempt to uninstall while installation is in progress blocks
\nKATA-1134 – Metrics doesn’t work with the latest runtime cgroups improvements and simplifications
\nKATA-1183 – security warning when creating daemonset for kata-monitor
\nKATA-1184 – MachineConfigPool kata-oc is not removed with KataConfig CRD is deleted
\nKATA-1189 – pods for kata-monitor daemonset don’t start: SCC issues
\nKATA-1190 – Operator not reconciling when node labels are changed
\nKATA-1195 – Error: CreateContainer failed: Permission denied (os error 13): unknown
\nKATA-1205 – openshift-sandboxed-containers-operator namespace not labelled for kata metrics
\nKATA-1219 – kata-monitor will forget about a kata pod if an error happens while retrieving the metrics
\nKATA-1222 – daemonset creation fails with reconciler error
\nKATA-1224 – wrong channels and default version in internal build
\nKATA-1225 – upgrade from 1.1.0 to 1.2.0 failed
\nKATA-1247 – kataconfig can’t be applied due to syntax error
\nKATA-1249 – use official pullspec for metrics daemonset as default in kataconfig CRD
\nKATA-1288 – changes to spec.kataMonitorImage are not reconciled
\nKATA-1334 – Unable to loop mount file based image inside Kata container
\nKATA-1340 – runtime installation shows no progress after creating kataconfig
\nKATA-1383 – fix RHSA-2022:0658 (cyrus-sasl)
\nKATA-553 – Worker node is not being created when scaling up a cluster with the Kata operator installed
\nKATA-588 – kata 2.0: stop a container spam crio logs continously
\nKATA-817 – There are no logs coming from kata-containers agent<\/p>\n
6. References:<\/p>\n
https:\/\/access.redhat.com\/security\/cve\/CVE-2021-36221
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-44716
\nhttps:\/\/access.redhat.com\/security\/updates\/classification\/#moderate<\/p>\n
7. Contact:<\/p>\n
The Red Hat security contact is <secalert@redhat.com>. More contact
\ndetails at https:\/\/access.redhat.com\/security\/team\/contact\/<\/p>\n
Copyright 2022 Red Hat, Inc.
\n—–BEGIN PGP SIGNATURE—–
\nVersion: GnuPG v1<\/p>\n
iQIVAwUBYjBXvtzjgjWX9erEAQjqww\/\/RMCA4qDjnMLRInZJc\/3rOsThXEsGG\/v8
\n5ZRFWBfIy87MkhgiLR4MDdM2\/EdOOhD27KBCZWC5mLvxM+y4GKRVR\/nzYeYjf+L4
\n3bDg7Sx\/e52yRpgMJ4Ld5EhmSwsREins6UlPlROr\/O9UgDRaBBloENWCvaJr+iVN
\no\/uO5MjmHGrnBMixP8weVDAeC5fvBVtcNHXRiqcqIRf5XauFj2GwyOdfZR6KuzMr
\nH5M97bQa7bAYnDaeCSml+kjD3pSN\/Eei+Ngj72x4kal+aQYf\/lV1RCp6+BSZpTlG
\nv4UmGz1OJlrJspdeixwp6MQ9k+qthtpZcR1+oQwuTlfqWq7KtlX+hpv77KaGU0Nx
\nkrqA5rmQJE1mNPQBcX1TbhlL+IayAAMUjG\/U57k75Q8d9jFYsHtn7mCZtCcnjTei
\n7FxrH9cIJbzdC8Fg3FSsn0fg2ts3bVo8VFr6mLSTmnCTh0CoOkNi1VoUYmxOjnVE
\nQan3wK+3F2ykVssUlGBnjSwP9FIxDILKBT5e+Ty+90v3PYx3H7wGY38AbgZrYMJP
\nSW0ha0Q+1TUcriLTgdJPHYctGWrWtINvCdZX7WuBwy1x90jz5hPz\/whk31+8Ezz0
\ntWEyG6GBc2UxOZRBzQFVVqTZjxUUH961iGLLZEh\/onvBWv9\/XoFkZnlYRV4pm2EH
\ndtS2WFZnPsg=z3KT
\n—–END PGP SIGNATURE—–
\n—
\nRHSA-announce mailing list
\nRHSA-announce@redhat.com
\nhttps:\/\/listman.redhat.com\/mailman\/listinfo\/rhsa-announce<\/p>\n","protected":false},"excerpt":{"rendered":"
—–BEGIN PGP SIGNED MESSAGE—– Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift sandboxed containers 1.2.0 security update Advisory ID: RHSA-2022:0855-01 Product: Red Hat OpenShift Enterprise Advisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:0855 Issue date: 2022-03-14 CVE Names: CVE-2021-36221 CVE-2021-44716 ==================================================================== 1. Summary: OpenShift sandboxed containers 1.2.0 is now available. Red Hat Product Security has rated this update …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21783","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21783"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21783\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}