{"id":34161,"date":"2022-11-28T20:30:23","date_gmt":"2022-11-28T17:30:23","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/170027\/RHSA-2022-8634-01.txt"},"modified":"2022-11-30T08:48:10","modified_gmt":"2022-11-30T05:18:10","slug":"red-hat-security-advisory-2022-8634-01","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/red-hat-security-advisory-2022-8634-01\/","title":{"rendered":"Red Hat Security Advisory 2022-8634-01"},"content":{"rendered":"

—–BEGIN PGP SIGNED MESSAGE—–
\nHash: SHA256<\/p>\n

====================================================================
\nRed Hat Security Advisory<\/p>\n

Synopsis: Moderate: OpenShift API for Data Protection (OADP) 1.1.1 security and bug fix update
\nAdvisory ID: RHSA-2022:8634-01
\nProduct: OpenShift API for Data Protection
\nAdvisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:8634
\nIssue date: 2022-11-28
\nCVE Names: CVE-2020-35525 CVE-2020-35527 CVE-2022-2509
\nCVE-2022-3515 CVE-2022-27191 CVE-2022-27664
\nCVE-2022-30632 CVE-2022-30635 CVE-2022-32190
\nCVE-2022-34903 CVE-2022-37434 CVE-2022-40674
\n====================================================================
\n1. Summary:<\/p>\n

OpenShift API for Data Protection (OADP) 1.1.1 is now available.<\/p>\n

Red Hat Product Security has rated this update as having a security impact
\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
\ngives a detailed severity rating, is available for each vulnerability from
\nthe CVE link(s) in the References section.<\/p>\n

2. Description:<\/p>\n

OpenShift API for Data Protection (OADP) enables you to back up and restore
\napplication resources, persistent volume data, and internal container
\nimages to external backup storage. OADP enables both file system-based and
\nsnapshot-based backups for persistent volumes.<\/p>\n

Security Fix(es) from Bugzilla:<\/p>\n

* golang: crash in a golang.org\/x\/crypto\/ssh server (CVE-2022-27191)<\/p>\n

* golang: net\/http: handle server errors after sending GOAWAY
\n(CVE-2022-27664)<\/p>\n

* golang: path\/filepath: stack exhaustion in Glob (CVE-2022-30632)<\/p>\n

* golang: encoding\/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)<\/p>\n

* golang: net\/url: JoinPath does not strip relative path components in all
\ncircumstances (CVE-2022-32190)<\/p>\n

For more details about the security issue(s), including the impact, a CVSS
\nscore, and other related information, refer to the CVE page(s) listed in
\nthe References section.<\/p>\n

3. Solution:<\/p>\n

For details on how to apply this update, refer to:<\/p>\n

https:\/\/access.redhat.com\/articles\/11258<\/p>\n

4. Bugs fixed (https:\/\/bugzilla.redhat.com\/):<\/p>\n

2064702 – CVE-2022-27191 golang: crash in a golang.org\/x\/crypto\/ssh server
\n2107386 – CVE-2022-30632 golang: path\/filepath: stack exhaustion in Glob
\n2107388 – CVE-2022-30635 golang: encoding\/gob: stack exhaustion in Decoder.Decode
\n2124668 – CVE-2022-32190 golang: net\/url: JoinPath does not strip relative path components in all circumstances
\n2124669 – CVE-2022-27664 golang: net\/http: handle server errors after sending GOAWAY<\/p>\n

5. JIRA issues fixed (https:\/\/issues.jboss.org\/):<\/p>\n

OADP-1002 – DataMover: Backup partially fails for a namespace without PVC
\nOADP-1016 – DataMover: Restore randomly fails with “secrets vsr-lttsv-secret already exists” error
\nOADP-1020 – DataMover: restore partiallyFailed with “Plugin Panicked” error
\nOADP-1027 – DataMover: VSB fails with error “cannot obtain source volumesnapshot”
\nOADP-608 – Data mover restic secret does not support GCP
\nOADP-609 – Data mover VSR validation for default volumesnapshotclass and storageclass
\nOADP-611 – Data mover VSR resources are sometimes created multiple times with multiple PVCs
\nOADP-612 – Data mover Backup & Restore needs to fail if a validation check fails
\nOADP-642 – OADP CRD descriptions should use the same capitalization as yaml fields
\nOADP-645 – Data mover performance on restore blocks restore process
\nOADP-662 – VSB\/VSR needs to fail if backup\/restore partially fails or fails
\nOADP-724 – Setting an excludedNamespace and includedNamespace in the same backup crashes velero
\nOADP-725 – DC Restic Post Restore Script handle restore name longer than 63 characters
\nOADP-731 – Backup partiallyFails with data mover if a stale snapshot is encountered
\nOADP-741 – Data Mover VSB\/VSR CRs do not include status on error
\nOADP-774 – OADP must-gather is getting stuck
\nOADP-794 – Second restore of CSI volume fails due to dataSource doesn’t match dataSourceRef
\nOADP-825 – CSI Volumesnapshot Deletion fails with nil pointer execption bug
\nOADP-849 – DataMover: restore PartiallyFails randomly with “ReplicationDestination.volsync.backube xxxx not found” error
\nOADP-927 – DataMover backup fails with nil pointer issue<\/p>\n

6. References:<\/p>\n

https:\/\/access.redhat.com\/security\/cve\/CVE-2020-35525
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2020-35527
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-2509
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-3515
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-27191
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-27664
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-30632
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-30635
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-32190
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-34903
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-37434
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-40674
\nhttps:\/\/access.redhat.com\/security\/updates\/classification\/#moderate<\/p>\n

7. Contact:<\/p>\n

The Red Hat security contact is <secalert@redhat.com>. More contact
\ndetails at https:\/\/access.redhat.com\/security\/team\/contact\/<\/p>\n

Copyright 2022 Red Hat, Inc.
\n—–BEGIN PGP SIGNATURE—–
\nVersion: GnuPG v1<\/p>\n

iQIVAwUBY4RbZdzjgjWX9erEAQgR4g\/\/VRZ+qp8+3SHAQLZyC4J\/a+4XMiG1yNR9
\nARgZnotH77GFNptWir6E+3ojUutCuH1pULW5FSGoGEuctF7YyKuNl1MqQy6GMVAB
\ntRTdsqaHwyDDWeli\/hM1TtZoPnBpXd5H9eoT0gfVipIpoylYik2mXlLnmvItEmVB
\nFq0ECkcqT4aVw9pQxhdlfFf\/lwgbf9QNRKIil+A7sG7xgJQ5oAekB3tACRotKWkL
\nVDjg+yFOMnfDDI04dfXqdexa1qKS3NI4vopPPfSjK4P+UwneWmw\/VXykx0NNd2n9
\n490WMv49s2mNPRHGssZfRZd+Yw0knUb1Iglut0SsC3KLuQ1O+Hod8xCWL2a3N11d
\nPRybAWgKDy6WceiT\/VXUq7agbassWTAijt8QPkKrTEiJTnO7JdoSGNKzKEblp6dU
\ngauBKnVKmNlnFrAVuwxQ+pXu7arn70mq9wyjNbq1eC4v\/bpfXJsWYyCVmPpZ83wR
\nuFSz0IwxW6gePFsKtKJhtk8EP4jB3ATiNW53d7nV9Dz++X0ltioerowg\/sJGeFq7
\nuISozqrAeTXZXSrd5yL1Of6IDWD9Tb43GAh6GJE6JRNPmMv3yUcAppyv\/uHOyiKN
\nBEfOcFclp56QYWTBiYXWd5Gex5PQW3hdZpwUl3g8bDF+Ikrup7wI6ktw\/SejmZuc
\nuXOU76pYWW4=x6Pt
\n—–END PGP SIGNATURE—–
\n—
\nRHSA-announce mailing list
\nRHSA-announce@redhat.com
\nhttps:\/\/listman.redhat.com\/mailman\/listinfo\/rhsa-announce<\/p>\n","protected":false},"excerpt":{"rendered":"

—–BEGIN PGP SIGNED MESSAGE—– Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift API for Data Protection (OADP) 1.1.1 security and bug fix update Advisory ID: RHSA-2022:8634-01 Product: OpenShift API for Data Protection Advisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:8634 Issue date: 2022-11-28 CVE Names: CVE-2020-35525 CVE-2020-35527 CVE-2022-2509 CVE-2022-3515 CVE-2022-27191 CVE-2022-27664 CVE-2022-30632 CVE-2022-30635 CVE-2022-32190 CVE-2022-34903 CVE-2022-37434 CVE-2022-40674 ==================================================================== …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-34161","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34161","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=34161"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34161\/revisions"}],"predecessor-version":[{"id":34209,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34161\/revisions\/34209"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=34161"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=34161"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=34161"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}