Red Hat Product Errata RHSA-2023:4293 - Security Advisory
Issued:
2023-07-27
Updated:
2023-07-27

RHSA-2023:4293 - Security Advisory

Synopsis

Moderate: Migration Toolkit for Containers (MTC) 1.7.11 security and bug fix update

Type/Severity

Security Advisory: Moderate

Topic

The Migration Toolkit for Containers (MTC) 1.7.11 is now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.

Security Fix(es) from Bugzilla:

  • net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
  • golang: html/template: improper sanitization of CSS values (CVE-2023-24539)
  • golang-github-gin-gonic-gin: Improper Input Validation (CVE-2023-26125)
  • golang: html/template: improper handling of empty HTML attributes (CVE-2023-29400)
  • golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function (CVE-2023-29401)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Migration Toolkit 1 for RHEL 8 x86_64

Fixes

  • BZ - 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
  • BZ - 2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values
  • BZ - 2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes
  • BZ - 2203769 - CVE-2023-26125 golang-github-gin-gonic-gin: Improper Input Validation
  • BZ - 2216957 - CVE-2023-29401 golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function

x86_64

rhmtc/openshift-migration-controller-rhel8@sha256:4acee31f69a7073ff74e57a7951a0a6e82d97599fce50ac4efe085fd213910af
rhmtc/openshift-migration-hook-runner-rhel8@sha256:12a30ae012584c98d88bbf5b592c446ef01c99613d2ead6428a7c300379f7bb7
rhmtc/openshift-migration-legacy-rhel8-operator@sha256:d5e4fbece3335736271fd3c397a47b56f486a6bff74828ae3caa1bad71479ea9
rhmtc/openshift-migration-log-reader-rhel8@sha256:9bb77c878246943764eadc901a3be355b2e209cad4a847fd991edde8f892def8
rhmtc/openshift-migration-must-gather-rhel8@sha256:b494d414adaa0f840e5f73fb46a18d8782ce27993f357d0d76f97b0a0869fbdf
rhmtc/openshift-migration-openvpn-rhel8@sha256:faa6da69f2c290a593b2a2be7090d6a5f56ea15de6ed1096e4af2b71311d5160
rhmtc/openshift-migration-operator-bundle@sha256:e49cdb8a5591edc90a4e2e590848aeca3917c35bd736b442c87dca056526eb9d
rhmtc/openshift-migration-registry-rhel8@sha256:952df168a2a223fc4cb611631ca308633e792d31b20ddeede8ca7be81f875203
rhmtc/openshift-migration-rhel8-operator@sha256:3698e0abf4745cb21de11f7dd0ca820e18412ba120443f5b1e1fb47ea6f1ab56
rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:a9f2b722cac0640c9369652362fb23f36cf871d14f272d5e09ea441992ef44f2
rhmtc/openshift-migration-ui-rhel8@sha256:9e2c212ac1bf3ee88a71dcd7ee8982277c79d0591f804f1fe74e2d2556e6ac39
rhmtc/openshift-migration-velero-plugin-for-aws-rhel8@sha256:ed877c9443049533ac997f416275d243886686e541fcecc577f24fa67457e82e
rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8@sha256:8c364d88218f882fa2d681af9e380eb9d985adb177e3399e449d09edf0905e51
rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8@sha256:5f99efaa36d71c97e9efba6dbd75484726df26c096de53abe9c10bec0d830162
rhmtc/openshift-migration-velero-restic-restore-helper-rhel8@sha256:e4d53ac8ae53d83e3796d910cfa2bf0343fddc1363a4c37c93c7027b8148e3c4
rhmtc/openshift-migration-velero-rhel8@sha256:fa11c3717b862d9da0dfa9fb4f4c9d30af55f893ab0573775d1dc19f93352e8e
rhmtc/openshift-velero-plugin-rhel8@sha256:a160bac588b1e86544fe73fa2aef24c26f0e7d491200edf8c4508cfcecb18b9d

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.