-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Migration Toolkit for Containers (MTC) 1.7.9 security and bug fix update
Advisory ID:       RHSA-2023:2107-01
Product:           Red Hat Migration Toolkit
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2107
Issue date:        2023-05-04
CVE Names:         CVE-2022-4304 CVE-2022-4450 CVE-2022-41724 
                   CVE-2022-41725 CVE-2023-0215 CVE-2023-0286 
                   CVE-2023-0361 CVE-2023-23916 CVE-2023-25173 
                   CVE-2023-28617 
=====================================================================

1. Summary:

The Migration Toolkit for Containers (MTC) 1.7.9 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es) from Bugzilla:

* golang: crypto/tls: large handshake records may cause panics
(CVE-2022-41724)

* golang: net/http, mime/multipart: denial of service from excessive
resource consumption (CVE-2022-41725)

* containerd: Supplementary groups are not set up properly (CVE-2023-25173)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly
2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics

5. References:

https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-41724
https://access.redhat.com/security/cve/CVE-2022-41725
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-23916
https://access.redhat.com/security/cve/CVE-2023-25173
https://access.redhat.com/security/cve/CVE-2023-28617
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZFNIXdzjgjWX9erEAQjZLg//Qss/RATn6qEdUmxr+5ca7dZB7vRc5xr2
hZOh4YEIKdQ5ka8aFz05fUIJhHmRIO0FZn8KUDWoLZNy20VcQXRgDqJAp3qaZ8e5
soWpeqcKTaEnHBGA0pa4QZP24yS/XVMiDdSvwYvSiRBXF0TDq0BLlo4t5bw5oMiv
DvicfYK0OnbmNho3NotXo9URmdo3xW1b62DKFPVXnZjQeRLbvlpQrwvNDLY1itV1
r1Cz4lIEEX6atNhBU7y8yE3TTg8S1ss4BtcM6FmkbyKuPz2m9f3AFGOlplXIhVq0
zNKegjfQR0xeRLvs71rJd+rSRZ/8L326SEHS+2+zmil+Krfx0dE26FwYwBE83sk9
PEWRQLhSweQonxthKSstoThHbaKQamIOm2pdOdYjqy1LAX8hV45QFTf8Yc4UD5o8
gGLU3+xdlLlGvo4rtgY4eK0/Sn+wxF5omrBxb4hdKMRcs1fdTQKx9tkAatzAEnzS
aOxtU2TLvxbp/O5kS9Ayqg1MuhL4sb3rN+RZMXEMSGu8cI97PGMNRLrtgbgoGCOI
jX/K4gA3IynIbqIt5m0xP7KA5KqMB/10iVIpwsZFR7Q8VkmSHX5pWyc3Of6Y/yHf
apspLbSdLGSE33VaVa5O4oxTt0U+OM1+3kwNXNSNuqL9I6uLqbTCcXYadSim+ycQ
i5zGVFwZRVQ=
=ODYu
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce