====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Container Storage 4.7 RPM security, bug fix, and enhancement update
Advisory ID:       RHSA-2021:2042-01
Product:           Red Hat OpenShift Container Storage
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2042
Issue date:        2021-05-19
CVE Names:         CVE-2020-26160 CVE-2020-28362
====================================================================

1. Summary:

An updated mcg RPM that includes numerous security fixes, bug fixes, and
enhancements is now available for Red Hat OpenShift Container Storage 4.7.0
on Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Storage 4.7 on RHEL-8 - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Storage is software-defined storage integrated
with and optimized for the Red Hat OpenShift Container Platform. Red Hat
OpenShift Container Storage is a highly scalable, production-grade
persistent storage for stateful applications running in the Red Hat
OpenShift Container Platform. In addition to persistent storage, Red Hat
OpenShift Container Storage provisions a multicloud data management service
with an S3 compatible API.

Security Fix(es):

* jwt-go: access restriction bypass vulnerability (CVE-2020-26160)

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

Space precludes documenting all of these changes in this advisory. Users
are directed to the Red Hat OpenShift Container Storage Release Notes for
information on the most significant of these changes:

https://access.redhat.com/documentation/en-us/red_hat_openshift_container_storage/4.7/html-single/4.7_release_notes/index

All Red Hat OpenShift Container Storage users are advised to upgrade to
these updated images.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1883371 - CVE-2020-26160 jwt-go: access restriction bypass vulnerability
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1941502 - Respin MCG CLI RPM for 4.7.0

6. Package List:

Red Hat OpenShift Container Storage 4.7 on RHEL-8:

Source:
mcg-5.7.0-69.85e2026.5.7.el8.src.rpm

ppc64le:
mcg-5.7.0-69.85e2026.5.7.el8.ppc64le.rpm

s390x:
mcg-5.7.0-69.85e2026.5.7.el8.s390x.rpm

x86_64:
mcg-5.7.0-69.85e2026.5.7.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-26160
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.