-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Moderate: Migration Toolkit for Containers (MTC) 1.6.5 security and bug fix update
Advisory ID:       RHSA-2022:4814-01
Product:           Red Hat Migration Toolkit
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4814
Issue date:        2022-05-31
CVE Names:         CVE-2018-25032 CVE-2020-0404 CVE-2020-4788
                   CVE-2020-13974 CVE-2020-19131 CVE-2020-27820
                   CVE-2020-35492 CVE-2021-0941 CVE-2021-3612
                   CVE-2021-3634 CVE-2021-3669 CVE-2021-3737
                   CVE-2021-3743 CVE-2021-3744 CVE-2021-3752
                   CVE-2021-3759 CVE-2021-3764 CVE-2021-3772
                   CVE-2021-3773 CVE-2021-3807 CVE-2021-4002
                   CVE-2021-4037 CVE-2021-4083 CVE-2021-4157
                   CVE-2021-4189 CVE-2021-4197 CVE-2021-4203
                   CVE-2021-20322 CVE-2021-21781 CVE-2021-26401
                   CVE-2021-29154 CVE-2021-37159 CVE-2021-39293
                   CVE-2021-41617 CVE-2021-41864 CVE-2021-42739
                   CVE-2021-43056 CVE-2021-43389 CVE-2021-43976
                   CVE-2021-44733 CVE-2021-45485 CVE-2021-45486
                   CVE-2022-0001 CVE-2022-0002 CVE-2022-0286
                   CVE-2022-0322 CVE-2022-1011 CVE-2022-1154
                   CVE-2022-1271
====================================================================
1. Summary:

The Migration Toolkit for Containers (MTC) 1.6.5 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The Migration Toolkit for Containers (MTC) enables you to migrate
Kubernetes resources, persistent volume data, and internal container images
between OpenShift Container Platform clusters, using the MTC web console or
the Kubernetes API.

Security Fix(es):

* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching
ANSI escape codes (CVE-2021-3807)

* golang: archive/zip: malformed archive may cause panic or memory
exhaustion (incomplete fix of CVE-2021-33196) (CVE-2021-39293)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to install and use MTC, refer to:

https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2006044 - CVE-2021-39293 golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196)
2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
2057579 - [MTC UI] Cancel button on ?Migrations? page does not disappear when migration gets Failed/Succeeded with warnings
2072311 - HPAs of DeploymentConfigs are not being updated when migration from Openshift 3.x to Openshift 4.x
2074044 - [MTC] Rsync pods are not running as privileged
2074553 - Upstream Hook Runner image requires arguments be in a different order

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2020-0404
https://access.redhat.com/security/cve/CVE-2020-4788
https://access.redhat.com/security/cve/CVE-2020-13974
https://access.redhat.com/security/cve/CVE-2020-19131
https://access.redhat.com/security/cve/CVE-2020-27820
https://access.redhat.com/security/cve/CVE-2020-35492
https://access.redhat.com/security/cve/CVE-2021-0941
https://access.redhat.com/security/cve/CVE-2021-3612
https://access.redhat.com/security/cve/CVE-2021-3634
https://access.redhat.com/security/cve/CVE-2021-3669
https://access.redhat.com/security/cve/CVE-2021-3737
https://access.redhat.com/security/cve/CVE-2021-3743
https://access.redhat.com/security/cve/CVE-2021-3744
https://access.redhat.com/security/cve/CVE-2021-3752
https://access.redhat.com/security/cve/CVE-2021-3759
https://access.redhat.com/security/cve/CVE-2021-3764
https://access.redhat.com/security/cve/CVE-2021-3772
https://access.redhat.com/security/cve/CVE-2021-3773
https://access.redhat.com/security/cve/CVE-2021-3807
https://access.redhat.com/security/cve/CVE-2021-4002
https://access.redhat.com/security/cve/CVE-2021-4037
https://access.redhat.com/security/cve/CVE-2021-4083
https://access.redhat.com/security/cve/CVE-2021-4157
https://access.redhat.com/security/cve/CVE-2021-4189
https://access.redhat.com/security/cve/CVE-2021-4197
https://access.redhat.com/security/cve/CVE-2021-4203
https://access.redhat.com/security/cve/CVE-2021-20322
https://access.redhat.com/security/cve/CVE-2021-21781
https://access.redhat.com/security/cve/CVE-2021-26401
https://access.redhat.com/security/cve/CVE-2021-29154
https://access.redhat.com/security/cve/CVE-2021-37159
https://access.redhat.com/security/cve/CVE-2021-39293
https://access.redhat.com/security/cve/CVE-2021-41617
https://access.redhat.com/security/cve/CVE-2021-41864
https://access.redhat.com/security/cve/CVE-2021-42739
https://access.redhat.com/security/cve/CVE-2021-43056
https://access.redhat.com/security/cve/CVE-2021-43389
https://access.redhat.com/security/cve/CVE-2021-43976
https://access.redhat.com/security/cve/CVE-2021-44733
https://access.redhat.com/security/cve/CVE-2021-45485
https://access.redhat.com/security/cve/CVE-2021-45486
https://access.redhat.com/security/cve/CVE-2022-0001
https://access.redhat.com/security/cve/CVE-2022-0002
https://access.redhat.com/security/cve/CVE-2022-0286
https://access.redhat.com/security/cve/CVE-2022-0322
https://access.redhat.com/security/cve/CVE-2022-1011
https://access.redhat.com/security/cve/CVE-2022-1154
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYpYjbtzjgjWX9erEAQhT7g//Z2L9uO6nxiL9MntYac7CrNFsZzo5nfqN
qLiF1fkpIZ09tEQWGsfd2lEzsAAtyYOhhmCxeNkNjYkFkVO9Qs/p1VAAaFMBi3DE
GuiULePVslmn2GDiujvlIPUcej9OT1oUWitZUrOIqapRCMUs7k1KK1FFMJiRp53b
iC59lyHTH8Mbjbj0OWj+KlQCIJ3ejy/gzwGp9BXl15DUOhTpBefIVFob+xb0CMY8
+i0m/beinJ5LpkzgKpyr4pvxoeKmTtJmc10pqCj1BqrxgZwVAXx4x8J1vhUGJ5MJ
i4Eej2XQVFv7Bs24CMdGFlXvMZR+FV2R6IxWpremV6DAfDYzvSRwY5A3CKJGcsNX
7n9d8X4yDIT84rmsdwBkcoD60OO0ijipRbVmSvBEbsnWLmHaYxnMme3gz3NJW9+2
z1/4aX/9tswJCBDUuh4sL3EgYX0OMxoRN/MKCNcWykmMcLBNYKXuIVnqlz4M/vxD
LbGZXlbbQZ27XvbYcLjXta0jUguzFna/OVUzM0HIHn+/WFEQqe9JX2lggiotIvb/
NtDrYOjcceVICo4QI+E32yk7Jn8Ai+mNgdepv2GwTcQy/CEA2Gy/HXSOMzolEWkJ
jhymgnci5w4pvAekigvRMgehqqIUPY+qqlL0PRJB93l5g1sm/gPAcJscZ+SEIqWQ
hx/bwWtTMqg=L0aQ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce