-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Advanced Cluster Management 2.5 security updates, images, and bug fixes
Advisory ID:       RHSA-2022:4956-01
Product:           Red Hat ACM
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4956
Issue date:        2022-06-08
CVE Names:         CVE-2020-0404 CVE-2020-4788 CVE-2020-13974 
                   CVE-2020-19131 CVE-2020-27820 CVE-2021-0941 
                   CVE-2021-3612 CVE-2021-3634 CVE-2021-3669 
                   CVE-2021-3737 CVE-2021-3743 CVE-2021-3744 
                   CVE-2021-3752 CVE-2021-3759 CVE-2021-3764 
                   CVE-2021-3772 CVE-2021-3773 CVE-2021-3918 
                   CVE-2021-4002 CVE-2021-4037 CVE-2021-4083 
                   CVE-2021-4157 CVE-2021-4189 CVE-2021-4197 
                   CVE-2021-4203 CVE-2021-20322 CVE-2021-21781 
                   CVE-2021-26401 CVE-2021-29154 CVE-2021-37159 
                   CVE-2021-41190 CVE-2021-41864 CVE-2021-42739 
                   CVE-2021-43056 CVE-2021-43389 CVE-2021-43565 
                   CVE-2021-43816 CVE-2021-43858 CVE-2021-43976 
                   CVE-2021-44733 CVE-2021-45485 CVE-2021-45486 
                   CVE-2022-0001 CVE-2022-0002 CVE-2022-0235 
                   CVE-2022-0286 CVE-2022-0322 CVE-2022-0778 
                   CVE-2022-1011 CVE-2022-21803 CVE-2022-23806 
                   CVE-2022-24450 CVE-2022-24778 CVE-2022-24785 
                   CVE-2022-27191 CVE-2022-29810 
=====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.5.0 is now generally
available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which
gives a detailed severity rating, is available for each vulnerability from
the CVE links in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.5.0 images

Red Hat Advanced Cluster Management for Kubernetes provides the
capabilities to address common challenges that administrators and site
reliability engineers face as they work across a range of public and
private cloud environments. Clusters and applications are all visible and
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster
Management for Kubernetes, which fix several bugs and security issues. See
the following Release Notes documentation, which will be updated shortly
for this release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.5/html/release_notes/

Security fixes: 

* nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

* containerd: Unprivileged pod may bind mount any privileged regular file
on disk (CVE-2021-43816)

* minio: user privilege escalation in AddUser() admin API (CVE-2021-43858)

* openssl: Infinite loop in BN_mod_sqrt() reachable when parsing
certificates (CVE-2022-0778)

* imgcrypt: Unauthorized access to encryted container image on a shared
system due to missing check in CheckAuthorization() code path
(CVE-2022-24778)

* golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565)

* node-fetch: exposure of sensitive information to an unauthorized actor
(CVE-2022-0235)

* nconf: Prototype pollution in memory store (CVE-2022-21803)

* golang: crypto/elliptic IsOnCurve returns true for invalid field elements
(CVE-2022-23806)

* nats-server: misusing the "dynamically provisioned sandbox accounts"
feature authenticated user can obtain the privileges of the System account
(CVE-2022-24450)

* Moment.js: Path traversal in moment.locale (CVE-2022-24785)

* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

* go-getter: writes SSH credentials into logfile, exposing sensitive
credentials to local uses (CVE-2022-29810)

* opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)

Bug fixes:

* RFE Copy secret with specific secret namespace, name for source and name,
namespace and cluster label for target (BZ# 2014557)

* RHACM 2.5.0 images (BZ# 2024938)

* [UI] When you delete host agent from infraenv no confirmation message
appear (Are you sure you want to delete x?) (BZ#2028348)

* Clusters are in 'Degraded' status with upgrade env due to obs-controller
not working properly (BZ# 2028647)

* create cluster pool -> choose infra type, As a result infra providers
disappear from UI. (BZ# 2033339)

* Restore/backup shows up as Validation failed but the restore backup
status in ACM shows success (BZ# 2034279)

* Observability - OCP 311 node role are not displayed completely (BZ#
2038650)

* Documented uninstall procedure leaves many leftovers (BZ# 2041921)

* infrastructure-operator pod crashes due to insufficient privileges in ACM
2.5 (BZ# 2046554)

* Acm failed to install due to some missing CRDs in operator (BZ# 2047463)

* Navigation icons no longer showing in ACM 2.5 (BZ# 2051298)

* ACM home page now includes /home/ in url (BZ# 2051299)

* proxy heading in Add Credential should be capitalized (BZ# 2051349)

* ACM 2.5 tries to create new MCE instance when install on top of existing
MCE 2.0 (BZ# 2051983)

* Create Policy button does not work and user cannot use console to create
policy (BZ# 2053264)

* No cluster information was displayed after a policyset was created (BZ#
2053366)

* Dynamic plugin update does not take effect in Firefox (BZ# 2053516)

* Replicated policy should not be available when creating a Policy Set (BZ#
2054431)

* Placement section in Policy Set wizard does not reset when users click
"Back" to re-configured placement (BZ# 2054433)

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following
documentation, which will be updated shortly for this release, for
important
instructions on installing this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.5/html-single/install/index#installing

4. Bugs fixed (https://bugzilla.redhat.com/):

2014557 - RFE Copy secret with specific secret namespace, name for source and name, namespace and cluster label for target
2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability
2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion
2028224 - RHACM 2.5.0 images
2028348 - [UI] When you delete host agent from infraenv no confirmation message appear (Are you sure you want to delete x?)
2028647 - Clusters are in 'Degraded' status with upgrade env due to obs-controller not working properly
2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
2033339 - create cluster pool -> choose infra type , As a result infra providers disappear from UI.
2034279 - Restore/backup shows up as Validation failed but the restore backup status in ACM shows success
2036252 - CVE-2021-43858 minio: user privilege escalation in AddUser() admin API
2038650 - Observability - OCP 311 node role are not displayed completely
2041921 - Documented uninstall procedure leaves many leftovers
2044434 - CVE-2021-43816 containerd: Unprivileged pod may bind mount any privileged regular file on disk
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2046554 - infrastructure-operator pod crashes due to insufficient privileges in ACM 2.5
2047463 - Acm failed to install due to some missing CRDs in operator
2051298 - Navigation icons no longer showing in ACM 2.5
2051299 - ACM home page now includes /home/ in url
2051349 - proxy heading in Add Credential should be capitalized
2051983 - ACM 2.5 tries to create new MCE instance when install on top of existing MCE 2.0
2052573 - CVE-2022-24450 nats-server: misusing the "dynamically provisioned sandbox accounts" feature  authenticated user can obtain the privileges of the System account
2053264 - Create Policy button does not work and user cannot use console to create policy
2053366 - No cluster information was displayed after a policyset was created
2053429 - CVE-2022-23806 golang: crypto/elliptic IsOnCurve returns true for invalid field elements
2053516 - Dynamic plugin update does not take effect in Firefox
2054431 - Replicated policy should not be available when creating a Policy Set
2054433 - Placement section in Policy Set wizard does not reset when users click "Back" to re-configured placement
2054772 - credentialName is not parsed correctly in UI notifications/alerts when creating/updating a discovery config
2054860 - Cluster overview page crashes for on-prem cluster
2055333 - Unable to delete assisted-service operator
2055900 - If MCH is installed on existing MCE and both are in multicluster-engine namespace , uninstalling MCH terminates multicluster-engine namespace
2056485 - [UI]  In infraenv detail the host list don't have pagination
2056701 - Non platform install fails agentclusterinstall CRD is outdated in rhacm2.5
2057060 - [CAPI] Unable to create ClusterDeployment due to service account restrictions (ACM + Bundled Assisted)
2058435 - Label cluster.open-cluster-management.io/backup-cluster stamped 'unknown' for velero backups
2059779 - spec.nodeSelector is missing in MCE instance created by MCH upon installing ACM on infra nodes
2059781 - Policy UI crashes when viewing details of configuration policies for backupschedule that does not exist
2060135 - [assisted-install] agentServiceConfig left orphaned after uninstalling ACM
2060151 - Policy set of the same name cannot be re-created after the previous one has been deleted
2060230 - [UI] Delete host modal has incorrect host's name populated
2060309 - multiclusterhub stuck in installing on "ManagedClusterConditionAvailable" [intermittent]
2060469 - The development branch of the Submariner addon deploys 0.11.0, not 0.12.0
2060550 - MCE installation hang due to no console-mce-console deployment available
2060603 - prometheus doesn't display managed clusters
2060831 - Observability - prometheus-operator failed to start on *KS
2060934 - Cannot provision AWS OCP 4.9 cluster from Power Hub
2061260 - The value of the policyset placement should be filtered space when input cluster label expression
2061311 - Cleanup of installed spoke clusters hang on deletion of spoke namespace
2061659 - the network section in create cluster -> Networking include the brace in the network title
2061798 - [ACM 2.5] The service of Cluster Proxy addon was missing
2061838 - ACM component subscriptions are removed when enabling spec.disableHubSelfManagement in MCH
2062009 - No name validation is performed on Policy and Policy Set Wizards
2062022 - cluster.open-cluster-management.io/backup-cluster of velero schedules should populate the corresponding hub clusterID
2062025 - No validation is done on yaml's format or content in Policy and Policy Set wizards
2062202 - CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
2062337 - velero schedules get re-created after the backupschedule is in 'BackupCollision' phase
2062462 - Upgrade to 2.5 hang due to irreconcilable errors of grc-sub and search-prod-sub in MCH
2062556 - Always return the policyset page after created the policy from UI
2062787 - Submariner Add-on UI does not indicate on Broker error
2063055 - User with cluserrolebinding of open-cluster-management:cluster-manager-admin role can't see policies and clusters page
2063341 - Release imagesets are missing in the console for ocp 4.10
2063345 - Application Lifecycle- UI shows white blank page when the page is Refreshed
2063596 - claim clusters from clusterpool throws errors
2063599 - Update the message in clusterset -> clusterpool page since we did not allow to add clusterpool to clusterset by resourceassignment
2063697 - Observability - MCOCR reports object-storage secret without AWS access_key in STS enabled env
2064231 - Can not clean the instance type for worker pool when create the clusters
2064247 - prefer UI can add the architecture type when create the cluster
2064392 - multicloud oauth-proxy failed to log users in on web
2064477 - Click at "Edit Policy" for each policy leads to a blank page
2064509 - No option to view the ansible job details and its history in the Automation wizard after creation of the automation job
2064516 - Unable to delete an automation job of a policy
2064528 - Columns of Policy Set, Status and Source on Policy page are not sortable
2064535 - Different messages on the empty pages of Overview and Clusters when policy is disabled
2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server
2064722 - [Tracker] [DR][ACM 2.5] Applications are not getting deployed on managed cluster
2064899 - Failed to provision openshift 4.10 on bare metal
2065436 - "Filter" drop-down list does not show entries of the policies that have no top-level remediation specified
2066198 - Issues about disabled policy from UI
2066207 - The new created policy should be always shown up on the first line
2066333 - The message was confuse when the cluster status is Running
2066383 - MCE install failing on proxy disconnected environment
2066433 - Logout not working for ACM 2.5
2066464 - console-mce-console pods throw ImagePullError after upgrading to ocp 4.10
2066475 - User with view-only rolebinding should not be allowed to create policy, policy set and automation job
2066544 - The search box can't work properly in Policies page
2066594 - RFE:  Can't open the helm source link of the backup-restore-enabled policy from UI
2066650 - minor issues in cluster curator due to the startup throws errors
2066751 - the image repo of application-manager did not updated to use the image repo in MCE/MCH configuration
2066834 - Hibernating cluster(s) in cluster pool stuck in 'Stopping' status after restore activation
2066842 - cluster pool credentials are not backed up
2066914 - Unable to remove cluster value during configuration of the label expressions for policy and policy set
2066940 - Validation fired out for https proxy when the link provided not starting with https
2066965 - No message is displayed in Policy Wizard to indicate a policy externally managed
2066979 - MIssing groups in policy filter options comparing to previous RHACM version
2067053 - I was not able to remove the image mirror content when create the cluster
2067067 - Can't filter the cluster info when clicked the cluster in the Placement section
2067207 - Bare metal asset secrets are not backed up
2067465 - Categories,Standards, and Controls annotations are not updated after user has deleted a selected template
2067713 - Columns on policy's "Results" are not sort-able as in previous release
2067728 - Can't search in the policy creation or policyset creation Yaml editor
2068304 - Application Lifecycle- Replicasets arent showing the logs console in Topology
2068309 - For policy wizard in dynamics plugin environment, buttons at the bottom should be sticky and the contents of the Policy should scroll
2068312 - Application Lifecycle - Argo Apps are not showing overview details and topology after upgrading from 2.4
2068313 - Application Lifecycle - Refreshing overview page leads to a blank page
2068328 - A cluster's "View history" page should not contain all clusters' violations history
2068387 - Observability - observability operator always CrashLoopBackOff in FIPS upgrading hub
2068993 - Observability - Node list is not filtered according to nodeType on OCP 311 dashboard
2069329 - config-policy-controller addon with "Unknown" status in OCP 3.11 managed cluster after upgrade hub to 2.5
2069368 - CVE-2022-24778 imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path
2069469 - Status of unreachable clusters is not reported in several places on GRC panels
2069615 - The YAML editor can't work well when login UI using dynamic console plugin
2069622 - No validation for policy template's name
2069698 - After claim a cluster from clusterpool, the cluster pages become very very slow
2069867 - Error occurs when trying to edit an application set/subscription
2069870 - ACM/MCE Dynamic Plugins - 404: Page Not Found Error Occurs - intermittent crashing
2069875 - Cluster secrets are not being created in the managed cluster's namespace
2069895 - Application Lifecycle - Replicaset and Pods gives error messages when Yaml is selected on sidebar
2070203 - Blank Application is shown when editing an Application with AnsibleJobs
2070782 - Failed Secret Propagation to the Same Namespace as the AnsibleJob CR
2070846 - [ACM 2.5] Can't re-add the default clusterset label after removing it from a managedcluster on BM SNO hub
2071066 - Policy set details panel does not work when deployed into namespace different than "default"
2071173 - Configured RunOnce automation job is not displayed although the policy has no violation
2071191 - MIssing title on details panel after clicking "view details" of a policy set card
2071769 - Placement must be always configured or error is reported when creating a policy
2071818 - ACM logo not displayed in About info modal
2071869 - Topology includes the status of local cluster resources when Application is only deployed to managed cluster
2072009 - CVE-2022-24785 Moment.js: Path traversal  in moment.locale
2072097 - Local Cluster is shown as Remote on the Application Overview Page and Single App Overview Page
2072104 - Inconsistent "Not Deployed" Icon Used Between 2.4 and 2.5 as well as the Overview and Topology
2072177 - Cluster Resource Status is showing App Definition Statuses as well
2072227 - Sidebar Statuses Need to Be Updated to Reflect Cluster List and Cluster Resource Statuses
2072231 - Local Cluster not included in the appsubreport for Helm Applications Deployed on All Clusters
2072334 - Redirect URL is now to the details page after created a policy
2072342 - Shows "NaN%" in the ring chart when add the disabled policy into policyset and view its details
2072350 - CRD Deployed via Application Console does not have correct deployment status and spelling
2072359 - Report the error when editing compliance type in the YAML editor and then submit the changes
2072504 - The policy has violations on the failed managed cluster
2072551 - URL dropdown is not being rendered with an Argo App with a new URL
2072773 - When a channel is deleted and recreated through the App Wizard, application creation stalls and warning pops up
2072824 - The edit/delete policyset button should be greyed when using viewer check
2072829 - When Argo App with jsonnet object is deployed, topology and cluster status would fail to display the correct statuses.
2073179 - Policy controller was unable to retrieve violation status in for an OCP 3.11 managed cluster on ARM hub
2073330 - Observabilityy - memory usage data are not collected even collect rule is fired on SNO
2073355 - Get blank page when click policy with unknown status in Governance -> Overview page
2073508 - Thread responsible to get insights data from *ks clusters is broken
2073557 - appsubstatus is not deleted for Helm applications when changing between 2 managed clusters
2073726 - Placement of First Subscription gets overlapped by the Cluster Node in Application Topology
2073739 - Console/App LC - Error message saying resource conflict only shows up in standalone ACM but not in Dynamic plugin
2073740 - Console/App LC- Apps are deployed even though deployment do not proceed because of "resource conflict" error
2074178 - Editing Helm Argo Applications does not Prune Old Resources
2074626 - Policy placement failure during ZTP SNO scale test
2074689 - CVE-2022-21803 nconf: Prototype pollution in memory store
2074803 - The import cluster YAML editor shows the klusterletaddonconfig was required on MCE portal
2074937 - UI allows creating cluster even when there are no ClusterImageSets
2075416 - infraEnv failed to create image after restore
2075440 - The policyreport CR is created for spoke clusters until restarted the insights-client pod
2075739 - The lookup function won't check the referred resource whether exist when using template policies
2076421 - Can't select existing placement for policy or policyset when editing policy or policyset
2076494 - No policyreport CR for spoke clusters generated  in the disconnected env
2076502 - The policyset card doesn't show the cluster status(violation/without violation) again after deleted one policy
2077144 - GRC Ansible automation wizard does not display error of missing dependent Ansible Automation Platform operator
2077149 - App UI shows no clusters cluster column of App Table when Discovery Applications is deployed to a managed cluster
2077291 - Prometheus doesn't display acm_managed_cluster_info after upgrade from 2.4 to 2.5
2077304 - Create Cluster button is disabled only if other clusters exist
2077526 - ACM UI is very very slow after upgrade from 2.4 to 2.5
2077562 - Console/App LC- Helm and Object bucket applications are not showing as deployed in the UI
2077751 - Can't create a template policy from UI when the object's name is referring Golang text template syntax in this policy
2077783 - Still show violation for clusterserviceversions after enforced "Detect Image vulnerabilities " policy template and the operator is installed
2077951 - Misleading message indicated that a placement of a policy became one managed only by policy set
2078164 - Failed to edit a policy without placement
2078167 - Placement binding and rule names are not created in yaml when editing a policy previously created with no placement
2078373 - Disable the hyperlink of *ks node in standalone MCE environment since the search component was not exists
2078617 - Azure public credential details get pre-populated with base domain name in UI
2078952 - View pod logs in search details returns error
2078973 - Crashed pod is marked with success in Topology
2079013 - Changing existing placement rules does not change YAML file
2079015 - Uninstall pod crashed when destroying Azure Gov cluster in ACM
2079421 - Hyphen(s) is deleted unexpectedly in UI when yaml is turned on
2079494 - Hitting Enter in yaml editor caused unexpected keys "key00x:" to be created
2079533 - Clusters with no default clusterset do not get assigned default cluster when upgrading from ACM 2.4 to 2.5
2079585 - When an Ansible Secret is propagated to an Ansible Application namespace, the propagated secret is shown in the Credentials page
2079611 - Edit appset placement in UI with a different existing placement causes the current associated placement being deleted
2079615 - Edit appset placement in UI with a new placement throws error upon submitting
2079658 - Cluster Count is Incorrect in Application UI
2079909 - Wrong message is displayed when GRC fails to connect to an ansible tower
2080172 - Still create policy automation successfully when the PolicyAutomation name exceed 63 characters
2080215 - Get a blank page after go to policies page in upgraded env when using an user with namespace-role-binding of default view role
2080279 - CVE-2022-29810 go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local uses
2080503 - vSphere network name doesn't allow entering spaces and doesn't reflect YAML changes
2080567 - Number of cluster in violation in the table does not match other cluster numbers on the policy set details page
2080712 - Select an existing placement configuration does not work
2080776 - Unrecognized characters are displayed on policy and policy set yaml editors
2081792 - When deploying an application to a clusterpool claimed cluster after upgrade, the application does not get deployed to the cluster
2081810 - Type '-' character in Name field caused previously typed character backspaced in  in the name field of policy wizard
2081829 - Application deployed on local cluster's topology is crashing after upgrade
2081938 - The deleted policy still be shown on the policyset review page when edit this policy set
2082226 - Object Storage Topology includes residue of resources after Upgrade
2082409 - Policy set details panel remains even after the policy set has been deleted
2082449 - The hypershift-addon-agent deployment did not have imagePullSecrets
2083038 - Warning still refers to the `klusterlet-addon-appmgr` pod rather than the `application-manager` pod
2083160 - When editing a helm app with failing resources to another, the appsubstatus and the managedclusterview do not get updated
2083434 - The provider-credential-controller did not support the RHV credentials type
2083854 - When deploying an application with ansiblejobs multiple times with different namespaces, the topology shows all the ansiblejobs rather than just the one within the namespace
2083870 - When editing an existing application and refreshing the `Select an existing placement configuration`, multiple occurrences of the placementrule gets displayed
2084034 - The status message looks messy in the policy set card, suggest one kind status one a row
2084158 - Support provisioning bm cluster where no provisioning network provided
2084622 - Local Helm application shows cluster resources as `Not Deployed` in Topology [Upgrade]
2085083 - Policies fail to copy to cluster namespace after ACM upgrade
2085237 - Resources referenced by a channel are not annotated with backup label
2085273 - Error querying for ansible job in app topology
2085281 - Template name error is reported but the template name was found in a different replicated policy
2086389 - The policy violations for hibernated cluster still be displayed on the policy set details page
2087515 - Validation thrown out in configuration for disconnect install while creating bm credential
2088158 - Object Storage Application deployed to all clusters is showing unemployed in topology [Upgrade]
2088511 - Some cluster resources are not showing labels that are defined in the YAML

5. References:

https://access.redhat.com/security/cve/CVE-2020-0404
https://access.redhat.com/security/cve/CVE-2020-4788
https://access.redhat.com/security/cve/CVE-2020-13974
https://access.redhat.com/security/cve/CVE-2020-19131
https://access.redhat.com/security/cve/CVE-2020-27820
https://access.redhat.com/security/cve/CVE-2021-0941
https://access.redhat.com/security/cve/CVE-2021-3612
https://access.redhat.com/security/cve/CVE-2021-3634
https://access.redhat.com/security/cve/CVE-2021-3669
https://access.redhat.com/security/cve/CVE-2021-3737
https://access.redhat.com/security/cve/CVE-2021-3743
https://access.redhat.com/security/cve/CVE-2021-3744
https://access.redhat.com/security/cve/CVE-2021-3752
https://access.redhat.com/security/cve/CVE-2021-3759
https://access.redhat.com/security/cve/CVE-2021-3764
https://access.redhat.com/security/cve/CVE-2021-3772
https://access.redhat.com/security/cve/CVE-2021-3773
https://access.redhat.com/security/cve/CVE-2021-3918
https://access.redhat.com/security/cve/CVE-2021-4002
https://access.redhat.com/security/cve/CVE-2021-4037
https://access.redhat.com/security/cve/CVE-2021-4083
https://access.redhat.com/security/cve/CVE-2021-4157
https://access.redhat.com/security/cve/CVE-2021-4189
https://access.redhat.com/security/cve/CVE-2021-4197
https://access.redhat.com/security/cve/CVE-2021-4203
https://access.redhat.com/security/cve/CVE-2021-20322
https://access.redhat.com/security/cve/CVE-2021-21781
https://access.redhat.com/security/cve/CVE-2021-26401
https://access.redhat.com/security/cve/CVE-2021-29154
https://access.redhat.com/security/cve/CVE-2021-37159
https://access.redhat.com/security/cve/CVE-2021-41190
https://access.redhat.com/security/cve/CVE-2021-41864
https://access.redhat.com/security/cve/CVE-2021-42739
https://access.redhat.com/security/cve/CVE-2021-43056
https://access.redhat.com/security/cve/CVE-2021-43389
https://access.redhat.com/security/cve/CVE-2021-43565
https://access.redhat.com/security/cve/CVE-2021-43816
https://access.redhat.com/security/cve/CVE-2021-43858
https://access.redhat.com/security/cve/CVE-2021-43976
https://access.redhat.com/security/cve/CVE-2021-44733
https://access.redhat.com/security/cve/CVE-2021-45485
https://access.redhat.com/security/cve/CVE-2021-45486
https://access.redhat.com/security/cve/CVE-2022-0001
https://access.redhat.com/security/cve/CVE-2022-0002
https://access.redhat.com/security/cve/CVE-2022-0235
https://access.redhat.com/security/cve/CVE-2022-0286
https://access.redhat.com/security/cve/CVE-2022-0322
https://access.redhat.com/security/cve/CVE-2022-0778
https://access.redhat.com/security/cve/CVE-2022-1011
https://access.redhat.com/security/cve/CVE-2022-21803
https://access.redhat.com/security/cve/CVE-2022-23806
https://access.redhat.com/security/cve/CVE-2022-24450
https://access.redhat.com/security/cve/CVE-2022-24778
https://access.redhat.com/security/cve/CVE-2022-24785
https://access.redhat.com/security/cve/CVE-2022-27191
https://access.redhat.com/security/cve/CVE-2022-29810
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYqGh9NzjgjWX9erEAQioMQ/+N4V24GgHpDTRxKavLHSpma22mLya2Xgu
3zrYbLvVELbdqPyzke5T5cJ/4ElXTr9s2Ev6KKoCXMmYKm3TKFnW9Y3J9XA7l7xk
8sWcAXzqWIgFdOXwzNOhKqn6PsHgZrbwH8UOYsThla+Qc1scK4LtTj67pEn0dqcv
jl0PuRkgQb+tmdAbssXaKyrJeAPYk4B69iDwPoGdG5GJLkJybTs8KZrduZNnjMre
f5hRZHZU6AQlWv/MH9m8Qh+F3O38Yu8I+sc71OGT7JVY4wcIuzCG2D21jdGcuQUh
gtnH5Ma17d2IqaJaX1KYGcdBu4F4bCKW581j8SBX2S7TGXhe9K1+If1ra47eIgeK
8DM/qadQ52GhTK7Voh2EUvG0nQt2iOs6i6V3unCc9wCTZheJPsJHz3G/9HKbWT54
4rsLjjdq/9lMhU3eV4VzSxntCkXgISHmqFoEswCX6YmNeEDMeE6rPsO5+81ObA3n
bOXscXbYscj1FCfW5OboKpAtdtpQbajnS+46lUkW2y0jUyi5vRqWgx5mDQcbpiBj
0uGL7VSADIwKY/i93itqYbVFyu7lsQI3FtQr+akOmaWm7MlDykbb81lyNByi6y86
g34x7lXyjuA+QW862w8v9NINUI7Csja0nnKHDe5XJdWO9cMHuyk6YrM9mv/FpTb4
U39I87cKxqA=
=tOMt
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce