-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Migration Toolkit for Containers (MTC) 1.7.11 security and bug fix update Advisory ID: RHSA-2023:4293-01 Product: Red Hat Migration Toolkit Advisory URL: https://access.redhat.com/errata/RHSA-2023:4293 Issue date: 2023-07-27 CVE Names: CVE-2020-24736 CVE-2022-41723 CVE-2023-1667 CVE-2023-2283 CVE-2023-24329 CVE-2023-24539 CVE-2023-26125 CVE-2023-26604 CVE-2023-29400 CVE-2023-29401 ===================================================================== 1. Summary: The Migration Toolkit for Containers (MTC) 1.7.11 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Security Fix(es) from Bugzilla: * net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) * golang: html/template: improper sanitization of CSS values (CVE-2023-24539) * golang-github-gin-gonic-gin: Improper Input Validation (CVE-2023-26125) * golang: html/template: improper handling of empty HTML attributes (CVE-2023-29400) * golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function (CVE-2023-29401) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding 2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values 2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes 2203769 - CVE-2023-26125 golang-github-gin-gonic-gin: Improper Input Validation 2216957 - CVE-2023-29401 golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function 5. References: https://access.redhat.com/security/cve/CVE-2020-24736 https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2023-1667 https://access.redhat.com/security/cve/CVE-2023-2283 https://access.redhat.com/security/cve/CVE-2023-24329 https://access.redhat.com/security/cve/CVE-2023-24539 https://access.redhat.com/security/cve/CVE-2023-26125 https://access.redhat.com/security/cve/CVE-2023-26604 https://access.redhat.com/security/cve/CVE-2023-29400 https://access.redhat.com/security/cve/CVE-2023-29401 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJkwdRKAAoJENzjgjWX9erETLYP/i0v1WOSwBaVLef7uqjKSG4f E70Qv2TsqsrjB51UNUnGP1PjtnSrHSwfA5fN/TBn4vZkSk1pYIH/lpg1RNbvx8ls xlKMTd6bX/z4ojHbCss5AIGFxL7zqd9ZTfCfI/NopDVnAIFRDYCWh4rqEtaETBwa yioqI3py2XOd3lwSEEnaenLR35rpxt730ZLeZAl5/lvRRt7kD69r9exWAUh4sW6j JtYi6ydY8BXg0HNR+nU57XRmp0S6GfYGncYDZFyDRXTT0UMHVxtRF04VETuBjWC2 IAqp7ocRPt5woh0+HyyRA/9p+QWDP6kYY1Bb8HgKNx3xdQbwJi07Pwt4YadMTmAE igw1LmIPRIJoNKTh1MqTL00nJIU/1mO+vpkyvNhIZ94vreLJ8MyQLbLAhJYuTCby sLA2VeLnQmcdrsWDIkx+hJOsR9bydCZuIPykN4Nmstv2j6UHWg31DtaHyQQEyZtm O/V61KAUYeOd6dMvRYlgz86hvQurwGl/sYsAsIt5mV50wXB14bSfMUnYe3hM1/v3 vB6bNiPIY8UgpRl2ZnZCsVruPEyFn7+W0wCSqX3Afy5Q08lyvuPFXcD1XAm4TLES 5g1bNuIDOPu1r/AqKrC7zSVsL0QLjpyetjPnUa205Nc6LqcyfyvV2BC+61VzWm5E OTxW8GMl5qshDNCZCUVd =0sF0 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce