RHBA-2021:2854: Red Hat Bug Fix Advisory: Migration Toolkit for Containers (MTC) 1.4.6 release advisory
The Migration Toolkit for Containers (MTC) 1.4.6 is now available. The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Related CVEs:
- CVE-2018-25011: libwebp: heap-based buffer overflow in PutLE16()
- CVE-2020-25648: nss: TLS 1.3 CCS flood remote DoS Attack
- CVE-2020-25692: openldap: NULL pointer dereference for unauthenticated packet in slapd
- CVE-2020-26541: kernel: security bypass in certs/blacklist.c and certs/system_keyring.c
- CVE-2020-27216: jetty: local temporary directory hijacking vulnerability
- CVE-2020-27218: jetty: buffer not correctly recycled in Gzip Request inflation
- CVE-2020-27223: jetty: request containing multiple Accept headers with a large number of “quality” parameters may lead to DoS
- CVE-2020-36328: libwebp: heap-based buffer overflow in WebPDecode*Into functions
- CVE-2020-36329: libwebp: use-after-free in EmitFancyRGB() in dec/io_dec.c
- CVE-2021-3516: libxml2: Use-after-free in xmlEncodeEntitiesInternal() in entities.c
- CVE-2021-3517: libxml2: Heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c
- CVE-2021-3518: libxml2: Use-after-free in xmlXIncludeDoProcess() in xinclude.c
- CVE-2021-3520: lz4: memory corruption due to an integer overflow bug caused by memmove argument
- CVE-2021-3537: libxml2: NULL pointer dereference when post-validating mixed content parsed in recovery mode
- CVE-2021-3541: libxml2: Exponential entity expansion attack bypasses all existing protection mechanisms
- CVE-2021-20271: rpm: Signature checks bypass via corrupted rpm package
- CVE-2021-21642: jenkins-2-plugins/config-file-provider: does not configure its XML parser to prevent XML external entity (XXE) attacks
- CVE-2021-21643: jenkins-2-plugins/config-file-provider: does not correctly perform permission checks in several HTTP endpoints
- CVE-2021-21644: jenkins-2-plugins/config-file-provider: does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability
- CVE-2021-21645: jenkins-2-plugins/config-file-provider: does not perform permission checks in several HTTP endpoints
- CVE-2021-27219: glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits
- CVE-2021-31525: golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
- CVE-2021-33034: kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan