Headline
RHSA-2021:5085: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.9.0 enhancement, security, and bug fix update
Updated Multicloud Object Gateway command line (mcg) packages that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.9.0 on Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2020-8565: kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
- CVE-2021-33195: golang: net: lookup functions may return invalid host names
- CVE-2021-33197: golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
- CVE-2021-33198: golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
- CVE-2021-34558: golang: crypto/tls: certificate of wrong type is causing TLS client to panic
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat Openshift Container Storage
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
- Red Hat CodeReady Studio
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2021-12-13
Updated:
2021-12-13
RHSA-2021:5085 - Security Advisory
- Overview
- Updated Packages
Synopsis
Moderate: Red Hat OpenShift Data Foundation 4.9.0 enhancement, security, and bug fix update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
Updated Multicloud Object Gateway command line (mcg) packages that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.9.0 on Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API.
Security Fix(es):
- kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 (CVE-2020-8565)
- golang: net: lookup functions may return invalid host names (CVE-2021-33195)
- golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
- golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
- golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
These updated Multicloud Object Gateway command line (mcg) packages
include numerous bug fixes and enhancements. Space precludes documenting
all of these changes in this advisory. Users are directed to the Red Hat OpenShift Data Foundation Release Notes for information on the most
significant of these changes:
https://access.redhat.com//documentation/en-us/red_hat_openshift_data_foundation/4.9/html/4.9_release_notes/index
All Red Hat OpenShift Data Foundation users are advised to upgrade to these updated packages, which provide numerous bug fixes and enhancements.
Affected Products
- Red Hat OpenShift Data Foundation 4 x86_64
- Red Hat OpenShift Data Foundation for IBM Power, little endian 4 ppc64le
- Red Hat OpenShift Data Foundation for IBM Z and LinuxONE 4 s390x
Fixes
- BZ - 1886638 - CVE-2020-8565 kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
- BZ - 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
- BZ - 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
- BZ - 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
- BZ - 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
- BZ - 1996033 - [vSphere]: csv ocs-registry:4.9.0-102.ci is in Installing phase
- BZ - 1998680 - [GSS][PS] NooBaa unable to create new OBC’s.
CVEs
- CVE-2020-8565
- CVE-2021-33195
- CVE-2021-33197
- CVE-2021-33198
- CVE-2021-34558
Red Hat OpenShift Data Foundation 4
SRPM
mcg-5.9.0-28.61dcf87.5.9.el8.src.rpm
SHA-256: 81c22faa1e08240e88c0d368e183910db7736f5ef26946fea5783cfb7dd1d94e
x86_64
mcg-5.9.0-28.61dcf87.5.9.el8.x86_64.rpm
SHA-256: 81812ea6fe27934c60a1050a7636c35b336e66bf71ea5aa8fe39c5072ab66e19
Red Hat OpenShift Data Foundation for IBM Power, little endian 4
SRPM
mcg-5.9.0-28.61dcf87.5.9.el8.src.rpm
SHA-256: 81c22faa1e08240e88c0d368e183910db7736f5ef26946fea5783cfb7dd1d94e
ppc64le
mcg-5.9.0-28.61dcf87.5.9.el8.ppc64le.rpm
SHA-256: f0f15602e55dd3907facd79c7bf9dd92c5598c5444c32024f3640ee6764a84f4
Red Hat OpenShift Data Foundation for IBM Z and LinuxONE 4
SRPM
mcg-5.9.0-28.61dcf87.5.9.el8.src.rpm
SHA-256: 81c22faa1e08240e88c0d368e183910db7736f5ef26946fea5783cfb7dd1d94e
s390x
mcg-5.9.0-28.61dcf87.5.9.el8.s390x.rpm
SHA-256: 9509fc256090ab8f4446e9a623cf573463174b48231db4e26f62eb3f010c7ca2
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.