openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity

MIG-1475: Release notes for MTC 1.7.14

Browse Source 
Signed-off-by: Andy Arnold <anarnold@redhat.com>
This commit is contained in:
Andy Arnold
2023-10-23 19:02:37 +01:00
committed by openshift-cherrypick-robot
parent 8c3c562972
commit c13628d859
2 changed files with 50 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
migration_toolkit_for_containers/mtc-release-notes.adoc
View File

@@ -19,6 +19,7 @@ For information on the support policy for {mtc-short}, see link:https://access.r
include::modules/migration-mtc-release-notes-1-8-1.adoc[leveloffset=+1]
include::modules/migration-mtc-release-notes-1-8.adoc[leveloffset=+1]
include::modules/migration-mtc-release-notes-1-7-14.adoc[leveloffset=+1]
include::modules/migration-mtc-release-notes-1-7-13.adoc[leveloffset=+1]
include::modules/migration-mtc-release-notes-1-7-12.adoc[leveloffset=+1]
include::modules/migration-mtc-release-notes-1-7-11.adoc[leveloffset=+1]

49
modules/migration-mtc-release-notes-1-7-14.adoc Normal file
View File

@@ -0,0 +1,49 @@
// Module included in the following assemblies:
//
// * migration_toolkit_for_containers/mtc-release-notes.adoc
:_content-type: REFERENCE
[id="migration-mtc-release-notes-1-7-14_{context}"]
= {mtc-full} 1.7.14 release notes
[id="resolved-issues-1-7-14_{context}"]
== Resolved issues
This release has the following resolved issues:
.CVE-2023-39325 CVE-2023-44487: various flaws
A flaw was found in the handling of multiplexed streams in the HTTP/2 protocol, which is utilized by {mtc-full} ({mtc-short}). A client could repeatedly make a request for a new multiplex stream then immediately send an `RST_STREAM` frame to cancel those requests. This activity created additional workloads for the server in terms of setting up and dismantling streams, but avoided any server-side limitations on the maximum number of active streams per connection. As a result, a denial of service occurred due to server resource consumption.
* link:https://bugzilla.redhat.com/show_bug.cgi?id=2243564[(BZ#2243564)]
* link:https://bugzilla.redhat.com/show_bug.cgi?id=2244013[(BZ#2244013)]
* link:https://bugzilla.redhat.com/show_bug.cgi?id=2244014[(BZ#2244014)]
* link:https://bugzilla.redhat.com/show_bug.cgi?id=2244015[(BZ#2244015)]
* link:https://bugzilla.redhat.com/show_bug.cgi?id=2244016[(BZ#2244016)]
* link:https://bugzilla.redhat.com/show_bug.cgi?id=2244017[(BZ#2244017)]
To resolve this issue, upgrade to {mtc-short} 1.7.14.
For more details, see link:https://access.redhat.com/security/cve/cve-2023-44487[(CVE-2023-44487)] and link:https://access.redhat.com/security/cve/cve-2023-39325[(CVE-2023-39325)].
.CVE-2023-39318 CVE-2023-39319 CVE-2023-39321: various flaws
* link:https://access.redhat.com/security/cve/cve-2023-39318[(CVE-2023-39318)]: A flaw was discovered in Golang, utilized by {mtc-short}. The `html/template` package did not properly handle HTML-like `""` comment tokens, or the hashbang `"#!"` comment tokens, in `<script>` contexts. This flaw could cause the template parser to improperly interpret the contents of `<script>` contexts, causing actions to be improperly escaped.
** link:https://bugzilla.redhat.com/show_bug.cgi?id=2238062[(BZ#2238062)]  
** link:https://bugzilla.redhat.com/show_bug.cgi?id=2238088[(BZ#2238088)]
* link:https://access.redhat.com/security/cve/cve-2023-39319[(CVE-2023-39319)]: A flaw was discovered in Golang, utilized by {mtc-short}. The `html/template` package did not apply the proper rules for handling occurrences of `"<script"`, `"<!--"`, and `"</script"` within JavaScript literals in <script> contexts. This could cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. 
** link:https://bugzilla.redhat.com/show_bug.cgi?id=2238062[(BZ#2238062)]  
** link:https://bugzilla.redhat.com/show_bug.cgi?id=2238088[(BZ#2238088)]
* link:https://access.redhat.com/security/cve/cve-2023-39321[(CVE-2023-39321)]: A flaw was discovered in Golang, utilized by {mtc-short}. Processing an incomplete post-handshake message for a QUIC connection could cause a panic.
** link:https://bugzilla.redhat.com/show_bug.cgi?id=2238062[(BZ#2238062)]  
** link:https://bugzilla.redhat.com/show_bug.cgi?id=2238088[(BZ#2238088)]
* link:https://access.redhat.com/security/cve/cve-2023-39322[(CVE-2023-3932)]: A flaw was discovered in Golang, utilized by {mtc-short}. Connections using the QUIC transport protocol did not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. 
** link:https://bugzilla.redhat.com/show_bug.cgi?id=2238088[(BZ#2238088)]
To resolve these issues, upgrade to {mtc-short} 1.7.14.
For more details, see link:https://access.redhat.com/security/cve/cve-2023-39318[(CVE-2023-39318)], link:https://access.redhat.com/security/cve/cve-2023-39319[(CVE-2023-39319)], and link:https://access.redhat.com/security/cve/cve-2023-39321[(CVE-2023-39321)].
[id="known-issues-1-7-14_{context}"]
== Known issues
There are no major known issues in this release.