MIG-1475: Release notes for MTC 1.7.14

Signed-off-by: Andy Arnold <[email protected]>

Author: anarnold97

migration_toolkit_for_containers/mtc-release-notes.adoc

@@ -18,6 +18,7 @@ You can migrate from xref:../migrating_from_ocp_3_to_4/about-migrating-from-3-to
 For information on the support policy for {mtc-short}, see link:https://access.redhat.com/support/policy/updates/openshift#app_migration[OpenShift Application and Cluster Migration Solutions], part of the _Red Hat {product-title} Life Cycle Policy_.
 
 include::modules/migration-mtc-release-notes-1-8.adoc[leveloffset=+1]
+include::modules/migration-mtc-release-notes-1-7-14.adoc[leveloffset=+1]
 include::modules/migration-mtc-release-notes-1-7-13.adoc[leveloffset=+1]
 include::modules/migration-mtc-release-notes-1-7-12.adoc[leveloffset=+1]
 include::modules/migration-mtc-release-notes-1-7-11.adoc[leveloffset=+1]

modules/migration-mtc-release-notes-1-7-14.adoc

@@ -0,0 +1,49 @@
+// Module included in the following assemblies:
+//
+// * migration_toolkit_for_containers/mtc-release-notes.adoc
+:_content-type: REFERENCE
+[id="migration-mtc-release-notes-1-7-14_{context}"]
+= {mtc-full} 1.7.14 release notes
+
+[id="resolved-issues-1-7-14_{context}"]
+== Resolved issues
+
+This release has the following resolved issues:
+
+.CVE-2023-39325 CVE-2023-44487: various flaws
+
+A flaw was found in the handling of multiplexed streams in the HTTP/2 protocol, which is utilized by {mtc-full} ({mtc-short}). A client could repeatedly make a request for a new multiplex stream then immediately send an `RST_STREAM` frame to cancel those requests. This activity created additional workloads for the server in terms of setting up and dismantling streams, but avoided any server-side limitations on the maximum number of active streams per connection. As a result, a denial of service occurred due to server resource consumption.
+
+* link:https://bugzilla.redhat.com/show_bug.cgi?id=2243564[(BZ#2243564)]
+* link:https://bugzilla.redhat.com/show_bug.cgi?id=2244013[(BZ#2244013)]
+* link:https://bugzilla.redhat.com/show_bug.cgi?id=2244014[(BZ#2244014)]
+* link:https://bugzilla.redhat.com/show_bug.cgi?id=2244015[(BZ#2244015)]
+* link:https://bugzilla.redhat.com/show_bug.cgi?id=2244016[(BZ#2244016)]
+* link:https://bugzilla.redhat.com/show_bug.cgi?id=2244017[(BZ#2244017)]
+
+To resolve this issue, upgrade to {mtc-short} 1.7.14.
+
+For more details, see link:https://access.redhat.com/security/cve/cve-2023-44487[(CVE-2023-44487)] and link:https://access.redhat.com/security/cve/cve-2023-39325[(CVE-2023-39325)].
+
+.CVE-2023-39318 CVE-2023-39319 CVE-2023-39321: various flaws 
+
+* link:https://access.redhat.com/security/cve/cve-2023-39318[(CVE-2023-39318)]: A flaw was discovered in Golang, utilized by {mtc-short}. The `html/template` package did not properly handle HTML-like `""` comment tokens, or the hashbang `"#!"` comment tokens, in `<script>` contexts. This flaw could cause the template parser to improperly interpret the contents of `<script>` contexts, causing actions to be improperly escaped.
+** link:https://bugzilla.redhat.com/show_bug.cgi?id=2238062[(BZ#2238062)]  
+** link:https://bugzilla.redhat.com/show_bug.cgi?id=2238088[(BZ#2238088)]
+* link:https://access.redhat.com/security/cve/cve-2023-39319[(CVE-2023-39319)]: A flaw was discovered in Golang, utilized by {mtc-short}. The `html/template` package did not apply the proper rules for handling occurrences of `"<script"`, `"<!--"`, and `"</script"` within JavaScript literals in <script> contexts. This could cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. 
+** link:https://bugzilla.redhat.com/show_bug.cgi?id=2238062[(BZ#2238062)]  
+** link:https://bugzilla.redhat.com/show_bug.cgi?id=2238088[(BZ#2238088)]
+* link:https://access.redhat.com/security/cve/cve-2023-39321[(CVE-2023-39321)]: A flaw was discovered in Golang, utilized by {mtc-short}. Processing an incomplete post-handshake message for a QUIC connection could cause a panic.
+** link:https://bugzilla.redhat.com/show_bug.cgi?id=2238062[(BZ#2238062)]  
+** link:https://bugzilla.redhat.com/show_bug.cgi?id=2238088[(BZ#2238088)]
+* link:https://access.redhat.com/security/cve/cve-2023-39322[(CVE-2023-3932)]: A flaw was discovered in Golang, utilized by {mtc-short}. Connections using the QUIC transport protocol did not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. 
+** link:https://bugzilla.redhat.com/show_bug.cgi?id=2238088[(BZ#2238088)]
+
+To resolve these issues, upgrade to {mtc-short} 1.7.14.
+
+For more details, see link:https://access.redhat.com/security/cve/cve-2023-39318[(CVE-2023-39318)], link:https://access.redhat.com/security/cve/cve-2023-39319[(CVE-2023-39319)], and link:https://access.redhat.com/security/cve/cve-2023-39321[(CVE-2023-39321)].
+
+[id="known-issues-1-7-14_{context}"]
+== Known issues
+
+There are no major known issues in this release.