|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * backup_and_restore/oadp-release-notes-1-3.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: REFERENCE |
| 6 | +[id="oadp-release-notes-1-3-2_{context}"] |
| 7 | += {oadp-short} 1.3.2 release notes |
| 8 | + |
| 9 | +The {oadp-first} 1.3.2 release notes list resolved issues and known issues. |
| 10 | + |
| 11 | +//[id="new-features-1-3-2_{context}"] |
| 12 | +//== New features |
| 13 | + |
| 14 | + |
| 15 | +[id="resolved-issues-1-3-2_{context}"] |
| 16 | +== Resolved issues |
| 17 | + |
| 18 | +.DPA fails to reconcile if a valid custom secret is used for BSL |
| 19 | + |
| 20 | +DPA fails to reconcile if a valid custom secret is used for Backup Storage Location (BSL), but the default secret is missing. The workaround is to create the required default `cloud-credentials` initially. When the custom secret is re-created, it can be used and checked for its existence. |
| 21 | + |
| 22 | +link:https://issues.redhat.com/browse/OADP-3193[OADP-3193] |
| 23 | + |
| 24 | +.CVE-2023-45290: `oadp-velero-container`: Golang `net/http`: Memory exhaustion in `Request.ParseMultipartForm` |
| 25 | + |
| 26 | +A flaw was found in the `net/http` Golang standard library package, which impacts previous versions of {oadp-short}. When parsing a `multipart` form, either explicitly with `Request.ParseMultipartForm` or implicitly with `Request.FormValue`, `Request.PostFormValue`, or `Request.FormFile`, limits on the total size of the parsed form are not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing long lines to cause the allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. This flaw has been resolved in {oadp-short} 1.3.2. |
| 27 | + |
| 28 | +For more details, see link:https://access.redhat.com/security/cve/cve-2023-45290[CVE-2023-45290]. |
| 29 | + |
| 30 | +.CVE-2023-45289: `oadp-velero-container`: Golang `net/http/cookiejar`: Incorrect forwarding of sensitive headers and cookies on HTTP redirect |
| 31 | + |
| 32 | +A flaw was found in the `net/http/cookiejar` Golang standard library package, which impacts previous versions of {oadp-short}. When following an HTTP redirect to a domain that is not a subdomain match or exact match of the initial domain, an `http.Client` does not forward sensitive headers such as `Authorization` or `Cookie`. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. This flaw has been resolved in {oadp-short} 1.3.2. |
| 33 | + |
| 34 | +For more details, see link:https://access.redhat.com/security/cve/cve-2023-45289[CVE-2023-45289]. |
| 35 | + |
| 36 | +.CVE-2024-24783: `oadp-velero-container`: Golang `crypto/x509`: Verify panics on certificates with an unknown public key algorithm |
| 37 | + |
| 38 | +A flaw was found in the `crypto/x509` Golang standard library package, which impacts previous versions of {oadp-short}. Verifying a certificate chain that contains a certificate with an unknown public key algorithm causes `Certificate.Verify` to panic. This affects all `crypto/tls` clients and servers that set `Config.ClientAuth` to `VerifyClientCertIfGiven` or `RequireAndVerifyClientCert`. The default behavior is for TLS servers to not verify client certificates. This flaw has been resolved in {oadp-short} 1.3.2. |
| 39 | + |
| 40 | +For more details, see link:https://access.redhat.com/security/cve/cve-2024-24783[CVE-2024-24783]. |
| 41 | + |
| 42 | +.CVE-2024-24784: `oadp-velero-plugin-container`: Golang `net/mail`: Comments in display names are incorrectly handled |
| 43 | + |
| 44 | +A flaw was found in the `net/mail` Golang standard library package, which impacts previous versions of {oadp-short}. The `ParseAddressList` function incorrectly handles comments, text in parentheses, and display names. Because this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. This flaw has been resolved in {oadp-short} 1.3.2. |
| 45 | + |
| 46 | +For more details, see link:https://access.redhat.com/security/cve/cve-2024-24784[CVE-2024-24784]. |
| 47 | + |
| 48 | +.CVE-2024-24785: `oadp-velero-container`: Golang: html/template: errors returned from `MarshalJSON` methods may break template escaping |
| 49 | + |
| 50 | +A flaw was found in the `html/template` Golang standard library package, which impacts previous versions of {oadp-short}. If errors returned from `MarshalJSON` methods contain user-controlled data, they may be used to break the contextual auto-escaping behavior of the HTML/template package, allowing subsequent actions to inject unexpected content into the templates. This flaw has been resolved in {oadp-short} 1.3.2. |
| 51 | + |
| 52 | +For more details, see link:https://access.redhat.com/security/cve/cve-2024-24785[CVE-2024-24785]. |
| 53 | + |
| 54 | +For a complete list of all issues resolved in this release, see the list of link:https://issues.redhat.com/issues/?filter=12436254[OADP 1.3.2 resolved issues] in Jira. |
| 55 | + |
| 56 | + |
| 57 | +[id="known-issues-1-3-2_{context}"] |
| 58 | +== Known issues |
| 59 | + |
| 60 | +.Cassandra application pods enter into the `CrashLoopBackoff` status after restoring OADP |
| 61 | + |
| 62 | +After {oadp-short} restores, the Cassandra application pods might enter in the `CrashLoopBackoff` status. To work around this problem, delete the `StatefulSet` pods that are returning an error or the `CrashLoopBackoff` state after restoring {oadp-short}. The `StatefulSet` controller recreates these pods and it runs normally. |
| 63 | + |
| 64 | +link:https://issues.redhat.com/browse/OADP-3767[OADP-3767] |
0 commit comments