chore(release notes): initial draft of the 1.3.2 release notes (RHIDP-4909)

Signed-off-by: Nick Boldt <[email protected]>

Author: nickboldt

artifacts/attributes.adoc

@@ -11,8 +11,8 @@
 :product-short: Developer Hub
 :product-very-short: RHDH
 :product-version: 1.3
-:product-bundle-version: 1.3.0
-:product-chart-version: 1.3.0
+:product-bundle-version: 1.3.2
+:product-chart-version: 1.3.2
 :product-backstage-version: 1.29.2
 :rhdeveloper-name: Red Hat Developer
 :rhel: Red Hat Enterprise Linux

assemblies/assembly-release-notes-fixed-security-issues.adoc

@@ -6,6 +6,10 @@ This section lists security issues fixed in {product} {product-version}.
 
 == {product} {product-bundle-version}
 
+include::./modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.2.adoc[leveloffset=+2]
+
+== {product} 1.3.1
+
 include::./modules/release-notes/snip-fixed-security-issues-in-product-1.3.1.adoc[leveloffset=+2]
 
 include::./modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.1.adoc[leveloffset=+2]

modules/release-notes/list-fixed-security-issues-in-product-1.3.2.txt

@@ -1,3 +1,8 @@
 # CVE number, affected package, fixed in version(s), JIRA
+# none yet
 
 # not yet fixed, built, or ready for release
+# NOTE: CVE is empty at the usual RH location so must manually edit generated .adoc file
+# to link to https://nvd.nist.gov/vuln/detail/CVE-2024-21538
+# once this is actually fixed in 1.3.z
+# CVE-2024-21538,cross-spawn,7.0.5,RHIDP-4864

modules/release-notes/list-fixed-security-issues-in-rpm-1.3.2.txt

@@ -0,0 +1,22 @@
+# CVE number, Errata details, Bugzilla
+
+# high prio fix in krb5-1.21.1-4.el9_5	(RHEL 9.5 update) reported by Prograde - see https://issues.redhat.com/browse/RHIDP-4891
+CVE-2024-3596, freeradius: forgery attack, https://bugzilla.redhat.com/show_bug.cgi?id=2263240
+
+# moderate prio fixes reported by Prograde - see https://issues.redhat.com/browse/RHIDP-4891
+CVE-2024-30203, emacs: Gnus treats inline MIME contents as trusted, https://bugzilla.redhat.com/show_bug.cgi?id=2280296
+CVE-2024-30204, emacs: LaTeX preview is enabled by default for e-mail attachments, https://bugzilla.redhat.com/show_bug.cgi?id=2280297
+CVE-2024-30205, emacs: Org mode considers contents of remote files to be trusted, https://bugzilla.redhat.com/show_bug.cgi?id=2280298
+CVE-2024-50602, libexpat: expat: DoS via XML_ResumeParser, https://bugzilla.redhat.com/show_bug.cgi?id=2321987
+CVE-2024-2236, libgcrypt: vulnerable to Marvin Attack, https://bugzilla.redhat.com/show_bug.cgi?id=2245218
+CVE-2024-0450, python: The zipfile module is vulnerable to zip-bombs leading to denial of service, https://bugzilla.redhat.com/show_bug.cgi?id=2276525
+CVE-2024-8088, python: cpython: Iterating over a malicious ZIP file may lead to Denial of Service, https://bugzilla.redhat.com/show_bug.cgi?id=2307370
+
+# https://errata.engineering.redhat.com/advisory/129215 contains 4 issues
+CVE-2024-3727, containers/image: digest type does not guarantee valid type 
+CVE-2024-24788, golang: net: malformed DNS message can cause infinite loop 
+CVE-2024-6104, go-retryablehttp: url might write sensitive information to log file 
+CVE-2024-24791, net/http: Denial of service due to improper 100-continue handling in net/http 
+
+# https://errata.engineering.redhat.com/advisory/128795 includes 478 bugs fixed in RHEL 9.5 with kernel-5.14.0-503.11.1.el9_5 - only listing one of them here
+CVE-2024-45005, kernel: KVM: s390: fix validity interception issue when gisa is switched off, https://bugzilla.redhat.com/show_bug.cgi?id=2309868

modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.2.adoc

@@ -0,0 +1,41 @@
+= RHEL 9 platform RPM updates
+
+link:https://access.redhat.com/security/cve/CVE-2024-0450[CVE-2024-0450]::
+A flaw was found in the Python/CPython 'zipfile' that can allow a zip-bomb type of attack. An attacker may craft a zip file format, leading to a Denial of Service when processed.
+
+link:https://access.redhat.com/security/cve/CVE-2024-2236[CVE-2024-2236]::
+A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.
+
+link:https://access.redhat.com/security/cve/CVE-2024-3596[CVE-2024-3596]::
+A vulnerability in the RADIUS (Remote Authentication Dial-In User Service) protocol allows attackers to forge authentication responses when the Message-Authenticator attribute is not enforced. This issue arises from a cryptographically insecure integrity check using MD5, enabling attackers to spoof UDP-based RADIUS response packets. This can result in unauthorized access by modifying an Access-Reject response to an Access-Accept response, thereby compromising the authentication process.
+
+link:https://access.redhat.com/security/cve/CVE-2024-3727[CVE-2024-3727]::
+A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
+
+link:https://access.redhat.com/security/cve/CVE-2024-6104[CVE-2024-6104]::
+A vulnerability was found in go-retryablehttp. The package may suffer from a lack of input sanitization by not cleaning up URL data when writing to the logs. This issue could expose sensitive authentication information.
+
+link:https://access.redhat.com/security/cve/CVE-2024-8088[CVE-2024-8088]::
+A flaw was found in Python's zipfile module. When iterating over the entries of a zip archive, the process can enter into an infinite loop state and become unresponsive. This flaw allows an attacker to craft a malicious ZIP archive, leading to a denial of service from the application consuming the zipfile module. Only applications that handle user-controlled zip archives are affected by this vulnerability.
+
+link:https://access.redhat.com/security/cve/CVE-2024-24788[CVE-2024-24788]::
+A flaw was found in the net package of the Go stdlib. When a malformed DNS message is received as a response to a query, the Lookup functions within the net package can get stuck in an infinite loop. This issue can lead to resource exhaustion and denial of service (DoS) conditions.
+
+link:https://access.redhat.com/security/cve/CVE-2024-24791[CVE-2024-24791]::
+A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
+
+link:https://access.redhat.com/security/cve/CVE-2024-30203[CVE-2024-30203]::
+A flaw was found in Emacs. When Emacs is used as an email client, inline MIME attachments are considered to be trusted by default, allowing a crafted LaTeX document to exhaust the disk space or the inodes allocated for the partition where the /tmp directory is located. This issue possibly results in a denial of service.
+
+link:https://access.redhat.com/security/cve/CVE-2024-30204[CVE-2024-30204]::
+A flaw was found in Emacs. When Emacs is used as an email client, a preview of a crafted LaTeX document attached to an email can exhaust the disk space or the inodes allocated for the partition where the /tmp directory is located. This issue possibly results in a denial of service.
+
+link:https://access.redhat.com/security/cve/CVE-2024-30205[CVE-2024-30205]::
+A flaw was found in Emacs. Org mode considers the content of remote files, such as files opened with TRAMP on remote systems, to be trusted, resulting in arbitrary code execution.
+
+link:https://access.redhat.com/security/cve/CVE-2024-45005[CVE-2024-45005]::
+In the Linux kernel, the following vulnerability has been resolved:
+KVM: s390: fix validity interception issue when gisa is switched off
+
+link:https://access.redhat.com/security/cve/CVE-2024-50602[CVE-2024-50602]::
+A security issue was found in Expat (libexpat). A crash can be triggered in the XML_ResumeParser function due to XML_StopParser's ability to stop or suspend an unstarted parser, which can lead to a denial of service.