update RN with more fixed rpm and node/go CVEs; add missing RN item for https://issues.redhat.com/browse/RHIDP-5477 bug fix too

Signed-off-by: Nick Boldt <[email protected]>

Author: nickboldt

modules/release-notes/list-fixed-security-issues-in-rpm-1.3.4.txt

@@ -1,16 +1,14 @@
 # https://errata.engineering.redhat.com/advisory/143859
 CVE-2024-9287, python 3.11: Virtual environment (venv) activation scripts don't quote paths 
 
-# TODO verify these are fixed in the latest rhdh-hub / operator containers
-
 # https://errata.engineering.redhat.com/advisory/144019, kernel-5.14.0-503.21.1.el9_5
-# CVE-2024-46713, kernel: perf/aux: Fix AUX buffer serialization 
-# CVE-2024-50208, kernel: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages 
-# CVE-2024-50252, kernel: mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address 
-# CVE-2024-53122, kernel: mptcp: cope racing subflow creation in mptcp_rcv_space_adjust 
+CVE-2024-46713, kernel: perf/aux: Fix AUX buffer serialization 
+CVE-2024-50208, kernel: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages 
+CVE-2024-50252, kernel: mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address 
+CVE-2024-53122, kernel: mptcp: cope racing subflow creation in mptcp_rcv_space_adjust 
 
 # https://errata.engineering.redhat.com/advisory/139648, skopeo-1.16.1-2.el9_5
-# CVE-2024-34156, encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion 
+CVE-2024-34156, encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion 
 
 # https://errata.engineering.redhat.com/advisory/143848, python3.9-3.9.21-1.el9_5
-# CVE-2024-11168, python 3.9: Improper validation of IPv6 and IPvFuture addresses 
+CVE-2024-11168, python 3.9: Improper validation of IPv6 and IPvFuture addresses 

modules/release-notes/ref-release-notes-fixed-issues.adoc

@@ -4,6 +4,19 @@
 
 This section lists issues fixed in {product} {product-version}.
 
+== Fixed issues in 1.3.4
+
+[id="bug-fix-rhidp-5477"]
+=== GitLab Org plugin throws MODULE_NOT_FOUND error
+
+In the previous version of {product-short}, the gitlab org catalog backend plugin would fail to load when configured with a `MODULE_NOT_FOUND` error. This has been fixed by embedding the missing dependencies in the dynamic plugins.
+
+See similar issue https://issues.redhat.com/browse/RHIDP-5308
+
+.Additional resources
+
+* link:https://issues.redhat.com/browse/RHIDP-5477[RHIDP-5477]
+
 == Fixed issues in 1.3.3
 
 [id="bug-fix-rhidp-5180"]

modules/release-notes/ref-release-notes-known-issues.adoc

@@ -5,7 +5,7 @@
 This section lists known issues in {product} {product-version}.
 
 [id="known-issue-rhidp-5342"]
-== [Helm] Cannot run 2 RHDH replicas on different nodes due to Multi-Attach errors on the dynamic plugins root PVC
+== [Helm] Cannot run two RHDH replicas on different nodes due to Multi-Attach errors on the dynamic plugins root PVC
 
 If you are deploying {product-short} using the Helm Chart, it is currently impossible to have 2 replicas running on different cluster nodes. This might also affect the upgrade from 1.3 to 1.4.0 if the new pod is scheduled on a different node.
 

modules/release-notes/snip-fixed-security-issues-in-product-1.3.4.adoc

@@ -1,5 +1,11 @@
 = {product} dependency updates
 
+link:https://access.redhat.com/security/cve/CVE-2024-45338[CVE-2024-45338]::
+A flaw was found in golang.org/x/net/html. This flaw allows an attacker to craft input to the parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This issue can cause a denial of service.
+
+link:https://access.redhat.com/security/cve/CVE-2024-52798[CVE-2024-52798]::
+A flaw was found in path-to-regexp. A path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance.
+
 link:https://access.redhat.com/security/cve/CVE-2024-55565[CVE-2024-55565]::
 nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
 

modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.4.adoc

@@ -2,3 +2,24 @@
 
 link:https://access.redhat.com/security/cve/CVE-2024-9287[CVE-2024-9287]::
 A vulnerability has been found in the Python `venv` module and CLI. Path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts, for example, "source venv/bin/activate". This flaw allows attacker-controlled virtual environments to run commands when the virtual environment is activated.
+
+link:https://access.redhat.com/security/cve/CVE-2024-11168[CVE-2024-11168]::
+A flaw was found in Python. The `urllib.parse.urlsplit()` and `urlparse()` functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture compliant. This behavior was not conformant to RFC 3986 and was potentially vulnerable to server-side request forgery (SSRF) if a URL is processed by more than one URL parser.
+
+link:https://access.redhat.com/security/cve/CVE-2024-34156[CVE-2024-34156]::
+A flaw was found in the encoding/gob package of the Golang standard library. Calling Decoder.Decoding, a message that contains deeply nested structures, can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
+
+link:https://access.redhat.com/security/cve/CVE-2024-46713[CVE-2024-46713]::
+In the Linux kernel, the following vulnerability has been resolved:
+perf/aux: Fix AUX buffer serialization
+
+link:https://access.redhat.com/security/cve/CVE-2024-50208[CVE-2024-50208]::
+In the Linux kernel, the following vulnerability has been resolved:
+RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages
+
+link:https://access.redhat.com/security/cve/CVE-2024-50252[CVE-2024-50252]::
+In the Linux kernel, the following vulnerability has been resolved:
+mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address
+
+link:https://access.redhat.com/security/cve/CVE-2024-53122[CVE-2024-53122]::
+A divide by zero flaw was found in the Linux kernel's Multipath TCP (MPTCP). This issue could allow a remote user to crash the system.