From 7cdd0038b394ee89398e81fc6327dbe399dd760f Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Fri, 4 Oct 2024 15:15:08 -0300 Subject: [PATCH 01/16] add RN text for 1.2.5 Signed-off-by: Nick Boldt dedupe and add note about source of the freshmaker/RPM updates Signed-off-by: Nick Boldt --- build/scripts/single-source-security-fixes.sh | 54 +++++++++++++++++++ .../con-relnotes-fixed-issues.adoc | 40 ++++++++++++++ modules/release-notes/cve-list-1.2.5.txt | 19 +++++++ 3 files changed, 113 insertions(+) create mode 100755 build/scripts/single-source-security-fixes.sh create mode 100644 modules/release-notes/cve-list-1.2.5.txt diff --git a/build/scripts/single-source-security-fixes.sh b/build/scripts/single-source-security-fixes.sh new file mode 100755 index 0000000000..e79f4df9cf --- /dev/null +++ b/build/scripts/single-source-security-fixes.sh 
@@ -0,0 +1,54 @@ +#!/bin/bash +# +# Copyright (c) 2024 Red Hat, Inc. +# This program, and the accompanying materials are made +# available under the terms of the Apache Public License 2.0, +# available at http://www.apache.org/licenses/ +# +# SPDX-License-Identifier: Apache-2.0 + +# Fail and stop on first error + +if [[ $# -lt 1 ]] || [[ ! -f modules/release-notes/cve-list-$1.txt ]]; then + echo "Usage: + +To process the contents of modules/release-notes/cve-list-\$version.txt, use the appropriate file version: + +$0 x.y.z + +Example: + +$0 1.2.5" + exit +else + version="$1" +fi + +set -e +destination=/tmp/snip-common-vulnerabilities-and-exposures.adoc; rm -f "$destination" + +echo;echo "Paste the following fragment into the file modules/release-notes/con-relnotes-fixed-issues.adoc" +echo; echo "---------------- + +=== Fixed security issues in {product} 1.2.5 + +This section lists fixed security issues with {product} 1.2.5: +" + +while IFS="" read -r cve || [ -n "$cve" ] +do + if [[ ${cve} != "#"* ]] && [[ $cve != "" ]]; then # commented or blank lines + # Start the list. + echo "link:https://access.redhat.com/security/cve/$cve[$cve]::" + # Call the API to return a list of details. + # Red Hat is last if there is one. + # Red Hat details is single line. + # MITRE details are multiline. + # We keep Red Hat details if present. + # We keep only the first two lines on MITRE details. + curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/$cve.json" | jq -r '.details[-1]' | head -n 2 + # Add a separation + echo "" + fi +done < "modules/release-notes/cve-list-$version.txt" +echo "----------------" diff --git a/modules/release-notes/con-relnotes-fixed-issues.adoc b/modules/release-notes/con-relnotes-fixed-issues.adoc index b34c4f0b32..b8e4e2e384 100644 --- a/modules/release-notes/con-relnotes-fixed-issues.adoc +++ b/modules/release-notes/con-relnotes-fixed-issues.adoc 
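Review bot: in the usage branch of build/scripts/single-source-security-fixes.sh the bare `exit` returns status 0, so a missing argument or a missing modules/release-notes/cve-list-$1.txt looks like success to any caller; make it `exit 1`. Three smaller points in the same hunk: `destination=/tmp/snip-common-vulnerabilities-and-exposures.adoc; rm -f "$destination"` is assigned and deleted but never written to, since all output goes to stdout; the emitted heading `=== Fixed security issues in {product} 1.2.5` hard-codes the version even though `$version` is taken from the argument, so `$0 1.2.6` would print a 1.2.5 heading; and `curl -s ... | jq -r '.details[-1]' | head -n 2` never trips `set -e` because only `head`'s status counts, so an API error or an unknown CVE silently pastes `null` (or nothing) into the release notes. Add `set -o pipefail`, use `curl -sf`, and treat an empty or `null` result as an error; and since `$cve` goes straight from the list file into both the URL and the `link:` macro, reject lines that do not match `^CVE-[0-9]{4}-[0-9]{4,}$` before using them.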
@@ -220,6 +220,46 @@ With the release of the {product-short} 1.2.1 Helm chart, this is fixed. == Fixed security issues +=== Fixed security issues in {product} 1.2.5 + +This section lists fixed security issues with {product} 1.2.5: + +link:https://access.redhat.com/security/cve/CVE-2024-21529[CVE-2024-21529]:: +A flaw was found in the dset package. Affected versions of this package are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program. + +link:https://access.redhat.com/security/cve/CVE-2024-45590[CVE-2024-45590]:: +A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled. + +link:https://access.redhat.com/security/cve/CVE-2024-24791[CVE-2024-24791]:: +A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service. + +link:https://access.redhat.com/security/cve/CVE-2024-39249[CVE-2024-39249]:: +A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input. + +link:https://access.redhat.com/security/cve/CVE-2024-37371[CVE-2024-37371]:: +A vulnerability was found in Kerberos. This flaw is due to an issue with message token handling. + +link:https://access.redhat.com/security/cve/CVE-2024-37370[CVE-2024-37370]:: +A vulnerability was found in Kerberos. This flaw is due to an issue with message token handling. + +link:https://access.redhat.com/security/cve/CVE-2024-6923[CVE-2024-6923]:: +A vulnerability was found in the email module that uses Python language. 
The email module doesn't properly quote new lines in email headers. This flaw allows an attacker to inject email headers that could, among other possibilities, add hidden email destinations or inject content into the email, impacting data confidentiality and integrity. + +link:https://access.redhat.com/security/cve/CVE-2024-39331[CVE-2024-39331]:: +A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when the Org mode is enabled, when Emacs is used as an email client, this issue can be triggered when previewing email attachments. + +link:https://access.redhat.com/security/cve/CVE-2024-45490[CVE-2024-45490]:: +A flaw was found in libexpat's xmlparse.c component. This vulnerability allows an attacker to cause improper handling of XML data by providing a negative length value to the XML_ParseBuffer function. + +link:https://access.redhat.com/security/cve/CVE-2024-45491[CVE-2024-45491]:: +An issue was found in libexpat’s internal dtdCopy function in xmlparse.c, It can have an integer overflow for nDefaultAtts on 32-bit platforms where UINT_MAX equals SIZE_MAX. + +link:https://access.redhat.com/security/cve/CVE-2024-45492[CVE-2024-45492]:: +A flaw was found in libexpat's internal nextScaffoldPart function in xmlparse.c. It can have an integer overflow for m_groupSize on 32-bit platforms where UINT_MAX equals SIZE_MAX. + +link:https://access.redhat.com/security/cve/CVE-2024-6119[CVE-2024-6119]:: +A flaw was found in OpenSSL. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. + === Fixed security issues in {product} 1.2.3 This section lists fixed security issues with {product} 1.2.3: diff --git a/modules/release-notes/cve-list-1.2.5.txt b/modules/release-notes/cve-list-1.2.5.txt new file mode 100644 index 0000000000..d567cf20ed --- /dev/null 
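Review bot: the block pasted into con-relnotes-fixed-issues.adoc is the verbatim output of the new script, so the two will drift apart as soon as the CVE list changes; prefer committing the generated fragment as its own file and pulling it in with `include::`, so a re-run of the script updates the release notes in one place. Also, CVE-2024-37371 and CVE-2024-37370 carry word-for-word identical text (`A vulnerability was found in Kerberos. This flaw is due to an issue with message token handling.`), which gives a reader no way to tell the two fixes apart; check whether the API has a more specific statement for either. The Emacs entry is a run-on (`... when the Org mode is enabled, when Emacs is used as an email client, this issue ...`) and CVE-2024-45491 has a comma splice after `xmlparse.c`; even if the text is reproduced from the API as-is, a light copy-edit before publishing is worth it.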
+++ b/modules/release-notes/cve-list-1.2.5.txt @@ -0,0 +1,19 @@ +# not yet live; uncomment to generate CVE RN text +# CVE-2024-43799 +# CVE-2024-37890 + +# these are live, pending the release of 1.2.5 +CVE-2024-21529 +CVE-2024-45590 +CVE-2024-24791 +CVE-2024-39249 + +# RPM updates from Freshmaker (RHIDP-4218) +CVE-2024-37371 +CVE-2024-37370 +CVE-2024-6923 +CVE-2024-39331 +CVE-2024-45490 +CVE-2024-45491 +CVE-2024-45492 +CVE-2024-6119 From 063264ac70b7c7d83faf7a00c6aee94a456aa45a Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Tue, 8 Oct 2024 10:21:34 -0300 Subject: [PATCH 02/16] refactor to align with latest improvements/filenames in 1.3 Signed-off-by: Nick Boldt switch to content from 1.2.5, including support for blank/comment lines Signed-off-by: Nick Boldt remove embedded content for 1.2.5 Signed-off-by: Nick Boldt adjust spacing Signed-off-by: Nick Boldt add notes about how the script changes in 1.3 version Signed-off-by: Nick Boldt wrong indent 
Signed-off-by: Nick Boldt --- artifacts/attributes.adoc | 4 +- build/scripts/single-source-security-fixes.sh | 54 ----------------- .../con-relnotes-fixed-issues.adoc | 40 +------------ ...ixed-security-issues-in-product-1.2.5.txt} | 10 ---- ...ist-fixed-security-issues-in-rpm-1.2.5.txt | 9 +++ .../single-source-fixed-security-issues.sh | 58 +++++++++++++++++++ ...ixed-security-issues-in-product-1.2.5.adoc | 13 +++++ ...ip-fixed-security-issues-in-rpm-1.2.5.adoc | 25 ++++++++ 8 files changed, 110 insertions(+), 103 deletions(-) delete mode 100755 build/scripts/single-source-security-fixes.sh rename modules/release-notes/{cve-list-1.2.5.txt => list-fixed-security-issues-in-product-1.2.5.txt} (54%) create mode 100644 modules/release-notes/list-fixed-security-issues-in-rpm-1.2.5.txt create mode 100755 modules/release-notes/single-source-fixed-security-issues.sh create mode 100644 modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc create mode 100644 modules/release-notes/snip-fixed-security-issues-in-rpm-1.2.5.adoc diff --git a/artifacts/attributes.adoc b/artifacts/attributes.adoc index fbe9117a19..f05e0bdd6e 100644 --- a/artifacts/attributes.adoc +++ b/artifacts/attributes.adoc @@ -11,8 +11,8 @@ :product-short: Developer Hub :product-very-short: RHDH :product-version: 1.2 -:product-bundle-version: 1.2.4 -:product-chart-version: 1.2.4 +:product-bundle-version: 1.2.5 +:product-chart-version: 1.2.5 :product-backstage-version: 1.26.5 :rhdeveloper-name: Red Hat Developer :rhel: Red Hat Enterprise Linux diff --git a/build/scripts/single-source-security-fixes.sh b/build/scripts/single-source-security-fixes.sh deleted file mode 100755 index e79f4df9cf..0000000000 --- a/build/scripts/single-source-security-fixes.sh +++ /dev/null 
@@ -1,54 +0,0 @@ -#!/bin/bash -# -# Copyright (c) 2024 Red Hat, Inc. -# This program, and the accompanying materials are made -# available under the terms of the Apache Public License 2.0, -# available at http://www.apache.org/licenses/ -# -# SPDX-License-Identifier: Apache-2.0 - -# Fail and stop on first error - -if [[ $# -lt 1 ]] || [[ ! -f modules/release-notes/cve-list-$1.txt ]]; then - echo "Usage: - -To process the contents of modules/release-notes/cve-list-\$version.txt, use the appropriate file version: - -$0 x.y.z - -Example: - -$0 1.2.5" - exit -else - version="$1" -fi - -set -e -destination=/tmp/snip-common-vulnerabilities-and-exposures.adoc; rm -f "$destination" - -echo;echo "Paste the following fragment into the file modules/release-notes/con-relnotes-fixed-issues.adoc" -echo; echo "---------------- - -=== Fixed security issues in {product} 1.2.5 - -This section lists fixed security issues with {product} 1.2.5: -" - -while IFS="" read -r cve || [ -n "$cve" ] -do - if [[ ${cve} != "#"* ]] && [[ $cve != "" ]]; then # commented or blank lines - # Start the list. - echo "link:https://access.redhat.com/security/cve/$cve[$cve]::" - # Call the API to return a list of details. - # Red Hat is last if there is one. - # Red Hat details is single line. - # MITRE details are multiline. - # We keep Red Hat details if present. - # We keep only the first two lines on MITRE details. - curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/$cve.json" | jq -r '.details[-1]' | head -n 2 - # Add a separation - echo "" - fi -done < "modules/release-notes/cve-list-$version.txt" -echo "----------------" diff --git a/modules/release-notes/con-relnotes-fixed-issues.adoc b/modules/release-notes/con-relnotes-fixed-issues.adoc index b8e4e2e384..9e3ea00b2e 100644 --- a/modules/release-notes/con-relnotes-fixed-issues.adoc +++ b/modules/release-notes/con-relnotes-fixed-issues.adoc 
@@ -1,5 +1,5 @@ [id='con-relnotes-fixed-issues_{context}'] -= Fixed issues in {product} {product-version} and 1.2.2 += Fixed issues in {product} {product-version} == Fixed issues in {product} 1.2.2 
@@ -222,43 +222,9 @@ With the release of the {product-short} 1.2.1 Helm chart, this is fixed. === Fixed security issues in {product} 1.2.5 -This section lists fixed security issues with {product} 1.2.5: +include::snip-fixed-security-issues-in-product-1.2.5.adoc[leveloffset=+2] -link:https://access.redhat.com/security/cve/CVE-2024-21529[CVE-2024-21529]:: -A flaw was found in the dset package. Affected versions of this package are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program. - -link:https://access.redhat.com/security/cve/CVE-2024-45590[CVE-2024-45590]:: -A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled. - -link:https://access.redhat.com/security/cve/CVE-2024-24791[CVE-2024-24791]:: -A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service. - -link:https://access.redhat.com/security/cve/CVE-2024-39249[CVE-2024-39249]:: -A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input. - -link:https://access.redhat.com/security/cve/CVE-2024-37371[CVE-2024-37371]:: -A vulnerability was found in Kerberos. This flaw is due to an issue with message token handling. - -link:https://access.redhat.com/security/cve/CVE-2024-37370[CVE-2024-37370]:: -A vulnerability was found in Kerberos. This flaw is due to an issue with message token handling. - -link:https://access.redhat.com/security/cve/CVE-2024-6923[CVE-2024-6923]:: -A vulnerability was found in the email module that uses Python language. 
The email module doesn't properly quote new lines in email headers. This flaw allows an attacker to inject email headers that could, among other possibilities, add hidden email destinations or inject content into the email, impacting data confidentiality and integrity. - -link:https://access.redhat.com/security/cve/CVE-2024-39331[CVE-2024-39331]:: -A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when the Org mode is enabled, when Emacs is used as an email client, this issue can be triggered when previewing email attachments. - -link:https://access.redhat.com/security/cve/CVE-2024-45490[CVE-2024-45490]:: -A flaw was found in libexpat's xmlparse.c component. This vulnerability allows an attacker to cause improper handling of XML data by providing a negative length value to the XML_ParseBuffer function. - -link:https://access.redhat.com/security/cve/CVE-2024-45491[CVE-2024-45491]:: -An issue was found in libexpat’s internal dtdCopy function in xmlparse.c, It can have an integer overflow for nDefaultAtts on 32-bit platforms where UINT_MAX equals SIZE_MAX. - -link:https://access.redhat.com/security/cve/CVE-2024-45492[CVE-2024-45492]:: -A flaw was found in libexpat's internal nextScaffoldPart function in xmlparse.c. It can have an integer overflow for m_groupSize on 32-bit platforms where UINT_MAX equals SIZE_MAX. - -link:https://access.redhat.com/security/cve/CVE-2024-6119[CVE-2024-6119]:: -A flaw was found in OpenSSL. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. +include::snip-fixed-security-issues-in-rpm-1.2.5.adoc[leveloffset=+2] === Fixed security issues in {product} 1.2.3 
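Review bot: `leveloffset=+2` is off by one for these two includes. The snippets start with a level-0 title (`= {product} dependency updates`, `= RHEL 9 platform RPM updates`), so +2 renders them as `===`, the same level as the enclosing `=== Fixed security issues in {product} 1.2.5` heading instead of beneath it; use `leveloffset=+3` so they become `====` subsections.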
diff --git a/modules/release-notes/cve-list-1.2.5.txt b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt similarity index 54% rename from modules/release-notes/cve-list-1.2.5.txt rename to modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt index d567cf20ed..10bb03d1d1 100644 --- a/modules/release-notes/cve-list-1.2.5.txt +++ b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt @@ -7,13 +7,3 @@ CVE-2024-21529 CVE-2024-45590 CVE-2024-24791 CVE-2024-39249 - -# RPM updates from Freshmaker (RHIDP-4218) -CVE-2024-37371 -CVE-2024-37370 -CVE-2024-6923 -CVE-2024-39331 -CVE-2024-45490 -CVE-2024-45491 -CVE-2024-45492 -CVE-2024-6119 diff --git a/modules/release-notes/list-fixed-security-issues-in-rpm-1.2.5.txt b/modules/release-notes/list-fixed-security-issues-in-rpm-1.2.5.txt new file mode 100644 index 0000000000..5ea924b1f9 --- /dev/null +++ b/modules/release-notes/list-fixed-security-issues-in-rpm-1.2.5.txt @@ -0,0 +1,9 @@ +# RPM updates from Freshmaker (RHIDP-4218) +CVE-2024-37371 +CVE-2024-37370 +CVE-2024-6923 +CVE-2024-39331 +CVE-2024-45490 +CVE-2024-45491 +CVE-2024-45492 +CVE-2024-6119 diff --git a/modules/release-notes/single-source-fixed-security-issues.sh b/modules/release-notes/single-source-fixed-security-issues.sh new file mode 100755 index 0000000000..fd96c7a8de --- /dev/null +++ b/modules/release-notes/single-source-fixed-security-issues.sh 
@@ -0,0 +1,58 @@ +#!/bin/bash +# +# Copyright (c) 2024 Red Hat, Inc. +# This program, and the accompanying materials are made +# available under the terms of the Apache Public License 2.0, +# available at http://www.apache.org/licenses/ +# +# SPDX-License-Identifier: Apache-2.0 + +# Single-source the release notes Fixed security issues section from Red Hat Security Data API. +# See: https://docs.redhat.com/en/documentation/red_hat_security_data_api/1.0/html/red_hat_security_data_api/cve + +# Fail and stop on first error +set -e + +# get the z-stream version from the bundle-version attribute. Note that while chart-version could be larger, this is the correct value for CVE tracking +# if a different version is passed in than the value in 'product-bundle-version', generate content for that version instead +if [[ $1 ]]; then product_version="$1"; else product_version="$(grep ':product-bundle-version:' artifacts/attributes.adoc | cut -d' ' -f2 )"; fi + +single_source_from_security_data () { + sectionname="fixed-security-issues-in-${section}-${product_version}" + dirname=$(dirname ${BASH_SOURCE}) + destination="${dirname}/snip-${sectionname}.adoc" + list="${dirname}/list-${sectionname}.txt" + # Assert that the list file exists. + if [ ! -f ${list} ] + then + echo "ERROR: The ${list} file is missing. You must create it to proceed. For a given version, can collect the list of CVEs from a JIRA query like https://issues.redhat.com/issues/?jql=labels%3DSecurityTracking+and+project%3DRHIDP+and+fixversion%3D1.3.1 or list of Erratas from https://errata.devel.redhat.com/advisory/filters/4213" + exit 1 + fi + echo -e "= ${title}" > "$destination" + while IFS="" read -r cve || [ -n "$cve" ]; do + if [[ ${cve} != "#"* ]] && [[ $cve != "" ]]; then # skip commented and blank lines + # Start the list. + echo -e "\nlink:https://access.redhat.com/security/cve/$cve[$cve]::" >> "$destination" + # Call the API to return a list of details. + # Red Hat is last if there is one. 
+ # Red Hat details is single line. + # MITRE details are multiline. + # We keep Red Hat details if present. + # We keep only the first two lines on MITRE details. + curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/$cve.json" | jq -r '.details[-1]' | head -n 2 >> "$destination" + fi + done < "$list" + # in 1.3, don't remove the 'modules/release-notes/' path prefix, just use ${destination} + echo "include::${destination##*release-notes/}[leveloffset=+2]" +} + +title="{product} dependency updates" +section="product" +single_source_from_security_data + +title="RHEL 9 platform RPM updates" +section="rpm" +single_source_from_security_data + +# in 1.3, this moves to assemblies/assembly-release-notes-fixed-security-issues.adoc +echo "INFO: Verify that the modules/release-notes/con-relnotes-fixed-issues.adoc file contains aforementioned required include statements." diff --git a/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc b/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc new file mode 100644 index 0000000000..165047106e --- /dev/null +++ b/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc 
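Review bot: `$cve` is read from the list file and interpolated unvalidated into the Hydra URL and the AsciiDoc `link:` macro in modules/release-notes/single-source-fixed-security-issues.sh; a line with trailing whitespace, a CRLF ending or a typo yields a broken URL, a `null` description and a malformed link with no error. Validate each line against `^CVE-[0-9]{4}-[0-9]{4,}$` and stop on anything else. Related: `set -e` does not cover the `curl -s ... | jq ... | head -n 2 >> "$destination"` pipeline (only `head`'s status counts), so add `set -o pipefail`, use `curl -sf`, and fail on an empty or `null` result rather than appending it to the snippet. Two smaller points: `dirname=$(dirname ${BASH_SOURCE})` and `[ ! -f ${list} ]` should quote their expansions, and the Jira query in the error message hard-codes `fixversion%3D1.3.1` while the script runs for `${product_version}`; substitute the variable so the hint stays correct across z-streams.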
@@ -0,0 +1,13 @@ += {product} dependency updates + +link:https://access.redhat.com/security/cve/CVE-2024-21529[CVE-2024-21529]:: +A flaw was found in the dset package. Affected versions of this package are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program. + +link:https://access.redhat.com/security/cve/CVE-2024-45590[CVE-2024-45590]:: +A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled. + +link:https://access.redhat.com/security/cve/CVE-2024-24791[CVE-2024-24791]:: +A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service. + +link:https://access.redhat.com/security/cve/CVE-2024-39249[CVE-2024-39249]:: +A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input. diff --git a/modules/release-notes/snip-fixed-security-issues-in-rpm-1.2.5.adoc b/modules/release-notes/snip-fixed-security-issues-in-rpm-1.2.5.adoc new file mode 100644 index 0000000000..702288ad50 --- /dev/null +++ b/modules/release-notes/snip-fixed-security-issues-in-rpm-1.2.5.adoc 
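Review bot: snip-fixed-security-issues-in-product-1.2.5.adoc is a generated artifact of single-source-fixed-security-issues.sh, but nothing in the file says so. Have the script emit a first-line AsciiDoc comment such as `// Generated by single-source-fixed-security-issues.sh from list-fixed-security-issues-in-product-1.2.5.txt; do not edit by hand` so manual edits are not lost on the next run and reviewers know to change the list file instead.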
@@ -0,0 +1,25 @@ += RHEL 9 platform RPM updates + +link:https://access.redhat.com/security/cve/CVE-2024-37371[CVE-2024-37371]:: +A vulnerability was found in Kerberos. This flaw is due to an issue with message token handling. + +link:https://access.redhat.com/security/cve/CVE-2024-37370[CVE-2024-37370]:: +A vulnerability was found in the MIT Kerberos 5 GSS krb5 wrap token, where an attacker can modify the plaintext Extra Count field, causing the unwrapped token to appear truncated to the application, occurs when the attacker alters the token data during transmission which can lead to improper handling of authentication tokens. + +link:https://access.redhat.com/security/cve/CVE-2024-6923[CVE-2024-6923]:: +A vulnerability was found in the email module that uses Python language. The email module doesn't properly quote new lines in email headers. This flaw allows an attacker to inject email headers that could, among other possibilities, add hidden email destinations or inject content into the email, impacting data confidentiality and integrity. + +link:https://access.redhat.com/security/cve/CVE-2024-39331[CVE-2024-39331]:: +A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when the Org mode is enabled, when Emacs is used as an email client, this issue can be triggered when previewing email attachments. + +link:https://access.redhat.com/security/cve/CVE-2024-45490[CVE-2024-45490]:: +A flaw was found in libexpat's xmlparse.c component. This vulnerability allows an attacker to cause improper handling of XML data by providing a negative length value to the XML_ParseBuffer function. + +link:https://access.redhat.com/security/cve/CVE-2024-45491[CVE-2024-45491]:: +An issue was found in libexpat’s internal dtdCopy function in xmlparse.c, It can have an integer overflow for nDefaultAtts on 32-bit platforms where UINT_MAX equals SIZE_MAX. 
+ +link:https://access.redhat.com/security/cve/CVE-2024-45492[CVE-2024-45492]:: +A flaw was found in libexpat's internal nextScaffoldPart function in xmlparse.c. It can have an integer overflow for m_groupSize on 32-bit platforms where UINT_MAX equals SIZE_MAX. + +link:https://access.redhat.com/security/cve/CVE-2024-6119[CVE-2024-6119]:: +A flaw was found in OpenSSL. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. From 7b12b24f8089e3e46f56f4095048e5348d954e3c Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Tue, 8 Oct 2024 10:52:27 -0300 Subject: [PATCH 03/16] indent security fixes one level lower Signed-off-by: Nick Boldt --- modules/release-notes/con-relnotes-fixed-issues.adoc | 4 ++-- modules/release-notes/single-source-fixed-security-issues.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/release-notes/con-relnotes-fixed-issues.adoc b/modules/release-notes/con-relnotes-fixed-issues.adoc index 9e3ea00b2e..9f4ca709a8 100644 --- a/modules/release-notes/con-relnotes-fixed-issues.adoc +++ b/modules/release-notes/con-relnotes-fixed-issues.adoc @@ -222,9 +222,9 @@ With the release of the {product-short} 1.2.1 Helm chart, this is fixed. === Fixed security issues in {product} 1.2.5 -include::snip-fixed-security-issues-in-product-1.2.5.adoc[leveloffset=+2] +include::snip-fixed-security-issues-in-product-1.2.5.adoc[leveloffset=+3] -include::snip-fixed-security-issues-in-rpm-1.2.5.adoc[leveloffset=+2] +include::snip-fixed-security-issues-in-rpm-1.2.5.adoc[leveloffset=+3] === Fixed security issues in {product} 1.2.3 diff --git a/modules/release-notes/single-source-fixed-security-issues.sh b/modules/release-notes/single-source-fixed-security-issues.sh index fd96c7a8de..df0b663545 100755 --- a/modules/release-notes/single-source-fixed-security-issues.sh 
+++ b/modules/release-notes/single-source-fixed-security-issues.sh @@ -42,8 +42,8 @@ single_source_from_security_data () { curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/$cve.json" | jq -r '.details[-1]' | head -n 2 >> "$destination" fi done < "$list" - # in 1.3, don't remove the 'modules/release-notes/' path prefix, just use ${destination} - echo "include::${destination##*release-notes/}[leveloffset=+2]" + # in 1.3, don't remove the 'modules/release-notes/' path prefix, just use ${destination} and use levelofset=+2 + echo "include::${destination##*release-notes/}[leveloffset=+3]" } title="{product} dependency updates" From 593be7b6a4dd620fd6466e03b282e6ad535f1713 Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Wed, 9 Oct 2024 09:10:03 -0300 Subject: [PATCH 04/16] remove CVE-2024-45590 for now, not yet done Signed-off-by: Nick Boldt --- .../list-fixed-security-issues-in-product-1.2.5.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt index 10bb03d1d1..e255a71545 100644 --- a/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt +++ b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt @@ -1,9 +1,9 @@ # not yet live; uncomment to generate CVE RN text # CVE-2024-43799 # CVE-2024-37890 +# CVE-2024-45590 # these are live, pending the release of 1.2.5 CVE-2024-21529 -CVE-2024-45590 CVE-2024-24791 CVE-2024-39249 From 93f53c3b65cac4baefd02358ac22804c785affb1 Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Wed, 9 Oct 2024 09:10:43 -0300 Subject: [PATCH 05/16] remove CVE-2024-45590 for now, not yet done Signed-off-by: Nick Boldt --- .../snip-fixed-security-issues-in-product-1.2.5.adoc | 3 --- 1 file changed, 3 deletions(-) 
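Review bot: the reworded comment in single-source-fixed-security-issues.sh reads as a contradiction of the line it sits above: `just use ${destination} and use levelofset=+2` is immediately followed by `echo "... [leveloffset=+3]"`, and `levelofset` is misspelled. Make the branch rule explicit, for example `# 1.2.x: include relative to modules/release-notes/ with leveloffset=+3; in 1.3 use ${destination} as-is with leveloffset=+2`, or better, set the offset and the path form once in variables at the top of the script so the two branches differ in one place rather than in a comment.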
diff --git a/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc b/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc index 165047106e..86e5944d06 100644 --- a/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc +++ b/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc @@ -3,9 +3,6 @@ link:https://access.redhat.com/security/cve/CVE-2024-21529[CVE-2024-21529]:: A flaw was found in the dset package. Affected versions of this package are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program. -link:https://access.redhat.com/security/cve/CVE-2024-45590[CVE-2024-45590]:: -A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled. - link:https://access.redhat.com/security/cve/CVE-2024-24791[CVE-2024-24791]:: A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service. From 478d29cc35b1d391990e3f3d321b06cdb377973a Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Wed, 9 Oct 2024 09:19:41 -0300 Subject: [PATCH 06/16] chore: uniquely version sort CVEs Signed-off-by: Nick Boldt --- .../single-source-fixed-security-issues.sh | 29 +++++++++++-------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/modules/release-notes/single-source-fixed-security-issues.sh b/modules/release-notes/single-source-fixed-security-issues.sh index df0b663545..0a07508037 100755 --- a/modules/release-notes/single-source-fixed-security-issues.sh +++ b/modules/release-notes/single-source-fixed-security-issues.sh 
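Review bot: PATCH 04 and PATCH 05 carry the identical message `remove CVE-2024-45590 for now, not yet done` and between them hand-edit both the list file and the generated snip-fixed-security-issues-in-product-1.2.5.adoc; squash them into one commit, and regenerate the snippet by running single-source-fixed-security-issues.sh rather than deleting the three lines by hand, so the committed snippet is provably the script's output for the committed list.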
@@ -22,26 +22,31 @@ single_source_from_security_data () { dirname=$(dirname ${BASH_SOURCE}) destination="${dirname}/snip-${sectionname}.adoc" list="${dirname}/list-${sectionname}.txt" + list_cleaned="" # Assert that the list file exists. - if [ ! -f ${list} ] - then + if [ ! -f ${list} ]; then echo "ERROR: The ${list} file is missing. You must create it to proceed. For a given version, can collect the list of CVEs from a JIRA query like https://issues.redhat.com/issues/?jql=labels%3DSecurityTracking+and+project%3DRHIDP+and+fixversion%3D1.3.1 or list of Erratas from https://errata.devel.redhat.com/advisory/filters/4213" exit 1 fi echo -e "= ${title}" > "$destination" while IFS="" read -r cve || [ -n "$cve" ]; do if [[ ${cve} != "#"* ]] && [[ $cve != "" ]]; then # skip commented and blank lines - # Start the list. - echo -e "\nlink:https://access.redhat.com/security/cve/$cve[$cve]::" >> "$destination" - # Call the API to return a list of details. - # Red Hat is last if there is one. - # Red Hat details is single line. - # MITRE details are multiline. - # We keep Red Hat details if present. - # We keep only the first two lines on MITRE details. - curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/$cve.json" | jq -r '.details[-1]' | head -n 2 >> "$destination" - fi + list_cleaned="${list_cleaned}\n${cve}" + fi done < "$list" + list_cleaned=$(echo -e "$list_cleaned" | sort -uV) + for cve in $list_cleaned; do + # Start the list. + echo "[DEBUG] $cve ..." + echo -e "\nlink:https://access.redhat.com/security/cve/$cve[$cve]::" >> "$destination" + # Call the API to return a list of details. + # Red Hat is last if there is one. + # Red Hat details is single line. + # MITRE details are multiline. + # We keep Red Hat details if present. + # We keep only the first two lines on MITRE details. 
+ curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/$cve.json" | jq -r '.details[-1]' | head -n 2 >> "$destination" + done # in 1.3, don't remove the 'modules/release-notes/' path prefix, just use ${destination} and use levelofset=+2 echo "include::${destination##*release-notes/}[leveloffset=+3]" } From cbe198bc08becaedbcac228bb1739072a2aff22c Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Wed, 9 Oct 2024 09:22:52 -0300 Subject: [PATCH 07/16] chore: uniquely version sort CVEs Signed-off-by: Nick Boldt --- .../single-source-fixed-security-issues.sh | 2 +- .../snip-fixed-security-issues-in-rpm-1.2.5.adoc | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/release-notes/single-source-fixed-security-issues.sh b/modules/release-notes/single-source-fixed-security-issues.sh index 0a07508037..d80b09492a 100755 --- a/modules/release-notes/single-source-fixed-security-issues.sh +++ b/modules/release-notes/single-source-fixed-security-issues.sh @@ -37,7 +37,7 @@ single_source_from_security_data () { list_cleaned=$(echo -e "$list_cleaned" | sort -uV) for cve in $list_cleaned; do # Start the list. - echo "[DEBUG] $cve ..." + # echo "[DEBUG] $cve ..." echo -e "\nlink:https://access.redhat.com/security/cve/$cve[$cve]::" >> "$destination" # Call the API to return a list of details. # Red Hat is last if there is one. diff --git a/modules/release-notes/snip-fixed-security-issues-in-rpm-1.2.5.adoc b/modules/release-notes/snip-fixed-security-issues-in-rpm-1.2.5.adoc index 702288ad50..39b1d8e299 100644 --- a/modules/release-notes/snip-fixed-security-issues-in-rpm-1.2.5.adoc +++ b/modules/release-notes/snip-fixed-security-issues-in-rpm-1.2.5.adoc 
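Review bot: the `[DEBUG] $cve ...` echo in the new `for` loop goes to stdout alongside the `include::` line the script prints for the operator; drop it, or send it to stderr behind an environment variable, rather than shipping it. The accumulation `list_cleaned="${list_cleaned}\n${cve}"` also starts the string with a newline, so `echo -e ... | sort -uV` sorts an empty line to the top that only disappears because the unquoted `for cve in $list_cleaned` word-splits it away; the whole read-filter-sort step collapses to `list_cleaned=$(grep -Ev '^(#|$)' "$list" | sort -uV)`, which keeps the comment and blank-line skipping and the unique version sort in one line. Note that `sort -V` compares the last field numerically, which is what puts `CVE-2024-6119` ahead of `CVE-2024-37370` in the regenerated snippets; a one-line comment saying so will stop someone "fixing" it back to lexical order.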
@@ -1,13 +1,16 @@ = RHEL 9 platform RPM updates -link:https://access.redhat.com/security/cve/CVE-2024-37371[CVE-2024-37371]:: -A vulnerability was found in Kerberos. This flaw is due to an issue with message token handling. +link:https://access.redhat.com/security/cve/CVE-2024-6119[CVE-2024-6119]:: +A flaw was found in OpenSSL. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. + +link:https://access.redhat.com/security/cve/CVE-2024-6923[CVE-2024-6923]:: +A vulnerability was found in the email module that uses Python language. The email module doesn't properly quote new lines in email headers. This flaw allows an attacker to inject email headers that could, among other possibilities, add hidden email destinations or inject content into the email, impacting data confidentiality and integrity. link:https://access.redhat.com/security/cve/CVE-2024-37370[CVE-2024-37370]:: A vulnerability was found in the MIT Kerberos 5 GSS krb5 wrap token, where an attacker can modify the plaintext Extra Count field, causing the unwrapped token to appear truncated to the application, occurs when the attacker alters the token data during transmission which can lead to improper handling of authentication tokens. -link:https://access.redhat.com/security/cve/CVE-2024-6923[CVE-2024-6923]:: -A vulnerability was found in the email module that uses Python language. The email module doesn't properly quote new lines in email headers. This flaw allows an attacker to inject email headers that could, among other possibilities, add hidden email destinations or inject content into the email, impacting data confidentiality and integrity. +link:https://access.redhat.com/security/cve/CVE-2024-37371[CVE-2024-37371]:: +A vulnerability was found in Kerberos. This flaw is due to an issue with message token handling. 
link:https://access.redhat.com/security/cve/CVE-2024-39331[CVE-2024-39331]:: A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when the Org mode is enabled, when Emacs is used as an email client, this issue can be triggered when previewing email attachments. @@ -20,6 +23,3 @@ An issue was found in libexpat’s internal dtdCopy function in xmlparse.c, It c link:https://access.redhat.com/security/cve/CVE-2024-45492[CVE-2024-45492]:: A flaw was found in libexpat's internal nextScaffoldPart function in xmlparse.c. It can have an integer overflow for m_groupSize on 32-bit platforms where UINT_MAX equals SIZE_MAX. - -link:https://access.redhat.com/security/cve/CVE-2024-6119[CVE-2024-6119]:: -A flaw was found in OpenSSL. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. From b45f00acbbe3190befef962c11d707494ad2d164 Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Thu, 10 Oct 2024 15:31:57 -0300 Subject: [PATCH 08/16] Update modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt Co-authored-by: Kim Tsao <84398375+kim-tsao@users.noreply.github.com> --- .../list-fixed-security-issues-in-product-1.2.5.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt index e255a71545..e626c7d83e 100644 --- a/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt +++ b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt @@ -2,6 +2,10 @@ # CVE-2024-43799 # CVE-2024-37890 # CVE-2024-45590 +# CVE-2024-45296 +# CVE-2024-47764 +# CVE-2024-43800 +# CVE-2024-48949 # these are live, pending the release of 1.2.5 CVE-2024-21529 
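Review bot: in the `@@ -37,7 +37,7 @@` hunk of single-source-fixed-security-issues.sh, turning `echo "[DEBUG] $cve ..."` into `# echo "[DEBUG] $cve ..."` leaves commented-out code in the loop; either delete the line or keep it as live debug output on stderr (`echo "[DEBUG] $cve ..." >&2`), which no longer pollutes the `include::` line the function prints to stdout.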
From ee9806ff91d10b2a1434e80abe6fcb3af592f8a8 Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Thu, 17 Oct 2024 16:41:00 -0300 Subject: [PATCH 09/16] add one more fixed CVE, update list of incomplete ones from query 'project = RHIDP AND fixVersion = 1.2.5 and resolution is null and labels = SecurityTracking'; also add affected package and version metadata Signed-off-by: Nick Boldt --- ...fixed-security-issues-in-product-1.2.5.txt | 21 ++++++++++--------- .../single-source-fixed-security-issues.sh | 2 +- ...ixed-security-issues-in-product-1.2.5.adoc | 3 +++ 3 files changed, 15 insertions(+), 11 deletions(-) diff --git a/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt index e626c7d83e..a08b0ad05f 100644 --- a/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt +++ b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt @@ -1,13 +1,14 @@ +# CVE number, affected package, fixed in version(s), JIRA + # not yet live; uncomment to generate CVE RN text -# CVE-2024-43799 -# CVE-2024-37890 -# CVE-2024-45590 -# CVE-2024-45296 -# CVE-2024-47764 -# CVE-2024-43800 -# CVE-2024-48949 +# CVE-2024-43799,send,0.19.0,RHIDP-3946 +# CVE-2024-43800,serve-static,1.16.0,RHIDP-3932 +# CVE-2024-45590,body-parser,1.20.3,RHIDP-3916 +# CVE-2024-45296,path-to-regexp,0.1.10||8.0.0,RHIDP-3897 +# CVE-2004-37890,ws,8.17.1||7.5.10||6.2.3||5.2.4,RHIDP-2733 # these are live, pending the release of 1.2.5 -CVE-2024-21529 -CVE-2024-24791 -CVE-2024-39249 +CVE-2024-48949,elliptic,6.5.6,RHIDP-4417 +CVE-2024-21529,dset,3.1.4,RHIDP-3925 +CVE-2024-24791,net/http,go-toolset:1.21.13-2,RHIDP-3173 +CVE-2024-39249,async,2.6.4||3.2.5,RHIDP-3146 diff --git a/modules/release-notes/single-source-fixed-security-issues.sh b/modules/release-notes/single-source-fixed-security-issues.sh index d80b09492a..f4e547cec9 100755 --- a/modules/release-notes/single-source-fixed-security-issues.sh 
+++ b/modules/release-notes/single-source-fixed-security-issues.sh @@ -31,7 +31,7 @@ single_source_from_security_data () { echo -e "= ${title}" > "$destination" while IFS="" read -r cve || [ -n "$cve" ]; do if [[ ${cve} != "#"* ]] && [[ $cve != "" ]]; then # skip commented and blank lines - list_cleaned="${list_cleaned}\n${cve}" + list_cleaned="${list_cleaned}\n${cve%%,*}" # trim csv content after the CVE number fi done < "$list" list_cleaned=$(echo -e "$list_cleaned" | sort -uV) diff --git a/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc b/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc index 86e5944d06..1924dbe841 100644 --- a/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc +++ b/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc @@ -8,3 +8,6 @@ A flaw was found in Go. The net/http module mishandles specific server responses link:https://access.redhat.com/security/cve/CVE-2024-39249[CVE-2024-39249]:: A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input. + +link:https://access.redhat.com/security/cve/CVE-2024-48949[CVE-2024-48949]:: +A flaw was found in the Elliptic package. This vulnerability allows attackers to bypass EDDSA signature validation via improper handling of signature values where the S() component of the signature is not properly checked for being non-negative or smaller than the curve order. From d6da5d304342ac61757c4ac7f06e2956327fc785 Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Mon, 21 Oct 2024 09:17:20 -0300 Subject: [PATCH 10/16] bump plugin list to latest version @janus-idp/backstage-plugin-ocm-backend 4.0.9 Signed-off-by: Nick Boldt --- modules/dynamic-plugins/rhdh-supported-plugins.adoc | 2 +- modules/dynamic-plugins/rhdh-supported-plugins.csv | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
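Review bot: the ws line in list-fixed-security-issues-in-product-1.2.5.txt reads `# CVE-2004-37890,ws,8.17.1||7.5.10||6.2.3||5.2.4,RHIDP-2733`, with a 2004 year while every other entry is CVE-2024-*; because the script now feeds `${cve%%,*}` straight into the `https://access.redhat.com/hydra/rest/securitydata/cve/$cve.json` URL and the adoc link, the typo would generate a wrong entry the moment the line is uncommented, so it should be CVE-2024-37890 here. The new header `# CVE number, affected package, fixed in version(s), JIRA` is skipped by the parser, which is fine; stating there that multiple fixed versions are separated by `||` would help the next editor.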
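Review bot: `${cve%%,*}` in the `@@ -31,7 +31,7 @@` hunk strips everything after the first comma but does not trim whitespace, so a list line with a leading space or a space before the first comma passes the padded id into the API URL and the adoc link unchanged; trimming the value and rejecting anything that does not match `^CVE-[0-9]{4}-[0-9]+$` would keep a hand-edited list from producing a broken entry.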
diff --git a/modules/dynamic-plugins/rhdh-supported-plugins.adoc b/modules/dynamic-plugins/rhdh-supported-plugins.adoc index acc98dff41..34748299f7 100644 --- a/modules/dynamic-plugins/rhdh-supported-plugins.adoc +++ b/modules/dynamic-plugins/rhdh-supported-plugins.adoc @@ -308,7 +308,7 @@ a| a| |Disabled -|OCM |@janus-idp/backstage-plugin-ocm-backend |Backend |4.0.8 |Production +|OCM |@janus-idp/backstage-plugin-ocm-backend |Backend |4.0.9 |Production |./dynamic-plugins/dist/janus-idp-backstage-plugin-ocm-backend-dynamic a| `OCM_HUB_NAME` diff --git a/modules/dynamic-plugins/rhdh-supported-plugins.csv b/modules/dynamic-plugins/rhdh-supported-plugins.csv index 5497705a40..2ffc436892 100644 --- a/modules/dynamic-plugins/rhdh-supported-plugins.csv +++ b/modules/dynamic-plugins/rhdh-supported-plugins.csv 
@@ -41,7 +41,7 @@ "Lighthouse ","@backstage/plugin-lighthouse","Frontend","0.4.20","Community Support","./dynamic-plugins/dist/backstage-plugin-lighthouse",";","Disabled" "Nexus Repository Manager ","@janus-idp/backstage-plugin-nexus-repository-manager","Frontend","1.6.10","Red Hat Tech Preview","./dynamic-plugins/dist/janus-idp-backstage-plugin-nexus-repository-manager",";","Disabled" "OCM ","@janus-idp/backstage-plugin-ocm","Frontend","4.1.8","Production","./dynamic-plugins/dist/janus-idp-backstage-plugin-ocm",";","Disabled" -"OCM ","@janus-idp/backstage-plugin-ocm-backend","Backend","4.0.8","Production","./dynamic-plugins/dist/janus-idp-backstage-plugin-ocm-backend-dynamic","`OCM_HUB_NAME`;`OCM_HUB_URL`;`moc_infra_token`;","Disabled" +"OCM ","@janus-idp/backstage-plugin-ocm-backend","Backend","4.0.9","Production","./dynamic-plugins/dist/janus-idp-backstage-plugin-ocm-backend-dynamic","`OCM_HUB_NAME`;`OCM_HUB_URL`;`moc_infra_token`;","Disabled" "PagerDuty ","@pagerduty/backstage-plugin","Frontend","0.12.0","Community Support","./dynamic-plugins/dist/pagerduty-backstage-plugin",";","Disabled" "Quay ","@janus-idp/backstage-plugin-quay","Frontend","1.7.8","Production","./dynamic-plugins/dist/janus-idp-backstage-plugin-quay",";","Disabled" "Quay ","@janus-idp/backstage-scaffolder-backend-module-quay","Backend","1.4.12","Production","./dynamic-plugins/dist/janus-idp-backstage-scaffolder-backend-module-quay-dynamic",";","Enabled" From d27c9e1975558c11dffbf14fb794cc71cf58c36a Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Fri, 15 Nov 2024 19:21:18 -0500 Subject: [PATCH 11/16] Update modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt Co-authored-by: Kim Tsao <84398375+kim-tsao@users.noreply.github.com> --- .../list-fixed-security-issues-in-product-1.2.5.txt | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
diff --git a/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt index a08b0ad05f..cfb3c755c4 100644 --- a/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt +++ b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt @@ -1,9 +1,8 @@ # CVE number, affected package, fixed in version(s), JIRA -# not yet live; uncomment to generate CVE RN text -# CVE-2024-43799,send,0.19.0,RHIDP-3946 -# CVE-2024-43800,serve-static,1.16.0,RHIDP-3932 -# CVE-2024-45590,body-parser,1.20.3,RHIDP-3916 +CVE-2024-43799,send,0.19.0,RHIDP-3946 +CVE-2024-43800,serve-static,1.16.0,RHIDP-3932 +CVE-2024-45590,body-parser,1.20.3,RHIDP-3916 # CVE-2024-45296,path-to-regexp,0.1.10||8.0.0,RHIDP-3897 # CVE-2004-37890,ws,8.17.1||7.5.10||6.2.3||5.2.4,RHIDP-2733 From 7761cbc793f3e6cc0ea92d9b9c0ac965ddf48252 Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Fri, 15 Nov 2024 19:21:58 -0500 Subject: [PATCH 12/16] Update modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt Co-authored-by: Kim Tsao <84398375+kim-tsao@users.noreply.github.com> --- .../list-fixed-security-issues-in-product-1.2.5.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt index cfb3c755c4..c3a99f9109 100644 --- a/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt +++ b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt 
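Review bot: this hunk deletes the `# not yet live; uncomment to generate CVE RN text` header together with the three entries it uncomments, but `# CVE-2024-45296,path-to-regexp,...` and `# CVE-2004-37890,ws,...` stay commented out right below it, so the file no longer explains why those two are disabled; keep the header comment above the remaining commented entries.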
@@ -4,7 +4,7 @@ CVE-2024-43799,send,0.19.0,RHIDP-3946 CVE-2024-43800,serve-static,1.16.0,RHIDP-3932 CVE-2024-45590,body-parser,1.20.3,RHIDP-3916 # CVE-2024-45296,path-to-regexp,0.1.10||8.0.0,RHIDP-3897 -# CVE-2004-37890,ws,8.17.1||7.5.10||6.2.3||5.2.4,RHIDP-2733 +CVE-2024-37890,ws,8.17.1||7.5.10||6.2.3||5.2.4,RHIDP-4668 # these are live, pending the release of 1.2.5 CVE-2024-48949,elliptic,6.5.6,RHIDP-4417 From 8fc0af2b8f6a6892fa5c4ea131597b8c88244319 Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Fri, 15 Nov 2024 19:22:22 -0500 Subject: [PATCH 13/16] Update modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt Co-authored-by: Kim Tsao <84398375+kim-tsao@users.noreply.github.com> --- .../list-fixed-security-issues-in-product-1.2.5.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt index c3a99f9109..99aa22d09c 100644 --- a/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt +++ b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt @@ -3,7 +3,6 @@ CVE-2024-43799,send,0.19.0,RHIDP-3946 CVE-2024-43800,serve-static,1.16.0,RHIDP-3932 CVE-2024-45590,body-parser,1.20.3,RHIDP-3916 -# CVE-2024-45296,path-to-regexp,0.1.10||8.0.0,RHIDP-3897 CVE-2024-37890,ws,8.17.1||7.5.10||6.2.3||5.2.4,RHIDP-4668 # these are live, pending the release of 1.2.5 From 2d98574b5a6da12900e3af2569c197777e39a6ad Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Fri, 15 Nov 2024 19:23:21 -0500 Subject: [PATCH 14/16] Update modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt --- .../list-fixed-security-issues-in-product-1.2.5.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt index 99aa22d09c..170e53d939 100644 
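Review bot: the replacement line fixes the year (`CVE-2024-37890`) and uncomments the ws entry, but it also changes the tracking issue from RHIDP-2733 to RHIDP-4668 without the commit message saying why; one line in the message explaining the re-tracking would save the next reader a JIRA lookup.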
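Review bot: removing `# CVE-2024-45296,path-to-regexp,0.1.10||8.0.0,RHIDP-3897` outright, rather than leaving it commented like the other deferred entries, drops the only record in this file of the RHIDP-3897 tracking id; if the fix is deferred to a later release it will have to be rediscovered, so either keep the commented line or say in the commit message where it went.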
--- a/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt +++ b/modules/release-notes/list-fixed-security-issues-in-product-1.2.5.txt @@ -10,3 +10,5 @@ CVE-2024-48949,elliptic,6.5.6,RHIDP-4417 CVE-2024-21529,dset,3.1.4,RHIDP-3925 CVE-2024-24791,net/http,go-toolset:1.21.13-2,RHIDP-3173 CVE-2024-39249,async,2.6.4||3.2.5,RHIDP-3146 +CVE-2024-21536, http-proxy-middleware, , RHIDP-4921 +CVE-2024-21538, cross-spawn, , RHIDP-4865 From 716b291d23474501ceecb73a32bcab7b43dd5dfd Mon Sep 17 00:00:00 2001 From: Nick Boldt Date: Fri, 15 Nov 2024 20:24:35 -0400 Subject: [PATCH 15/16] regen from script Signed-off-by: Nick Boldt --- ...-fixed-security-issues-in-product-1.2.5.adoc | 17 +++++++++++++++++ ...snip-fixed-security-issues-in-rpm-1.2.5.adoc | 2 +- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc b/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc index 1924dbe841..27a5a98d00 100644 --- a/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc +++ b/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc 
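Review bot: the two added lines `CVE-2024-21536, http-proxy-middleware, , RHIDP-4921` and `CVE-2024-21538, cross-spawn, , RHIDP-4865` use a different layout from the rest of the file (spaces after the commas and an empty "fixed in version(s)" field); the generator only reads `${cve%%,*}`, so the output is unaffected, but the empty field means the fixed versions are not recorded anywhere, and the spacing will trip any later tooling that reads the other columns. Fill in the fixed versions and match the `CVE,package,version,JIRA` form of the lines above.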
@@ -3,11 +3,28 @@ link:https://access.redhat.com/security/cve/CVE-2024-21529[CVE-2024-21529]:: A flaw was found in the dset package. Affected versions of this package are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program. +link:https://access.redhat.com/security/cve/CVE-2024-21536[CVE-2024-21536]:: +A flaw was found in the http-proxy-middleware package. Affected versions of this package are vulnerable to denial of service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. This flaw allows an attacker to kill the Node.js process and crash the server by requesting certain paths. + +link:https://access.redhat.com/security/cve/CVE-2024-21538[CVE-2024-21538]:: + link:https://access.redhat.com/security/cve/CVE-2024-24791[CVE-2024-24791]:: A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service. +link:https://access.redhat.com/security/cve/CVE-2024-37890[CVE-2024-37890]:: +A flaw was found in the Node.js WebSocket library (ws). A request with several headers exceeding the 'server.maxHeadersCount' threshold could be used to crash a ws server, leading to a denial of service. + link:https://access.redhat.com/security/cve/CVE-2024-39249[CVE-2024-39249]:: A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input. +link:https://access.redhat.com/security/cve/CVE-2024-43799[CVE-2024-43799]:: +A flaw was found in the Send library. This vulnerability allows remote code execution via untrusted input passed to the SendStream.redirect() function. 
+ +link:https://access.redhat.com/security/cve/CVE-2024-43800[CVE-2024-43800]:: +A flaw was found in serve-static. This issue may allow the execution of untrusted code via passing sanitized yet untrusted user input to redirect(). + +link:https://access.redhat.com/security/cve/CVE-2024-45590[CVE-2024-45590]:: +A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled. + link:https://access.redhat.com/security/cve/CVE-2024-48949[CVE-2024-48949]:: A flaw was found in the Elliptic package. This vulnerability allows attackers to bypass EDDSA signature validation via improper handling of signature values where the S() component of the signature is not properly checked for being non-negative or smaller than the curve order. diff --git a/modules/release-notes/snip-fixed-security-issues-in-rpm-1.2.5.adoc b/modules/release-notes/snip-fixed-security-issues-in-rpm-1.2.5.adoc index 39b1d8e299..b6681ab56c 100644 --- a/modules/release-notes/snip-fixed-security-issues-in-rpm-1.2.5.adoc +++ b/modules/release-notes/snip-fixed-security-issues-in-rpm-1.2.5.adoc 
@@ -10,7 +10,7 @@ link:https://access.redhat.com/security/cve/CVE-2024-37370[CVE-2024-37370]:: A vulnerability was found in the MIT Kerberos 5 GSS krb5 wrap token, where an attacker can modify the plaintext Extra Count field, causing the unwrapped token to appear truncated to the application, occurs when the attacker alters the token data during transmission which can lead to improper handling of authentication tokens. link:https://access.redhat.com/security/cve/CVE-2024-37371[CVE-2024-37371]:: -A vulnerability was found in Kerberos. This flaw is due to an issue with message token handling. +A vulnerability was found in the MIT Kerberos 5 GSS krb5 wrap token, where an attacker can modify the plaintext Extra Count field, causing the unwrapped token to appear truncated to the application, occurs when the attacker alters the token data during transmission which can lead to improper handling of authentication tokens. link:https://access.redhat.com/security/cve/CVE-2024-39331[CVE-2024-39331]:: A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when the Org mode is enabled, when Emacs is used as an email client, this issue can be triggered when previewing email attachments. From fec1872b38a88260096407815bd7f3740280987e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Fri, 22 Nov 2024 10:25:02 +0100 Subject: [PATCH 16/16] Update modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc Added description manually --- .../snip-fixed-security-issues-in-product-1.2.5.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc b/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc index 27a5a98d00..01e6f56e17 100644 --- a/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc +++ b/modules/release-notes/snip-fixed-security-issues-in-product-1.2.5.adoc 
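Review bot: the regenerated product snippet contains `link:https://access.redhat.com/security/cve/CVE-2024-21538[CVE-2024-21538]::` followed by an empty line and no description, so the API lookup returned no usable text for that id and the script appended an empty definition-list entry without complaint; the generator should treat empty `jq` output as an error, or emit a visible `TODO` placeholder, so a blank entry cannot reach the published release notes.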
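Review bot: in the rpm snippet hunk, the new CVE-2024-37371 text is word for word the same as the CVE-2024-37370 entry in the context line just above it (the krb5 wrap token Extra Count description), whereas the removed line described 37371 as a message token handling issue; two different CVE ids with identical descriptions will confuse readers, so check what `.details[-1]` returned for CVE-2024-37371 and, if the source really yields the same text, keep the previous wording for 37371.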
@@ -7,6 +7,7 @@ link:https://access.redhat.com/security/cve/CVE-2024-21536[CVE-2024-21536]:: A flaw was found in the http-proxy-middleware package. Affected versions of this package are vulnerable to denial of service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. This flaw allows an attacker to kill the Node.js process and crash the server by requesting certain paths. link:https://access.redhat.com/security/cve/CVE-2024-21538[CVE-2024-21538]:: +Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string. link:https://access.redhat.com/security/cve/CVE-2024-24791[CVE-2024-24791]:: A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
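Review bot: this description for CVE-2024-21538 is added by hand to snip-fixed-security-issues-in-product-1.2.5.adoc, a file that patch 15 ("regen from script") shows is generated from the list file, so the next regeneration will overwrite it with the same empty entry; either give the script a way to pick up a manual override (for example an optional description column in list-fixed-security-issues-in-product-1.2.5.txt) or mark at the top of the snippet that it has been edited by hand.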