
[release-2.10] Business Continuity: fix CVE-2023-45288 if necessary

    • Bug
    • Resolution: Done
    • Undefined
    • ACM 2.10.4
    • ACM 2.10.3
    • Business Continuity
    • None
    • Important
    • No

      Description of problem:

      Need to ensure that CVE-2023-45288 is patched for Business continuity images:

      • [x] cluster-backup-operator (patched in release-2.10 should make ACM 2.10.4 release)
      • [x] volsync-addon-controller (patched in release-2.10 should make ACM 2.10.4 release)
      • [x] volsync (will be fixed in volsync v0.9.2 which ships alongside ACM 2.10.4)



            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Low: Red Hat Advanced Cluster Management 2.10.4 security updates and bug fixes), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2024:4464


            Tesshu Flower added a comment -

            Closing as regression has been run on the acm 2.9 builds that contain these changes

            Sahar Ebrahimi added a comment - edited

            For cluster-backup-operator ACM 2.10 release:

            golang.org/x/net updated to v0.24.0 in https://github.com/stolostron/cluster-backup-operator/pull/557
            golang.org/x/net/http2 not used
            net/http not used

            Tesshu Flower added a comment -

            volsync-addon-controller changes merged - should make ACM 2.10.4 release.

            golang.org/x/net updated to v0.24.0 (> v0.23.0 patched version)
            golang.org/x/net/http2 not used
            net/http not used

            Tesshu Flower added a comment -

            VolSync v0.9.2 will ship alongside ACM 2.10.4 (targeted for 06/26/2024) - and contains fixes for this CVE

            golang.org/x/net is at v0.24.0 (> v0.23.0 patched version)
            golang.org/x/net/http2 not used
            net/http not used
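The check the comments above repeat for each image (golang.org/x/net pinned at or above the v0.23.0 fix for CVE-2023-45288), written out as an added Go example; this is not code from the stolostron projects or VolSync, the go.mod text it reads is constructed, and the function names are my own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const patchedXNet = "v0.23.0" // first golang.org/x/net release fixing CVE-2023-45288 (per the issue comments)

// XNetVersion returns the golang.org/x/net version a go.mod text requires ("" if absent);
// the one-line "require golang.org/x/net vX.Y.Z" form and "// indirect" markers are handled.
func XNetVersion(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == "golang.org/x/net" {
			return f[1]
		}
	}
	return ""
}

// semverParts parses "v0.24.0" into [0 24 0]; a pre-release or pseudo-version suffix is dropped.
func semverParts(v string) (out [3]int, err error) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-")
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not MAJOR.MINOR.PATCH: %q", v)
	}
	for i, p := range parts {
		if out[i], err = strconv.Atoi(p); err != nil {
			return out, err
		}
	}
	return out, nil
}

// XNetPatched reports whether go.mod pins golang.org/x/net at or above patchedXNet.
func XNetPatched(gomod string) (bool, error) {
	have, err := semverParts(XNetVersion(gomod))
	if err != nil {
		return false, fmt.Errorf("golang.org/x/net version: %w", err)
	}
	want, _ := semverParts(patchedXNet)
	for i := range have { // compare major, then minor, then patch
		if have[i] != want[i] {
			return have[i] > want[i], nil
		}
	}
	return true, nil // exactly the patched version
}
```

Only require lines are inspected; a replace directive or a vendored copy is not considered, so confirm the version actually built with `go list -m golang.org/x/net` in the module, and, as the comments do, separately check whether golang.org/x/net/http2 or net/http is in the binary's dependency graph at all.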
