-
Notifications
You must be signed in to change notification settings - Fork 1.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #32317 from openshift-cherrypick-robot/cherry-pick…
…-32292-to-enterprise-4.8 [enterprise-4.8] RHDEVDOCS-2985 Logging: Create RNs for 5.0.3 RHSA-2021:1515 OSE-LOGGING
- Loading branch information
Showing
5 changed files
with
64 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
[id="cluster-logging-release-notes-5-0-3"] | ||
= OpenShift Logging 5.0.3 | ||
|
||
This release includes link:https://access.redhat.com/errata/RHSA-2021:1515[RHSA-2021:1515 Security Advisory for Important OpenShift Logging Bug Fix Release (5.0.3)] | ||
|
||
|
||
[id="openshift-logging-5-0-3-security-fixes"] | ||
== Security fixes | ||
|
||
* jackson-databind: arbitrary code execution in slf4j-ext class (link:https://www.redhat.com/security/data/cve/CVE-2018-14718.html[*CVE-2018-14718*]) | ||
* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (link:https://www.redhat.com/security/data/cve/CVE-2018-14719.html[*CVE-2018-14719*]) | ||
* jackson-databind: exfiltration/XXE in some JDK classes (link:https://www.redhat.com/security/data/cve/CVE-2018-14720.html[*CVE-2018-14720*]) | ||
* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (link:https://www.redhat.com/security/data/cve/CVE-2018-14721.html[*CVE-2018-14721*]) | ||
* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (link:https://www.redhat.com/security/data/cve/CVE-2018-19360.html[*CVE-2018-19360*]) | ||
* jackson-databind: improper polymorphic deserialization in openjpa class (link:https://www.redhat.com/security/data/cve/CVE-2018-19361.html[*CVE-2018-19361*]) | ||
* jackson-databind: improper polymorphic deserialization in jboss-common-core class (link:https://www.redhat.com/security/data/cve/CVE-2018-19362.html[*CVE-2018-19362*]) | ||
* jackson-databind: default typing mishandling leading to remote code execution (link:https://www.redhat.com/security/data/cve/CVE-2019-14379.htmld[*CVE-2019-14379*]) | ||
* jackson-databind: serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration (link:https://www.redhat.com/security/data/cve/CVE-2020-24750.html[*CVE-2020-24750*]) | ||
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource (link:https://www.redhat.com/security/data/cve/CVE-2020-35490.html[*CVE-2020-35490*]) | ||
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource (link:https://www.redhat.com/security/data/cve/CVE-2020-35491.html[*CVE-2020-35491*]) | ||
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (link:https://www.redhat.com/security/data/cve/CVE-2020-35728.html[*CVE-2020-35728*]) | ||
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS (link:https://www.redhat.com/security/data/cve/CVE-2020-36179.html[*CVE-2020-36179*]) | ||
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS (link:https://www.redhat.com/security/data/cve/CVE-2020-36180.html[*CVE-2020-36180*]) | ||
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS (link:https://www.redhat.com/security/data/cve/CVE-2020-36181.html[*CVE-2020-36181*]) | ||
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS (link:https://www.redhat.com/security/data/cve/CVE-2020-36182.html[*CVE-2020-36182*]) | ||
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool (link:https://www.redhat.com/security/data/cve/CVE-2020-36183.html[*CVE-2020-36183*]) | ||
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource (link:https://www.redhat.com/security/data/cve/CVE-2020-36184.html[*CVE-2020-36184*]) | ||
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource (link:https://www.redhat.com/security/data/cve/CVE-2020-36185.html[*CVE-2020-36185*]) | ||
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource (link:https://www.redhat.com/security/data/cve/CVE-2020-36186.html[*CVE-2020-36186*]) | ||
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource (link:https://www.redhat.com/security/data/cve/CVE-2020-36187.html[*CVE-2020-36187*]) | ||
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource (link:https://www.redhat.com/security/data/cve/CVE-2020-36188.html[*CVE-2020-36188*]) | ||
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource (link:https://www.redhat.com/security/data/cve/CVE-2020-36189.html[*CVE-2020-36189*]) | ||
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing (link:https://www.redhat.com/security/data/cve/CVE-2021-20190.html[*CVE-2021-20190*]) | ||
* golang: data race in certain net/http servers including ReverseProxy can lead to DoS (link:https://www.redhat.com/security/data/cve/CVE-2020-15586.html[*CVE-2020-15586*]) | ||
* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (link:https://www.redhat.com/security/data/cve/CVE-2020-16845.html[*CVE-2020-16845*]) | ||
* OpenJDK: Incomplete enforcement of JAR signing disabled algorithms (Libraries, 8249906) (link:https://www.redhat.com/security/data/cve/CVE-2021-2163.html[*CVE-2021-2163*]) | ||
|
||
The following Jira issues contain the above CVEs: | ||
|
||
* LOG-1234 CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4]. (link:https://issues.redhat.com/browse/LOG-1234[*LOG-1234*]) | ||
* LOG-1243 CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2019-14379 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728... logging-elasticsearch6-container: various flaws [openshift-logging-5.0]. (link:https://issues.redhat.com/browse/LOG-1243[*LOG-1243*]) | ||
|
||
[id="openshift-logging-5-0-3-bug-fixes"] | ||
== Bug fixes | ||
|
||
This release also includes the following bug fixes: | ||
|
||
* LOG-1224 Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected. (link:https://issues.redhat.com/browse/LOG-1224[*LOG-1224*]) | ||
* LOG-1232 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs. (link:https://issues.redhat.com/browse/LOG-1232[*LOG-1232*]) | ||
* LOG-1299 Release 5.0 - Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)". (link:https://issues.redhat.com/browse/LOG-1299[*LOG-1299*]) |