Bug 2002703 - CVE-2021-39240 CVE-2021-39241 CVE-2021-39242 CVE-2021-40346 haproxy: does not ensure that the scheme and path portions of a URI have the expected characters [openshift-4.8.z]
Summary: CVE-2021-39240 CVE-2021-39241 CVE-2021-39242 CVE-2021-40346 haproxy: does not...
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2022-08-17
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.8.z
Assignee: Andrew McDermott
QA Contact: Arvind iyengar
URL:
Whiteboard: component:haproxy
: 2002753 2019913 (view as bug list)
Depends On: 2001963 2003162 2019913
Blocks: CVE-2021-39240 CVE-2021-39241 CVE-2021-39242 CVE-2021-40346 2002706
Reported: 2021-09-09 14:22 UTC by Andrew McDermott
Modified: 2022-08-04 22:35 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 2001963
Environment:
Last Closed: 2022-01-05 15:44:22 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2021:5208
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2022-01-05 15:44:36 UTC

Comment 5 Sam Fowler 2021-09-29 01:56:42 UTC
*** Bug 2002753 has been marked as a duplicate of this bug. ***

Comment 11 David Hernández Fernández 2021-11-03 16:17:17 UTC
*** Bug 2019913 has been marked as a duplicate of this bug. ***

Comment 17 Sam Fowler 2021-12-01 00:04:18 UTC
Ok, so standard process in these situations is to assign a new CVE for the CVE we claimed to fix already in an RHSA. I can take care of that on the ProdSec side, I've already converted bz#2027736 to track a new flaw bug (bz#2027881) which is where we'll assign the new CVE.

Couple more questions:

* We've only shipped an RHSA for CVE-2021-39242 in OCP 4.9.z, but are other packages waiting to be released that are also missing this patch? (rhel-9 perhaps?)
* Can we ensure that the upcoming OCP 4.8, 4.7 releases include all four CVE fixes?

Miciah, since it seems like you were the one who discovered this issue, would you like to be publicly acknowledged as the reporter on the new CVE page?

Comment 19 Miciah Dashiel Butler Masters 2021-12-02 02:52:38 UTC
(In reply to Sam Fowler from comment #17)
> Miciah, since it seems like you were the one who discovered this issue,
> would you like to be publicly acknowledged as the reporter on the new CVE
> page?

No need for acknowledgement.  If it's preferable to put a name on it, you may put my name, but otherwise no need.

Comment 22 Miciah Dashiel Butler Masters 2021-12-14 01:14:16 UTC
Attachment 20 [details] and attachment 21 [details] look correct.  All CVE patches are accounted for in each attachment.

Comment 23 Miciah Dashiel Butler Masters 2021-12-14 01:23:29 UTC
Sorry, I meant attachment 1845079 [details] from comment 20 and attachment 1845080 [details] from comment 21 look correct.

Comment 27 Arvind iyengar 2021-12-20 07:26:41 UTC
Verified in "4.8.0-0.nightly-2021-12-18-022810" release version. The rpm has been updated and no regression issue found:
------
oc get clusterversion                      
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-12-18-022810   True        False         6m5s    Cluster version is 4.8.0-0.nightly-2021-12-18-022810


sh-4.4$ haproxy -v       
HA-Proxy version 2.2.13-5f3eb59 2021/04/02 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2025.
Known bugs: http://www.haproxy.org/bugs/bugs-2.2.13.html
Running on: Linux 4.18.0-305.30.1.el8_4.x86_64 #1 SMP Tue Nov 30 13:13:11 EST 2021 x86_64

sh-4.4$ rpm -qa haproxy22
haproxy22-2.2.13-2.el8.x86_64
------

Comment 30 errata-xmlrpc 2022-01-05 15:44:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.25 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:5208