Synopsis
Important: Migration Toolkit for Applications security and bug fix update
Type/Severity
Security Advisory: Important
Topic
Migration Toolkit for Applications 6.2.0 release
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Migration Toolkit for Applications 6.2.0 Images
Security Fix(es):
- golang: html/template: improper handling of JavaScript whitespace (CVE-2023-24540)
- jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
- undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
- x/net/http2/h2c: request smuggling (CVE-2022-41721)
- net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
- golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)
- golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)
- dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
- codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
- htmlUnit: Stack overflow crash causes Denial of Service (DoS) (CVE-2023-2798)
- zip4j: does not always check the MAC when decrypting a ZIP archive (CVE-2023-22899)
- golang: crypto/internal/nistec: specific unreduced P-256 scalars produce incorrect results (CVE-2023-24532)
- golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)
- golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536)
- golang: go/parser: Infinite loop in parsing (CVE-2023-24537)
- golang: html/template: backticks not treated as string delimiters (CVE-2023-24538)
- golang: html/template: improper sanitization of CSS values (CVE-2023-24539)
- golang-github-gin-gonic-gin: Improper Input Validation (CVE-2023-26125)
- golang: html/template: improper handling of empty HTML attributes (CVE-2023-29400)
- fast-xml-parser: Regex Injection via Doctype Entities (CVE-2023-34104)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Migration Toolkit for Applications 1 x86_64