=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat OpenShift support for Windows Containers 7.1.0 [security update]
Advisory ID:       RHSA-2023:4025-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4025
Issue date:        2023-07-18
CVE Names:         CVE-2022-36227 CVE-2023-0361 CVE-2023-25173
                   CVE-2023-27535
=====================================================================

1. Summary:

The components for Red Hat OpenShift support for Windows Containers 7.1.0 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.

Security Fix(es):

* containerd: Supplementary groups are not set up properly (CVE-2023-25173)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly

5. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-10417 - Case sensitivity issue when label "openshift.io/cluster-monitoring" set to 'True' on openshift-windows-machine-config-operator namespace
OCPBUGS-10784 - In-tree storage for azure-file and vSphere is disabled
OCPBUGS-10933 - BYOH upgrade failed Unable to cleanup the Windows instance: error running powershell.exe -NonInteractive -ExecutionPolicy Bypass \"C:\\k\\windows-instance-config-daemon.exe cleanup -
OCPBUGS-10935 - Windows pods are unable to resolve DNS records for services
OCPBUGS-11667 - BYOH node upgrade failed when the node not in default namespace: deleting node winhost\nF0402 08:53:43.066039 4740 cleanup.go:56] nodes \"winhost\" is forbidden: User \"system:serviceaccount:winc-namespace-test:windows-instance-config-daemon\"
OCPBUGS-11785 - oc adm node-logs failing in vSphere CI
OCPBUGS-13790 - Segmentation Violation found in WMCO .ensureWICDSecretContent
OCPBUGS-14260 - Upgrade from WMCO 7.0.1 to 7.1.0 not working on Windows BYOH nodes: error waiting for proper windowsmachineconfig.openshift.io/version annotation for node
OCPBUGS-14445 - Instance configurations fails on Windows Server 2019 without the container feature
OCPBUGS-4862 - Deletion of BYOH Windows node hangs in Ready,SchedulingDisabled
OCPBUGS-7336 - WMCO kubelet version not matching OCP payload's one
OCPBUGS-7843 - containerd version is being misreported
OCPBUGS-8037 - Directory deletion errors are being ignored when deconfiguring Windows instances
OCPBUGS-8056 - WMCO is unable to drain DaemonSet workloads
OCPBUGS-8085 - Hybrid Overlay logfile is in use and cannot be deleted
WINC-1037 - Windows Server 2019 CI coverage
WINC-981 - Red Hat OpenShift support for Windows Containers 7.0.1 Post Release
WINC-983 - [e2e] Ensure required log files are non-empty

6. References:

https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-25173
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/updates/classification/#low

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce