Release notes


Red Hat Developer Hub 1.3

Release notes for Red Hat Developer Hub 1.3

Red Hat Customer Content Services

Abstract

Red Hat Developer Hub is a developer platform for building developer portals. This document contains the release notes for Red Hat Developer Hub 1.3.

Preface

Red Hat Developer Hub (Developer Hub) 1.3 is now generally available. Developer Hub is a fully supported, enterprise-grade productized version of upstream Backstage v1.29.2. You can access and download the Red Hat Developer Hub application from the Red Hat Customer Portal or from the Ecosystem Catalog.

Chapter 1. New features

This section highlights new features in Red Hat Developer Hub 1.3.

1.1. Customizing the deployment by using the custom resource

With this update, when deploying Red Hat Developer Hub by using the operator, you can configure the Developer Hub Deployment resource. The Developer Hub Operator Custom Resource Definition (CRD) API Version has been updated to rhdh.redhat.com/v1alpha2. This CRD exposes a generic spec.deployment.patch field, which allows you to patch the Developer Hub Deployment resource.

1.2. Using nested conditions in RBAC conditional policies

With this update, as a Developer Hub administrator, you can create and edit nested conditions in RBAC conditional policies by using the Developer Hub web UI.

1.3. Persisting the audit log

With this update, you can persist the audit log:

  • You can send Red Hat Developer Hub audit logs to a rotating file.
  • You can send logs to a locked down file with append only rights.
  • When using the Helm chart, Developer Hub writes logs to persistent volumes.

1.4. Allow Dynamic Configuration of Keycloak User/Group Transformers

With this update, you can provide transformer functions for users and groups to mutate entity parameters from Keycloak before their ingestion into the catalog. This can be done by creating a new backend module and using the added keycloakTransformerExtensionPoint.

1.5. Expose extension points for the keycloak-backend plugin

With this update, you can provide user and group transformer functions that mutate the entities produced from Keycloak before they are ingested into the catalog, by using the new Backstage backend system.

Procedure

  1. Create a backend module.
  2. Provide the custom transformers to the keycloakTransformerExtensionPoint extension point exported by the package.
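
The following is an added example, not code from Red Hat Developer Hub or the keycloak-backend plugin, of the kind of user and group transformer a backend module would hand to keycloakTransformerExtensionPoint. The entity and Keycloak types are local stand-ins, and the transformer signatures (entity, raw Keycloak object, realm) and the setUserTransformer/setGroupTransformer method names are assumptions about the plugin's exported types; verify them against the package you install. The annotation keys and the /rhdh/ path prefix are this example's own choices.

```typescript
// Added example, not code from Red Hat Developer Hub or the keycloak-backend plugin.
// It shows the kind of user/group transformer a backend module would hand to
// keycloakTransformerExtensionPoint. The entity and Keycloak types below are local
// stand-ins (an assumption about the plugin's UserTransformer / GroupTransformer
// signatures; check the types exported by the plugin package).

interface UserEntity {
  apiVersion: 'backstage.io/v1alpha1';
  kind: 'User';
  metadata: { name: string; annotations?: Record<string, string> };
  spec: { profile?: { email?: string; displayName?: string }; memberOf: string[] };
}

interface GroupEntity {
  apiVersion: 'backstage.io/v1alpha1';
  kind: 'Group';
  metadata: { name: string; annotations?: Record<string, string> };
  spec: { type: string; children: string[]; members?: string[] };
}

// Subset of Keycloak's UserRepresentation / GroupRepresentation used here.
interface KeycloakUser {
  id?: string;
  username?: string;
  enabled?: boolean;
  emailVerified?: boolean;
  attributes?: Record<string, string[]>;
}
interface KeycloakGroup { id?: string; name?: string; path?: string }

// Assumed signatures: a transformer receives the entity the plugin already built plus the
// raw Keycloak object and realm, and returns the entity to ingest or undefined to drop it.
type UserTransformer = (entity: UserEntity, user: KeycloakUser, realm: string) => Promise<UserEntity | undefined>;
type GroupTransformer = (entity: GroupEntity, group: KeycloakGroup, realm: string) => Promise<GroupEntity | undefined>;

// Synchronous core so the decision is testable without awaiting.
// Disabled or unverified Keycloak accounts never reach the catalog, so with the
// catalog-user sign-in check enforced they can never sign in either.
function transformUser(entity: UserEntity, user: KeycloakUser, realm: string): UserEntity | undefined {
  if (user.enabled === false || user.emailVerified !== true) {
    return undefined;
  }
  const annotations: Record<string, string> = { ...(entity.metadata.annotations ?? {}) };
  // Annotation keys below are this example's own choice, not plugin-defined.
  annotations['example.com/keycloak-realm'] = realm;
  if (user.id) {
    annotations['example.com/keycloak-id'] = user.id;
  }
  const department = user.attributes?.department?.[0];
  if (department) {
    annotations['example.com/department'] = department;
  }
  return { ...entity, metadata: { ...entity.metadata, annotations } };
}

// Only groups under an allowed Keycloak path prefix are ingested; the rest are dropped
// so that unrelated realm groups cannot become RBAC subjects.
function transformGroup(entity: GroupEntity, group: KeycloakGroup, realm: string, allowedPathPrefix: string): GroupEntity | undefined {
  if (!group.path || !group.path.startsWith(allowedPathPrefix)) {
    return undefined;
  }
  return {
    ...entity,
    metadata: {
      ...entity.metadata,
      annotations: { ...(entity.metadata.annotations ?? {}), 'example.com/keycloak-realm': realm },
    },
    spec: { ...entity.spec, type: 'keycloak-group' },
  };
}

const userTransformer: UserTransformer = async (entity, user, realm) => transformUser(entity, user, realm);
const groupTransformer: GroupTransformer = async (entity, group, realm) =>
  transformGroup(entity, group, realm, '/rhdh/');

// Registration sketch (not executed here; needs the real plugin package and the backend
// system, and the method names are an assumption to verify against the package):
//
//   export default createBackendModule({
//     pluginId: 'catalog',
//     moduleId: 'keycloak-transformers',
//     register(env) {
//       env.registerInit({
//         deps: { keycloak: keycloakTransformerExtensionPoint },
//         async init({ keycloak }) {
//           keycloak.setUserTransformer(userTransformer);
//           keycloak.setGroupTransformer(groupTransformer);
//         },
//       });
//     },
//   });
```

Returning undefined from a transformer is the point worth noting: it is the only place in the ingestion path where an account that exists in Keycloak can be kept out of the catalog, and since 1.3 requires a catalog user entity for sign-in, that decision directly controls who can log in.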

1.6. All public endpoints in core and plugins have OpenAPI specs

With this update, OpenAPI Specs are available for all components, including the rbac-backend plugin.

1.7. RBAC Backend plugin module support

With this update, Developer Hub can load roles and permissions into the RBAC Backend plugin through the use of extension points with the help of a plugin module.

1.8. Force catalog ingestion for production users

By default, a user entity must now exist in the software catalog for that user to sign in. This is required for production-ready deployments, because identities need to exist and originate from a trusted source (the identity provider) for security controls such as RBAC and audit logging to be effective. To bypass this check, set the dangerouslyAllowSignInWithoutUserInCatalog option, which allows sign-in without the user being in the catalog. Enabling this option is dangerous because it might allow unauthorized users to gain access.

1.9. RBAC UI enhancements

With this update, the RBAC UI has been improved:

  • The Create role form and the Role overview page display the total number of conditional rules configured.
  • The Role list page displays accessible plugins.

1.10. Updated Backstage version

With this update, Backstage was updated to version 1.29.2.

1.11. Authenticating with Microsoft Azure

The Microsoft Azure Authentication provider is now enterprise ready. To enable this, enhancements and bug fixes were made to improve the authentication and entity ingestion process. Note, the existence of user entity in the catalog is now enforced.

1.12. Deploying on OpenShift Dedicated on Google Cloud Provider (GCP)

Before this update, there was no automated process to deploy Developer Hub on OpenShift Dedicated (OSD) on Google Cloud Platform (GCP).

With this update, you can install Red Hat Developer Hub on OpenShift Dedicated (OSD) on Google Cloud Platform (GCP) by using either Red Hat Developer Hub Operator or Red Hat Developer Hub Helm Chart.

1.13. Visualize Virtual Machine nodes on the Topology plugin

With this update, you can visualize the Virtual Machine nodes deployed on the cluster through the Topology plugin.

1.14. Customizing the Home page

With this update, you can customize the Home page in Red Hat Developer Hub by passing the data into the app-config.yaml file as a proxy. You can add, reorganize, and remove cards, including the search bar, quick access, headline, markdown, placeholder, catalog starred entities, and featured docs; the available cards depend on the plugins you have installed and enabled.

1.15. Customizing the main navigation sidebar

This update introduces a configurable and customizable main navigation sidebar in Developer Hub, offering administrators greater control over the navigation structure. Previously, the sidebar was hard-coded with limited flexibility, and dynamic plugins could only contribute menu items without control over their order or structure.

With this feature, administrators can now configure the order of navigation items, create nested sub-navigation, and provide users with a more organized and intuitive interface. This enhancement improves user experience and efficiency by allowing a more tailored navigation setup.

Backward compatibility is maintained, ensuring existing dynamic plugin menu item contributions remain functional. A default configuration is provided, along with example configurations, including one with an external dynamic plugin. Documentation has been updated to guide developers on customizing the navigation.

1.16. Surfacing Catalog Processing Errors to Users

With this update, the @backstage/plugin-catalog-backend-module-logs plugin has been made available as a dynamic plugin to help surface catalog errors into the logs. This dynamic plugin is disabled by default.

1.17. Configuring conditional policies by using external files

With this release, you can configure conditional policies in Developer Hub using external files. Additionally, Developer Hub supports conditional policy aliases, which are dynamically substituted with the appropriate values during policy evaluation.

For more information, see Configuring conditional policies.

1.18. Restarting Red Hat Developer Hub faster

Before this update, Developer Hub took a long time to restart because it bootstrapped all dynamic plugins from scratch on every restart.

With this update, Developer Hub keeps the dynamic plugins on persistent volumes. Therefore, Developer Hub restarts faster.

1.19. Monitoring active users on Developer Hub

With this update, you can monitor active users on Developer Hub using the licensed-users-info-backend plugin. This plugin provides statistical data on logged-in users through the Web UI or REST API endpoints.

For more information, see Authorization.

1.20. Loading a custom Backstage theme from a dynamic plugin

With this update, you can load a custom Backstage theme from a dynamic plugin.

Procedure

  1. Export a theme provider function in the dynamic plugin, such as:

    import type { ReactNode } from 'react';
    import { lightTheme } from './lightTheme'; // some custom theme
    import { UnifiedThemeProvider } from '@backstage/theme';

    // Wraps the application in the custom theme; this is the symbol referenced by importName below.
    export const lightThemeProvider = ({ children }: { children: ReactNode }) => (
      <UnifiedThemeProvider theme={lightTheme} children={children} />
    );
  2. Configure Developer Hub to load the theme in the UI by using the new themes configuration field:

    dynamicPlugins:
      frontend:
        example.my-custom-theme-plugin:
          themes:
            - id: light # <1>
              title: Light
              variant: light
              icon: someIconReference
              importName: lightThemeProvider

    <1> Set your theme id. Optionally, override a default Developer Hub theme by reusing its id: light overrides the default light theme and dark overrides the default dark theme.

Verification

  • The theme is available in the "Settings" page.

This update also introduced the ability to override core API service factories from a dynamic plugin, which can be helpful for more specialized use cases such as providing a custom ScmAuth configuration for the Developer Hub frontend.

Chapter 2. Breaking changes

This section lists breaking changes in Red Hat Developer Hub 1.3.

2.1. The 'dynamic-plugins' config map is named dynamically

Before this update, the dynamic-plugins config map name was hardcoded. Therefore, it was not possible to install two Red Hat Developer Hub helm charts in the same namespace.

With this update, the dynamic-plugins config map is named dynamically based on the deployment name similar to how all other components names are generated. When upgrading from a previous chart you might need to manually update that section of your values.yaml file to pull in the correct config map.

2.2. Signing in without user in the software catalog is now disabled by default

By default, a user entity must now exist in the software catalog for that user to sign in. This is required for production-ready deployments, because identities need to exist and originate from a trusted source (the identity provider) for security controls such as RBAC and audit logging to be effective. To bypass this check, set the dangerouslyAllowSignInWithoutUserInCatalog option, which allows sign-in without the user being in the catalog. Enabling this option is dangerous because it might allow unauthorized users to gain access.

2.3. Red Hat and Community Technology Preview (TP) plugins and actions are disabled by default

Before this update, some Red Hat and Community Technology Preview (TP) plugins and actions were enabled by default:

Technology Preview plugins

  • @backstage-community/plugin-catalog-backend-module-scaffolder-relation-processor (changing in RHIDP-3643)

Community Support plugins

  • @backstage/plugin-scaffolder-backend-module-azure
  • @backstage/plugin-scaffolder-backend-module-bitbucket-cloud
  • @backstage/plugin-scaffolder-backend-module-bitbucket-server
  • @backstage/plugin-scaffolder-backend-module-gerrit
  • @backstage/plugin-scaffolder-backend-module-github
  • @backstage/plugin-scaffolder-backend-module-gitlab
  • @roadiehq/scaffolder-backend-module-http-request
  • @roadiehq/scaffolder-backend-module-utils

With this update, all plugins included under the Technology Preview scope of support, whether from Red Hat or the community, are disabled by default.

Procedure

  • If your workload requires these plugins, enable them in your custom resource or configmap using disabled: false.

2.4. Plugins with updated scope

With this update, three plugins previously under the @janus-idp scope have moved to @backstage-community:

RHDH 1.2 plugin name → RHDH 1.3 plugin name

  • @janus-idp/backstage-plugin-argocd → @backstage-community/plugin-redhat-argocd
  • @janus-idp/backstage-plugin-3scale-backend → @backstage-community/plugin-3scale-backend
  • @janus-idp/backstage-plugin-catalog-backend-module-scaffolder-relation-processor → @backstage-community/plugin-catalog-backend-module-scaffolder-relation-processor

As the scope of these plugins has changed, the package references in the dynamic plugin configuration (dynamic-plugins.default.yaml) change accordingly: entries that pointed at the @janus-idp packages in RHDH 1.2 must point at the @backstage-community packages in RHDH 1.3.

Procedure

  • If your workload requires plugins with an updated scope, revise your configuration to use the latest plugins from the new scope.

Chapter 3. Deprecated functionalities

This section lists deprecated functionalities in Red Hat Developer Hub 1.3.

3.1. spec.application.image, spec.application.replicas and spec.application.imagePullSecrets fields are deprecated

spec.application.image, spec.application.replicas and spec.application.imagePullSecrets fields are deprecated in v1alpha2 in favour of spec.deployment.

Procedure

To update your Developer Hub Operator configuration:

  1. Remove the spec.application.image, spec.application.replicas and spec.application.imagePullSecrets fields from the Operator configuration:

    spec:
      application:
        replicas: 2 # <1>
        imagePullSecrets: # <2>
          - my-secret-name
        image: quay.io/my/my-rhdh:latest # <3>

    <1> Replica count. <2> Array of image pull secret names. <3> Image name.

  2. Replace the removed fields with the equivalent spec.deployment fields, for example:

    spec:
      deployment:
        patch:
          spec:
            replicas: 2 # <1>
            imagePullSecrets: # <2>
              - name: my-secret-name
            template:
              metadata:
                labels:
                  my: "true" # label values must be strings
              spec:
                containers:
                  - name: backstage-backend
                    image: quay.io/my/my-rhdh:latest # <3>

    <1> Replica count. <2> Array of image pull secrets, now as objects with a name key, as in a Deployment spec. <3> Image name, set on the backstage-backend container.

Chapter 4. Technology Preview

This section lists Technology Preview features in Red Hat Developer Hub 1.3.

Important

Technology Preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during the development process. However, these features are not fully supported under Red Hat Subscription Level Agreements, may not be functionally complete, and are not intended for production use. As Red Hat considers making future iterations of Technology Preview features generally available, we will attempt to resolve any issues that customers experience when using these features. See: Technology Preview support scope.

4.1. Registering existing entities from multiple Git repositories simultaneously

With this update, you can register entities from multiple repositories simultaneously, without the need to register them individually.

For repositories that do not contain a catalog-info.yaml file, the plugin creates a pull request that adds one. After the pull request is merged, Developer Hub registers the entity in the software catalog.

4.2. Added the catalog backend module logs plugin

With this update, Developer Hub includes the @backstage/plugin-catalog-backend-module-logs plugin as a dynamic plugin to help surface catalog errors into the logs. This dynamic plugin is disabled by default.

Chapter 5. Fixed issues

This section lists issues fixed in Red Hat Developer Hub 1.3.

5.1. Fixed issues in 1.3.3

5.1.1. Opting out of using Redis sets does not work

Before this update, configuring the useRedisSets: false option resulted in the useRedisSets: true behaviour.

With this update, you can now opt out of using Redis sets. It is recommended to clear your cache in order to remove any invalid keys.

5.2. Fixed issues in 1.3.2

5.2.1. Impossible to report a documentation issue from selected documentation content

Before this update, the feature to report a documentation (TechDocs) issue did not work. When the user selected text in the documentation, a large icon was shown rather than a tooltip button.

With this update, the user can select content in the documentation and click the tooltip button to report a documentation issue.

5.3. Fixed issues in 1.3.1

5.3.1. Conditional alias $ownerRefs does not work

Before this update, a conditional alias that uses $ownerRefs did not work.

With this update, a conditional alias can use $ownerRefs.

5.4. Fixed issues in 1.3

5.4.1. Removed unnecessary pull secret from the Red Hat Developer Hub Helm Chart

With this update, the Red Hat Developer Hub Helm Chart does not contain a pull secret that is no longer needed.

5.4.2. Filtering for permissions policies that do not exist leads to an error being thrown

Before this update, permission checks by the permission framework would throw an error if a matching permission policy was not previously defined. Therefore, Developer Hub denied the request with an error.

With this update, Developer Hub denies the request without throwing an error.

5.4.3. HTTP error code 431 when a user is a member of many groups

Before this update, the Developer Hub API became unresponsive when a user was a member of a high number of groups (more than 150) with aggregated relations, responding with HTTP 431 (Request Header Fields Too Large). Therefore, the user might have failed to authenticate, and Developer Hub might have shown an error when opening the user entity in the UI.

With this update, Developer Hub can handle a user who is a member of a high number of groups (more than 150) with aggregated relations.

5.4.4. OCM calls are not scoped to the OCM page

Before this update, when the OCM plugin was installed, navigating to non-OCM pages triggered unnecessary OCM API calls that failed.

With this update, Developer Hub restricts OCM API calls to OCM-related pages.

5.4.5. Azure Entra SSO matched user entities by ID, which failed for user entities imported by the MS Graph provider

Before this update, Developer Hub failed to resolve users signing in with the Microsoft Azure authentication provider to the user entities ingested by the MS Graph catalog provider. Therefore, a user authenticating with Microsoft Azure could not open a session in Developer Hub.

With this update, Developer Hub resolves users signing in with the Microsoft Azure authentication provider to the user entities ingested by the MS Graph catalog provider. Therefore, a user authenticating with Microsoft Azure can open a session in Developer Hub.

5.4.6. Replaced the deprecated backend.auth.keys field in the default configuration

Before this update, in a Developer Hub deployment with the default configuration, the application logs displayed a deprecation warning for the backend.auth.keys field.

With this update, the default upstream.backstage.appConfig configuration uses the backend.auth.externalAccess field rather than the deprecated backend.auth.keys field.

5.4.7. Handle PII logging in Application Logs

With this update, Developer Hub does not include user IP addresses in the application logs.

5.4.8. The last ~10 GitHub Pull Requests are missing from the list

Before this update, Developer Hub ignored the GitHub search API result limit when listing pull requests. Therefore, Developer Hub might not have displayed all pull requests.

With this update, Developer Hub limits paging to a maximum of 1000 results to respect the GitHub search API restrictions. When additional results are available, Developer Hub shows a tooltip suggesting that users refine their query to retrieve more specific results.

5.4.9. RHTAP installation always failed at RHDH because the migration table was already locked

Before this update, after a config map or a secret was updated, the pods restarting to apply the change might have tried to lock the database simultaneously. The situation ended in a deadlock.

With this update, Developer Hub handles simultaneous pod restarts without a deadlock.

5.4.10. Renamed optional secret dynamic-plugins-npmrc in helm chart

Before this update, the Helm Chart was using an unversioned name for the dynamic-plugins-npmrc secret. Therefore subsequent Helm deployments of the RHDH Helm Chart version 1.2.1 failed after the first deployment with an error that a secret named dynamic-plugins-npmrc exists and is not owned by the current release.

With this update, the Helm Chart creates and uses a dynamic-plugins-npmrc secret that is named in line with the other resources managed by the Helm Chart: <release-name>-dynamic-plugins-npmrc. As a result, the Helm Chart does not fail on the previous error.

5.4.11. Backstage Specific Metrics no longer appear in /metrics endpoint

Before this update, Developer Hub stopped displaying some metrics such as catalog metrics in the <RHDH_URL>/metrics endpoint.

With this update, Developer Hub displays expected metrics in the /metrics endpoint.

5.4.12. Theme issues with plugins using material 5

Before this update, Developer Hub had theme issues with plugins using Material UI (MUI) 5.

With this update, Developer Hub includes additional MUI 5 related packages, added to the application shell as shared modules. Therefore, dynamic plugins that use MUI 5 components and tss-react can properly load the currently selected theme. This ensures that MUI 5 components have the correct colors and styling applied to them.

While not strictly a requirement, if a dynamic plugin relies on MUI 5 components with a class name prefix, that behavior can be added to a frontend dynamic plugin by adding the following code to the plugin's index.ts:

import { unstable_ClassNameGenerator as ClassNameGenerator } from '@mui/material/className';

// Prefix every generated MUI 5 class name with "v5-" so that the plugin's styles do not
// collide with the MUI 4 class names generated by the application shell.
ClassNameGenerator.configure(componentName => {
  return componentName.startsWith('v5-')
    ? componentName
    : `v5-${componentName}`;
});

This update requires using a version of the @janus-idp/cli package > 1.13.1.

5.4.13. Creating RBAC role with name that contains ':' or '/' creates a role that does nothing and cannot be deleted

Before this update, creating an RBAC role with a name that contains ':' or '/' through the REST API (or the RBAC admin panel in the UI) created a role that did nothing and could not be deleted. Although the full name of the role appeared as written in the POST request, clicking it for more information showed only the part of the name before the first ':' or '/'. Also, while the list of RBAC roles showed how many policies were added to the role, clicking the role for more information displayed no users or policies.

With this update, Developer Hub validates role and namespace names more strictly, in accordance with Backstage validation:

Developer Hub invalidates role names that do not conform with the format:

  • Strings of length at least 1, and at most 63.
  • Must consist of sequences of [a-z0-9A-Z] possibly separated by one of [-_.].

Developer Hub invalidates namespaces that do not conform with the format:

  • Strings of length at least 1, and at most 63.
  • Must be sequences of [a-zA-Z0-9], possibly separated by -.
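
The following is an added example, not code from Developer Hub or the rbac-backend plugin: a validator that applies the role-name and namespace rules listed above to RBAC role references of the form role:<namespace>/<name>, and rejects rather than truncates the ':' and '/' cases that produced unusable roles before 1.3. Function names are this example's own.

```typescript
// Added example, not part of Developer Hub or the rbac-backend plugin: a validator that
// applies the role-name and namespace rules stated in the release note to references of
// the form role:<namespace>/<name>. Function names are this example's own.

const MAX_SEGMENT_LENGTH = 63;
// [a-z0-9A-Z] runs separated by exactly one of - _ . (no leading, trailing or doubled separators)
const ROLE_NAME_RE = /^[a-zA-Z0-9]+([-_.][a-zA-Z0-9]+)*$/;
// [a-zA-Z0-9] runs separated by single hyphens
const NAMESPACE_RE = /^[a-zA-Z0-9]+(-[a-zA-Z0-9]+)*$/;

function validateRoleName(name: string): string | undefined {
  if (name.length < 1 || name.length > MAX_SEGMENT_LENGTH) {
    return `role name length must be between 1 and ${MAX_SEGMENT_LENGTH}`;
  }
  if (!ROLE_NAME_RE.test(name)) {
    return 'role name must be [a-zA-Z0-9] sequences separated by one of [-_.]';
  }
  return undefined;
}

function validateNamespace(namespace: string): string | undefined {
  if (namespace.length < 1 || namespace.length > MAX_SEGMENT_LENGTH) {
    return `namespace length must be between 1 and ${MAX_SEGMENT_LENGTH}`;
  }
  if (!NAMESPACE_RE.test(namespace)) {
    return 'namespace must be [a-zA-Z0-9] sequences separated by -';
  }
  return undefined;
}

interface RoleRef {
  kind: 'role';
  namespace: string;
  name: string;
}

// Strict parse: the reference must contain exactly one ':' and exactly one '/'.
// A lenient split on the first ':' or '/' is what silently truncated names before 1.3;
// here a name such as "team:a" or "team/a" is rejected outright instead.
function parseRoleRef(ref: string): RoleRef {
  const match = /^role:([^:\/]+)\/([^:\/]+)$/.exec(ref);
  if (!match) {
    throw new Error(`invalid role reference "${ref}": expected role:<namespace>/<name>`);
  }
  const [, namespace, name] = match;
  const namespaceError = validateNamespace(namespace);
  if (namespaceError) {
    throw new Error(`invalid namespace "${namespace}": ${namespaceError}`);
  }
  const nameError = validateRoleName(name);
  if (nameError) {
    throw new Error(`invalid role name "${name}": ${nameError}`);
  }
  return { kind: 'role', namespace, name };
}

// Convenience wrapper for callers that only need a yes/no answer.
function isValidRoleRef(ref: string): boolean {
  try {
    parseRoleRef(ref);
    return true;
  } catch {
    return false;
  }
}
```

Validating at the API boundary, before the role is persisted, is what prevents the "exists but cannot be used or deleted" state described above; a check applied only in the UI would leave the REST API path open.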

5.4.14. Update conditional policies and policies loaded from files when these files are deleted

Before this update, conditional policies and policies loaded from files remained active after the corresponding policy files were removed from the configuration.

With this update, conditional policies and policies loaded from files are removed after the corresponding policy files are removed from the configuration.

5.4.15. Fixed the timestamp inserted by catalog:timestamping

Before this update, the timestamp in the catalog-info.yaml created by the catalog:timestamping action by the backstage-scaffolder-backend-module-annotator plugin was different from the execution time of the template.

With this update, a unique timestamp is generated on each execution of the template.

5.4.16. Added missing virtual machine details to the sidebar

Before this update, when a user displayed the virtual machine details in the sidebar, the icon corresponding to virtual machine was not shown.

With this update, the missing icons have been added. Therefore, when a user displays the virtual machine details in the sidebar, an icon shows the virtual machine status.

5.4.17. Authenticate with GitHub a user absent in the software catalog when dangerouslyAllowSignInWithoutUserInCatalog is set to true

Before this update, authentication with GitHub failed when the dangerouslyAllowSignInWithoutUserInCatalog field was set to true and the user was absent from the software catalog.

With this update, when the dangerouslyAllowSignInWithoutUserInCatalog field is set to true, you can authenticate to Developer Hub with a user absent from the software catalog.

5.4.18. The Developer Hub image defined in the custom resource takes precedence on the image defined in the environment variable

Before this update, when the Developer Hub image was configured in both the custom resource and in the 'RELATED_IMAGE_backstage' environment variable, the image defined in the custom resource was not used.

With this update, the custom resource configuration takes precedence and is applied.

5.4.19. Updated the search dropdown to display results for a large number of users or groups

Before this update, in the RBAC administration page, the members dropdown could not load a large number of users or groups. Therefore, the Developer Hub administrator could not select the required users or groups to add to the role.

With this update, the dropdown initially displays up to 100 users or groups and updates the display once the user starts to search. The search runs across the whole data set and displays the first 100 results; the user must refine the search to narrow the results to a list containing the desired user or group. Therefore, even with a large number of users or groups, the Developer Hub administrator can add the required users or groups to the role.

5.4.20. Bundled ArgoCD plugin with dynamic frontend assets

Before this update, the ArgoCD plugin was bundled with dynamic backend plugin assets rather than dynamic frontend plugin assets. Therefore the ArgoCD plugin failed to load.

With this update, the ArgoCD plugin is bundled with dynamic frontend plugin assets. Therefore the ArgoCD plugin can load properly.

5.5. Fixed issues in 1.2.2

5.5.1. Added missing plugin name in the RBAC administration interface

Before this update, the RBAC administration user interface Permission Policies table did not display the plugin name.

With this update, the RBAC administration user interface Permission Policies table displays the plugin name.

Chapter 6. Fixed security issues

This section lists security issues fixed in Red Hat Developer Hub 1.3.

6.1. Red Hat Developer Hub 1.3.3

6.1.1. Red Hat Developer Hub dependency updates

CVE-2024-21538
A Regular Expression Denial of Service (ReDoS) vulnerability was found in the cross-spawn package for Node.js. Due to improper input sanitization, an attacker can increase CPU usage and crash the program with a large, specially crafted string.

6.1.2. RHEL 9 platform RPM updates

CVE-2024-0450
A flaw was found in the Python/CPython 'zipfile' that can allow a zip-bomb type of attack. An attacker may craft a zip file format, leading to a Denial of Service when processed.
CVE-2024-2236
A timing-based side-channel flaw was found in libgcrypt’s RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.
CVE-2024-3596
A vulnerability in the RADIUS (Remote Authentication Dial-In User Service) protocol allows attackers to forge authentication responses when the Message-Authenticator attribute is not enforced. This issue arises from a cryptographically insecure integrity check using MD5, enabling attackers to spoof UDP-based RADIUS response packets. This can result in unauthorized access by modifying an Access-Reject response to an Access-Accept response, thereby compromising the authentication process.
CVE-2024-3727
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
CVE-2024-6104
A vulnerability was found in go-retryablehttp. The package may suffer from a lack of input sanitization by not cleaning up URL data when writing to the logs. This issue could expose sensitive authentication information.
CVE-2024-8088
A flaw was found in Python’s zipfile module. When iterating over the entries of a zip archive, the process can enter into an infinite loop state and become unresponsive. This flaw allows an attacker to craft a malicious ZIP archive, leading to a denial of service from the application consuming the zipfile module. Only applications that handle user-controlled zip archives are affected by this vulnerability.
CVE-2024-24788
A flaw was found in the net package of the Go stdlib. When a malformed DNS message is received as a response to a query, the Lookup functions within the net package can get stuck in an infinite loop. This issue can lead to resource exhaustion and denial of service (DoS) conditions.
CVE-2024-24791
A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
CVE-2024-30203
A flaw was found in Emacs. When Emacs is used as an email client, inline MIME attachments are considered to be trusted by default, allowing a crafted LaTeX document to exhaust the disk space or the inodes allocated for the partition where the /tmp directory is located. This issue possibly results in a denial of service.
CVE-2024-30204
A flaw was found in Emacs. When Emacs is used as an email client, a preview of a crafted LaTeX document attached to an email can exhaust the disk space or the inodes allocated for the partition where the /tmp directory is located. This issue possibly results in a denial of service.
CVE-2024-30205
A flaw was found in Emacs. Org mode considers the content of remote files, such as files opened with TRAMP on remote systems, to be trusted, resulting in arbitrary code execution.
CVE-2024-42283
In the Linux kernel, the following vulnerability has been resolved: net: nexthop: Initialize all fields in dumped nexthops
CVE-2024-45005
In the Linux kernel, the following vulnerability has been resolved: KVM: s390: fix validity interception issue when gisa is switched off
CVE-2024-46824
In the Linux kernel, the following vulnerability has been resolved: iommufd: Require drivers to supply the cache_invalidate_user ops
CVE-2024-46858
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: Fix uaf in __timer_delete_sync
CVE-2024-50602
A security issue was found in Expat (libexpat). A crash can be triggered in the XML_ResumeParser function due to XML_StopParser’s ability to stop or suspend an unstarted parser, which can lead to a denial of service.

6.2. Red Hat Developer Hub 1.3.1

6.2.1. Red Hat Developer Hub dependency updates

CVE-2024-21536
A flaw was found in the http-proxy-middleware package. Affected versions of this package are vulnerable to denial of service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. This flaw allows an attacker to kill the Node.js process and crash the server by requesting certain paths.
CVE-2024-37890
A flaw was found in the Node.js WebSocket library (ws). A request with several headers exceeding the 'server.maxHeadersCount' threshold could be used to crash a ws server, leading to a denial of service.
CVE-2024-45590
A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled.

6.2.2. RHEL 9 platform RPM updates

CVE-2021-47385
In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field
CVE-2023-28746
A vulnerability was found in some Intel Atom Processor’s microcode. This issue may allow a malicious actor to achieve a local information disclosure, impacting the data confidentiality of the targeted system.
CVE-2023-52658
In the Linux kernel, the following vulnerability has been resolved: Revert "net/mlx5: Block entering switchdev mode with ns inconsistency"
CVE-2024-6232
A regular expression denial of service (ReDos) vulnerability was found in Python’s tarfile module. Due to excessive backtracking while tarfile parses headers, an attacker may be able to trigger a denial of service via a specially crafted tar archive.
CVE-2024-9355
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed HMAC sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
CVE-2024-27403
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_flow_offload: reset dst in route object after setting up flow
CVE-2024-34156
A flaw was found in the encoding/gob package of the Golang standard library. Calling Decoder.Decode on a message that contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
CVE-2024-35989
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix oops during rmmod on single-CPU platforms
CVE-2024-36889
In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure snd_nxt is properly initialized on connect
CVE-2024-36978
In the Linux kernel, the following vulnerability has been resolved: net: sched: sch_multiq: fix possible OOB write in multiq_tune()
CVE-2024-38556
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Add a timeout to acquire the command queue semaphore
CVE-2024-39483
In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked
CVE-2024-39502
In the Linux kernel, the following vulnerability has been resolved: ionic: fix use after netif_napi_del()
CVE-2024-40959
In the Linux kernel, the following vulnerability has been resolved: xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
CVE-2024-42079
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix NULL pointer dereference in gfs2_log_flush
CVE-2024-42272
In the Linux kernel, the following vulnerability has been resolved: sched: act_ct: take care of padding in struct zones_ht_key
CVE-2024-42284
In the Linux kernel, the following vulnerability has been resolved: tipc: Return non-zero value from tipc_udp_addr2str() on error

6.3. Red Hat Developer Hub 1.3.0

6.3.1. Red Hat Developer Hub dependency updates

CVE-2024-24790
A flaw was found in the Go language standard library net/netip. The Is*() methods (IsPrivate(), IsPublic(), and so on) do not behave properly when working with IPv4-mapped IPv6 addresses. The unexpected behavior can lead to integrity and confidentiality issues, specifically when these methods are used to control access to resources or data.
CVE-2024-24791
A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
CVE-2024-35255
A flaw was found in the Azure identity library at github.com/Azure/azure-sdk-for-go/sdk/azidentity. This issue allows an elevation of privileges.
CVE-2024-37891
A flaw was found in urllib3, an HTTP client library for Python. In certain configurations, urllib3 does not treat the Proxy-Authorization HTTP header as one carrying authentication material. This issue results in not stripping the header on cross-origin redirects.
CVE-2024-39008
A flaw was found in the fast-loops Node.js package. This flaw allows an attacker to alter the behavior of all objects inheriting from the affected prototype by passing arguments to the objectMergeDeep function crafted with the built-in property `__proto__`. This issue can potentially lead to a denial of service, remote code execution, or cross-site scripting.
CVE-2024-39249
A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input.

6.3.2. RHEL 9 platform RPM updates

CVE-2023-52439
A flaw was found in the Linux kernel’s uio subsystem. A use-after-free memory flaw in the uio_open functionality allows a local user to crash or escalate their privileges on the system.
CVE-2023-52884
In the Linux kernel, the following vulnerability has been resolved: Input: cyapa - add missing input core locking to suspend/resume functions
CVE-2024-6119
A flaw was found in OpenSSL. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.
CVE-2024-26739
A use-after-free flaw was found in net/sched/act_mirred.c in the Linux kernel. This may result in a crash.
CVE-2024-26929
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix double free of fcport
CVE-2024-26930
A vulnerability was found in the Linux kernel. A potential double-free of the pointer ha->vp_map exists in drivers/scsi/qla2xxx/qla_os.c.
CVE-2024-26931
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix command flush on cable pull
CVE-2024-26947
A flaw was found in the Linux kernel’s ARM memory management functionality, where certain memory layouts cause a kernel panic. This flaw allows an attacker who can specify or alter memory layouts to cause a denial of service.
CVE-2024-26991
A flaw was found in the Linux Kernel. A lpage_info overflow can occur when checking attributes. This may lead to a crash.
CVE-2024-27022
In the Linux kernel, the following vulnerability has been resolved: fork: defer linking file vma until vma is fully initialized
CVE-2024-35895
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Prevent lock inversion deadlock in map delete elem
CVE-2024-36016
In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
CVE-2024-36899
In the Linux kernel, the following vulnerability has been resolved: gpiolib: cdev: Fix use after free in lineinfo_changed_notify
CVE-2024-38562
In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: Avoid address calculations via out of bounds array indexing
CVE-2024-38570
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount
CVE-2024-38573
A NULL pointer dereference flaw was found in cppc_cpufreq_get_rate() in the Linux kernel. This issue may result in a crash.
CVE-2024-38601
In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix a race between readers and resize checks
CVE-2024-38615
In the Linux kernel, the following vulnerability has been resolved: cpufreq: exit() callback is optional
CVE-2024-39331
A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when Org mode is enabled. When Emacs is used as an email client, this issue can be triggered when previewing email attachments.
CVE-2024-40984
In the Linux kernel, the following vulnerability has been resolved: ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."
CVE-2024-41071
An out-of-bounds buffer overflow has been found in the Linux kernel’s mac80211 subsystem when scanning for SSIDs. Address calculation using out-of-bounds array indexing could result in an attacker crafting an exploit, resulting in the complete compromise of a system.
CVE-2024-42225
A potential flaw was found in the Linux kernel's MediaTek WiFi driver, where it was reusing uninitialized data. This flaw potentially allows a local user to gain unauthorized access to some data.
CVE-2024-42246
In the Linux kernel, the following vulnerability has been resolved: net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket
CVE-2024-45490
A flaw was found in libexpat’s xmlparse.c component. This vulnerability allows an attacker to cause improper handling of XML data by providing a negative length value to the XML_ParseBuffer function.
CVE-2024-45491
An issue was found in libexpat's internal dtdCopy function in xmlparse.c. It can have an integer overflow for nDefaultAtts on 32-bit platforms where UINT_MAX equals SIZE_MAX.
CVE-2024-45492
A flaw was found in libexpat’s internal nextScaffoldPart function in xmlparse.c. It can have an integer overflow for m_groupSize on 32-bit platforms where UINT_MAX equals SIZE_MAX.

Chapter 7. Known issues

This section lists known issues in Red Hat Developer Hub 1.3.

7.1. Entities of repositories under a configured org in catalog-backend-module-github-org plugin are not deleted from the catalog when the imported repository is deleted from bulk imports

Repositories might be added to Developer Hub from various sources (like statically in an app-config file or dynamically when enabling GitHub discovery). By design, the bulk import plugin will only track repositories that are accessible from the configured GitHub integrations. When both the Bulk Import and the GitHub Discovery plugins are enabled, the repositories the latter discovers might be listed in the Bulk Import pages. However, attempting to delete a repository added by the discovery plugin from the Bulk Import Jobs may have no effect, as any entities registered from this repository might still be present in the Developer Hub catalog. There is unfortunately no known workaround yet.


7.2. Bulk Import: Added repositories count is incorrect

Only the first 20 repositories (in alphabetical order) are displayed on the Bulk Import Added Repositories page, and the count of Added Repositories displayed might be wrong. In future releases, we plan to address this with proper pagination. As a workaround, search still works against all Added Repositories, so you can search for any Added Repository and have it listed in the table.


7.3. Topology plugin permission is not displayed in the RBAC front-end UI

Permissions associated only with front-end plugins do not appear in the UI because they require a backend plugin to expose the permission framework's well-known endpoint. As a workaround, you can apply these permissions by using a CSV file or directly calling the REST API of the RBAC backend plugin. Affected plugins include Topology (topology.view.read), Tekton (tekton.view.read), ArgoCD (argocd.view.read), and Quay (quay.view.read).
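The following Python is an added example, not part of these release notes or of Developer Hub's own code. It builds a policy CSV that grants the four front-end-only permissions named above to a role, validates the rows before you mount the file, and produces the equivalent request bodies for the RBAC backend plugin's REST endpoints. The CSV layout (Casbin-style `p` and `g` rows), the role and member names, and the JSON body shapes are assumptions taken from the RBAC plugin documentation; check them against the version you have installed.

```python
"""
Grant front-end-only permissions (topology.view.read and friends) through
the RBAC plugin's CSV policy file or its REST API.

Added example, not Developer Hub code. Assumed formats:
  p, <role ref>, <permission or resource type>, <action>, <allow|deny>
  g, <user or group ref>, <role ref>
Entity references are kind:namespace/name. Role and member names below are
constructed for illustration.
"""
import json
import re

# Permissions from the known issue: front-end-only plugins whose permissions
# never appear in the RBAC UI, so they must be granted by CSV or REST.
FRONTEND_PERMISSIONS = (
    "topology.view.read",
    "tekton.view.read",
    "argocd.view.read",
    "quay.view.read",
)

ENTITY_REF = re.compile(r"^(role|user|group):[a-z0-9-]+/[A-Za-z0-9._-]+$")
ACTIONS = {"create", "read", "update", "delete", "use"}
EFFECTS = {"allow", "deny"}


def build_policy_csv(role, members, permissions=FRONTEND_PERMISSIONS, effect="allow"):
    """Return CSV text: one 'p' row per permission, one 'g' row per member."""
    rows = [["p", role, perm, "read", effect] for perm in permissions]
    rows += [["g", member, role] for member in members]
    return "\n".join(", ".join(row) for row in rows) + "\n"


def validate_policy_csv(text):
    """Return a list of problems found; an empty list means the file is well formed."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        kind = fields[0]
        if kind == "p":
            if len(fields) != 5:
                problems.append(f"line {lineno}: policy row needs 5 fields, got {len(fields)}")
                continue
            _, subject, _permission, action, effect = fields
            # The plugin attaches permission policies to roles, not directly to users.
            if not (subject.startswith("role:") and ENTITY_REF.match(subject)):
                problems.append(f"line {lineno}: policy subject must be a role reference, got {subject!r}")
            if action not in ACTIONS:
                problems.append(f"line {lineno}: unknown action {action!r}")
            if effect not in EFFECTS:
                problems.append(f"line {lineno}: effect must be allow or deny, got {effect!r}")
        elif kind == "g":
            if len(fields) != 3:
                problems.append(f"line {lineno}: group row needs 3 fields, got {len(fields)}")
                continue
            _, member, role = fields
            if member.startswith("role:") or not ENTITY_REF.match(member):
                problems.append(f"line {lineno}: member must be a user or group reference, got {member!r}")
            if not (role.startswith("role:") and ENTITY_REF.match(role)):
                problems.append(f"line {lineno}: target must be a role reference, got {role!r}")
        else:
            problems.append(f"line {lineno}: unknown row type {kind!r}")
    return problems


def to_rest_payloads(role, members, permissions=FRONTEND_PERMISSIONS, effect="allow"):
    """Bodies for POST /api/permission/roles and POST /api/permission/policies
    on the RBAC backend plugin (assumed shapes, taken from the plugin docs)."""
    return {
        "role": {"memberReferences": list(members), "name": role},
        "policies": [
            {"entityReference": role, "permission": perm, "policy": "read", "effect": effect}
            for perm in permissions
        ],
    }


if __name__ == "__main__":
    # Constructed sample role and members.
    role = "role:default/plugin-viewers"
    members = ["user:default/alice", "group:default/platform-team"]
    text = build_policy_csv(role, members)
    print(text)
    print("problems:", validate_policy_csv(text))
    print(json.dumps(to_rest_payloads(role, members), indent=2))
```

Write the generated text to the file referenced by `permission.rbac.policies-csv-file` in your app-config, or send the two JSON bodies to the RBAC backend endpoints with a bearer token; run `validate_policy_csv` first, since a row that names a user instead of a role in a `p` line is the most common mistake when hand-editing the file.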


Legal Notice

Copyright © 2024 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.