Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 6. Fixed issues in Red Hat Developer Hub 1.2
6.1. Fixed issues in Red Hat Developer Hub 1.2.2
This section lists fixed issues with Red Hat Developer Hub 1.2.2:
- Dynamic plugins fail to load if the file name in ConfigMap is invalid
- Previously, an invalid dynamic plugin file name in ConfigMap prevented the creation of a Backstage CR. With this release, the Backstage CR can be created even with an invalid plugin file name, and a corresponding log message will be displayed if the Developer Hub build fails.
- Plugin ID is missing in the permission table in RBAC Administration UI
-
Previously, plugin IDs were missing from the permission table in UI accessed from Administration
RBAC. With this release, updates to both the RBAC backend and frontend plugins now ensure that plugin IDs are displayed in the table. - Git information for Helm chart-based workflows is no longer shown in the ArgoCD plugin UI
- Previously, the ArgoCD plugin UI displayed Git information for all workflows, including those that were not based on Git. With this release, the ArgoCD plugin UI now only displays Git information for workflows where it is relevant, ensuring that only pertinent information is shown.
6.2. Fixed issues in Red Hat Developer Hub 1.2
This section lists fixed issues with Red Hat Developer Hub 1.2:
- Dynamic plugins fail to load after update to Backstage 1.25
An upstream security fix introduced in Backstage 1.25 required authentication tokens for all backend endpoints, including static assets used by dynamic plugins.
As a result of this fix, users could not access dynamic plugin UI elements, leading to a degraded user experience and decreased functionality within the application.
In this release, the security requirement for dynamic plugin static assets has been removed, which restores access to dynamic plugin UI elements.
With this fix, users can view and interact with dynamic plugin UI elements, resulting in improved usability and functionality within the application.
- API throwing error upon adding conditions for scaffolder-action resource-type
In earlier versions of Red Hat Developer Hub, defining conditional policies with a policy action of
usewould result in an error.This issue led to difficulties in defining conditional policies, hindering the configuration of permissions within the application.
With this fix, you can now define conditional policies in Developer Hub with permission policy actions of
use.- Setting a custom route not working when using the Developer Hub Operator on OpenShift
In earlier versions of the Red Hat Developer Hub Operator, setting a custom Route host on OpenShift Container Platform by using the
spec.application.route.hostfield in the Custom Resource was not possible.This limitation prevented users from configuring custom route hosts, limiting their ability to customize the deployment environment.
With this release, you can now set a custom route host on OpenShift Container Platform by using the specified field in the Custom Resource.
- Mounting a secret/configmap with a '.' in its name
In earlier versions of the Red Hat Developer Hub Operator, it was not possible to reference a ConfigMap or Secret object in the Custom Resource if that object contained a dot (
.) character in its name.This issue prevented the Red Hat Developer Hub instance from starting correctly.
With this update, this issue is fixed.
- Upgrading Developer Hub Operator from 1.1 to 1.2 causes an existing instance to use a new empty database
When upgrading the Red Hat Developer Hub Operator from version 1.1 to 1.2 with an already-running operator-backed instance of Developer Hub, the instance was configured to use a new empty local database pod and volume.
The existing database data was retained but this misconfiguration caused the existing Developer Hub instance to use a new empty local database pod and volume, resulting in data redundancy and potential data inconsistency issues.
This update ensures that an existing Developer Hub instance continues to use the existing local database when the Operator is upgraded to a newer version.
- UI pod stays 'Pending' when using the operator
In earlier versions of Red Hat Developer Hub, the Developer Hub pod created by the (product-short) Operator may not be scheduled on some clusters due to missing resource requests.
This issue resulted in the Developer Hub application being unavailable as the pods could not be scheduled properly.
This update adds CPU and memory requests to the default configuration of the Operator, ensuring that Developer Hub pods have the necessary resource requests specified.
With this fix, Developer Hub pods can now be scheduled and started properly on all clusters, ensuring the availability of the Red Hat Developer Hub application.
- Allow specifying image pull secrets in custom resource for the database
In earlier versions of the Red Hat Developer Hub operator, specifying image pull secrets to pull container images from repositories such as
registry.redhat.iodid not affect the database image. This limitation prevented the use of a database image fromregistry.redhat.io`when deploying Developer Hub in Kubernetes clusters like Amazon EKS or Azure AKS.As a result, users were unable to deploy the database image from
registry.redhat.ioin Kubernetes clusters, limiting deployment flexibility and compatibility.This update fixes the issue by propagating the image pull secrets specified in the
spec.application.imagePullSecretsCustom Resource field. You can now use these secrets can for both the Developer Hub and database images.With this fix, users can successfully use image pull secrets for both the Developer Hub and database images, allowing deployments from repositories such as
registry.redhat.ioin Kubernetes clusters like Amazon EKS or Azure AKS. This ensures greater deployment flexibility and compatibility across different environments.- RBAC tab is visible when RBAC plugin is disabled
In earlier versions of Red Hat Developer Hub When the Role-Based Access Control (RBAC) plugin is disabled, the RBAC tab remained visible bwhen the RBAC plugin was disabled.
This update ensures that the RBAC tab is hidden when the RBAC plugin is disabled.
With this fix, the RBAC tab is no longer visible when the RBAC plugin is disabled, resulting in a cleaner and more intuitive user interface.
- Show configure access button for previously created simple permission policies in edit form
In previous versions, when a user creates simple permission policies and later returns to edit the role, the Configure Access button does not appear.
As a result, the user cannot add conditional permission policies to roles that were created with simple permission policies, limiting the ability to update and refine access controls.
In this release, the role form has been updated to display the Configure Access button for previously created simple permission policies for plugins and resource types that support conditions. This fix allows users to add and save new conditional policies.
- Conflicting Condition Action Sets
In previous versions, the Condition API allowed storing multiple conditions with conflicting action sets.
This issue could lead to inconsistencies and conflicts in permission handling, potentially causing unexpected behavior in the application.
In this release, the Condition API has been updated to prevent storing multiple conditions with conflicting action sets.
- RBAC backend admin metadata and policies removal
Previously, when admins were removed from the configuration, their associated admin metadata and policies were not automatically removed.
This issue caused outdated admin metadata and policies to persist in the application.
In this release, admin metadata and policies are removed when admins are removed from the application configuration.
- Existing Backstage operand not upgraded after upgrading operator from 1.1.x to 1.2.x
In previous versions, there was an issue with the Developer Hub Operator upgrade process that prevented operator-backed Developer Hub instances from upgrading seamlessly when the Developer Hub Operator itself was upgraded. This occurred because the Operator, when trying to reconcile existing Developer Hub custom resources, was denied patching certain fields that are restricted or read-only by Kubernetes or OpenShift Container Platform.
This issue led to a failure in reaching the desired state during the upgrade.
In this update, the Operator has been refactored to overcome these issues by replacing objects forcibly when it is unable to patch them. However, as a known issue, users might need to re-create any custom labels or annotations on the underlying resources managed by the Developer Hub Operator after the upgrade.
- Failed to List Cluster Resources in Janus IDP Backstage Plugin OCM Backend Dynamic
In previous versions, the OpenShift Cluster Manager (OCM) Plugin Readme file had no information on how to configure OCM on a Kubernetes cluster.
Due to this missing information, users were unable to configure the OCM plugin to fetch clusters, resulting in the plugin’s inability to display clusters.
In this release, the Readme file has been updated to include a link for configuring OCM on a Kubernetes cluster and also provides instructions to enable access to the OCM backend plugin when the RBAC permission framework is enabled.
With these updates, users can now properly configure the OCM plugin to fetch and display clusters in the OCM front-end, ensuring the plugin operates as intended.
- RBAC: Could not fetch catalog entities. Request failed with 403 Forbidden.
Recent updates to Backstage required plugins that use service-to-service authentication to be updated to use the new
httpAuthandauthservices.Without these updates, the RBAC Backend plugin was unable to query information from other plugins. This update modifies the RBAC Backend plugin to use the new
httpAuthandauthservices for service-to-service authentication.With this fix, the RBAC Backend plugin can now successfully query information from other plugins without breaking.
- RBAC role data out-of-sync when scaling horizontally
When scaling a Developer Hub instance, role data would become out of sync due to the in-memory cache not being shared between instances.
This issue resulted in inconsistencies in role data across different instances.
With this fix, scaling a Developer Hub instance will no longer lead to role data being out of sync.
- Gitlab organization synchronization not working
Recent updates to the Gitlab plugin resulted in the failure to synchronize organization provider data.
In this release, the issue is fixed by including a wrapper for the Gitlab plugin that exposes the Gitlab organization provider.
- Helm deployment shows empty white screen and 404 errors loading static content
A recent change to the upstream Helm chart accidentally prevented deployment of static resources.
With the release of the Developer Hub 1.2.1 Helm chart, this is fixed.
6.3. Fixed security issues
6.3.1. Fixed security issues in Red Hat Developer Hub 1.2.6
6.3.1.1. Red Hat Developer Hub dependency updates
- CVE-2024-37890
- A flaw was found in the Node.js WebSocket library (ws). A request with several headers exceeding the 'server.maxHeadersCount' threshold could be used to crash a ws server, leading to a denial of service.
- CVE-2024-43799
- A flaw was found in the Send library. This vulnerability allows remote code execution via untrusted input passed to the SendStream.redirect() function.
- CVE-2024-43800
- A flaw was found in serve-static. This issue may allow the execution of untrusted code via passing sanitized yet untrusted user input to redirect().
- CVE-2024-45590
- A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled.
6.3.2. Fixed security issues in Red Hat Developer Hub 1.2.5
6.3.2.1. Red Hat Developer Hub dependency updates
- CVE-2024-21529
- A flaw was found in the dset package. Affected versions of this package are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Object property proto, which is recursively assigned to all the objects in the program.
- CVE-2024-21536
- A flaw was found in the http-proxy-middleware package. Affected versions of this package are vulnerable to denial of service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. This flaw allows an attacker to kill the Node.js process and crash the server by requesting certain paths.
- CVE-2024-21538
- Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
- CVE-2024-24791
- A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
- CVE-2024-37890
- A flaw was found in the Node.js WebSocket library (ws). A request with several headers exceeding the 'server.maxHeadersCount' threshold could be used to crash a ws server, leading to a denial of service.
- CVE-2024-39249
- A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input.
- CVE-2024-43799
- A flaw was found in the Send library. This vulnerability allows remote code execution via untrusted input passed to the SendStream.redirect() function.
- CVE-2024-43800
- A flaw was found in serve-static. This issue may allow the execution of untrusted code via passing sanitized yet untrusted user input to redirect().
- CVE-2024-45590
- A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled.
- CVE-2024-48949
- A flaw was found in the Elliptic package. This vulnerability allows attackers to bypass EDDSA signature validation via improper handling of signature values where the S() component of the signature is not properly checked for being non-negative or smaller than the curve order.
6.3.2.2. RHEL 9 platform RPM updates
- CVE-2024-6119
- A flaw was found in OpenSSL. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.
- CVE-2024-6923
- A vulnerability was found in the email module that uses Python language. The email module doesn’t properly quote new lines in email headers. This flaw allows an attacker to inject email headers that could, among other possibilities, add hidden email destinations or inject content into the email, impacting data confidentiality and integrity.
- CVE-2024-37370
- A vulnerability was found in the MIT Kerberos 5 GSS krb5 wrap token, where an attacker can modify the plaintext Extra Count field, causing the unwrapped token to appear truncated to the application, occurs when the attacker alters the token data during transmission which can lead to improper handling of authentication tokens.
- CVE-2024-37371
- A vulnerability was found in the MIT Kerberos 5 GSS krb5 wrap token, where an attacker can modify the plaintext Extra Count field, causing the unwrapped token to appear truncated to the application, occurs when the attacker alters the token data during transmission which can lead to improper handling of authentication tokens.
- CVE-2024-39331
- A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when the Org mode is enabled, when Emacs is used as an email client, this issue can be triggered when previewing email attachments.
- CVE-2024-45490
- A flaw was found in libexpat’s xmlparse.c component. This vulnerability allows an attacker to cause improper handling of XML data by providing a negative length value to the XML_ParseBuffer function.
- CVE-2024-45491
- An issue was found in libexpat’s internal dtdCopy function in xmlparse.c, It can have an integer overflow for nDefaultAtts on 32-bit platforms where UINT_MAX equals SIZE_MAX.
- CVE-2024-45492
- A flaw was found in libexpat’s internal nextScaffoldPart function in xmlparse.c. It can have an integer overflow for m_groupSize on 32-bit platforms where UINT_MAX equals SIZE_MAX.
6.3.3. Fixed security issues in Red Hat Developer Hub 1.2.3
This section lists fixed security issues with Red Hat Developer Hub 1.2.3:
- CVE-2024-41818
- A regular expression denial of service (ReDoS) flaw was found in fast-xml-parser in the currency.js script. By sending a specially crafted regex input, a remote attacker could cause a denial of service condition. This vulnerability is fixed in 4.4.1.
- CVE-2024-37891
- A flaw was found in urllib3, an HTTP client library for Python. In certain configurations, urllib3 does not treat the Proxy-Authorization HTTP header as one carrying authentication material. This issue results in not stripping the header on cross-origin redirects. This vulnerability is fixed in 2.2.2.
- CVE-2024-39338
- Axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs. This vulnerability is fixed in 1.7.4.
6.3.4. Fixed security issues in Red Hat Developer Hub 1.2.2
This section lists fixed security issues with Red Hat Developer Hub 1.2.2:
- CVE-2024-28863
-
A flaw was found in ISAACS’s node-tar, where it is vulnerable to a denial of service, caused by the lack of folder count validation. The vulnerability exists due to the application not properly controlling the consumption of internal resources while parsing a
.tarfile. By sending a specially crafted request, a remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
6.3.5. Fixed security issues in Red Hat Developer Hub 1.2
This section lists fixed security issues with Red Hat Developer Hub 1.2:
- CVE-2023-6597
- A flaw was found in the tempfile.TemporaryDirectory class in python3/cpython3. The class may dereference symbolic links during permission-related errors, resulting in users that run privileged programs being able to modify permissions of files referenced by the symbolic link.
- CVE-2024-0450
- A flaw was found in the Python/CPython 'zipfile' that can allow a zip-bomb type of attack. An attacker may craft a zip file format, leading to a Denial of Service when processed.
- CVE-2024-35195
-
An incorrect control flow implementation vulnerability was found in Requests. If the first request in a session is made with
verify=False, all subsequent requests to the same host ignore cert verification. - CVE-2024-27307
- A vulnerability was found that could exploit the JSONata transform operator to override properties on the Object constructor and prototype. This could result in denial of service, remote code execution, or other unforeseen behavior in applications that assess user-provided JSONata expressions.
- CVE-2024-34064
-
A flaw was found in jinja2. The
xmlattr filteraccepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, >, or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could inject other attributes and perform cross-site scripting (XSS). - CVE-2023-45288
- A vulnerability was discovered with the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limitations on the amount of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a Denial of Service (DoS) attack.
- CVE-2024-27316
- A vulnerability was found in how Apache httpd implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which could use up memory resources to cause a DoS.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}