add RN text for 1.2.5

Signed-off-by: Nick Boldt <[email protected]>

dedupe and add note about source of the freshmaker/RPM updates

Signed-off-by: Nick Boldt <[email protected]>

build/scripts/single-source-security-fixes.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+#
+# Copyright (c) 2024 Red Hat, Inc.
+# This program, and the accompanying materials are made
+# available under the terms of the Apache Public License 2.0,
+# available at http://www.apache.org/licenses/
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Fail and stop on first error
+
+if [[ $# -lt 1 ]] || [[ ! -f modules/release-notes/cve-list-$1.txt ]]; then
+  echo "Usage:
+
+To process the contents of modules/release-notes/cve-list-\$version.txt, use the appropriate file version:
+
+$0 x.y.z
+
+Example:
+
+$0 1.2.5"
+  exit
+else 
+  version="$1"
+fi
+
+set -e
+destination=/tmp/snip-common-vulnerabilities-and-exposures.adoc; rm -f "$destination"
+
+echo;echo "Paste the following fragment into the file modules/release-notes/con-relnotes-fixed-issues.adoc"
+echo; echo "----------------
+
+=== Fixed security issues in {product} 1.2.5
+
+This section lists fixed security issues with {product} 1.2.5:
+"
+
+while IFS="" read -r cve || [ -n "$cve" ]
+do
+  if [[ ${cve} != "#"* ]] && [[ $cve != "" ]]; then # commented or blank lines
+    # Start the list.
+    echo "link:https://access.redhat.com/security/cve/$cve[$cve]::"
+    # Call the API to return a list of details.
+    # Red Hat is last if there is one.
+    # Red Hat details is single line.
+    # MITRE details are multiline.
+    # We keep Red Hat details if present.
+    # We keep only the first two lines on MITRE details.
+    curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/$cve.json" | jq -r '.details[-1]' | head -n 2
+    # Add a separation
+    echo ""
+  fi
+done < "modules/release-notes/cve-list-$version.txt"
+echo "----------------"

modules/release-notes/con-relnotes-fixed-issues.adoc

@@ -220,6 +220,46 @@ With the release of the {product-short} 1.2.1 Helm chart, this is fixed.
 
 == Fixed security issues
 
+=== Fixed security issues in {product} 1.2.5
+
+This section lists fixed security issues with {product} 1.2.5:
+
+link:https://access.redhat.com/security/cve/CVE-2024-21529[CVE-2024-21529]::
+A flaw was found in the dset package. Affected versions of this package are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject a malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.
+
+link:https://access.redhat.com/security/cve/CVE-2024-45590[CVE-2024-45590]::
+A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled.
+
+link:https://access.redhat.com/security/cve/CVE-2024-24791[CVE-2024-24791]::
+A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
+
+link:https://access.redhat.com/security/cve/CVE-2024-39249[CVE-2024-39249]::
+A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input.
+
+link:https://access.redhat.com/security/cve/CVE-2024-37371[CVE-2024-37371]::
+A vulnerability was found in Kerberos. This flaw is due to an issue with message token handling.
+
+link:https://access.redhat.com/security/cve/CVE-2024-37370[CVE-2024-37370]::
+A vulnerability was found in Kerberos. This flaw is due to an issue with message token handling.
+
+link:https://access.redhat.com/security/cve/CVE-2024-6923[CVE-2024-6923]::
+A vulnerability was found in the email module that uses Python language. The email module doesn't properly quote new lines in email headers. This flaw allows an attacker to inject email headers that could, among other possibilities, add hidden email destinations or inject content into the email, impacting data confidentiality and integrity.
+
+link:https://access.redhat.com/security/cve/CVE-2024-39331[CVE-2024-39331]::
+A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when the Org mode is enabled, when Emacs is used as an email client, this issue can be triggered when previewing email attachments.
+
+link:https://access.redhat.com/security/cve/CVE-2024-45490[CVE-2024-45490]::
+A flaw was found in libexpat's xmlparse.c component. This vulnerability allows an attacker to cause improper handling of XML data by providing a negative length value to the XML_ParseBuffer function.
+
+link:https://access.redhat.com/security/cve/CVE-2024-45491[CVE-2024-45491]::
+An issue was found in libexpat’s internal dtdCopy function in xmlparse.c, It can have an integer overflow for nDefaultAtts on 32-bit platforms where UINT_MAX equals SIZE_MAX.
+
+link:https://access.redhat.com/security/cve/CVE-2024-45492[CVE-2024-45492]::
+A flaw was found in libexpat's internal nextScaffoldPart function in xmlparse.c. It can have an integer overflow for m_groupSize on 32-bit platforms where UINT_MAX equals SIZE_MAX.
+
+link:https://access.redhat.com/security/cve/CVE-2024-6119[CVE-2024-6119]::
+A flaw was found in OpenSSL. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.
+
 === Fixed security issues in {product} 1.2.3
 
 This section lists fixed security issues with {product} 1.2.3:

modules/release-notes/cve-list-1.2.5.txt

@@ -0,0 +1,19 @@
+# not yet live; uncomment to generate CVE RN text
+# CVE-2024-43799
+# CVE-2024-37890
+
+# these are live, pending the release of 1.2.5
+CVE-2024-21529
+CVE-2024-45590
+CVE-2024-24791
+CVE-2024-39249
+
+# RPM updates from Freshmaker (RHIDP-4218)
+CVE-2024-37371
+CVE-2024-37370
+CVE-2024-6923
+CVE-2024-39331
+CVE-2024-45490
+CVE-2024-45491
+CVE-2024-45492
+CVE-2024-6119