-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-tripleo-common and openstack-tripleo-heat-templates update
Advisory ID:       RHSA-2018:0602-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:0602
Issue date:        2018-03-28
CVE Names:         CVE-2017-12155 
=====================================================================

1. Summary:

An update for openstack-tripleo-common and openstack-tripleo-heat-templates
is now available for Red Hat OpenStack Platform 12.0 (Pike).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 12.0 - noarch

3. Description:

openstack-tripleo-common contains the python library for code common to the
Red Hat OpenStack Platform director CLI and GUI (codename tripleo).

openstack-tripleo-heat-templates is a collection of OpenStack Orchestration
templates and tools (codename heat), which can be used to help deploy
OpenStack.

Security Fix(es):

* openstack-tripleo-heat-templates: Ceph client keyring is world-readable
when deployed by director (CVE-2017-12155)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank Katuya Kawakami (NEC) for reporting this issue.

Bug Fix(es):

* All Compute and Controller nodes have bridge-mappings configured and
therefore are eligible to schedule routers. However, if you scheduled a
router on a Compute node that doesn't have a connection to an external
network, connectivity with the external network fails. This fix adds the
ability to configure bridge-mappings in TripleO and in the director
according to roles so that you can now exclude Compute nodes from router
scheduling and maintain external network connectivity. (BZ#1510879)

* Previously, the CephPools parameter value was incorrectly consumed as a
string list instead of as a JSON object. This prevented creating additional
Ceph pools during the overcloud deployment, because attempting to pass a
JSON object failed. This fix updates the CephPools parameter so that it now
accepts any JSON object that describes additional pools to create in the
Ceph cluster. Note: The JSON object structure must conform to ceph-ansible
conventions. (BZ#1516389)

* There is currently a known issue with LDAP integration for Red Hat
OpenStack Platform. The `keystone_domain_confg` tag is missing currently
from `keystone.yaml`, preventing Puppet from properly applying the required
configuration files. Consequently, LDAP integration with Red Hat OpenStack
Platform will not be properly configured. As a workaround, you must
manually edit `keystone.yaml` and add the missing tag. There are two ways
to do this:

1. Edit the file directly:
  a. Log into the undercloud as the stack user.
  b. Open the keystone.yaml in the editor of your choice. For example:
       `sudo vi
/usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml`
  c. Append the missing puppet tag, `keystone_domain_confg`, to line 94.
For example:
      `puppet_tags: keystone_config`
        Changes to:
      `puppet_tags: keystone_config,keystone_domain_confg`
  d. Save and close `keystone.yaml`.
  e. Verify you see the missing tag in the `keystone.yaml` file. The
following command should return '1':
    `cat
/usr/share/openstack-tripleo-heat-templates/docker/sercies/keystone.yaml |
grep 'puppet_tags: keystone_config,keystone_domain_config' | wc -l`

2. Or, use sed to edit the file inline:
  a. Login to the undercloud as the stack user.
  b. Run the following command to add the missing puppet tag:
     `sed -i 's/puppet_tags\: keystone_config/puppet_tags\:
keystone_config,keystone_domain_config/'
/usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml`
  c. Verify you see the missing tag in the keystone.yaml file The following
command should return '1':
    `cat
/usr/share/openstack-tripleo-heat-templates/docker/sercies/keystone.yaml |
grep 'puppet_tags: keystone_config,keystone_domain_config' | wc -l`
(BZ#1519057)

* It is only possible to deploy Ceph storage servers if their disk devices
are homogeneous. (BZ#1520004)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1301534 - The gateway_ip attribute for the isolated networks are not accurate
1433534 - [RFE] [OVN] HA support for OVN ovn-northd
1489360 - CVE-2017-12155 openstack-tripleo-heat-templates: Ceph client keyring is world-readable when deployed by director
1507888 - Deployment with ceph and TLS everywhere fails with: "WorkflowTasks_Step2_Execution: ERROR "cannot stat '/var/run/ceph/ceph-mon.overcloud-controller-2.asok': No such file or directory""
1508601 - Add NetIpMap to hieradata for *ExtraConfig overrides (Composable Networks)
1519765 - containerized HA rabbitmq stops on re-deploy if lsns fails
1523272 - OSP10->11->12 upgrade:  major-upgrade-composable-steps-docker.yaml fails with Error: Evaluation Error: Error while evaluating a Function Call, Could not find class ::panko
1523707 - [UPDATES] PCS managed containers ain't restarted with latest images
1528755 - ConfigDebug setting does not work for docker init bundles
1533097 - CephPools parameter does not add CephX permission for openstack user
1533468 - capabilities-map.yaml references wrong environment files for ceph services
1533875 - Using the Telmetry Role with Ceph/RBD as gnocchi backend Fails in step 4 of the Deployment
1537725 - Deployment templates for unsupported components causing some confusion
1538828 - standalone Telemetry.yaml role has wrong services and typo
1538875 - mysql_init_bundle container doesn't fail deployment if puppet fails
1539090 - Cinder backups fail when running in a container (non-HA)
1542537 - tox -epep8 fails with ERROR: Generated roles file not match
1543641 - Cinder HA and non-HA containers are not configured the same
1546234 - Rebase openstack-tripleo-heat-templates to 7.0.9
1546807 - [OSP12] After a minor update the swift_rsync container was in restarting state
1547955 - Undercloud / Overcloud Heat stack fails on: YAQL list index out of range (includes upgrades cases)
1551137 - Queue versioned_notifications.info not found
1551461 - [UPDATES] Failed to setup heat-output: refusing to convert between directory and link for /var/log/containers/swift
1552466 - docker_puppet_apply.sh has a fatal typo
1558639 - Collectd not re-using /var/run directory  from overcloud node therefor ovs plugin fails to connect to db.sock of openswitch.

6. Package List:

Red Hat OpenStack Platform 12.0:

Source:
openstack-tripleo-heat-templates-7.0.9-8.el7ost.src.rpm

noarch:
openstack-tripleo-heat-templates-7.0.9-8.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-12155
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFau84VXlSAg2UNWIIRAk5OAJ912PmETLFITLgnM/OniepSERyWvACfWCmj
hsFDLkLErcQNYFMUT80VIqc=
=a7WB
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce