-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 12.0 director security and bug fix update
Advisory ID:       RHSA-2018:2331-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2331
Issue date:        2018-08-20
CVE Names:         CVE-2018-1000115 
=====================================================================

1. Summary:

An update for memcached is now available for Red Hat OpenStack Platform
12.0 (Pike).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 12.0 - noarch

3. Description:

memcached is a high-performance, distributed memory object caching system,
generic in nature, but intended for use in speeding up dynamic web
applications by alleviating database load.

Security fix(es):

* memcached: UDP server support allows spoofed traffic amplification DoS
(CVE-2018-1000115)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

For more information about the bug fixes and enhancements included with
this update, see the "Technical Notes" section of the Release Notes 
linked in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1470033 - OSP11 -> OSP12 upgrade: docker services are missing preupgrade validation tasks in the upgrade tasks
1477663 - OSP11 -> OSP12 upgrade: after undercloud upgrade ironic-inspector logs repeated [Errno 32] Broken pipe errors in /var/log/messages
1488058 - Fix multiple issues related to DPDK derive parameters
1502860 - rhosp-director: difficult to map certain containers to their logs.
1504052 - Exception should be handled when resources are mapped to non-existent paths in the templates
1506038 - openstack-ironic: errors: Only 14 nodes are exposed to Nova of 15 requests.
1508867 - NovaMigrationTarget service is missing at ComputeOvsDpdk.yaml
1511988 - Call destroy-patch-ports from neutron-openvswitch-agent container
1513497 - FQDN hieradata is hardcoded.
1513502 - TLS everywhere fails with keystone admin API in the external network
1518605 - Hard-coded bootstrap node means replacing overcloud-controller-0 is not possible
1518662 - OSP11 -> OSP12 upgrade: pre-upgrade validations are preventing a re-run of the upgrade-non-controller.sh script to upgrade a compute node after a failed attempt
1520453 - OPS Tools | Centralized Logging | nova-conductor.log is not being tailed by fluentd because of mistake in nova-conductor.yaml file.
1527205 - ansible memory utilization
1528632 - stack update operation fails in rabbitmq config generation
1533204 - Upgrade from OSP11->OSP12 fails - ocf-exit-reason:Could not determine galera name from pacemaker node <galera-bundle-0>
1533271 - Running the mistral workflow to rotate Fernet decryption keys in the overcloud Fails
1533511 - gnocchi-upgrade doesnt get triggered from O->P upgrade causing ceilo-upgrade to fail
1534442 - ComputeExtraConfig is not applied. Is really NovaComputeExtraConfig deprecated ?
1537606 - TripleO doesn't install the trunk service plugin when deployed with OVN
1539961 - RabbitMQ user name not set in Neutron transport_url
1547146 - RFE: VNX tripleo support backport to pike
1547539 - [UPDATES] Failed to setup heat-output with custom stack name
1549139 - Stack update is not working when using derived parameters.
1550934 - Openstack 12 - Missing mount in the keystone container
1551182 - CVE-2018-1000115 memcached: UDP server support allows spoofed traffic amplification DoS
1552759 - Deployment fails with HCI enabled and SchedulerHints
1556720 - [OSP12] gnocchi-upgrade fails with InternalError: (1050, u"Table 'archive_policy' already exists")
1557328 - Security hardened image doesn't have enough space for /var partition
1558679 - Introspection of Diskless servers (iSCSI Booted)
1559151 - OSP11 -> OSP12 upgrade: after rebooting controller nodes post upgrade at boot time interfaces set under ovs bridges have no network connectivity
1559920 - gnocchi_api and gnocchi_metricd don't bind host's /var/lib/gnocchi directory
1560937 - [UPDATE] automation fails on controller update, but update actually pass successfully
1562148 - Overcloud deployment RHOS12 failed, 404 Client Error: Not Found for url: u'swift_rings_container': u'overcloud-swift-rings
1570147 - panko events are kept in DB forever, panko-expirer utility inclusion
1571435 - "subscription-manager list" shows Ceph OSD after updating overcloud compute nodes
1571646 - Update HostnameFormatDefault files to match overcloud-compute-%index%
1571744 - [RFE][Deployment] add ability to configure extra CPU flags for named CPU models
1572353 - FedRAMP requires cloud providers to use TLS v1.1 as a minimum
1572667 - don't restart openvswitch if --no-activate is specified (OSP-12)
1573583 - OSP12 Deployment with TLS everywhere fails -  Could not evaluate: The certificate * wasn't found in the list.
1573791 - [OSP12] live-migration uses port range from ephemeral port range
1573808 - The inability to enable LbaaS in horizon
1576751 - live migration broken when live_migration_inbound_addr is set and transport = ssh
1579023 - Director deployment of keystone integration with LDAP broken
1582597 - Non-descriptive failure logs during RHOS-12->RHOS-13 upgrade
1582645 - Rebase puppet-ceilometer to f2f2d2b
1583792 - Rebase puppet-cinder to 01d3e0e
1583858 - Rebase puppet-glance to 03bd9b8
1584279 - Rebase puppet-heat to dab3e55
1584374 - Rebase puppet-ironic to fc61157
1584396 - Rebase puppet-ceph to 401605a
1584403 - Rebase puppet-manila to eef0b53
1584404 - Rebase puppet-mistral to 728f96a
1584411 - Rebase puppet-neutron to 7415256
1584416 - Rebase puppet-panko to eefeaff
1584417 - Rebase puppet-keystone to 4de23ac
1584754 - Rebase puppet-trove to efcd4b3
1585189 - OSP12: Overcloud deployment fails when using capital letters in customized stack name ( --stack TEST-STACK34 ).
1585362 - NetApp Cinder back end does not deploy in RHOSP12 (Pike)
1586155 - [mixed versions] compat installation overcloud deployment failed WorkflowTasks_Step2_Execution
1589951 - Incorrect setting in Cinder's db purge cron job
1590030 - Rebase openstack-tripleo-puppet-elements to 7.0.7
1590031 - Rebase os-net-config to 7.3.6
1590033 - Rebase openstack-tripleo-image-elements to 7.0.5
1590368 - [osp12] Deployment fails in step 1 with "not a directory" when mounting "/etc/ssh/ssh_known_hosts" in scale deplyoments
1590586 - Rebase instack-undercloud to 7.4.12
1590607 - Rebase puppet-tripleo to b885b06
1590612 - Rebase python-tripleoclient to 7.3.10
1590613 - Rebase puppet-nova to 40eb56c
1590953 - CinderNetappNfsMountOptions missing from puppet manifest
1591782 - [osp12] os-collect-config service running on the undercloud causes overcloud deployment failures
1592418 - Rebase puppet-aodh to 77b54fc
1592963 - Rebase openstack-tripleo-heat-templates to 90cd669
1592967 - Rebase openstack-tripleo-common to 7.6.13
1596760 - [Deployment] Live migrations failing when domain is incorrect
1597313 - [UPGRADES][12]Failed to host-evacuate-live VM from non-containerized to containerized compute
1597972 - OSP12: With OvS2.9, hugetlbfs group should be used instead workarounds for DPDK
1599410 - [OSP12] Upgrade converge failed: cinder-manage  db sync returned 1 instead of one of
1599883 - Deployment fails during Gnocchi db_sync due to timing issue
1600038 - [UPDATE] update fails with error "The Resource Type (OS::TripleO::Services::ManilaBackendGeneric) could not be found"
1601348 - Running "openstack overcloud upgrade run --roles Controller --skip-tags validation" fails
1607143 - [UPDATE] Compute and Controller update exit with error code while executing step 5
1608450 - TLS everywhere deployment fails - missing TLS bits in T-H-T

6. Package List:

Red Hat OpenStack Platform 12.0:

Source:
instack-undercloud-7.4.12-1.el7ost.src.rpm
openstack-tripleo-common-7.6.13-3.el7ost.src.rpm
openstack-tripleo-heat-templates-7.0.12-8.el7ost.src.rpm
openstack-tripleo-image-elements-7.0.5-1.el7ost.src.rpm
openstack-tripleo-puppet-elements-7.0.7-1.el7ost.src.rpm
os-net-config-7.3.6-1.el7ost.src.rpm
puppet-aodh-11.4.0-2.el7ost.src.rpm
puppet-ceilometer-11.5.0-2.el7ost.src.rpm
puppet-ceph-2.4.2-2.el7ost.src.rpm
puppet-cinder-11.5.0-4.el7ost.src.rpm
puppet-glance-11.5.0-2.el7ost.src.rpm
puppet-heat-11.5.0-2.el7ost.src.rpm
puppet-ironic-11.5.0-2.el7ost.src.rpm
puppet-keystone-11.4.0-2.el7ost.src.rpm
puppet-manila-11.4.0-4.el7ost.src.rpm
puppet-mistral-11.4.0-2.el7ost.src.rpm
puppet-neutron-11.5.0-2.el7ost.src.rpm
puppet-nova-11.5.0-4.el7ost.src.rpm
puppet-panko-11.5.0-2.el7ost.src.rpm
puppet-tripleo-7.4.12-8.el7ost.src.rpm
puppet-trove-11.4.0-2.el7ost.src.rpm
python-novajoin-1.0.17-3.el7ost.src.rpm
python-os-brick-1.15.5-2.el7ost.src.rpm
python-tripleoclient-7.3.10-3.el7ost.src.rpm

noarch:
instack-undercloud-7.4.12-1.el7ost.noarch.rpm
openstack-tripleo-common-7.6.13-3.el7ost.noarch.rpm
openstack-tripleo-common-container-base-7.6.13-3.el7ost.noarch.rpm
openstack-tripleo-common-containers-7.6.13-3.el7ost.noarch.rpm
openstack-tripleo-common-devtools-7.6.13-3.el7ost.noarch.rpm
openstack-tripleo-heat-templates-7.0.12-8.el7ost.noarch.rpm
openstack-tripleo-image-elements-7.0.5-1.el7ost.noarch.rpm
openstack-tripleo-puppet-elements-7.0.7-1.el7ost.noarch.rpm
os-net-config-7.3.6-1.el7ost.noarch.rpm
puppet-aodh-11.4.0-2.el7ost.noarch.rpm
puppet-ceilometer-11.5.0-2.el7ost.noarch.rpm
puppet-ceph-2.4.2-2.el7ost.noarch.rpm
puppet-cinder-11.5.0-4.el7ost.noarch.rpm
puppet-glance-11.5.0-2.el7ost.noarch.rpm
puppet-heat-11.5.0-2.el7ost.noarch.rpm
puppet-ironic-11.5.0-2.el7ost.noarch.rpm
puppet-keystone-11.4.0-2.el7ost.noarch.rpm
puppet-manila-11.4.0-4.el7ost.noarch.rpm
puppet-mistral-11.4.0-2.el7ost.noarch.rpm
puppet-neutron-11.5.0-2.el7ost.noarch.rpm
puppet-nova-11.5.0-4.el7ost.noarch.rpm
puppet-panko-11.5.0-2.el7ost.noarch.rpm
puppet-tripleo-7.4.12-8.el7ost.noarch.rpm
puppet-trove-11.4.0-2.el7ost.noarch.rpm
python-novajoin-1.0.17-3.el7ost.noarch.rpm
python-os-brick-1.15.5-2.el7ost.noarch.rpm
python-tripleoclient-7.3.10-3.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-1000115
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html/release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW3q67dzjgjWX9erEAQiCvBAAiDr+sV6h+3Ocsxdl6EnQQrwQvs91YOEl
kiKI1eIC5H9FBeru35koMYHA6spSr1eEv++WX7YFC4njlbYBshR5Totd0981AAjs
bfylCK20CZtWDsYq5GaC3q+nYP9r22R5WlvpfTmTtLp03b63i4jf6d6mNiQKIvNH
dR3WAeGOGrJiQzR0RBARzywc17fawaSh7ndESZLlN/gCRFcoyI8MisBXSn4uxhzi
fwCRXm47qLkuip7Us8JgHUC7WRrXD8s/cb8a/6aok2IpVL8j6GsgJRrl/u4aHHlL
2b/3VYG1vY+eLlkxbuh4JQagSl5hjqnMptU9Xgq7RPmTomdXiYVuZXnpXULGgOIs
FkF4OD05NcfwxdExwdw1tsozQdq+zXvXx+9ZC2WXcRvxK4N9Vo5T5P9+C04yWgVa
8/WncnMD8SRh+63Sk4sPZhtl4Jv44TYvGwTwF9XwEJBt0MK9zPEQuaTM8P7urEBZ
7MYTyS1lgHJib5bcz+EYv3KESZKrxqeK5twRLJq6cjk4DxWCMNScG4BBVLL1gMPw
zIY9FhhWp/zKIkenfs1IF7BnzbgiGy6HYBnMKEmOw2dIe10aVvXueuHE9b+Yan/L
IkDQWuVDVPWdsQxExVriTFL8rTLQsBAUn8DaG1aHwOT2Ev3acxcizxO7PaACGq3n
zVOXc2kQXOE=
=1za7
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce