
Red Hat Security Advisory 2022-0995-01

Posted Mar 24, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-0995-01 - An update for openstack-tripleo-heat-templates is now available for Red Hat OpenStack Platform 16.2 (Train). A data leak issue has been addressed.

tags | advisory
systems | linux, redhat
advisories | CVE-2021-4180
SHA-256 | 9fe874e55fe050e0ce2eb6bcdcb4a6cbcffea219d765cc0dc420fc49db13efec


=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenStack Platform 16.2 (openstack-tripleo-heat-templates) security update
Advisory ID: RHSA-2022:0995-01
Product: Red Hat OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0995
Issue date: 2022-03-23
CVE Names: CVE-2021-4180
=====================================================================

1. Summary:

An update for openstack-tripleo-heat-templates is now available for Red Hat
OpenStack Platform 16.2 (Train).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - noarch

3. Description:

Heat templates for TripleO

Security Fix(es):

* Data leak of internal URL through keystone_authtoken (CVE-2021-4180)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1855678 - Configure Ceph Messenger for encryption OTW
1869587 - Octavia and LB issues after OSP13z11 and OSP16.x upgrade
1886762 - [RFE] support NFS mount at the conversion directory
1921112 - [OSP13->OSP16.2] nova-consoleauth still present in cli after upgrade.
1949673 - [RHOSP16.2] [rsyslog] Miss configuration generated in 50_openstack_logs.conf
1949675 - [RHOSP16.2] [rsyslog] rsyslog containers does not forward logs to elasticsearch
1955562 - Backup and Restore: Backup openstack client integration - openstack backup using bad nfs server address is not erroring out
1962304 - cinder volume at DCN unable to read central cephx keyring
1965233 - [FFU 13 -> 16.x] xinetd is running after upgrade, blocking swift_rsync container
1969411 - [RFE]: allow for the deployment of RHCS dashboard on any composable network
1975271 - Minor update does not restart ha resource when it is in failed stated
1976055 - Configuration of Memcached TLS requires the user to duplicate configuration entries
1978228 - [OSP13->OSP16.2] Leapp upgrade failed with TLSEverywhere
1980542 - [16.2] LC_CTYPE: cannot change locale (C.UTF-8) during OC upgrade 13 to 16.2 seems to fail upgrade
1983748 - NeutronL3AgentAvailabilityZone does not set specified value for Availability zone of Neutron L3 agent
1984555 - [RHOSP16.2] Smart plugin doesn't work for CAP_SYS_RAWIO capability missing.
1984875 - [OSP13->16.2] the leapp persistentnetnamesdisable actor should be removed so that a reboot can be avoided
1992506 - [RHOSP16.2] dpdk ovs vhost postcopy requires to start ovs with --mlockall=no
1999324 - NovaLiveMigrationPermitAutoConverge should default to true to match NovaLiveMigrationPermitPostCopy
1999725 - [RFE] Allow for the deployment of Ganesha on the overcloud "external" network
2000582 - ceph ssl radosgw port is closed for tempest (undercloud node)
2002346 - [OSP-16.2] [Upgrades][TripleO] Revert of the TSX change in tripleoclient
2003176 - [OSP16.2] ovn-dbs pacemaker update_tasks can race with pacemaker update_tasks
2005086 - Unable to disable gateway validation on deployment
2005680 - Cinder __DEFAULT__ volume type is installed but *tripleo* volume type is the real default
2008418 - Stack reconfiguration failed because ha-proxy container crashed during reconfiguration
2009422 - Deployment failing due to "Create /etc/openstack directory if it does not exist" task
2010114 - Openstack ceilometer archival policy is not taking effect
2010703 - rhosp-release package is removed during upgrade from all nodes
2010940 - ceph-nfs not coming up after the FFU
2013913 - Minion should be configured with same default tuning as Undercloud for atleast heat & ironic
2014758 - There's a typo in MySQLInodbBufferPoolSize as it should be MySQLInnodbBufferPoolSize
2021575 - [16.2] openstack overcloud upgrade run times out / HAProxy container fails to start
2022234 - Parameter 'ValidateGatewaysIcmp:false' is not working in OSP16.2
2022691 - [OSP16.2] qemu logs are not accessible on the host
2026290 - Some log files are not collected/relayed by rsyslog to remote log server
2027787 - Undercloud upgrade to 16.2 fails because of missing dependencies of swtpm
2030409 - [OSP16.2] Memcached if off for Heat, Keystone and Nova since caching backend is dogpile.cache.null
2031110 - Long t-h-t role name causes OVNMacAddressPort tag to exceed the neutron tag length limit
2032010 - [OSP16.2.0] neutron-dhcp-agent causes oom issues on controllers
2034189 - Validation if NTP/Chrony is configured during at initial stage of deployment procedure
2034730 - Horizon log not collected/relayed by rsyslog to remote log server
2035793 - CVE-2021-4180 openstack-tripleo-heat-templates: data leak of internal URL through keystone_authtoken
2037940 - [OVN] Enable ovn-monitor-all to help with OVN scale
2038897 - [RHOSP16.2] [DCN] [STF] metrics_qdr containers failed to start with bind address error
2046185 - From time to time memcached stops processing requests and brings down OpenStack control plane
2046211 - [OSP13->OSP16.2] Leapp actors directory change impacting in the upgrade
2050154 - [update] 16.1->16.2 experience a connectivity cut (ping loss) to FIP during update of the controllers.

6. Package List:

Red Hat OpenStack Platform 16.2:

Source:
openstack-tripleo-heat-templates-11.6.1-2.20220116004912.el8ost.src.rpm

noarch:
openstack-tripleo-heat-templates-11.6.1-2.20220116004912.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-4180
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce