-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack 16.1.9 (openstack-tripleo-heat-templates) security update
Advisory ID:       RHSA-2022:8796-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8796
Issue date:        2022-12-07
CVE Names:         CVE-2021-4180 
=====================================================================

1. Summary:

An update for openstack-tripleo-heat-templates is now available for Red Hat
OpenStack Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.1 - noarch

3. Description:

Heat templates for TripleO

Security Fix(es):

* data leak of internal URL through keystone_authtoken (CVE-2021-4180)

Other fixes:

* Before this update, NTP validation did not occur during deployments. Some
users reported issues with cloud authentication failing with invalid tokens
due to time not being synchronized between nodes. With this update, NTP
synchronization validation during deployment has been re-enabled. Hosts
must be able to connect to the defined NTP server list. If you previously
performed a deployment with invalid or unreachable NTP servers, after
update, the deployment might fail when NTP is validated. Ensure that you
have valid and reachable NTP servers before updating. (BZ#2034095)

* With this update, director supports specifying overrides for NVSv4 ID
mapping when using a CephFS-NFS back end with the Shared File Systems
service (manila). Ceph-NFS with the Shared File Systems service only allows
client access through NFSv4.1+. With NFSv4.1, usernames and group names are
sent over the wire and translated by both the server and the client.
Deployers might want to customize their domain settings to better represent
organization users who can access Shared File Systems service shares from
multiple clients. Director supports customizing NFS ID mapping settings
through these parameters:
- - ManilaCephFSNFSIdmapOverrides: Allows specifying configuration objects
for override with the default idmapd.conf file used by the NFS service
- - ManilaCephFSNFSIdmapConf: Allows specifying a custom idmapd.conf file for
the NFS service (BZ#1917356)

* Before this update, the ceilometer-agent-compute container could not read
the /var/run/libvirt directory because of an improper volume mount to
/var/run/libvirt in the ceilometer-agent-compute container, resulting in
the inability to poll for CPU metrics on Compute nodes. With this update,
the appropriate global permissions have been applied to the
/var/run/libvirt directory, and you can poll for CPU telemetry with the
ceilometer-agent-compute container on the Compute nodes. CPU telemetry data
is available through the Compute service (nova). (BZ#2103971)

* Before this update, the libvirt service started after the
ceilometer-agent-compute service and the ceilometer-agent-compute service
did not communicate with libvirt, resulting in missing libvirt metrics.
With this update, the ceilometer-agent-compute service starts after the
libvirt service and can poll libvirt metrics without "Permission denied"
errors. (BZ#2130078)

* Before this update, a Telemetry service (ceilometer) user had
insufficient privileges to poll objects from the Object Storage service
(swift). The Object Storage service client did not allow the Telemetry
service user to fetch object details. With this update, the Telemetry
service user is associated with the ResellerAdmin role.
+
Execute the following command to workaround this issue manually:
+
- ----
$ openstack role add --user ceilometer --project service ResellerAdmin
- ----
+
The associated Telemetry service user can poll Object Storage service
object metrics successfully. (BZ#2130849)

* Before this update, systemd stopped the Load-balancing services (octavia)
during shutdown, leaving resources in the PENDING_UPDATE status. With this
update, the graceful shutdown duration of the Load-balancing services is
increased, preventing the services from being stopped by systemd.
(BZ#2063031)

* In Red Hat OpenStack Platform (RHOSP) 16.1.9, the collectd processes
plugin is removed from the default list of plugins. Loading the plugin can
cause flooding issues and does not provide value when running in a
containerized environment because it only recognizes the collectd and
sensubility processes rather than the expected system processes. Bug fixes
and support will be provided through the end of the 16.1.9 lifecycle but no
new feature enhancements will be made. (BZ#2101949)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1851467 - [OVN] Do not send geneve UDP traffic to conntrack for performance reasons
1910115 - OVNCMSOptions are not set correctly on controller nodes if OVN without DVR is deployed with minimum extra env files
1917356 - [RHOSP 16.1] manila with cephfs using nfs doesn't honor Squash = None provided in the ganesha export template during share creation
1936278 - Sensitive amphora values exposed in ansible.log during stack update.
2032295 - [RHOSP 16.1] [ipv6 undercloud] undercloud update fails when you have ipv6 undercloud with enable_routed_networks=false in undercloud.conf; during stack update router interface port is tried to be re-created with the same ip
2032518 - Bonding Rendered Templates have incorrect indentation
2034095 - Deployment fails while authenticating for nova and glance during TASK [tripleo-keystone-resources : Check Keystone public endpoint status]
2035793 - CVE-2021-4180 openstack-tripleo-heat-templates: data leak of internal URL through keystone_authtoken
2036195 - Provide mechanism to tune the sysctl param fs.aio-max-nr on the host
2039412 - after minor update to 16.1.7, libvirtd is enabled on the controllers
2049452 - Killing dhcp sidecar container fails
2061845 - [RHOS 16.1] Fix InternalApi subnet for ControllerNovaStandalone role
2062764 - [RHOSP 16.1] ceilometer-ipmi-agent logs to /var/log/ceilometer inside the container
2063031 - Octavia services might be killed by systemd on update
2064383 - FFU OSP13->16.1 leapp fails with: Detected loaded kernel drivers which have been removed in RHEL 8
2065736 - RHOSP13-16.1 FFU - Use state file for workaround 1925078
2066852 - Overcloud deployment fails with error as 'overcloud_endpoint.pem' not found.
2069755 - [16.1] [Regression] Nova instance QEMU logs are not created under /var/log/libvirt/qemu/
2073607 - Certificate DN is not expanding in the Octavia tenant flow logs
2100907 - Octavia fails when enabling TLS-e in existing setup
2101949 - [RHOSP 16.1] Remove processes plugin from list of default plugins for collectd deployments
2103971 - [RHOSP 16.1] Ceilometer can't read /run/libvirt resulting in no 'cpu' metrics
2109931 - Too frequent async task polling causes delay in timeout detection
2129031 - [RHOSP16.1.8] DHCP agent container is not removed after network deletion
2129882 - [OVN][16.1] VM status spawning and ERROR on CI jenkins job
2130078 - [RHOSP 16.1] Ceilometer-agent-compute could be started on compute nodes before libvirt which will cause ceilometer to fail to collect virt mertrics
2130140 - [13->16.1] Undercloud upgrade fails on nova_db_sync_stein
2130849 - [RHOSP 16.1] swiftclient forbids ceilometer from polling swift objects
2131961 - Overcloud container images not updated during minor update
2136171 - Predictable IP Deploy fails Storage Port cidr is incorrect
2136393 - overcloud update failed with error {"msg": "Failed to get information on remote file (/var/lib/mistral/overcloud/octavia-ansible/group_vars/octavia_vars.yaml): Permission denied"}
2141835 - [RHOSP16.1] DerivePciWhitelistEnabled Is Not Defined

6. Package List:

Red Hat OpenStack Platform 16.1:

Source:
openstack-tripleo-heat-templates-11.3.2-1.20221013153262.el8ost.src.rpm

noarch:
openstack-tripleo-heat-templates-11.3.2-1.20221013153262.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-4180
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY5FphNzjgjWX9erEAQipSA/+OVCRPwVATGYE1VxmQWCkXtB4thYPtkxd
WQ0vnNrepSAauvrQMo4YZwOHYF+5gyxZ5w9rEShY8l3YhcinhO8EDXVn8f61DsRA
WBIE7i/bMOK1LZ0heYXZT8R1G2I+uldoB8D+vLSzINRfi0hibEkZGXOULlK85Avx
PFzeO4887LYcJfrppf6WwdQ3lyma/8GWTQctnzEmyFXvIf6MKM5dTby75x6Yo2uC
XC4pCcwPpdHvZT5BINBIvYenqNNgHh2S4Mk+ilyaslm51ZTa/PIpKyk9GD3R3JD6
lQIN3nHhZkrPw3AhchtOicrbi8C1djrvAOnc9DMCVD10vP5pPUzUs8VeyADext0g
URx93mF24MH36ao89vTZPkinSnG5Y7DxhG1vn+49NtclXRiGUQo/XQ0eF+uvfEZM
+Bpw3LKuxz/og5GJA2N4hu/UOl6G0xdeknzjEWne/DmTBDNHwho1Q8jDKPFlwTHO
/ubCOT6HtdQM/tug2PHyfdf/73CsvCOcmhxByXm7TnwfLM9Dv87cp/Pb2Oqm0Pzp
rE7W44uvkkuq507YPyRtZKEdGO973AY2sXtnfZMh/Y38oCPgvS0Fd9XixSifCn6/
ZxN6QsExd5Oi9pAMjmy/tlUEe294GcD6fOrtcoNtrbCW1Wg4XKL4T+dz2ky8um1j
hy8gAdxaruw=
=ZoRF
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce