-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.2 (openstack-tripleo-heat-templates) security update
Advisory ID:       RHSA-2022:0995-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0995
Issue date:        2022-03-23
CVE Names:         CVE-2021-4180
=====================================================================

1. Summary:

An update for openstack-tripleo-heat-templates is now available for Red
Hat OpenStack Platform 16.2 (Train).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - noarch

3. Description:

Heat templates for TripleO

Security Fix(es):

* Data leak of internal URL through keystone_authtoken (CVE-2021-4180)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1855678 - Configure Ceph Messenger for encryption OTW
1869587 - Octavia and LB issues after OSP13z11 and OSP16.x upgrade
1886762 - [RFE] support NFS mount at the conversion directory
1921112 - [OSP13->OSP16.2] nova-consoleauth still present in cli after upgrade.
1949673 - [RHOSP16.2] [rsyslog] Miss configuration generated in 50_openstack_logs.conf
1949675 - [RHOSP16.2] [rsyslog] rsyslog containers does not forward logs to elasticsearch
1955562 - Backup and Restore: Backup openstack client integration - openstack backup using bad nfs server address is not erroring out
1962304 - cinder volume at DCN unable to read central cephx keyring
1965233 - [FFU 13 -> 16.x] xinetd is running after upgrade, blocking swift_rsync container
1969411 - [RFE]: allow for the deployment of RHCS dashboard on any composable network
1975271 - Minor update does not restart ha resource when it is in failed stated
1976055 - Configuration of Memcached TLS requires the user to duplicate configuration entries
1978228 - [OSP13->OSP16.2] Leapp upgrade failed with TLSEverywhere
1980542 - [16.2] LC_CTYPE: cannot change locale (C.UTF-8) during OC upgrade 13 to 16.2 seems to fail upgrade
1983748 - NeutronL3AgentAvailabilityZone does not set specified value for Availability zone of Neutron L3 agent
1984555 - [RHOSP16.2] Smart plugin doesn't work for CAP_SYS_RAWIO capability missing.
1984875 - [OSP13->16.2] the leapp persistentnetnamesdisable actor should be removed so that a reboot can be avoided
1992506 - [RHOSP16.2] dpdk ovs vhost postcopy requires to start ovs with --mlockall=no
1999324 - NovaLiveMigrationPermitAutoConverge should default to true to match NovaLiveMigrationPermitPostCopy
1999725 - [RFE] Allow for the deployment of Ganesha on the overcloud "external" network
2000582 - ceph ssl radosgw port is closed for tempest (undercloud node)
2002346 - [OSP-16.2] [Upgrades][TripleO] Revert of the TSX change in tripleoclient
2003176 - [OSP16.2] ovn-dbs pacemaker update_tasks can race with pacemaker update_tasks
2005086 - Unable to disable gateway validation on deployment
2005680 - Cinder __DEFAULT__ volume type is installed but *tripleo* volume type is the real default
2008418 - Stack reconfiguration failed because ha-proxy container crashed during reconfiguration
2009422 - Deployment failing due to "Create /etc/openstack directory if it does not exist" task
2010114 - Openstack ceilometer archival policy is not taking effect
2010703 - rhosp-release package is removed during upgrade from all nodes
2010940 - ceph-nfs not coming up after the FFU
2013913 - Minion should be configured with same default tuning as Undercloud for atleast heat & ironic
2014758 - There's a typo in MySQLInodbBufferPoolSize as it should be MySQLInnodbBufferPoolSize
2021575 - [16.2] openstack overcloud upgrade run times out / HAProxy container fails to start
2022234 - Parameter 'ValidateGatewaysIcmp:false' is not working in OSP16.2
2022691 - [OSP16.2] qemu logs are not accessible on the host
2026290 - Some log files are not collected/relayed by rsyslog to remote log server
2027787 - Undercloud upgrade to 16.2 fails because of missing dependencies of swtpm
2030409 - [OSP16.2] Memcached if off for Heat, Keystone and Nova since caching backend is dogpile.cache.null
2031110 - Long t-h-t role name causes OVNMacAddressPort tag to exceed the neutron tag length limit
2032010 - [OSP16.2.0] neutron-dhcp-agent causes oom issues on controllers
2034189 - Validation if NTP/Chrony is configured during at initial stage of deployment procedure
2034730 - Horizon log not collected/relayed by rsyslog to remote log server
2035793 - CVE-2021-4180 openstack-tripleo-heat-templates: data leak of internal URL through keystone_authtoken
2037940 - [OVN] Enable ovn-monitor-all to help with OVN scale
2038897 - [RHOSP16.2] [DCN] [STF] metrics_qdr containers failed to start with bind address error
2046185 - From time to time memcached stops processing requests and brings down OpenStack control plane
2046211 - [OSP13->OSP16.2] Leapp actors directory change impacting in the upgrade
2050154 - [update] 16.1->16.2 experience a connectivity cut (ping loss) to FIP during update of the controllers.

6. Package List:

Red Hat OpenStack Platform 16.2:

Source:
openstack-tripleo-heat-templates-11.6.1-2.20220116004912.el8ost.src.rpm

noarch:
openstack-tripleo-heat-templates-11.6.1-2.20220116004912.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-4180
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYjvmKNzjgjWX9erEAQispxAAihi4ziFGX97tUuSGWQgConiT5Hewws7X
84GxTMJ82iW7M7bQBPW6+YaKsKqqt3Yd3+1qCJG2q4A1j8dR/9Cy9U93AHHqMZe+
HOALT/1JQzrmH/DZGkuj5buhaHLYxbeBv/3IlyoaZVPRhu8xZ6wD/1OnPPTkc0LA
HrEc47t5bVTmAqMyTdnBi5+0FxmgabOErSZk2MaWfTiBUpDbZfgO4Nw6Kq0UZyG1
q72gOnR6ZPCZG3n+QDIZytifEW9wCpngF8H5lOYe+BLErmBySUGtQubWllBA02Go
DXIb4pPmtc7O08CVywTfdxAFTdaE69pk7LhB9/XRRVeLMkHc7ICKqtJmNXkyYugW
6zI/F950TzTqHlx7cRnEOY44D3sHva3CMy2QQHgz93FPiSdnNktLimP116jJHUfZ
R6BAg4nBU8T1scTf0SBTurJeVhmOh9r5zyGRSzdDKA/iS6qY0u/RTzaQKLZrM2fl
BPKbyZwQPFvGYepjBtSbKEbdXihz+b03N2KDg7XI4RP7z6k/qHnUAJ9lNIt9t9gI
hJmiKyGAzrHKNqkuzXrMRhOnbfgElzMI2epsfUtYSfx3cga6NB4fQafT+YVZotLJ
1DkCfWDmwr/6qVqMNfqLh4KhC1WjwwYKFeqz5VYbNagEhe2Zn7ALIBc+b4xjp+8E
UKkhXd7aiwk=
=yB4a
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce