Linux Security

    RedHat: RHSA-2021-0037:01 Moderate: OpenShift Container Platform 4.6.12 bug

    Date 18 Jan 2021
    Posted By LinuxSecurity Advisories
    Red Hat OpenShift Container Platform release 4.6.12 is now available with updates to packages and images that fix several bugs. This release includes a security update for Red Hat OpenShift Container Platform 4.6.
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Moderate: OpenShift Container Platform 4.6.12 bug fix and security update
    Advisory ID:       RHSA-2021:0037-01
    Product:           Red Hat OpenShift Enterprise
    Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0037
    Issue date:        2021-01-18
    CVE Names:         CVE-2020-1971 CVE-2020-2304 CVE-2020-2305 
                       CVE-2020-2306 CVE-2020-2307 CVE-2020-2308 
                       CVE-2020-2309 CVE-2020-2574 CVE-2020-2752 
                       CVE-2020-2922 CVE-2020-8177 CVE-2020-8566 
                       CVE-2020-13249 CVE-2020-25641 CVE-2020-25694 
                       CVE-2020-25696 CVE-2020-28362 
    =====================================================================
    
    1. Summary:
    
    Red Hat OpenShift Container Platform release 4.6.12 is now available with
    updates to packages and images that fix several bugs.
    
    This release includes a security update for Red Hat OpenShift Container
    Platform 4.6.
    
    Red Hat Product Security has rated this update as having a security impact
    of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Description:
    
    Red Hat OpenShift Container Platform is Red Hat's cloud computing
    Kubernetes application platform solution designed for on-premise or private
    cloud deployments.
    
    This advisory contains the container images for Red Hat OpenShift Container
    Platform 4.6.12. See the following advisory for the RPM packages for this
    release:
    
    https://access.redhat.com/errata/RHSA-2021:0038
    
    Space precludes documenting all of the container images in this advisory.
    See the following Release Notes documentation, which will be updated
    shortly for this release, for details about these changes:
    
    https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html
    
    Security Fix(es):
    
    * kubernetes: Ceph RBD adminSecrets exposed in logs when loglevel >= 4
    (CVE-2020-8566)
    
    * golang: math/big: panic during recursive division of very large numbers
    (CVE-2020-28362)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    You may download the oc tool and use it to inspect release image metadata
    as follows:
    
    (For x86_64 architecture)
    
      $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.12-x86_64
    
    The image digest is
    sha256:5c3618ab914eb66267b7c552a9b51c3018c3a8f8acf08ce1ff7ae4bfdd3a82bd
    
    (For s390x architecture)
    
      $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.12-s390x
    
    The image digest is
    sha256:9e78700d5b1b8618d67d39f12a2c163f08e537eb4cea89cd28d1aa3f4ea356bb
    
    (For ppc64le architecture)
    
      $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.12-ppc64le
    
    The image digest is
    sha256:290cd8207d81123ba05c2f4f6f29c99c4001e1afbbfdee94c327ceb81ab75924
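    The advisory publishes one release image digest per architecture. The following is an added example, not part of the advisory or of Red Hat's tooling: a small POSIX shell helper that keeps the three published digests, builds a digest-pinned pull spec (so that a retagged `4.6.12-<arch>` image cannot stand in for the verified one), and compares a digest reported by a cluster against the advisory value. It assumes that the text output of `oc adm release info` carries the digest on a line beginning with `Digest:`; the sample output fed to the parser below is constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Added example: verify OCP 4.6.12 release image digests against RHSA-2021:0037.
# Digest values and pull specs are copied from the advisory; nothing else here is Red Hat code.

# Digest published in the advisory for each architecture.
expected_digest() {
  case "$1" in
    x86_64)  echo "sha256:5c3618ab914eb66267b7c552a9b51c3018c3a8f8acf08ce1ff7ae4bfdd3a82bd" ;;
    s390x)   echo "sha256:9e78700d5b1b8618d67d39f12a2c163f08e537eb4cea89cd28d1aa3f4ea356bb" ;;
    ppc64le) echo "sha256:290cd8207d81123ba05c2f4f6f29c99c4001e1afbbfdee94c327ceb81ab75924" ;;
    *)       return 1 ;;
  esac
}

# Pull spec pinned by digest instead of by mutable tag.
pinned_pullspec() {
  exp=$(expected_digest "$1") || return 1
  echo "quay.io/openshift-release-dev/ocp-release@$exp"
}

# Extract the digest from `oc adm release info` text output read on stdin.
# Assumption: the output contains a line of the form "Digest:    sha256:...".
parse_digest() {
  sed -n 's/^Digest:[[:space:]]*//p' | head -n 1
}

# Compare a reported digest with the advisory value for the given architecture.
# Returns 0 on match, 1 on mismatch, 2 for an architecture the advisory does not list.
check_digest() {
  arch="$1"
  reported="$2"
  exp=$(expected_digest "$arch") || { echo "unknown architecture: $arch"; return 2; }
  if [ "$reported" = "$exp" ]; then
    echo "OK: $arch digest matches advisory"
    return 0
  fi
  echo "MISMATCH: $arch reported=$reported expected=$exp"
  return 1
}

# Stand-alone usage: parse a constructed sample of `oc adm release info` output and check it.
# On a real cluster, replace the printf with:
#   oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.12-x86_64 | parse_digest
sample_output='Name:      4.6.12
Digest:    sha256:5c3618ab914eb66267b7c552a9b51c3018c3a8f8acf08ce1ff7ae4bfdd3a82bd
Created:   (constructed sample)'
reported=$(printf '%s\n' "$sample_output" | parse_digest)
check_digest x86_64 "$reported"
echo "pinned pull spec: $(pinned_pullspec x86_64)"
```

    Pinning the release image by digest in an upgrade or mirror configuration ties the cluster to exactly the content the advisory signed off on; comparing the `Digest:` line against the published value is the same check done by hand.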
    
    All OpenShift Container Platform 4.6 users are advised to upgrade to these
    updated packages and images when they are available in the appropriate
    release channel. To check for available updates, use the OpenShift Console
    or the CLI oc command. Instructions for upgrading a cluster are available
    at
    https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor.
    
    3. Solution:
    
    For OpenShift Container Platform 4.6 see the following documentation, which
    will be updated shortly for this release, for important instructions on how
    to upgrade your cluster and fully apply this asynchronous errata update:
    
    https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html
    
    Details on how to access this content are available at
    https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.
    
    4. Bugs fixed (https://bugzilla.redhat.com/):
    
    1810470 - [Flake] volume expansion tests occasionally flake with EBS CSI driver
    1811341 - Subpath test pod did not start within 5 minutes
    1814282 - Storage e2es leaving namespaces/pods around
    1836931 - `oc explain localvolume` returns empty description
    1842747 - Not READYTOUSE volumesnapshot instance can not be deleted
    1843008 - Fix reconciliation of manifests for 4.6 channel for LSO
    1850161 - [4.6] the skipVersion should exactly match regex in art.yaml
    1852619 - must-gather creates empty files occasionally
    1866843 - upgrade got stuck because of FailedAttachVolume
    1867704 - cluster-storage-operator needs to grant pod list/watch permissions to aws operator
    1867757 - Rebase node-registrar sidebar with latest version
    1871439 - Bump node registrar golang version
    1871955 - Allow snapshot operator to run on masters
    1872000 - Allow ovirt controller to run on master nodes
    1872244 - [aws-ebs-csi-driver] build fails
    1872290 - storage operator does not install on ovirt
    1872500 - Update resizer sidecar in CSI operators to use timeout parameter than csiTimeout
    1873168 - add timeout parameter to resizer for aws
    1877084 - tune resizer to have higher timeout than 2mins
    1879221 - [Assisted-4.6][Staging] assisted-service API does not prevent a request with another user's credentials from setting cluster installation progress
    1881625 - replace goautoreneg library in LSO
    1886640 - CVE-2020-8566 kubernetes: Ceph RBD adminSecrets exposed in logs when loglevel >= 4
    1888909 - Placeholder bug for OCP 4.6.0 rpm release
    1889416 - Installer complains about not enough vcpu for the baremetal flavor where generic bm flavor is being used
    1889936 - Backport timecache LRU fix
    1894244 - [Backport 4.6] IO archive contains more records of than is the limit
    1894678 - Installer panics on invalid flavor
    1894878 - Helm chart fails to install using developer console because of TLS certificate error
    1895325 - [OSP] External mode cluster creation disabled for Openstack and oVirt platform
    1895426 - unable to edit an application with a custom builder image
    1895434 - unable to edit custom template application
    1897337 - Mounts failing with error "Failed to start transient scope unit: Argument list too long"
    1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
    1898178 - [OVN] EgressIP does not guard against node IP assignment
    1899266 - [4.6z] Baremetal IPI with IPv6 control plane: nodes respond with duplicate packets to ICMP6 echo requests
    1899622 - [4.6z] configure-ovs.sh doesn't configure bonding options
    1900736 - [SR-IOV] Backport request to SR-IOV operator version 4.6 - SriovNetworkNodePolicies apply ignoring the spec.nodeSelector.
    1900792 - Track all resource counts via telemetry
    1901736 - additionalSecurityGroupIDs not working for master nodes
    1903353 - Etcd container leaves grep and lsof zombie processes
    1905947 - [Internal Mode] Object gateway (RGW) in unknown state after OCP upgrade.
    1906428 - [release-4.6]: When using webhooks in OCP 4.5 fails to rollout latest deploymentconfig
    1906723 - File /etc/NetworkManager/system-connections/default_connection.nmconnection  is incompatible with SR-IOV operator
    1906836 - [sig-arch][Early] Managed cluster should start all core operators: monitoring: container has runAsNonRoot and image has non-numeric user (nobody)
    1907203 - clusterresourceoverride-operator has version: 1.0.0 every build
    1908472 - High Podready Latency due to timed out waiting for annotations
    1908749 - [GSS] Unable to deploy OCS 4.5.2 on OCP 4.6.1, cannot `Create OCS Cluster Service`
    1908803 - [OVN] Network Policy fails to work when project label gets overwritten
    1908847 - [4.6.z] RHCOS 4.6 - Missing Initiatorname
    1909062 - ARO/Azure: excessive pod memory allocation causes node lockup
    1909248 - Intermittent packet drop from pod to pod
    1909682 - When scaling down the status of the node is stuck on deleting
    1909990 - oVirt provider uses deprecated cluster-api project
    1910066 - OpenShift YAML editor jumps to top every few seconds
    1910104 - [oVirt] Node is not removed when VM has been removed from oVirt engine
    1911790 - [Assisted-4.6] [Staging] reduce disk speed requirement for test/dev environments
    1913103 - Placeholder bug for OCP 4.6.0 rpm release
    1913105 - Placeholder bug for OCP 4.6.0 metadata release
    1913263 - [4.6] Unable to schedule a pod due to Insufficient ephemeral-storage
    1913329 - [Assisted-4.6] [Staging] Installation fails to start
    1914988 - [4.6.z] real-time kernel in RHCOS is not synchronized
    1915007 - Fixed by revert -- Upgrade to OCP 4.6.9 results in cluster-wide DNS and connectivity issues due to bad NetworkPolicy flows
    
    5. References:
    
    https://access.redhat.com/security/cve/CVE-2020-1971
    https://access.redhat.com/security/cve/CVE-2020-2304
    https://access.redhat.com/security/cve/CVE-2020-2305
    https://access.redhat.com/security/cve/CVE-2020-2306
    https://access.redhat.com/security/cve/CVE-2020-2307
    https://access.redhat.com/security/cve/CVE-2020-2308
    https://access.redhat.com/security/cve/CVE-2020-2309
    https://access.redhat.com/security/cve/CVE-2020-2574
    https://access.redhat.com/security/cve/CVE-2020-2752
    https://access.redhat.com/security/cve/CVE-2020-2922
    https://access.redhat.com/security/cve/CVE-2020-8177
    https://access.redhat.com/security/cve/CVE-2020-8566
    https://access.redhat.com/security/cve/CVE-2020-13249
    https://access.redhat.com/security/cve/CVE-2020-25641
    https://access.redhat.com/security/cve/CVE-2020-25694
    https://access.redhat.com/security/cve/CVE-2020-25696
    https://access.redhat.com/security/cve/CVE-2020-28362
    https://access.redhat.com/security/updates/classification/#moderate
    
    6. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2021 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBYAXQr9zjgjWX9erEAQhINxAAjh7aW1WwDkpKJ6CeA/YpDjZmlkHATXTl
    GjxB6A67OIVKzNbNhydIu9lsZnYaYCk7MQVAbua9BN0VxDv6Wcg3+NicCCaRYntm
    yTqh4L0pKd9/yrMF0WAshrw/Z8QJgnyEnCXDCKltHFkNa+d9Zu6HrSEqAnLYFneU
    jZ8CVB4FzA9sgCntvQnzoqxToA0iICT4znhJws3qTf+1WFbQNWHpyYgo8p0oJqbK
    0TWv0hcuMNA1xfbhqRH2uW2RLJIJJxTixi2iHA3N9WZlQE26/6p67L12OH7SKmcI
    ve8b6fCT/co1O27AJk4gzyqkyVNzXjBOEFT1wPigB0CQRoTJmC+tqtD1nKIkdMaQ
    pc7hOkXx6FjKjFC8Q/laW5N8e98897lhklSzaEI3d4V4SBzAAg2eNztPNoOs/AWS
    hGUaiByVjg88lV1JahNOom3mv6rqHTNZufYGNRmDImHovrDJWDLMW6SUSDLVa/Ib
    6x/JX5bRn4YATlulIrR/3czkO6S+J/y6k5eJONbvgErQWxGYx/Zej+b20om4vU+A
    pLQ8xS2gR0OQo0aIPetZsB6t70Ng9r3HlR1yZvpcHPjcSVQd6YmXfj4ZX+dDnufE
    Qh9cn+8VBLHk/HGhhYYVrrW6mF1ZpYCw8UNY+D8FTmNgoGUIF5Kgbil20BVfD7IG
    l4Zmr01HNY4=
    =+mgi
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    
