-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 16.2 (openstack-tripleo-heat-templates) security update
Advisory ID:       RHSA-2022:0995-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0995
Issue date:        2022-03-23
CVE Names:         CVE-2021-4180 
====================================================================
1. Summary:

An update for openstack-tripleo-heat-templates is now available for Red Hat
OpenStack Platform 16.2 (Train).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - noarch

3. Description:

Heat templates for TripleO

Security Fix(es):

* Data leak of internal URL through keystone_authtoken (CVE-2021-4180)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1855678 - Configure Ceph Messenger for encryption OTW
1869587 - Octavia and LB issues after OSP13z11 and OSP16.x upgrade
1886762 - [RFE] support NFS mount at the conversion directory
1921112 - [OSP13->OSP16.2] nova-consoleauth still present in cli after upgrade.
1949673 - [RHOSP16.2] [rsyslog]  Miss configuration generated in 50_openstack_logs.conf
1949675 - [RHOSP16.2] [rsyslog]  rsyslog containers does not forward logs to elasticsearch
1955562 - Backup and Restore: Backup openstack client integration - openstack backup using bad nfs server address is not erroring out
1962304 - cinder volume at DCN unable to read central cephx keyring
1965233 - [FFU 13 -> 16.x] xinetd is running after upgrade, blocking swift_rsync container
1969411 - [RFE]: allow for the deployment of RHCS dashboard on any composable network
1975271 - Minor update does not restart ha resource when it is in failed stated
1976055 - Configuration of Memcached TLS requires the user to duplicate configuration entries
1978228 - [OSP13->OSP16.2] Leapp upgrade failed with TLSEverywhere
1980542 - [16.2] LC_CTYPE: cannot change locale (C.UTF-8) during OC upgrade 13 to 16.2 seems to fail upgrade
1983748 - NeutronL3AgentAvailabilityZone does not set specified value for Availability zone of Neutron L3 agent
1984555 - [RHOSP16.2] Smart plugin doesn't work for CAP_SYS_RAWIO capability missing.
1984875 - [OSP13->16.2] the leapp persistentnetnamesdisable actor should be removed so that a reboot can be avoided
1992506 - [RHOSP16.2] dpdk ovs vhost postcopy requires to start ovs with --mlockall=no
1999324 - NovaLiveMigrationPermitAutoConverge should default to true to match NovaLiveMigrationPermitPostCopy
1999725 - [RFE] Allow for the deployment of Ganesha on the overcloud "external" network
2000582 - ceph ssl radosgw port is closed for tempest (undercloud node)
2002346 - [OSP-16.2] [Upgrades][TripleO] Revert of the TSX change in tripleoclient
2003176 - [OSP16.2] ovn-dbs pacemaker update_tasks can race with pacemaker update_tasks
2005086 - Unable to disable gateway validation on deployment
2005680 - Cinder __DEFAULT__ volume type is installed but *tripleo* volume type is the real default
2008418 - Stack reconfiguration failed because ha-proxy container crashed during reconfiguration
2009422 - Deployment failing due to "Create /etc/openstack directory if it does not exist" task
2010114 - Openstack ceilometer archival policy is not taking effect
2010703 - rhosp-release package is removed during upgrade from all nodes
2010940 - ceph-nfs not coming up after the FFU
2013913 - Minion should be configured with same default tuning as Undercloud for atleast heat & ironic
2014758 - There's a typo in MySQLInodbBufferPoolSize as it should be MySQLInnodbBufferPoolSize
2021575 - [16.2] openstack overcloud upgrade run times out / HAProxy container fails to start
2022234 - Parameter 'ValidateGatewaysIcmp:false' is not working in OSP16.2
2022691 - [OSP16.2] qemu logs are not accessible on the host
2026290 - Some log files are not collected/relayed by rsyslog to remote log server
2027787 - Undercloud upgrade to 16.2 fails because of missing dependencies of swtpm
2030409 - [OSP16.2] Memcached if off for Heat, Keystone and Nova since caching backend is dogpile.cache.null
2031110 - Long t-h-t role name causes OVNMacAddressPort tag to exceed the neutron tag length limit
2032010 - [OSP16.2.0] neutron-dhcp-agent causes oom issues on controllers
2034189 - Validation if NTP/Chrony is configured during at initial stage of deployment procedure
2034730 - Horizon log not collected/relayed by rsyslog to remote log server
2035793 - CVE-2021-4180 openstack-tripleo-heat-templates: data leak of internal URL through keystone_authtoken
2037940 - [OVN] Enable ovn-monitor-all to help with OVN scale
2038897 - [RHOSP16.2] [DCN] [STF] metrics_qdr containers failed to start with bind address error
2046185 - From time to time memcached stops processing requests and brings down OpenStack control plane
2046211 - [OSP13->OSP16.2] Leapp actors directory change impacting in the upgrade
2050154 - [update] 16.1->16.2 experience a connectivity cut (ping loss) to FIP during update of the controllers.

6. Package List:

Red Hat OpenStack Platform 16.2:

Source:
openstack-tripleo-heat-templates-11.6.1-2.20220116004912.el8ost.src.rpm

noarch:
openstack-tripleo-heat-templates-11.6.1-2.20220116004912.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
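Whether a host is still exposed to CVE-2021-4180 comes down to whether its installed openstack-tripleo-heat-templates build is at or above the fixed build named in the package list above. The Python script below is an added example, not Red Hat's code or tooling: it re-implements RPM's version ordering (the rpmvercmp rules, including the "~" pre-release and "^" post-release separators) so that name-version-release strings are compared the way rpm compares them rather than as plain text, then checks a small inventory against the fixed build. The host names and the two older build strings in the sample inventory are constructed; on a real host the installed value comes from rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' openstack-tripleo-heat-templates.

```python
"""Check installed openstack-tripleo-heat-templates builds against the fixed
build from RHSA-2022:0995 using rpm's own version ordering.
Added example; a Python re-implementation of rpmvercmp, not Red Hat tooling."""

# Fixed build taken from the advisory's Package List (arch and .rpm dropped).
FIXED_NEVR = "openstack-tripleo-heat-templates-11.6.1-2.20220116004912.el8ost"


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings the way rpm does; returns -1/0/1.
    Segments are split at alpha/digit boundaries, numeric segments compare
    numerically (leading zeros ignored), '~' sorts before anything else, and
    '^' sorts after the bare base version but before any longer version."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Separators other than '~' and '^' carry no ordering information.
        while i < la and not a[i].isalnum() and a[i] not in "~^":
            i += 1
        while j < lb and not b[j].isalnum() and b[j] not in "~^":
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":          # pre-release marker sorts lowest
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # post-release snapshot marker
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):                 # one side exhausted
            break
        ia, jb = i, j
        isnum = ca.isdigit()
        if isnum:
            while ia < la and a[ia].isdigit():
                ia += 1
            while jb < lb and b[jb].isdigit():
                jb += 1
        else:
            while ia < la and a[ia].isalpha():
                ia += 1
            while jb < lb and b[jb].isalpha():
                jb += 1
        seg_a, seg_b = a[i:ia], b[j:jb]
        if not seg_b:                       # segment types differ: numeric wins
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # longer number is larger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ia, jb
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def nevr_from_filename(rpm_filename: str) -> str:
    """'pkg-1.0-2.el8.noarch.rpm' -> 'pkg-1.0-2.el8' (drop '.rpm' and the arch)."""
    if not rpm_filename.endswith(".rpm"):
        raise ValueError(f"expected an .rpm file name, got {rpm_filename!r}")
    return rpm_filename[:-4].rsplit(".", 1)[0]


def parse_nevr(nevr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    try:
        name, version, release = nevr.rsplit("-", 2)
    except ValueError:
        raise ValueError(f"not a name-version-release string: {nevr!r}") from None
    epoch = 0
    if ":" in version:                      # rpm prints 'name-E:V-R' when EPOCH is set
        epoch_s, version = version.split(":", 1)
        epoch = int(epoch_s)
    return name, epoch, version, release


def compare_nevr(a: str, b: str) -> int:
    """Compare two builds of the same package: epoch, then version, then release."""
    na, ea, va, ra = parse_nevr(a)
    nb, eb, vb, rb = parse_nevr(b)
    if na != nb:
        raise ValueError(f"package names differ: {na} vs {nb}")
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_nevr: str, fixed_nevr: str = FIXED_NEVR) -> bool:
    """True when the installed build is the fixed build or newer."""
    return compare_nevr(installed_nevr, fixed_nevr) >= 0


# Constructed sample inventory (host -> installed build); the two older
# build strings are made up for the example and are not real Red Hat builds.
SAMPLE_INVENTORY = {
    "undercloud-0": "openstack-tripleo-heat-templates-11.6.1-2.20220116004912.el8ost",
    "undercloud-1": "openstack-tripleo-heat-templates-11.6.1-1.20211013000000.el8ost",
    "undercloud-2": "openstack-tripleo-heat-templates-11.5.0-2.20210901000000.el8ost",
}


def check_inventory(inventory: dict, fixed_nevr: str = FIXED_NEVR) -> dict:
    """Map host -> True when the installed build still needs this advisory."""
    return {host: not is_fixed(nevr, fixed_nevr) for host, nevr in inventory.items()}


if __name__ == "__main__":
    for host, needs_update in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'UPDATE NEEDED' if needs_update else 'ok'}")
```

The point of carrying the full rpmvercmp logic is that plain string comparison gets common cases wrong (1.10 sorts below 1.9 as text, and a ~rc build sorts above its final release); the script only reports, it does not apply anything, and the release strings it flags are the ones to feed into the update procedure referenced in the Solution section.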

7. References:

https://access.redhat.com/security/cve/CVE-2021-4180
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
