RedHat: RHSA-2022-0995:01 Moderate: Red Hat OpenStack Platform 16.2
Summary
Heat templates for TripleO
Security Fix(es):
* Data leak of internal URL through keystone_authtoken (CVE-2021-4180)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2021-4180
https://access.redhat.com/security/updates/classification/#moderate
Package List
Red Hat OpenStack Platform 16.2:
Source:
openstack-tripleo-heat-templates-11.6.1-2.20220116004912.el8ost.src.rpm
noarch:
openstack-tripleo-heat-templates-11.6.1-2.20220116004912.el8ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
An update for openstack-tripleo-heat-templates is now available for Red Hat
OpenStack Platform 16.2 (Train).
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Relevant Releases/Architectures
Red Hat OpenStack Platform 16.2 - noarch
Bugs Fixed
1855678 - Configure Ceph Messenger for encryption OTW
1869587 - Octavia and LB issues after OSP13z11 and OSP16.x upgrade
1886762 - [RFE] support NFS mount at the conversion directory
1921112 - [OSP13->OSP16.2] nova-consoleauth still present in cli after upgrade.
1949673 - [RHOSP16.2] [rsyslog] Miss configuration generated in 50_openstack_logs.conf
1949675 - [RHOSP16.2] [rsyslog] rsyslog containers does not forward logs to elasticsearch
1955562 - Backup and Restore: Backup openstack client integration - openstack backup using bad nfs server address is not erroring out
1962304 - cinder volume at DCN unable to read central cephx keyring
1965233 - [FFU 13 -> 16.x] xinetd is running after upgrade, blocking swift_rsync container
1969411 - [RFE]: allow for the deployment of RHCS dashboard on any composable network
1975271 - Minor update does not restart ha resource when it is in failed stated
1976055 - Configuration of Memcached TLS requires the user to duplicate configuration entries
1978228 - [OSP13->OSP16.2] Leapp upgrade failed with TLSEverywhere
1980542 - [16.2] LC_CTYPE: cannot change locale (C.UTF-8) during OC upgrade 13 to 16.2 seems to fail upgrade
1983748 - NeutronL3AgentAvailabilityZone does not set specified value for Availability zone of Neutron L3 agent
1984555 - [RHOSP16.2] Smart plugin doesn't work for CAP_SYS_RAWIO capability missing.
1984875 - [OSP13->16.2] the leapp persistentnetnamesdisable actor should be removed so that a reboot can be avoided
1992506 - [RHOSP16.2] dpdk ovs vhost postcopy requires to start ovs with --mlockall=no
1999324 - NovaLiveMigrationPermitAutoConverge should default to true to match NovaLiveMigrationPermitPostCopy
1999725 - [RFE] Allow for the deployment of Ganesha on the overcloud "external" network
2000582 - ceph ssl radosgw port is closed for tempest (undercloud node)
2002346 - [OSP-16.2] [Upgrades][TripleO] Revert of the TSX change in tripleoclient
2003176 - [OSP16.2] ovn-dbs pacemaker update_tasks can race with pacemaker update_tasks
2005086 - Unable to disable gateway validation on deployment
2005680 - Cinder __DEFAULT__ volume type is installed but *tripleo* volume type is the real default
2008418 - Stack reconfiguration failed because ha-proxy container crashed during reconfiguration
2009422 - Deployment failing due to "Create /etc/openstack directory if it does not exist" task
2010114 - Openstack ceilometer archival policy is not taking effect
2010703 - rhosp-release package is removed during upgrade from all nodes
2010940 - ceph-nfs not coming up after the FFU
2013913 - Minion should be configured with same default tuning as Undercloud for atleast heat & ironic
2014758 - There's a typo in MySQLInodbBufferPoolSize as it should be MySQLInnodbBufferPoolSize
2021575 - [16.2] openstack overcloud upgrade run times out / HAProxy container fails to start
2022234 - Parameter 'ValidateGatewaysIcmp:false' is not working in OSP16.2
2022691 - [OSP16.2] qemu logs are not accessible on the host
2026290 - Some log files are not collected/relayed by rsyslog to remote log server
2027787 - Undercloud upgrade to 16.2 fails because of missing dependencies of swtpm
2030409 - [OSP16.2] Memcached if off for Heat, Keystone and Nova since caching backend is dogpile.cache.null
2031110 - Long t-h-t role name causes OVNMacAddressPort tag to exceed the neutron tag length limit
2032010 - [OSP16.2.0] neutron-dhcp-agent causes oom issues on controllers
2034189 - Validation if NTP/Chrony is configured during at initial stage of deployment procedure
2034730 - Horizon log not collected/relayed by rsyslog to remote log server
2035793 - CVE-2021-4180 openstack-tripleo-heat-templates: data leak of internal URL through keystone_authtoken
2037940 - [OVN] Enable ovn-monitor-all to help with OVN scale
2038897 - [RHOSP16.2] [DCN] [STF] metrics_qdr containers failed to start with bind address error
2046185 - From time to time memcached stops processing requests and brings down OpenStack control plane
2046211 - [OSP13->OSP16.2] Leapp actors directory change impacting in the upgrade
2050154 - [update] 16.1->16.2 experience a connectivity cut (ping loss) to FIP during update of the controllers.