RedHat: RHSA-2022-5673:01 Important: Release of containers for OSP ...

Advisories

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Release of containers for OSP 16.2.z director operator tech preview
Advisory ID:       RHSA-2022:5673-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5673
Issue date:        2022-07-20
CVE Names:         CVE-2021-3634 CVE-2021-3737 CVE-2021-4189 
                   CVE-2021-40528 CVE-2021-41103 CVE-2021-43565 
                   CVE-2022-1271 CVE-2022-1621 CVE-2022-1629 
                   CVE-2022-22576 CVE-2022-25313 CVE-2022-25314 
                   CVE-2022-26945 CVE-2022-27774 CVE-2022-27776 
                   CVE-2022-27782 CVE-2022-29824 CVE-2022-30321 
                   CVE-2022-30322 CVE-2022-30323 
=====================================================================

1. Summary:

Red Hat OpenStack Platform 16.2 (Train) director operator containers, with
several Important security fixes, are available for technology preview.

2. Description:

Release osp-director-operator images

Security Fix(es):

* go-getter: unsafe download (issue 1 of 3) [Important] (CVE-2022-30321)
* go-getter: unsafe download (issue 2 of 3) [Important] (CVE-2022-30322)
* go-getter: unsafe download (issue 3 of 3) [Important] (CVE-2022-30323)
* go-getter: command injection vulnerability [Important] (CVE-2022-26945)
* golang.org/x/crypto: empty plaintext packet causes panic [Moderate]
(CVE-2021-43565)
* containerd: insufficiently restricted permissions on container root and
plugin directories [Moderate] (CVE-2021-41103)

3. Solution:

OSP 16.2 Release - OSP Director Operator Containers tech preview

4. Bugs fixed (https://bugzilla.redhat.com/):

2011007 - CVE-2021-41103 containerd: insufficiently restricted permissions on container root and plugin directories
2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
2092918 - CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)
2092923 - CVE-2022-30322 go-getter: unsafe download (issue 2 of 3)
2092925 - CVE-2022-30323 go-getter: unsafe download (issue 3 of 3)
2092928 - CVE-2022-26945 go-getter: command injection vulnerability

5. References:

https://access.redhat.com/security/cve/CVE-2021-3634
https://access.redhat.com/security/cve/CVE-2021-3737
https://access.redhat.com/security/cve/CVE-2021-4189
https://access.redhat.com/security/cve/CVE-2021-40528
https://access.redhat.com/security/cve/CVE-2021-41103
https://access.redhat.com/security/cve/CVE-2021-43565
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-1621
https://access.redhat.com/security/cve/CVE-2022-1629
https://access.redhat.com/security/cve/CVE-2022-22576
https://access.redhat.com/security/cve/CVE-2022-25313
https://access.redhat.com/security/cve/CVE-2022-25314
https://access.redhat.com/security/cve/CVE-2022-26945
https://access.redhat.com/security/cve/CVE-2022-27774
https://access.redhat.com/security/cve/CVE-2022-27776
https://access.redhat.com/security/cve/CVE-2022-27782
https://access.redhat.com/security/cve/CVE-2022-29824
https://access.redhat.com/security/cve/CVE-2022-30321
https://access.redhat.com/security/cve/CVE-2022-30322
https://access.redhat.com/security/cve/CVE-2022-30323
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/errata/RHSA-2022:4991
https://access.redhat.com/containers

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYtg1odzjgjWX9erEAQgLKhAAmNPdMhNGBxVdTDymf3EpM8xQcr25XWOR
wfdum3Q4/Ji9/IQJ1NCv/5IsphsHgDaKlo9pY9BPzgeT4z90ga+5ldcXgqC9dk74
KVBUURmWxfbkg57E5dWHkMb9fxyRIpo0NiFlwLx5ynjIjO/WwWwFzz4YIiktDy1H
AgGz1oZnX+hdZ+BpH2Ltx70cCyqvHgA+aOFXGHZNl8qQXQEjtCBN957XEo4c1hgp
6HBmK3GkcaL2Ml32/EM+2j4BLyz4hUK9Xfe171le0RcjkIND9BNzx2055dXov9uY
eN52pn7pL8BvWU37b39wZx4EEyluYfnnlLaM9I+Y0t0NFhtA2H5Xk/hei1W3tzkP
FdSR6gYIB1wwkBKu/qus4RqrtDEhYHOYXqIziEE+G0nF0ht1As7kLq7U05n7spOu
9mKht4iXLj17lzPHAXM5N9HF0/v3WuVNQf1DXOzb29BUF14fGFzXCWp/nIG+PpEt
efmBklT4DAgLaibGwKyLZ7YOcfl/mQoQDCs3uPqpqeXf799cTtJFmC520ox/eaFx
OFQ1ZNpDI/FKi1919hl2Ox5V7OxOZRIs/MPsLJ+HBtr9CmGMV2/rezeTEu+cD7Ts
SFDt82MQeqSJuxjpa04odqcU6NZbccoF3c7sxn49Vvk6AAn6umXgJCR/Pnp9QPZT
/jnfjsj7xYM=
=+5tE
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-5673:01 Important: Release of containers for OSP 16.2.z

Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview

Summary

Release osp-director-operator images
Security Fix(es):
* go-getter: unsafe download (issue 1 of 3) [Important] (CVE-2022-30321) * go-getter: unsafe download (issue 2 of 3) [Important] (CVE-2022-30322) * go-getter: unsafe download (issue 3 of 3) [Important] (CVE-2022-30323) * go-getter: command injection vulnerability [Important] (CVE-2022-26945) * golang.org/x/crypto: empty plaintext packet causes panic [Moderate] (CVE-2021-43565) * containerd: insufficiently restricted permissions on container root and plugin directories [Moderate] (CVE-2021-41103)

Solution

OSP 16.2 Release - OSP Director Operator Containers tech preview

References

https://access.redhat.com/security/cve/CVE-2021-3634 https://access.redhat.com/security/cve/CVE-2021-3737 https://access.redhat.com/security/cve/CVE-2021-4189 https://access.redhat.com/security/cve/CVE-2021-40528 https://access.redhat.com/security/cve/CVE-2021-41103 https://access.redhat.com/security/cve/CVE-2021-43565 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/cve/CVE-2022-1621 https://access.redhat.com/security/cve/CVE-2022-1629 https://access.redhat.com/security/cve/CVE-2022-22576 https://access.redhat.com/security/cve/CVE-2022-25313 https://access.redhat.com/security/cve/CVE-2022-25314 https://access.redhat.com/security/cve/CVE-2022-26945 https://access.redhat.com/security/cve/CVE-2022-27774 https://access.redhat.com/security/cve/CVE-2022-27776 https://access.redhat.com/security/cve/CVE-2022-27782 https://access.redhat.com/security/cve/CVE-2022-29824 https://access.redhat.com/security/cve/CVE-2022-30321 https://access.redhat.com/security/cve/CVE-2022-30322 https://access.redhat.com/security/cve/CVE-2022-30323 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/errata/RHSA-2022:4991 https://access.redhat.com/containers

Package List

Severity
Advisory ID: RHSA-2022:5673-01
Product: Red Hat OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2022:5673
Issued Date: : 2022-07-20
CVE Names: CVE-2021-3634 CVE-2021-3737 CVE-2021-4189 CVE-2021-40528 CVE-2021-41103 CVE-2021-43565 CVE-2022-1271 CVE-2022-1621 CVE-2022-1629 CVE-2022-22576 CVE-2022-25313 CVE-2022-25314 CVE-2022-26945 CVE-2022-27774 CVE-2022-27776 CVE-2022-27782 CVE-2022-29824 CVE-2022-30321 CVE-2022-30322 CVE-2022-30323

Topic

Red Hat OpenStack Platform 16.2 (Train) director operator containers, withseveral Important security fixes, are available for technology preview.

Relevant Releases Architectures

Bugs Fixed

2011007 - CVE-2021-41103 containerd: insufficiently restricted permissions on container root and plugin directories

2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic

2092918 - CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)

2092923 - CVE-2022-30322 go-getter: unsafe download (issue 2 of 3)

2092925 - CVE-2022-30323 go-getter: unsafe download (issue 3 of 3)

2092928 - CVE-2022-26945 go-getter: command injection vulnerability

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.