=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform 12.0 director security and bug fix update
Advisory ID:       RHSA-2018:2331-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2331
Issue date:        2018-08-20
CVE Names:         CVE-2018-1000115
=====================================================================

1. Summary:

An update for memcached is now available for Red Hat OpenStack Platform 12.0 (Pike).

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 12.0 - noarch

3. Description:

memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.

Security fix(es):

* memcached: UDP server support allows spoofed traffic amplification DoS (CVE-2018-1000115)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

For more information about the bug fixes and enhancements included with this update, see the "Technical Notes" section of the Release Notes linked in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1470033 - OSP11 -> OSP12 upgrade: docker services are missing preupgrade validation tasks in the upgrade tasks
1477663 - OSP11 -> OSP12 upgrade: after undercloud upgrade ironic-inspector logs repeated [Errno 32] Broken pipe errors in /var/log/messages
1488058 - Fix multiple issues related to DPDK derive parameters
1502860 - rhosp-director: difficult to map certain containers to their logs.
1504052 - Exception should be handled when resources are mapped to non-existent paths in the templates
1506038 - openstack-ironic: errors: Only 14 nodes are exposed to Nova of 15 requests.
1508867 - NovaMigrationTarget service is missing at ComputeOvsDpdk.yaml
1511988 - Call destroy-patch-ports from neutron-openvswitch-agent container
1513497 - FQDN hieradata is hardcoded.
1513502 - TLS everywhere fails with keystone admin API in the external network
1518605 - Hard-coded bootstrap node means replacing overcloud-controller-0 is not possible
1518662 - OSP11 -> OSP12 upgrade: pre-upgrade validations are preventing a re-run of the upgrade-non-controller.sh script to upgrade a compute node after a failed attempt
1520453 - OPS Tools | Centralized Logging | nova-conductor.log is not being tailed by fluentd because of mistake in nova-conductor.yaml file.
1527205 - ansible memory utilization
1528632 - stack update operation fails in rabbitmq config generation
1533204 - Upgrade from OSP11->OSP12 fails - ocf-exit-reason:Could not determine galera name from pacemaker node
1533271 - Running the mistral workflow to rotate Fernet decryption keys in the overcloud Fails
1533511 - gnocchi-upgrade doesnt get triggered from O->P upgrade causing ceilo-upgrade to fail
1534442 - ComputeExtraConfig is not applied. Is really NovaComputeExtraConfig deprecated ?
1537606 - TripleO doesn't install the trunk service plugin when deployed with OVN
1539961 - RabbitMQ user name not set in Neutron transport_url
1547146 - RFE: VNX tripleo support backport to pike
1547539 - [UPDATES] Failed to setup heat-output with custom stack name
1549139 - Stack update is not working when using derived parameters.
1550934 - Openstack 12 - Missing mount in the keystone container
1551182 - CVE-2018-1000115 memcached: UDP server support allows spoofed traffic amplification DoS
1552759 - Deployment fails with HCI enabled and SchedulerHints
1556720 - [OSP12] gnocchi-upgrade fails with InternalError: (1050, u"Table 'archive_policy' already exists")
1557328 - Security hardened image doesn't have enough space for /var partition
1558679 - Introspection of Diskless servers (iSCSI Booted)
1559151 - OSP11 -> OSP12 upgrade: after rebooting controller nodes post upgrade at boot time interfaces set under ovs bridges have no network connectivity
1559920 - gnocchi_api and gnocchi_metricd don't bind host's /var/lib/gnocchi directory
1560937 - [UPDATE] automation fails on controller update, but update actually pass successfully
1562148 - Overcloud deployment RHOS12 failed, 404 Client Error: Not Found for url: u'swift_rings_container': u'overcloud-swift-rings
1570147 - panko events are kept in DB forever, panko-expirer utility inclusion
1571435 - "subscription-manager list" shows Ceph OSD after updating overcloud compute nodes
1571646 - Update HostnameFormatDefault files to match overcloud-compute-%index%
1571744 - [RFE][Deployment] add ability to configure extra CPU flags for named CPU models
1572353 - FedRAMP requires cloud providers to use TLS v1.1 as a minimum
1572667 - don't restart openvswitch if --no-activate is specified (OSP-12)
1573583 - OSP12 Deployment with TLS everywhere fails - Could not evaluate: The certificate * wasn't found in the list.
1573791 - [OSP12] live-migration uses port range from ephemeral port range
1573808 - The inability to enable LbaaS in horizon
1576751 - live migration broken when live_migration_inbound_addr is set and transport = ssh
1579023 - Director deployment of keystone integration with LDAP broken
1582597 - Non-descriptive failure logs during RHOS-12->RHOS-13 upgrade
1582645 - Rebase puppet-ceilometer to f2f2d2b
1583792 - Rebase puppet-cinder to 01d3e0e
1583858 - Rebase puppet-glance to 03bd9b8
1584279 - Rebase puppet-heat to dab3e55
1584374 - Rebase puppet-ironic to fc61157
1584396 - Rebase puppet-ceph to 401605a
1584403 - Rebase puppet-manila to eef0b53
1584404 - Rebase puppet-mistral to 728f96a
1584411 - Rebase puppet-neutron to 7415256
1584416 - Rebase puppet-panko to eefeaff
1584417 - Rebase puppet-keystone to 4de23ac
1584754 - Rebase puppet-trove to efcd4b3
1585189 - OSP12: Overcloud deployment fails when using capital letters in customized stack name ( --stack TEST-STACK34 ).
1585362 - NetApp Cinder back end does not deploy in RHOSP12 (Pike)
1586155 - [mixed versions] compat installation overcloud deployment failed WorkflowTasks_Step2_Execution
1589951 - Incorrect setting in Cinder's db purge cron job
1590030 - Rebase openstack-tripleo-puppet-elements to 7.0.7
1590031 - Rebase os-net-config to 7.3.6
1590033 - Rebase openstack-tripleo-image-elements to 7.0.5
1590368 - [osp12] Deployment fails in step 1 with "not a directory" when mounting "/etc/ssh/ssh_known_hosts" in scale deplyoments
1590586 - Rebase instack-undercloud to 7.4.12
1590607 - Rebase puppet-tripleo to b885b06
1590612 - Rebase python-tripleoclient to 7.3.10
1590613 - Rebase puppet-nova to 40eb56c
1590953 - CinderNetappNfsMountOptions missing from puppet manifest
1591782 - [osp12] os-collect-config service running on the undercloud causes overcloud deployment failures
1592418 - Rebase puppet-aodh to 77b54fc
1592963 - Rebase openstack-tripleo-heat-templates to 90cd669
1592967 - Rebase openstack-tripleo-common to 7.6.13
1596760 - [Deployment] Live migrations failing when domain is incorrect
1597313 - [UPGRADES][12]Failed to host-evacuate-live VM from non-containerized to containerized compute
1597972 - OSP12: With OvS2.9, hugetlbfs group should be used instead workarounds for DPDK
1599410 - [OSP12] Upgrade converge failed: cinder-manage db sync returned 1 instead of one of
1599883 - Deployment fails during Gnocchi db_sync due to timing issue
1600038 - [UPDATE] update fails with error "The Resource Type (OS::TripleO::Services::ManilaBackendGeneric) could not be found"
1601348 - Running "openstack overcloud upgrade run --roles Controller --skip-tags validation" fails
1607143 - [UPDATE] Compute and Controller update exit with error code while executing step 5
1608450 - TLS everywhere deployment fails - missing TLS bits in T-H-T

6. Package List:

Red Hat OpenStack Platform 12.0:

Source:
instack-undercloud-7.4.12-1.el7ost.src.rpm
openstack-tripleo-common-7.6.13-3.el7ost.src.rpm
openstack-tripleo-heat-templates-7.0.12-8.el7ost.src.rpm
openstack-tripleo-image-elements-7.0.5-1.el7ost.src.rpm
openstack-tripleo-puppet-elements-7.0.7-1.el7ost.src.rpm
os-net-config-7.3.6-1.el7ost.src.rpm
puppet-aodh-11.4.0-2.el7ost.src.rpm
puppet-ceilometer-11.5.0-2.el7ost.src.rpm
puppet-ceph-2.4.2-2.el7ost.src.rpm
puppet-cinder-11.5.0-4.el7ost.src.rpm
puppet-glance-11.5.0-2.el7ost.src.rpm
puppet-heat-11.5.0-2.el7ost.src.rpm
puppet-ironic-11.5.0-2.el7ost.src.rpm
puppet-keystone-11.4.0-2.el7ost.src.rpm
puppet-manila-11.4.0-4.el7ost.src.rpm
puppet-mistral-11.4.0-2.el7ost.src.rpm
puppet-neutron-11.5.0-2.el7ost.src.rpm
puppet-nova-11.5.0-4.el7ost.src.rpm
puppet-panko-11.5.0-2.el7ost.src.rpm
puppet-tripleo-7.4.12-8.el7ost.src.rpm
puppet-trove-11.4.0-2.el7ost.src.rpm
python-novajoin-1.0.17-3.el7ost.src.rpm
python-os-brick-1.15.5-2.el7ost.src.rpm
python-tripleoclient-7.3.10-3.el7ost.src.rpm

noarch:
instack-undercloud-7.4.12-1.el7ost.noarch.rpm
openstack-tripleo-common-7.6.13-3.el7ost.noarch.rpm
openstack-tripleo-common-container-base-7.6.13-3.el7ost.noarch.rpm
openstack-tripleo-common-containers-7.6.13-3.el7ost.noarch.rpm
openstack-tripleo-common-devtools-7.6.13-3.el7ost.noarch.rpm
openstack-tripleo-heat-templates-7.0.12-8.el7ost.noarch.rpm
openstack-tripleo-image-elements-7.0.5-1.el7ost.noarch.rpm
openstack-tripleo-puppet-elements-7.0.7-1.el7ost.noarch.rpm
os-net-config-7.3.6-1.el7ost.noarch.rpm
puppet-aodh-11.4.0-2.el7ost.noarch.rpm
puppet-ceilometer-11.5.0-2.el7ost.noarch.rpm
puppet-ceph-2.4.2-2.el7ost.noarch.rpm
puppet-cinder-11.5.0-4.el7ost.noarch.rpm
puppet-glance-11.5.0-2.el7ost.noarch.rpm
puppet-heat-11.5.0-2.el7ost.noarch.rpm
puppet-ironic-11.5.0-2.el7ost.noarch.rpm
puppet-keystone-11.4.0-2.el7ost.noarch.rpm
puppet-manila-11.4.0-4.el7ost.noarch.rpm
puppet-mistral-11.4.0-2.el7ost.noarch.rpm
puppet-neutron-11.5.0-2.el7ost.noarch.rpm
puppet-nova-11.5.0-4.el7ost.noarch.rpm
puppet-panko-11.5.0-2.el7ost.noarch.rpm
puppet-tripleo-7.4.12-8.el7ost.noarch.rpm
puppet-trove-11.4.0-2.el7ost.noarch.rpm
python-novajoin-1.0.17-3.el7ost.noarch.rpm
python-os-brick-1.15.5-2.el7ost.noarch.rpm
python-tripleoclient-7.3.10-3.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-1000115
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html/release_notes/

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.