-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat OpenStack 16.1.9 (openstack-tripleo-heat-templates) security update Advisory ID: RHSA-2022:8796-01 Product: Red Hat OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2022:8796 Issue date: 2022-12-07 CVE Names: CVE-2021-4180 ===================================================================== 1. Summary: An update for openstack-tripleo-heat-templates is now available for Red Hat OpenStack Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenStack Platform 16.1 - noarch 3. Description: Heat templates for TripleO Security Fix(es): * data leak of internal URL through keystone_authtoken (CVE-2021-4180) Other fixes: * Before this update, NTP validation did not occur during deployments. Some users reported issues with cloud authentication failing with invalid tokens due to time not being synchronized between nodes. With this update, NTP synchronization validation during deployment has been re-enabled. Hosts must be able to connect to the defined NTP server list. If you previously performed a deployment with invalid or unreachable NTP servers, after update, the deployment might fail when NTP is validated. Ensure that you have valid and reachable NTP servers before updating. (BZ#2034095) * With this update, director supports specifying overrides for NVSv4 ID mapping when using a CephFS-NFS back end with the Shared File Systems service (manila). Ceph-NFS with the Shared File Systems service only allows client access through NFSv4.1+. With NFSv4.1, usernames and group names are sent over the wire and translated by both the server and the client. Deployers might want to customize their domain settings to better represent organization users who can access Shared File Systems service shares from multiple clients. Director supports customizing NFS ID mapping settings through these parameters: - - ManilaCephFSNFSIdmapOverrides: Allows specifying configuration objects for override with the default idmapd.conf file used by the NFS service - - ManilaCephFSNFSIdmapConf: Allows specifying a custom idmapd.conf file for the NFS service (BZ#1917356) * Before this update, the ceilometer-agent-compute container could not read the /var/run/libvirt directory because of an improper volume mount to /var/run/libvirt in the ceilometer-agent-compute container, resulting in the inability to poll for CPU metrics on Compute nodes. With this update, the appropriate global permissions have been applied to the /var/run/libvirt directory, and you can poll for CPU telemetry with the ceilometer-agent-compute container on the Compute nodes. CPU telemetry data is available through the Compute service (nova). (BZ#2103971) * Before this update, the libvirt service started after the ceilometer-agent-compute service and the ceilometer-agent-compute service did not communicate with libvirt, resulting in missing libvirt metrics. With this update, the ceilometer-agent-compute service starts after the libvirt service and can poll libvirt metrics without "Permission denied" errors. (BZ#2130078) * Before this update, a Telemetry service (ceilometer) user had insufficient privileges to poll objects from the Object Storage service (swift). The Object Storage service client did not allow the Telemetry service user to fetch object details. With this update, the Telemetry service user is associated with the ResellerAdmin role. + Execute the following command to workaround this issue manually: + - ---- $ openstack role add --user ceilometer --project service ResellerAdmin - ---- + The associated Telemetry service user can poll Object Storage service object metrics successfully. (BZ#2130849) * Before this update, systemd stopped the Load-balancing services (octavia) during shutdown, leaving resources in the PENDING_UPDATE status. With this update, the graceful shutdown duration of the Load-balancing services is increased, preventing the services from being stopped by systemd. (BZ#2063031) * In Red Hat OpenStack Platform (RHOSP) 16.1.9, the collectd processes plugin is removed from the default list of plugins. Loading the plugin can cause flooding issues and does not provide value when running in a containerized environment because it only recognizes the collectd and sensubility processes rather than the expected system processes. Bug fixes and support will be provided through the end of the 16.1.9 lifecycle but no new feature enhancements will be made. (BZ#2101949) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1851467 - [OVN] Do not send geneve UDP traffic to conntrack for performance reasons 1910115 - OVNCMSOptions are not set correctly on controller nodes if OVN without DVR is deployed with minimum extra env files 1917356 - [RHOSP 16.1] manila with cephfs using nfs doesn't honor Squash = None provided in the ganesha export template during share creation 1936278 - Sensitive amphora values exposed in ansible.log during stack update. 2032295 - [RHOSP 16.1] [ipv6 undercloud] undercloud update fails when you have ipv6 undercloud with enable_routed_networks=false in undercloud.conf; during stack update router interface port is tried to be re-created with the same ip 2032518 - Bonding Rendered Templates have incorrect indentation 2034095 - Deployment fails while authenticating for nova and glance during TASK [tripleo-keystone-resources : Check Keystone public endpoint status] 2035793 - CVE-2021-4180 openstack-tripleo-heat-templates: data leak of internal URL through keystone_authtoken 2036195 - Provide mechanism to tune the sysctl param fs.aio-max-nr on the host 2039412 - after minor update to 16.1.7, libvirtd is enabled on the controllers 2049452 - Killing dhcp sidecar container fails 2061845 - [RHOS 16.1] Fix InternalApi subnet for ControllerNovaStandalone role 2062764 - [RHOSP 16.1] ceilometer-ipmi-agent logs to /var/log/ceilometer inside the container 2063031 - Octavia services might be killed by systemd on update 2064383 - FFU OSP13->16.1 leapp fails with: Detected loaded kernel drivers which have been removed in RHEL 8 2065736 - RHOSP13-16.1 FFU - Use state file for workaround 1925078 2066852 - Overcloud deployment fails with error as 'overcloud_endpoint.pem' not found. 2069755 - [16.1] [Regression] Nova instance QEMU logs are not created under /var/log/libvirt/qemu/ 2073607 - Certificate DN is not expanding in the Octavia tenant flow logs 2100907 - Octavia fails when enabling TLS-e in existing setup 2101949 - [RHOSP 16.1] Remove processes plugin from list of default plugins for collectd deployments 2103971 - [RHOSP 16.1] Ceilometer can't read /run/libvirt resulting in no 'cpu' metrics 2109931 - Too frequent async task polling causes delay in timeout detection 2129031 - [RHOSP16.1.8] DHCP agent container is not removed after network deletion 2129882 - [OVN][16.1] VM status spawning and ERROR on CI jenkins job 2130078 - [RHOSP 16.1] Ceilometer-agent-compute could be started on compute nodes before libvirt which will cause ceilometer to fail to collect virt mertrics 2130140 - [13->16.1] Undercloud upgrade fails on nova_db_sync_stein 2130849 - [RHOSP 16.1] swiftclient forbids ceilometer from polling swift objects 2131961 - Overcloud container images not updated during minor update 2136171 - Predictable IP Deploy fails Storage Port cidr is incorrect 2136393 - overcloud update failed with error {"msg": "Failed to get information on remote file (/var/lib/mistral/overcloud/octavia-ansible/group_vars/octavia_vars.yaml): Permission denied"} 2141835 - [RHOSP16.1] DerivePciWhitelistEnabled Is Not Defined 6. Package List: Red Hat OpenStack Platform 16.1: Source: openstack-tripleo-heat-templates-11.3.2-1.20221013153262.el8ost.src.rpm noarch: openstack-tripleo-heat-templates-11.3.2-1.20221013153262.el8ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-4180 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBY5FphNzjgjWX9erEAQipSA/+OVCRPwVATGYE1VxmQWCkXtB4thYPtkxd WQ0vnNrepSAauvrQMo4YZwOHYF+5gyxZ5w9rEShY8l3YhcinhO8EDXVn8f61DsRA WBIE7i/bMOK1LZ0heYXZT8R1G2I+uldoB8D+vLSzINRfi0hibEkZGXOULlK85Avx PFzeO4887LYcJfrppf6WwdQ3lyma/8GWTQctnzEmyFXvIf6MKM5dTby75x6Yo2uC XC4pCcwPpdHvZT5BINBIvYenqNNgHh2S4Mk+ilyaslm51ZTa/PIpKyk9GD3R3JD6 lQIN3nHhZkrPw3AhchtOicrbi8C1djrvAOnc9DMCVD10vP5pPUzUs8VeyADext0g URx93mF24MH36ao89vTZPkinSnG5Y7DxhG1vn+49NtclXRiGUQo/XQ0eF+uvfEZM +Bpw3LKuxz/og5GJA2N4hu/UOl6G0xdeknzjEWne/DmTBDNHwho1Q8jDKPFlwTHO /ubCOT6HtdQM/tug2PHyfdf/73CsvCOcmhxByXm7TnwfLM9Dv87cp/Pb2Oqm0Pzp rE7W44uvkkuq507YPyRtZKEdGO973AY2sXtnfZMh/Y38oCPgvS0Fd9XixSifCn6/ ZxN6QsExd5Oi9pAMjmy/tlUEe294GcD6fOrtcoNtrbCW1Wg4XKL4T+dz2ky8um1j hy8gAdxaruw= =ZoRF -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce