====================================================================
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.13.0 CNF vRAN extras security update
Advisory ID:       RHSA-2023:2138-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2138
Issue date:        2023-05-18
CVE Names:         CVE-2020-16251 CVE-2021-43998
====================================================================

1. Summary:

An update for ztp-site-generate-container, topology-aware-lifecycle-manager
and bare-metal-event-relay is now available for Red Hat OpenShift Container
Platform 4.13.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the extra low-latency container images for Red Hat
OpenShift Container Platform 4.13. See the following advisory for the
container images for this release:

https://access.redhat.com/errata/RHSA-2023:1326

All OpenShift Container Platform users are advised to upgrade to these
updated packages and images.

Security Fix(es):

* vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)

* vault: incorrect policy enforcement (CVE-2021-43998)

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2028193 - CVE-2021-43998 vault: incorrect policy enforcement
2167340 - CVE-2020-16251 vault: GCP Auth Method Allows Authentication Bypass

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-10819 - TALM SNO Backup Fails on Managed Cluster Running CoreOS 9.2
OCPBUGS-11890 - TALM keeps spinning with the hub template error when unsupported hub template function is being used in the second policy
OCPBUGS-2336 - dataset_comparison should be G.8275.x in ptpconfig source crs
OCPBUGS-3005 - step_threshold should be changed from 0.0 to 2.0 in ptpconfig source crs
OCPBUGS-3047 - TALM spent 42 minutes precaching when there was no precaching work to be done.
OCPBUGS-3092 - TALM precaching pulls more content than needed
OCPBUGS-3210 - TALM attempting to approve PAO installplan for 4.11 operator upgrade
OCPBUGS-3885 - After CGU timed out it got stuck in a loop and kept adding duplicates to status field
OCPBUGS-3954 - Precaching status missing for temporarily unavailable clusters
OCPBUGS-4197 - CGU pod goes to CrashLoopBackOff when incorrect channel is provided for OCP precaching
OCPBUGS-4200 - Segfault from TALM after CGU timeout
OCPBUGS-4246 - Precaching spec error due to invalid policy combination reported as precaching/backup failures on spokes
OCPBUGS-4329 - Cannot install LVMO through gitops ZTP
OCPBUGS-4406 - ptp configs should match reference configs
OCPBUGS-4704 - TALM - precache does not begin if catalogsource config policy is Compliant
OCPBUGS-4821 - TALM getImageForVersionFromUpdateGraph func making insecure external calls
OCPBUGS-5797 - TALM backup CGU only indicates status of one cluster when two clusters are being backed up
OCPBUGS-6612 - Default backup timeout too short for large scale upgrade
OCPBUGS-6769 - TALM 4.11 pre-cache fails on 4.10 cluster
OCPBUGS-6944 - TALM backup - recovery script fails due to unable to find running container even though it is running
OCPBUGS-7217 - TALM cli state is not correct when cgu is enabled after backup
OCPBUGS-7464 - Unable to deploy 4.11 spoke using ZTP 4.13 due to new spec added to performanceprofile
OCPBUGS-7933 - Image Precaching Fails Due To Missing check_space Script
OCPBUGS-7948 - 4.13 bmer build does not include 4.13 sidecar changes
OCPBUGS-8006 - TALM applies a 5 minute reconciliation loop to monitor cluster readiness and start policy application
OCPBUGS-8032 - TALM Fails to Report Low Disk Space during Image Precaching
OCPBUGS-8414 - BMER - operator upgrade from 4.12 to 4.13 does not work - subs stays at AtLatestKnown and no installplan is created
OCPBUGS-8525 - TALM may miss MCP reconcile after change to PerformanceProfile or operator upgrade
OCPBUGS-9428 - ignition reports warning at $.systemd.units.22.contents, line 1 col 363575: unit "container-mount-namespace.service" is enabled, but has no install section so enable does nothing
OCPBUGS-9943 - Remove duplicated field macAddress from Siteconfigs

6. References:

https://access.redhat.com/security/cve/CVE-2020-16251
https://access.redhat.com/security/cve/CVE-2021-43998
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce