A Red Hat OpenStack Platform 16.2 (openstack-tripleo-heat-templates) security update has been released.

RHSA-2022:0995-01: Moderate: Red Hat OpenStack Platform 16.2 (openstack-tripleo-heat-templates) security update

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenStack Platform 16.2 (openstack-tripleo-heat-templates) security update
Advisory ID: RHSA-2022:0995-01
Product: Red Hat OpenStack Platform
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:0995
Issue date: 2022-03-23
CVE Names: CVE-2021-4180
=====================================================================

1. Summary:

An update for openstack-tripleo-heat-templates is now available for Red Hat
OpenStack Platform 16.2 (Train).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.2 - noarch

3. Description:

Heat templates for TripleO

Security Fix(es):

* Data leak of internal URL through keystone_authtoken (CVE-2021-4180)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

  https://access.redhat.com/articles/11258

5. Bugs fixed (  https://bugzilla.redhat.com/):

1855678 - Configure Ceph Messenger for encryption OTW
1869587 - Octavia and LB issues after OSP13z11 and OSP16.x upgrade
1886762 - [RFE] support NFS mount at the conversion directory
1921112 - [OSP13->OSP16.2] nova-consoleauth still present in cli after upgrade.
1949673 - [RHOSP16.2] [rsyslog] Miss configuration generated in 50_openstack_logs.conf
1949675 - [RHOSP16.2] [rsyslog] rsyslog containers does not forward logs to elasticsearch
1955562 - Backup and Restore: Backup openstack client integration - openstack backup using bad nfs server address is not erroring out
1962304 - cinder volume at DCN unable to read central cephx keyring
1965233 - [FFU 13 -> 16.x] xinetd is running after upgrade, blocking swift_rsync container
1969411 - [RFE]: allow for the deployment of RHCS dashboard on any composable network
1975271 - Minor update does not restart ha resource when it is in failed stated
1976055 - Configuration of Memcached TLS requires the user to duplicate configuration entries
1978228 - [OSP13->OSP16.2] Leapp upgrade failed with TLSEverywhere
1980542 - [16.2] LC_CTYPE: cannot change locale (C.UTF-8) during OC upgrade 13 to 16.2 seems to fail upgrade
1983748 - NeutronL3AgentAvailabilityZone does not set specified value for Availability zone of Neutron L3 agent
1984555 - [RHOSP16.2] Smart plugin doesn't work for CAP_SYS_RAWIO capability missing.
1984875 - [OSP13->16.2] the leapp persistentnetnamesdisable actor should be removed so that a reboot can be avoided
1992506 - [RHOSP16.2] dpdk ovs vhost postcopy requires to start ovs with --mlockall=no
1999324 - NovaLiveMigrationPermitAutoConverge should default to true to match NovaLiveMigrationPermitPostCopy
1999725 - [RFE] Allow for the deployment of Ganesha on the overcloud "external" network
2000582 - ceph ssl radosgw port is closed for tempest (undercloud node)
2002346 - [OSP-16.2] [Upgrades][TripleO] Revert of the TSX change in tripleoclient
2003176 - [OSP16.2] ovn-dbs pacemaker update_tasks can race with pacemaker update_tasks
2005086 - Unable to disable gateway validation on deployment
2005680 - Cinder __DEFAULT__ volume type is installed but *tripleo* volume type is the real default
2008418 - Stack reconfiguration failed because ha-proxy container crashed during reconfiguration
2009422 - Deployment failing due to "Create /etc/openstack directory if it does not exist" task
2010114 - Openstack ceilometer archival policy is not taking effect
2010703 - rhosp-release package is removed during upgrade from all nodes
2010940 - ceph-nfs not coming up after the FFU
2013913 - Minion should be configured with same default tuning as Undercloud for atleast heat & ironic
2014758 - There's a typo in MySQLInodbBufferPoolSize as it should be MySQLInnodbBufferPoolSize
2021575 - [16.2] openstack overcloud upgrade run times out / HAProxy container fails to start
2022234 - Parameter 'ValidateGatewaysIcmp:false' is not working in OSP16.2
2022691 - [OSP16.2] qemu logs are not accessible on the host
2026290 - Some log files are not collected/relayed by rsyslog to remote log server
2027787 - Undercloud upgrade to 16.2 fails because of missing dependencies of swtpm
2030409 - [OSP16.2] Memcached if off for Heat, Keystone and Nova since caching backend is dogpile.cache.null
2031110 - Long t-h-t role name causes OVNMacAddressPort tag to exceed the neutron tag length limit
2032010 - [OSP16.2.0] neutron-dhcp-agent causes oom issues on controllers
2034189 - Validation if NTP/Chrony is configured during at initial stage of deployment procedure
2034730 - Horizon log not collected/relayed by rsyslog to remote log server
2035793 - CVE-2021-4180 openstack-tripleo-heat-templates: data leak of internal URL through keystone_authtoken
2037940 - [OVN] Enable ovn-monitor-all to help with OVN scale
2038897 - [RHOSP16.2] [DCN] [STF] metrics_qdr containers failed to start with bind address error
2046185 - From time to time memcached stops processing requests and brings down OpenStack control plane
2046211 - [OSP13->OSP16.2] Leapp actors directory change impacting in the upgrade
2050154 - [update] 16.1->16.2 experience a connectivity cut (ping loss) to FIP during update of the controllers.

6. Package List:

Red Hat OpenStack Platform 16.2:

Source:
openstack-tripleo-heat-templates-11.6.1-2.20220116004912.el8ost.src.rpm

noarch:
openstack-tripleo-heat-templates-11.6.1-2.20220116004912.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
  https://access.redhat.com/security/team/key/

7. References:

  https://access.redhat.com/security/cve/CVE-2021-4180
  https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.