Issued:: 2023-10-20
Updated:: 2023-10-20

RHSA-2023:5965 - Security Advisory

Overview
Updated Packages

Synopsis

Important: Red Hat OpenStack Platform 16.2.5 (collectd-libpod-stats, etcd) security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for collectd-libpod-stats and etcd is now available for Red Hat OpenStack Platform 16.2.5 (Train).

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

A highly-available key value store for shared configuration

Security Fix(es):

golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)
golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack for IBM Power 16.2 ppc64le
Red Hat OpenStack 16.2 x86_64

Fixes

BZ - 2222167 - CVE-2023-29406 golang: net/http: insufficient sanitization of Host header
BZ - 2228743 - CVE-2023-29409 golang: crypto/tls: slow verification of certificate chains containing large RSA keys
BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack for IBM Power 16.2

SRPM
etcd-3.3.23-15.el8ost.src.rpm	SHA-256: 15c31cce6c48de574295145fe301ba947b3cc6d158e6f969028d8e5f621e1650
python-octavia-tests-tempest-1.4.1-2.20230111145026.f7718ef.el8ost.src.rpm	SHA-256: 7b09ef0a085a82336be2a0e65e70c94b5f7ae0006e1607fc6cad019d2cb32f7f
ppc64le
etcd-3.3.23-15.el8ost.ppc64le.rpm	SHA-256: eba5932532fb8b482f1fca6e76d3032a2a6358172917450ef03ed03f944d1d88
etcd-debuginfo-3.3.23-15.el8ost.ppc64le.rpm	SHA-256: 9f51bb43bb9a36d9a68a08e397751cca4fde991e27d0d5c1f08a49d3ed5587ee
etcd-debugsource-3.3.23-15.el8ost.ppc64le.rpm	SHA-256: 6e1e4a3b25b79e5c42a898153e705d9097c73590276e86eb04d8f86d45200ad6
python-octavia-tests-tempest-debugsource-1.4.1-2.20230111145026.f7718ef.el8ost.ppc64le.rpm	SHA-256: aa75e43ef59e084c28321979c423153c27b9d3466fac4fecf8f35ca6eb520c39
python3-octavia-tests-tempest-1.4.1-2.20230111145026.f7718ef.el8ost.noarch.rpm	SHA-256: e48f5c6c4ddba134a02bad6466fed808ea2176256ac534497598d7e6637b9b7a
python3-octavia-tests-tempest-golang-1.4.1-2.20230111145026.f7718ef.el8ost.ppc64le.rpm	SHA-256: b894ed1736d2e0bb4c0963b9ffe55578e4b9fa374d70930fc048298cb19af291
python3-octavia-tests-tempest-golang-debuginfo-1.4.1-2.20230111145026.f7718ef.el8ost.ppc64le.rpm	SHA-256: 77183eead61c3b403f550201835b01b26369d46772feef3c0b5a0bbd14d5e90f

Red Hat OpenStack 16.2

SRPM
etcd-3.3.23-15.el8ost.src.rpm	SHA-256: 15c31cce6c48de574295145fe301ba947b3cc6d158e6f969028d8e5f621e1650
python-octavia-tests-tempest-1.4.1-2.20230111145026.f7718ef.el8ost.src.rpm	SHA-256: 7b09ef0a085a82336be2a0e65e70c94b5f7ae0006e1607fc6cad019d2cb32f7f
x86_64
etcd-3.3.23-15.el8ost.x86_64.rpm	SHA-256: bc2f19b2c9f4dbf02cd91012e68bb5fccaaa6eb09dd1f628fef06dcb7e73e3b5
etcd-debuginfo-3.3.23-15.el8ost.x86_64.rpm	SHA-256: 25af7ae5aa19de0382ec28d85543c57ff9134157afee7ddb076cf89ae363aa17
etcd-debugsource-3.3.23-15.el8ost.x86_64.rpm	SHA-256: 46c1936b8b4ffef9f246b7331aa65767b431c18c2f45718e9139546204b5e428
python-octavia-tests-tempest-debugsource-1.4.1-2.20230111145026.f7718ef.el8ost.x86_64.rpm	SHA-256: a9efcde6f3bf400548b4e712a530d1b15bc63d8d655806e38fb7dc176aaa21c7
python3-octavia-tests-tempest-1.4.1-2.20230111145026.f7718ef.el8ost.noarch.rpm	SHA-256: e48f5c6c4ddba134a02bad6466fed808ea2176256ac534497598d7e6637b9b7a
python3-octavia-tests-tempest-golang-1.4.1-2.20230111145026.f7718ef.el8ost.x86_64.rpm	SHA-256: 81840182510e406d5b5db4cf604b9aed463ea5b76fef62053775baad9f00aae2
python3-octavia-tests-tempest-golang-debuginfo-1.4.1-2.20230111145026.f7718ef.el8ost.x86_64.rpm	SHA-256: 298da553588b3c39f725c493d85beea642f0a2f0d5ea59fc1e98fc1200ef3909

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation