Red Hat Product Errata RHSA-2024:2736 - Security Advisory
Issued:
2024-05-22
Updated:
2024-05-22

RHSA-2024:2736 - Security Advisory

Synopsis

Moderate: openstack-tripleo-heat-templates and tripleo-ansible update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for openstack-tripleo-heat-templates and tripleo-ansible is now available for Red Hat OpenStack Platform 17.1 for RHEL 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

openstack-tripleo-heat-templates is a collection of OpenStack Orchestration templates and tools (codename heat), which can be used to help deploy OpenStack.

Security Fix(es):

  • tripleo-ansible: bind keys are world readable (CVE-2023-6725)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • Banner text is not being displayed for overcloud hosts (BZ#2237000)
  • RHOSP16.2 to 17.1 upgrade: During Leapp uprade steps the network interface names are not preserved (BZ#2249024)
  • [FFU][DCN] ceph-ansible package is removed at the end of ceph adopt" stage during ceph upgrade (BZ#2249690)
  • [FFU] The Host System upgrade of HCI nodes fails on setting noout flags (BZ#2254036)
  • Config state files created during update run for tripleo ha services has unexpected file suffixes (BZ#2256780)
  • [OSP17.1] After upgrade to OSP16.2.6 Octavia Mgmt network amphoras having random MTU change: smaller MTU (1500) compared to orginal value 8950 (jumbo frames) (BZ#2257274)
  • multi-rhel-container-image-prepare.py for 16.2 to 17.1 upgrades returning wrong ceph image (BZ#2259286)
  • Upgrade [OSP16.2 -> OSP17.1] VMS stoped due to use Libvirt on RHEL-8 computes instead of LibvirtLegacy (BZ#2263916)
  • iptables on the undercloud not starting due to neutron rules (BZ#2272006)
  • [RHOSP 17.1] "ipmi/main" plugin read error in collectd container (BZ#2274010)

Enhancement(s):

  • DCN - FFU 16.2 to 17.1.1 computes only (BZ#1900663)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenStack 17.1 for RHEL 9 x86_64

Fixes

  • BZ - 1900663 - DCN - FFU 16.2 to 17.1.1 computes only
  • BZ - 2233300 - [hackfest] OSP17.1 deployment gets stuck on "Manage firewall rules" step for long time
  • BZ - 2237000 - Banner text is not being displayed for overcloud hosts
  • BZ - 2249024 - RHOSP16.2 to 17.1 upgrade: During Leapp uprade steps the network interface names are not preserved
  • BZ - 2249273 - CVE-2023-6725 tripleo-ansible: bind keys are world readable
  • BZ - 2249690 - [FFU][DCN] ceph-ansible package is removed at the end of ceph adopt" stage during ceph upgrade
  • BZ - 2250940 - [FFU][DCN] OSP upgrade of a DCN stack with etcd (Cinder A/A) fail on inability to fetch etcd image
  • BZ - 2254036 - [FFU] The Host System upgrade of HCI nodes fails on setting noout flags
  • BZ - 2255114 - [FFU][DCN] Compute nodes' AZ is unset during the system upgrade of the compute nodes
  • BZ - 2256780 - Config state files created during update run for tripleo ha services has unexpected file suffixes
  • BZ - 2257274 - [OSP17.1] After upgrade to OSP16.2.6 Octavia Mgmt network amphoras having random MTU change: smaller MTU (1500) compared to orginal value 8950 (jumbo frames)
  • BZ - 2259286 - multi-rhel-container-image-prepare.py for 16.2 to 17.1 upgrades returning wrong ceph image
  • BZ - 2260304 - ceph pool creation failed with pg error during 17.1 deployment
  • BZ - 2263226 - [FFU 16.2 to 17.1] openstack overcloud system upgrade fails when pulling images from registry registry.redhat.io
  • BZ - 2263916 - Upgrade [OSP16.2 -> OSP17.1] VMS stoped due to use Libvirt on RHEL-8 computes instead of LibvirtLegacy
  • BZ - 2264884 - iptables not starting due to neutron rules
  • BZ - 2266206 - Task Generate container puppet configs for step 1 fails with TypeError
  • BZ - 2272006 - iptables on the undercloud not starting due to neutron rules
  • BZ - 2274010 - [RHOSP 17.1] "ipmi/main" plugin read error in collectd container

Red Hat OpenStack 17.1 for RHEL 9

SRPM
openstack-tripleo-heat-templates-14.3.1-17.1.20231103010840.el9ost.src.rpm SHA-256: 7237723b08ec19b279d997767a3ea8d73a752226cd63fd24b7aa934d8d46beff
tripleo-ansible-3.3.1-17.1.20231101230831.el9ost.src.rpm SHA-256: 8b917129fbae682b1e8bd6f07e1985c0b7766b4b699c83a20a6855d0564d877c
x86_64
openstack-tripleo-heat-templates-14.3.1-17.1.20231103010840.el9ost.noarch.rpm SHA-256: 7072eab31efa68ef5e44fe1d4f4b1baabba431c90669c23b5aca852ab7c2719b
tripleo-ansible-3.3.1-17.1.20231101230831.el9ost.noarch.rpm SHA-256: 228c8aa5f3cddd8261e3c8b6e4d53b5c745c854f5bcee5cb83aa08c223d95a66

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.