RHSA-2024:4591 - Security Advisory

Issued: 2024-07-17
Updated: 2024-07-17

Synopsis

Important: Red Hat OpenShift Data Foundation 4.16.0 security, enhancement & bug fix update

Type/Severity

Security Advisory: Important

Topic

Updated images that include numerous enhancements, security fixes, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.16.0 on Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API.

Security Fix(es):

  • get-func-name: ReDoS in chai module (CVE-2023-43646)
  • opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics (CVE-2023-47108)
  • golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)
  • golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)
  • golang: html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785)
  • golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)
  • jose: resource exhaustion (CVE-2024-28176)
  • jose-go: improper handling of highly compressed data (CVE-2024-28180)
  • submariner-operator: RBAC permissions can allow for the spread of node compromises (CVE-2024-5042)
  • nodejs-ws: denial of service when handling a request with many HTTP headers (CVE-2024-37890)
  • node-tar: denial of service while parsing a tar file due to lack of folders depth validation (CVE-2024-28863)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):
These updated packages include numerous enhancements and bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Data Foundation Release Notes for information on the most significant of these changes:

https://docs.redhat.com/en/documentation/red_hat_openshift_data_foundation/4.16/html/4.16_release_notes/index

All Red Hat OpenShift Data Foundation users are advised to upgrade to these packages that provide these bug fixes and enhancements.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Data Foundation 4 for RHEL 9 x86_64
  • Red Hat OpenShift Data Foundation for IBM Power, little endian 4 for RHEL 9 ppc64le
  • Red Hat OpenShift Data Foundation for IBM Z and LinuxONE 4 for RHEL 9 s390x
  • Red Hat OpenShift Data Foundation for RHEL 9 ARM 4 aarch64

Fixes

  • BZ - 2069759 - Ramen needs to improve reporting of status when s3 gateway is down
  • BZ - 2078270 - In OSD cluster, storage cluster node selector allowing scheduling storage api pods on infra node
  • BZ - 2128142 - [MDR]VRG does not report DataReady if there are no PVCs protected in a MetroDR
  • BZ - 2132724 - [RFE] [RDR] mirror peer is taking a lot of time to come in ExchangedSecret
  • BZ - 2136413 - [RDR] [UI] When DRPC is deleted from the local-cluster via UI, it doesn't provide deletion status/progress
  • BZ - 2139835 - ramen-dr-cluster ManifestWork does not reconcile properly
  • BZ - 2210040 - [UI] ODF Topology details of Deployment does not have header
  • BZ - 2214499 - [Tracker for https://bugzilla.redhat.com/show_bug.cgi?id=2266035] ceph-client.admin crashed in ceph-exporter thread with "throw_invalid_argument(char const*, boost::source_location const&)+0x37) [0x557c40cab267]"
  • BZ - 2214948 - [Tracker][RDR] Appset based workload remain stuck upon deletion via ACM UI though necessary tolerations are added
  • BZ - 2215910 - [UI] Error message improvements. Block pool Edit label checks failed.
  • BZ - 2216213 - [RDR] No error message shown while editing few immutable fields in DRPolicy
  • BZ - 2216803 - Rook ceph exporter pod remains stuck in terminating state when node is offline
  • BZ - 2222146 - ODF Nooba creates route which OpenShift compliance operator marks as non-compliant
  • BZ - 2231360 - OSD addition always stucks when Ceph reports HEALTH_ERR due to full OSDs
  • BZ - 2238308 - Should not allow to create a 2nd dr Policy on an existing cluster set with an existing dr policy
  • BZ - 2239587 - [RDR][CEPHFS][Tracker] sync for some pvc hangs
  • BZ - 2240951 - ODF should allow to manage pod tolerance from a single place
  • BZ - 2241149 - CVE-2023-43646 get-func-name: ReDoS in chai module
  • BZ - 2242832 - [RDR] Percentage of a few rbd image states needs adjustments on UI
  • BZ - 2243244 - [RDR] UI shows misleading VolumeSynchronizationDelay critical alert until lastGroupSyncTime is available in DRPC
  • BZ - 2244353 - [OCP Tracker] [RDR][CEPHFS] volsync-rsync-src pod's are stuck in ContainerCreating with msg for volume is not a mountpoint
  • BZ - 2246186 - [RDR] [Hub recovery] After hub recovery, MCO didn't recreate the VolumeReplicationClass
  • BZ - 2246364 - [RFE] Tooltip for External object provider used capacity card
  • BZ - 2246834 - [RDR] [Node failure] [CephFS] Relocate remains stuck forever with MountVolume.SetUp failed error when one of the three worker nodes was rebooted during the relocation
  • BZ - 2251022 - [RDR] [Hub recovery] Failover of rbd workloads didn't proceed after drpc reporting WaitForStorageMaintenanceActivation
  • BZ - 2251198 - CVE-2023-47108 opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics
  • BZ - 2251308 - Unable to uninstall ocs-client-operator
  • BZ - 2252318 - Mirroring Peer is not removed in Ceph when mirroring is disabled in StorageCluster
  • BZ - 2253043 - [Tracker ACM-9159] [RDR] [Hub recovery] [CephFS] Data sync stopped for multiple workloads after one of the managed clusters which went down was restored
  • BZ - 2253076 - [RFE][RDR][MDR] Need OCP alert when S3 bucket request to upload or retrieve metadata fails
  • BZ - 2255998 - [RDR] [Hub recovery] Failover for most cephfs and a few rbd workloads remain stuck at WaitingForResourceRestore
  • BZ - 2256563 - status card doesn't reflect the status for Standalone ODF/Noobaa deployment
  • BZ - 2256899 - Duplicate metrics in ocs-metrics-exporter
  • BZ - 2257259 - csi-addons-controller-manager pod is reset after running the must-gather command
  • BZ - 2257949 - [ODF Hackathon]: Quota Alerts overlapping (quotaobjects and quotaobjectsexhausted) and flapping (RGW)
  • BZ - 2258801 - [Provider-Client] Noobaa backingstore is created on a PV pool instead of RGW
  • BZ - 2258861 - [RDR] [Hub recovery] Both graphs are empty for one of the managed clusters due to missing metrics
  • BZ - 2258950 - [Tracker Ceph BZ #2259180] [CEE/SD][cephfs] mds crash: void MDLog::trim(int): assert(segments.size() >= pre_segments_size)
  • BZ - 2259195 - Storage - Data Foundation : I18n misses
  • BZ - 2259209 - [GSS] Rook-Ceph orperator deployment check/fail if 2 StorageClassDeviceSets are deployed but name: is not unique
  • BZ - 2259616 - UI option while changing resource profile the node memory details are updated with new additions
  • BZ - 2259847 - RBD Mirror daemon count is not validated in StorageCluster
  • BZ - 2260325 - [Non Contanerized NSFS] Creating an account using the node CLI with the --from_file option requires setting the creation_date property
  • BZ - 2260550 - Standalone Noobaa cannot change tolerations on Noobaa pods
  • BZ - 2260757 - Tracker for OCP bug OCPBUGS-27853
  • BZ - 2261938 - UI: unselected option should remain same after navigating back
  • BZ - 2262134 - rook-ceph-mon pods listen to both 3300 and 6789 port
  • BZ - 2262455 - [MDR] VirtualMachine PV claimRef definition does not include "kind: PersistentVolumeClaim"
  • BZ - 2262461 - [IBM Support] noobaa-db-pg-0 stuck in CLBO state
  • BZ - 2262921 - CVE-2024-1394 golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads
  • BZ - 2262943 - PrometheusRule evaluation failing for pool-quota.rules
  • BZ - 2262992 - [Non Contanerized NSFS] The allow_bucket_creation property is ignored when creating an account
  • BZ - 2262997 - [Non Contanerized NSFS] Account credentials standards are not checked when using the --from_file option
  • BZ - 2263148 - ODF installation fails if "Performance Mode" is picked up during install ( "Performance Mode" requests on CPU exceed available cpu on OCP node )
  • BZ - 2263468 - Manual Deletion of storageconsumer deletes the storageclassrequests but not the underlying pool and subvolumegroup(due to volumes present under them)
  • BZ - 2263488 - [RDR] [Hub recovery] [Co-situated] Cleanup remains stuck after failover when older primary cluster is recovered
  • BZ - 2263818 - Some texts are not clearly visible in StorageSystem details page when using Dark Mode
  • BZ - 2264435 - [RDR] [UI] Spurious VolumeSynchronizationDelay alert persists in UI after application deletion
  • BZ - 2264480 - db-noobaa-db-pg-0 PVC continues to grow extensively, activitylogs already truncated need to either fix or workaround
  • BZ - 2264767 - [4.15][RDR][Hub Recovery] Failover remains stuck with WaitForReadiness
  • BZ - 2264900 - PVC cloning is failing with error "RBD image not found"
  • BZ - 2265340 - [must-gather] No need to call pre-install script for help flag
  • BZ - 2265492 - Add Runbooks for ODF alerts - some text correction is required in Runbooks for few alerts
  • BZ - 2265562 - [MCG] S3 GetObject with an invalid VersionId argument on an AWS or IBMCOS Namespacestore MCG bucket fails and leaves the Namespacestore Rejected
  • BZ - 2266316 - PrometheusRuleFailures alert after installation or upgrade
  • BZ - 2266562 - [Non Contanerized NSFS] CreateMultipartUpload operation is failing with "Access Denied" error
  • BZ - 2266621 - mon pod scaledown is skipped if the mons are portable
  • BZ - 2266629 - Noobaa operator code is missing one AWS region
  • BZ - 2266845 - Token usage explanation in the UI is not as per design doc
  • BZ - 2266930 - No error message displayed when ux pod is down and we try to generate onboarding token
  • BZ - 2267067 - rbd metrics are not available on Provider-Client cluster
  • BZ - 2267610 - Openshift console UI shows "techPreview" label for multus for ODF create storage system method
  • BZ - 2267907 - [RDR] CephFS subvolume left behind in managed cluster after deleting the application
  • BZ - 2267965 - [4.16][RDR][Hub Recovery] Failover remains stuck with WaitForReadiness
  • BZ - 2268019 - CVE-2024-24783 golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm
  • BZ - 2268022 - CVE-2024-24785 golang: html/template: errors returned from MarshalJSON methods may break template escaping
  • BZ - 2268046 - CVE-2024-24786 golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON
  • BZ - 2268820 - CVE-2024-28176 jose: resource exhaustion
  • BZ - 2268854 - CVE-2024-28180 jose-go: improper handling of highly compressed data
  • BZ - 2268939 - [GSS] Standalone MCG stuck in Rejected Phase after fresh deployment
  • BZ - 2269319 - Missing runbook_url on OSDCPUHigh alert
  • BZ - 2269354 - [RFE] Change the default interval duration for two ServiceMonitors, 'rook-ceph-exporter' and 'rook-ceph-mgr'
  • BZ - 2270064 - [Tracker ACM-10508][RDR] [Node failure] [CephFS] Src PVC did not clean up post relocate operation hindering data sync
  • BZ - 2270446 - management-console unresponsive when copied name with trailing space into resource name input
  • BZ - 2271593 - Create storage-system wizard overlaps Project dropdown
  • BZ - 2271804 - [Non Contanerized NSFS] list_multipart_uploads is not listing incomplete multipart uploads
  • BZ - 2271921 - Noobaa is not deployed successfully over Azure cluster Error: <nil>, Params: map[is_master:true]}
  • BZ - 2272386 - [Non Contanerized NSFS] put-bucket-policy of some invalid policies result in InternalError instead of MalformedPolicy
  • BZ - 2272469 - ocs-operator.v4.16.0-61 failed to install due to ocs-operator in CLBO
  • BZ - 2272528 - [RDR] [UI] [Hub recovery] [Co-situated] Subscription based apps go missing on passive hub from application dropdown of Data policies page after site-failure
  • BZ - 2272644 - [UI] BlockPool option is missing under Storage? Data Foundation ---> Storage systems tab
  • BZ - 2272664 - Default resource allocation for ODF Noobaa BackingStore is too low when used as storage for Internal Registry
  • BZ - 2272666 - [MCG 4.16] MCG bucket logging always writes to the root level of the logs bucket and not to the defined prefix
  • BZ - 2272928 - Consumption trend displays only current date in the graph. Not showing previous days.
  • BZ - 2272932 - [MCG 4.16] MCG bucket logging fails to deliver logs withiin 24h
  • BZ - 2272938 - [RDR] tokenexchange addons are not getting deployed on ManagedClusters
  • BZ - 2273305 - Both Storageclassclaim and Storageclaim are listed under Provided API for the ocs-storage-client Installed operator page
  • BZ - 2273336 - ocs-metrics-exporter pod doesnot contain 'node.ocs.openshift.io/storage' toleration
  • BZ - 2273386 - change odf CSV pods to read only root file system
  • BZ - 2273387 - change ocs CSV pods to read only root file system
  • BZ - 2273398 - [GSS][ODF 4.16 backport] Legacy LVM-based OSDs are in crashloop state
  • BZ - 2273533 - [RDR] Unexpected webhook MCO error when creating additional DRPolicy from the ACM console
  • BZ - 2273553 - ocs-operator is going into "CrashLoopBackOff" state after adding virtualHostnames in storagecluster yaml
  • BZ - 2273560 - "virtual host style" support for RGW is not working
  • BZ - 2273605 - [MDR][RDR] Drpolicy is in Not validated state with error msg spec: Invalid value: "object": replicationClassSelector is immutable, spec: Invalid value: "object": volumeSnapshotClassSelector is immutable
  • BZ - 2273702 - [RDR] [Discovered Apps] kubeObjectProtection.disabled should be set as false by default
  • BZ - 2273705 - [RDR] [Discovered Apps] ramenOpsNamespace should be set by default and required namespace should be created by ramen or mco operator
  • BZ - 2274107 - Failure in Cluster-Wide Encryption Key Rotation for NooBaa Secret 'noobaa-root-master-key-volume'.
  • BZ - 2274175 - With Replica-1 enabled, replicated pool is spreading PGs across all OSDs
  • BZ - 2274193 - cleartext postgres password in noobaa-db-pg init container logs
  • BZ - 2274324 - [RDR][MDR] [Discovered Apps] VeleroNamespaceSecretKeyRef and CACertificates fields in the ramen hub configmap should not be removed by mco operator
  • BZ - 2274373 - Collect rbd image details from rados namespaces within a cephblockpool in must-gather command
  • BZ - 2274381 - ceph commands are not collected with --odf ; -c or -o -pc options with 4.16 must-gather
  • BZ - 2274392 - PV encryption with AZURE KMS failed with certificate error.
  • BZ - 2274476 - ODF4.16 console, On the "Installed Operator" web page the Rook-Ceph operator should be hidden
  • BZ - 2274548 - CSI_DISABLE_HOLDER_PODS config value misspelled
  • BZ - 2274728 - [RDR][MDR] Kubernetes objects Sync status is not getting updated in Protected Application page
  • BZ - 2274734 - [RDR][MDR] The data services page has vanished after a while.
  • BZ - 2274750 - [RDR] [Tracker ACM-10967] Pods in NS openshift-operators on hub with ACM observability enabled starts crashing after a few days
  • BZ - 2274757 - [rook][GSS][ODF 4.14.6] Notify/alert end user if legacy OSDs are LVM backed
  • BZ - 2274765 - [RDR] [Discovered Apps] Ceph fs imperative workloads are not getting DR protected
  • BZ - 2275049 - Nooba service stuck in 'NoobaaInitializing' state due to missing Azure credentials during ODF deployment with cluster-wide encryption using Azure KMS
  • BZ - 2275181 - Enable kube object protection for openshift-dr starting from 4.16
  • BZ - 2275222 - In Replica-1 data always goes to one particular osd and never goes to the additional osds present for a failure domain
  • BZ - 2275254 - [DR] Count namespace protected DRPC as one application
  • BZ - 2275413 - remove extra hop in deleting public secret while rotating keys
  • BZ - 2275456 - After upgrade, old csv ocs-operator.v4.15.2-rhodf is in failed state due to conflicting CRD owner in namespace
  • BZ - 2275484 - Rook operator is hardcoded to use redhat catalog, even when installing ODF from a custom catalog
  • BZ - 2275886 - rook-ceph-operator after upgrade to ODF 4.16 is in CrashLoopBackOff
  • BZ - 2275935 - Disk replacement procedure failed with cli tool
  • BZ - 2276028 - ODF client operator has nondescript information on the operator hub
  • BZ - 2276055 - Sync provider mode specific changes from main to 4.16
  • BZ - 2276056 - Sync ocs-client-operator main to 4.16 branch
  • BZ - 2276135 - ocs-operator should not be annotating all openshift-* namespaces
  • BZ - 2276222 - [RDR] [Hub recovery] [Co-situated] Primary workloads become secondary, UI also shows incorrect information
  • BZ - 2276344 - [RDR][MDR] [Discovered Apps] ramen-dr-cluster-operator pod in CrashLoopBackOff state
  • BZ - 2276353 - [RDR] [Discovered Apps] recipe-controller-manager pod in CrashLoopBackOff state
  • BZ - 2276366 - [UI] Provider mode. 'Prepare the cluster for RDR'. Remove not supported UI elements
  • BZ - 2276413 - Remove extra tiles of arbiter and make storageclient clusterscoped - Creation of Storageclient from UI is blocked
  • BZ - 2276438 - [UI] All modes. Update msg "This view is only supported for Internal mode cluster" on Topology
  • BZ - 2276591 - Rook is not creating "rook-ceph-csi-config" configmap when CSI is deployed by ocs-client-op
  • BZ - 2276593 - StorageClaim controller fails to query the type of claim from CR and logs empty value
  • BZ - 2276694 - Expose the upgrade setting for a longer timeout waiting for healthy OSDs before continuing
  • BZ - 2276913 - custom tolerations are not replicated to rook-ceph-operator-stable-4.16-redhat-operators-openshift-marketplace subscription
  • BZ - 2276941 - [RDR][MDR][Discovered Apps] Kube objects protected resourceConditions is not getting updated after every kubeobject sync
  • BZ - 2277184 - [UI][MDR][RDR] Delete button is not in disabled state when trying to delete DRpolicy attached to workloads
  • BZ - 2277186 - [GSS] noobaa-operator logs expose aws secret
  • BZ - 2277711 - Add Tech Preview flag to Azure Key Vault UI support
  • BZ - 2277766 - [RDR][MDR] [Discovered Apps] ODF operator should install Recipe operator on managed clusters
  • BZ - 2277770 - [RDR][MDR][Discovered Apps] Recipe operator does not have logo/image and it's missing description
  • BZ - 2277773 - [RDR][MDR] [Discovered Apps] ODF-DR operator should create openshift-dr-ops namespace on managedclusters and hub cluster
  • BZ - 2277785 - [RDR][MDR] [Discovered Apps] Protection of Discovered Apps fails with msg namespaces "ramen-ops" not found
  • BZ - 2278120 - [MCG 4.16] PVPool Backingstore pod enters CLBO due to missing agent_conf.json file
  • BZ - 2278389 - [IBM Support] After upgrade to OCP/ODF 4.14 Stand alone MCG backing store getting rejected/not ready with ENOSUPT
  • BZ - 2278593 - Heartbeat job running in hcp based cluster is not sending the cluster name
  • BZ - 2278603 - [RDR][Discovered Apps] UI is not checking for targetcluster status at the time of failover and relocate
  • BZ - 2278606 - After Upgrade ODF4.15-ODF4.16 with multus [dropping holder design], pod FailedMount to pvc [ceph-fs and ceph-rbd]
  • BZ - 2278676 - Provider mode. Create StorageClient form. IP is not allowed without https prefix
  • BZ - 2278681 - Must-gather needs changes in the API names for the deprecated Storageclassclaim, Storageclassrequest etc
  • BZ - 2278684 - 4.16 must-gather missing all relevant logs and details from openshift-storage namespace
  • BZ - 2278799 - Revert ODF capacity trend, UI should not display the related graph and values in 4.16.0.
  • BZ - 2278815 - [VolumeGroupSnapshot] csi-cephfsplugin-provisioner and csi-rbdplugin-provisioner pods stuck in CrashLoopBackOff state after enabling featuregate in OCP
  • BZ - 2279742 - [GSS] NooBaa DB PVC consumption rising continuously
  • BZ - 2279860 - Clicking the Storage status card results in "Minified React error #31"
  • BZ - 2279928 - [rook][GSS][ODF 4.14.6] Notify/alert end user if legacy OSDs are LVM backed
  • BZ - 2280342 - ServiceMonitor ramen-hub-operator-metrics-monitor selector too open
  • BZ - 2280378 - Must-gather -pc option to collect client side logs needs changes as storageclient is now cluster-scoped
  • BZ - 2280657 - [MDR][RDR][Discovered Apps]: On fresh installation Ramen pod crashes on managed cluster as OADP Operator is not installed
  • BZ - 2280813 - Cephblockpoolradosnamespace, cephfilesystemsubvolumegroup and storagerequest are not deleted with storageconsumer deletion
  • BZ - 2280818 - [odf-operator] csi-addons upgrade should be handled by ocs-client-op
  • BZ - 2280820 - csi-addons upgrade should be handled by ocs-client-op
  • BZ - 2280834 - noobaa-db-pg-0 in CLBO post ODF upgrade from 4.14 to 4.15, while OCP is 4.14
  • BZ - 2280921 - CVE-2024-5042 submariner-operator: RBAC permissions can allow for the spread of node compromises
  • BZ - 2280946 - Cephblockpoolradosnamespace and subvolumegroups not deleted with storageconsumer deletion
  • BZ - 2280953 - Add translations for ODF 4.16 release
  • BZ - 2281580 - CephSubVolumeGroup cleanup job fails due to missing subvolumegroup name env
  • BZ - 2281722 - [UI][Provider mode] StorageCluster fields missed when created from UI. cephFilesystems. disableSnapshotClass and disableStorageClass
  • BZ - 2281729 - [MCG] The prefix filter is ignored in log-based replication policies
  • BZ - 2282243 - [RDR] DR monitoring dashboard crashes after enabling ACM observability
  • BZ - 2282254 - Mon stay in CrashLoopBackOff when deploying ODF single stack ipv6
  • BZ - 2282284 - [RDR][Discovered Apps] ramen proceeds to recover kubeObjects from a capture even if the capture is invalid
  • BZ - 2282314 - [UI][Provider mode] No utilization data on ODF Client dashboard
  • BZ - 2282543 - Noobaa-DB Failed mount on cluster with multus
  • BZ - 2282834 - [MDR][Discovered Apps] Application volumes (PVCs) Sync status is not getting updated in Protected Application page and always status as critical
  • BZ - 2283024 - Hide the recipe Operator from Installed Operators page
  • BZ - 2283489 - Too many ocs-metrics-exporter secrets created
  • BZ - 2283621 - [UI][Provider mode] Remove Client related resources available for Clients with stable heartbeat
  • BZ - 2283629 - Must Gather collects redundant data in collection in odf mode
  • BZ - 2283651 - [MDR]: All the deployed application has protected status set to false
  • BZ - 2283797 - ODF Nooba creates route which OpenShift compliance operator marks as non-compliant
  • BZ - 2283820 - [MDR][RDR] Discovered application pre-reqs require automated velero secret creation
  • BZ - 2283965 - Resource label selector as a default option for discovered applications
  • BZ - 2283981 - Must-gather: Error in the oc describe command of csidriver, collection of describe output fails
  • BZ - 2284090 - Capacity & Utilization cards do not incorporate custom StorageClasses (Block & file dashboard)
  • BZ - 2284430 - Console, every few seconds the "create local volume set" page switches to "Discovering disks on all hosts"
  • BZ - 2284652 - [GSS] NooBaa Backingstore In Phase: "Connecting" with "Invalid URL" Blocking Upgrade from ODF v4.13 to ODF v4.14
  • BZ - 2290677 - [MDR]: Post relocation new PVC created on primary cluster
  • BZ - 2290847 - [MCG] Expired object deletion fails with lifecycle errors
  • BZ - 2291132 - [UI] Home => Overview page crashes when ceph osd crosses the near full ratio limits
  • BZ - 2291182 - [UI][Provider mode] Remove StorageClaim form from management-console
  • BZ - 2291255 - [Discovered Apps] Disable volsync with cephfs on regionaldr setups for 4.16
  • BZ - 2291301 - [UI] Hide recipe selection from the enroll discovered application wizard
  • BZ - 2291305 - [Tracker] [RDR][Discovered Apps] drpc status is stuck in WaitForReadiness after performing failover operation
  • BZ - 2291336 - [RDR] [MDR] : Missing Icon, description, and pod for Openshift DR Cluster Operator
  • BZ - 2292114 - [Provider mode] Upgrade to 4.16 failed when storageconsumer is present
  • BZ - 2292241 - [QA Only] Qualify RHCS-6.1z6 with ODF-4.16.0 in the external mode
  • BZ - 2292777 - CVE-2024-37890 nodejs-ws: denial of service when handling a request with many HTTP headers
  • BZ - 2293200 - CVE-2024-28863 node-tar: denial of service while parsing a tar file due to lack of folders depth validation
  • BZ - 2293621 - bug in encryption key rotation steps while removing key slot
  • BZ - 2293634 - [MDR][RDR] Discovered apps are not getting FailedOver with OADP 1.4
  • BZ - 2293881 - Revert changes done to limit StorageClassDevicesetName in bug 2269099 for 4.16
  • BZ - 2294383 - [UI] Provider Mode is shown in StorageSystem creation wizard.
  • BZ - 2296991 - PG state is not active+clean in arbiter deployment

CVEs

  • CVE-2023-3128
  • CVE-2023-4822
  • CVE-2023-6597
  • CVE-2023-43646
  • CVE-2023-47108
  • CVE-2023-49568
  • CVE-2023-49569
  • CVE-2024-0450
  • CVE-2024-1394
  • CVE-2024-5042
  • CVE-2024-24783
  • CVE-2024-24785
  • CVE-2024-24786
  • CVE-2024-28176
  • CVE-2024-28180
  • CVE-2024-28863
  • CVE-2024-37890

References

  • https://access.redhat.com/security/updates/classification/#important

aarch64

odf4/mcg-core-rhel9@sha256:5c2628c9c3de8ff9eaf6c727eaa2b4382741f21afeb4154329714b404fb4e1df
odf4/mcg-rhel9-operator@sha256:968deb95e9fde6ba12565e3ef601bfc60551ac6ac7c122b2bdacea09b6574266
odf4/ocs-client-rhel9-operator@sha256:95a047d3be90468e15a9f246f8e0fbfd159f18f7a9841d07c75e6c3f30c7c80a
odf4/ocs-rhel9-operator@sha256:ab289e798f909cf238f410984b7388db2f0a20794a3d55a06031fd9771efeaf7
odf4/odf-cli-rhel9@sha256:f518a439b56354f01a647d3c0550c909b42a879607982ce50bbbc0b6403a58f9
odf4/odf-csi-addons-rhel9-operator@sha256:8a090360648affdb24c12d7c2efaffc07bc21deb8b29f4ad3c12cf0a5ee6e19b
odf4/odf-csi-addons-sidecar-rhel9@sha256:41064d2db3c4c1e651f2df89d6cd4a19027c6930edc6ab66b5535a2cd7f39f49
odf4/odf-multicluster-rhel9-operator@sha256:36a0a82ab0c1e9d67d31aa8afe81bc1485541e3aefa221dbbc2a6822edfe8515
odf4/odf-must-gather-rhel9@sha256:3dc59c38e0cde2c9974d3fa5a7ce1c9f98589a5aeb486fdc8a8e7717656522fe
odf4/odf-rhel9-operator@sha256:dd9ca8286f54ba8e4151414afc65cbc4d619430676ab2735afc2a1e086b17921
odf4/odr-rhel9-operator@sha256:61fb5b6ebf9ee44b9271eb3526cb3175c9a135f86223e165c05b73a390f617ea

ppc64le


s390x


x86_64


The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

© 2025 Red Hat, Inc.
