[RHSA-2015:1862-01] Moderate: Red Hat Enterprise Linux OpenStack Platform 7 director update


 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Moderate: Red Hat Enterprise Linux OpenStack Platform 7 director update

Advisory ID: RHSA-2015:1862-01

Product: Red Hat Enterprise Linux OpenStack Platform

Advisory URL: https://access.redhat.com/errata/RHSA-2015:1862

Issue date: 2015-10-08

CVE Names: CVE-2015-5271

=====================================================================

 

1. Summary:

 

Updated packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 7.0 director for Red Hat Enterprise Linux 7.

 

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

 

2. Relevant releases/architectures:

 

Openstack 7.0 director for RHEL 7 - noarch

 

3. Description:

 

Red Hat Enterprise Linux OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service (IaaS) cloud based on Red Hat Enterprise Linux OpenStack Platform.

 

A flaw was discovered in the pipeline ordering of OpenStack Object Storage's staticweb middleware in the swiftproxy configuration generated from the openstack-tripleo-heat-templates package (OpenStack director). The staticweb middleware was incorrectly configured before the Identity Service, and under some conditions an attacker could use this flaw to gain unauthenticated access to private data. (CVE-2015-5271)
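As an added illustration of the ordering problem described above (example code written for this page, not part of the advisory or of the openstack-tripleo-heat-templates package), the following check reads the `[pipeline:main]` section of a Swift proxy-server.conf, reports whether staticweb is placed ahead of the authentication filters, and produces the corrected order. The two configuration samples are constructed; the set of filter names treated as authentication middleware is an assumption and may need extending for a given deployment.

```python
"""Detect and correct the CVE-2015-5271 ordering flaw in a Swift proxy pipeline.

Swift requires staticweb to run after the auth middlewares; if it runs before
them, requests it handles never reach the Identity Service checks.
"""
import configparser

# Assumed names of the filters that establish identity/authorization.
AUTH_FILTERS = {"authtoken", "keystoneauth", "keystone", "tempauth"}

# Constructed samples: vulnerable order (staticweb before auth) and fixed order.
VULNERABLE_CONF = """
[pipeline:main]
pipeline = catch_errors healthcheck cache staticweb authtoken keystone proxy-server
"""
FIXED_CONF = """
[pipeline:main]
pipeline = catch_errors healthcheck cache authtoken keystone staticweb proxy-server
"""


def pipeline_from_conf(text: str) -> list[str]:
    """Return the filter order declared in [pipeline:main] of a proxy-server.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("pipeline:main", "pipeline").split()


def staticweb_before_auth(pipeline: list[str]) -> bool:
    """True when staticweb is present and not placed after every auth filter."""
    if "staticweb" not in pipeline:
        return False
    auth_positions = [i for i, name in enumerate(pipeline) if name in AUTH_FILTERS]
    if not auth_positions:
        return True  # no auth filter at all: staticweb content is unauthenticated
    return pipeline.index("staticweb") < max(auth_positions)


def reorder_pipeline(pipeline: list[str]) -> list[str]:
    """Return a copy with staticweb moved directly after the last auth filter."""
    rest = [name for name in pipeline if name != "staticweb"]
    auth_positions = [i for i, name in enumerate(rest) if name in AUTH_FILTERS]
    if not staticweb_before_auth(pipeline) or not auth_positions:
        return list(pipeline)  # already safe, or nothing to anchor staticweb behind
    rest.insert(max(auth_positions) + 1, "staticweb")
    return rest


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        order = pipeline_from_conf(conf)
        print(label, "staticweb before auth:", staticweb_before_auth(order))
        print("  corrected order:", " ".join(reorder_pipeline(order)))
```

Run the same check against the pipeline actually rendered on each swift-proxy node; a filter name that does not appear in `AUTH_FILTERS` is reported as non-auth, so extend the set for custom middleware.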

 

This issue was discovered by Christian Schwede and Emilien Macchi of Red Hat.

 

This update also fixes numerous bugs and adds various enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux OpenStack Platform 7 Release Notes, linked to in the References section, for information on the most significant of these changes.

 

All Red Hat Enterprise Linux OpenStack Platform 7.0 director users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

 

4. Solution:

 

Before applying this update, make sure all previously released errata relevant to your system have been applied.

 

For details on how to apply this update, refer to:

 

https://access.redhat.com/articles/11258

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1223022 - Ceilometer API port not allowed in firewall rules on undercloud

1226376 - Neutron API port not allowed in firewall rules on undercloud

1228862 - Can `openstack undercloud install` have a --force-clean option so an error doesn't require restarting?

1231777 - Its possible to scale up beyond the number of free nodes

1233949 - overcloud horizon apache config doesn't appear to use a network vip

1235320 - Unhelpful failure when incorrect parameters are given

1235325 - "openstack baremetal configure boot" should skip nodes that have maintenance=true

1236136 - All overcloud keystone endpoints get configured with the public IP when using network isolation

1236663 - No output for upload images command

1236707 - undercloud.conf.sample incorrectly states that heat db encryption key can be 8,16, or 32 chars

1237020 - undercloud GUI- Image field is mandatory when setting VM for deploy overcloud

1240260 - introspection timed out for 2 VM nodes

1241199 - openstack baremetal configure boot is not safe to run a second time

1241668 - 'openstack help overcloud deploy' : doesn't cover comments/explanation for all deployment --arguments

1243015 - Overcloud stack name hard-coded

1243032 - Hard-coded reference to instackenv.json

1243062 - On deployment failure, no reason is returned

1243121 - Neutron port quota fails larger overcloud deployments

1243472 - don't save UpdateIdentifier in tuskar when running package update

1243601 - Overcloud deploys default to qemu instead of kvm

1243829 - overcloud image upload creates duplicate images

1244001 - bulk introspection with active nodes fails

1244026 - [RFE] Overcloud nodes deployed by OSP-Director are using DHCP; can they be statically assigned instead?

1244032 - [RFE] Can OSP-Director deploy an HA overcloud which uses a hardware load balancer?

1244856 - openstack overcloud update stack overcloud requires an undocumented argument

1244864 - VXLAN should be default neutron network type

1245212 - rhel-osp-director: Running "ahc-match" on a setup with enabled SSL yields error: ironicclient.openstack.common.apiclient.exceptions.ConnectionRefused: Error communicating with https://[iP]:13385/ [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL

1245714 - set mem overcommit to 1:1

1246596 - Add support for network validation tests

1247015 - openstack undercloud install doesn't create rabbit user if you set custom passwords in undercloud.conf

1247722 - messages report Introspection for one of the nodes 'has timed out' while the command returns ' Discovery completed.'

1248172 - inspection: clean failed with pxe_ilo

1249640 - Installers need to configure tempest with deployment-specific values and export a partial tempest.conf

1250249 - After deploying, system load charts shown on the overview page are incorrect

1250250 - When deploying from UI we miss to add params based on scale logic

1251566 - Undercloud mariadb max_connection default is too low

1252054 - Default deployment through GUI doesn't create cinder v2 service and endpoint

1252219 - ovs bond on controller is not seeing dhcp packet

1252437 - [Discovery] Gathers wrong information about disks available

1252509 - rhel-osp-director: Fail to "openstack overcloud update stack": "ERROR: openstack unexpected end of regular expression"

1252553 - rhel-osp-director: UI: Limited selection for public interface under service configuration.

1253465 - [RFE] Allow for customization of the Ceph pools name and client username

1253628 - external ceph patches break tuskar based deploys

1253777 - HA overcloud deployment argument for NTP server should not be optional

1254897 - Not configuring neutron mechanism drivers in any puppet based deploys

1255910 - overcloud node delete of one compute node removed all of them

1255931 - rhel-osp-director: rhel-osp-director: unable to delete a heat stack deployed with "--rhel-reg --reg-method portal --reg-org --reg-activation-key ''", following a failed attempt to update it with "openstack overcloud update stack --templates

1256477 - ironic ipmitool intermittently timing out causing API requests to process slowly

1257414 - [HA] critical resource constraints missing from pacemaker config make things go kaboom

1257642 - yum hanged infinitely on nova-compute cleanup when do an update

1259393 - [RFE] Add support to register and deploy nodes with fake_pxe

1259905 - Integrate yum updates of overcloud with Puppet

1260736 - missing module python-ironic-inspector-client

1260991 - Running the same deploy command twice results with :"Deployment failed: Not enough nodes - available: 2, requested: 5"

1261045 - Big Switch ML2 networking plugin configuration

1261048 - controllerExtraConfig support

1261067 - Keystone notifications support

1261697 - CVE-2015-5271 openstack-tripleo-heat-templates: unsafe pipeline ordering of swift staticweb middleware

1261921 - updating overcloud stack packages doesn't stop cluster and will cause it to be down

1262059 - Include the bigswitch networking packages in the image by default

1262454 - os-cloud-config: with fake_pxe pm_type in instackenv.json and thus no pm_addr entry, "openstack baremetal import --json instackenv.json" exits with: ERROR: openstack 'pm_addr'

1262995 - osp-d deployment fails on network validation scripts when network-isolation is not enabled.

1265010 - Heat environment is overwritten on overcloud updates

1265777 - No DNS servers set on the overcloud nodes

1266082 - RHEL unregistration doesn't work when scaling down

1266253 - [Director] increase mariadb max_connection default value

1266327 - yum_update.sh fails due to incomplete --excludes list

1266911 - CLI should not force --neutron-tunnel-types if --neutron-disable-tunneling is specified

1267883 - Unable to control the file_descriptors limit for rabbitmq-server via the director.

 

6. Package List:

 

Openstack 7.0 director for RHEL 7:

 

Source:

ahc-tools-0.1.1-6.el7ost.src.rpm

instack-undercloud-2.1.2-29.el7ost.src.rpm

openstack-ironic-discoverd-1.1.0-6.el7ost.src.rpm

openstack-tripleo-common-0.0.1.dev6-3.git49b57eb.el7ost.src.rpm

openstack-tripleo-heat-templates-0.8.6-71.el7ost.src.rpm

openstack-tripleo-image-elements-0.9.6-10.el7ost.src.rpm

openstack-tripleo-puppet-elements-0.0.1-5.el7ost.src.rpm

openstack-tuskar-0.4.18-4.el7ost.src.rpm

openstack-tuskar-ui-0.4.0-3.el7ost.src.rpm

os-cloud-config-0.2.8-7.el7ost.src.rpm

os-net-config-0.1.4-4.el7ost.src.rpm

python-hardware-0.14-7.el7ost.src.rpm

python-proliantutils-2.1.0-4.el7ost.src.rpm

python-rdomanager-oscplugin-0.0.10-8.el7ost.src.rpm

 

noarch:

ahc-tools-0.1.1-6.el7ost.noarch.rpm

instack-undercloud-2.1.2-29.el7ost.noarch.rpm

openstack-ironic-discoverd-1.1.0-6.el7ost.noarch.rpm

openstack-ironic-discoverd-ramdisk-1.1.0-6.el7ost.noarch.rpm

openstack-tripleo-common-0.0.1.dev6-3.git49b57eb.el7ost.noarch.rpm

openstack-tripleo-heat-templates-0.8.6-71.el7ost.noarch.rpm

openstack-tripleo-image-elements-0.9.6-10.el7ost.noarch.rpm

openstack-tripleo-puppet-elements-0.0.1-5.el7ost.noarch.rpm

openstack-tuskar-0.4.18-4.el7ost.noarch.rpm

openstack-tuskar-ui-0.4.0-3.el7ost.noarch.rpm

os-cloud-config-0.2.8-7.el7ost.noarch.rpm

os-net-config-0.1.4-4.el7ost.noarch.rpm

python-hardware-0.14-7.el7ost.noarch.rpm

python-hardware-doc-0.14-7.el7ost.noarch.rpm

python-ironic-discoverd-1.1.0-6.el7ost.noarch.rpm

python-proliantutils-2.1.0-4.el7ost.noarch.rpm

python-rdomanager-oscplugin-0.0.10-8.el7ost.noarch.rpm

 

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2015-5271

https://access.redhat.com/security/updates/classification/#moderate

https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/version-7/release-notes

 

8. Contact:

 

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

 

Copyright 2015 Red Hat, Inc.
