-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0212
      OpenShift Container Platform 4.6.12 packages and security update
                              19 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.6.12
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Overwrite Arbitrary Files       -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-28362 CVE-2020-25696 CVE-2020-25694 CVE-2020-25641
                   CVE-2020-13249 CVE-2020-8566 CVE-2020-8177 CVE-2020-2922
                   CVE-2020-2752 CVE-2020-2574 CVE-2020-2309 CVE-2020-2308
                   CVE-2020-2307 CVE-2020-2306 CVE-2020-2305 CVE-2020-2304
                   CVE-2020-1971

Reference:         ESB-2021.0171
                   ESB-2020.4521
                   ESB-2020.4516
                   ESB-2020.4423
                   ESB-2020.2085

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:0038
   https://access.redhat.com/errata/RHSA-2021:0039
   https://access.redhat.com/errata/RHSA-2021:0037

Comment: This bulletin contains three (3) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.6.12 packages and security update
Advisory ID:       RHSA-2021:0038-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0038
Issue date:        2021-01-18
CVE Names:         CVE-2020-2304 CVE-2020-2305 CVE-2020-2306 CVE-2020-2307
                   CVE-2020-2308 CVE-2020-2309 CVE-2020-28362
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.6.12 is now available with
updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container
Platform 4.6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.6 - noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.

Security Fix(es):

* jenkins-2-plugins/subversion: XML parser is not preventing XML external
entity (XXE) attacks (CVE-2020-2304)

* jenkins-2-plugins/mercurial: XML parser is not preventing XML external
entity (XXE) attacks (CVE-2020-2305)

* jenkins-2-plugins/mercurial: Missing permission check in an HTTP endpoint
could result in information disclosure (CVE-2020-2306)

* jenkins-2-plugins/kubernetes: Jenkins controller environment variables are
accessible in Kubernetes Plugin (CVE-2020-2307)

* jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes Plugin
allows listing pod templates (CVE-2020-2308)

* jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes Plugin
allows enumerating credentials IDs (CVE-2020-2309)

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.6.12. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHSA-2021:0037

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

All OpenShift Container Platform 4.6 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

4. Solution:

For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1895939 - CVE-2020-2304 jenkins-2-plugins/subversion: XML parser is not preventing XML external entity (XXE) attacks
1895940 - CVE-2020-2305 jenkins-2-plugins/mercurial: XML parser is not preventing XML external entity (XXE) attacks
1895941 - CVE-2020-2306 jenkins-2-plugins/mercurial: Missing permission check in an HTTP endpoint could result in information disclosure
1895945 - CVE-2020-2307 jenkins-2-plugins/kubernetes: Jenkins controller environment variables are accessible in Kubernetes Plugin
1895946 - CVE-2020-2308 jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes Plugin allows listing pod templates
1895947 - CVE-2020-2309 jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes Plugin allows enumerating credentials IDs
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers

6. Package List:

Red Hat OpenShift Container Platform 4.6:

Source:
jenkins-2-plugins-4.6.1608634578-1.el7.src.rpm
openshift-4.6.0-202012190744.p0.git.94235.c62c6f7.el7.src.rpm
openshift-ansible-4.6.0-202012172338.p0.git.0.a15d08c.el7.src.rpm
openshift-clients-4.6.0-202012172338.p0.git.3800.30af700.el7.src.rpm

noarch:
jenkins-2-plugins-4.6.1608634578-1.el7.noarch.rpm
openshift-ansible-4.6.0-202012172338.p0.git.0.a15d08c.el7.noarch.rpm
openshift-ansible-test-4.6.0-202012172338.p0.git.0.a15d08c.el7.noarch.rpm

x86_64:
openshift-clients-4.6.0-202012172338.p0.git.3800.30af700.el7.x86_64.rpm
openshift-clients-redistributable-4.6.0-202012172338.p0.git.3800.30af700.el7.x86_64.rpm
openshift-hyperkube-4.6.0-202012190744.p0.git.94235.c62c6f7.el7.x86_64.rpm

Red Hat OpenShift Container Platform 4.6:

Source:
atomic-openshift-service-idler-4.6.0-202012171504.p0.git.15.f4535bc.el8.src.rpm
console-login-helper-messages-0.20.3-1.rhaos4.6.el8.src.rpm
cri-o-1.19.1-2.rhaos4.6.git2af9ecf.el8.src.rpm
jenkins-2-plugins-4.6.1609853716-1.el8.src.rpm
openshift-4.6.0-202012190744.p0.git.94235.c62c6f7.el8.src.rpm
openshift-clients-4.6.0-202012172338.p0.git.3800.30af700.el8.src.rpm
openshift-kuryr-4.6.0-202012171504.p0.git.2216.1fecf92.el8.src.rpm

noarch:
console-login-helper-messages-0.20.3-1.rhaos4.6.el8.noarch.rpm
console-login-helper-messages-issuegen-0.20.3-1.rhaos4.6.el8.noarch.rpm
console-login-helper-messages-profile-0.20.3-1.rhaos4.6.el8.noarch.rpm
jenkins-2-plugins-4.6.1609853716-1.el8.noarch.rpm
openshift-kuryr-cni-4.6.0-202012171504.p0.git.2216.1fecf92.el8.noarch.rpm
openshift-kuryr-common-4.6.0-202012171504.p0.git.2216.1fecf92.el8.noarch.rpm
openshift-kuryr-controller-4.6.0-202012171504.p0.git.2216.1fecf92.el8.noarch.rpm
python3-kuryr-kubernetes-4.6.0-202012171504.p0.git.2216.1fecf92.el8.noarch.rpm

ppc64le:
atomic-openshift-service-idler-4.6.0-202012171504.p0.git.15.f4535bc.el8.ppc64le.rpm
cri-o-1.19.1-2.rhaos4.6.git2af9ecf.el8.ppc64le.rpm
cri-o-debuginfo-1.19.1-2.rhaos4.6.git2af9ecf.el8.ppc64le.rpm
cri-o-debugsource-1.19.1-2.rhaos4.6.git2af9ecf.el8.ppc64le.rpm
openshift-clients-4.6.0-202012172338.p0.git.3800.30af700.el8.ppc64le.rpm
openshift-hyperkube-4.6.0-202012190744.p0.git.94235.c62c6f7.el8.ppc64le.rpm

s390x:
atomic-openshift-service-idler-4.6.0-202012171504.p0.git.15.f4535bc.el8.s390x.rpm
cri-o-1.19.1-2.rhaos4.6.git2af9ecf.el8.s390x.rpm
cri-o-debuginfo-1.19.1-2.rhaos4.6.git2af9ecf.el8.s390x.rpm
cri-o-debugsource-1.19.1-2.rhaos4.6.git2af9ecf.el8.s390x.rpm
openshift-clients-4.6.0-202012172338.p0.git.3800.30af700.el8.s390x.rpm
openshift-hyperkube-4.6.0-202012190744.p0.git.94235.c62c6f7.el8.s390x.rpm

x86_64:
atomic-openshift-service-idler-4.6.0-202012171504.p0.git.15.f4535bc.el8.x86_64.rpm
cri-o-1.19.1-2.rhaos4.6.git2af9ecf.el8.x86_64.rpm
cri-o-debuginfo-1.19.1-2.rhaos4.6.git2af9ecf.el8.x86_64.rpm
cri-o-debugsource-1.19.1-2.rhaos4.6.git2af9ecf.el8.x86_64.rpm
openshift-clients-4.6.0-202012172338.p0.git.3800.30af700.el8.x86_64.rpm
openshift-clients-redistributable-4.6.0-202012172338.p0.git.3800.30af700.el8.x86_64.rpm
openshift-hyperkube-4.6.0-202012190744.p0.git.94235.c62c6f7.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-2304
https://access.redhat.com/security/cve/CVE-2020-2305
https://access.redhat.com/security/cve/CVE-2020-2306
https://access.redhat.com/security/cve/CVE-2020-2307
https://access.redhat.com/security/cve/CVE-2020-2308
https://access.redhat.com/security/cve/CVE-2020-2309
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
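The package list above gives the fixed name-version-release (NVR) of each RPM, but deciding whether an installed package is older than the fixed build needs rpm's own version ordering, not a string compare. The script below is an added example for this bulletin, not Red Hat's or AusCERT's code: it reads `rpm -qa` output (a constructed sample is embedded so it runs offline), splits each entry into name, version, release and architecture, and compares it with the advisory build for the same package using a re-implementation of rpm's `rpmvercmp`. Assumptions, stated here and in the code: epochs are ignored (the advisory NVRs carry none), the `^` ordering operator is not implemented, and only a subset of the RHEL 8 package list is copied in.

```python
"""Flag node RPMs that are older than the builds in RHSA-2021:0038.

Added example for this bulletin; not Red Hat's or AusCERT's code.  Reads
`rpm -qa` output (constructed sample below), parses each NVRA and compares
it with the fixed NVR for the same package and architecture using a
re-implementation of rpm's version ordering.  Assumptions: no epochs (the
advisory's NVRs carry none) and no '^' segments.
"""
import re
import sys

# Fixed builds, copied from the RHEL 8 x86_64 / noarch part of the package list.
ADVISORY_RPMS = [
    "cri-o-1.19.1-2.rhaos4.6.git2af9ecf.el8.x86_64.rpm",
    "openshift-hyperkube-4.6.0-202012190744.p0.git.94235.c62c6f7.el8.x86_64.rpm",
    "openshift-clients-4.6.0-202012172338.p0.git.3800.30af700.el8.x86_64.rpm",
    "jenkins-2-plugins-4.6.1609853716-1.el8.noarch.rpm",
]

# Constructed `rpm -qa` output: two packages lag the advisory, one matches
# exactly, one is newer, one is unrelated.
SAMPLE_RPM_QA = """\
cri-o-1.18.4-5.rhaos4.6.git4cb3ad1.el8.x86_64
openshift-hyperkube-4.6.0-202012190744.p0.git.94235.c62c6f7.el8.x86_64
openshift-clients-4.6.0-202101050000.p0.git.3800.30af700.el8.x86_64
jenkins-2-plugins-4.6.1608634578-1.el8.noarch
bash-4.4.19-12.el8.x86_64
"""


def split_nvra(pkg):
    """'name-version-release.arch[.rpm]' -> (name, version, release, arch).

    The name may contain '-', version and release may not, so split from the right.
    """
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    nvr, arch = pkg.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def _segments(s):
    """rpm compares digit runs as integers and letter runs as strings; '~' marks
    a pre-release; every other character only separates segments."""
    return re.findall(r"~|\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 with the same ordering as rpm's rpmvercmp() ('^' omitted)."""
    sa, sb = _segments(a), _segments(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":          # tilde sorts before everything, even end of string
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:                     # a ran out of segments first: a is older
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() or y.isdigit():  # a numeric segment is newer than an alpha one
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def compare_vr(installed, fixed):
    """Compare (version, release) pairs: version first, release as tie-breaker."""
    c = rpmvercmp(installed[0], fixed[0])
    return c or rpmvercmp(installed[1], fixed[1])


def missing_fixes(rpm_qa_text, advisory_rpms=ADVISORY_RPMS):
    """Return {name: (installed NVRA, advisory RPM)} for packages older than the fix."""
    fixed = {}
    for pkg in advisory_rpms:
        name, ver, rel, arch = split_nvra(pkg)
        fixed[(name, arch)] = (ver, rel, pkg)
    lagging = {}
    for line in rpm_qa_text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, ver, rel, arch = split_nvra(line)
        want = fixed.get((name, arch))
        if want and compare_vr((ver, rel), want[:2]) < 0:
            lagging[name] = (line, want[2])
    return lagging


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_QA
    lagging = missing_fixes(text)
    for name, (have, want) in sorted(lagging.items()):
        print(f"{name}: installed {have}, advisory {want}")
    sys.exit(1 if lagging else 0)
```

Run it as `rpm -qa | python3 check_rhsa_2021_0038.py` on a RHEL node, or with no stdin to exercise the constructed sample. Because the comparison is done on version and release separately, a locally rebuilt package with the same version but a lower release string is still reported as lagging, which a plain string or float comparison would miss.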
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIUAwUBYAWx+tzjgjWX9erEAQgZuw/3ckY0s6rjWeCqac/q0rDMOgz+B2JWIcEn
h9Z1tUwGB3mRai6370nRs4AEK2gs5BQLH7aTwwweXnaxQmHvpghFcZjKkFjeJPLr
b0CirXqnwkF16tM+x7SL64nIrLj29/LJj/0aBBP7nvWmk9T4uKm0I5c46d4CsxTG
yUSDL0AWOPir95qYqg4fZOdtP7WDUDg5jjr4hMD4hd3BpTB2ljqhFuh4bYsIBJXB
pc8rP6d7WC70VB47NiWQosBgX4/s3NAIQoe9qvUsm70WcqZ1O+ro/rsO/8tT87r0
60VbzMxuGFC/2LCyD21uq3ClyO0HVYRrx7osHnwmqXOm3pIOoD1cBRSYZxLvQxD9
K5xUcd4F+M1dvEmo30S8hgsmsArNSR9lLqb79SdJ0GUCsWbsneNvvFq9ylPesDJq
UXFG8Sx487U+2BdK+ypnF4a65gKVNln3iaYu1QUdB6hb0enjMIlduHs0n9LCfOFu
0tPizLaaB1YEn+0Mmt1r4m1Xoop2AUNSxAepM2aM5EQyyKjejSMpktloz/3kUgIO
5X1RCgtiTx1ulPK/FyRyk/jyCsEzBNrgwWQ5O3nnfCDn267Eh4JSI+l9+dtVlsqF
mGGsKhiKUj8cSesRflt2BVOl3NdpIMCo2dq7xlDTBV6Rk+QOnaWHSanQme5l82Ry
t9nOBUpkzw==
=tMa0
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.6.12 extras and security update
Advisory ID:       RHSA-2021:0039-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0039
Issue date:        2021-01-18
CVE Names:         CVE-2020-1971 CVE-2020-2304 CVE-2020-2305 CVE-2020-2306
                   CVE-2020-2307 CVE-2020-2308 CVE-2020-2309 CVE-2020-8177
                   CVE-2020-25641 CVE-2020-28362
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.6.12 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.

Security Fix(es):

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.6.12. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHSA-2021:0037

All OpenShift Container Platform 4.6 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

3. Solution:

For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1888393 - Alert ElasticsearchBulkRequestsRejectionJumps never gets pending/firing because there is no `bulk` thread pool.
1890801 - Changes on spec.logStore.elasticsearch.nodeCount not reflected when decreasing the number of nodes
1892794 - Reduce log chatter in cluster logging operator
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1901299 - Change ES Operator CSV to clarify the scope for this Operator
1907519 - [logforward]error_class=ArgumentError error="time must be a Fluent::EventTime (or Integer): Float"
1909614 - Old kibana index causing crashloop
1909616 - Facing error "Cannot authenticate user because admin user is not permitted to login via HTTP" in OCP 4.5.20
1913104 - Placeholder bug for OCP 4.6.0 extras release

5. References:

https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-2304
https://access.redhat.com/security/cve/CVE-2020-2305
https://access.redhat.com/security/cve/CVE-2020-2306
https://access.redhat.com/security/cve/CVE-2020-2307
https://access.redhat.com/security/cve/CVE-2020-2308
https://access.redhat.com/security/cve/CVE-2020-2309
https://access.redhat.com/security/cve/CVE-2020-8177
https://access.redhat.com/security/cve/CVE-2020-25641
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYAXIPtzjgjWX9erEAQir1w//UnkkrCtAm4ZVRiNdu1De53RIuqfzi2Ck
pUijLCmuM9YJE2q949bHpAlTOXF3Lk7ZFEN4RnbG9tSi6B7aX7uAPY9iprL+8CLA
G4cIW8Nn2HFGM0MUOzMhFhDwHhp+veXkxeD6ptMLCBMIG8K1dWq4MICBA4hxwPmD
R9MQTPiNY2C+M3FlGl3OuPg/4OuLETvgJcjXCn98O6dGk72/uMs85A0+2AQ+QDI/
EUJIIwz7pNlU6bmAuTwsKCGShP7bm69W+lKG8gDlRYaZFowzuTkAFzEH6j88ZF7R
atm0QeqtWGnagSJ+62zI2Qt0n8JdLXO6PHoNEzNBfTc5SR0e8GPxzAyRyryT+fiK
1zVHICcTThKOFdMP54BsDkx7889ockd3E5XmcBRTeNWlbJCyTWEGa0fjVHRL1WvL
/+OUIduecwrKWsdrjAPsh/ncVkLs6Hz6Ypz6C02WSSxD1XKHvd09Gb2h3BWRfcKg
OUodTNfdWW74evVgIfAwxRzRoS9XhfkiUOkguDLfdmlTekNNyFJWK8JaqgVveIKd
drgap/u9MVSdHQoy0qKbiZFU2p5uGY7zq07eoEy81zjafwEspugdR3sANIfY1ag6
hVnIPe7XWs/tdljwrHaHsCUju2APoFswtKEaT6putqa/9Nw0e/TlYTCrvLoib4+9
kPZMH5lOWjA=
=EPJM
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.6.12 bug fix and security update
Advisory ID:       RHSA-2021:0037-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0037
Issue date:        2021-01-18
CVE Names:         CVE-2020-1971 CVE-2020-2304 CVE-2020-2305 CVE-2020-2306
                   CVE-2020-2307 CVE-2020-2308 CVE-2020-2309 CVE-2020-2574
                   CVE-2020-2752 CVE-2020-2922 CVE-2020-8177 CVE-2020-8566
                   CVE-2020-13249 CVE-2020-25641 CVE-2020-25694 CVE-2020-25696
                   CVE-2020-28362
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.6.12 is now available with
updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container
Platform 4.6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.6.12. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHSA-2021:0038

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated shortly
for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Security Fix(es):

* kubernetes: Ceph RBD adminSecrets exposed in logs when loglevel >= 4
(CVE-2020-8566)

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

You may download the oc tool and use it to inspect release image metadata
as follows:

(For x86_64 architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.6.12-x86_64

The image digest is
sha256:5c3618ab914eb66267b7c552a9b51c3018c3a8f8acf08ce1ff7ae4bfdd3a82bd

(For s390x architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.6.12-s390x

The image digest is
sha256:9e78700d5b1b8618d67d39f12a2c163f08e537eb4cea89cd28d1aa3f4ea356bb

(For ppc64le architecture)

$ oc adm release info
quay.io/openshift-release-dev/ocp-release:4.6.12-ppc64le

The image digest is
sha256:290cd8207d81123ba05c2f4f6f29c99c4001e1afbbfdee94c327ceb81ab75924

All OpenShift Container Platform 4.6 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

3. Solution:

For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1810470 - [Flake] volume expansion tests occasionally flake with EBS CSI driver
1811341 - Subpath test pod did not start within 5 minutes
1814282 - Storage e2es leaving namespaces/pods around
1836931 - `oc explain localvolume` returns empty description
1842747 - Not READYTOUSE volumesnapshot instance can not be deleted
1843008 - Fix reconciliation of manifests for 4.6 channel for LSO
1850161 - [4.6] the skipVersion should exactly match regex in art.yaml
1852619 - must-gather creates empty files occasionally
1866843 - upgrade got stuck because of FailedAttachVolume
1867704 - cluster-storage-operator needs to grant pod list/watch permissions to aws operator
1867757 - Rebase node-registrar sidebar with latest version
1871439 - Bump node registrar golang version
1871955 - Allow snapshot operator to run on masters
1872000 - Allow ovirt controller to run on master nodes
1872244 - [aws-ebs-csi-driver] build fails
1872290 - storage operator does not install on ovirt
1872500 - Update resizer sidecar in CSI operators to use timeout parameter rather than csiTimeout
1873168 - add timeout parameter to resizer for aws
1877084 - tune resizer to have higher timeout than 2mins
1879221 - [Assisted-4.6][Staging] assisted-service API does not prevent a request with another user's credentials from setting cluster installation progress
1881625 - replace goautoreneg library in LSO
1886640 - CVE-2020-8566 kubernetes: Ceph RBD adminSecrets exposed in logs when loglevel >= 4
1888909 - Placeholder bug for OCP 4.6.0 rpm release
1889416 - Installer complains about not enough vcpu for the baremetal flavor where generic bm flavor is being used
1889936 - Backport timecache LRU fix
1894244 - [Backport 4.6] IO archive contains more records than the limit
1894678 - Installer panics on invalid flavor
1894878 - Helm chart fails to install using developer console because of TLS certificate error
1895325 - [OSP] External mode cluster creation disabled for Openstack and oVirt platform
1895426 - unable to edit an application with a custom builder image
1895434 - unable to edit custom template application
1897337 - Mounts failing with error "Failed to start transient scope unit: Argument list too long"
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1898178 - [OVN] EgressIP does not guard against node IP assignment
1899266 - [4.6z] Baremetal IPI with IPv6 control plane: nodes respond with duplicate packets to ICMP6 echo requests
1899622 - [4.6z] configure-ovs.sh doesn't configure bonding options
1900736 - [SR-IOV] Backport request to SR-IOV operator version 4.6 - SriovNetworkNodePolicies apply ignoring the spec.nodeSelector.
1900792 - Track all resource counts via telemetry
1901736 - additionalSecurityGroupIDs not working for master nodes
1903353 - Etcd container leaves grep and lsof zombie processes
1905947 - [Internal Mode] Object gateway (RGW) in unknown state after OCP upgrade.
1906428 - [release-4.6]: When using webhooks in OCP 4.5 fails to rollout latest deploymentconfig
1906723 - File /etc/NetworkManager/system-connections/default_connection.nmconnection is incompatible with SR-IOV operator
1906836 - [sig-arch][Early] Managed cluster should start all core operators: monitoring: container has runAsNonRoot and image has non-numeric user (nobody)
1907203 - clusterresourceoverride-operator has version: 1.0.0 every build
1908472 - High Podready Latency due to timed out waiting for annotations
1908749 - [GSS] Unable to deploy OCS 4.5.2 on OCP 4.6.1, cannot `Create OCS Cluster Service`
1908803 - [OVN] Network Policy fails to work when project label gets overwritten
1908847 - [4.6.z] RHCOS 4.6 - Missing Initiatorname
1909062 - ARO/Azure: excessive pod memory allocation causes node lockup
1909248 - Intermittent packet drop from pod to pod
1909682 - When scaling down the status of the node is stuck on deleting
1909990 - oVirt provider uses deprecated cluster-api project
1910066 - OpenShift YAML editor jumps to top every few seconds
1910104 - [oVirt] Node is not removed when VM has been removed from oVirt engine
1911790 - [Assisted-4.6] [Staging] reduce disk speed requirement for test/dev environments
1913103 - Placeholder bug for OCP 4.6.0 rpm release
1913105 - Placeholder bug for OCP 4.6.0 metadata release
1913263 - [4.6] Unable to schedule a pod due to Insufficient ephemeral-storage
1913329 - [Assisted-4.6] [Staging] Installation fails to start
1914988 - [4.6.z] real-time kernel in RHCOS is not synchronized
1915007 - Fixed by revert -- Upgrade to OCP 4.6.9 results in cluster-wide DNS and connectivity issues due to bad NetworkPolicy flows

5. References:

https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-2304
https://access.redhat.com/security/cve/CVE-2020-2305
https://access.redhat.com/security/cve/CVE-2020-2306
https://access.redhat.com/security/cve/CVE-2020-2307
https://access.redhat.com/security/cve/CVE-2020-2308
https://access.redhat.com/security/cve/CVE-2020-2309
https://access.redhat.com/security/cve/CVE-2020-2574
https://access.redhat.com/security/cve/CVE-2020-2752
https://access.redhat.com/security/cve/CVE-2020-2922
https://access.redhat.com/security/cve/CVE-2020-8177
https://access.redhat.com/security/cve/CVE-2020-8566
https://access.redhat.com/security/cve/CVE-2020-13249
https://access.redhat.com/security/cve/CVE-2020-25641
https://access.redhat.com/security/cve/CVE-2020-25694
https://access.redhat.com/security/cve/CVE-2020-25696
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
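The `oc adm release info` digests quoted in section 2 of RHSA-2021:0037 pin the exact release images that carry these fixes. The script below is an added example for this bulletin, not Red Hat's or AusCERT's code: it takes the JSON printed by `oc get clusterversion version -o json`, finds the newest update the cluster-version operator has actually completed (an update still marked Partial protects nothing), compares that version with 4.6.12, and, when the cluster claims exactly 4.6.12, checks that the running release image digest is the one published for its architecture. Assumptions, stated here and in the code: ClusterVersion status on 4.6 does not record the CPU architecture, so the caller passes it (default x86_64); the ClusterVersion documents embedded below are constructed samples so the script runs offline.

```python
"""Check whether an OpenShift 4.6 cluster has actually taken the 4.6.12 update.

Added example for this bulletin; not Red Hat's or AusCERT's code.  Input is
the JSON printed by `oc get clusterversion version -o json`; constructed
samples are embedded so it runs offline.  Assumption: ClusterVersion status
does not record the CPU architecture, so the caller passes it (default
x86_64) to select which digest from RHSA-2021:0037 to compare against.
"""
import json
import re
import sys

FIXED_VERSION = (4, 6, 12)

# Release image digests as printed in section 2 of RHSA-2021:0037.
RELEASE_DIGESTS = {
    "x86_64": "sha256:5c3618ab914eb66267b7c552a9b51c3018c3a8f8acf08ce1ff7ae4bfdd3a82bd",
    "s390x": "sha256:9e78700d5b1b8618d67d39f12a2c163f08e537eb4cea89cd28d1aa3f4ea356bb",
    "ppc64le": "sha256:290cd8207d81123ba05c2f4f6f29c99c4001e1afbbfdee94c327ceb81ab75924",
}


def parse_version(version):
    """'4.6.12' -> (4, 6, 12); a pre-release suffix such as '-rc.4' is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-.*)?", version)
    if not m:
        raise ValueError(f"unrecognised OpenShift version {version!r}")
    return tuple(int(x) for x in m.groups())


def running_release(cv):
    """Return (version, image, verified) for the newest Completed history entry.

    status.desired only says where the cluster-version operator is heading;
    an update still marked Partial protects nothing, so it is skipped.
    """
    for entry in cv["status"].get("history", []):  # newest entry first
        if entry.get("state") == "Completed":
            return entry["version"], entry["image"], bool(entry.get("verified"))
    desired = cv["status"]["desired"]  # nothing completed yet: report the target
    return desired["version"], desired["image"], False


def assess(cv, arch="x86_64"):
    """Compare the running release with the 4.6.12 errata."""
    version, image, verified = running_release(cv)
    running = parse_version(version)
    digest = image.split("@", 1)[1] if "@" in image else None
    digest_ok = None  # only meaningful when the cluster claims exactly 4.6.12
    if running == FIXED_VERSION:
        digest_ok = digest == RELEASE_DIGESTS.get(arch)
    return {
        "version": version,
        "patched": running >= FIXED_VERSION,
        "digest": digest,
        "digest_ok": digest_ok,
        "verified": verified,  # False: the CVO did not verify the release signature
    }


def _sample(entries):
    """Build a minimal ClusterVersion document from (state, version, digest,
    verified) tuples, newest first.  Constructed test data, not real output."""
    history = [
        {"state": state, "version": ver, "verified": ok,
         "image": f"quay.io/openshift-release-dev/ocp-release@{digest}"}
        for state, ver, digest, ok in entries
    ]
    desired = {"version": history[0]["version"], "image": history[0]["image"]}
    return {"kind": "ClusterVersion", "status": {"desired": desired, "history": history}}


GOOD = RELEASE_DIGESTS["x86_64"]
OTHER = "sha256:" + "ab" * 32  # constructed digest of some other image
SAMPLE_PATCHED = _sample([("Completed", "4.6.12", GOOD, True)])
# Update to 4.6.12 still in flight: the cluster is really running 4.6.9.
SAMPLE_IN_FLIGHT = _sample([("Partial", "4.6.12", GOOD, True),
                            ("Completed", "4.6.9", OTHER, True)])
# Claims 4.6.12 but from an image whose digest is not the one Red Hat published.
SAMPLE_DRIFT = _sample([("Completed", "4.6.12", OTHER, False)])


def main(stream=sys.stdin, arch="x86_64"):
    result = assess(json.load(stream), arch)
    print(json.dumps(result, indent=2))
    return 0 if result["patched"] and result["digest_ok"] is not False else 1


if __name__ == "__main__":
    sys.exit(main(arch=sys.argv[1] if len(sys.argv) > 1 else "x86_64"))
```

Run it as `oc get clusterversion version -o json | python3 check_ocp_4612.py x86_64`. A result with `digest_ok` false means the cluster reports 4.6.12 but is running a release image other than the one in this advisory (for example a mirrored or rebuilt image), and `verified` false means the cluster-version operator did not verify the release image signature when it applied that update; both deserve a look before the cluster is marked as patched.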
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYAXQr9zjgjWX9erEAQhINxAAjh7aW1WwDkpKJ6CeA/YpDjZmlkHATXTl
GjxB6A67OIVKzNbNhydIu9lsZnYaYCk7MQVAbua9BN0VxDv6Wcg3+NicCCaRYntm
yTqh4L0pKd9/yrMF0WAshrw/Z8QJgnyEnCXDCKltHFkNa+d9Zu6HrSEqAnLYFneU
jZ8CVB4FzA9sgCntvQnzoqxToA0iICT4znhJws3qTf+1WFbQNWHpyYgo8p0oJqbK
0TWv0hcuMNA1xfbhqRH2uW2RLJIJJxTixi2iHA3N9WZlQE26/6p67L12OH7SKmcI
ve8b6fCT/co1O27AJk4gzyqkyVNzXjBOEFT1wPigB0CQRoTJmC+tqtD1nKIkdMaQ
pc7hOkXx6FjKjFC8Q/laW5N8e98897lhklSzaEI3d4V4SBzAAg2eNztPNoOs/AWS
hGUaiByVjg88lV1JahNOom3mv6rqHTNZufYGNRmDImHovrDJWDLMW6SUSDLVa/Ib
6x/JX5bRn4YATlulIrR/3czkO6S+J/y6k5eJONbvgErQWxGYx/Zej+b20om4vU+A
pLQ8xS2gR0OQo0aIPetZsB6t70Ng9r3HlR1yZvpcHPjcSVQd6YmXfj4ZX+dDnufE
Qh9cn+8VBLHk/HGhhYYVrrW6mF1ZpYCw8UNY+D8FTmNgoGUIF5Kgbil20BVfD7IG
l4Zmr01HNY4=
=+mgi
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYAYWQuNLKJtyKPYoAQjBSw//WKCyCCd/d9tGl9a9X0Z1AluipRqmSj/1
EvBH5sG2XjRm90YFlZvtIpFn5l+iZvTJj/6uwRvIp4ITu7gHuYRZJrRKRnpDa06z
d9CcN53kB/J7pmksUZp0/FAqy4hvBUjE93b/DlihBkyPTPiLh5tfcIOzlXcYeDDu
pYe75mdd9ZAqtCOW3iunzeOr3siC1g+hilrq0mLHNVsoasMcFHWJ+Bz+/tadN5vo
3jOLtbjYcUMniTEWAY6i23ezoa9m96GB6C6SDRYD8hhFGeQc205odbbGY1cBigft
Nxyv1J3wWQcF0H4y4gvY9/0cFPbWEjj9af9fJ0tQX2NopDzqXRHDJV8cxrbjSPb5
OvkVPZaI7hZDNGwsejk0QSl9S09ne7NQ2qm/dC1zyBdodp4dDwiIPpbr9wei7pg4
Oe/cL7q8l9/FbEqlZwdOVCEcnIGQNPy9mgprKqRllojmbdJSMQUnpycu4c39Fu5Z
0Sir6C3fSjpJEb1YSxepAezH9jygC8SoBVXnhkKdnTWjUkA4BsoQ2My/qPFocozo
lyiJhYKD7rcIUmMi9pnBd0AFNNgr3laQQ6yuUsBO0VcEUe/UomSiaNvQUZWAuoW4
G7PbXbfegv82js4SmrwAJ8tQKgwtjM2P28FuAShf/+KblaALGTpoiXb6YzD6WTAv
dkggl5hpi8k=
=8P3H
-----END PGP SIGNATURE-----