Operating System:

[RedHat]

Published:

19 January 2021

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0212
     OpenShift Container Platform 4.6.12 packages and security update
                              19 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.6.12
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Overwrite Arbitrary Files       -- Existing Account            
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-28362 CVE-2020-25696 CVE-2020-25694
                   CVE-2020-25641 CVE-2020-13249 CVE-2020-8566
                   CVE-2020-8177 CVE-2020-2922 CVE-2020-2752
                   CVE-2020-2574 CVE-2020-2309 CVE-2020-2308
                   CVE-2020-2307 CVE-2020-2306 CVE-2020-2305
                   CVE-2020-2304 CVE-2020-1971 

Reference:         ESB-2021.0171
                   ESB-2020.4521
                   ESB-2020.4516
                   ESB-2020.4423
                   ESB-2020.2085

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:0038
   https://access.redhat.com/errata/RHSA-2021:0039
   https://access.redhat.com/errata/RHSA-2021:0037

Comment: This bulletin contains three (3) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.6.12 packages and security update
Advisory ID:       RHSA-2021:0038-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0038
Issue date:        2021-01-18
CVE Names:         CVE-2020-2304 CVE-2020-2305 CVE-2020-2306 
                   CVE-2020-2307 CVE-2020-2308 CVE-2020-2309 
                   CVE-2020-28362 
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.6.12 is now available with
updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container
Platform 4.6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.6 - noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* jenkins-2-plugins/subversion: XML parser is not preventing XML external
entity (XXE) attacks (CVE-2020-2304)

* jenkins-2-plugins/mercurial: XML parser is not preventing XML external
entity (XXE) attacks (CVE-2020-2305)

* jenkins-2-plugins/mercurial: Missing permission check in an HTTP endpoint
could result in information disclosure (CVE-2020-2306)

* jenkins-2-plugins/kubernetes: Jenkins controller environment variables
are accessible in Kubernetes Plugin (CVE-2020-2307)

* jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes
Plugin allows listing pod templates (CVE-2020-2308)

* jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes
Plugin allows enumerating credentials IDs (CVE-2020-2309)

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.6.12. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHSA-2021:0037

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

All OpenShift Container Platform 4.6 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor.

4. Solution:

For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.

5. Bugs fixed (https://bugzilla.redhat.com/):

1895939 - CVE-2020-2304 jenkins-2-plugins/subversion: XML parser is not preventing XML external entity (XXE) attacks
1895940 - CVE-2020-2305 jenkins-2-plugins/mercurial: XML parser is not preventing XML external entity (XXE) attacks
1895941 - CVE-2020-2306 jenkins-2-plugins/mercurial: Missing permission check in an HTTP endpoint could result in information disclosure
1895945 - CVE-2020-2307 jenkins-2-plugins/kubernetes: Jenkins controller environment variables are accessible in Kubernetes Plugin
1895946 - CVE-2020-2308 jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes Plugin allows listing pod templates
1895947 - CVE-2020-2309 jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes Plugin allows enumerating credentials IDs
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers

6. Package List:

Red Hat OpenShift Container Platform 4.6:

Source:
jenkins-2-plugins-4.6.1608634578-1.el7.src.rpm
openshift-4.6.0-202012190744.p0.git.94235.c62c6f7.el7.src.rpm
openshift-ansible-4.6.0-202012172338.p0.git.0.a15d08c.el7.src.rpm
openshift-clients-4.6.0-202012172338.p0.git.3800.30af700.el7.src.rpm

noarch:
jenkins-2-plugins-4.6.1608634578-1.el7.noarch.rpm
openshift-ansible-4.6.0-202012172338.p0.git.0.a15d08c.el7.noarch.rpm
openshift-ansible-test-4.6.0-202012172338.p0.git.0.a15d08c.el7.noarch.rpm

x86_64:
openshift-clients-4.6.0-202012172338.p0.git.3800.30af700.el7.x86_64.rpm
openshift-clients-redistributable-4.6.0-202012172338.p0.git.3800.30af700.el7.x86_64.rpm
openshift-hyperkube-4.6.0-202012190744.p0.git.94235.c62c6f7.el7.x86_64.rpm

Red Hat OpenShift Container Platform 4.6:

Source:
atomic-openshift-service-idler-4.6.0-202012171504.p0.git.15.f4535bc.el8.src.rpm
console-login-helper-messages-0.20.3-1.rhaos4.6.el8.src.rpm
cri-o-1.19.1-2.rhaos4.6.git2af9ecf.el8.src.rpm
jenkins-2-plugins-4.6.1609853716-1.el8.src.rpm
openshift-4.6.0-202012190744.p0.git.94235.c62c6f7.el8.src.rpm
openshift-clients-4.6.0-202012172338.p0.git.3800.30af700.el8.src.rpm
openshift-kuryr-4.6.0-202012171504.p0.git.2216.1fecf92.el8.src.rpm

noarch:
console-login-helper-messages-0.20.3-1.rhaos4.6.el8.noarch.rpm
console-login-helper-messages-issuegen-0.20.3-1.rhaos4.6.el8.noarch.rpm
console-login-helper-messages-profile-0.20.3-1.rhaos4.6.el8.noarch.rpm
jenkins-2-plugins-4.6.1609853716-1.el8.noarch.rpm
openshift-kuryr-cni-4.6.0-202012171504.p0.git.2216.1fecf92.el8.noarch.rpm
openshift-kuryr-common-4.6.0-202012171504.p0.git.2216.1fecf92.el8.noarch.rpm
openshift-kuryr-controller-4.6.0-202012171504.p0.git.2216.1fecf92.el8.noarch.rpm
python3-kuryr-kubernetes-4.6.0-202012171504.p0.git.2216.1fecf92.el8.noarch.rpm

ppc64le:
atomic-openshift-service-idler-4.6.0-202012171504.p0.git.15.f4535bc.el8.ppc64le.rpm
cri-o-1.19.1-2.rhaos4.6.git2af9ecf.el8.ppc64le.rpm
cri-o-debuginfo-1.19.1-2.rhaos4.6.git2af9ecf.el8.ppc64le.rpm
cri-o-debugsource-1.19.1-2.rhaos4.6.git2af9ecf.el8.ppc64le.rpm
openshift-clients-4.6.0-202012172338.p0.git.3800.30af700.el8.ppc64le.rpm
openshift-hyperkube-4.6.0-202012190744.p0.git.94235.c62c6f7.el8.ppc64le.rpm

s390x:
atomic-openshift-service-idler-4.6.0-202012171504.p0.git.15.f4535bc.el8.s390x.rpm
cri-o-1.19.1-2.rhaos4.6.git2af9ecf.el8.s390x.rpm
cri-o-debuginfo-1.19.1-2.rhaos4.6.git2af9ecf.el8.s390x.rpm
cri-o-debugsource-1.19.1-2.rhaos4.6.git2af9ecf.el8.s390x.rpm
openshift-clients-4.6.0-202012172338.p0.git.3800.30af700.el8.s390x.rpm
openshift-hyperkube-4.6.0-202012190744.p0.git.94235.c62c6f7.el8.s390x.rpm

x86_64:
atomic-openshift-service-idler-4.6.0-202012171504.p0.git.15.f4535bc.el8.x86_64.rpm
cri-o-1.19.1-2.rhaos4.6.git2af9ecf.el8.x86_64.rpm
cri-o-debuginfo-1.19.1-2.rhaos4.6.git2af9ecf.el8.x86_64.rpm
cri-o-debugsource-1.19.1-2.rhaos4.6.git2af9ecf.el8.x86_64.rpm
openshift-clients-4.6.0-202012172338.p0.git.3800.30af700.el8.x86_64.rpm
openshift-clients-redistributable-4.6.0-202012172338.p0.git.3800.30af700.el8.x86_64.rpm
openshift-hyperkube-4.6.0-202012190744.p0.git.94235.c62c6f7.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-2304
https://access.redhat.com/security/cve/CVE-2020-2305
https://access.redhat.com/security/cve/CVE-2020-2306
https://access.redhat.com/security/cve/CVE-2020-2307
https://access.redhat.com/security/cve/CVE-2020-2308
https://access.redhat.com/security/cve/CVE-2020-2309
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.6.12 extras and security update
Advisory ID:       RHSA-2021:0039-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0039
Issue date:        2021-01-18
CVE Names:         CVE-2020-1971 CVE-2020-2304 CVE-2020-2305 
                   CVE-2020-2306 CVE-2020-2307 CVE-2020-2308 
                   CVE-2020-2309 CVE-2020-8177 CVE-2020-25641 
                   CVE-2020-28362 
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.6.12 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.6.12. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHSA-2021:0037

All OpenShift Container Platform 4.6 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor.

3. Solution:

For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1888393 - Alert ElasticsearchBulkRequestsRejectionJumps never gets pending/firing due to there is no `bulk` thread pool.
1890801 - Changes on spec.logStore.elasticsearch.nodeCount not reflected when decreasing the number of nodes
1892794 - Reduce log chatter in cluster logging operator
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1901299 - Change ES Operator CSV to clarify the scope for this Operator
1907519 - [logforward]error_class=ArgumentError error="time must be a Fluent::EventTime (or Integer): Float"
1909614 - Old kibana index causing crashloop
1909616 - Facing error "Cannot authenticate user because admin user is not permitted to login via HTTP" in OCP 4.5.20
1913104 - Placeholder bug for OCP 4.6.0 extras release

5. References:

https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-2304
https://access.redhat.com/security/cve/CVE-2020-2305
https://access.redhat.com/security/cve/CVE-2020-2306
https://access.redhat.com/security/cve/CVE-2020-2307
https://access.redhat.com/security/cve/CVE-2020-2308
https://access.redhat.com/security/cve/CVE-2020-2309
https://access.redhat.com/security/cve/CVE-2020-8177
https://access.redhat.com/security/cve/CVE-2020-25641
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.6.12 bug fix and security update
Advisory ID:       RHSA-2021:0037-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0037
Issue date:        2021-01-18
CVE Names:         CVE-2020-1971 CVE-2020-2304 CVE-2020-2305 
                   CVE-2020-2306 CVE-2020-2307 CVE-2020-2308 
                   CVE-2020-2309 CVE-2020-2574 CVE-2020-2752 
                   CVE-2020-2922 CVE-2020-8177 CVE-2020-8566 
                   CVE-2020-13249 CVE-2020-25641 CVE-2020-25694 
                   CVE-2020-25696 CVE-2020-28362 
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.6.12 is now available with
updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container
Platform 4.6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.6.12. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHSA-2021:0038

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Security Fix(es):

* kubernetes: Ceph RBD adminSecrets exposed in logs when loglevel >= 4
(CVE-2020-8566)

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

You may download the oc tool and use it to inspect release image metadata
as follows:

(For x86_64 architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.12-x86_64

The image digest is
sha256:5c3618ab914eb66267b7c552a9b51c3018c3a8f8acf08ce1ff7ae4bfdd3a82bd

(For s390x architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.12-s390x

The image digest is
sha256:9e78700d5b1b8618d67d39f12a2c163f08e537eb4cea89cd28d1aa3f4ea356bb

(For ppc64le architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.6.12-ppc64le

The image digest is
sha256:290cd8207d81123ba05c2f4f6f29c99c4001e1afbbfdee94c327ceb81ab75924
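The digests above are the values worth pinning to: a tag such as 4.6.12-x86_64 can be re-pointed, a sha256 digest cannot. The following POSIX shell functions are an added check and not part of the Red Hat advisory or the oc tool. They take the text printed by `oc adm release info`, read the `Digest:` field (the assumption here is only that the command prints a line starting with `Digest:`), compare it against the per-architecture digests listed above, and print a digest-pinned pullspec on a match so the upgrade can be driven by digest rather than by tag. The sample command output used to exercise it is constructed.

```shell
#!/bin/sh
# Added example: verify that the release image a cluster would pull matches the
# per-architecture digest published in RHSA-2021:0037 (values copied from the
# advisory text above). Not Red Hat's own tooling.

# Advisory digest for a given architecture; fails for anything not listed.
expected_digest() {
  case "$1" in
    x86_64)  echo "sha256:5c3618ab914eb66267b7c552a9b51c3018c3a8f8acf08ce1ff7ae4bfdd3a82bd" ;;
    s390x)   echo "sha256:9e78700d5b1b8618d67d39f12a2c163f08e537eb4cea89cd28d1aa3f4ea356bb" ;;
    ppc64le) echo "sha256:290cd8207d81123ba05c2f4f6f29c99c4001e1afbbfdee94c327ceb81ab75924" ;;
    *)       return 1 ;;
  esac
}

# Pull the value of the "Digest:" line out of `oc adm release info` output read
# from stdin. Assumption: the command prints such a line; nothing else about
# the layout of its output is relied on.
digest_from_info() {
  awk '$1 == "Digest:" { print $2; exit }'
}

# check_release ARCH DIGEST
# Returns 0 and prints the digest-pinned pullspec when DIGEST equals the
# advisory value for ARCH; returns 1 on mismatch; returns 2 for an unknown
# architecture or a digest that is not "sha256:" followed by 64 hex characters.
check_release() {
  arch=$1
  observed=$2
  want=$(expected_digest "$arch") || { echo "unknown architecture: $arch" >&2; return 2; }
  case "$observed" in
    sha256:*) ;;
    *) echo "malformed digest: $observed" >&2; return 2 ;;
  esac
  # "sha256:" (7 chars) + 64 hex chars = 71, and nothing outside [0-9a-f] after the prefix.
  if [ "${#observed}" -ne 71 ] || [ -n "$(printf '%s' "${observed#sha256:}" | tr -d '0-9a-f')" ]; then
    echo "malformed digest: $observed" >&2
    return 2
  fi
  if [ "$observed" != "$want" ]; then
    echo "MISMATCH for $arch: cluster sees $observed, advisory lists $want" >&2
    return 1
  fi
  # Pin the upgrade target by digest rather than by the mutable 4.6.12 tag.
  echo "quay.io/openshift-release-dev/ocp-release@$want"
}

# Live usage (needs network access and the oc client):
#   check_release x86_64 "$(oc adm release info \
#       quay.io/openshift-release-dev/ocp-release:4.6.12-x86_64 | digest_from_info)"
```

A non-zero exit from check_release is the signal to stop: either the mirror or registry is serving something other than the advisory's image for that architecture, or the digest was copied incorrectly. The printed `@sha256:` pullspec is what to hand to the upgrade, so the cluster resolves the same bytes the advisory describes.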

All OpenShift Container Platform 4.6 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor.

3. Solution:

For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1810470 - [Flake] volume expansion tests occasionally flake with EBS CSI driver
1811341 - Subpath test pod did not start within 5 minutes
1814282 - Storage e2es leaving namespaces/pods around
1836931 - `oc explain localvolume` returns empty description
1842747 - Not READYTOUSE volumesnapshot instance can not be deleted
1843008 - Fix reconciliation of manifests for 4.6 channel for LSO
1850161 - [4.6] the skipVersion should exactly match regex in art.yaml
1852619 - must-gather creates empty files occasionally
1866843 - upgrade got stuck because of FailedAttachVolume
1867704 - cluster-storage-operator needs to grant pod list/watch permissions to aws operator
1867757 - Rebase node-registrar sidebar with latest version
1871439 - Bump node registrar golang version
1871955 - Allow snapshot operator to run on masters
1872000 - Allow ovirt controller to run on master nodes
1872244 - [aws-ebs-csi-driver] build fails
1872290 - storage operator does not install on ovirt
1872500 - Update resizer sidecar in CSI operators to use timeout parameter than csiTimeout
1873168 - add timeout parameter to resizer for aws
1877084 - tune resizer to have higher timeout than 2mins
1879221 - [Assisted-4.6][Staging] assisted-service API does not prevent a request with another user's credentials from setting cluster installation progress
1881625 - replace goautoreneg library in LSO
1886640 - CVE-2020-8566 kubernetes: Ceph RBD adminSecrets exposed in logs when loglevel >= 4
1888909 - Placeholder bug for OCP 4.6.0 rpm release
1889416 - Installer complains about not enough vcpu for the baremetal flavor where generic bm flavor is being used
1889936 - Backport timecache LRU fix
1894244 - [Backport 4.6] IO archive contains more records of than is the limit
1894678 - Installer panics on invalid flavor
1894878 - Helm chart fails to install using developer console because of TLS certificate error
1895325 - [OSP] External mode cluster creation disabled for Openstack and oVirt platform
1895426 - unable to edit an application with a custom builder image
1895434 - unable to edit custom template application
1897337 - Mounts failing with error "Failed to start transient scope unit: Argument list too long"
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1898178 - [OVN] EgressIP does not guard against node IP assignment
1899266 - [4.6z] Baremetal IPI with IPv6 control plane: nodes respond with duplicate packets to ICMP6 echo requests
1899622 - [4.6z] configure-ovs.sh doesn't configure bonding options
1900736 - [SR-IOV] Backport request to SR-IOV operator version 4.6 - SriovNetworkNodePolicies apply ignoring the spec.nodeSelector.
1900792 - Track all resource counts via telemetry
1901736 - additionalSecurityGroupIDs not working for master nodes
1903353 - Etcd container leaves grep and lsof zombie processes
1905947 - [Internal Mode] Object gateway (RGW) in unknown state after OCP upgrade.
1906428 - [release-4.6]: When using webhooks in OCP 4.5 fails to rollout latest deploymentconfig
1906723 - File /etc/NetworkManager/system-connections/default_connection.nmconnection is incompatible with SR-IOV operator
1906836 - [sig-arch][Early] Managed cluster should start all core operators: monitoring: container has runAsNonRoot and image has non-numeric user (nobody)
1907203 - clusterresourceoverride-operator has version: 1.0.0 every build
1908472 - High Podready Latency due to timed out waiting for annotations
1908749 - [GSS] Unable to deploy OCS 4.5.2 on OCP 4.6.1, cannot `Create OCS Cluster Service`
1908803 - [OVN] Network Policy fails to work when project label gets overwritten
1908847 - [4.6.z] RHCOS 4.6 - Missing Initiatorname
1909062 - ARO/Azure: excessive pod memory allocation causes node lockup
1909248 - Intermittent packet drop from pod to pod
1909682 - When scaling down the status of the node is stuck on deleting
1909990 - oVirt provider uses deprecated cluster-api project
1910066 - OpenShift YAML editor jumps to top every few seconds
1910104 - [oVirt] Node is not removed when VM has been removed from oVirt engine
1911790 - [Assisted-4.6] [Staging] reduce disk speed requirement for test/dev environments
1913103 - Placeholder bug for OCP 4.6.0 rpm release
1913105 - Placeholder bug for OCP 4.6.0 metadata release
1913263 - [4.6] Unable to schedule a pod due to Insufficient ephemeral-storage
1913329 - [Assisted-4.6] [Staging] Installation fails to start
1914988 - [4.6.z] real-time kernel in RHCOS is not synchronized
1915007 - Fixed by revert -- Upgrade to OCP 4.6.9 results in cluster-wide DNS and connectivity issues due to bad NetworkPolicy flows

5. References:

https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-2304
https://access.redhat.com/security/cve/CVE-2020-2305
https://access.redhat.com/security/cve/CVE-2020-2306
https://access.redhat.com/security/cve/CVE-2020-2307
https://access.redhat.com/security/cve/CVE-2020-2308
https://access.redhat.com/security/cve/CVE-2020-2309
https://access.redhat.com/security/cve/CVE-2020-2574
https://access.redhat.com/security/cve/CVE-2020-2752
https://access.redhat.com/security/cve/CVE-2020-2922
https://access.redhat.com/security/cve/CVE-2020-8177
https://access.redhat.com/security/cve/CVE-2020-8566
https://access.redhat.com/security/cve/CVE-2020-13249
https://access.redhat.com/security/cve/CVE-2020-25641
https://access.redhat.com/security/cve/CVE-2020-25694
https://access.redhat.com/security/cve/CVE-2020-25696
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----