VARIoT IoT vulnerabilities database

BHU Wi-Fi Router is a wireless router from China BHU. A security vulnerability exists in the BHU Wi-Fi Router. An attacker could use this vulnerability to perform unauthorized operations, obtain sensitive information, and execute arbitrary code in the context of an application

The BIOS for Lenovo ThinkCentre E93, M6500t/s, M6600, M6600q, M6600t/s, M73p, M800, M83, M8500t/s, M8600t/s, M900, M93, and M93P devices; ThinkServer RQ940, RS140, TS140, TS240, TS440, and TS540 devices; and ThinkStation E32, P300, and P310 devices might allow local users or physically proximate attackers to bypass the Secure Boot protection mechanism by leveraging an AMI test key. Supplementary information : CWE Vulnerability type by CWE-254: Security Features ( Security function ) Has been identified. Lenovo Secure Boot is prone to a local security-bypass vulnerability. Local attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. Lenovo ThinkCentre E93, etc. are all computer products of China Lenovo (Lenovo). There are security vulnerabilities in the BIOS of several Lenovo products. The following products are affected: Lenovo ThinkCentre E93, M6500t/s, M6600, M6600q, M6600t/s, M73p, M800, M83, M8500t/s, M8600t/s, M900, M93, M93P, ThinkServer RQ940, RS140, TS140, TS240, TS440, TS540, ThinkStation E32, P300, P310

The (1) Device Manager, (2) Tiered Storage Manager, (3) Replication Manager, (4) Replication Monitor, and (5) Hitachi Automation Director (HAD) components in HPE XP P9000 Command View Advanced Edition Software before 8.4.1-00 and XP7 Command View Advanced Edition Suite before 8.4.1-00 allow remote attackers to obtain sensitive information via unspecified vectors. Multiple HP Products are prone to a remote information-disclosure vulnerability. Remote attackers can exploit this issue to obtain sensitive information that may lead to further attacks

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. TLS (Transport Layer Security) is a set of protocols used to provide confidentiality and data integrity between two communication applications. SSH (full name Secure Shell) is a set of security protocols based on the application layer and transport layer developed by the Network Working Group of the Internet Engineering Task Force (IETF). IPSec (full name Internet Protocol Security) is a set of IP security protocols established by the IPSec group of the Internet Engineering Task Force (IETF). Both DES and Triple DES are encryption algorithms. There are information leakage vulnerabilities in the DES and Triple DES encryption algorithms used in the TLS, SSH, and IPSec protocols and other protocols and products. This vulnerability stems from configuration errors in network systems or products during operation. An unauthorized attacker could exploit the vulnerability to obtain sensitive information of the affected components. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.8.2 bug fix and security update Advisory ID: RHSA-2021:2438-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:2438 Issue date: 2021-07-27 CVE Names: CVE-2016-2183 CVE-2020-7774 CVE-2020-15106 CVE-2020-15112 CVE-2020-15113 CVE-2020-15114 CVE-2020-15136 CVE-2020-26160 CVE-2020-26541 CVE-2020-28469 CVE-2020-28500 CVE-2020-28852 CVE-2021-3114 CVE-2021-3121 CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 CVE-2021-3541 CVE-2021-3636 CVE-2021-20206 CVE-2021-20271 CVE-2021-20291 CVE-2021-21419 CVE-2021-21623 CVE-2021-21639 CVE-2021-21640 CVE-2021-21648 CVE-2021-22133 CVE-2021-23337 CVE-2021-23362 CVE-2021-23368 CVE-2021-23382 CVE-2021-25735 CVE-2021-25737 CVE-2021-26539 CVE-2021-26540 CVE-2021-27292 CVE-2021-28092 CVE-2021-29059 CVE-2021-29622 CVE-2021-32399 CVE-2021-33034 CVE-2021-33194 CVE-2021-33909 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.8.2 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. This advisory contains the container images for Red Hat OpenShift Container Platform 4.8.2. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHSA-2021:2437 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-rel ease-notes.html Security Fix(es): * SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183) * gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121) * nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774) * etcd: Large slice causes panic in decodeRecord method (CVE-2020-15106) * etcd: DoS in wal/wal.go (CVE-2020-15112) * etcd: directories created via os.MkdirAll are not checked for permissions (CVE-2020-15113) * etcd: gateway can include itself as an endpoint resulting in resource exhaustion and leads to DoS (CVE-2020-15114) * etcd: no authentication is performed against endpoints provided in the - --endpoints flag (CVE-2020-15136) * jwt-go: access restriction bypass vulnerability (CVE-2020-26160) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions (CVE-2020-28500) * golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852) * golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114) * containernetworking-cni: Arbitrary path injection via type field in CNI configuration (CVE-2021-20206) * containers/storage: DoS via malicious image (CVE-2021-20291) * prometheus: open redirect under the /new endpoint (CVE-2021-29622) * golang: x/net/html: infinite loop in ParseFragment (CVE-2021-33194) * go.elastic.co/apm: leaks sensitive HTTP headers during panic (CVE-2021-22133) Space precludes listing in detail the following additional CVEs fixes: (CVE-2021-27292), (CVE-2021-28092), (CVE-2021-29059), (CVE-2021-23382), (CVE-2021-26539), (CVE-2021-26540), (CVE-2021-23337), (CVE-2021-23362) and (CVE-2021-23368) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: You may download the oc tool and use it to inspect release image metadata as follows: (For x86_64 architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.2-x86_64 The image digest is ssha256:0e82d17ababc79b10c10c5186920232810aeccbccf2a74c691487090a2c98ebc (For s390x architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.2-s390x The image digest is sha256:a284c5c3fa21b06a6a65d82be1dc7e58f378aa280acd38742fb167a26b91ecb5 (For ppc64le architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.8.2-ppc64le The image digest is sha256:da989b8e28bccadbb535c2b9b7d3597146d14d254895cd35f544774f374cdd0f All OpenShift Container Platform 4.8 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.8/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor 3. Solution: For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.8/updating/updating-cluster - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32) 1725981 - oc explain does not work well with full resource.group names 1747270 - [osp] Machine with name "<cluster-id>-worker"couldn't join the cluster 1772993 - rbd block devices attached to a host are visible in unprivileged container pods 1786273 - [4.6] KAS pod logs show "error building openapi models ... has invalid property: anyOf" for CRDs 1786314 - [IPI][OSP] Install fails on OpenStack with self-signed certs unless the node running the installer has the CA cert in its system trusts 1801407 - Router in v4v6 mode puts brackets around IPv4 addresses in the Forwarded header 1812212 - ArgoCD example application cannot be downloaded from github 1817954 - [ovirt] Workers nodes are not numbered sequentially 1824911 - PersistentVolume yaml editor is read-only with system:persistent-volume-provisioner ClusterRole 1825219 - openshift-apiserver becomes False after env runs some time due to communication between one master to pods on another master fails with "Unable to connect to the server" 1825417 - The containerruntimecontroller doesn't roll back to CR-1 if we delete CR-2 1834551 - ClusterOperatorDown fires when operator is only degraded; states will block upgrades 1835264 - Intree provisioner doesn't respect PVC.spec.dataSource sometimes 1839101 - Some sidebar links in developer perspective don't follow same project 1840881 - The KubeletConfigController cannot process multiple confs for a pool/ pool changes 1846875 - Network setup test high failure rate 1848151 - Console continues to poll the ClusterVersion resource when the user doesn't have authority 1850060 - After upgrading to 3.11.219 timeouts are appearing. 1852637 - Kubelet sets incorrect image names in node status images section 1852743 - Node list CPU column only show usage 1853467 - container_fs_writes_total is inconsistent with CPU/memory in summarizing cgroup values 1857008 - [Edge] [BareMetal] Not provided STATE value for machines 1857477 - Bad helptext for storagecluster creation 1859382 - check-endpoints panics on graceful shutdown 1862084 - Inconsistency of time formats in the OpenShift web-console 1864116 - Cloud credential operator scrolls warnings about unsupported platform 1866222 - Should output all options when runing `operator-sdk init --help` 1866318 - [RHOCS Usability Study][Dashboard] Users found it difficult to navigate to the OCS dashboard 1866322 - [RHOCS Usability Study][Dashboard] Alert details page does not help to explain the Alert 1866331 - [RHOCS Usability Study][Dashboard] Users need additional tooltips or definitions 1868755 - [vsphere] terraform provider vsphereprivate crashes when network is unavailable on host 1868870 - CVE-2020-15113 etcd: directories created via os.MkdirAll are not checked for permissions 1868872 - CVE-2020-15112 etcd: DoS in wal/wal.go 1868874 - CVE-2020-15114 etcd: gateway can include itself as an endpoint resulting in resource exhaustion and leads to DoS 1868880 - CVE-2020-15136 etcd: no authentication is performed against endpoints provided in the --endpoints flag 1868883 - CVE-2020-15106 etcd: Large slice causes panic in decodeRecord method 1871303 - [sig-instrumentation] Prometheus when installed on the cluster should have important platform topology metrics 1871770 - [IPI baremetal] The Keepalived.conf file is not indented evenly 1872659 - ClusterAutoscaler doesn't scale down when a node is not needed anymore 1873079 - SSH to api and console route is possible when the clsuter is hosted on Openstack 1873649 - proxy.config.openshift.io should validate user inputs 1874322 - openshift/oauth-proxy: htpasswd using SHA1 to store credentials 1874931 - Accessibility - Keyboard shortcut to exit YAML editor not easily discoverable 1876918 - scheduler test leaves taint behind 1878199 - Remove Log Level Normalization controller in cluster-config-operator release N+1 1878655 - [aws-custom-region] creating manifests take too much time when custom endpoint is unreachable 1878685 - Ingress resource with "Passthrough" annotation does not get applied when using the newer "networking.k8s.io/v1" API 1879077 - Nodes tainted after configuring additional host iface 1879140 - console auth errors not understandable by customers 1879182 - switch over to secure access-token logging by default and delete old non-sha256 tokens 1879184 - CVO must detect or log resource hotloops 1879495 - [4.6] namespace \“openshift-user-workload-monitoring\” does not exist” 1879638 - Binary file uploaded to a secret in OCP 4 GUI is not properly converted to Base64-encoded string 1879944 - [OCP 4.8] Slow PV creation with vsphere 1880757 - AWS: master not removed from LB/target group when machine deleted 1880758 - Component descriptions in cloud console have bad description (Managed by Terraform) 1881210 - nodePort for router-default metrics with NodePortService does not exist 1881481 - CVO hotloops on some service manifests 1881484 - CVO hotloops on deployment manifests 1881514 - CVO hotloops on imagestreams from cluster-samples-operator 1881520 - CVO hotloops on (some) clusterrolebindings 1881522 - CVO hotloops on clusterserviceversions packageserver 1881662 - Error getting volume limit for plugin kubernetes.io/<name> in kubelet logs 1881694 - Evidence of disconnected installs pulling images from the local registry instead of quay.io 1881938 - migrator deployment doesn't tolerate masters 1883371 - CVE-2020-26160 jwt-go: access restriction bypass vulnerability 1883587 - No option for user to select volumeMode 1883993 - Openshift 4.5.8 Deleting pv disk vmdk after delete machine 1884053 - cluster DNS experiencing disruptions during cluster upgrade in insights cluster 1884800 - Failed to set up mount unit: Invalid argument 1885186 - Removing ssh keys MC does not remove the key from authorized_keys 1885349 - [IPI Baremetal] Proxy Information Not passed to metal3 1885717 - activeDeadlineSeconds DeadlineExceeded does not show terminated container statuses 1886572 - auth: error contacting auth provider when extra ingress (not default) goes down 1887849 - When creating new storage class failure_domain is missing. 1888712 - Worker nodes do not come up on a baremetal IPI deployment with control plane network configured on a vlan on top of bond interface due to Pending CSRs 1889689 - AggregatedAPIErrors alert may never fire 1890678 - Cypress: Fix 'structure' accesibility violations 1890828 - Intermittent prune job failures causing operator degradation 1891124 - CP Conformance: CRD spec and status failures 1891301 - Deleting bmh by "oc delete bmh' get stuck 1891696 - [LSO] Add capacity UI does not check for node present in selected storageclass 1891766 - [LSO] Min-Max filter's from OCS wizard accepts Negative values and that cause PV not getting created 1892642 - oauth-server password metrics do not appear in UI after initial OCP installation 1892718 - HostAlreadyClaimed: The new route cannot be loaded with a new api group version 1893850 - Add an alert for requests rejected by the apiserver 1893999 - can't login ocp cluster with oc 4.7 client without the username 1895028 - [gcp-pd-csi-driver-operator] Volumes created by CSI driver are not deleted on cluster deletion 1895053 - Allow builds to optionally mount in cluster trust stores 1896226 - recycler-pod template should not be in kubelet static manifests directory 1896321 - MachineSet scaling from 0 is not available or evaluated incorrectly for the new or changed instance types 1896751 - [RHV IPI] Worker nodes stuck in the Provisioning Stage if the machineset has a long name 1897415 - [Bare Metal - Ironic] provide the ability to set the cipher suite for ipmitool when doing a Bare Metal IPI install 1897621 - Auth test.Login test.logs in as kubeadmin user: Timeout 1897918 - [oVirt] e2e tests fail due to kube-apiserver not finishing 1898680 - CVE-2020-7774 nodejs-y18n: prototype pollution vulnerability 1899057 - fix spurious br-ex MAC address error log 1899187 - [Openstack] node-valid-hostname.service failes during the first boot leading to 5 minute provisioning delay 1899587 - [External] RGW usage metrics shown on Object Service Dashboard is incorrect 1900454 - Enable host-based disk encryption on Azure platform 1900819 - Scaled ingress replicas following sharded pattern don't balance evenly across multi-AZ 1901207 - Search Page - Pipeline resources table not immediately updated after Name filter applied or removed 1901535 - Remove the managingOAuthAPIServer field from the authentication.operator API 1901648 - "do you need to set up custom dns" tooltip inaccurate 1902003 - Jobs Completions column is not sorting when there are "0 of 1" and "1 of 1" in the list. 1902076 - image registry operator should monitor status of its routes 1902247 - openshift-oauth-apiserver apiserver pod crashloopbackoffs 1903055 - [OSP] Validation should fail when no any IaaS flavor or type related field are given 1903228 - Pod stuck in Terminating, runc init process frozen 1903383 - Latest RHCOS 47.83. builds failing to install: mount /root.squashfs failed 1903553 - systemd container renders node NotReady after deleting it 1903700 - metal3 Deployment doesn't have unique Pod selector 1904006 - The --dir option doest not work for command `oc image extract` 1904505 - Excessive Memory Use in Builds 1904507 - vsphere-problem-detector: implement missing metrics 1904558 - Random init-p error when trying to start pod 1905095 - Images built on OCP 4.6 clusters create manifests that result in quay.io (and other registries) rejecting those manifests 1905147 - ConsoleQuickStart Card's prerequisites is a combined text instead of a list 1905159 - Installation on previous unused dasd fails after formatting 1905331 - openshift-multus initContainer multus-binary-copy, etc. are not requesting required resources: cpu, memory 1905460 - Deploy using virtualmedia for disabled provisioning network on real BM(HPE) fails 1905577 - Control plane machines not adopted when provisioning network is disabled 1905627 - Warn users when using an unsupported browser such as IE 1905709 - Machine API deletion does not properly handle stopped instances on AWS or GCP 1905849 - Default volumesnapshotclass should be created when creating default storageclass 1906056 - Bundles skipped via the `skips` field cannot be pinned 1906102 - CBO produces standard metrics 1906147 - ironic-rhcos-downloader should not use --insecure 1906304 - Unexpected value NaN parsing x/y attribute when viewing pod Memory/CPU usage chart 1906740 - [aws]Machine should be "Failed" when creating a machine with invalid region 1907309 - Migrate controlflow v1alpha1 to v1beta1 in storage 1907315 - the internal load balancer annotation for AWS should use "true" instead of "0.0.0.0/0" as value 1907353 - [4.8] OVS daemonset is wasting resources even though it doesn't do anything 1907614 - Update kubernetes deps to 1.20 1908068 - Enable DownwardAPIHugePages feature gate 1908169 - The example of Import URL is "Fedora cloud image list" for all templates. 1908170 - sriov network resource injector: Hugepage injection doesn't work with mult container 1908343 - Input labels in Manage columns modal should be clickable 1908378 - [sig-network] pods should successfully create sandboxes by getting pod - Static Pod Failures 1908655 - "Evaluating rule failed" for "record: node:node_num_cpu:sum" rule 1908762 - [Dualstack baremetal cluster] multicast traffic is not working on ovn-kubernetes 1908765 - [SCALE] enable OVN lflow data path groups 1908774 - [SCALE] enable OVN DB memory trimming on compaction 1908916 - CNO: turn on OVN DB RAFT diffs once all master DB pods are capable of it 1909091 - Pod/node/ip/template isn't showing when vm is running 1909600 - Static pod installer controller deadlocks with non-existing installer pod, WAS: kube-apisrever of clsuter operator always with incorrect status due to pleg error 1909849 - release-openshift-origin-installer-e2e-aws-upgrade-fips-4.4 is perm failing 1909875 - [sig-cluster-lifecycle] Cluster version operator acknowledges upgrade : timed out waiting for cluster to acknowledge upgrade 1910067 - UPI: openstacksdk fails on "server group list" 1910113 - periodic-ci-openshift-release-master-ocp-4.5-ci-e2e-44-stable-to-45-ci is never passing 1910318 - OC 4.6.9 Installer failed: Some pods are not scheduled: 3 node(s) didn't match node selector: AWS compute machines without status 1910378 - socket timeouts for webservice communication between pods 1910396 - 4.6.9 cred operator should back-off when provisioning fails on throttling 1910500 - Could not list CSI provisioner on web when create storage class on GCP platform 1911211 - Should show the cert-recovery-controller version correctly 1911470 - ServiceAccount Registry Authfiles Do Not Contain Entries for Public Hostnames 1912571 - libvirt: Support setting dnsmasq options through the install config 1912820 - openshift-apiserver Available is False with 3 pods not ready for a while during upgrade 1913112 - BMC details should be optional for unmanaged hosts 1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag 1913341 - GCP: strange cluster behavior in CI run 1913399 - switch to v1beta1 for the priority and fairness APIs 1913525 - Panic in OLM packageserver when invoking webhook authorization endpoint 1913532 - After a 4.6 to 4.7 upgrade, a node went unready 1913974 - snapshot test periodically failing with "can't open '/mnt/test/data': No such file or directory" 1914127 - Deletion of oc get svc router-default -n openshift-ingress hangs 1914446 - openshift-service-ca-operator and openshift-service-ca pods run as root 1914994 - Panic observed in k8s-prometheus-adapter since k8s 1.20 1915122 - Size of the hostname was preventing proper DNS resolution of the worker node names 1915693 - Not able to install gpu-operator on cpumanager enabled node. 1915971 - Role and Role Binding breadcrumbs do not work as expected 1916116 - the left navigation menu would not be expanded if repeat clicking the links in Overview page 1916118 - [OVN] Source IP is not EgressIP if configured allow 0.0.0.0/0 in the EgressFirewall 1916392 - scrape priority and fairness endpoints for must-gather 1916450 - Alertmanager: add title and text fields to Adv. config. section of Slack Receiver form 1916489 - [sig-scheduling] SchedulerPriorities [Serial] fails with "Error waiting for 1 pods to be running - probably a timeout: Timeout while waiting for pods with labels to be ready" 1916553 - Default template's description is empty on details tab 1916593 - Destroy cluster sometimes stuck in a loop 1916872 - need ability to reconcile exgw annotations on pod add 1916890 - [OCP 4.7] api or api-int not available during installation 1917241 - [en_US] The tooltips of Created date time is not easy to read in all most of UIs. 1917282 - [Migration] MCO stucked for rhel worker after enable the migration prepare state 1917328 - It should default to current namespace when create vm from template action on details page 1917482 - periodic-ci-openshift-release-master-ocp-4.7-e2e-metal-ipi failing with "cannot go from state 'deploy failed' to state 'manageable'" 1917485 - [oVirt] ovirt machine/machineset object has missing some field validations 1917667 - Master machine config pool updates are stalled during the migration from SDN to OVNKube. 1917906 - [oauth-server] bump k8s.io/apiserver to 1.20.3 1917931 - [e2e-gcp-upi] failing due to missing pyopenssl library 1918101 - [vsphere]Delete Provisioning machine took about 12 minutes 1918376 - Image registry pullthrough does not support ICSP, mirroring e2es do not pass 1918442 - Service Reject ACL does not work on dualstack 1918723 - installer fails to write boot record on 4k scsi lun on s390x 1918729 - Add hide/reveal button for the token field in the KMS configuration page 1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve 1918785 - Pod request and limit calculations in console are incorrect 1918910 - Scale from zero annotations should not requeue if instance type missing 1919032 - oc image extract - will not extract files from image rootdir - "error: unexpected directory from mapping tests.test" 1919048 - Whereabouts IPv6 addresses not calculated when leading hextets equal 0 1919151 - [Azure] dnsrecords with invalid domain should not be published to Azure dnsZone 1919168 - `oc adm catalog mirror` doesn't work for the air-gapped cluster 1919291 - [Cinder-csi-driver] Filesystem did not expand for on-line volume resize 1919336 - vsphere-problem-detector should check if datastore is part of datastore cluster 1919356 - Add missing profile annotation in cluster-update-keys manifests 1919391 - CVE-2021-20206 containernetworking-cni: Arbitrary path injection via type field in CNI configuration 1919398 - Permissive Egress NetworkPolicy (0.0.0.0/0) is blocking all traffic 1919406 - OperatorHub filter heading "Provider Type" should be "Source" 1919737 - hostname lookup delays when master node down 1920209 - Multus daemonset upgrade takes the longest time in the cluster during an upgrade 1920221 - GCP jobs exhaust zone listing query quota sometimes due to too many initializations of cloud provider in tests 1920300 - cri-o does not support configuration of stream idle time 1920307 - "VM not running" should be "Guest agent required" on vm details page in dev console 1920532 - Problem in trying to connect through the service to a member that is the same as the caller. 1920677 - Various missingKey errors in the devconsole namespace 1920699 - Operation cannot be fulfilled on clusterresourcequotas.quota.openshift.io error when creating different OpenShift resources 1920901 - [4.7]"500 Internal Error" for prometheus route in https_proxy cluster 1920903 - oc adm top reporting unknown status for Windows node 1920905 - Remove DNS lookup workaround from cluster-api-provider 1921106 - A11y Violation: button name(s) on Utilization Card on Cluster Dashboard 1921184 - kuryr-cni binds to wrong interface on machine with two interfaces 1921227 - Fix issues related to consuming new extensions in Console static plugins 1921264 - Bundle unpack jobs can hang indefinitely 1921267 - ResourceListDropdown not internationalized 1921321 - SR-IOV obliviously reboot the node 1921335 - ThanosSidecarUnhealthy 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 1921720 - test: openshift-tests.[sig-cli] oc observe works as expected [Suite:openshift/conformance/parallel] 1921763 - operator registry has high memory usage in 4.7... cleanup row closes 1921778 - Push to stage now failing with semver issues on old releases 1921780 - Search page not fully internationalized 1921781 - DefaultList component not internationalized 1921878 - [kuryr] Egress network policy with namespaceSelector in Kuryr behaves differently than in OVN-Kubernetes 1921885 - Server-side Dry-run with Validation Downloads Entire OpenAPI spec often 1921892 - MAO: controller runtime manager closes event recorder 1921894 - Backport Avoid node disruption when kube-apiserver-to-kubelet-signer is rotated 1921937 - During upgrade /etc/hostname becomes a directory, nodes are set with kubernetes.io/hostname=localhost label 1921953 - ClusterServiceVersion property inference does not infer package and version 1922063 - "Virtual Machine" should be "Templates" in template wizard 1922065 - Rootdisk size is default to 15GiB in customize wizard 1922235 - [build-watch] e2e-aws-upi - e2e-aws-upi container setup failing because of Python code version mismatch 1922264 - Restore snapshot as a new PVC: RWO/RWX access modes are not click-able if parent PVC is deleted 1922280 - [v2v] on the upstream release, In VM import wizard I see RHV but no oVirt 1922646 - Panic in authentication-operator invoking webhook authorization 1922648 - FailedCreatePodSandBox due to "failed to pin namespaces [uts]: [pinns:e]: /var/run/utsns exists and is not a directory: File exists" 1922764 - authentication operator is degraded due to number of kube-apiservers 1922992 - some button text on YAML sidebar are not translated 1922997 - [Migration]The SDN migration rollback failed. 1923038 - [OSP] Cloud Info is loaded twice 1923157 - Ingress traffic performance drop due to NodePort services 1923786 - RHV UPI fails with unhelpful message when ASSET_DIR is not set. 1923811 - Registry claims Available=True despite .status.readyReplicas == 0 while .spec.replicas == 2 1923847 - Error occurs when creating pods if configuring multiple key-only labels in default cluster-wide node selectors or project-wide node selectors 1923984 - Incorrect anti-affinity for UWM prometheus 1924020 - panic: runtime error: index out of range [0] with length 0 1924075 - kuryr-controller restart when enablePortPoolsPrepopulation = true 1924083 - "Activity" Pane of Persistent Storage tab shows events related to Noobaa too 1924140 - [OSP] Typo in OPENSHFIT_INSTALL_SKIP_PREFLIGHT_VALIDATIONS variable 1924171 - ovn-kube must handle single-stack to dual-stack migration 1924358 - metal UPI setup fails, no worker nodes 1924502 - Failed to start transient scope unit: Argument list too long / systemd[1]: Failed to set up mount unit: Invalid argument 1924536 - 'More about Insights' link points to support link 1924585 - "Edit Annotation" are not correctly translated in Chinese 1924586 - Control Plane status and Operators status are not fully internationalized 1924641 - [User Experience] The message "Missing storage class" needs to be displayed after user clicks Next and needs to be rephrased 1924663 - Insights operator should collect related pod logs when operator is degraded 1924701 - Cluster destroy fails when using byo with Kuryr 1924728 - Difficult to identify deployment issue if the destination disk is too small 1924729 - Create Storageclass for CephFS provisioner assumes incorrect default FSName in external mode (side-effect of fix for Bug 1878086) 1924747 - InventoryItem doesn't internationalize resource kind 1924788 - Not clear error message when there are no NADs available for the user 1924816 - Misleading error messages in ironic-conductor log 1924869 - selinux avc deny after installing OCP 4.7 1924916 - PVC reported as Uploading when it is actually cloning 1924917 - kuryr-controller in crash loop if IP is removed from secondary interfaces 1924953 - newly added 'excessive etcd leader changes' test case failing in serial job 1924968 - Monitoring list page filter options are not translated 1924983 - some components in utils directory not localized 1925017 - [UI] VM Details-> Network Interfaces, 'Name,' is displayed instead on 'Name' 1925061 - Prometheus backed by a PVC may start consuming a lot of RAM after 4.6 -> 4.7 upgrade due to series churn 1925083 - Some texts are not marked for translation on idp creation page. 1925087 - Add i18n support for the Secret page 1925148 - Shouldn't create the redundant imagestream when use `oc new-app --name=testapp2 -i ` with exist imagestream 1925207 - VM from custom template - cloudinit disk is not added if creating the VM from custom template using customization wizard 1925216 - openshift installer fails immediately failed to fetch Install Config 1925236 - OpenShift Route targets every port of a multi-port service 1925245 - oc idle: Clusters upgrading with an idled workload do not have annotations on the workload's service 1925261 - Items marked as mandatory in KMS Provider form are not enforced 1925291 - Baremetal IPI - While deploying with IPv6 provision network with subnet other than /64 masters fail to PXE boot 1925343 - [ci] e2e-metal tests are not using reserved instances 1925493 - Enable snapshot e2e tests 1925586 - cluster-etcd-operator is leaking transports 1925614 - Error: InstallPlan.operators.coreos.com not found 1925698 - On GCP, load balancers report kube-apiserver fails its /readyz check 50% of the time, causing load balancer backend churn and disruptions to apiservers 1926029 - [RFE] Either disable save or give warning when no disks support snapshot 1926054 - Localvolume CR is created successfully, when the storageclass name defined in the localvolume exists. 1926072 - Close button (X) does not work in the new "Storage cluster exists" Warning alert message(introduced via fix for Bug 1867400) 1926082 - Insights operator should not go degraded during upgrade 1926106 - [ja_JP][zh_CN] Create Project, Delete Project and Delete PVC modal are not fully internationalized 1926115 - Texts in “Insights” popover on overview page are not marked for i18n 1926123 - Pseudo bug: revert "force cert rotation every couple days for development" in 4.7 1926126 - some kebab/action menu translation issues 1926131 - Add HPA page is not fully internationalized 1926146 - [sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it 1926154 - Create new pool with arbiter - wrong replica 1926278 - [oVirt] consume K8S 1.20 packages 1926279 - Pod ignores mtu setting from sriovNetworkNodePolicies in case of PF partitioning 1926285 - ignore pod not found status messages 1926289 - Accessibility: Modal content hidden from screen readers 1926310 - CannotRetrieveUpdates alerts on Critical severity 1926329 - [Assisted-4.7][Staging] monitoring stack in staging is being overloaded by the amount of metrics being exposed by assisted-installer pods and scraped by prometheus. 1926336 - Service details can overflow boxes at some screen widths 1926346 - move to go 1.15 and registry.ci.openshift.org 1926364 - Installer timeouts because proxy blocked connection to Ironic API running on bootstrap VM 1926465 - bootstrap kube-apiserver does not have --advertise-address set – was: [BM][IPI][DualStack] Installation fails cause Kubernetes service doesn't have IPv6 endpoints 1926484 - API server exits non-zero on 2 SIGTERM signals 1926547 - OpenShift installer not reporting IAM permission issue when removing the Shared Subnet Tag 1926579 - Setting .spec.policy is deprecated and will be removed eventually. Please use .spec.profile instead is being logged every 3 seconds in scheduler operator log 1926598 - Duplicate alert rules are displayed on console for thanos-querier api return wrong results 1926776 - "Template support" modal appears when select the RHEL6 common template 1926835 - [e2e][automation] prow gating use unsupported CDI version 1926843 - pipeline with finally tasks status is improper 1926867 - openshift-apiserver Available is False with 3 pods not ready for a while during upgrade 1926893 - When deploying the operator via OLM (after creating the respective catalogsource), the deployment "lost" the `resources` section. 1926903 - NTO may fail to disable stalld when relying on Tuned '[service]' plugin 1926931 - Inconsistent ovs-flow rule on one of the app node for egress node 1926943 - vsphere-problem-detector: Alerts in CI jobs 1926977 - [sig-devex][Feature:ImageEcosystem][Slow] openshift sample application repositories rails/nodejs 1927013 - Tables don't render properly at smaller screen widths 1927017 - CCO does not relinquish leadership when restarting for proxy CA change 1927042 - Empty static pod files on UPI deployments are confusing 1927047 - multiple external gateway pods will not work in ingress with IP fragmentation 1927068 - Workers fail to PXE boot when IPv6 provisionining network has subnet other than /64 1927075 - [e2e][automation] Fix pvc string in pvc.view 1927118 - OCP 4.7: NVIDIA GPU Operator DCGM metrics not displayed in OpenShift Console Monitoring Metrics page 1927244 - UPI installation with Kuryr timing out on bootstrap stage 1927263 - kubelet service takes around 43 secs to start container when started from stopped state 1927264 - FailedCreatePodSandBox due to multus inability to reach apiserver 1927310 - Performance: Console makes unnecessary requests for en-US messages on load 1927340 - Race condition in OperatorCondition reconcilation 1927366 - OVS configuration service unable to clone NetworkManager's connections in the overlay FS 1927391 - Fix flake in TestSyncPodsDeletesWhenSourcesAreReady 1927393 - 4.7 still points to 4.6 catalog images 1927397 - p&f: add auto update for priority & fairness bootstrap configuration objects 1927423 - Happy "Not Found" and no visible error messages on error-list page when /silences 504s 1927465 - Homepage dashboard content not internationalized 1927678 - Reboot interface defaults to softPowerOff so fencing is too slow 1927731 - /usr/lib/dracut/modules.d/30ignition/ignition --version sigsev 1927797 - 'Pod(s)' should be included in the pod donut label when a horizontal pod autoscaler is enabled 1927882 - Can't create cluster role binding from UI when a project is selected 1927895 - global RuntimeConfig is overwritten with merge result 1927898 - i18n Admin Notifier 1927902 - i18n Cluster Utilization dashboard duration 1927903 - "CannotRetrieveUpdates" - critical error in openshift web console 1927925 - Manually misspelled as Manualy 1927941 - StatusDescriptor detail item and Status component can cause runtime error when the status is an object or array 1927942 - etcd should use socket option (SO_REUSEADDR) instead of wait for port release on process restart 1927944 - cluster version operator cycles terminating state waiting for leader election 1927993 - Documentation Links in OKD Web Console are not Working 1928008 - Incorrect behavior when we click back button after viewing the node details in Internal-attached mode 1928045 - N+1 scaling Info message says "single zone" even if the nodes are spread across 2 or 0 zones 1928147 - Domain search set in the required domains in Option 119 of DHCP Server is ignored by RHCOS on RHV 1928157 - 4.7 CNO claims to be done upgrading before it even starts 1928164 - Traffic to outside the cluster redirected when OVN is used and NodePort service is configured 1928297 - HAProxy fails with 500 on some requests 1928473 - NetworkManager overlay FS not being created on None platform 1928512 - sap license management logs gatherer 1928537 - Cannot IPI with tang/tpm disk encryption 1928640 - Definite error message when using StorageClass based on azure-file / Premium_LRS 1928658 - Update plugins and Jenkins version to prepare openshift-sync-plugin 1.0.46 release 1928850 - Unable to pull images due to limited quota on Docker Hub 1928851 - manually creating NetNamespaces will break things and this is not obvious 1928867 - golden images - DV should not be created with WaitForFirstConsumer 1928869 - Remove css required to fix search bug in console caused by pf issue in 2021.1 1928875 - Update translations 1928893 - Memory Pressure Drop Down Info is stating "Disk" capacity is low instead of memory 1928931 - DNSRecord CRD is using deprecated v1beta1 API 1928937 - CVE-2021-23337 nodejs-lodash: command injection via template 1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions 1929052 - Add new Jenkins agent maven dir for 3.6 1929056 - kube-apiserver-availability.rules are failing evaluation 1929110 - LoadBalancer service check test fails during vsphere upgrade 1929136 - openshift isn't able to mount nfs manila shares to pods 1929175 - LocalVolumeSet: PV is created on disk belonging to other provisioner 1929243 - Namespace column missing in Nodes Node Details / pods tab 1929277 - Monitoring workloads using too high a priorityclass 1929281 - Update Tech Preview badge to transparent border color when upgrading to PatternFly v4.87.1 1929314 - ovn-kubernetes endpoint slice controller doesn't run on CI jobs 1929359 - etcd-quorum-guard uses origin-cli [4.8] 1929577 - Edit Application action overwrites Deployment envFrom values on save 1929654 - Registry for Azure uses legacy V1 StorageAccount 1929693 - Pod stuck at "ContainerCreating" status 1929733 - oVirt CSI driver operator is constantly restarting 1929769 - Getting 404 after switching user perspective in another tab and reload Project details 1929803 - Pipelines shown in edit flow for Workloads created via ContainerImage flow 1929824 - fix alerting on volume name check for vsphere 1929917 - Bare-metal operator is firing for ClusterOperatorDown for 15m during 4.6 to 4.7 upgrade 1929944 - The etcdInsufficientMembers alert fires incorrectly when any instance is down and not when quorum is lost 1930007 - filter dropdown item filter and resource list dropdown item filter doesn't support multi selection 1930015 - OS list is overlapped by buttons in template wizard 1930064 - Web console crashes during VM creation from template when no storage classes are defined 1930220 - Cinder CSI driver is not able to mount volumes under heavier load 1930240 - Generated clouds.yaml incomplete when provisioning network is disabled 1930248 - After creating a remediation flow and rebooting a worker there is no access to the openshift-web-console 1930268 - intel vfio devices are not expose as resources 1930356 - Darwin binary missing from mirror.openshift.com 1930393 - Gather info about unhealthy SAP pods 1930546 - Monitoring-dashboard-workload keep loading when user with cluster-role cluster-monitoring-view login develoer console 1930570 - Jenkins templates are displayed in Developer Catalog twice 1930620 - the logLevel field in containerruntimeconfig can't be set to "trace" 1930631 - Image local-storage-mustgather in the doc does not come from product registry 1930893 - Backport upstream patch 98956 for pod terminations 1931005 - Related objects page doesn't show the object when its name is empty 1931103 - remove periodic log within kubelet 1931115 - Azure cluster install fails with worker type workers Standard_D4_v2 1931215 - [RFE] Cluster-api-provider-ovirt should handle affinity groups 1931217 - [RFE] Installer should create RHV Affinity group for OCP cluster VMS 1931467 - Kubelet consuming a large amount of CPU and memory and node becoming unhealthy 1931505 - [IPI baremetal] Two nodes hold the VIP post remove and start of the Keepalived container 1931522 - Fresh UPI install on BM with bonding using OVN Kubernetes fails 1931529 - SNO: mentioning of 4 nodes in error message - Cluster network CIDR prefix 24 does not contain enough addresses for 4 hosts each one with 25 prefix (128 addresses) 1931629 - Conversational Hub Fails due to ImagePullBackOff 1931637 - Kubeturbo Operator fails due to ImagePullBackOff 1931652 - [single-node] etcd: discover-etcd-initial-cluster graceful termination race. 1931658 - [single-node] cluster-etcd-operator: cluster never pivots from bootstrapIP endpoint 1931674 - [Kuryr] Enforce nodes MTU for the Namespaces and Pods 1931852 - Ignition HTTP GET is failing, because DHCP IPv4 config is failing silently 1931883 - Fail to install Volume Expander Operator due to CrashLookBackOff 1931949 - Red Hat Integration Camel-K Operator keeps stuck in Pending state 1931974 - Operators cannot access kubeapi endpoint on OVNKubernetes on ipv6 1931997 - network-check-target causes upgrade to fail from 4.6.18 to 4.7 1932001 - Only one of multiple subscriptions to the same package is honored 1932097 - Apiserver liveness probe is marking it as unhealthy during normal shutdown 1932105 - machine-config ClusterOperator claims level while control-plane still updating 1932133 - AWS EBS CSI Driver doesn’t support “csi.storage.k8s.io/fsTyps” parameter 1932135 - When “iopsPerGB” parameter is not set, event for AWS EBS CSI Driver provisioning is not clear 1932152 - When “iopsPerGB” parameter is set to a wrong number, events for AWS EBS CSI Driver provisioning are not clear 1932154 - [AWS ] machine stuck in provisioned phase , no warnings or errors 1932182 - catalog operator causing CPU spikes and bad etcd performance 1932229 - Can’t find kubelet metrics for aws ebs csi volumes 1932281 - [Assisted-4.7][UI] Unable to change upgrade channel once upgrades were discovered 1932323 - CVE-2021-26540 sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for iframe element 1932324 - CRIO fails to create a Pod in sandbox stage - starting container process caused: process_linux.go:472: container init caused: Running hook #0:: error running hook: exit status 255, stdout: , stderr: \"\n" 1932362 - CVE-2021-26539 sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation 1932401 - Cluster Ingress Operator degrades if external LB redirects http to https because of new "canary" route 1932453 - Update Japanese timestamp format 1932472 - Edit Form/YAML switchers cause weird collapsing/code-folding issue 1932487 - [OKD] origin-branding manifest is missing cluster profile annotations 1932502 - Setting MTU for a bond interface using Kernel arguments is not working 1932618 - Alerts during a test run should fail the test job, but were not 1932624 - ClusterMonitoringOperatorReconciliationErrors is pending at the end of an upgrade and probably should not be 1932626 - During a 4.8 GCP upgrade OLM fires an alert indicating the operator is unhealthy 1932673 - Virtual machine template provided by red hat should not be editable. The UI allows to edit and then reverse the change after it was made 1932789 - Proxy with port is unable to be validated if it overlaps with service/cluster network 1932799 - During a hive driven baremetal installation the process does not go beyond 80% in the bootstrap VM 1932805 - e2e: test OAuth API connections in the tests by that name 1932816 - No new local storage operator bundle image is built 1932834 - enforce the use of hashed access/authorize tokens 1933101 - Can not upgrade a Helm Chart that uses a library chart in the OpenShift dev console 1933102 - Canary daemonset uses default node selector 1933114 - [sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it [Suite:openshift/conformance/parallel/minimal] 1933159 - multus DaemonSets should use maxUnavailable: 33% 1933173 - openshift-sdn/sdn DaemonSet should use maxUnavailable: 10% 1933174 - openshift-sdn/ovs DaemonSet should use maxUnavailable: 10% 1933179 - network-check-target DaemonSet should use maxUnavailable: 10% 1933180 - openshift-image-registry/node-ca DaemonSet should use maxUnavailable: 10% 1933184 - openshift-cluster-csi-drivers DaemonSets should use maxUnavailable: 10% 1933263 - user manifest with nodeport services causes bootstrap to block 1933269 - Cluster unstable replacing an unhealthy etcd member 1933284 - Samples in CRD creation are ordered arbitarly 1933414 - Machines are created with unexpected name for Ports 1933599 - bump k8s.io/apiserver to 1.20.3 1933630 - [Local Volume] Provision disk failed when disk label has unsupported value like ":" 1933664 - Getting Forbidden for image in a container template when creating a sample app 1933708 - Grafana is not displaying deployment config resources in dashboard `Default /Kubernetes / Compute Resources / Namespace (Workloads)` 1933711 - EgressDNS: Keep short lived records at most 30s 1933730 - [AI-UI-Wizard] Toggling "Use extra disks for local storage" checkbox highlights the "Next" button to move forward but grays out once clicked 1933761 - Cluster DNS service caps TTLs too low and thus evicts from its cache too aggressively 1933772 - MCD Crash Loop Backoff 1933805 - TargetDown alert fires during upgrades because of normal upgrade behavior 1933857 - Details page can throw an uncaught exception if kindObj prop is undefined 1933880 - Kuryr-Controller crashes when it's missing the status object 1934021 - High RAM usage on machine api termination node system oom 1934071 - etcd consuming high amount of memory and CPU after upgrade to 4.6.17 1934080 - Both old and new Clusterlogging CSVs stuck in Pending during upgrade 1934085 - Scheduling conformance tests failing in a single node cluster 1934107 - cluster-authentication-operator builds URL incorrectly for IPv6 1934112 - Add memory and uptime metadata to IO archive 1934113 - mcd panic when there's not enough free disk space 1934123 - [OSP] First public endpoint is used to fetch ignition config from Glance URL (with multiple endpoints) on OSP 1934163 - Thanos Querier restarting and gettin alert ThanosQueryHttpRequestQueryRangeErrorRateHigh 1934174 - rootfs too small when enabling NBDE 1934176 - Machine Config Operator degrades during cluster update with failed to convert Ignition config spec v2 to v3 1934177 - knative-camel-operator CreateContainerError "container_linux.go:366: starting container process caused: chdir to cwd (\"/home/nonroot\") set in config.json failed: permission denied" 1934216 - machineset-controller stuck in CrashLoopBackOff after upgrade to 4.7.0 1934229 - List page text filter has input lag 1934397 - Extend OLM operator gatherer to include Operator/ClusterServiceVersion conditions 1934400 - [ocp_4][4.6][apiserver-auth] OAuth API servers are not ready - PreconditionNotReady 1934516 - Setup different priority classes for prometheus-k8s and prometheus-user-workload pods 1934556 - OCP-Metal images 1934557 - RHCOS boot image bump for LUKS fixes 1934643 - Need BFD failover capability on ECMP routes 1934711 - openshift-ovn-kubernetes ovnkube-node DaemonSet should use maxUnavailable: 10% 1934773 - Canary client should perform canary probes explicitly over HTTPS (rather than redirect from HTTP) 1934905 - CoreDNS's "errors" plugin is not enabled for custom upstream resolvers 1935058 - Can’t finish install sts clusters on aws government region 1935102 - Error: specifying a root certificates file with the insecure flag is not allowed during oc login 1935155 - IGMP/MLD packets being dropped 1935157 - [e2e][automation] environment tests broken 1935165 - OCP 4.6 Build fails when filename contains an umlaut 1935176 - Missing an indication whether the deployed setup is SNO. 1935269 - Topology operator group shows child Jobs. Not shown in details view's resources. 1935419 - Failed to scale worker using virtualmedia on Dell R640 1935528 - [AWS][Proxy] ingress reports degrade with CanaryChecksSucceeding=False in the cluster with proxy setting 1935539 - Openshift-apiserver CO unavailable during cluster upgrade from 4.6 to 4.7 1935541 - console operator panics in DefaultDeployment with nil cm 1935582 - prometheus liveness probes cause issues while replaying WAL 1935604 - high CPU usage fails ingress controller 1935667 - pipelinerun status icon rendering issue 1935706 - test: Detect when the master pool is still updating after upgrade 1935732 - Update Jenkins agent maven directory to be version agnostic [ART ocp build data] 1935814 - Pod and Node lists eventually have incorrect row heights when additional columns have long text 1935909 - New CSV using ServiceAccount named "default" stuck in Pending during upgrade 1936022 - DNS operator performs spurious updates in response to API's defaulting of daemonset's terminationGracePeriod and service's clusterIPs 1936030 - Ingress operator performs spurious updates in response to API's defaulting of NodePort service's clusterIPs field 1936223 - The IPI installer has a typo. It is missing the word "the" in "the Engine". 1936336 - Updating multus-cni builder & base images to be consistent with ART 4.8 (closed) 1936342 - kuryr-controller restarting after 3 days cluster running - pools without members 1936443 - Hive based OCP IPI baremetal installation fails to connect to API VIP port 22623 1936488 - [sig-instrumentation][Late] Alerts shouldn't report any alerts in firing state apart from Watchdog and AlertmanagerReceiversNotConfigured: Prometheus query error 1936515 - sdn-controller is missing some health checks 1936534 - When creating a worker with a used mac-address stuck on registering 1936585 - configure alerts if the catalogsources are missing 1936620 - OLM checkbox descriptor renders switch instead of checkbox 1936721 - network-metrics-deamon not associated with a priorityClassName 1936771 - [aws ebs csi driver] The event for Pod consuming a readonly PVC is not clear 1936785 - Configmap gatherer doesn't include namespace name (in the archive path) in case of a configmap with binary data 1936788 - RBD RWX PVC creation with Filesystem volume mode selection is creating RWX PVC with Block volume mode instead of disabling Filesystem volume mode selection 1936798 - Authentication log gatherer shouldn't scan all the pod logs in the openshift-authentication namespace 1936801 - Support ServiceBinding 0.5.0+ 1936854 - Incorrect imagestream is shown as selected in knative service container image edit flow 1936857 - e2e-ovirt-ipi-install-install is permafailing on 4.5 nightlies 1936859 - ovirt 4.4 -> 4.5 upgrade jobs are permafailing 1936867 - Periodic vsphere IPI install is broken - missing pip 1936871 - [Cinder CSI] Topology aware provisioning doesn't work when Nova and Cinder AZs are different 1936904 - Wrong output YAML when syncing groups without --confirm 1936983 - Topology view - vm details screen isntt stop loading 1937005 - when kuryr quotas are unlimited, we should not sent alerts 1937018 - FilterToolbar component does not handle 'null' value for 'rowFilters' prop 1937020 - Release new from image stream chooses incorrect ID based on status 1937077 - Blank White page on Topology 1937102 - Pod Containers Page Not Translated 1937122 - CAPBM changes to support flexible reboot modes 1937145 - [Local storage] PV provisioned by localvolumeset stays in "Released" status after the pod/pvc deleted 1937167 - [sig-arch] Managed cluster should have no crashlooping pods in core namespaces over four minutes 1937244 - [Local Storage] The model name of aws EBS doesn't be extracted well 1937299 - pod.spec.volumes.awsElasticBlockStore.partition is not respected on NVMe volumes 1937452 - cluster-network-operator CI linting fails in master branch 1937459 - Wrong Subnet retrieved for Service without Selector 1937460 - [CI] Network quota pre-flight checks are failing the installation 1937464 - openstack cloud credentials are not getting configured with correct user_domain_name across the cluster 1937466 - KubeClientCertificateExpiration alert is confusing, without explanation in the documentation 1937496 - Metrics viewer in OCP Console is missing date in a timestamp for selected datapoint 1937535 - Not all image pulls within OpenShift builds retry 1937594 - multiple pods in ContainerCreating state after migration from OpenshiftSDN to OVNKubernetes 1937627 - Bump DEFAULT_DOC_URL for 4.8 1937628 - Bump upgrade channels for 4.8 1937658 - Description for storage class encryption during storagecluster creation needs to be updated 1937666 - Mouseover on headline 1937683 - Wrong icon classification of output in buildConfig when the destination is a DockerImage 1937693 - ironic image "/" cluttered with files 1937694 - [oVirt] split ovirt providerIDReconciler logic into NodeController and ProviderIDController 1937717 - If browser default font size is 20, the layout of template screen breaks 1937722 - OCP 4.8 vuln due to BZ 1936445 1937929 - Operand page shows a 404:Not Found error for OpenShift GitOps Operator 1937941 - [RFE]fix wording for favorite templates 1937972 - Router HAProxy config file template is slow to render due to repetitive regex compilations 1938131 - [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go 1938321 - Cannot view PackageManifest objects in YAML on 'Home > Search' page nor 'CatalogSource details > Operators tab' 1938465 - thanos-querier should set a CPU request on the thanos-query container 1938466 - packageserver deployment sets neither CPU or memory request on the packageserver container 1938467 - The default cluster-autoscaler should get default cpu and memory requests if user omits them 1938468 - kube-scheduler-operator has a container without a CPU request 1938492 - Marketplace extract container does not request CPU or memory 1938493 - machine-api-operator declares restrictive cpu and memory limits where it should not 1938636 - Can't set the loglevel of the container: cluster-policy-controller and kube-controller-manager-recovery-controller 1938903 - Time range on dashboard page will be empty after drog and drop mouse in the graph 1938920 - ovnkube-master/ovs-node DaemonSets should use maxUnavailable: 10% 1938947 - Update blocked from 4.6 to 4.7 when using spot/preemptible instances 1938949 - [VPA] Updater failed to trigger evictions due to "vpa-admission-controller" not found 1939054 - machine healthcheck kills aws spot instance before generated 1939060 - CNO: nodes and masters are upgrading simultaneously 1939069 - Add source to vm template silently failed when no storage class is defined in the cluster 1939103 - CVE-2021-28092 nodejs-is-svg: ReDoS via malicious string 1939168 - Builds failing for OCP 3.11 since PR#25 was merged 1939226 - kube-apiserver readiness probe appears to be hitting /healthz, not /readyz 1939227 - kube-apiserver liveness probe appears to be hitting /healthz, not /livez 1939232 - CI tests using openshift/hello-world broken by Ruby Version Update 1939270 - fix co upgradeableFalse status and reason 1939294 - OLM may not delete pods with grace period zero (force delete) 1939412 - missed labels for thanos-ruler pods 1939485 - CVE-2021-20291 containers/storage: DoS via malicious image 1939547 - Include container="POD" in resource queries 1939555 - VSphereProblemDetectorControllerDegraded: context canceled during upgrade to 4.8.0 1939573 - after entering valid git repo url on add flow page, throwing warning message instead Validated 1939580 - Authentication operator is degraded during 4.8 to 4.8 upgrade and normal 4.8 e2e runs 1939606 - Attempting to put a host into maintenance mode warns about Ceph cluster health, but no storage cluster problems are apparent 1939661 - support new AWS region ap-northeast-3 1939726 - clusteroperator/network should not change condition/Degraded during normal serial test execution 1939731 - Image registry operator reports unavailable during normal serial run 1939734 - Node Fanout Causes Excessive WATCH Secret Calls, Taking Down Clusters 1939740 - dual stack nodes with OVN single ipv6 fails on bootstrap phase 1939752 - ovnkube-master sbdb container does not set requests on cpu or memory 1939753 - Delete HCO is stucking if there is still VM in the cluster 1939815 - Change the Warning Alert for Encrypted PVs in Create StorageClass(provisioner:RBD) page 1939853 - [DOC] Creating manifests API should not allow folder in the "file_name" 1939865 - GCP PD CSI driver does not have CSIDriver instance 1939869 - [e2e][automation] Add annotations to datavolume for HPP 1939873 - Unlimited number of characters accepted for base domain name 1939943 - `cluster-kube-apiserver-operator check-endpoints` observed a panic: runtime error: invalid memory address or nil pointer dereference 1940030 - cluster-resource-override: fix spelling mistake for run-level match expression in webhook configuration 1940057 - Openshift builds should use a wach instead of polling when checking for pod status 1940142 - 4.6->4.7 updates stick on OpenStackCinderCSIDriverOperatorCR_OpenStackCinderDriverControllerServiceController_Deploying 1940159 - [OSP] cluster destruction fails to remove router in BYON (with provider network) with Kuryr as primary network 1940206 - Selector and VolumeTableRows not i18ned 1940207 - 4.7->4.6 rollbacks stuck on prometheusrules admission webhook "no route to host" 1940314 - Failed to get type for Dashboard Kubernetes / Compute Resources / Namespace (Workloads) 1940318 - No data under 'Current Bandwidth' for Dashboard 'Kubernetes / Networking / Pod' 1940322 - Split of dashbard is wrong, many Network parts 1940337 - rhos-ipi installer fails with not clear message when openstack tenant doesn't have flavors needed for compute machines 1940361 - [e2e][automation] Fix vm action tests with storageclass HPP 1940432 - Gather datahubs.installers.datahub.sap.com resources from SAP clusters 1940488 - After fix for CVE-2021-3344, Builds do not mount node entitlement keys 1940498 - pods may fail to add logical port due to lr-nat-del/lr-nat-add error messages 1940499 - hybrid-overlay not logging properly before exiting due to an error 1940518 - Components in bare metal components lack resource requests 1940613 - CVE-2021-27292 nodejs-ua-parser-js: ReDoS via malicious User-Agent header 1940704 - prjquota is dropped from rootflags if rootfs is reprovisioned 1940755 - [Web-console][Local Storage] LocalVolumeSet could not be created from web-console without detail error info 1940865 - Add BareMetalPlatformType into e2e upgrade service unsupported list 1940876 - Components in ovirt components lack resource requests 1940889 - Installation failures in OpenStack release jobs 1940933 - [sig-arch] Check if alerts are firing during or after upgrade success: AggregatedAPIDown on v1beta1.metrics.k8s.io 1940939 - Wrong Openshift node IP as kubelet setting VIP as node IP 1940940 - csi-snapshot-controller goes unavailable when machines are added removed to cluster 1940950 - vsphere: client/bootstrap CSR double create 1940972 - vsphere: [4.6] CSR approval delayed for unknown reason 1941000 - cinder storageclass creates persistent volumes with wrong label failure-domain.beta.kubernetes.io/zone in multi availability zones architecture on OSP 16. 1941334 - [RFE] Cluster-api-provider-ovirt should handle auto pinning policy 1941342 - Add `kata-osbuilder-generate.service` as part of the default presets 1941456 - Multiple pods stuck in ContainerCreating status with the message "failed to create container for [kubepods burstable podxxx] : dbus: connection closed by user" being seen in the journal log 1941526 - controller-manager-operator: Observed a panic: nil pointer dereference 1941592 - HAProxyDown not Firing 1941606 - [assisted operator] Assisted Installer Operator CSV related images should be digests for icsp 1941625 - Developer -> Topology - i18n misses 1941635 - Developer -> Monitoring - i18n misses 1941636 - BM worker nodes deployment with virtual media failed while trying to clean raid 1941645 - Developer -> Builds - i18n misses 1941655 - Developer -> Pipelines - i18n misses 1941667 - Developer -> Project - i18n misses 1941669 - Developer -> ConfigMaps - i18n misses 1941759 - Errored pre-flight checks should not prevent install 1941798 - Some details pages don't have internationalized ResourceKind labels 1941801 - Many filter toolbar dropdowns haven't been internationalized 1941815 - From the web console the terminal can no longer connect after using leaving and returning to the terminal view 1941859 - [assisted operator] assisted pod deploy first time in error state 1941901 - Toleration merge logic does not account for multiple entries with the same key 1941915 - No validation against template name in boot source customization 1941936 - when setting parameters in containerRuntimeConfig, it will show incorrect information on its description 1941980 - cluster-kube-descheduler operator is broken when upgraded from 4.7 to 4.8 1941990 - Pipeline metrics endpoint changed in osp-1.4 1941995 - fix backwards incompatible trigger api changes in osp1.4 1942086 - Administrator -> Home - i18n misses 1942117 - Administrator -> Workloads - i18n misses 1942125 - Administrator -> Serverless - i18n misses 1942193 - Operand creation form - broken/cutoff blue line on the Accordion component (fieldGroup) 1942207 - [vsphere] hostname are changed when upgrading from 4.6 to 4.7.x causing upgrades to fail 1942271 - Insights operator doesn't gather pod information from openshift-cluster-version 1942375 - CRI-O failing with error "reserving ctr name" 1942395 - The status is always "Updating" on dc detail page after deployment has failed. 1942521 - [Assisted-4.7] [Staging][OCS] Minimum memory for selected role is failing although minimum OCP requirement satisfied 1942522 - Resolution fails to sort channel if inner entry does not satisfy predicate 1942536 - Corrupted image preventing containers from starting 1942548 - Administrator -> Networking - i18n misses 1942553 - CVE-2021-22133 go.elastic.co/apm: leaks sensitive HTTP headers during panic 1942555 - Network policies in ovn-kubernetes don't support external traffic from router when the endpoint publishing strategy is HostNetwork 1942557 - Query is reporting "no datapoint" when label cluster="" is set but work when the label is removed or when running directly in Prometheus 1942608 - crictl cannot list the images with an error: error locating item named "manifest" for image with ID 1942614 - Administrator -> Storage - i18n misses 1942641 - Administrator -> Builds - i18n misses 1942673 - Administrator -> Pipelines - i18n misses 1942694 - Resource names with a colon do not display property in the browser window title 1942715 - Administrator -> User Management - i18n misses 1942716 - Quay Container Security operator has Medium <-> Low colors reversed 1942725 - [SCC] openshift-apiserver degraded when creating new pod after installing Stackrox which creates a less privileged SCC [4.8] 1942736 - Administrator -> Administration - i18n misses 1942749 - Install Operator form should use info icon for popovers 1942837 - [OCPv4.6] unable to deploy pod with unsafe sysctls 1942839 - Windows VMs fail to start on air-gapped environments 1942856 - Unable to assign nodes for EgressIP even if the egress-assignable label is set 1942858 - [RFE]Confusing detach volume UX 1942883 - AWS EBS CSI driver does not support partitions 1942894 - IPA error when provisioning masters due to an error from ironic.conductor - /dev/sda is busy 1942935 - must-gather improvements 1943145 - vsphere: client/bootstrap CSR double create 1943175 - unable to install IPI PRIVATE OpenShift cluster in Azure due to organization policies (set azure storage account TLS version default to 1.2) 1943208 - CVE-2021-23362 nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() 1943219 - unable to install IPI PRIVATE OpenShift cluster in Azure - SSH access from the Internet should be blocked 1943224 - cannot upgrade openshift-kube-descheduler from 4.7.2 to latest 1943238 - The conditions table does not occupy 100% of the width. 1943258 - [Assisted-4.7][Staging][Advanced Networking] Cluster install fails while waiting for control plane 1943314 - [OVN SCALE] Combine Logical Flows inside Southbound DB. 1943315 - avoid workload disruption for ICSP changes 1943320 - Baremetal node loses connectivity with bonded interface and OVNKubernetes 1943329 - TLSSecurityProfile missing from KubeletConfig CRD Manifest 1943356 - Dynamic plugins surfaced in the UI should be referred to as "Console plugins" 1943539 - crio-wipe is failing to start "Failed to shutdown storage before wiping: A layer is mounted: layer is in use by a container" 1943543 - DeploymentConfig Rollback doesn't reset params correctly 1943558 - [assisted operator] Assisted Service pod unable to reach self signed local registry in disco environement 1943578 - CoreDNS caches NXDOMAIN responses for up to 900 seconds 1943614 - add bracket logging on openshift/builder calls into buildah to assist test-platform team triage 1943637 - upgrade from ocp 4.5 to 4.6 does not clear SNAT rules on ovn 1943649 - don't use hello-openshift for network-check-target 1943667 - KubeDaemonSetRolloutStuck fires during upgrades too often because it does not accurately detect progress 1943719 - storage-operator/vsphere-problem-detector causing upgrades to fail that would have succeeded in past versions 1943804 - API server on AWS takes disruption between 70s and 110s after pod begins termination via external LB 1943845 - Router pods should have startup probes configured 1944121 - OVN-kubernetes references AddressSets after deleting them, causing ovn-controller errors 1944160 - CNO: nbctl daemon should log reconnection info 1944180 - OVN-Kube Master does not release election lock on shutdown 1944246 - Ironic fails to inspect and move node to "manageable' but get bmh remains in "inspecting" 1944268 - openshift-install AWS SDK is missing endpoints for the ap-northeast-3 region 1944509 - Translatable texts without context in ssh expose component 1944581 - oc project not works with cluster proxy 1944587 - VPA could not take actions based on the recommendation when min-replicas=1 1944590 - The field name "VolumeSnapshotContent" is wrong on VolumeSnapshotContent detail page 1944602 - Consistant fallures of features/project-creation.feature Cypress test in CI 1944631 - openshif authenticator should not accept non-hashed tokens 1944655 - [manila-csi-driver-operator] openstack-manila-csi-nodeplugin pods stucked with ".. still connecting to unix:///var/lib/kubelet/plugins/csi-nfsplugin/csi.sock" 1944660 - dm-multipath race condition on bare metal causing /boot partition mount failures 1944674 - Project field become to "All projects" and disabled in "Review and create virtual machine" step in devconsole 1944678 - Whereabouts IPAM CNI duplicate IP addresses assigned to pods 1944761 - field level help instances do not use common util component <FieldLevelHelp> 1944762 - Drain on worker node during an upgrade fails due to PDB set for image registry pod when only a single replica is present 1944763 - field level help instances do not use common util component <FieldLevelHelp> 1944853 - Update to nodejs >=14.15.4 for ARM 1944974 - Duplicate KubeControllerManagerDown/KubeSchedulerDown alerts 1944986 - Clarify the ContainerRuntimeConfiguration cr description on the validation 1945027 - Button 'Copy SSH Command' does not work 1945085 - Bring back API data in etcd test 1945091 - In k8s 1.21 bump Feature:IPv6DualStack tests are disabled 1945103 - 'User credentials' shows even the VM is not running 1945104 - In k8s 1.21 bump '[sig-storage] [cis-hostpath] [Testpattern: Generic Ephemeral-volume' tests are disabled 1945146 - Remove pipeline Tech preview badge for pipelines GA operator 1945236 - Bootstrap ignition shim doesn't follow proxy settings 1945261 - Operator dependency not consistently chosen from default channel 1945312 - project deletion does not reset UI project context 1945326 - console-operator: does not check route health periodically 1945387 - Image Registry deployment should have 2 replicas and hard anti-affinity rules 1945398 - 4.8 CI failure: [Serial] [sig-auth][Feature:OAuthServer] [RequestHeaders] [IdP] test RequestHeaders IdP [Suite:openshift/conformance/serial] 1945431 - alerts: SystemMemoryExceedsReservation triggers too quickly 1945443 - operator-lifecycle-manager-packageserver flaps Available=False with no reason or message 1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service 1945548 - catalog resource update failed if spec.secrets set to "" 1945584 - Elasticsearch operator fails to install on 4.8 cluster on ppc64le/s390x 1945599 - Optionally set KERNEL_VERSION and RT_KERNEL_VERSION 1945630 - Pod log filename no longer in <pod-name>-<container-name>.log format 1945637 - QE- Automation- Fixing smoke test suite for pipeline-plugin 1945646 - gcp-routes.sh running as initrc_t unnecessarily 1945659 - [oVirt] remove ovirt_cafile from ovirt-credentials secret 1945677 - Need ACM Managed Cluster Info metric enabled for OCP monitoring telemetry 1945687 - Dockerfile needs updating to new container CI registry 1945700 - Syncing boot mode after changing device should be restricted to Supermicro 1945816 - " Ingresses " should be kept in English for Chinese 1945818 - Chinese translation issues: Operator should be the same with English `Operators` 1945849 - Unnecessary series churn when a new version of kube-state-metrics is rolled out 1945910 - [aws] support byo iam roles for instances 1945948 - SNO: pods can't reach ingress when the ingress uses a different IPv6. 1946079 - Virtual master is not getting an IP address 1946097 - [oVirt] oVirt credentials secret contains unnecessary "ovirt_cafile" 1946119 - panic parsing install-config 1946243 - No relevant error when pg limit is reached in block pools page 1946307 - [CI] [UPI] use a standardized and reliable way to install google cloud SDK in UPI image 1946320 - Incorrect error message in Deployment Attach Storage Page 1946449 - [e2e][automation] Fix cloud-init tests as UI changed 1946458 - Edit Application action overwrites Deployment envFrom values on save 1946459 - In bare metal IPv6 environment, [sig-storage] [Driver: nfs] tests are failing in CI. 1946479 - In k8s 1.21 bump BoundServiceAccountTokenVolume is disabled by default 1946497 - local-storage-diskmaker pod logs "DeviceSymlinkExists" and "not symlinking, could not get lock: <nil>" 1946506 - [on-prem] mDNS plugin no longer needed 1946513 - honor use specified system reserved with auto node sizing 1946540 - auth operator: only configure webhook authenticators for internal auth when oauth-apiserver pods are ready 1946584 - Machine-config controller fails to generate MC, when machine config pool with dashes in name presents under the cluster 1946607 - etcd readinessProbe is not reflective of actual readiness 1946705 - Fix issues with "search" capability in the Topology Quick Add component 1946751 - DAY2 Confusing event when trying to add hosts to a cluster that completed installation 1946788 - Serial tests are broken because of router 1946790 - Marketplace operator flakes Available=False OperatorStarting during updates 1946838 - Copied CSVs show up as adopted components 1946839 - [Azure] While mirroring images to private registry throwing error: invalid character '<' looking for beginning of value 1946865 - no "namespace:kube_pod_container_resource_requests_cpu_cores:sum" and "namespace:kube_pod_container_resource_requests_memory_bytes:sum" metrics 1946893 - the error messages are inconsistent in DNS status conditions if the default service IP is taken 1946922 - Ingress details page doesn't show referenced secret name and link 1946929 - the default dns operator's Progressing status is always True and cluster operator dns Progressing status is False 1947036 - "failed to create Matchbox client or connect" on e2e-metal jobs or metal clusters via cluster-bot 1947066 - machine-config-operator pod crashes when noProxy is * 1947067 - [Installer] Pick up upstream fix for installer console output 1947078 - Incorrect skipped status for conditional tasks in the pipeline run 1947080 - SNO IPv6 with 'temporary 60-day domain' option fails with IPv4 exception 1947154 - [master] [assisted operator] Unable to re-register an SNO instance if deleting CRDs during install 1947164 - Print "Successfully pushed" even if the build push fails. 1947176 - OVN-Kubernetes leaves stale AddressSets around if the deletion was missed. 1947293 - IPv6 provision addresses range larger then /64 prefix (e.g. /48) 1947311 - When adding a new node to localvolumediscovery UI does not show pre-existing node name's 1947360 - [vSphere csi driver operator] operator pod runs as “BestEffort” qosClass 1947371 - [vSphere csi driver operator] operator doesn't create “csidriver” instance 1947402 - Single Node cluster upgrade: AWS EBS CSI driver deployment is stuck on rollout 1947478 - discovery v1 beta1 EndpointSlice is deprecated in Kubernetes 1.21 (OCP 4.8) 1947490 - If Clevis on a managed LUKs volume with Ignition enables, the system will fails to automatically open the LUKs volume on system boot 1947498 - policy v1 beta1 PodDisruptionBudget is deprecated in Kubernetes 1.21 (OCP 4.8) 1947663 - disk details are not synced in web-console 1947665 - Internationalization values for ceph-storage-plugin should be in file named after plugin 1947684 - MCO on SNO sometimes has rendered configs and sometimes does not 1947712 - [OVN] Many faults and Polling interval stuck for 4 seconds every roughly 5 minutes intervals. 1947719 - 8 APIRemovedInNextReleaseInUse info alerts display 1947746 - Show wrong kubernetes version from kube-scheduler/kube-controller-manager operator pods 1947756 - [azure-disk-csi-driver-operator] Should allow more nodes to be updated simultaneously for speeding up cluster upgrade 1947767 - [azure-disk-csi-driver-operator] Uses the same storage type in the sc created by it as the default sc? 1947771 - [kube-descheduler]descheduler operator pod should not run as “BestEffort” qosClass 1947774 - CSI driver operators use "Always" imagePullPolicy in some containers 1947775 - [vSphere csi driver operator] doesn’t use the downstream images from payload. 1947776 - [vSphere csi driver operator] Should allow more nodes to be updated simultaneously for speeding up cluster upgrade 1947779 - [LSO] Should allow more nodes to be updated simultaneously for speeding up LSO upgrade 1947785 - Cloud Compute: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert 1947789 - Console: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert 1947791 - MCO: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert 1947793 - DevEx: APIRemovedInNextReleaseInUse info alerts display 1947794 - OLM: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component does not trigger APIRemovedInNextReleaseInUse alert 1947795 - Networking: APIRemovedInNextReleaseInUse info alerts display 1947797 - CVO: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert 1947798 - Images: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert 1947800 - Ingress: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert 1947801 - Kube Storage Version Migrator APIRemovedInNextReleaseInUse info alerts display 1947803 - Openshift Apiserver: APIRemovedInNextReleaseInUse info alerts display 1947806 - Re-enable h2spec, http/2 and grpc-interop e2e tests in openshift/origin 1947828 - `download it` link should save pod log in <pod-name>-<container-name>.log format 1947866 - disk.csi.azure.com.spec.operatorLogLevel is not updated when CSO loglevel is changed 1947917 - Egress Firewall does not reliably apply firewall rules 1947946 - Operator upgrades can delete existing CSV before completion 1948011 - openshift-controller-manager constantly reporting type "Upgradeable" status Unknown 1948012 - service-ca constantly reporting type "Upgradeable" status Unknown 1948019 - [4.8] Large number of requests to the infrastructure cinder volume service 1948022 - Some on-prem namespaces missing from must-gather 1948040 - cluster-etcd-operator: etcd is using deprecated logger 1948082 - Monitoring should not set Available=False with no reason on updates 1948137 - CNI DEL not called on node reboot - OCP 4 CRI-O. 1948232 - DNS operator performs spurious updates in response to API's defaulting of daemonset's maxSurge and service's ipFamilies and ipFamilyPolicy fields 1948311 - Some jobs failing due to excessive watches: the server has received too many requests and has asked us to try again later 1948359 - [aws] shared tag was not removed from user provided IAM role 1948410 - [LSO] Local Storage Operator uses imagePullPolicy as "Always" 1948415 - [vSphere csi driver operator] clustercsidriver.spec.logLevel doesn't take effective after changing 1948427 - No action is triggered after click 'Continue' button on 'Show community Operator' windows 1948431 - TechPreviewNoUpgrade does not enable CSI migration 1948436 - The outbound traffic was broken intermittently after shutdown one egressIP node 1948443 - OCP 4.8 nightly still showing v1.20 even after 1.21 merge 1948471 - [sig-auth][Feature:OpenShiftAuthorization][Serial] authorization TestAuthorizationResourceAccessReview should succeed [Suite:openshift/conformance/serial] 1948505 - [vSphere csi driver operator] vmware-vsphere-csi-driver-operator pod restart every 10 minutes 1948513 - get-resources.sh doesn't honor the no_proxy settings 1948524 - 'DeploymentUpdated' Updated Deployment.apps/downloads -n openshift-console because it changed message is printed every minute 1948546 - VM of worker is in error state when a network has port_security_enabled=False 1948553 - When setting etcd spec.LogLevel is not propagated to etcd operand 1948555 - A lot of events "rpc error: code = DeadlineExceeded desc = context deadline exceeded" were seen in azure disk csi driver verification test 1948563 - End-to-End Secure boot deployment fails "Invalid value for input variable" 1948582 - Need ability to specify local gateway mode in CNO config 1948585 - Need a CI jobs to test local gateway mode with bare metal 1948592 - [Cluster Network Operator] Missing Egress Router Controller 1948606 - DNS e2e test fails "[sig-arch] Only known images used by tests" because it does not use a known image 1948610 - External Storage [Driver: disk.csi.azure.com] [Testpattern: Dynamic PV (block volmode)] multiVolume [Slow] should access to two volumes with the same volume mode and retain data across pod recreation on the same node [LinuxOnly] 1948626 - TestRouteAdmissionPolicy e2e test is failing often 1948628 - ccoctl needs to plan for future (non-AWS) platform support in the CLI 1948634 - upgrades: allow upgrades without version change 1948640 - [Descheduler] operator log reports key failed with : kubedeschedulers.operator.openshift.io "cluster" not found 1948701 - unneeded CCO alert already covered by CVO 1948703 - p&f: probes should not get 429s 1948705 - [assisted operator] SNO deployment fails - ClusterDeployment shows `bootstrap.ign was not found` 1948706 - Cluster Autoscaler Operator manifests missing annotation for ibm-cloud-managed profile 1948708 - cluster-dns-operator includes a deployment with node selector of masters for the IBM cloud managed profile 1948711 - thanos querier and prometheus-adapter should have 2 replicas 1948714 - cluster-image-registry-operator targets master nodes in ibm-cloud-managed-profile 1948716 - cluster-ingress-operator deployment targets master nodes for ibm-cloud-managed profile 1948718 - cluster-network-operator deployment manifest for ibm-cloud-managed profile contains master node selector 1948719 - Machine API components should use 1.21 dependencies 1948721 - cluster-storage-operator deployment targets master nodes for ibm-cloud-managed profile 1948725 - operator lifecycle manager does not include profile annotations for ibm-cloud-managed 1948763 - CVE-2021-23368 nodejs-postcss: Regular expression denial of service during source map parsing 1948771 - ~50% of GCP upgrade jobs in 4.8 failing with "AggregatedAPIDown" alert on packages.coreos.com 1948782 - Stale references to the single-node-production-edge cluster profile 1948787 - secret.StringData shouldn't be used for reads 1948788 - Clicking an empty metrics graph (when there is no data) should still open metrics viewer 1948789 - Clicking on a metrics graph should show request and limits queries as well on the resulting metrics page 1948919 - Need minor update in message on channel modal 1948923 - [aws] installer forces the platform.aws.amiID option to be set, while installing a cluster into GovCloud or C2S region 1948926 - Memory Usage of Dashboard 'Kubernetes / Compute Resources / Pod' contain wrong CPU query 1948936 - [e2e][automation][prow] Prow script point to deleted resource 1948943 - (release-4.8) Limit the number of collected pods in the workloads gatherer 1948953 - Uninitialized cloud provider error when provisioning a cinder volume 1948963 - [RFE] Cluster-api-provider-ovirt should handle hugepages 1948966 - Add the ability to run a gather done by IO via a Kubernetes Job 1948981 - Align dependencies and libraries with latest ironic code 1948998 - style fixes by GoLand and golangci-lint 1948999 - Can not assign multiple EgressIPs to a namespace by using automatic way. 1949019 - PersistentVolumes page cannot sync project status automatically which will block user to create PV 1949022 - Openshift 4 has a zombie problem 1949039 - Wrong env name to get podnetinfo for hugepage in app-netutil 1949041 - vsphere: wrong image names in bundle 1949042 - [sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should pass the http2 tests (on OpenStack) 1949050 - Bump k8s to latest 1.21 1949061 - [assisted operator][nmstate] Continuous attempts to reconcile InstallEnv in the case of invalid NMStateConfig 1949063 - [sig-network] Conntrack should be able to preserve UDP traffic when server pod cycles for a NodePort service 1949075 - Extend openshift/api for Add card customization 1949093 - PatternFly v4.96.2 regression results in a.pf-c-button hover issues 1949096 - Restore private git clone tests 1949099 - network-check-target code cleanup 1949105 - NetworkPolicy ... should enforce ingress policy allowing any port traffic to a server on a specific protocol 1949145 - Move openshift-user-critical priority class to CCO 1949155 - Console doesn't correctly check for favorited or last namespace on load if project picker used 1949180 - Pipelines plugin model kinds aren't picked up by parser 1949202 - sriov-network-operator not available from operatorhub on ppc64le 1949218 - ccoctl not included in container image 1949237 - Bump OVN: Lots of conjunction warnings in ovn-controller container logs 1949277 - operator-marketplace: deployment manifests for ibm-cloud-managed profile have master node selectors 1949294 - [assisted operator] OPENSHIFT_VERSIONS in assisted operator subscription does not propagate 1949306 - need a way to see top API accessors 1949313 - Rename vmware-vsphere-* images to vsphere-* images before 4.8 ships 1949316 - BaremetalHost resource automatedCleaningMode ignored due to outdated vendoring 1949347 - apiserver-watcher support for dual-stack 1949357 - manila-csi-controller pod not running due to secret lack(in another ns) 1949361 - CoreDNS resolution failure for external hostnames with "A: dns: overflow unpacking uint16" 1949364 - Mention scheduling profiles in scheduler operator repository 1949370 - Testability of: Static pod installer controller deadlocks with non-existing installer pod, WAS: kube-apisrever of clsuter operator always with incorrect status due to pleg error 1949384 - Edit Default Pull Secret modal - i18n misses 1949387 - Fix the typo in auto node sizing script 1949404 - label selector on pvc creation page - i18n misses 1949410 - The referred role doesn't exist if create rolebinding from rolebinding tab of role page 1949411 - VolumeSnapshot, VolumeSnapshotClass and VolumeSnapshotConent Details tab is not translated - i18n misses 1949413 - Automatic boot order setting is done incorrectly when using by-path style device names 1949418 - Controller factory workers should always restart on panic() 1949419 - oauth-apiserver logs "[SHOULD NOT HAPPEN] failed to update managedFields for authentication.k8s.io/v1, Kind=TokenReview: failed to convert new object (authentication.k8s.io/v1, Kind=TokenReview)" 1949420 - [azure csi driver operator] pvc.status.capacity and pv.spec.capacity are processed not the same as in-tree plugin 1949435 - ingressclass controller doesn't recreate the openshift-default ingressclass after deleting it 1949480 - Listeners timeout are constantly being updated 1949481 - cluster-samples-operator restarts approximately two times per day and logs too many same messages 1949509 - Kuryr should manage API LB instead of CNO 1949514 - URL is not visible for routes at narrow screen widths 1949554 - Metrics of vSphere CSI driver sidecars are not collected 1949582 - OCP v4.7 installation with OVN-Kubernetes fails with error "egress bandwidth restriction -1 is not equals" 1949589 - APIRemovedInNextEUSReleaseInUse Alert Missing 1949591 - Alert does not catch removed api usage during end-to-end tests. 1949593 - rename DeprecatedAPIInUse alert to APIRemovedInNextReleaseInUse 1949612 - Install with 1.21 Kubelet is spamming logs with failed to get stats failed command 'du' 1949626 - machine-api fails to create AWS client in new regions 1949661 - Kubelet Workloads Management changes for OCPNODE-529 1949664 - Spurious keepalived liveness probe failures 1949671 - System services such as openvswitch are stopped before pod containers on system shutdown or reboot 1949677 - multus is the first pod on a new node and the last to go ready 1949711 - cvo unable to reconcile deletion of openshift-monitoring namespace 1949721 - Pick 99237: Use the audit ID of a request for better correlation 1949741 - Bump golang version of cluster-machine-approver 1949799 - ingresscontroller should deny the setting when spec.tuningOptions.threadCount exceed 64 1949810 - OKD 4.7 unable to access Project Topology View 1949818 - Add e2e test to perform MCO operation Single Node OpenShift 1949820 - Unable to use `oc adm top is` shortcut when asking for `imagestreams` 1949862 - The ccoctl tool hits the panic sometime when running the delete subcommand 1949866 - The ccoctl fails to create authentication file when running the command `ccoctl aws create-identity-provider` with `--output-dir` parameter 1949880 - adding providerParameters.gcp.clientAccess to existing ingresscontroller doesn't work 1949882 - service-idler build error 1949898 - Backport RP#848 to OCP 4.8 1949907 - Gather summary of PodNetworkConnectivityChecks 1949923 - some defined rootVolumes zones not used on installation 1949928 - Samples Operator updates break CI tests 1949935 - Fix incorrect access review check on start pipeline kebab action 1949956 - kaso: add minreadyseconds to ensure we don't have an LB outage on kas 1949967 - Update Kube dependencies in MCO to 1.21 1949972 - Descheduler metrics: populate build info data and make the metrics entries more readeable 1949978 - [sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should pass the h2spec conformance tests [Suite:openshift/conformance/parallel/minimal] 1949990 - (release-4.8) Extend the OLM operator gatherer to include CSV display name 1949991 - openshift-marketplace pods are crashlooping 1950007 - [CI] [UPI] easy_install is not reliable enough to be used in an image 1950026 - [Descheduler] Need better way to handle evicted pod count for removeDuplicate pod strategy 1950047 - CSV deployment template custom annotations are not propagated to deployments 1950112 - SNO: machine-config pool is degraded: error running chcon -R -t var_run_t /run/mco-machine-os-content/os-content-321709791 1950113 - in-cluster operators need an API for additional AWS tags 1950133 - MCO creates empty conditions on the kubeletconfig object 1950159 - Downstream ovn-kubernetes repo should have no linter errors 1950175 - Update Jenkins and agent base image to Go 1.16 1950196 - ssh Key is added even with 'Expose SSH access to this virtual machine' unchecked 1950210 - VPA CRDs use deprecated API version 1950219 - KnativeServing is not shown in list on global config page 1950232 - [Descheduler] - The minKubeVersion should be 1.21 1950236 - Update OKD imagestreams to prefer centos7 images 1950270 - should use "kubernetes.io/os" in the dns/ingresscontroller node selector description when executing oc explain command 1950284 - Tracking bug for NE-563 - support user-defined tags on AWS load balancers 1950341 - NetworkPolicy: allow-from-router policy does not allow access to service when the endpoint publishing strategy is HostNetwork on OpenshiftSDN network 1950379 - oauth-server is in pending/crashbackoff at beginning 50% of CI runs 1950384 - [sig-builds][Feature:Builds][sig-devex][Feature:Jenkins][Slow] openshift pipeline build perm failing 1950409 - Descheduler operator code and docs still reference v1beta1 1950417 - The Marketplace Operator is building with EOL k8s versions 1950430 - CVO serves metrics over HTTP, despite a lack of consumers 1950460 - RFE: Change Request Size Input to Number Spinner Input 1950471 - e2e-metal-ipi-ovn-dualstack is failing with etcd unable to bootstrap 1950532 - Include "update" when referring to operator approval and channel 1950543 - Document non-HA behaviors in the MCO (SingleNodeOpenshift) 1950590 - CNO: Too many OVN netFlows collectors causes ovnkube pods CrashLoopBackOff 1950653 - BuildConfig ignores Args 1950761 - Monitoring operator deployments anti-affinity rules prevent their rollout on single-node 1950908 - kube_pod_labels metric does not contain k8s labels 1950912 - [e2e][automation] add devconsole tests 1950916 - [RFE]console page show error when vm is poused 1950934 - Unnecessary rollouts can happen due to unsorted endpoints 1950935 - Updating cluster-network-operator builder & base images to be consistent with ART 1950978 - the ingressclass cannot be removed even after deleting the related custom ingresscontroller 1951007 - ovn master pod crashed 1951029 - Drainer panics on missing context for node patch 1951034 - (release-4.8) Split up the GatherClusterOperators into smaller parts 1951042 - Panics every few minutes in kubelet logs post-rebase 1951043 - Start Pipeline Modal Parameters should accept empty string defaults 1951058 - [gcp-pd-csi-driver-operator] topology and multipods capabilities are not enabled in e2e tests 1951066 - [IBM][ROKS] Enable volume snapshot controllers on IBM Cloud 1951084 - avoid benign "Path \"/run/secrets/etc-pki-entitlement\" from \"/etc/containers/mounts.conf\" doesn't exist, skipping" messages 1951158 - Egress Router CRD missing Addresses entry 1951169 - Improve API Explorer discoverability from the Console 1951174 - re-pin libvirt to 6.0.0 1951203 - oc adm catalog mirror can generate ICSPs that exceed etcd's size limit 1951209 - RerunOnFailure runStrategy shows wrong VM status (Starting) on Succeeded VMI 1951212 - User/Group details shows unrelated subjects in role bindings tab 1951214 - VM list page crashes when the volume type is sysprep 1951339 - Cluster-version operator does not manage operand container environments when manifest lacks opinions 1951387 - opm index add doesn't respect deprecated bundles 1951412 - Configmap gatherer can fail incorrectly 1951456 - Docs and linting fixes 1951486 - Replace "kubevirt_vmi_network_traffic_bytes_total" with new metrics names 1951505 - Remove deprecated techPreviewUserWorkload field from CMO's configmap 1951558 - Backport Upstream 101093 for Startup Probe Fix 1951585 - enterprise-pod fails to build 1951636 - assisted service operator use default serviceaccount in operator bundle 1951637 - don't rollout a new kube-apiserver revision on oauth accessTokenInactivityTimeout changes 1951639 - Bootstrap API server unclean shutdown causes reconcile delay 1951646 - Unexpected memory climb while container not in use 1951652 - Add retries to opm index add 1951670 - Error gathering bootstrap log after pivot: The bootstrap machine did not execute the release-image.service systemd unit 1951671 - Excessive writes to ironic Nodes 1951705 - kube-apiserver needs alerts on CPU utlization 1951713 - [OCP-OSP] After changing image in machine object it enters in Failed - Can't find created instance 1951853 - dnses.operator.openshift.io resource's spec.nodePlacement.tolerations godoc incorrectly describes default behavior 1951858 - unexpected text '0' on filter toolbar on RoleBinding tab 1951860 - [4.8] add Intel XXV710 NIC model (1572) support in SR-IOV Operator 1951870 - sriov network resources injector: user defined injection removed existing pod annotations 1951891 - [migration] cannot change ClusterNetwork CIDR during migration 1951952 - [AWS CSI Migration] Metrics for cloudprovider error requests are lost 1952001 - Delegated authentication: reduce the number of watch requests 1952032 - malformatted assets in CMO 1952045 - Mirror nfs-server image used in jenkins-e2e 1952049 - Helm: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert 1952079 - rebase openshift/sdn to kube 1.21 1952111 - Optimize importing from @patternfly/react-tokens 1952174 - DNS operator claims to be done upgrading before it even starts 1952179 - OpenStack Provider Ports UI Underscore Variables 1952187 - Pods stuck in ImagePullBackOff with errors like rpc error: code = Unknown desc = Error committing the finished image: image with ID "SomeLongID" already exists, but uses a different top layer: that ID 1952211 - cascading mounts happening exponentially on when deleting openstack-cinder-csi-driver-node pods 1952214 - Console Devfile Import Dev Preview broken 1952238 - Catalog pods don't report termination logs to catalog-operator 1952262 - Need support external gateway via hybrid overlay 1952266 - etcd operator bumps status.version[name=operator] before operands update 1952268 - etcd operator should not set Degraded=True EtcdMembersDegraded on healthy machine-config node reboots 1952282 - CSR approver races with nodelink controller and does not requeue 1952310 - VM cannot start up if the ssh key is added by another template 1952325 - [e2e][automation] Check support modal in ssh tests and skip template parentSupport 1952333 - openshift/kubernetes vulnerable to CVE-2021-3121 1952358 - Openshift-apiserver CO unavailable in fresh OCP 4.7.5 installations 1952367 - No VM status on overview page when VM is pending 1952368 - worker pool went degraded due to no rpm-ostree on rhel worker during applying new mc 1952372 - VM stop action should not be there if the VM is not running 1952405 - console-operator is not reporting correct Available status 1952448 - Switch from Managed to Disabled mode: no IP removed from configuration and no container metal3-static-ip-manager stopped 1952460 - In k8s 1.21 bump '[sig-network] Firewall rule control plane should not expose well-known ports' test is disabled 1952473 - Monitor pod placement during upgrades 1952487 - Template filter does not work properly 1952495 - “Create” button on the Templates page is confuse 1952527 - [Multus] multi-networkpolicy does wrong filtering 1952545 - Selection issue when inserting YAML snippets 1952585 - Operator links for 'repository' and 'container image' should be clickable in OperatorHub 1952604 - Incorrect port in external loadbalancer config 1952610 - [aws] image-registry panics when the cluster is installed in a new region 1952611 - Tracking bug for OCPCLOUD-1115 - support user-defined tags on AWS EC2 Instances 1952618 - 4.7.4->4.7.8 Upgrade Caused OpenShift-Apiserver Outage 1952625 - Fix translator-reported text issues 1952632 - 4.8 installer should default ClusterVersion channel to stable-4.8 1952635 - Web console displays a blank page- white space instead of cluster information 1952665 - [Multus] multi-networkpolicy pod continue restart due to OOM (out of memory) 1952666 - Implement Enhancement 741 for Kubelet 1952667 - Update Readme for cluster-baremetal-operator with details about the operator 1952684 - cluster-etcd-operator: metrics controller panics on invalid response from client 1952728 - It was not clear for users why Snapshot feature was not available 1952730 - “Customize virtual machine” and the “Advanced” feature are confusing in wizard 1952732 - Users did not understand the boot source labels 1952741 - Monitoring DB: after set Time Range as Custom time range, no data display 1952744 - PrometheusDuplicateTimestamps with user workload monitoring enabled 1952759 - [RFE]It was not immediately clear what the Star icon meant 1952795 - cloud-network-config-controller CRD does not specify correct plural name 1952819 - failed to configure pod interface: error while waiting on flows for pod: timed out waiting for OVS flows 1952820 - [LSO] Delete localvolume pv is failed 1952832 - [IBM][ROKS] Enable the Web console UI to deploy OCS in External mode on IBM Cloud 1952891 - Upgrade failed due to cinder csi driver not deployed 1952904 - Linting issues in gather/clusterconfig package 1952906 - Unit tests for configobserver.go 1952931 - CI does not check leftover PVs 1952958 - Runtime error loading console in Safari 13 1953019 - [Installer][baremetal][metal3] The baremetal IPI installer fails on delete cluster with: failed to clean baremetal bootstrap storage pool 1953035 - Installer should error out if publish: Internal is set while deploying OCP cluster on any on-prem platform 1953041 - openshift-authentication-operator uses 3.9k% of its requested CPU 1953077 - Handling GCP's: Error 400: Permission accesscontextmanager.accessLevels.list is not valid for this resource 1953102 - kubelet CPU use during an e2e run increased 25% after rebase 1953105 - RHCOS system components registered a 3.5x increase in CPU use over an e2e run before and after 4/9 1953169 - endpoint slice controller doesn't handle services target port correctly 1953257 - Multiple EgressIPs per node for one namespace when "oc get hostsubnet" 1953280 - DaemonSet/node-resolver is not recreated by dns operator after deleting it 1953291 - cluster-etcd-operator: peer cert DNS SAN is populated incorrectly 1953418 - [e2e][automation] Fix vm wizard validate tests 1953518 - thanos-ruler pods failed to start up for "cannot unmarshal DNS message" 1953530 - Fix openshift/sdn unit test flake 1953539 - kube-storage-version-migrator: priorityClassName not set 1953543 - (release-4.8) Add missing sample archive data 1953551 - build failure: unexpected trampoline for shared or dynamic linking 1953555 - GlusterFS tests fail on ipv6 clusters 1953647 - prometheus-adapter should have a PodDisruptionBudget in HA topology 1953670 - ironic container image build failing because esp partition size is too small 1953680 - ipBlock ignoring all other cidr's apart from the last one specified 1953691 - Remove unused mock 1953703 - Inconsistent usage of Tech preview badge in OCS plugin of OCP Console 1953726 - Fix issues related to loading dynamic plugins 1953729 - e2e unidling test is flaking heavily on SNO jobs 1953795 - Ironic can't virtual media attach ISOs sourced from ingress routes 1953798 - GCP e2e (parallel and upgrade) regularly trigger KubeAPIErrorBudgetBurn alert, also happens on AWS 1953803 - [AWS] Installer should do pre-check to ensure user-provided private hosted zone name is valid for OCP cluster 1953810 - Allow use of storage policy in VMC environments 1953830 - The oc-compliance build does not available for OCP4.8 1953846 - SystemMemoryExceedsReservation alert should consider hugepage reservation 1953977 - [4.8] packageserver pods restart many times on the SNO cluster 1953979 - Ironic caching virtualmedia images results in disk space limitations 1954003 - Alerts shouldn't report any alerts in firing or pending state: openstack-cinder-csi-driver-controller-metrics TargetDown 1954025 - Disk errors while scaling up a node with multipathing enabled 1954087 - Unit tests for kube-scheduler-operator 1954095 - Apply user defined tags in AWS Internal Registry 1954105 - TaskRuns Tab in PipelineRun Details Page makes cluster based calls for TaskRuns 1954124 - oc set volume not adding storageclass to pvc which leads to issues using snapshots 1954150 - CVE-2021-23382 nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js 1954177 - machine-api: admissionReviewVersions v1beta1 is going to be removed in 1.22 1954187 - multus: admissionReviewVersions v1beta1 is going to be removed in 1.22 1954248 - Disable Alertmanager Protractor e2e tests 1954317 - [assisted operator] Environment variables set in the subscription not being inherited by the assisted-service container 1954330 - NetworkPolicy: allow-from-router with label policy-group.network.openshift.io/ingress: "" does not work on a upgraded cluster 1954421 - Get 'Application is not available' when access Prometheus UI 1954459 - Error: Gateway Time-out display on Alerting console 1954460 - UI, The status of "Used Capacity Breakdown [Pods]" is "Not available" 1954509 - FC volume is marked as unmounted after failed reconstruction 1954540 - Lack translation for local language on pages under storage menu 1954544 - authn operator: endpoints controller should use the context it creates 1954554 - Add e2e tests for auto node sizing 1954566 - Cannot update a component (`UtilizationCard`) error when switching perspectives manually 1954597 - Default image for GCP does not support ignition V3 1954615 - Undiagnosed panic detected in pod: pods/openshift-cloud-credential-operator_cloud-credential-operator 1954634 - apirequestcounts does not honor max users 1954638 - apirequestcounts should indicate removedinrelease of empty instead of 2.0 1954640 - Support of gatherers with different periods 1954671 - disable volume expansion support in vsphere csi driver storage class 1954687 - localvolumediscovery and localvolumset e2es are disabled 1954688 - LSO has missing examples for localvolumesets 1954696 - [API-1009] apirequestcounts should indicate useragent 1954715 - Imagestream imports become very slow when doing many in parallel 1954755 - Multus configuration should allow for net-attach-defs referenced in the openshift-multus namespace 1954765 - CCO: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert 1954768 - baremetal-operator: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component won't access APIs that trigger APIRemovedInNextReleaseInUse alert 1954770 - Backport upstream fix for Kubelet getting stuck in DiskPressure 1954773 - OVN: check (see bug 1947801#c4 steps) audit log to find deprecated API access related to this component to ensure this component does not trigger APIRemovedInNextReleaseInUse alert 1954783 - [aws] support byo private hosted zone 1954790 - KCM Alert PodDisruptionBudget At and Limit do not alert with maxUnavailable or MinAvailable by percentage 1954830 - verify-client-go job is failing for release-4.7 branch 1954865 - Add necessary priority class to pod-identity-webhook deployment 1954866 - Add necessary priority class to downloads 1954870 - Add necessary priority class to network components 1954873 - dns server may not be specified for clusters with more than 2 dns servers specified by openstack. 1954891 - Add necessary priority class to pruner 1954892 - Add necessary priority class to ingress-canary 1954931 - (release-4.8) Remove legacy URL anonymization in the ClusterOperator related resources 1954937 - [API-1009] `oc get apirequestcount` shows blank for column REQUESTSINCURRENTHOUR 1954959 - unwanted decorator shown for revisions in topology though should only be shown only for knative services 1954972 - TechPreviewNoUpgrade featureset can be undone 1954973 - "read /proc/pressure/cpu: operation not supported" in node-exporter logs 1954994 - should update to 2.26.0 for prometheus resources label 1955051 - metrics "kube_node_status_capacity_cpu_cores" does not exist 1955089 - Support [sig-cli] oc observe works as expected test for IPv6 1955100 - Samples: APIRemovedInNextReleaseInUse info alerts display 1955102 - Add vsphere_node_hw_version_total metric to the collected metrics 1955114 - 4.7-e2e-metal-ipi-ovn-dualstack intermittent test failures, worker hostname is overwritten by NM 1955196 - linuxptp-daemon crash on 4.8 1955226 - operator updates apirequestcount CRD over and over 1955229 - release-openshift-origin-installer-e2e-aws-calico-4.7 is permfailing 1955256 - stop collecting API that no longer exists 1955324 - Kubernetes Autoscaler should use Go 1.16 for testing scripts 1955336 - Failure to Install OpenShift on GCP due to Cluster Name being similar to / contains "google" 1955414 - 4.8 -> 4.7 rollbacks broken on unrecognized flowschema openshift-etcd-operator 1955445 - Drop crio image metrics with high cardinality 1955457 - Drop container_memory_failures_total metric because of high cardinality 1955467 - Disable collection of node_mountstats_nfs metrics in node_exporter 1955474 - [aws-ebs-csi-driver] rebase from version v1.0.0 1955478 - Drop high-cardinality metrics from kube-state-metrics which aren't used 1955517 - Failed to upgrade from 4.6.25 to 4.7.8 due to the machine-config degradation 1955548 - [IPI][OSP] OCP 4.6/4.7 IPI with kuryr exceeds defined serviceNetwork range 1955554 - MAO does not react to events triggered from Validating Webhook Configurations 1955589 - thanos-querier should have a PodDisruptionBudget in HA topology 1955595 - Add DevPreviewLongLifecycle Descheduler profile 1955596 - Pods stuck in creation phase on realtime kernel SNO 1955610 - release-openshift-origin-installer-old-rhcos-e2e-aws-4.7 is permfailing 1955622 - 4.8-e2e-metal-assisted jobs: Timeout of 360 seconds expired waiting for Cluster to be in status ['installing', 'error'] 1955701 - [4.8] RHCOS boot image bump for RHEL 8.4 Beta 1955749 - OCP branded templates need to be translated 1955761 - packageserver clusteroperator does not set reason or message for Available condition 1955783 - NetworkPolicy: ACL audit log message for allow-from-router policy should also include the namespace to distinguish between two policies similarly named configured in respective namespaces 1955803 - OperatorHub - console accepts any value for "Infrastructure features" annotation 1955822 - CIS Benchmark 5.4.1 Fails on ROKS 4: Prefer using secrets as files over secrets as environment variables 1955854 - Ingress clusteroperator reports Degraded=True/Available=False if any ingresscontroller is degraded or unavailable 1955862 - Local Storage Operator using LocalVolume CR fails to create PV's when backend storage failure is simulated 1955874 - Webscale: sriov vfs are not created and sriovnetworknodestate indicates sync succeeded - state is not correct 1955879 - Customer tags cannot be seen in S3 level when set spec.managementState from Managed-> Removed-> Managed in configs.imageregistry with high ratio 1955969 - Workers cannot be deployed attached to multiple networks. 1956079 - Installer gather doesn't collect any networking information 1956208 - Installer should validate root volume type 1956220 - Set htt proxy system properties as expected by kubernetes-client 1956281 - Disconnected installs are failing with kubelet trying to pause image from the internet 1956334 - Event Listener Details page does not show Triggers section 1956353 - test: analyze job consistently fails 1956372 - openshift-gcp-routes causes disruption during upgrade by stopping before all pods terminate 1956405 - Bump k8s dependencies in cluster resource override admission operator 1956411 - Apply custom tags to AWS EBS volumes 1956480 - [4.8] Bootimage bump tracker 1956606 - probes FlowSchema manifest not included in any cluster profile 1956607 - Multiple manifests lack cluster profile annotations 1956609 - [cluster-machine-approver] CSRs for replacement control plane nodes not approved after restore from backup 1956610 - manage-helm-repos manifest lacks cluster profile annotations 1956611 - OLM CRD schema validation failing against CRs where the value of a string field is a blank string 1956650 - The container disk URL is empty for Windows guest tools 1956768 - aws-ebs-csi-driver-controller-metrics TargetDown 1956826 - buildArgs does not work when the value is taken from a secret 1956895 - Fix chatty kubelet log message 1956898 - fix log files being overwritten on container state loss 1956920 - can't open terminal for pods that have more than one container running 1956959 - ipv6 disconnected sno crd deployment hive reports success status and clusterdeployrmet reporting false 1956978 - Installer gather doesn't include pod names in filename 1957039 - Physical VIP for pod -> Svc -> Host is incorrectly set to an IP of 169.254.169.2 for Local GW 1957041 - Update CI e2echart with more node info 1957127 - Delegated authentication: reduce the number of watch requests 1957131 - Conformance tests for OpenStack require the Cinder client that is not included in the "tests" image 1957146 - Only run test/extended/router/idle tests on OpenshiftSDN or OVNKubernetes 1957149 - CI: "Managed cluster should start all core operators" fails with: OpenStackCinderDriverStaticResourcesControllerDegraded: "volumesnapshotclass.yaml" (string): missing dynamicClient 1957179 - Incorrect VERSION in node_exporter 1957190 - CI jobs failing due too many watch requests (prometheus-operator) 1957198 - Misspelled console-operator condition 1957227 - Issue replacing the EnvVariables using the unsupported ConfigMap 1957260 - [4.8] [gcp] Installer is missing new region/zone europe-central2 1957261 - update godoc for new build status image change trigger fields 1957295 - Apply priority classes conventions as test to openshift/origin repo 1957315 - kuryr-controller doesn't indicate being out of quota 1957349 - [Azure] Machine object showing Failed phase even node is ready and VM is running properly 1957374 - mcddrainerr doesn't list specific pod 1957386 - Config serve and validate command should be under alpha 1957446 - prepare CCO for future without v1beta1 CustomResourceDefinitions 1957502 - Infrequent panic in kube-apiserver in aws-serial job 1957561 - lack of pseudolocalization for some text on Cluster Setting page 1957584 - Routes are not getting created when using hostname without FQDN standard 1957597 - Public DNS records were not deleted when destroying a cluster which is using byo private hosted zone 1957645 - Event "Updated PrometheusRule.monitoring.coreos.com/v1 because it changed" is frequently looped with weird empty {} changes 1957708 - e2e-metal-ipi and related jobs fail to bootstrap due to multiple VIP's 1957726 - Pod stuck in ContainerCreating - Failed to start transient scope unit: Connection timed out 1957748 - Ptp operator pod should have CPU and memory requests set but not limits 1957756 - Device Replacemet UI, The status of the disk is "replacement ready" before I clicked on "start replacement" 1957772 - ptp daemon set should meet platform requirements for update strategy that have maxUnavailable update of 10 or 33 percent 1957775 - CVO creating cloud-controller-manager too early causing upgrade failures 1957809 - [OSP] Install with invalid platform.openstack.machinesSubnet results in runtime error 1957822 - Update apiserver tlsSecurityProfile description to include Custom profile 1957832 - CMO end-to-end tests work only on AWS 1957856 - 'resource name may not be empty' is shown in CI testing 1957869 - baremetal IPI power_interface for irmc is inconsistent 1957879 - cloud-controller-manage ClusterOperator manifest does not declare relatedObjects 1957889 - Incomprehensible documentation of the GatherClusterOperatorPodsAndEvents gatherer 1957893 - ClusterDeployment / Agent conditions show "ClusterAlreadyInstalling" during each spoke install 1957895 - Cypress helper projectDropdown.shouldContain is not an assertion 1957908 - Many e2e failed requests caused by kube-storage-version-migrator-operator's version reads 1957926 - "Add Capacity" should allow to add n*3 (or n*4) local devices at once 1957951 - [aws] destroy can get blocked on instances stuck in shutting-down state 1957967 - Possible test flake in listPage Cypress view 1957972 - Leftover templates from mdns 1957976 - Ironic execute_deploy_steps command to ramdisk times out, resulting in a failed deployment in 4.7 1957982 - Deployment Actions clickable for view-only projects 1957991 - ClusterOperatorDegraded can fire during installation 1958015 - "config-reloader-cpu" and "config-reloader-memory" flags have been deprecated for prometheus-operator 1958080 - Missing i18n for login, error and selectprovider pages 1958094 - Audit log files are corrupted sometimes 1958097 - don't show "old, insecure token format" if the token does not actually exist 1958114 - Ignore staged vendor files in pre-commit script 1958126 - [OVN]Egressip doesn't take effect 1958158 - OAuth proxy container for AlertManager and Thanos are flooding the logs 1958216 - ocp libvirt: dnsmasq options in install config should allow duplicate option names 1958245 - cluster-etcd-operator: static pod revision is not visible from etcd logs 1958285 - Deployment considered unhealthy despite being available and at latest generation 1958296 - OLM must explicitly alert on deprecated APIs in use 1958329 - pick 97428: add more context to log after a request times out 1958367 - Build metrics do not aggregate totals by build strategy 1958391 - Update MCO KubeletConfig to mixin the API Server TLS Security Profile Singleton 1958405 - etcd: current health checks and reporting are not adequate to ensure availability 1958406 - Twistlock flags mode of /var/run/crio/crio.sock 1958420 - openshift-install 4.7.10 fails with segmentation error 1958424 - aws: support more auth options in manual mode 1958439 - Install/Upgrade button on Install/Upgrade Helm Chart page does not work with Form View 1958492 - CCO: pod-identity-webhook still accesses APIRemovedInNextReleaseInUse 1958643 - All pods creation stuck due to SR-IOV webhook timeout 1958679 - Compression on pool can't be disabled via UI 1958753 - VMI nic tab is not loadable 1958759 - Pulling Insights report is missing retry logic 1958811 - VM creation fails on API version mismatch 1958812 - Cluster upgrade halts as machine-config-daemon fails to parse `rpm-ostree status` during cluster upgrades 1958861 - [CCO] pod-identity-webhook certificate request failed 1958868 - ssh copy is missing when vm is running 1958884 - Confusing error message when volume AZ not found 1958913 - "Replacing an unhealthy etcd member whose node is not ready" procedure results in new etcd pod in CrashLoopBackOff 1958930 - network config in machine configs prevents addition of new nodes with static networking via kargs 1958958 - [SCALE] segfault with ovnkube adding to address set 1958972 - [SCALE] deadlock in ovn-kube when scaling up to 300 nodes 1959041 - LSO Cluster UI,"Troubleshoot" link does not exist after scale down osd pod 1959058 - ovn-kubernetes has lock contention on the LSP cache 1959158 - packageserver clusteroperator Available condition set to false on any Deployment spec change 1959177 - Descheduler dev manifests are missing permissions 1959190 - Set LABEL io.openshift.release.operator=true for driver-toolkit image addition to payload 1959194 - Ingress controller should use minReadySeconds because otherwise it is disrupted during deployment updates 1959278 - Should remove prometheus servicemonitor from openshift-user-workload-monitoring 1959294 - openshift-operator-lifecycle-manager:olm-operator-serviceaccount should not rely on external networking for health check 1959327 - Degraded nodes on upgrade - Cleaning bootversions: Read-only file system 1959406 - Difficult to debug performance on ovn-k without pprof enabled 1959471 - Kube sysctl conformance tests are disabled, meaning we can't submit conformance results 1959479 - machines doesn't support dual-stack loadbalancers on Azure 1959513 - Cluster-kube-apiserver does not use library-go for audit pkg 1959519 - Operand details page only renders one status donut no matter how many 'podStatuses' descriptors are used 1959550 - Overly generic CSS rules for dd and dt elements breaks styling elsewhere in console 1959564 - Test verify /run filesystem contents failing 1959648 - oc adm top --help indicates that oc adm top can display storage usage while it cannot 1959650 - Gather SDI-related MachineConfigs 1959658 - showing a lot "constructing many client instances from the same exec auth config" 1959696 - Deprecate 'ConsoleConfigRoute' struct in console-operator config 1959699 - [RFE] Collect LSO pod log and daemonset log managed by LSO 1959703 - Bootstrap gather gets into an infinite loop on bootstrap-in-place mode 1959711 - Egressnetworkpolicy doesn't work when configure the EgressIP 1959786 - [dualstack]EgressIP doesn't work on dualstack cluster for IPv6 1959916 - Console not works well against a proxy in front of openshift clusters 1959920 - UEFISecureBoot set not on the right master node 1959981 - [OCPonRHV] - Affinity Group should not create by default if we define empty affinityGroupsNames: [] 1960035 - iptables is missing from ose-keepalived-ipfailover image 1960059 - Remove "Grafana UI" link from Console Monitoring > Dashboards page 1960089 - ImageStreams list page, detail page and breadcrumb are not following CamelCase conventions 1960129 - [e2e][automation] add smoke tests about VM pages and actions 1960134 - some origin images are not public 1960171 - Enable SNO checks for image-registry 1960176 - CCO should recreate a user for the component when it was removed from the cloud providers 1960205 - The kubelet log flooded with reconcileState message once CPU manager enabled 1960255 - fixed obfuscation permissions 1960257 - breaking changes in pr template 1960284 - ExternalTrafficPolicy Local does not preserve connections correctly on shutdown, policy Cluster has significant performance cost 1960323 - Address issues raised by coverity security scan 1960324 - manifests: extra "spec.version" in console quickstarts makes CVO hotloop 1960330 - manifests: invalid selector in ServiceMonitor makes CVO hotloop 1960334 - manifests: invalid selector in ServiceMonitor makes CVO hotloop 1960337 - manifests: invalid selector in ServiceMonitor makes CVO hotloop 1960339 - manifests: unset "preemptionPolicy" makes CVO hotloop 1960531 - Items under 'Current Bandwidth' for Dashboard 'Kubernetes / Networking / Pod' keep added for every access 1960534 - Some graphs of console dashboards have no legend and tooltips are difficult to undstand compared with grafana 1960546 - Add virt_platform metric to the collected metrics 1960554 - Remove rbacv1beta1 handling code 1960612 - Node disk info in overview/details does not account for second drive where /var is located 1960619 - Image registry integration tests use old-style OAuth tokens 1960683 - GlobalConfigPage is constantly requesting resources 1960711 - Enabling IPsec runtime causing incorrect MTU on Pod interfaces 1960716 - Missing details for debugging 1960732 - Outdated manifests directory in CSI driver operator repositories 1960757 - [OVN] hostnetwork pod can access MCS port 22623 or 22624 on master 1960758 - oc debug / oc adm must-gather do not require openshift/tools and openshift/must-gather to be "the newest" 1960767 - /metrics endpoint of the Grafana UI is accessible without authentication 1960780 - CI: failed to create PDB "service-test" the server could not find the requested resource 1961064 - Documentation link to network policies is outdated 1961067 - Improve log gathering logic 1961081 - policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+; use policy/v1 PodDisruptionBudget in CMO logs 1961091 - Gather MachineHealthCheck definitions 1961120 - CSI driver operators fail when upgrading a cluster 1961173 - recreate existing static pod manifests instead of updating 1961201 - [sig-network-edge] DNS should answer A and AAAA queries for a dual-stack service is constantly failing 1961314 - Race condition in operator-registry pull retry unit tests 1961320 - CatalogSource does not emit any metrics to indicate if it's ready or not 1961336 - Devfile sample for BuildConfig is not defined 1961356 - Update single quotes to double quotes in string 1961363 - Minor string update for " No Storage classes found in cluster, adding source is disabled." 1961393 - DetailsPage does not work with group~version~kind 1961452 - Remove "Alertmanager UI" link from Console Monitoring > Alerting page 1961466 - Some dropdown placeholder text on route creation page is not translated 1961472 - openshift-marketplace pods in CrashLoopBackOff state after RHACS installed with an SCC with readOnlyFileSystem set to true 1961506 - NodePorts do not work on RHEL 7.9 workers (was "4.7 -> 4.8 upgrade is stuck at Ingress operator Degraded with rhel 7.9 workers") 1961536 - clusterdeployment without pull secret is crashing assisted service pod 1961538 - manifests: invalid namespace in ClusterRoleBinding makes CVO hotloop 1961545 - Fixing Documentation Generation 1961550 - HAproxy pod logs showing error "another server named 'pod:httpd-7c7ccfffdc-wdkvk:httpd:8080-tcp:10.128.x.x:8080' was already defined at line 326, please use distinct names" 1961554 - respect the shutdown-delay-duration from OpenShiftAPIServerConfig 1961561 - The encryption controllers send lots of request to an API server 1961582 - Build failure on s390x 1961644 - NodeAuthenticator tests are failing in IPv6 1961656 - driver-toolkit missing some release metadata 1961675 - Kebab menu of taskrun contains Edit options which should not be present 1961701 - Enhance gathering of events 1961717 - Update runtime dependencies to Wallaby builds for bugfixes 1961829 - Quick starts prereqs not shown when description is long 1961852 - Excessive lock contention when adding many pods selected by the same NetworkPolicy 1961878 - Add Sprint 199 translations 1961897 - Remove history listener before console UI is unmounted 1961925 - New ManagementCPUsOverride admission plugin blocks pod creation in clusters with no nodes 1962062 - Monitoring dashboards should support default values of "All" 1962074 - SNO:the pod get stuck in CreateContainerError and prompt "failed to add conmon to systemd sandbox cgroup: dial unix /run/systemd/private: connect: resource temporarily unavailable" after adding a performanceprofile 1962095 - Replace gather-job image without FQDN 1962153 - VolumeSnapshot routes are ambiguous, too generic 1962172 - Single node CI e2e tests kubelet metrics endpoints intermittent downtime 1962219 - NTO relies on unreliable leader-for-life implementation. 1962256 - use RHEL8 as the vm-example 1962261 - Monitoring components requesting more memory than they use 1962274 - OCP on RHV installer fails to generate an install-config with only 2 hosts in RHV cluster 1962347 - Cluster does not exist logs after successful installation 1962392 - After upgrade from 4.5.16 to 4.6.17, customer's application is seeing re-transmits 1962415 - duplicate zone information for in-tree PV after enabling migration 1962429 - Cannot create windows vm because kubemacpool.io denied the request 1962525 - [Migration] SDN migration stuck on MCO on RHV cluster 1962569 - NetworkPolicy details page should also show Egress rules 1962592 - Worker nodes restarting during OS installation 1962602 - Cloud credential operator scrolls info "unable to provide upcoming..." on unsupported platform 1962630 - NTO: Ship the current upstream TuneD 1962687 - openshift-kube-storage-version-migrator pod failed due to Error: container has runAsNonRoot and image will run as root 1962698 - Console-operator can not create resource console-public configmap in the openshift-config-managed namespace 1962718 - CVE-2021-29622 prometheus: open redirect under the /new endpoint 1962740 - Add documentation to Egress Router 1962850 - [4.8] Bootimage bump tracker 1962882 - Version pod does not set priorityClassName 1962905 - Ramdisk ISO source defaulting to "http" breaks deployment on a good amount of BMCs 1963068 - ironic container should not specify the entrypoint 1963079 - KCM/KS: ability to enforce localhost communication with the API server. 1963154 - Current BMAC reconcile flow skips Ironic's deprovision step 1963159 - Add Sprint 200 translations 1963204 - Update to 8.4 IPA images 1963205 - Installer is using old redirector 1963208 - Translation typos/inconsistencies for Sprint 200 files 1963209 - Some strings in public.json have errors 1963211 - Fix grammar issue in kubevirt-plugin.json string 1963213 - Memsource download script running into API error 1963219 - ImageStreamTags not internationalized 1963232 - CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment 1963267 - Warning: Invalid DOM property `classname`. Did you mean `className`? console warnings in volumes table 1963502 - create template from is not descriptive 1963676 - in vm wizard when selecting an os template it looks like selecting the flavor too 1963833 - Cluster monitoring operator crashlooping on single node clusters due to segfault 1963848 - Use OS-shipped stalld vs. the NTO-shipped one. 1963866 - NTO: use the latest k8s 1.21.1 and openshift vendor dependencies 1963871 - cluster-etcd-operator:[build] upgrade to go 1.16 1963896 - The VM disks table does not show easy links to PVCs 1963912 - "[sig-network] DNS should provide DNS for {services, cluster, subdomain, hostname}" failures on vsphere 1963932 - Installation failures in bootstrap in OpenStack release jobs 1963964 - Characters are not escaped on config ini file causing Kuryr bootstrap to fail 1964059 - rebase openshift/sdn to kube 1.21.1 1964197 - Failing Test vendor/k8s.io/kube-aggregator/pkg/apiserver TestProxyCertReload due to hardcoded certificate expiration 1964203 - e2e-metal-ipi, e2e-metal-ipi-ovn-dualstack and e2e-metal-ipi-ovn-ipv6 are failing due to "Unknown provider baremetal" 1964243 - The `oc compliance fetch-raw` doesn’t work for disconnected cluster 1964270 - Failed to install 'cluster-kube-descheduler-operator' with error: "clusterkubedescheduleroperator.4.8.0-202105211057.p0.assembly.stream\": must be no more than 63 characters" 1964319 - Network policy "deny all" interpreted as "allow all" in description page 1964334 - alertmanager/prometheus/thanos-querier /metrics endpoints are not secured 1964472 - Make project and namespace requirements more visible rather than giving me an error after submission 1964486 - Bulk adding of CIDR IPS to whitelist is not working 1964492 - Pick 102171: Implement support for watch initialization in P&F 1964625 - NETID duplicate check is only required in NetworkPolicy Mode 1964748 - Sync upstream 1.7.2 downstream 1964756 - PVC status is always in 'Bound' status when it is actually cloning 1964847 - Sanity check test suite missing from the repo 1964888 - opoenshift-apiserver imagestreamimports depend on >34s timeout support, WAS: transport: loopyWriter.run returning. connection error: desc = "transport is closing" 1964936 - error log for "oc adm catalog mirror" is not correct 1964979 - Add mapping from ACI to infraenv to handle creation order issues 1964997 - Helm Library charts are showing and can be installed from Catalog 1965024 - [DR] backup and restore should perform consistency checks on etcd snapshots 1965092 - [Assisted-4.7] [Staging][OLM] Operators deployments start before all workers finished installation 1965283 - 4.7->4.8 upgrades: cluster operators are not ready: openshift-controller-manager (Upgradeable=Unknown NoData: ), service-ca (Upgradeable=Unknown NoData: 1965330 - oc image extract fails due to security capabilities on files 1965334 - opm index add fails during image extraction 1965367 - Typo in in etcd-metric-serving-ca resource name 1965370 - "Route" is not translated in Korean or Chinese 1965391 - When storage class is already present wizard do not jumps to "Stoarge and nodes" 1965422 - runc is missing Provides oci-runtime in rpm spec 1965522 - [v2v] Multiple typos on VM Import screen 1965545 - Pod stuck in ContainerCreating: Unit ...slice already exists 1965909 - Replace "Enable Taint Nodes" by "Mark nodes as dedicated" 1965921 - [oVirt] High performance VMs shouldn't be created with Existing policy 1965929 - kube-apiserver should use cert auth when reaching out to the oauth-apiserver with a TokenReview request 1966077 - `hidden` descriptor is visible in the Operator instance details page` 1966116 - DNS SRV request which worked in 4.7.9 stopped working in 4.7.11 1966126 - root_ca_cert_publisher_sync_duration_seconds metric can have an excessive cardinality 1966138 - (release-4.8) Update K8s & OpenShift API versions 1966156 - Issue with Internal Registry CA on the service pod 1966174 - No storage class is installed, OCS and CNV installations fail 1966268 - Workaround for Network Manager not supporting nmconnections priority 1966401 - Revamp Ceph Table in Install Wizard flow 1966410 - kube-controller-manager should not trigger APIRemovedInNextReleaseInUse alert 1966416 - (release-4.8) Do not exceed the data size limit 1966459 - 'policy/v1beta1 PodDisruptionBudget' and 'batch/v1beta1 CronJob' appear in image-registry-operator log 1966487 - IP address in Pods list table are showing node IP other than pod IP 1966520 - Add button from ocs add capacity should not be enabled if there are no PV's 1966523 - (release-4.8) Gather MachineAutoScaler definitions 1966546 - [master] KubeAPI - keep day1 after cluster is successfully installed 1966561 - Workload partitioning annotation workaround needed for CSV annotation propagation bug 1966602 - don't require manually setting IPv6DualStack feature gate in 4.8 1966620 - The bundle.Dockerfile in the repo is obsolete 1966632 - [4.8.0] [assisted operator] Unable to re-register an SNO instance if deleting CRDs during install 1966654 - Alertmanager PDB is not created, but Prometheus UWM is 1966672 - Add Sprint 201 translations 1966675 - Admin console string updates 1966677 - Change comma to semicolon 1966683 - Translation bugs from Sprint 201 files 1966684 - Verify "Creating snapshot for claim <1>{pvcName}</1>" displays correctly 1966697 - Garbage collector logs every interval - move to debug level 1966717 - include full timestamps in the logs 1966759 - Enable downstream plugin for Operator SDK 1966795 - [tests] Release 4.7 broken due to the usage of wrong OCS version 1966813 - "Replacing an unhealthy etcd member whose node is not ready" procedure results in new etcd pod in CrashLoopBackOff 1966862 - vsphere IPI - local dns prepender is not prepending nameserver 127.0.0.1 1966892 - [master] [Assisted-4.8][SNO] SNO node cannot transition into "Writing image to disk" from "Waiting for bootkub[e" 1966952 - [4.8.0] [Assisted-4.8][SNO][Dual Stack] DHCPv6 settings "ipv6.dhcp-duid=ll" missing from dual stack install 1967104 - [4.8.0] InfraEnv ctrl: log the amount of NMstate Configs baked into the image 1967126 - [4.8.0] [DOC] KubeAPI docs should clarify that the InfraEnv Spec pullSecretRef is currently ignored 1967197 - 404 errors loading some i18n namespaces 1967207 - Getting started card: console customization resources link shows other resources 1967208 - Getting started card should use semver library for parsing the version instead of string manipulation 1967234 - Console is continuously polling for ConsoleLink acm-link 1967275 - Awkward wrapping in getting started dashboard card 1967276 - Help menu tooltip overlays dropdown 1967398 - authentication operator still uses previous deleted pod ip rather than the new created pod ip to do health check 1967403 - (release-4.8) Increase workloads fingerprint gatherer pods limit 1967423 - [master] clusterDeployments controller should take 1m to reqeueue when failing with AddOpenshiftVersion 1967444 - openshift-local-storage pods found with invalid priority class, should be openshift-user-critical or begin with system- while running e2e tests 1967531 - the ccoctl tool should extend MaxItems when listRoles, the default value 100 is a little small 1967578 - [4.8.0] clusterDeployments controller should take 1m to reqeueue when failing with AddOpenshiftVersion 1967591 - The ManagementCPUsOverride admission plugin should not mutate containers with the limit 1967595 - Fixes the remaining lint issues 1967614 - prometheus-k8s pods can't be scheduled due to volume node affinity conflict 1967623 - [OCPonRHV] - ./openshift-install installation with install-config doesn't work if ovirt-config.yaml doesn't exist and user should fill the FQDN URL 1967625 - Add OpenShift Dockerfile for cloud-provider-aws 1967631 - [4.8.0] Cluster install failed due to timeout while "Waiting for control plane" 1967633 - [4.8.0] [Assisted-4.8][SNO] SNO node cannot transition into "Writing image to disk" from "Waiting for bootkube" 1967639 - Console whitescreens if user preferences fail to load 1967662 - machine-api-operator should not use deprecated "platform" field in infrastructures.config.openshift.io 1967667 - Add Sprint 202 Round 1 translations 1967713 - Insights widget shows invalid link to the OCM 1967717 - Insights Advisor widget is missing a description paragraph and contains deprecated naming 1967745 - When setting DNS node placement by toleration to not tolerate master node, effect value should not allow string other than "NoExecute" 1967803 - should update to 7.5.5 for grafana resources version label 1967832 - Add more tests for periodic.go 1967833 - Add tasks pool to tasks_processing 1967842 - Production logs are spammed on "OCS requirements validation status Insufficient hosts to deploy OCS. A minimum of 3 hosts is required to deploy OCS" 1967843 - Fix null reference to messagesToSearch in gather_logs.go 1967902 - [4.8.0] Assisted installer chrony manifests missing index numberring 1967933 - Network-Tools debug scripts not working as expected 1967945 - [4.8.0] [assisted operator] Assisted Service Postgres crashes msg: "mkdir: cannot create directory '/var/lib/pgsql/data/userdata': Permission denied" 1968019 - drain timeout and pool degrading period is too short 1968067 - [master] Agent validation not including reason for being insufficient 1968168 - [4.8.0] KubeAPI - keep day1 after cluster is successfully installed 1968175 - [4.8.0] Agent validation not including reason for being insufficient 1968373 - [4.8.0] BMAC re-attaches installed node on ISO regeneration 1968385 - [4.8.0] Infra env require pullSecretRef although it shouldn't be required 1968435 - [4.8.0] Unclear message in case of missing clusterImageSet 1968436 - Listeners timeout updated to remain using default value 1968449 - [4.8.0] Wrong Install-config override documentation 1968451 - [4.8.0] Garbage collector not cleaning up directories of removed clusters 1968452 - [4.8.0] [doc] "Mirror Registry Configuration" doc section needs clarification of functionality and limitations 1968454 - [4.8.0] backend events generated with wrong namespace for agent 1968455 - [4.8.0] Assisted Service operator's controllers are starting before the base service is ready 1968515 - oc should set user-agent when talking with registry 1968531 - Sync upstream 1.8.0 downstream 1968558 - [sig-cli] oc adm storage-admin [Suite:openshift/conformance/parallel] doesn't clean up properly 1968567 - [OVN] Egress router pod not running and openshift.io/scc is restricted 1968625 - Pods using sr-iov interfaces failign to start for Failed to create pod sandbox 1968700 - catalog-operator crashes when status.initContainerStatuses[].state.waiting is nil 1968701 - Bare metal IPI installation is failed due to worker inspection failure 1968754 - CI: e2e-metal-ipi-upgrade failing on KubeletHasDiskPressure, which triggers machine-config RequiredPoolsFailed 1969212 - [FJ OCP4.8 Bug - PUBLIC VERSION]: Masters repeat reboot every few minutes during workers provisioning 1969284 - Console Query Browser: Can't reset zoom to fixed time range after dragging to zoom 1969315 - [4.8.0] BMAC doesn't check if ISO Url changed before queuing BMH for reconcile 1969352 - [4.8.0] Creating BareMetalHost without the "inspect.metal3.io" does not automatically add it 1969363 - [4.8.0] Infra env should show the time that ISO was generated. 1969367 - [4.8.0] BMAC should wait for an ISO to exist for 1 minute before using it 1969386 - Filesystem's Utilization doesn't show in VM overview tab 1969397 - OVN bug causing subports to stay DOWN fails installations 1969470 - [4.8.0] Misleading error in case of install-config override bad input 1969487 - [FJ OCP4.8 Bug]: Avoid always do delete_configuration clean step 1969525 - Replace golint with revive 1969535 - Topology edit icon does not link correctly when branch name contains slash 1969538 - Install a VolumeSnapshotClass by default on CSI Drivers that support it 1969551 - [4.8.0] Assisted service times out on GetNextSteps due to `oc adm release info` taking too long 1969561 - Test "an end user can use OLM can subscribe to the operator" generates deprecation alert 1969578 - installer: accesses v1beta1 RBAC APIs and causes APIRemovedInNextReleaseInUse to fire 1969599 - images without registry are being prefixed with registry.hub.docker.com instead of docker.io 1969601 - manifest for networks.config.openshift.io CRD uses deprecated apiextensions.k8s.io/v1beta1 1969626 - Portfoward stream cleanup can cause kubelet to panic 1969631 - EncryptionPruneControllerDegraded: etcdserver: request timed out 1969681 - MCO: maxUnavailable of ds/machine-config-daemon does not get updated due to missing resourcemerge check 1969712 - [4.8.0] Assisted service reports a malformed iso when we fail to download the base iso 1969752 - [4.8.0] [assisted operator] Installed Clusters are missing DNS setups 1969773 - [4.8.0] Empty cluster name on handleEnsureISOErrors log after applying InfraEnv.yaml 1969784 - WebTerminal widget should send resize events 1969832 - Applying a profile with multiple inheritance where parents include a common ancestor fails 1969891 - Fix rotated pipelinerun status icon issue in safari 1969900 - Test files should not use deprecated APIs that will trigger APIRemovedInNextReleaseInUse 1969903 - Provisioning a large number of hosts results in an unexpected delay in hosts becoming available 1969951 - Cluster local doesn't work for knative services created from dev console 1969969 - ironic-rhcos-downloader container uses and old base image 1970062 - ccoctl does not work with STS authentication 1970068 - ovnkube-master logs "Failed to find node ips for gateway" error 1970126 - [4.8.0] Disable "metrics-events" when deploying using the operator 1970150 - master pool is still upgrading when machine config reports level / restarts on osimageurl change 1970262 - [4.8.0] Remove Agent CRD Status fields not needed 1970265 - [4.8.0] Add State and StateInfo to DebugInfo in ACI and Agent CRDs 1970269 - [4.8.0] missing role in agent CRD 1970271 - [4.8.0] Add ProgressInfo to Agent and AgentClusterInstalll CRDs 1970381 - Monitoring dashboards: Custom time range inputs should retain their values 1970395 - [4.8.0] SNO with AI/operator - kubeconfig secret is not created until the spoke is deployed 1970401 - [4.8.0] AgentLabelSelector is required yet not supported 1970415 - SR-IOV Docs needs documentation for disabling port security on a network 1970470 - Add pipeline annotation to Secrets which are created for a private repo 1970494 - [4.8.0] Missing value-filling of log line in assisted-service operator pod 1970624 - 4.7->4.8 updates: AggregatedAPIDown for v1beta1.metrics.k8s.io 1970828 - "500 Internal Error" for all openshift-monitoring routes 1970975 - 4.7 -> 4.8 upgrades on AWS take longer than expected 1971068 - Removing invalid AWS instances from the CF templates 1971080 - 4.7->4.8 CI: KubePodNotReady due to MCD's 5m sleep between drain attempts 1971188 - Web Console does not show OpenShift Virtualization Menu with VirtualMachine CRDs of version v1alpha3 ! 1971293 - [4.8.0] Deleting agent from one namespace causes all agents with the same name to be deleted from all namespaces 1971308 - [4.8.0] AI KubeAPI AgentClusterInstall confusing "Validated" condition about VIP not matching machine network 1971529 - [Dummy bug for robot] 4.7.14 upgrade to 4.8 and then downgrade back to 4.7.14 doesn't work - clusteroperator/kube-apiserver is not upgradeable 1971589 - [4.8.0] Telemetry-client won't report metrics in case the cluster was installed using the assisted operator 1971630 - [4.8.0] ACM/ZTP with Wan emulation fails to start the agent service 1971632 - [4.8.0] ACM/ZTP with Wan emulation, several clusters fail to step past discovery 1971654 - [4.8.0] InfraEnv controller should always requeue for backend response HTTP StatusConflict (code 409) 1971739 - Keep /boot RW when kdump is enabled 1972085 - [4.8.0] Updating configmap within AgentServiceConfig is not logged properly 1972128 - ironic-static-ip-manager container still uses 4.7 base image 1972140 - [4.8.0] ACM/ZTP with Wan emulation, SNO cluster installs do not show as installed although they are 1972167 - Several operators degraded because Failed to create pod sandbox when installing an sts cluster 1972213 - Openshift Installer| UEFI mode | BM hosts have BIOS halted 1972262 - [4.8.0] "baremetalhost.metal3.io/detached" uses boolean value where string is expected 1972426 - Adopt failure can trigger deprovisioning 1972436 - [4.8.0] [DOCS] AgentServiceConfig examples in operator.md doc should each contain databaseStorage + filesystemStorage 1972526 - [4.8.0] clusterDeployments controller should send an event to InfraEnv for backend cluster registration 1972530 - [4.8.0] no indication for missing debugInfo in AgentClusterInstall 1972565 - performance issues due to lost node, pods taking too long to relaunch 1972662 - DPDK KNI modules need some additional tools 1972676 - Requirements for authenticating kernel modules with X.509 1972687 - Using bound SA tokens causes causes failures to /apis/authorization.openshift.io/v1/clusterrolebindings 1972690 - [4.8.0] infra-env condition message isn't informative in case of missing pull secret 1972702 - [4.8.0] Domain dummy.com (not belonging to Red Hat) is being used in a default configuration 1972768 - kube-apiserver setup fail while installing SNO due to port being used 1972864 - New `local-with-fallback` service annotation does not preserve source IP 1973018 - Ironic rhcos downloader breaks image cache in upgrade process from 4.7 to 4.8 1973117 - No storage class is installed, OCS and CNV installations fail 1973233 - remove kubevirt images and references 1973237 - RHCOS-shipped stalld systemd units do not use SCHED_FIFO to run stalld. 1973428 - Placeholder bug for OCP 4.8.0 image release 1973667 - [4.8] NetworkPolicy tests were mistakenly marked skipped 1973672 - fix ovn-kubernetes NetworkPolicy 4.7->4.8 upgrade issue 1973995 - [Feature:IPv6DualStack] tests are failing in dualstack 1974414 - Uninstalling kube-descheduler clusterkubedescheduleroperator.4.6.0-202106010807.p0.git.5db84c5 removes some clusterrolebindings 1974447 - Requirements for nvidia GPU driver container for driver toolkit 1974677 - [4.8.0] KubeAPI CVO progress is not available on CR/conditions only in events. 1974718 - Tuned net plugin fails to handle net devices with n/a value for a channel 1974743 - [4.8.0] All resources not being cleaned up after clusterdeployment deletion 1974746 - [4.8.0] File system usage not being logged appropriately 1974757 - [4.8.0] Assisted-service deployed on an IPv6 cluster installed with proxy: agentclusterinstall shows error pulling an image from quay. 1974773 - Using bound SA tokens causes fail to query cluster resource especially in a sts cluster 1974839 - CVE-2021-29059 nodejs-is-svg: Regular expression denial of service if the application is provided and checks a crafted invalid SVG string 1974850 - [4.8] coreos-installer failing Execshield 1974931 - [4.8.0] Assisted Service Operator should be Infrastructure Operator for Red Hat OpenShift 1974978 - 4.8.0.rc0 upgrade hung, stuck on DNS clusteroperator progressing 1975155 - Kubernetes service IP cannot be accessed for rhel worker 1975227 - [4.8.0] KubeAPI Move conditions consts to CRD types 1975360 - [4.8.0] [master] timeout on kubeAPI subsystem test: SNO full install and validate MetaData 1975404 - [4.8.0] Confusing behavior when multi-node spoke workers present when only controlPlaneAgents specified 1975432 - Alert InstallPlanStepAppliedWithWarnings does not resolve 1975527 - VMware UPI is configuring static IPs via ignition rather than afterburn 1975672 - [4.8.0] Production logs are spammed on "Found unpreparing host: id 08f22447-2cf1-a107-eedf-12c7421f7380 status insufficient" 1975789 - worker nodes rebooted when we simulate a case where the api-server is down 1975938 - gcp-realtime: e2e test failing [sig-storage] Multi-AZ Cluster Volumes should only be allowed to provision PDs in zones where nodes exist [Suite:openshift/conformance/parallel] [Suite:k8s] 1975964 - 4.7 nightly upgrade to 4.8 and then downgrade back to 4.7 nightly doesn't work - ingresscontroller "default" is degraded 1976079 - [4.8.0] Openshift Installer| UEFI mode | BM hosts have BIOS halted 1976263 - [sig-cli] oc adm must-gather runs successfully for audit logs [Suite:openshift/conformance/parallel] 1976376 - disable jenkins client plugin test whose Jenkinsfile references master branch openshift/origin artifacts 1976590 - [Tracker] [SNO][assisted-operator][nmstate] Bond Interface is down when booting from the discovery ISO 1977233 - [4.8] Unable to authenticate against IDP after upgrade to 4.8-rc.1 1977351 - CVO pod skipped by workload partitioning with incorrect error stating cluster is not SNO 1977352 - [4.8.0] [SNO] No DNS to cluster API from assisted-installer-controller 1977426 - Installation of OCP 4.6.13 fails when teaming interface is used with OVNKubernetes 1977479 - CI failing on firing CertifiedOperatorsCatalogError due to slow livenessProbe responses 1977540 - sriov webhook not worked when upgrade from 4.7 to 4.8 1977607 - [4.8.0] Post making changes to AgentServiceConfig assisted-service operator is not detecting the change and redeploying assisted-service pod 1977924 - Pod fails to run when a custom SCC with a specific set of volumes is used 1980788 - NTO-shipped stalld can segfault 1981633 - enhance service-ca injection 1982250 - Performance Addon Operator fails to install after catalog source becomes ready 1982252 - olm Operator is in CrashLoopBackOff state with error "couldn't cleanup cross-namespace ownerreferences" 5. References: https://access.redhat.com/security/cve/CVE-2016-2183 https://access.redhat.com/security/cve/CVE-2020-7774 https://access.redhat.com/security/cve/CVE-2020-15106 https://access.redhat.com/security/cve/CVE-2020-15112 https://access.redhat.com/security/cve/CVE-2020-15113 https://access.redhat.com/security/cve/CVE-2020-15114 https://access.redhat.com/security/cve/CVE-2020-15136 https://access.redhat.com/security/cve/CVE-2020-26160 https://access.redhat.com/security/cve/CVE-2020-26541 https://access.redhat.com/security/cve/CVE-2020-28469 https://access.redhat.com/security/cve/CVE-2020-28500 https://access.redhat.com/security/cve/CVE-2020-28852 https://access.redhat.com/security/cve/CVE-2021-3114 https://access.redhat.com/security/cve/CVE-2021-3121 https://access.redhat.com/security/cve/CVE-2021-3516 https://access.redhat.com/security/cve/CVE-2021-3517 https://access.redhat.com/security/cve/CVE-2021-3518 https://access.redhat.com/security/cve/CVE-2021-3520 https://access.redhat.com/security/cve/CVE-2021-3537 https://access.redhat.com/security/cve/CVE-2021-3541 https://access.redhat.com/security/cve/CVE-2021-3636 https://access.redhat.com/security/cve/CVE-2021-20206 https://access.redhat.com/security/cve/CVE-2021-20271 https://access.redhat.com/security/cve/CVE-2021-20291 https://access.redhat.com/security/cve/CVE-2021-21419 https://access.redhat.com/security/cve/CVE-2021-21623 https://access.redhat.com/security/cve/CVE-2021-21639 https://access.redhat.com/security/cve/CVE-2021-21640 https://access.redhat.com/security/cve/CVE-2021-21648 https://access.redhat.com/security/cve/CVE-2021-22133 https://access.redhat.com/security/cve/CVE-2021-23337 https://access.redhat.com/security/cve/CVE-2021-23362 https://access.redhat.com/security/cve/CVE-2021-23368 https://access.redhat.com/security/cve/CVE-2021-23382 https://access.redhat.com/security/cve/CVE-2021-25735 https://access.redhat.com/security/cve/CVE-2021-25737 https://access.redhat.com/security/cve/CVE-2021-26539 https://access.redhat.com/security/cve/CVE-2021-26540 https://access.redhat.com/security/cve/CVE-2021-27292 https://access.redhat.com/security/cve/CVE-2021-28092 https://access.redhat.com/security/cve/CVE-2021-29059 https://access.redhat.com/security/cve/CVE-2021-29622 https://access.redhat.com/security/cve/CVE-2021-32399 https://access.redhat.com/security/cve/CVE-2021-33034 https://access.redhat.com/security/cve/CVE-2021-33194 https://access.redhat.com/security/cve/CVE-2021-33909 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYQCOF9zjgjWX9erEAQjsEg/+NSFQdRcZpqA34LWRtxn+01y2MO0WLroQ d4o+3h0ECKYNRFKJe6n7z8MdmPpvV2uNYN0oIwidTESKHkFTReQ6ZolcV/sh7A26 Z7E+hhpTTObxAL7Xx8nvI7PNffw3CIOZSpnKws5TdrwuMkH5hnBSSZntP5obp9Vs ImewWWl7CNQtFewtXbcmUojNzIvU1mujES2DTy2ffypLoOW6kYdJzyWubigIoR6h gep9HKf1X4oGPuDNF5trSdxKwi6W68+VsOA25qvcNZMFyeTFhZqowot/Jh1HUHD8 TWVpDPA83uuExi/c8tE8u7VZgakWkRWcJUsIw68VJVOYGvpP6K/MjTpSuP2itgUX X//1RGQM7g6sYTCSwTOIrMAPbYH0IMbGDjcS4fSZcfg6c+WJnEpZ72ZgjHZV8mxb 1BtQSs2lil48/cwDKM0yMO2nYsKiz4DCCx2W5izP0rLwNA8Hvqh9qlFgkxJWWOvA mtBCelB0E74qrE4NXbX+MIF7+ZQKjd1evE91/VWNs0FLR/xXdP3C5ORLU3Fag0G/ 0oTV73NdxP7IXVAdsECwU2AqS9ne1y01zJKtd7hq7H/wtkbasqCNq5J7HikJlLe6 dpKh5ZRQzYhGeQvho9WQfz/jd4HZZTcB6wxrWubbd05bYt/i/0gau90LpuFEuSDx +bLvJlpGiMg= =NJcM -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . OpenSSL Security Advisory [22 Sep 2016] ======================================== OCSP Status Request extension unbounded memory growth (CVE-2016-6304) ===================================================================== Severity: High A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the "no-ocsp" build time option are not affected. Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default configuration, instead only if an application explicitly enables OCSP stapling support. OpenSSL 1.1.0 users should upgrade to 1.1.0a OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 29th August 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL development team. SSL_peek() hang on empty record (CVE-2016-6305) =============================================== Severity: Moderate OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an empty record. This could be exploited by a malicious peer in a Denial Of Service attack. OpenSSL 1.1.0 users should upgrade to 1.1.0a This issue was reported to OpenSSL on 10th September 2016 by Alex Gaynor. The fix was developed by Matt Caswell of the OpenSSL development team. SWEET32 Mitigation (CVE-2016-2183) ================================== Severity: Low SWEET32 (https://sweet32.info) is an attack on older block cipher algorithms that use a block size of 64 bits. In mitigation for the SWEET32 attack DES based ciphersuites have been moved from the HIGH cipherstring group to MEDIUM in OpenSSL 1.0.1 and OpenSSL 1.0.2. OpenSSL 1.1.0 since release has had these ciphersuites disabled by default. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 16th August 2016 by Karthikeyan Bhargavan and Gaetan Leurent (INRIA). The fix was developed by Rich Salz of the OpenSSL development team. OOB write in MDC2_Update() (CVE-2016-6303) ========================================== Severity: Low An overflow can occur in MDC2_Update() either if called directly or through the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. The amount of data needed is comparable to SIZE_MAX which is impractical on most platforms. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 11th August 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL development team. Malformed SHA512 ticket DoS (CVE-2016-6302) =========================================== Severity: Low If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a DoS attack where a malformed ticket will result in an OOB read which will ultimately crash. The use of SHA512 in TLS session tickets is comparatively rare as it requires a custom server callback and ticket lookup mechanism. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 19th August 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL development team. OOB write in BN_bn2dec() (CVE-2016-2182) ======================================== Severity: Low The function BN_bn2dec() does not check the return value of BN_div_word(). This can cause an OOB write if an application uses this function with an overly large BIGNUM. This could be a problem if an overly large certificate or CRL is printed out from an untrusted source. TLS is not affected because record limits will reject an oversized certificate before it is parsed. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 2nd August 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL development team. OOB read in TS_OBJ_print_bio() (CVE-2016-2180) ============================================== Severity: Low The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is the total length the OID text representation would use and not the amount of data written. This will result in OOB reads when large OIDs are presented. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 21st July 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL development team. Pointer arithmetic undefined behaviour (CVE-2016-2177) ====================================================== Severity: Low Avoid some undefined pointer arithmetic A common idiom in the codebase is to check limits in the following manner: "p + len > limit" Where "p" points to some malloc'd data of SIZE bytes and limit == p + SIZE "len" here could be from some externally supplied data (e.g. from a TLS message). The rules of C pointer arithmetic are such that "p + len" is only well defined where len <= SIZE. Therefore the above idiom is actually undefined behaviour. For example this could cause problems if some malloc implementation provides an address for "p" such that "p + len" actually overflows for values of len that are too big and therefore p + len < limit. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 4th May 2016 by Guido Vranken. The fix was developed by Matt Caswell of the OpenSSL development team. Constant time flag not preserved in DSA signing (CVE-2016-2178) =============================================================== Severity: Low Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 23rd May 2016 by César Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA). The fix was developed by César Pereida. DTLS buffered message DoS (CVE-2016-2179) ========================================= Severity: Low In a DTLS connection where handshake messages are delivered out-of-order those messages that OpenSSL is not yet ready to process will be buffered for later use. Under certain circumstances, a flaw in the logic means that those messages do not get removed from the buffer even though the handshake has been completed. An attacker could force up to approx. 15 messages to remain in the buffer when they are no longer required. These messages will be cleared when the DTLS connection is closed. The default maximum size for a message is 100k. Therefore the attacker could force an additional 1500k to be consumed per connection. By opening many simulataneous connections an attacker could cause a DoS attack through memory exhaustion. OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2i OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1u This issue was reported to OpenSSL on 22nd June 2016 by Quan Luo. The fix was developed by Matt Caswell of the OpenSSL development team. DTLS replay protection DoS (CVE-2016-2181) ========================================== Severity: Low A flaw in the DTLS replay attack protection mechanism means that records that arrive for future epochs update the replay protection "window" before the MAC for the record has been validated. This could be exploited by an attacker by sending a record for the next epoch (which does not have to decrypt or have a valid MAC), with a very large sequence number. This means that all subsequent legitimate packets are dropped causing a denial of service for a specific DTLS connection. OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2i OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1u This issue was reported to OpenSSL on 21st November 2015 by the OCAP audit team. The fix was developed by Matt Caswell of the OpenSSL development team. Certificate message OOB reads (CVE-2016-6306) ============================================= Severity: Low In OpenSSL 1.0.2 and earlier some missing message length checks can result in OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical DoS risk but this has not been observed in practice on common platforms. The messages affected are client certificate, client certificate request and server certificate. As a result the attack can only be performed against a client or a server which enables client authentication. OpenSSL 1.1.0 is not affected. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 22nd August 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL development team. Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307) ========================================================================== Severity: Low A TLS message includes 3 bytes for its length in the header for the message. This would allow for messages up to 16Mb in length. Messages of this length are excessive and OpenSSL includes a check to ensure that a peer is sending reasonably sized messages in order to avoid too much memory being consumed to service a connection. A flaw in the logic of version 1.1.0 means that memory for the message is allocated too early, prior to the excessive message length check. Due to way memory is allocated in OpenSSL this could mean an attacker could force up to 21Mb to be allocated to service a connection. This could lead to a Denial of Service through memory exhaustion. However, the excessive message length check still takes place, and this would cause the connection to immediately fail. Assuming that the application calls SSL_free() on the failed conneciton in a timely manner then the 21Mb of allocated memory will then be immediately freed again. Therefore the excessive memory allocation will be transitory in nature. This then means that there is only a security impact if: 1) The application does not call SSL_free() in a timely manner in the event that the connection fails or 2) The application is working in a constrained environment where there is very little free memory or 3) The attacker initiates multiple connection attempts such that there are multiple connections in a state where memory has been allocated for the connection; SSL_free() has not yet been called; and there is insufficient memory to service the multiple requests. Except in the instance of (1) above any Denial Of Service is likely to be transitory because as soon as the connection fails the memory is subsequently freed again in the SSL_free() call. However there is an increased risk during this period of application crashes due to the lack of memory - which would then mean a more serious Denial of Service. This issue does not affect DTLS users. OpenSSL 1.1.0 TLS users should upgrade to 1.1.0a This issue was reported to OpenSSL on 18th September 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL development team. Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308) ============================================================================= Severity: Low This issue is very similar to CVE-2016-6307. The underlying defect is different but the security analysis and impacts are the same except that it impacts DTLS. A DTLS message includes 3 bytes for its length in the header for the message. This would allow for messages up to 16Mb in length. Messages of this length are excessive and OpenSSL includes a check to ensure that a peer is sending reasonably sized messages in order to avoid too much memory being consumed to service a connection. A flaw in the logic of version 1.1.0 means that memory for the message is allocated too early, prior to the excessive message length check. Due to way memory is allocated in OpenSSL this could mean an attacker could force up to 21Mb to be allocated to service a connection. This could lead to a Denial of Service through memory exhaustion. However, the excessive message length check still takes place, and this would cause the connection to immediately fail. Assuming that the application calls SSL_free() on the failed conneciton in a timely manner then the 21Mb of allocated memory will then be immediately freed again. Therefore the excessive memory allocation will be transitory in nature. This then means that there is only a security impact if: 1) The application does not call SSL_free() in a timely manner in the event that the connection fails or 2) The application is working in a constrained environment where there is very little free memory or 3) The attacker initiates multiple connection attempts such that there are multiple connections in a state where memory has been allocated for the connection; SSL_free() has not yet been called; and there is insufficient memory to service the multiple requests. Except in the instance of (1) above any Denial Of Service is likely to be transitory because as soon as the connection fails the memory is subsequently freed again in the SSL_free() call. However there is an increased risk during this period of application crashes due to the lack of memory - which would then mean a more serious Denial of Service. This issue does not affect TLS users. OpenSSL 1.1.0 DTLS users should upgrade to 1.1.0a This issue was reported to OpenSSL on 18th September 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL development team. Note ==== As per our previous announcements and our Release Strategy (https://www.openssl.org/policies/releasestrat.html), support for OpenSSL version 1.0.1 will cease on 31st December 2016. No security updates for that version will be provided after that date. Users of 1.0.1 are advised to upgrade. Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer receiving security updates. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv/20160922.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html . This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2 serves as an update for Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es): * It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. (CVE-2017-9788) * It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185) * A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. Upstream acknowledges Karthikeyan Bhargavan (Inria) and GaA<<tan Leurent (Inria) as the original reporters of CVE-2016-2183. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Bugs fixed (https://bugzilla.redhat.com/): 1243888 - CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4 1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32) 1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest 6. JIRA issues fixed (https://issues.jboss.org/): JBCS-329 - Unable to load large CRL openssl problem JBCS-336 - Errata for httpd 2.4.23 SP2 RHEL 7 7. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 6 to version 6 SR16-FP41. Security Fix(es): * This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. (CVE-2016-2183, CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3261, CVE-2017-3272) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of IBM Java must be restarted for this update to take effect. Bugs fixed (https://bugzilla.redhat.com/): 1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32) 1413554 - CVE-2017-3272 OpenJDK: insufficient protected field access checks in atomic field updaters (Libraries, 8165344) 1413583 - CVE-2017-3253 OpenJDK: imageio PNGImageReader failed to honor ignoreMetadata for iTXt and zTXt chunks (2D, 8166988) 1413653 - CVE-2017-3261 OpenJDK: integer overflow in SocketOutputStream boundary check (Networking, 8164147) 1413717 - CVE-2017-3231 OpenJDK: URLClassLoader insufficient access control checks (Networking, 8151934) 1413882 - CVE-2016-5552 OpenJDK: incorrect URL parsing in URLStreamHandler (Networking, 8167223) 1413906 - CVE-2017-3252 OpenJDK: LdapLoginModule incorrect userDN extraction (JAAS, 8161743) 1413911 - CVE-2016-5546 OpenJDK: incorrect ECDSA signature extraction from the DER input (Libraries, 8168714) 1413920 - CVE-2016-5548 OpenJDK: DSA implementation timing attack (Libraries, 8168728) 1413923 - CVE-2016-5549 OpenJDK: ECDSA implementation timing attack (Libraries, 8168724) 1413955 - CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DCG (RMI, 8156802) 1414163 - CVE-2017-3259 Oracle JDK: unspecified vulnerability fixed in 6u141, 7u131, and 8u121 (Deployment) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-accessibility-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-plugin-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el5_11.i386.rpm x86_64: java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm java-1.6.0-ibm-accessibility-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-plugin-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-accessibility-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-plugin-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el5_11.i386.rpm ppc: java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el5_11.ppc.rpm java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el5_11.ppc64.rpm java-1.6.0-ibm-accessibility-1.6.0.16.41-1jpp.1.el5_11.ppc.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el5_11.ppc.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el5_11.ppc64.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el5_11.ppc.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el5_11.ppc64.rpm java-1.6.0-ibm-javacomm-1.6.0.16.41-1jpp.1.el5_11.ppc.rpm java-1.6.0-ibm-javacomm-1.6.0.16.41-1jpp.1.el5_11.ppc64.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el5_11.ppc.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el5_11.ppc64.rpm java-1.6.0-ibm-plugin-1.6.0.16.41-1jpp.1.el5_11.ppc.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el5_11.ppc.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el5_11.ppc64.rpm s390x: java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el5_11.s390.rpm java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el5_11.s390x.rpm java-1.6.0-ibm-accessibility-1.6.0.16.41-1jpp.1.el5_11.s390x.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el5_11.s390.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el5_11.s390x.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el5_11.s390.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el5_11.s390x.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el5_11.s390.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el5_11.s390x.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el5_11.s390.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el5_11.s390x.rpm x86_64: java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm java-1.6.0-ibm-accessibility-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-plugin-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el5_11.i386.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el5_11.x86_64.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el6_8.i686.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el6_8.i686.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el6_8.i686.rpm java-1.6.0-ibm-javacomm-1.6.0.16.41-1jpp.1.el6_8.i686.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el6_8.i686.rpm java-1.6.0-ibm-plugin-1.6.0.16.41-1jpp.1.el6_8.i686.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el6_8.i686.rpm x86_64: java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm Red Hat Enterprise Linux HPC Node Supplementary (v. 6): x86_64: java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el6_8.i686.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el6_8.i686.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el6_8.i686.rpm java-1.6.0-ibm-javacomm-1.6.0.16.41-1jpp.1.el6_8.i686.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el6_8.i686.rpm java-1.6.0-ibm-plugin-1.6.0.16.41-1jpp.1.el6_8.i686.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el6_8.i686.rpm ppc64: java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el6_8.ppc64.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el6_8.ppc64.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el6_8.ppc64.rpm java-1.6.0-ibm-javacomm-1.6.0.16.41-1jpp.1.el6_8.ppc64.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el6_8.ppc64.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el6_8.ppc64.rpm s390x: java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el6_8.s390x.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el6_8.s390x.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el6_8.s390x.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el6_8.s390x.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el6_8.s390x.rpm x86_64: java-1.6.0-ibm-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm java-1.6.0-ibm-src-1.6.0.16.41-1jpp.1.el6_8.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. ========================================================================== Ubuntu Security Notice USN-3087-2 September 23, 2016 openssl regression ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: USN-3087-1 introduced a regression in OpenSSL. Software Description: - openssl: Secure Socket Layer (SSL) cryptographic library and tools Details: USN-3087-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2016-2182 was incomplete and caused a regression when parsing certificates. This update fixes the problem. We apologize for the inconvenience. (CVE-2016-6304) Guido Vranken discovered that OpenSSL used undefined behaviour when performing pointer arithmetic. This issue has only been addressed in Ubuntu 16.04 LTS in this update. (CVE-2016-2178) Quan Luo discovered that OpenSSL did not properly restrict the lifetime of queue entries in the DTLS implementation. (CVE-2016-2179) Shi Lei discovered that OpenSSL incorrectly handled memory in the TS_OBJ_print_bio() function. (CVE-2016-2180) It was discovered that the OpenSSL incorrectly handled the DTLS anti-replay feature. (CVE-2016-2181) Shi Lei discovered that OpenSSL incorrectly validated division results. (CVE-2016-2182) Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update moves DES from the HIGH cipher list to MEDIUM. (CVE-2016-2183) Shi Lei discovered that OpenSSL incorrectly handled certain ticket lengths. (CVE-2016-6302) Shi Lei discovered that OpenSSL incorrectly handled memory in the MDC2_Update() function. (CVE-2016-6303) Shi Lei discovered that OpenSSL incorrectly performed certain message length checks. (CVE-2016-6306) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: libssl1.0.0 1.0.2g-1ubuntu4.5 Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.21 Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.38 After a standard system update you need to reboot your computer to make all the necessary changes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201707-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: IcedTea: Multiple vulnerabilities Date: July 05, 2017 Bugs: #607676, #609562, #618874, #619458 ID: 201707-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in IcedTea, the worst of which may allow execution of arbitrary code. Background ========== IcedTea's aim is to provide OpenJDK in a form suitable for easy configuration, compilation and distribution with the primary goal of allowing inclusion in GNU/Linux distributions. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-java/icedtea-bin < 3.4.0 >= 3.4.0 < 7.2.6.10 >= 7.2.6.10 Description =========== Multiple vulnerabilities have been discovered in IcedTea. Please review the CVE identifiers referenced below for details. Note: If the web browser plug-in provided by the dev-java/icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. Workaround ========== There is no known workaround at this time. Resolution ========== All IcedTea binary 7.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=dev-java/icedtea-bin-7.2.6.10:7" All IcedTea binary 3.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-java/icedtea-bin-3.4.0:8" References ========== [ 1 ] CVE-2016-2183 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2183 [ 2 ] CVE-2016-5546 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5546 [ 3 ] CVE-2016-5547 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5547 [ 4 ] CVE-2016-5548 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5548 [ 5 ] CVE-2016-5549 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5549 [ 6 ] CVE-2016-5552 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5552 [ 7 ] CVE-2017-3231 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3231 [ 8 ] CVE-2017-3241 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3241 [ 9 ] CVE-2017-3252 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3252 [ 10 ] CVE-2017-3253 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3253 [ 11 ] CVE-2017-3260 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3260 [ 12 ] CVE-2017-3261 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3261 [ 13 ] CVE-2017-3272 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3272 [ 14 ] CVE-2017-3289 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3289 [ 15 ] CVE-2017-3509 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3509 [ 16 ] CVE-2017-3511 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3511 [ 17 ] CVE-2017-3512 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3512 [ 18 ] CVE-2017-3514 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3514 [ 19 ] CVE-2017-3526 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3526 [ 20 ] CVE-2017-3533 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3533 [ 21 ] CVE-2017-3539 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3539 [ 22 ] CVE-2017-3544 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3544 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201707-01 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 --eW2Ih3ajF3BNoJIAD1VrIt2me1kNx637S-- . Bugs fixed (https://bugzilla.redhat.com/): 1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32) 1873004 - [downstream] Should indicate the version info instead of the commit info 1887759 - [release 4.6] Gather MachineConfigPools 1889676 - [release 4.6] Gather top installplans and their count 1889865 - operator-registry image needs clean up in /tmp 1890274 - [4.6] External IP doesn't work if the IP address is not assigned to a node 1890452 - Adding BYOK disk encryption through DES 1891697 - Handle missing labels as empty. 1891892 - The windows oc.exe binary does not have version metadata 1893409 - [release-4.6] MCDPivotError alert/metric missing 1893738 - Examining agones helm chart resources results in "Oh no!" 1894916 - [4.6] Panic output due to timeouts in openshift-apiserver 1896919 - start creating new-style Secrets for AWS 1898672 - Pod gets stuck in ContainerCreating state with exhausted Whereabouts IPAM range with a daemonset 1899107 - [4.6] ironic-api used by metal3 is over provisioned and consumes a lot of RAM 1899535 - ds/machine-config-daemon takes 100+ minutes to rollout on 250 node cluster 1901602 - Extra reboot during 4.5 -> 4.6 upgrade 1901605 - CNO blocks editing Kuryr options 1903649 - Automated cleaning is disabled by default 1903887 - dns daemonset rolls out slowly in large clusters 1904091 - Missing registry v1 protocol usage metric on telemetry 1904577 - [4.6] Local storage operator doesn't include correctly populate LocalVolumeDiscoveryResult in console 1905031 - (release-4.6) Collect spec config for clusteroperator resources 1905195 - [release-4.6] Detecting broken connections to the Kube API takes up to 15 minutes 1905573 - [4.6] Changing the bound token service account issuer invalids previously issued bound tokens 1905788 - Role name missing on create role binding form 1906332 - update discovery burst to reflect lots of CRDs on openshift clusters 1906741 - KeyError: 'nodeName' on NP deletion 1906796 - [SA] verify-image-signature using service account does not work 1907827 - Kn resources are not showing in Topology if triggers has KSVC and IMC as subscriber 1907830 - "Evaluating rule failed" for "record: cluster:kube_persistentvolumeclaim_resource_requests_storage_bytes:provisioner:sum" and "record: cluster:kubelet_volume_stats_used_bytes:provisioner:sum" 1909673 - scale up / down buttons available on pod details side panel 1912388 - [OVN]: `make check` broken on 4.6 1912430 - thanosRuler.resources.requests does not take effect in user-workload-monitoring-config confimap 1913109 - oc debug of an init container no longer works 1913645 - Improved Red Hat image and crashlooping OpenShift pod collection 1915560 - OCP 4.4.9: EtcdMemberIPMigratorDegraded: rpc error: code = Canceled desc = grpc: the client connection is closing 1916096 - [oVirt] csi operator panics if ovirt-engine suddenly becomes unavailable. 1916100 - [oVirt] Consume 23-10 ovirt sdk - csi operator 1916347 - Updating scheduling component builder & base images to be consistent with ART 1916857 - configs.imageregistry.operator.openshift.io cluster does not update its status fields after URL change 1916907 - dns-node-resolver corrupts /etc/hosts if internal registry is not in use 1917240 - [4.6] Network Policies are not working as expected with OVN-Kubernetes when traffic hairpins back to the same source through a service 1917498 - Regression OLM uses scoped client for CRD installation 1917547 - oc adm catalog mirror does not mirror the index image itself 1917548 - [4.6] Cannot filter the platform/arch of the index image 1917549 - Failed to mirror operator catalog - error: destination registry required 1917550 - oc adm catalog mirror command attempts to pull from registry.redhat.io when using --from-dir option 1917609 - [4.6z] Deleting an exgw causes pods to no longer route to other exgws 1918194 - with sharded ingresscontrollers, all shards reload when any endpoint changes 1918202 - Grafana - The resulting dataset is too large to graph (OCS RBD volumes being counted as disks) 1918525 - OLM enters infinite loop if Pending CSV replaces itself 1918779 - [Negative Test] After deleting metal3 pod, scaling worker stuck on provisioning state 1918792 - [BUG] Thanos having possible memory leak consuming huge amounts of node's memory and killing them 1918961 - [IPI on vsphere] Executing 'openshift-installer destroy cluster' leaves installer tag categories in vsphere 1920764 - CVE-2021-20198 openshift/installer: Bootstrap nodes allow anonymous authentication on kubelet port 10250 1920873 - Failure to upgrade operator when a Service is included in a Bundle 1920995 - kuryr-cni pods using unreasonable amount of CPU 1921450 - CVE-2021-3344 openshift/builder: privilege escalation during container image builds via mounted secrets 1921473 - test-cmd is failing on volumes.sh pretty consistently 1921599 - OCP 4.5 to 4.6 upgrade for "aws-ebs-csi-driver-operator" fails when "defaultNodeSelector" is set 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03765en_us SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: hpesbgn03765en_us Version: 2 HPESBGN03765 rev.2 - HPE LoadRunner and HPE Performance Center, Remote Disclosure of Information NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2017-08-30 Last Updated: 2017-08-29 Potential Security Impact: Remote: Disclosure of Information Source: Hewlett Packard Enterprise, Product Security Response Team VULNERABILITY SUMMARY A security vulnerability in the DES/3DES block ciphers used in the TLS protocol could potentially impact HPE LoadRunner and HPE Performance Center resulting in remote disclosure of information. This is also known as the SWEET32 attack. - HPE Performance Center - All versions - HP LoadRunner - All versions BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2016-2183 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499 RESOLUTION HPE has made the following software updates and mitigation information to resolve the vulnerability in HPE LoadRunner and HPE Performance Center. * <https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facets arch/document/KM02853399?lang=en&cc=us&hpappid=202392_SSO_PRO_HPE> HISTORY Version:1 (rev.1) - 9 August 2017 Initial release Version:2 (rev.2) - 30 August 2017 Version update Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX Copyright 2016 Hewlett Packard Enterprise Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners

The kernel in Apple iOS before 9.3.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. ( Memory corruption ) It may be in a state. Apple iOS is prone to a memory-corruption vulnerability. Failed exploit attempts may result in a denial-of-service condition. Versions prior to Apple iOS 9.3.5 are vulnerable. Kernel is one of the kernel components. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2016-08-25-1 iOS 9.3.5 iOS 9.3.5 is now available and addresses the following: Kernel Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later Impact: An application may be able to disclose kernel memory Description: A validation issue was addressed through improved input sanitization. CVE-2016-4655: Citizen Lab and Lookout Kernel Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved memory handling. CVE-2016-4656: Citizen Lab and Lookout WebKit Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved memory handling. CVE-2016-4657: Citizen Lab and Lookout Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "9.3.5". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJXvzhMAAoJEIOj74w0bLRGBAMP/RvcCKskvhLhBTixjPNBWWqE VFuQCMGif3Q9/2vLv9tQxeesXdG30Rn7LkCSStR0ZhSPrNFlSDlhHj/KOLFd5en+ lgctmToXnLQl+FzTnN0Tn872R3VENBl78OiP6K1urDJHMs1OwGgORyyKQgcaGcDZ GCBK7PUaK/yKVXfm1SJsMcyNL3lRGd05OnCPaXJruMZlbTWidK7R649oodPIIX+H cokqXBjM94M/Y6BUbPAeEh4lSk6ukygYHeb+JuTTj0AQ+82qIkWctkZLIVHZDLak aaTxLFpH9T9BAOTKSnpwFZa0Nj912OSkFbIbCMNyCcX/l7z2Pd+EVg/7rEEZBW+I yyo67JsXWQtCP9/P5El3V1lepNfuGOpRM5S+B/X2X+774QV/Xx8blVXTeDdDAk++ bHblfQKx2Xlkrznl+SFLnDfY5d8TlRmLEcQu1N7DiN22I1Qi9eXdzicBrCHyY3s0 sFTj577aBQ2gyH6EWTg4VfZHKKXtzPTNuSpAwobK8HKacezUhCXQ0BScmS47UMHu uk/sdirJX1GAfD0P7bcOsnTdMHG+vkXIFTuV+JsGcpg136kdg7rejVIsj/AKRChz f+e/7YsJIpMQriDr4w07huosClXKqSw64ygPyP0KYHTjO1picPocw1SF7eqyeng0 C6oESP46AbWYUbdihpm7 =PDst -----END PGP SIGNATURE-----

WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. Apple iOS used in etc. WebKit is prone to an unspecified memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. A security vulnerability exists in WebKit in versions prior to Apple iOS 9.3.5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2016-08-25-1 iOS 9.3.5 iOS 9.3.5 is now available and addresses the following: Kernel Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later Impact: An application may be able to disclose kernel memory Description: A validation issue was addressed through improved input sanitization. CVE-2016-4655: Citizen Lab and Lookout Kernel Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved memory handling. CVE-2016-4656: Citizen Lab and Lookout WebKit Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved memory handling. CVE-2016-4657: Citizen Lab and Lookout Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "9.3.5". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJXvzhMAAoJEIOj74w0bLRGBAMP/RvcCKskvhLhBTixjPNBWWqE VFuQCMGif3Q9/2vLv9tQxeesXdG30Rn7LkCSStR0ZhSPrNFlSDlhHj/KOLFd5en+ lgctmToXnLQl+FzTnN0Tn872R3VENBl78OiP6K1urDJHMs1OwGgORyyKQgcaGcDZ GCBK7PUaK/yKVXfm1SJsMcyNL3lRGd05OnCPaXJruMZlbTWidK7R649oodPIIX+H cokqXBjM94M/Y6BUbPAeEh4lSk6ukygYHeb+JuTTj0AQ+82qIkWctkZLIVHZDLak aaTxLFpH9T9BAOTKSnpwFZa0Nj912OSkFbIbCMNyCcX/l7z2Pd+EVg/7rEEZBW+I yyo67JsXWQtCP9/P5El3V1lepNfuGOpRM5S+B/X2X+774QV/Xx8blVXTeDdDAk++ bHblfQKx2Xlkrznl+SFLnDfY5d8TlRmLEcQu1N7DiN22I1Qi9eXdzicBrCHyY3s0 sFTj577aBQ2gyH6EWTg4VfZHKKXtzPTNuSpAwobK8HKacezUhCXQ0BScmS47UMHu uk/sdirJX1GAfD0P7bcOsnTdMHG+vkXIFTuV+JsGcpg136kdg7rejVIsj/AKRChz f+e/7YsJIpMQriDr4w07huosClXKqSw64ygPyP0KYHTjO1picPocw1SF7eqyeng0 C6oESP46AbWYUbdihpm7 =PDst -----END PGP SIGNATURE----- . ========================================================================== Ubuntu Security Notice USN-3166-1 January 10, 2017 webkit2gtk vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS Summary: Several security issues were fixed in WebKitGTK+. Software Description: - webkit2gtk: JavaScript engine library from WebKitGTK+ - GObject introspection Details: A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: libjavascriptcoregtk-4.0-18 2.14.2-0ubuntu0.16.04.1 libwebkit2gtk-4.0-37 2.14.2-0ubuntu0.16.04.1 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any applications that use WebKitGTK+, such as Epiphany, to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-3166-1 CVE-2016-4613, CVE-2016-4657, CVE-2016-4666, CVE-2016-4707, CVE-2016-4728, CVE-2016-4733, CVE-2016-4734, CVE-2016-4735, CVE-2016-4759, CVE-2016-4760, CVE-2016-4761, CVE-2016-4762, CVE-2016-4764, CVE-2016-4765, CVE-2016-4767, CVE-2016-4768, CVE-2016-4769, CVE-2016-7578 Package Information: https://launchpad.net/ubuntu/+source/webkit2gtk/2.14.2-0ubuntu0.16.04.1

The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted app. Apple iOS is prone to a local information-disclosure vulnerability. Local attackers can leverage this issue to gain access to sensitive information. Information obtained may aid in further attacks. Kernel is one of the kernel components. CVE-2016-4655: Citizen Lab and Lookout iOS 10.0.1 also includes the security content of iOS 10. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2016-08-25-1 iOS 9.3.5 iOS 9.3.5 is now available and addresses the following: Kernel Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later Impact: An application may be able to disclose kernel memory Description: A validation issue was addressed through improved input sanitization. CVE-2016-4655: Citizen Lab and Lookout Kernel Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved memory handling. CVE-2016-4656: Citizen Lab and Lookout WebKit Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved memory handling. CVE-2016-4657: Citizen Lab and Lookout Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "9.3.5". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJXvzhMAAoJEIOj74w0bLRGBAMP/RvcCKskvhLhBTixjPNBWWqE VFuQCMGif3Q9/2vLv9tQxeesXdG30Rn7LkCSStR0ZhSPrNFlSDlhHj/KOLFd5en+ lgctmToXnLQl+FzTnN0Tn872R3VENBl78OiP6K1urDJHMs1OwGgORyyKQgcaGcDZ GCBK7PUaK/yKVXfm1SJsMcyNL3lRGd05OnCPaXJruMZlbTWidK7R649oodPIIX+H cokqXBjM94M/Y6BUbPAeEh4lSk6ukygYHeb+JuTTj0AQ+82qIkWctkZLIVHZDLak aaTxLFpH9T9BAOTKSnpwFZa0Nj912OSkFbIbCMNyCcX/l7z2Pd+EVg/7rEEZBW+I yyo67JsXWQtCP9/P5El3V1lepNfuGOpRM5S+B/X2X+774QV/Xx8blVXTeDdDAk++ bHblfQKx2Xlkrznl+SFLnDfY5d8TlRmLEcQu1N7DiN22I1Qi9eXdzicBrCHyY3s0 sFTj577aBQ2gyH6EWTg4VfZHKKXtzPTNuSpAwobK8HKacezUhCXQ0BScmS47UMHu uk/sdirJX1GAfD0P7bcOsnTdMHG+vkXIFTuV+JsGcpg136kdg7rejVIsj/AKRChz f+e/7YsJIpMQriDr4w07huosClXKqSw64ygPyP0KYHTjO1picPocw1SF7eqyeng0 C6oESP46AbWYUbdihpm7 =PDst -----END PGP SIGNATURE-----

XML external entity (XXE) vulnerability in the Hyper Management Module (HMM) in Huawei E9000 rack servers with software before V100R001C00SPC296 allows remote authenticated users to read arbitrary files or cause a denial of service (web service outage) via a crafted XML document. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. HuaweiE9000Chassis is a blade server of China's Huawei company. An XML external entity injection vulnerability exists in the HuaweiE9000ChassisV100R001C00 version. An attacker could exploit the vulnerability to obtain sensitive information and may also cause a denial of service. Failed attacks may cause a denial-of-service condition

Huawei FusionCompute before V100R005C10CP7002 stores cleartext AES keys in a file, which allows remote authenticated users to obtain sensitive information via unspecified vectors. Huawei FusionCompute is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. Huawei FusionCompute is an enterprise-level open server virtualization solution based on Xen open source design developed by China's Huawei (Huawei). The solution provides automation, advanced integration and management capabilities for virtualized data centers

The Tiger uRouter Wireless Router is an enterprise-class intelligent routing product produced and sold by China Tiger Technology. There are multiple vulnerabilities in the URouter wireless router. An unauthenticated attacker bypasses the system's authentication mechanism by providing a random SID cookie value to the router; accessing the router's system log can use the data in the log to hijack the router's administrator session; using a hard-coded SID Values to hijack DMS users, get administrator privileges on the router; inject system-level control commands, and execute these commands with root privileges.

Format string vulnerability in Huawei AR100, AR120, AR150, AR200, AR500, AR550, AR1200, AR2200, AR2500, AR3200, and AR3600 routers with software before V200R007C00SPC900 and NetEngine 16EX routers with software before V200R007C00SPC900 allows remote authenticated users to cause a denial of service via format string specifiers in vectors involving partial commands. Huawei AR120 is an AR series enterprise router product of China Huawei. A remote attacker could exploit the vulnerability to cause a denial of service. The following products and versions are affected: AR100, AR120, AR150, AR200, AR500, AR550, AR1200, AR2200, AR2500, AR3200, AR3600 V200R005, V200R006, V200R007C00, NetEngine 16EX V200R005, V200R00000, V20

The Intelligent Baseboard Management Controller (iBMC) in Huawei RH1288 V3 servers with software before V100R003C00SPC613, RH2288 V3 servers with software before V100R003C00SPC617, RH2288H V3 servers with software before V100R003C00SPC515, RH5885 V3 servers with software before V100R003C10SPC102, and XH620 V3, XH622 V3, and XH628 V3 servers with software before V100R003C00SPC610 might allow remote attackers to decrypt encrypted data and consequently obtain sensitive information by leveraging selection of an insecure SSL encryption algorithm. plural Huawei Product Intelligent Baseboard Management Controller (iBMC) Contains a vulnerability that can decrypt encrypted data and, as a result, retrieve important information.Unsafe by a third party SSL By using the choice of encryption algorithm, the encrypted data can be decrypted and as a result, important information can be obtained. HuaweiRH1288 and other servers are Huawei's servers in China. An insecure encryption algorithm vulnerability exists in several Huawei products. A remote attacker can exploit this vulnerability to obtain sensitive information. Huawei Servers are prone to a security weakness. The following products and versions are affected: The following products and versions are affected: Huawei RH1288 V3 V100R003C00SPC613 previous version, RH2288 V3 V100R003C00SPC617 previous version, RH2288H V3 V100R003C00SPC515 previous version, RH5885 V3 V100R003C10SPC102 previous version, XH620 V3 , XH622 V3 , XH628 Versions earlier than V3 V100R003C00SPC610

The Intelligent Baseboard Management Controller (iBMC) in Huawei RH1288 V3 servers with software before V100R003C00SPC613; RH2288 V3 servers with software before V100R003C00SPC617; RH2288H V3 servers with software before V100R003C00SPC515; RH5885 V3 servers with software before V100R003C10SPC102; and XH620 V3, XH622 V3, and XH628 V3 servers with software before V100R003C00SPC610 allows local users to cause a denial of service (iBMC resource consumption) via unspecified vectors. plural Huawei Product Intelligent Baseboard Management Controller (iBMC) The denial of service (iBMC Resource consumption ) There is a vulnerability that can be exploited.Denial of service by local user (iBMC Resource consumption ) May be in a state. Multiple Huawei Servers are prone to a local denial-of-service vulnerability. A local attacker can exploit this issue to cause a denial-of-service condition. Intelligent Baseboard Management Controller (iBMC) is one of the software used to manage the server control unit. There are resource management vulnerabilities in the iBMC of various Huawei servers. The following products and versions are affected: Huawei RH1288 V3 V100R003C00SPC613 previous version, RH2288 V3 V100R003C00SPC617 previous version, RH2288H V3 V100R003C00SPC515 previous version, RH5885 V3 V100R003C10SPC102 previous version, XH620 V3 , XH622 V3 , XH628 V3 V100R003C00SPC610 previous version

Cisco AnyConnect Secure Mobility Client before 4.2.05015 and 4.3.x before 4.3.02039 mishandles pathnames, which allows local users to gain privileges via a crafted INF file, aka Bug ID CSCuz92464. A local attacker may exploit this issue to execute arbitrary commands with elevated SYSTEM privileges. This issue is being tracked by Cisco Bug ID CSCuz92464. The vulnerability is caused by the program not handling path names correctly

The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short. OpenSSL is prone to denial-of-service vulnerability. An attacker may exploit this issue to cause a denial-of-service condition. OpenSSL Security Advisory [22 Sep 2016] ======================================== OCSP Status Request extension unbounded memory growth (CVE-2016-6304) ===================================================================== Severity: High A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the "no-ocsp" build time option are not affected. Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default configuration, instead only if an application explicitly enables OCSP stapling support. OpenSSL 1.1.0 users should upgrade to 1.1.0a OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 29th August 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL development team. SSL_peek() hang on empty record (CVE-2016-6305) =============================================== Severity: Moderate OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an empty record. This could be exploited by a malicious peer in a Denial Of Service attack. OpenSSL 1.1.0 users should upgrade to 1.1.0a This issue was reported to OpenSSL on 10th September 2016 by Alex Gaynor. The fix was developed by Matt Caswell of the OpenSSL development team. SWEET32 Mitigation (CVE-2016-2183) ================================== Severity: Low SWEET32 (https://sweet32.info) is an attack on older block cipher algorithms that use a block size of 64 bits. In mitigation for the SWEET32 attack DES based ciphersuites have been moved from the HIGH cipherstring group to MEDIUM in OpenSSL 1.0.1 and OpenSSL 1.0.2. OpenSSL 1.1.0 since release has had these ciphersuites disabled by default. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 16th August 2016 by Karthikeyan Bhargavan and Gaetan Leurent (INRIA). The fix was developed by Rich Salz of the OpenSSL development team. OOB write in MDC2_Update() (CVE-2016-6303) ========================================== Severity: Low An overflow can occur in MDC2_Update() either if called directly or through the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. The amount of data needed is comparable to SIZE_MAX which is impractical on most platforms. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 11th August 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL development team. Malformed SHA512 ticket DoS (CVE-2016-6302) =========================================== Severity: Low If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a DoS attack where a malformed ticket will result in an OOB read which will ultimately crash. The use of SHA512 in TLS session tickets is comparatively rare as it requires a custom server callback and ticket lookup mechanism. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 19th August 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL development team. OOB write in BN_bn2dec() (CVE-2016-2182) ======================================== Severity: Low The function BN_bn2dec() does not check the return value of BN_div_word(). This can cause an OOB write if an application uses this function with an overly large BIGNUM. This could be a problem if an overly large certificate or CRL is printed out from an untrusted source. TLS is not affected because record limits will reject an oversized certificate before it is parsed. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 2nd August 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL development team. OOB read in TS_OBJ_print_bio() (CVE-2016-2180) ============================================== Severity: Low The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is the total length the OID text representation would use and not the amount of data written. This will result in OOB reads when large OIDs are presented. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 21st July 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL development team. Pointer arithmetic undefined behaviour (CVE-2016-2177) ====================================================== Severity: Low Avoid some undefined pointer arithmetic A common idiom in the codebase is to check limits in the following manner: "p + len > limit" Where "p" points to some malloc'd data of SIZE bytes and limit == p + SIZE "len" here could be from some externally supplied data (e.g. from a TLS message). The rules of C pointer arithmetic are such that "p + len" is only well defined where len <= SIZE. Therefore the above idiom is actually undefined behaviour. For example this could cause problems if some malloc implementation provides an address for "p" such that "p + len" actually overflows for values of len that are too big and therefore p + len < limit. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 4th May 2016 by Guido Vranken. The fix was developed by Matt Caswell of the OpenSSL development team. Constant time flag not preserved in DSA signing (CVE-2016-2178) =============================================================== Severity: Low Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 23rd May 2016 by César Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA). The fix was developed by César Pereida. DTLS buffered message DoS (CVE-2016-2179) ========================================= Severity: Low In a DTLS connection where handshake messages are delivered out-of-order those messages that OpenSSL is not yet ready to process will be buffered for later use. Under certain circumstances, a flaw in the logic means that those messages do not get removed from the buffer even though the handshake has been completed. An attacker could force up to approx. 15 messages to remain in the buffer when they are no longer required. These messages will be cleared when the DTLS connection is closed. The default maximum size for a message is 100k. Therefore the attacker could force an additional 1500k to be consumed per connection. By opening many simulataneous connections an attacker could cause a DoS attack through memory exhaustion. OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2i OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1u This issue was reported to OpenSSL on 22nd June 2016 by Quan Luo. The fix was developed by Matt Caswell of the OpenSSL development team. DTLS replay protection DoS (CVE-2016-2181) ========================================== Severity: Low A flaw in the DTLS replay attack protection mechanism means that records that arrive for future epochs update the replay protection "window" before the MAC for the record has been validated. This could be exploited by an attacker by sending a record for the next epoch (which does not have to decrypt or have a valid MAC), with a very large sequence number. This means that all subsequent legitimate packets are dropped causing a denial of service for a specific DTLS connection. OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2i OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1u This issue was reported to OpenSSL on 21st November 2015 by the OCAP audit team. The fix was developed by Matt Caswell of the OpenSSL development team. Certificate message OOB reads (CVE-2016-6306) ============================================= Severity: Low In OpenSSL 1.0.2 and earlier some missing message length checks can result in OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical DoS risk but this has not been observed in practice on common platforms. The messages affected are client certificate, client certificate request and server certificate. As a result the attack can only be performed against a client or a server which enables client authentication. OpenSSL 1.1.0 is not affected. OpenSSL 1.0.2 users should upgrade to 1.0.2i OpenSSL 1.0.1 users should upgrade to 1.0.1u This issue was reported to OpenSSL on 22nd August 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL development team. Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307) ========================================================================== Severity: Low A TLS message includes 3 bytes for its length in the header for the message. This would allow for messages up to 16Mb in length. Messages of this length are excessive and OpenSSL includes a check to ensure that a peer is sending reasonably sized messages in order to avoid too much memory being consumed to service a connection. A flaw in the logic of version 1.1.0 means that memory for the message is allocated too early, prior to the excessive message length check. Due to way memory is allocated in OpenSSL this could mean an attacker could force up to 21Mb to be allocated to service a connection. This could lead to a Denial of Service through memory exhaustion. However, the excessive message length check still takes place, and this would cause the connection to immediately fail. Assuming that the application calls SSL_free() on the failed conneciton in a timely manner then the 21Mb of allocated memory will then be immediately freed again. Therefore the excessive memory allocation will be transitory in nature. This then means that there is only a security impact if: 1) The application does not call SSL_free() in a timely manner in the event that the connection fails or 2) The application is working in a constrained environment where there is very little free memory or 3) The attacker initiates multiple connection attempts such that there are multiple connections in a state where memory has been allocated for the connection; SSL_free() has not yet been called; and there is insufficient memory to service the multiple requests. Except in the instance of (1) above any Denial Of Service is likely to be transitory because as soon as the connection fails the memory is subsequently freed again in the SSL_free() call. However there is an increased risk during this period of application crashes due to the lack of memory - which would then mean a more serious Denial of Service. This issue does not affect DTLS users. OpenSSL 1.1.0 TLS users should upgrade to 1.1.0a This issue was reported to OpenSSL on 18th September 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL development team. Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308) ============================================================================= Severity: Low This issue is very similar to CVE-2016-6307. The underlying defect is different but the security analysis and impacts are the same except that it impacts DTLS. A DTLS message includes 3 bytes for its length in the header for the message. This would allow for messages up to 16Mb in length. Messages of this length are excessive and OpenSSL includes a check to ensure that a peer is sending reasonably sized messages in order to avoid too much memory being consumed to service a connection. A flaw in the logic of version 1.1.0 means that memory for the message is allocated too early, prior to the excessive message length check. Due to way memory is allocated in OpenSSL this could mean an attacker could force up to 21Mb to be allocated to service a connection. This could lead to a Denial of Service through memory exhaustion. However, the excessive message length check still takes place, and this would cause the connection to immediately fail. Assuming that the application calls SSL_free() on the failed conneciton in a timely manner then the 21Mb of allocated memory will then be immediately freed again. Therefore the excessive memory allocation will be transitory in nature. This then means that there is only a security impact if: 1) The application does not call SSL_free() in a timely manner in the event that the connection fails or 2) The application is working in a constrained environment where there is very little free memory or 3) The attacker initiates multiple connection attempts such that there are multiple connections in a state where memory has been allocated for the connection; SSL_free() has not yet been called; and there is insufficient memory to service the multiple requests. Except in the instance of (1) above any Denial Of Service is likely to be transitory because as soon as the connection fails the memory is subsequently freed again in the SSL_free() call. However there is an increased risk during this period of application crashes due to the lack of memory - which would then mean a more serious Denial of Service. This issue does not affect TLS users. OpenSSL 1.1.0 DTLS users should upgrade to 1.1.0a This issue was reported to OpenSSL on 18th September 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL development team. Note ==== As per our previous announcements and our Release Strategy (https://www.openssl.org/policies/releasestrat.html), support for OpenSSL version 1.0.1 will cease on 31st December 2016. No security updates for that version will be provided after that date. Users of 1.0.1 are advised to upgrade. Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer receiving security updates. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv/20160922.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: openssl security update Advisory ID: RHSA-2016:1940-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1940.html Issue date: 2016-09-27 CVE Names: CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2180 CVE-2016-2181 CVE-2016-2182 CVE-2016-6302 CVE-2016-6304 CVE-2016-6306 ===================================================================== 1. Summary: An update for openssl is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-2178) * It was discovered that the Datagram TLS (DTLS) implementation could fail to release memory in certain cases. A malicious DTLS client could cause a DTLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory. A remote attacker could possibly use this flaw to make a DTLS server using OpenSSL to reject further packets sent from a DTLS client over an established DTLS connection. (CVE-2016-2181) * An out of bounds write flaw was discovered in the OpenSSL BN_bn2dec() function. (CVE-2016-2182) * A flaw was found in the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by lowering priority of DES cipher suites so they are not preferred over cipher suites using AES. For compatibility reasons, DES cipher suites remain enabled by default and included in the set of cipher suites identified by the HIGH cipher string. Future updates may move them to MEDIUM or not enable them by default. * An integer underflow flaw leading to a buffer over-read was found in the way OpenSSL parsed TLS session tickets. (CVE-2016-6302) * Multiple integer overflow flaws were found in the way OpenSSL performed pointer arithmetic. A remote attacker could possibly use these flaws to cause a TLS/SSL server or client using OpenSSL to crash. (CVE-2016-2177) * An out of bounds read flaw was found in the way OpenSSL formatted Public Key Infrastructure Time-Stamp Protocol data for printing. An attacker could possibly cause an application using OpenSSL to crash if it printed time stamp data from the attacker. A remote attacker could possibly use these flaws to crash a TLS/SSL server or client using OpenSSL. (CVE-2016-6306) Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and CVE-2016-6306 and OpenVPN for reporting CVE-2016-2183. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. 5. Bugs fixed (https://bugzilla.redhat.com/): 1341705 - CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase 1343400 - CVE-2016-2178 openssl: Non-constant time codepath followed for certain operations in DSA implementation 1359615 - CVE-2016-2180 OpenSSL: OOB read in TS_OBJ_print_bio() 1367340 - CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() 1369113 - CVE-2016-2181 openssl: DTLS replay protection bypass allows DoS against DTLS connection 1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32) 1369504 - CVE-2016-2179 openssl: DTLS memory exhaustion DoS when messages are not removed from fragment buffer 1369855 - CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks 1377594 - CVE-2016-6306 openssl: certificate message OOB reads 1377600 - CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: openssl-1.0.1e-48.el6_8.3.src.rpm i386: openssl-1.0.1e-48.el6_8.3.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm x86_64: openssl-1.0.1e-48.el6_8.3.i686.rpm openssl-1.0.1e-48.el6_8.3.x86_64.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm openssl-devel-1.0.1e-48.el6_8.3.i686.rpm openssl-perl-1.0.1e-48.el6_8.3.i686.rpm openssl-static-1.0.1e-48.el6_8.3.i686.rpm x86_64: openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm openssl-devel-1.0.1e-48.el6_8.3.i686.rpm openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: openssl-1.0.1e-48.el6_8.3.src.rpm x86_64: openssl-1.0.1e-48.el6_8.3.i686.rpm openssl-1.0.1e-48.el6_8.3.x86_64.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): x86_64: openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm openssl-devel-1.0.1e-48.el6_8.3.i686.rpm openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: openssl-1.0.1e-48.el6_8.3.src.rpm i386: openssl-1.0.1e-48.el6_8.3.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm openssl-devel-1.0.1e-48.el6_8.3.i686.rpm ppc64: openssl-1.0.1e-48.el6_8.3.ppc.rpm openssl-1.0.1e-48.el6_8.3.ppc64.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.ppc.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.ppc64.rpm openssl-devel-1.0.1e-48.el6_8.3.ppc.rpm openssl-devel-1.0.1e-48.el6_8.3.ppc64.rpm s390x: openssl-1.0.1e-48.el6_8.3.s390.rpm openssl-1.0.1e-48.el6_8.3.s390x.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.s390.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.s390x.rpm openssl-devel-1.0.1e-48.el6_8.3.s390.rpm openssl-devel-1.0.1e-48.el6_8.3.s390x.rpm x86_64: openssl-1.0.1e-48.el6_8.3.i686.rpm openssl-1.0.1e-48.el6_8.3.x86_64.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm openssl-devel-1.0.1e-48.el6_8.3.i686.rpm openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): i386: openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm openssl-perl-1.0.1e-48.el6_8.3.i686.rpm openssl-static-1.0.1e-48.el6_8.3.i686.rpm ppc64: openssl-debuginfo-1.0.1e-48.el6_8.3.ppc64.rpm openssl-perl-1.0.1e-48.el6_8.3.ppc64.rpm openssl-static-1.0.1e-48.el6_8.3.ppc64.rpm s390x: openssl-debuginfo-1.0.1e-48.el6_8.3.s390x.rpm openssl-perl-1.0.1e-48.el6_8.3.s390x.rpm openssl-static-1.0.1e-48.el6_8.3.s390x.rpm x86_64: openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: openssl-1.0.1e-48.el6_8.3.src.rpm i386: openssl-1.0.1e-48.el6_8.3.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm openssl-devel-1.0.1e-48.el6_8.3.i686.rpm x86_64: openssl-1.0.1e-48.el6_8.3.i686.rpm openssl-1.0.1e-48.el6_8.3.x86_64.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm openssl-devel-1.0.1e-48.el6_8.3.i686.rpm openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): i386: openssl-debuginfo-1.0.1e-48.el6_8.3.i686.rpm openssl-perl-1.0.1e-48.el6_8.3.i686.rpm openssl-static-1.0.1e-48.el6_8.3.i686.rpm x86_64: openssl-debuginfo-1.0.1e-48.el6_8.3.x86_64.rpm openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm Red Hat Enterprise Linux Client (v. 7): Source: openssl-1.0.1e-51.el7_2.7.src.rpm x86_64: openssl-1.0.1e-51.el7_2.7.x86_64.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm openssl-libs-1.0.1e-51.el7_2.7.i686.rpm openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm openssl-devel-1.0.1e-51.el7_2.7.i686.rpm openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm openssl-static-1.0.1e-51.el7_2.7.i686.rpm openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: openssl-1.0.1e-51.el7_2.7.src.rpm x86_64: openssl-1.0.1e-51.el7_2.7.x86_64.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm openssl-libs-1.0.1e-51.el7_2.7.i686.rpm openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm openssl-devel-1.0.1e-51.el7_2.7.i686.rpm openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm openssl-static-1.0.1e-51.el7_2.7.i686.rpm openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: openssl-1.0.1e-51.el7_2.7.src.rpm ppc64: openssl-1.0.1e-51.el7_2.7.ppc64.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.ppc.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64.rpm openssl-devel-1.0.1e-51.el7_2.7.ppc.rpm openssl-devel-1.0.1e-51.el7_2.7.ppc64.rpm openssl-libs-1.0.1e-51.el7_2.7.ppc.rpm openssl-libs-1.0.1e-51.el7_2.7.ppc64.rpm ppc64le: openssl-1.0.1e-51.el7_2.7.ppc64le.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64le.rpm openssl-devel-1.0.1e-51.el7_2.7.ppc64le.rpm openssl-libs-1.0.1e-51.el7_2.7.ppc64le.rpm s390x: openssl-1.0.1e-51.el7_2.7.s390x.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.s390.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.s390x.rpm openssl-devel-1.0.1e-51.el7_2.7.s390.rpm openssl-devel-1.0.1e-51.el7_2.7.s390x.rpm openssl-libs-1.0.1e-51.el7_2.7.s390.rpm openssl-libs-1.0.1e-51.el7_2.7.s390x.rpm x86_64: openssl-1.0.1e-51.el7_2.7.x86_64.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm openssl-devel-1.0.1e-51.el7_2.7.i686.rpm openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm openssl-libs-1.0.1e-51.el7_2.7.i686.rpm openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: openssl-debuginfo-1.0.1e-51.el7_2.7.ppc.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64.rpm openssl-perl-1.0.1e-51.el7_2.7.ppc64.rpm openssl-static-1.0.1e-51.el7_2.7.ppc.rpm openssl-static-1.0.1e-51.el7_2.7.ppc64.rpm ppc64le: openssl-debuginfo-1.0.1e-51.el7_2.7.ppc64le.rpm openssl-perl-1.0.1e-51.el7_2.7.ppc64le.rpm openssl-static-1.0.1e-51.el7_2.7.ppc64le.rpm s390x: openssl-debuginfo-1.0.1e-51.el7_2.7.s390.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.s390x.rpm openssl-perl-1.0.1e-51.el7_2.7.s390x.rpm openssl-static-1.0.1e-51.el7_2.7.s390.rpm openssl-static-1.0.1e-51.el7_2.7.s390x.rpm x86_64: openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm openssl-static-1.0.1e-51.el7_2.7.i686.rpm openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: openssl-1.0.1e-51.el7_2.7.src.rpm x86_64: openssl-1.0.1e-51.el7_2.7.x86_64.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm openssl-devel-1.0.1e-51.el7_2.7.i686.rpm openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm openssl-libs-1.0.1e-51.el7_2.7.i686.rpm openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: openssl-debuginfo-1.0.1e-51.el7_2.7.i686.rpm openssl-debuginfo-1.0.1e-51.el7_2.7.x86_64.rpm openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm openssl-static-1.0.1e-51.el7_2.7.i686.rpm openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-2177 https://access.redhat.com/security/cve/CVE-2016-2178 https://access.redhat.com/security/cve/CVE-2016-2179 https://access.redhat.com/security/cve/CVE-2016-2180 https://access.redhat.com/security/cve/CVE-2016-2181 https://access.redhat.com/security/cve/CVE-2016-2182 https://access.redhat.com/security/cve/CVE-2016-6302 https://access.redhat.com/security/cve/CVE-2016-6304 https://access.redhat.com/security/cve/CVE-2016-6306 https://access.redhat.com/security/updates/classification/#important https://www.openssl.org/news/secadv/20160922.txt 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFX6nnFXlSAg2UNWIIRAqklAJ9uGMit/wxZ0CfuGjR7Vi2+AjmGMwCfTpEI xpTW7ApBLmKhVjs49DGYouI= =4VgY -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). After installing the updated packages, the httpd daemon will be restarted automatically. Additional information can be found at https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/ CVE-2016-2178 Cesar Pereida, Billy Brumley and Yuval Yarom discovered a timing leak in the DSA code. CVE-2016-2179 / CVE-2016-2181 Quan Luo and the OCAP audit team discovered denial of service vulnerabilities in DTLS. For the stable distribution (jessie), these problems have been fixed in version 1.0.1t-1+deb8u4. For the unstable distribution (sid), these problems will be fixed soon. ========================================================================== Ubuntu Security Notice USN-3087-2 September 23, 2016 openssl regression ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: USN-3087-1 introduced a regression in OpenSSL. The fix for CVE-2016-2182 was incomplete and caused a regression when parsing certificates. This update fixes the problem. We apologize for the inconvenience. This issue has only been addressed in Ubuntu 16.04 LTS in this update. (CVE-2016-2178) Quan Luo discovered that OpenSSL did not properly restrict the lifetime of queue entries in the DTLS implementation. (CVE-2016-2181) Shi Lei discovered that OpenSSL incorrectly validated division results. (CVE-2016-2182) Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. (CVE-2016-2183) Shi Lei discovered that OpenSSL incorrectly handled certain ticket lengths. (CVE-2016-6303) Shi Lei discovered that OpenSSL incorrectly performed certain message length checks. (CVE-2016-6306) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: libssl1.0.0 1.0.2g-1ubuntu4.5 Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.21 Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.38 After a standard system update you need to reboot your computer to make all the necessary changes. Description: This release adds the new Apache HTTP Server 2.4.29 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes, enhancements and component upgrades included in this release. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. JIRA issues fixed (https://issues.jboss.org/): JBCS-373 - Errata for httpd 2.4.29 GA RHEL 7 7

Huawei Unified Maintenance Audit (UMA) before V200R001C00SPC200 allows remote attackers to execute arbitrary commands via "special characters," a different vulnerability than CVE-2016-7109. Huawei UMA is prone to multiple command-injection vulnerabilities. Attackers can exploit these issues to obtain sensitive information or execute arbitrary code in the context of the application. Failed attacks may cause a denial-of-service condition. Versions prior to UMA V200R001C00SPC200 are vulnerable. Through the centralized management and control of accounts, authentication, authorization and audit of various IT resources, the platform can meet the needs of users for IT operation and maintenance management and IT internal control and external audit. A remote attacker can use specially crafted characters to exploit this vulnerability to obtain sensitive information of the device, or modify device data, causing the device to fail

Huawei Unified Maintenance Audit (UMA) before V200R001C00SPC200 SPH206 allows remote authenticated users to obtain the MD5 hashes of arbitrary user passwords via unspecified vectors. Huawei UMA is prone to a security-bypass vulnerability and an information-disclosure vulnerability. Attackers can exploit these issues to bypass security restrictions and gain access to potentially sensitive information. This may aid in other attacks. Huawei Unified Maintenance Audit (UMA) is a set of IT core resource operation and maintenance management and security audit platform of China Huawei (Huawei). Through the centralized management and control of accounts, authentication, authorization and audit of various IT resources, the platform can meet the needs of users for IT operation and maintenance management and IT internal control and external audit. Information disclosure vulnerabilities exist in Huawei UMA V200R001C00SPC200 and earlier versions

Huawei Unified Maintenance Audit (UMA) before V200R001C00SPC200 allows remote attackers to execute arbitrary commands via "special characters," a different vulnerability than CVE-2016-7110. Huawei UMA is prone to multiple command-injection vulnerabilities. Attackers can exploit these issues to obtain sensitive information or execute arbitrary code in the context of the application. Failed attacks may cause a denial-of-service condition. Versions prior to UMA V200R001C00SPC200 are vulnerable. Through the centralized management and control of accounts, authentication, authorization and audit of various IT resources, the platform can meet the needs of users for IT operation and maintenance management and IT internal control and external audit

Huawei Unified Maintenance Audit (UMA) before V200R001C00SPC200 SPH206 allows remote attackers to reset arbitrary user passwords and consequently affect system data integrity via unspecified vectors. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. Huawei UMA is prone to a security-bypass vulnerability and an information-disclosure vulnerability. Attackers can exploit these issues to bypass security restrictions and gain access to potentially sensitive information. This may aid in other attacks. Through the centralized management and control of accounts, authentication, authorization and audit of various IT resources, the platform can meet the needs of users for IT operation and maintenance management and IT internal control and external audit. A password reset vulnerability exists in Huawei UMA V200R001C00SPC200 and earlier versions

Moxa OnCell G3100V2 devices before 2.8 and G3111, G3151, G3211, and G3251 devices before 1.7 do not properly restrict authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack. Supplementary information : CWE Vulnerability type by CWE-285: Improper Authorization ( Inappropriate authentication ) Has been identified. http://cwe.mitre.org/data/definitions/285.htmlRound robin by a third party (brute-force) Access may be gained through an attack. MoxaOnCellG3100V2 and so on are Moxa's IP gateway products. A remote attacker can exploit the vulnerability to gain access by exploiting a brute force attack. Moxa OnCell is prone to a remote unspecified authentication bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. The following products are vulnerable: OnCell G3100V2 Series versions prior to 2.8 are vulnerable. OnCell G3111/G3151/G3211/G3251 Series versions prior to 1.7 are vulnerable. A security vulnerability exists in several Moxa products