Important: Release of containers for OSP 16.2.z director operator tech preview

Topic

Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview.

Description

Release osp-director-operator images

Security Fix(es):

• go-getter: unsafe download (issue 1 of 3) [Important] (CVE-2022-30321)
• go-getter: unsafe download (issue 2 of 3) [Important] (CVE-2022-30322)
• go-getter: unsafe download (issue 3 of 3) [Important] (CVE-2022-30323)
• go-getter: command injection vulnerability [Important] (CVE-2022-26945)
• golang.org/x/crypto: empty plaintext packet causes panic [Moderate] (CVE-2021-43565)
• containerd: insufficiently restricted permissions on container root and plugin directories [Moderate] (CVE-2021-41103)

Solution

OSP 16.2 Release - OSP Director Operator Containers tech preview

Affected Products

• Red Hat OpenStack 16.2 x86_64

Fixes

• BZ - 2011007 - CVE-2021-41103 containerd: insufficiently restricted permissions on container root and plugin directories
• BZ - 2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
• BZ - 2092918 - CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)
• BZ - 2092923 - CVE-2022-30322 go-getter: unsafe download (issue 2 of 3)
• BZ - 2092925 - CVE-2022-30323 go-getter: unsafe download (issue 3 of 3)
• BZ - 2092928 - CVE-2022-26945 go-getter: command injection vulnerability

CVEs

• CVE-2021-3634
• CVE-2021-3737
• CVE-2021-4189
• CVE-2021-40528
• CVE-2021-41103
• CVE-2021-43565
• CVE-2022-1271
• CVE-2022-1621
• CVE-2022-1629
• CVE-2022-22576
• CVE-2022-25313
• CVE-2022-25314
• CVE-2022-26945
• CVE-2022-27774
• CVE-2022-27776
• CVE-2022-27782
• CVE-2022-29824
• CVE-2022-30321
• CVE-2022-30322
• CVE-2022-30323

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/errata/RHSA-2022:4991
• https://access.redhat.com/containers