10 - RHSA-2015:0789

Problem Description:

Updated openstack-packstack and openstack-puppet-modules packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 6.0.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux OpenStack Platform 6.0 for RHEL 7 - noarch

3. Description:

PackStack is a command-line utility for deploying OpenStack on existing servers over an SSH connection. Deployment options are provided either interactively, using the command line, or non-interactively by means of a text file containing a set of preconfigured values for OpenStack parameters. PackStack is suitable for proof-of-concept installations. PackStack is suitable for deploying proof-of-concept installations.

It was discovered that the puppet manifests, as provided with the openstack-puppet-modules package, would configure the pcsd daemon with a known default password. If this password was not changed and an attacker was able to gain access to pcsd, they could potentially run shell commands as root. (CVE-2015-1842)

This issue was discovered by Alessandro Vozza of Red Hat.

This update also fixes the following bugs:

* If OpenStack Networking is enabled, Packstack would display a warning if the Network Manager service is active on hosts. (BZ#1117277)

* A quiet dependency on a newer version of selinux-policy causes openstack-selinux 0.6.23 to fail to install modules when paired with selinux-policy packages from Red Hat Enterprise Linux 7.0 or 7.0.z. This causes Identity and other OpenStack services to receive 'AVC' denials and malfunction under some circumstances. The following workarounds allow the OpenStack services to function correctly:

1) Leave openstack-selinux at 0.6.18-2.el7ost until you are ready to update to Red Hat Enterprise Linux 7.1. At that time, a 'yum update' will resolve the issue.

2) Install the updated selinux-policy and selinux-policy-targeted packages from Red Hat Enterprise Linux 7.1 (version selinux-policy-3.13.1-23.el7 or later), then update openstack-selinux to version 0.6.23-1.el7ost. (BZ#1195252)

* A typo in the code caused a Sahara option that uses OpenStack Networking to be always false. Sahara now uses OpenStack Networking if the parameter 'CONFIG_NEUTRON_INSTALL is set to 'y'. (BZ#1199047)

* Prior to this update, users had to install the OpenStack Unified Client separately after an installation of Packstack. Packstack now installs it by default. (BZ#1199114)

* This enhancement updates Packstack to retain temporary directories when running an installation in debug mode. This assists with troubleshooting activities. As a result, temporary directories are not deleted when running Packstack with the --debug command line option. (BZ#1199565)

* Prior to this update, some validators did not use 'validate_not_empty' to ensure that certain parameters contained values. As a result, a number of internal validations could not be properly handled, leading to the possibility of unexpected errors. This update fixes validators to use validate_not_empty when required, resulting in correct validation behavior from validators. (BZ#11995889)

In addition to the above issues, this update also addresses bugs and enhancements which can be found in the Red Hat Enterprise Linux OpenStack Platform Technical Notes, linked to in the References section.

All openstack-packstack and openstack-puppet-modules users are advised to upgrade to these updated packages, which correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1117277 - Test Packstack/RHEL OSP on RHEL 7 nodes where Network Manager is NOT disabled 1123117 - Deploy Keystone in Apache httpd 1171744 - Configure TCP keepalive setting via puppet-rabbitmq 1172305 - [RFE] Support Keystone read-only LDAP configuration with domain-specific identity backends 1173930 - Horizon help url in RHEL-OSP6 points to the RHEL-OSP5 documentation 1187343 - Packstack does not install Ironic with CONFIG_IRONIC_INSTALL flag set to "y" 1187706 - problems with puppet-keystone LDAP support 1193889 - puppet restart neutron server every 30 minutes on evironments deployed by staypuft 1195252 - [keystone] - selinux denial 1195258 - Packstack doesn't set firewall so vxlan traffic can be received in multinode setup 1199047 - The value of use_neutron is set to false (instead of true) when neutron is used. 1199072 - packstack does not set ironic password 1199076 - glance_image provider doesn't respect custom region name 1199085 - RHOS backport RDO fix for packstack error: Error: sysctl -p /etc/sysctl.conf returned 255 instead of one of 1199114 - add openstack unified client 1199423 - Use flake8 and hacking instead of pep8 for Python syntax checks 1199427 - Cherrypick documentation fixes from RDO 1199519 - Packstack install AMQP with SSL, fails to start rabbitmq service 1199547 - Install rhos-log-collector only on RHEL systems 1199549 - Backport packstack RDO fixes for rebased modules 1199562 - RFE: Allow command-line options with --gen-answer-file 1199565 - Do not delete temporary directories after a failed installation in debug mode 1199589 - Cherry pick internal Packstack enhancements from RDO 1199677 - Update OSP OPM to the latest RDO package 1201875 - CVE-2015-1842 openstack-puppet-modules: pacemaker configured with default password 1202107 - packstack --help throws a traceback at the end of the output 1204482 - nova-novncproxy fails with ValidationError: Origin header protocol does not match this host