5 - RHSA-2015:1862

Problem Description:

Updated packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 7.0 director for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Openstack 7.0 director for RHEL 7 - noarch

3. Description:

Red Hat Enterprise Linux OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service (IaaS) cloud based on Red Hat Enterprise Linux OpenStack Platform.

A flaw was discovered in the pipeline ordering of OpenStack Object Storage's staticweb middleware in the swiftproxy configuration generated from the openstack-tripleo-heat-templates package (OpenStack director). The staticweb middleware was incorrectly configured before the Identity Service, and under some conditions an attacker could use this flaw to gain unauthenticated access to private data. (CVE-2015-5271)

This issue was discovered by Christian Schwede and Emilien Macchi of Red Hat.

This update also fixes numerous bugs and adds various enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux OpenStack Platform 7 Release Notes, linked to in the References section, for information on the most significant of these changes.

All Red Hat Enterprise Linux OpenStack Platform 7.0 director users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1223022 - Ceilometer API port not allowed in firewall rules on undercloud 1226376 - Neutron API port not allowed in firewall rules on undercloud 1228862 - Can `openstack undercloud install` have a --force-clean option so an error doesn't require restarting? 1231777 - Its possible to scale up beyond the number of free nodes 1233949 - overcloud horizon apache config doesn't appear to use a network vip 1235320 - Unhelpful failure when incorrect parameters are given 1235325 - "openstack baremetal configure boot" should skip nodes that have maintenance=true 1236136 - All overcloud keystone endpoints get configured with the public IP when using network isolation 1236663 - No output for upload images command 1236707 - undercloud.conf.sample incorrectly states that heat db encryption key can be 8,16, or 32 chars 1237020 - undercloud GUI- Image field is mandatory when setting VM for deploy overcloud 1240260 - introspection timed out for 2 VM nodes 1241199 - openstack baremetal configure boot is not safe to run a second time 1241668 - 'openstack help overcloud deploy' : doesn't cover comments/explanation for all deployment --arguments 1243015 - Overcloud stack name hard-coded 1243032 - Hard-coded reference to instackenv.json 1243062 - On deployment failure, no reason is returned 1243121 - Neutron port quota fails larger overcloud deployments 1243472 - don't save UpdateIdentifier in tuskar when running package update 1243601 - Overcloud deploys default to qemu instead of kvm 1243829 - overcloud image upload creates duplicate images 1244001 - bulk introspection with active nodes fails 1244026 - [RFE] Overcloud nodes deployed by OSP-Director are using DHCP; can they be statically assigned instead? 1244032 - [RFE] Can OSP-Director deploy an HA overcloud which uses a hardware load balancer? 1244856 - openstack overcloud update stack overcloud requires an undocumented argument 1244864 - VXLAN should be default neutron network type 1245212 - rhel-osp-director: Running "ahc-match" on a setup with enabled SSL yields error: ironicclient.openstack.common.apiclient.exceptions.ConnectionRefused: Error communicating with https://[IP]:13385/ [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL 1245714 - set mem overcommit to 1:1 1246596 - Add support for network validation tests 1247015 - openstack undercloud install doesn't create rabbit user if you set custom passwords in undercloud.conf 1247722 - messages report Introspection for one of the nodes 'has timed out' while the command returns ' Discovery completed.' 1248172 - inspection: clean failed with pxe_ilo 1249640 - Installers need to configure tempest with deployment-specific values and export a partial tempest.conf 1250249 - After deploying, system load charts shown on the overview page are incorrect 1250250 - When deploying from UI we miss to add params based on scale logic 1251566 - Undercloud mariadb max_connection default is too low 1252054 - Default deployment through GUI doesn't create cinder v2 service and endpoint 1252219 - ovs bond on controller is not seeing dhcp packet 1252437 - [Discovery] Gathers wrong information about disks available 1252509 - rhel-osp-director: Fail to "openstack overcloud update stack": "ERROR: openstack unexpected end of regular expression" 1252553 - rhel-osp-director: UI: Limited selection for public interface under service configuration. 1253465 - [RFE] Allow for customization of the Ceph pools name and client username 1253628 - external ceph patches break tuskar based deploys 1253777 - HA overcloud deployment argument for NTP server should not be optional 1254897 - Not configuring neutron mechanism drivers in any puppet based deploys 1255910 - overcloud node delete of one compute node removed all of them 1255931 - rhel-osp-director: rhel-osp-director: unable to delete a heat stack deployed with "--rhel-reg --reg-method portal --reg-org --reg-activation-key ''", following a failed attempt to update it with "openstack overcloud update stack --templates 1256477 - ironic ipmitool intermittently timing out causing API requests to process slowly 1257414 - [HA] critical resource constraints missing from pacemaker config make things go kaboom 1257642 - yum hanged infinitely on nova-compute cleanup when do an update 1259393 - [RFE] Add support to register and deploy nodes with fake_pxe 1259905 - Integrate yum updates of overcloud with Puppet 1260736 - missing module python-ironic-inspector-client 1260991 - Running the same deploy command twice results with :"Deployment failed: Not enough nodes - available: 2, requested: 5" 1261045 - Big Switch ML2 networking plugin configuration 1261048 - controllerExtraConfig support 1261067 - Keystone notifications support 1261697 - CVE-2015-5271 openstack-tripleo-heat-templates: unsafe pipeline ordering of swift staticweb middleware 1261921 - updating overcloud stack packages doesn't stop cluster and will cause it to be down 1262059 - Include the bigswitch networking packages in the image by default 1262454 - os-cloud-config: with fake_pxe pm_type in instackenv.json and thus no pm_addr entry, "openstack baremetal import --json instackenv.json" exits with: ERROR: openstack 'pm_addr' 1262995 - osp-d deployment fails on network validation scripts when network-isolation is not enabled. 1265010 - Heat environment is overwritten on overcloud updates 1265777 - No DNS servers set on the overcloud nodes 1266082 - RHEL unregistration doesn't work when scaling down 1266253 - [Director] increase mariadb max_connection default value 1266327 - yum_update.sh fails due to incomplete --excludes list 1266911 - CLI should not force --neutron-tunnel-types if --neutron-disable-tunneling is specified 1267883 - Unable to control the file_descriptors limit for rabbitmq-server via the director.