A new OSP 16.2.z director operator tech preview has been released to address several security issues.

RHSA-2022:5673-01: Important: Release of containers for OSP 16.2.z director operator tech preview

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Release of containers for OSP 16.2.z director operator tech preview
Advisory ID: RHSA-2022:5673-01
Product: Red Hat OpenStack Platform
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:5673
Issue date: 2022-07-20
CVE Names: CVE-2021-3634 CVE-2021-3737 CVE-2021-4189
CVE-2021-40528 CVE-2021-41103 CVE-2021-43565
CVE-2022-1271 CVE-2022-1621 CVE-2022-1629
CVE-2022-22576 CVE-2022-25313 CVE-2022-25314
CVE-2022-26945 CVE-2022-27774 CVE-2022-27776
CVE-2022-27782 CVE-2022-29824 CVE-2022-30321
CVE-2022-30322 CVE-2022-30323
=====================================================================

1. Summary:

Red Hat OpenStack Platform 16.2 (Train) director operator containers, with
several Important security fixes, are available for technology preview.

2. Description:

Release osp-director-operator images

Security Fix(es):

* go-getter: unsafe download (issue 1 of 3) [Important] (CVE-2022-30321)
* go-getter: unsafe download (issue 2 of 3) [Important] (CVE-2022-30322)
* go-getter: unsafe download (issue 3 of 3) [Important] (CVE-2022-30323)
* go-getter: command injection vulnerability [Important] (CVE-2022-26945)
* golang.org/x/crypto: empty plaintext packet causes panic [Moderate]
(CVE-2021-43565)
* containerd: insufficiently restricted permissions on container root and
plugin directories [Moderate] (CVE-2021-41103)

3. Solution:

OSP 16.2 Release - OSP Director Operator Containers tech preview

4. Bugs fixed (  https://bugzilla.redhat.com/):

2011007 - CVE-2021-41103 containerd: insufficiently restricted permissions on container root and plugin directories
2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
2092918 - CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)
2092923 - CVE-2022-30322 go-getter: unsafe download (issue 2 of 3)
2092925 - CVE-2022-30323 go-getter: unsafe download (issue 3 of 3)
2092928 - CVE-2022-26945 go-getter: command injection vulnerability

5. References:

  https://access.redhat.com/security/cve/CVE-2021-3634
  https://access.redhat.com/security/cve/CVE-2021-3737
  https://access.redhat.com/security/cve/CVE-2021-4189
  https://access.redhat.com/security/cve/CVE-2021-40528
  https://access.redhat.com/security/cve/CVE-2021-41103
  https://access.redhat.com/security/cve/CVE-2021-43565
  https://access.redhat.com/security/cve/CVE-2022-1271
  https://access.redhat.com/security/cve/CVE-2022-1621
  https://access.redhat.com/security/cve/CVE-2022-1629
  https://access.redhat.com/security/cve/CVE-2022-22576
  https://access.redhat.com/security/cve/CVE-2022-25313
  https://access.redhat.com/security/cve/CVE-2022-25314
  https://access.redhat.com/security/cve/CVE-2022-26945
  https://access.redhat.com/security/cve/CVE-2022-27774
  https://access.redhat.com/security/cve/CVE-2022-27776
  https://access.redhat.com/security/cve/CVE-2022-27782
  https://access.redhat.com/security/cve/CVE-2022-29824
  https://access.redhat.com/security/cve/CVE-2022-30321
  https://access.redhat.com/security/cve/CVE-2022-30322
  https://access.redhat.com/security/cve/CVE-2022-30323
  https://access.redhat.com/security/updates/classification/#important
  https://access.redhat.com/errata/RHSA-2022:4991
  https://access.redhat.com/containers

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.