ID

VAR-202107-1506


CVE

CVE-2021-36980


TITLE

Open vSwitch vulnerabilities in the use of freed memory

Trust: 0.8

sources: JVNDB: JVNDB-2021-009864

DESCRIPTION

Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action. Open vSwitch (alias openvswitch) is vulnerable to the use of freed memory. It may be put into a denial of service (DoS) state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability; please follow CNNVD or manufacturer announcements.

Description:

Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.

Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

5.

==========================================================================
Ubuntu Security Notice USN-5065-1
September 08, 2021

openvswitch vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.04
- Ubuntu 20.04 LTS

Summary:

Open vSwitch could be made to crash or run programs if it received specially crafted network traffic.

Software Description:
- openvswitch: Ethernet virtual switch

Details:

It was discovered that Open vSwitch incorrectly handled decoding RAW_ENCAP actions. A remote attacker could use this issue to cause Open vSwitch to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 21.04:
  openvswitch-common 2.15.0-0ubuntu3.1

Ubuntu 20.04 LTS:
  openvswitch-common 2.13.3-0ubuntu0.20.04.2

In general, a standard system update will make all the necessary changes.
=====================================================================
Red Hat Security Advisory

Synopsis:     Moderate: OpenShift Container Platform 4.9.0 bug fix and security update
Advisory ID:  RHSA-2021:3759-01
Product:      Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3759
Issue date:   2021-10-18
CVE Names:    CVE-2021-3121 CVE-2021-26539 CVE-2021-26540 CVE-2021-28092
              CVE-2021-28169 CVE-2021-29059 CVE-2021-31525 CVE-2021-32690
              CVE-2021-33194 CVE-2021-33195 CVE-2021-33196 CVE-2021-33197
              CVE-2021-33198 CVE-2021-34428 CVE-2021-34558 CVE-2021-36980
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.9.0 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.9.0. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2021:3758

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
* sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation (CVE-2021-26539)
* sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for iframe element (CVE-2021-26540)
* nodejs-is-svg: ReDoS via malicious string (CVE-2021-28092)
* nodejs-is-svg: Regular expression denial of service if the application is provided and checks a crafted invalid SVG string (CVE-2021-29059)
* golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)
* helm: information disclosure vulnerability (CVE-2021-32690)
* golang: x/net/html: infinite loop in ParseFragment (CVE-2021-33194)
* golang: net: lookup functions may return invalid host names (CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

You may download the oc tool and use it to inspect release image metadata as follows:

(For x86_64 architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.9.0-x86_64

The image digest is sha256:d262a12de33125907e0b75a5ea34301dd27c4a6bde8295f6b922411f07623e61

(For s390x architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.9.0-s390x

The image digest is sha256:d262a12de33125907e0b75a5ea34301dd27c4a6bde8295f6b922411f07623e61

(For ppc64le architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.9.0-ppc64le

The image digest is sha256:d262a12de33125907e0b75a5ea34301dd27c4a6bde8295f6b922411f07623e61

All OpenShift Container Platform 4.9 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

3. Solution:

For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html

Details on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1786835 - oc is crashing while mirroring registry 1856355 - Scrolling of pf4 tables is far less performant than the previous version 1862429 - LocalVolumeSet object can be deleted with in-use PVs.
May result in data leak 1868221 - Missing /etc/mtab symlink in CRI-O containers 1882490 - Azure installer misses hyphen in master NIC names 1883378 - Openapi spec is missing for prometheus-adapter aggregated api-resources 1890676 - Cypress: Fix 'aria-hidden-focus' accesibility violations 1898877 - keepalived consumes 100% of cpu 1903519 - Wrong Ingress to Route conversion for wildcard hostnames 1903632 - After upgrading a customer openshift cluster to 4.6.4 the openshift marketplace pods are in ImagePullBackOff state 1904155 - Graphs on utilization tab don't respect timespan selection 1905326 - kube-apiserver initContainer setup is not requesting required resources: cpu, memory 1905851 - [REF] Create volumesnapshotclass for Manila csi driver by default Storage/Manila CSI Driver 1906315 - "cannot populate chunk **" error in prometheus container logs 1908677 - Reenable [sig-network] SCTP [Feature:SCTP] [LinuxOnly] should create a Pod with SCTP HostPort [Suite:openshift/conformance/parallel] [Suite:k8s] 1908772 - A11y Violation: Dev Console Nav Menu UL contains non-LI elements 1909058 - [cinder-csi-driver operator] always report fake event continuously in openstack-cinder-csi-driver-operator log 1913618 - Completed pods skew the Quota metrics 1914398 - multus admission controller and metrics daemon running as root 1914414 - SRIOV enablement for Emulex Corporation OneConnect NIC (10df:0720) is not working anymore 1914837 - Machine API Termination Handlers should be tested 1918562 - [cinder-csi-driver-operator] does not detect csi driver work status 1921139 - revert "force cert rotation every couple days for development" in 4.8 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 1923111 - Install plans permanently fail due to CRD resource modified or similar transient errors 1924695 - Non-ascii passwords are accepted but don't work 1925180 - Deployment creates a huge number of ReplicaSets - image-lookup bits 1925203 - 
[RFE] [OCPonRHV] - High Performance Mode in OCP on RHV - huge pages, CPU and Numa pinning configuration 1925276 - Double instance create AWS 1925524 - openshift-jenkins-sync plugin does not scale on OCP 4 1928668 - Prometheus is collecting metrics for completed pods 1928816 - When using idrac-virtualmedia, the bios_interface gets set to idrac-wsman 1928856 - OCP Conformance test fails if MachineSet resource type is not present 1928942 - [Assisted-4.7] [Minimal-ISO] [Started image download] "Started image download" event missing important info: Content-Length: and Content-Disposition filename in both API and UI events 1932139 - The downstream darwin/amd64 `opm` binary fails to output the version info 1932323 - CVE-2021-26540 sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for iframe element 1932362 - CVE-2021-26539 sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation 1934443 - Installation of OCP 4.6.13 fails when teaming interface is used with OVNKubernetes 1936408 - [VMware-LSO] pod re-attach time took more then 60 sec. 
1936919 - AlertmanagerMembersInconsistent fires too quickly, causing serial-test noise 1937696 - [Assisted-4.7]node/hostnames vs bmh names inconsistency, skipped cluster index in name 1938282 - [4.9] Kuryr won't remove LB members on Endpoints object removal 1939045 - [OCPv4.6] pod to pod communication broken on PFCP procotol over UDP 1939103 - CVE-2021-28092 nodejs-is-svg: ReDoS via malicious string 1940059 - [GSS][RFE] Integrate ceph dashboard with OCS 1941224 - Serial e2e should not complain about the authentication operator going Progressing=True during the "test RequestHeaders IdP" test-case 1942122 - Egress IP iptables rules not added due to iptables: Resource temporarily unavailable 1942164 - [sig-cluster-lifecycle] cluster upgrade should be fast 1942657 - ingress operator stays degraded after privateZone fixed in DNS 1943265 - Negative Memory Utilization for Cluster Compute Resources Dashboard 1943284 - opm index prune will fail if the working directory does not have write permissions 1943334 - [ovnkube] node pod should taint NoSchedule on termination; clear on startup 1943378 - OpenStack machine_controller does not remove boot volumes when reconciler errors 1946178 - [Assisted-4.7] [Staging][OCS] Cluster validation messages improvements 1947005 - cluster-monitoring-view role allows to create alert silences 1947740 - [single-node] "Failed to watch" errors in openshift-state-metrics container 1948089 - openshift-apiserver should not set Available=False APIServicesAvailable on update 1948090 - Storage should not set Available=False APIServices_Error AWSEBSCSIDriverOperatorCRAvailable on update 1948603 - Azure CSI driver does not pass e2e-azure-csi tests 1948607 - vSphere CSI driver does not pass e2e-vsphere-csi tests 1948720 - Spacing issues in Chinese translations 1949497 - apiversion is still policy/v1betal when user creates pdb via oc create command 1949840 - CMO reports unavailable during upgrades 1950173 - Non-fatal: prometheus.env.yaml: no such file or 
directory 1950534 - OPM fails to deprecate bundles 1951812 - [master] [assisted operator] Assisted Service Postgres crashes msg: "mkdir: cannot create directory '/var/lib/pgsql/data/userdata': Permission denied" 1952101 - Can't re-build index if any bundles have been truncated 1952224 - Some quickly deleted pods are never cleaned up by kubelet after 20m 1952457 - In k8s 1.21 bump '[sig-node] crictl should be able to run crictl on the node' test is disabled 1952737 - [RFE]Users had difficulty distinguishing between “ Supported” and “Provided” 1953063 - Update default AWS instance type in machine-api-operator 1953113 - HAProxy template doesn't allow HSTS header to be case insensitive or include spaces 1953127 - NetworkPolicy tests were mistakenly marked skipped 1953182 - [Azure disk csi driver] volume expansion failed on filesystem resizing 1953185 - [Azure disk csi dirver operator] doesn't use the credential created by CCO 1953674 - [RFE] Add resize to ovirt CSI driver 1954869 - Add necessary priority class to marketplace components 1955192 - ExternalIP feature do not work on ovn-kuberenetes 1955292 - Describe quota output should show units 1955435 - "requestURI":"/apis/user.openshift.io/v1/users/kube:admin" from system:apiserver got code 422 1955586 - ThanosSidecarUnhealthy will never fire if the sidecar is never healthy. 
1956081 - kube-apiserver setup fail while installing SNO due to port being used 1956830 - "oc adm top nodes" output give negative numbers 1956836 - AVC denial when setting hostname on GCP using "set-valid-hostname.sh" script 1956879 - authentication errors with "square/go-jose: error in cryptographic primitive" are observed in the CI 1956955 - Services sync causes too many ovn load balancer deletes 1956989 - In k8s 1.21 bump some sig-network tests are disabled due to being permanently broken on e2e-metal-ipi-ovn-ipv6 1957498 - cluster-etcd-operator: policy/v1beta1 PodDisruptionBudget is deprecated in v1.21 1957609 - [aws]Machine tags should have precedence over Infrastructure 1957634 - prometheus-adapter panics on GetNodeMetrics 1957761 - SR-IOV daemon set should meet platform requirements for update strategy that have maxUnavailable update of 10 or 33 percent 1957886 - In k8s 1.21 bump TTLAfterFinished is disabled 1958107 - SR-IOV network operator pods should not run in best-effort QoS 1958154 - Custom AWS user tags limit not supported (openshift/api says max=25), install fails when >=10 1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header 1958375 - Return IPv6 traffic from the application pod is getting dropped when f5 pod is scaled to more than one. 
1958376 - [IPI on Azure] unable to install IPI PRIVATE OpenShift cluster in Azure due to organization policies 1958390 - API Services unavailable after upgrade from 4.5.38 to 4.6.27 1958888 - 4.7.6 -> 4.7.9 upgrade: leader election stuck 1959200 - failed to configure pod interface: error while waiting on OVS.Interface.external-ids:ovn-installed for pod: timed out while waiting for OVS port binding 1959290 - openshift-kube-apiserver-operator should not rely on external networking for health check 1959586 - [master] All resources not being cleaned up after clusterdeployment deletion 1959798 - DNAT rules for external IP services wrong in ovn-kubernetes 1959906 - External gateway fails to add duplicate OVN ECMP route 1959957 - After a channel head is deprecated, the channel still exists in the index, but with no installable content = BAD UX 1960101 - CNO: exportNetworkFlows accepts invalid TCP/UDP port numbers 1960152 - Manilacsi becomes degraded even though it is not available with the underlying Openstack 1960455 - Performance Addon Operator fails to install after catalog source becomes ready 1960485 - Cannot use DASD at virtio block device when installing RHCOS on KVM 1960559 - Remove v1beta1 handling code 1960574 - Managed cluster should ensure SR-IOV pods components have system-* priority class associated 1960680 - [SCC] openshift-apiserver degraded when a SCC with high priority is created 1961226 - Can't ssh too IPA on worker nodes 1961757 - ovn-kubernetes: Enable ovn-controller lflow-cache limits (memory and/or size) 1961811 - Creating a configmap for a CA without a trailing newline in source file results in non-working CA verification 1962344 - [SCALE] ovn-controller running up to 30 second poll intervals due to full recompute 1962387 - Upgrade from Openshift 4.5 -> 4.6 Results in Orphaned Address sets 1962414 - ed25519 keys do not work when FIPS is enabled 1962951 - Can't enable column diffs in 4.9 1962957 - [master] Assisted service reports a malformed iso 
when we fail to download the base iso 1963027 - Upload qcow2 to PVC too small : "Error Uploading Data Request fail with status code 400" 1963132 - Installer: Remove the word 'Northern' from us-east4 (Ashburn, Northern Virginia, USA) to make it consistent 1963232 - CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment 1963943 - For baremetal clusters, the node->terminal is not available 1964231 - Client certificate used to contact kubelet is not loaded dynamically 1964266 - [RFE] add external-resizer side car container 1964471 - [master] Confusing behavior when multi-node spoke workers present when only controlPlaneAgents specified 1964482 - Ipv6 IP addresses are not accepted for whitelisting 1964540 - CAPO: It's impossible to make port a trunk when it's defined in `ports` field 1964591 - [master] ACM/ZTP with Wan emulation fails to start the agent service 1964623 - [master] File system usage not being logged appropriately 1964786 - Serial console does not load 1964902 - NetworkPolicy Ingress rules table shows confusing text in From column 1964941 - If loading dynamic plugin times out, the UI throws a syntax error 1965074 - [OVN Kubernetes] ovnkube errors observed on 100 node clusters during uperf testing Fatal error: ofport of patch-br-ex_ip-<node_ip>.us-east-2.compute.internal-to-br-int has changed from [] to 2 1965080 - machine-api-operator constantly makes unauthorized AWS calls to DescribeInternetGateways 1965117 - [master] Post making changes to AgentServiceConfig assisted-service operator is not detecting the change and redeploying assisted-service pod 1965263 - [volume snapshot] "oc get volumesnapshotcontent" should display the volumesnapshot namespace info 1965365 - Accessibility - Resource and Events filter select options do not move cursor focus into search input on click, inhibits keyboard navigation 1965562 - recycler-for-nfs-... 
does not set requests or priorityClassName 1965930 - NetworkPolicy is not translated in Korean or Chinese 1965984 - Console Dashboard performance leads to empty visualizations 1965992 - Gracefully shutdown taking around 6-7 mins (libvirt provider) 1966129 - [4.9] Openshift Installer| UEFI mode | BM hosts have BIOS halted 1966480 - Console-operator's controllers are passed resourceSyncer which is not used (refactoring) 1966485 - [master] Operator-managed assisted Service doesn't wait for CVO to finish before reporting back 1966499 - portworx-operator causes APIRemovedInNextReleaseInUse alert 1966586 - [Assisted-4.7] [Staging] 200 OK returned when setting invalid Base DNS domain using API 1967047 - Console overview section shows operators are upgrading even though it is not actually upgrading. 1967108 - AsyncComponent loader comparison may result in false positive 1967228 - 503 Error page contains license for a vulnerable release of Bootstrap 1967316 - Sweep frontend/public folder for i18n 1967483 - coreos-installer fails to download Ignition (DNS error, failed to lookup address) 1967516 - Incorrect warning message on network type selection 1967527 - CPU spikes not captured in Grafana causing issue to understand HPA behavior 1967621 - Operator fails to install and OLM tries to delete nonexistent catalog pods under openshift-marketplace/redhat-marketplace 1967658 - OLM: Failure alert message for copied CSV not helpful 1967695 - managedFields is missing in provisioning-configuration json object 1967808 - Readiness "exec" probes causes zombie process on certain container images 1967885 - Creating a VM from the UI on OKD 4.7 fails with "the API version in the data (kubevirt/v1) does not match the expected API version (kubevirt/v1alpha3)" 1967934 - Hide input box of add capacity modal for attached devices mode 1967956 - [master] Assisted-service deployed on an IPv6 cluster installed with proxy: agentclusterinstall shows error pulling an image from quay. 
1967979 - Masthead dropdowns options are not accessible via the keyboard 1968043 - [master] backend events generated with wrong namespace for agent 1968124 - [master] [doc] "Mirror Registry Configuration" doc section needs clarification of functionality and limitations 1968125 - [master] [DOCS] AgentServiceConfig examples in operator.md doc should each contain databaseStorage + filesystemStorage 1968324 - [master] Unclear message in case of missing clusterImageSet 1968336 - [master] missing role in agent CRD 1968404 - [master] Wrong Install-config override documentation 1968406 - [master] Misleading error in case of install-config override bad input 1968423 - [master] CR finalizers block resource deletions if the assisted-service POD is not available 1968425 - [master] AgentLabelSelector is required yet not supported 1968448 - [master] KubeAPI CVO progress is not available on CR/conditions only in events. 1968525 - Warning: Encountered two children with the same key in Operator Details page 1968552 - [master] BMAC should wait for an ISO to exist for 1 minute before using it 1968569 - Creating a network policy in OVN-Kubernetes can be very inefficient. 1968570 - [master] Misleading error when ClusterImageSet specifies OpenShift version lower than 4.8 1968572 - Assisted Service does not escape backslash characters on public SSH keys 1969324 - [master] Remove Agent CRD Status fields not needed 1969371 - [AWS] destroyer tried to search resources in other china region. 
1969374 - [OSP] Document how to update domain for image registry in version <4.8 1969391 - [master] infra-env condition message isn't informative in case of missing pull secret 1969404 - revert "force cert rotation every couple days for development" in 4.9 1969471 - HAProxy tests in sdn-network-stress job are flaky 1969477 - [master] Assisted service times out on GetNextSteps due to `oc adm release info` taking too long 1969494 - [master] no indication for missing debugInfo in AgentClusterInstall 1969546 - OLM: Scroll shadow in wrong position in operator details modal 1969547 - [master] SNO with AI/operator - kubeconfig secret is not created until the spoke is deployed 1969719 - vsphere-problem-detector cannot connect to vCenter API over https 1969761 - sriov webhook not worked when upgrade from 4.7 to 4.8 1969766 - [master] Empty cluster name on handleEnsureISOErrors log after applying InfraEnv.yaml 1969796 - [master] Updating configmap within AgentServiceConfig is not logged properly 1969902 - OLM fails with 'ResolutionFailed' found more than one head for channel 1969989 - KMS connection details for new storageclass can not be changed in StorageClass creation form after 9 connection details are stored in csi-kms-connection-details configmap 1969998 - [OCP 4.9 tracker] kubelet service fail to load EnvironmentFile due to SELinux denial 1970011 - “managed by” link goes to the incorrect URL (unlike the correct ownerRef link) 1970063 - [master] AgentServiceConfig mirror registry requires both ca-bundle.crt and registries.conf 1970129 - OVS logging in must gather is missing previous logging levels 1970147 - Weak Cipher in openshift-monitoring 1970179 - [4.9] Bootimage bump tracker 1970261 - [master] Add State and StateInfo to DebugInfo in ACI and Agent CRDs 1970270 - [master] Add ProgressInfo to Agent and AgentClusterInstalll CRDs 1970315 - 4.7 -> 4.8 upgrades fail on "[sig-network] pods should successfully create sandboxes by other" for pods which eventually start 
1970332 - Page disappears while creating Storage Class for rbd provisioner via UI 1970421 - CVO does not provide a good enough reason to why an upgrade payload pull failed 1970437 - [oVirt] Add guaranteed memory field to oVirt Machine Object 1970466 - Console's OperatorHub leads users to unrelated install plan, if subscription does not have its own 1970604 - Add IDP menu items are not translated 1970910 - Uninstalling kube-descheduler clusterkubedescheduleroperator.4.6.0-202106010807.p0.git.5db84c5 removes some clusterrolebindings 1970962 - Exception inside the Jenkins Master pod 1970980 - Remove usage of i18nKey 1970985 - periodic ci-4.8-upgrade-from-stable-4.7-e2e-*-ovn-upgrade are permafailing on service/ingress disruption 1971032 - Add Sprint 202 Round 2 translations 1971046 - apiserver stops responding during an e2e run (non-graceful shutdown) on GCP 1971162 - Installation failed by enabling OCS from AI because of Virtual_Floppy as HDD listed in UI 1971207 - installer only created one worker node and the install failed 1971332 - oc new-build command does not pick automatic source clone secret in OpenShift 4.7 1971499 - Should not show getting started links when add page customization disabled these entries 1971518 - Cluster deletion misses trunk ports and loop over until timeout 1971532 - Admin project list should not use internal ids as link titles 1971537 - Support cgroups v2 (Podman on Fedora 31+) 1971544 - Event sources in Developer console lists also action and sink kamelets 1971602 - e2e-metal-ipi-upgrade for 4.7 to 4.8 is permafailing 1971624 - [release-4.9] kube-apiserver failed to load SNI cert and key 1971640 - [master] InfraEnv controller should always requeue for backend response HTTP StatusConflict (code 409) 1971690 - Remove "unsupported" tag from ARM 64 oc binary in console 1971715 - [OCP 4.7] "configure-ovs.sh" leaves static ip in old interface 1971738 - Keep /boot RW when kdump is enabled 1971808 - New `local-with-fallback` service annotation 
does not preserve source IP 1971899 - The ciphers in theTLS profiles for the kubelet, the `oc explain` output don't match the kubelet.conf file 1972003 - Get invalid date when edit custom time range on monitoring dashboards 1972009 - [REF]Image registry pullthough should support pull image from the mirror registry with auth via imagecontentsourcepolicy 1972011 - Dashboards display different time range when drag&drop on the first dashboard 1972016 - Set a specific time range, but Dashboards display data with a different time range 1972028 - Upgrade is failed when upgrade SNO cluster on gcp platform 1972060 - typo in operators available 1972096 - [master] Domain dummy.com (not belonging to Red Hat) is being used in a default configuration 1972131 - ironic-static-ip-manager container still uses 4.7 base image 1972272 - [master] "baremetalhost.metal3.io/detached" uses boolean value where string is expected 1972287 - [mlx5] traffic from Node port is not offloaded 1972351 - Bump jenkins version to 2.289.1 1972374 - Adopt failure can trigger deprovisioning 1972383 - Using bound SA tokens causes causes failures to /apis/authorization.openshift.io/v1/clusterrolebindings 1972393 - PDB PUT /status is 1/6th of total write load on busy cluster continuously (should be 1/100 or so) 1972514 - add check for accessing traffic from status in ksvc 1972524 - bootstrap vm does not get right configuration for dhcp6 1972525 - [master] clusterDeployments controller should send an event to InfraEnv for backend cluster registration 1972572 - Ironic rhcos downloader re-downloads same image in upgrade process from 4.7 to 4.8 1972582 - [oVirt] Installing with an oVirt network with 2 vnics on the same network causes the installer to not create tfvars and fail with terraform error 1972598 - [master] Install retry per recreating ACI, BMH error status is not cleared 1972678 - Requirements for authenticating kernel modules with X.509 1972682 - DPDK KNI modules need some additional tools 1972684 - 
[Feature:IPv6DualStack] tests are failing in dualstack 1972747 - Allow Cluster-api-provider-ovirt using auto pinning new namings 1972753 - ironic hardware inspection failed due to NewConnectionError causes bm nodes stuck 1972776 - improve dual-stack install-config validation 1972777 - Unable to edit the default Health check probe values 1972829 - Upgrade tests should fail when ingress is disrupted 1972966 - Virtualization is not available in Home Overview 1972968 - "Add Disk" button should be disabled in common template disks tab 1972977 - The removed ingresscontrollers should not be counted in ingress_controller_conditions metrics 1973005 - authentication operator degraded during 4.7.16 update 1973065 - Editing a Deployment drops annotations 1973076 - [oVirt] CSI driver is not waiting for disk to be OK on creation 1973147 - KubePersistentVolumeFillingUp - False Alert firing for PVCs with volumeMode as block. 1973154 - RHCOS-shipped stalld systemd units do not use SCHED_FIFO to run stalld. 
1973160 - Monitoring UI disappear when we query a string 1973200 - remove kubevirt images and references 1973215 - [OVN] EgressIP no longer worked after a cluster upgrade 1973314 - [4.9] Openshift Installer| UEFI mode | BM hosts have BIOS halted 1973315 - [master] Updating ISO URL does not create a correct log entry 1973318 - Image pruner does not use custom tolerations 1973333 - Investigate why strings removed in English files are showing up in langauge files 1973336 - Verify "Only {volumeMode} volume mode is available for {storageClass} with {accessMode} access mode" displays correctly 1973338 - Fix punctuation in string 1973340 - Add Sprint 203 translations 1973423 - Several operators degraded because Failed to create pod sandbox when installing an sts cluster 1973482 - 4.8.0.rc0 upgrade hung, stuck on DNS clusteroperator progressing 1973491 - Node exporter veth optimizations do not work if the network type is OVN 1973525 - machine-config-operator: remove runlevel from kni-infra namespace 1973565 - Dynamic plugin routes should be evaluated before static plugin routes 1973567 - Autoscaler log report error “Failed to watch *v1.CSIDriver” 1973576 - only show annotations.summary field on thanos-ruler Alerts page 1973582 - [upgrade from 4.5 to 4.6] .status.connectionState.address of catsrc certified-operators is not correct 1973643 - oc logs doesn't work with piepeline builds 1973679 - fix ovn-kubernetes NetworkPolicy 4.7->4.8 upgrade issue 1973724 - metal3 Pod cannot download RHCOS images using the provisioning network anymore 1973813 - NodePorts do not work on RHEL 7.9 workers (was "4.7 -> 4.8 upgrade is stuck at Ingress operator Degraded with rhel 7.9 workers") 1974077 - [Assisted-4.8] [Staging][Network Latency] Improve validation message: host with IP not found in inventory 1974083 - [RFE] When branding is not redhat, no need to explicitly mark community support. 
1974085 - [Assisted-4.8] [Staging][Network Latency] Worker host IP appear in master validation message 1974237 - 4.7 -> 4.8 upgrades on AWS take longer than expected 1974277 - Tuned net plugin fails to handle net devices with n/a value for a channel 1974312 - linuxptp-daemon: remove not needed run-level 1 label 1974338 - [OCP4.7] maven image doesn't use JAVA_HOME env variable 1974350 - LB endpoint for API becomes unavailable briefly during openshift test suite 1974364 - [must-gather] ovs/ovn database should be exported or dumped, not compacted and copied 1974403 - OVN-Kube Node race occasionally leads to invalid pod IP 1974411 - Installation with multipath parameters in parmfile fails (DNS resolution missing) 1974429 - Requirements for nvidia GPU driver container for driver toolkit 1974453 - coreos-installer failing Execshield 1974501 - [master] Assisted Service Operator should be Infrastructure Operator for Red Hat OpenShift 1974520 - [release-4.9] CI update from 4.7 to 4.8 sticks on: EncryptionMigrationController_Error: EncryptionMigrationControllerDegraded: etcdserver: request timed out 1974567 - vertical-pod-autoscaler-operator: remove runlevel from namespace manual install 1974598 - Sub-optimal cluster destroy strategy 1974603 - clusteroperators table output does omit condition messages 1974611 - In template list, the boot source provider column should be named boot source 1974640 - When installing on AWS, AWS_SHARED_CREDENTIALS_FILE is only obeyed for reading and not for writing credentials 1974651 - dockerv1client tests fail due to unavailability of v1 API on registry-1.docker.io 1974689 - In customize create vm wizard, a warning "no registred model" 1974716 - Using bound SA tokens causes fail to query cluster resource especially in a sts cluster 1974755 - Status defaults were not internationalized 1974758 - aws-serial jobs are failing with false-positive MachineWithNoRunningPhase firing or pending 1974830 - KubeDeploymentReplicasMismatch alert will never 
fire 1974832 - The monitoring stack should alert when 2 Prometheus pods are scheduled on the same node 1974839 - CVE-2021-29059 nodejs-is-svg: Regular expression denial of service if the application is provided and checks a crafted invalid SVG string 1974967 - Prometheus Memory Usage 50-100% higher on 4.8+ OVN when under load 1974973 - ci-operator cannot import an s390x or a non-amd64 OCP release image 1975016 - OpenStack credentials for Kuryr Controller should be stored in a secret 1975038 - Cannot delete user created vm template 1975042 - Cannot customize windows template boot source 1975133 - Sync ironic containers with latest ironic code 1975157 - (release-4.9) records data size is incorrectly growing when obfuscation is enabled or when there are duplicated records 1975218 - [master] KubeAPI Move conditions consts to CRD types 1975232 - VM Create YAML page 404 error 1975283 - gcp-realtime: e2e test failing [sig-storage] Multi-AZ Cluster Volumes should only be allowed to provision PDs in zones where nodes exist [Suite:openshift/conformance/parallel] [Suite:k8s] 1975296 - machinehealthcheck controller does not consider nodes that still have the external remediation annotation 1975359 - [master] timeout on kubeAPI subsystem test: SNO full install and validate MetaData 1975379 - Console pods are scheduled on single master node 1975383 - No NTP sources defined in a cluster after assisted installation 1975391 - Install Operator description iframe shows double scrollbars when the browser sized is narrowed. 
1975392 - Console and downloads pods should have more specific anti-affinity label selectors 1975475 - [aws] terraform may fail when the bootstrap instance profile is not ready 1975478 - CRD extensions.ConsoleNotification CRD.displays YAML editor for modifying the location of ConsoleNotification instance 1975491 - [Assisted-4.8] [Staging][Network latency] host_requirements api should contain network thresholds 1975529 - Production logs are spammed on "Validate Requirements status All host roles must be assigned to enable CNV." 1975539 - [ImageStreams] Remove stale cruft installed by CVO in earlier releases 1975542 - [Insights] Remove stale cruft installed by CVO in earlier releases 1975683 - baremetal-operator fails to build 1975696 - compareOwnerReference should not accept a reference 1975714 - Missing policy-group label on the openshift-console namespace manifest 1975715 - Monitoring dashboard 'Logging/Elasticsearch' isn't accessible on OCP 4.8. 1975779 - image pull keeps failing on upgrade 1975805 - [4.8.0] Install retry per recreating ACI, BMH error status is not cleared 1975820 - There are plugins remained after uninstall operator with multiple plugins enabled 1975824 - Alert InstallPlanStepAppliedWithWarnings does not resolve 1975825 - [v4.8] The `oc compliance fetch-raw` is unable to process results from suite: unexpected EOF 1975831 - Crio is using large amounts of node resources 1975913 - Unable to uncheck the optional workspace checkbox in pipeline builder 1975947 - Add egress ips to anonymizer 1976016 - Azure: Destroy cluster eventually fails when trying to delete a cluster while other resources (not related to the cluster) are present in the resource group 1976072 - Operand details page doesn't render correct format when x-descriptor path has None value 1976112 - batch/v1beta1 CronJob warning appears in image pruner pod when image registry is removed 1976125 - [BM][IPI] redfish inspect fails on nodes with nics where mac="": Expected a MAC address but 
received . 1976215 - Removed egressIP still shows as EXTERNAL_IP in the NorthBound DB. 1976217 - Chart empty state card different height than other cards on Metrics tab 1976243 - OLM operator index pod for Performance Addon Operator is missing Workload Partitioning Annotation 1976307 - CVO missing ImageStreams manifest delete annotation logic 1976326 - CI failing on firing CertifiedOperatorsCatalogError due to slow livenessProbe responses 1976373 - disable jenkins client plugin test whose Jenkinsfile references master branch openshift/origin artifacts 1976379 - CVO pod skipped by workload partitioning with incorrect error stating cluster is not SNO 1976753 - [sig-devex][Feature:Jenkins][Slow] Jenkins repos e2e openshift using slow openshift pipeline build Sync plugin tests using the ephemeral template 1976775 - Problematic Deployment creates infinite number Replicasets causing etcd to reach quota limit 1976776 - [master] Change agent's ReadyForInstallation condition into RequirementsMet 1976939 - Interacting with CatalogSource page.Interacting with CatalogSource page renders details about the redhat-operators catalog source 1976983 - [master] [assisted operator][docs] Setting automatedCleaningMode: metadata in BMH is overridden to disabled 1977027 - [oauth-apiserver] Remove stale cruft installed by CVO in earlier releases 1977037 - VNC console stays in Connecting state. 
1977054 - [4.9] Unable to authenticate against IDP after upgrade to 4.8-rc.1 1977097 - build cleanup test failing on release-openshift-origin-installer-old-rhcos-e2e-aws-4.7 1977129 - openshift-installer: remove runlevel from openshift-kubevirt-infra namespace 1977279 - When applying the gateway annotation to a gateway pod or to a namespace, the per pod SNAT is not removed 1977330 - Single stack external gateway makes the pod not starting with dual stack clusters 1977346 - Fix obfuscation translation table secret 4.9 1977354 - [master] KUBE-API: Support move agent to different cluster in the same namespace 1977369 - vSphere Machines stuck in deleting phase if associated Node object is deleted 1977377 - [master] Add columns to the Agent CRD list 1977389 - Manila CSI driver is not in must-gather 1977435 - SNO - monitoring operator is not available cause failed: waiting for Alertmanager openshift-monitoring/main 1977444 - KubeAPI docs: Add a getting started guide 1977449 - [master] Fix flaky test: invalid NMState config YAML 1977454 - builds: e2e-proxy tests fail due to Redis security protections 1977595 - pseudo translation missing on OperatorHub page 1977655 - localization issue for volume mode tooltip message 1977753 - (release-4.9] Gather all MachineConfig definitions 1977807 - Prometheus PV is corrupted during CSI migration tests 1977884 - Upgrade from 4.8.0-rc.0 to 4.9.0-0.nightly-2021-06-24-073147 failing with multiple errors 1977920 - Pod fails to run when a custom SCC with a specific set of volumes is used 1977936 - OCS deployment using Multus: UI allows StorageCluster creation with empty public and cluster network in "Internal - Attached Devices" mode 1977972 - Kernel version in /etc/driver-toolkit-release.json not including architecture 1977981 - [External Mode] OpenShift Container Storage Overview does not display any dashboard by default unless specific tab is clicked 1978091 - Cluster Utilization item Network transfer shows 'No datapoints found' 1978137 
- ovnkube-trace requires iproute to be installed in the pod 1978144 - CVE-2021-32690 helm: information disclosure vulnerability 1978193 - htpasswd provider for auth is not working as expected and give 401 error when user try to login 1978200 - RHEL 6 template should not be starred by default 1978202 - RHEL 6 template is tagged as "community" 1978213 - OpenStack quota checks inexact when using Kuryr 1978222 - User Management / Users: seeing "Add IdP" button although IdP exists 1978225 - User Management / Users: no progress visible suggesting that IdPs are not instant after configuration 1978268 - Exec probes fail clusterwide after upgrade to cri-o-1.19.2-4.rhaos4.6.git4f7cb5e.el7.x86_64 1978310 - OLM dependencies not fixing version 1978338 - "Prometheus metrics should be available after an upgrade" is panicking 1978340 - packageserver isn't following the OpenShift HA conventions 1978352 - [master] Add machine network cidr to cluster status 1978376 - Should not allow upgrades to 4.9 without admin acknowledgement that apis are being removed 1978403 - Add Sprint 203 Round 2 translations 1978416 - Convert TFunction to Trans component 1978421 - String updates (typos, etc.) 
1978425 - Consolidate namespaces in console-app and console-shared plugins 1978429 - Typos in Pipelines Plugin strings 1978435 - SR-IOV doesn't show up in operatorhub for ppc64le 1978627 - When mount source with a long unexist name, the build keeps pending with unclear message 1978629 - [RFE]'oc describe build|buildconfig' should show mount souce info when add Secret Volume Mounts to buildconfig 1978649 - Object Service tab should not be part of OCP Console for ODF Managed Services 1978662 - monitoring operator needs to indicate non-durable data 1978691 - [4.9.0] OPENSHIFT_VERSIONS env var overrides AgentServiceConfig osImages: values 1978724 - Binary secret data isn't properly uploaded by ui 1978739 - [master] Provisioning SNOs bmh is stuck in ready state 1978749 - CVO doesn't honor noProxy while contacting Cincinnati endpoint 1978774 - Cluster-version operator loads proxy config from spec, not status 1978797 - external gateway pod deletes may not clean up ECMP routes 1978829 - ClusterMonitoringOperatorReconciliationErrors is firing during upgrades and should not be 1979009 - Change log message about EFI not being supported in assisted-installer 1979038 - Installation logs are not gathered from OCP Control planes nodes 1979114 - Cannot create vm from 'With YAML' on CNV 2.6.5 + OCP 4.8 1979116 - Cannot create vm from customize wizard on CNV 2.6.5 + OCP 4.8 1979169 - [docs] Unclear docs in automatedCleaningMode 1979190 - Cannot get guest information on CNV 2.6.5 + OCP 4.8 1979297 - SystemExceedsMemoryReservation prometheusRule manages wrongly hugepage reservation 1979300 - Upgrading from 4.7.11 to 4.8.0: Saw HybridOverlay logical router policies getting created without any existing hybridoverlay configuration 1979352 - Tuned affining containers to house keeping cpus 1979506 - The earlier version bundles that generated by pkgman-to-bundle won't be installed success 1979544 - olm Operator is in CrashLoopBackOff state with error "couldn't cleanup cross-namespace 
ownerreferences" 1979571 - Process is not terminated in pod terminal in UI. 1979620 - Applying an OLM descriptor to a deeply nested child property then doing the same for a parent property will cause the descriptor for the child to be removed. 1979738 - driver-toolkit gcc install unable to download extract-vmlinux script in ART builds 1979822 - mdns-publisher pods are crashing and restarting often. 1979996 - Dashboards do not support automatic unit transformation for time 1980029 - CI: openstacksdk 0.53 breaks UPI jobs 1980118 - Cannot launch debug container for pods in management workload partition 1980135 - On an IPv6 single stack cluster traffic between master nodes is sent via default gw instead of local subnet 1980187 - [sig-operator] an end user can use OLM can subscribe to the operator failing frequently 1980235 - OAuth proxy version is displayed should be removed. 1980257 - 'You are logged in as a temporary administrative user.' banner is shown for kubeadmin user with crc 1980357 - Getting the alert "V4SubnetAllocationThresholdExceeded" in newly installed cluster, Where subnet allocation is not more then 80% 1980364 - CI not working because Dockerfile references an ImageStream resource which isn't compatible with OLM 1980465 - etcd warning logs misleading 1980531 - additionalHelpActions 'HelpMenu' ConsoleLinks not translated 1980548 - Not all plugins' locales folders are listed in webpack.config.ts 1980658 - metal-ipi jobs are failing because of api server connection errors 1980679 - On a Azure IPI installation MCO fails to create new nodes 1980704 - Web console doesn't list all the registries credentials in a secret 1980753 - 4.7 minimal iso fails to boot 1980781 - NTO-shipped stalld can segfault 1980844 - The SystemMemoryExceedsReserved alert released in 4.6 seems to trigger on many clusters under load (default increase if possible?) 
1980888 - Thanos querier probes are timing out 1980930 - Machine-api-operator is going through leader election even when API rollout takes ~60 sec in SNO 1981055 - ovn-kubernetes-master need to handle 60 seconds downtime of API server gracefully in SNO 1981090 - [IPI baremetal] 'Failed to get the sockets from the old process' error is reported in haproxy logs following haproxy reload 1981272 - When deleting PVC inside PVC page the status in the heading doesn't match the status field 1981399 - protractor tests are not able to run on release-4.8 and master 1981417 - Change OCM links from cloud. to console.redhat.com 1981425 - Update jenkins to 2.289.2 1981465 - Assisted installer wait for ready nodes on bootstrap kube-apiserver though it moved to one of the other masters 1981477 - Unable to attach Vsphere volume shows the error "failed to get canonical path" 1981498 - enhance service-ca injection 1981550 - AWS Elastic IP permissions are incorrectly required 1981639 - Imageregistry bumps out N+1 pods when set replicas to N(N>2) and Y(=workers number) pods are scheduled to different workers, the left pods will keep pending 1981832 - OLM fails with 'ResolutionFailed' found multiple channel heads 1981936 - openshift/builder base images inconsistent with ART 1981957 - Sync plugin v1.0.47 takes a very long time to pick up new builds 1981975 - Master Machine Config Pool degraded at install time 1981999 - [4.9] Bootimage bump tracker 1982046 - CVO gets stuck on resource deletion progress after re-creating the deleted resource 1982052 - [vsphere][upi] OVN vmxnet3 allmulti workaround doesn't apply when vmxnet3 is bonded 1982079 - Resource usage measurement data display the concatenation of English and translation sentence fragments in Cluster utilization of Home->Ovewview when moving the mouse over each resource usage chart 1982090 - Top consumers filter dropdown list is inconsistent with the translation of left menu when click usage data in each Cluster utilization row 
1982150 - Add a TechPreviewBadge for Multus 1982153 - Accessibility (and cypress test) issue with empty category on Operator Hub page 1982170 - (release-4.9] Operator operation is not set when updating status 1982274 - OLM should block the OCP 4.8 upgrade to 4.9 when the operator installed with `olm.openShiftMaxVersion` annotation 1982300 - vsphere-problem-detector not showing wrong credentials event/alert on OCP Console 1982376 - Remove PatternFly override fixes now that upstream version include the fix 1982653 - Observe - Alerting - Create silence : time period values are in English 1982659 - Workloads - Jobs : 'Type' column's Value 'Non-parallel' is in English 1982680 - Abort signal is ignored when using safe-k8s-hook.tsx 1982682 - Namespace is not properly passed to k8sCreate 1982692 - Serverless - Eventing - Event Sources - Move sink: incomprehensible japanese sentence 1982727 - Serverless - Eventing - Brokers - Add Trigger : i18n misses 1982736 - Serverless - Eventing - Channels - Add Subscription : appearing Partial translation for fully translated text 1982751 - Serverless - Eventing - Subscriptions - Move Subscription : appearing partial translation 1982765 - Networking - Services - Edit Pod Selector : An incomprehensible Japanese sentence 1982766 - [on-prem] Make ingress keepalived check more tolerant to failures 1982776 - Namespaces - RoleBindings - Edit ClusterRoleBinding subject : An incomprehensible Japanese translation 1982781 - "opm index rm" doesn't remove deprecated bundles 1982868 - 4.8 ManagementCPUsOverride admission plugin blocks 4.7 deployments on empty topology 1982997 - Page header tools - Import YAML : i18n misses 1983032 - User Management - Users - Impersonate User : i18n misses 1983091 - Logic for getting default pull secret incorrect on project page 1983190 - SNO deployment on HPE e910 blades fails because the node always boots from virtualmedia 1983205 - StatefulSet fails to deploy with error Readiness Probe exec failed open /dev/tty 
failure no such address when .spec.tty is set to true [OCP 4.6.34] 1983220 - A second scroll bar appears on the Node/Pod terminal page when resizing vertically 1983412 - [Assisted-4.8] [Integration][Network validations] "unable to unmarshall host" and "unexpected end of JSON input" errors when booting nodes 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1983612 - When using boot-from-volume "image", InstanceCreate leaks volumes in case machine-controller is rebooted 1983673 - opm may prune bundles from the input 1983693 - Import from YAML shows warning when just pressing enter 1983707 - Import from YAML breaks console when three dash separator at the end 1983788 - Kubelet may start running before CRI-O 1983933 - [oVirt] CSI expansion should work in offline mode 1983975 - BMO fails to start with port conflict 1984030 - Reduce CPU overhead for ignore-listed NICs 1984031 - Create Silence form's "Created by" field is not populated after refreshing the page 1984047 - insight-operator logs a panic when shutdown, triggering panic detections in CI jobs 1984049 - Slow OVN Recovery on SNO 1984156 - Add sprint 204 translations 1984297 - There are spaces before VM description 1984365 - Dashboard Prometheus/Overview can't filter instance by job 1984414 - Excessive resource diff logging during updates 1984449 - [4.9] drop-icmp pod blocks direct SSH access to cluster nodes 1984481 - machine-api couldn't reconcile VMs with OVNKubernetes network type 1984538 - The openshift-operators namespace should not contain the openshift.io/cluster-monitoring namespace label 1984576 - PROVISIONING_INTERFACE missing from metal3 pod 1984582 - Metal IPI jobs are failing a high percentage of the time 1984608 - kube-scheduler needs to handle 60 seconds downtime of API server gracefully in SNO 1984635 - openshift-config-operator needs to handle 60 seconds downtime of API server gracefully in SNO 1984644 - openshift-service-ca-operator needs to 
handle 60 seconds downtime of API server gracefully in SNO 1984683 - sdn-controller needs to handle 60 seconds downtime of API server gracefully in SNO 1984736 - [master] ClusterDeployment controller watches all Secrets from all namespaces 1984807 - Move tooltip 'Restore is only enabled for offline virtual machine' to the button when it's disabled 1984942 - ApplyClusterRoleBinding triggers boundsError when adding new subject 1984954 - Normal user cannot create VM because it cannot access v2v-vmware configmap 1985033 - [OVN] [cluster network operator] Provide the option to configure probe intervals 1985080 - Downloaded log file (All task logs) contains logs of all taskrun in a single line 1985082 - namespace of monitoring rbac rules should not be hardcoded 1985125 - OperatorGroup status is not updated when it has cardinality conflits when targetNamespace is used 1985161 - Some localization issues 1985164 - Regular user cannot restore VM snapshot 1985197 - production builds doesn't load some locales successfully 1985336 - OpenShift SDN doesn't add NOTRACK rule to raw iptables table to prevent vxlan from reaching conntrack 1985366 - CCCMO using unregistered host ports 1985391 - Cluster Proxy not used during installation on OSP 1985447 - KubeAPIErrorBudgetBurn Missing namespace label 1985449 - [Assisted-4.8 ][SaaS] error raised "unable to unmarshal connectivity report for host ID xxxx:unexpected end of JSON input" in Assisted Service Pod log 1985483 - Cleaning a BMH deployed using live ISO results in a TLS failure 1985512 - allow-from-router feature doesn't work on v6 only single stack cluster 1985697 - package-server-manager needs to handle 60 seconds downtime of API server gracefully in SNO 1985711 - Registry image input isn't trimming at the start of input 1985721 - Pencil button is missing at Scheduling and resources requirements fields 1985737 - VM Details page , boot order is missing pencil edit button 1985773 - ptp4l crash when BC is configured 1985795 - 
OCPonRHV: pvc stuck on pending status when using preallocated storage domain 1985802 - cluster-version-operator needs to handle 60 seconds downtime of API server gracefully in SNO 1985846 - Adding ebs type "gp3" when create storage class from web console 1985850 - Update default value of volumeBindingMode from Immediate to WaitForFirstConsumer when create storageclass from web console 1985852 - The vmware-vsphere-csi-driver-webhook pod runs as “BestEffort” qosClass 1985895 - Order by 'Latest version' doesn't work on CustomResourceDefinitions list page 1985948 - [e2e]sysprep, ssh, tests fail from time to time 1985960 - oVirt 4.8 tests are failing on resize 1985997 - kube-apiserver in SNO must not brick the cluster when a config observer outputs invalid data that would eventually converge towards a running system in HA setup 1985998 - Re-enable 50 tests related to CSI failures 1986001 - Enable back `ResourceQuota should create a ResourceQuota and capture the life of a service` 1986003 - Bump to latest available 1.22.x k8s 1986061 - cluster network operator deploys a service monitor which is never picked up by cluster monitoring operator 1986090 - Cannot delete ClusterAutoscaler CR with foreground deletion 1986127 - UI crash when installing helm chart or right click installed chart in topology 1986129 - OpenShift web console not deployed after installing OCP 4.8.2 using single-node-developer profile 1986139 - The marketplace operator default catalogs need to use the v4.9 tags 1986148 - Bump API for Ingress RequiredHSTSPolicies field 1986174 - SRO should be able to read a complete chart form a ConfigMap. 
1986215 - cluster-storage-operator needs to handle API server downtime gracefully in SNO 1986225 - [e2e][automation] add tests for vm snapshot feature 1986228 - Create e2e test for HSTS Feature 1986238 - Supermicro X12 fails to provision using Redfish BM HW Provisioning 1986243 - delete user-workload-monitoring-config configmap, can not find user metrics although no setting for enforcedTargetLimit 1986253 - Automation of Application groupings in topology 1986297 - Windows guest tool is always mounted even it's unchecked 1986306 - Enable back `[sig-cli] Kubectl client kubectl wait should ignore not found error with --for=delete` 1986307 - Enable back Feature:UDPConnectivity and NetworkPolicy tests 1986309 - Update ironic-agent container with latest bugfix code 1986311 - SRO crash when a incorrect chart is applied 1986322 - Update ironic container with latest bugfix code 1986324 - Update ironic-ipa-downloader container with latest bugfix code 1986375 - Avoid CMO being degraded when some nodes aren't available 1986389 - Textarea inside modal can be resized to larger width than modal 1986392 - Kubelet can't find Node after upgrade to external CCM on AWS/OpenStack 1986408 - Add NE-310 HSTS to 4.9 1986418 - kube-storage-version-migrator-operator needs to handle API server downtime gracefully in SNO 1986419 - aws-efs-csi-driver-operator CSV has upstream image references 1986420 - IPI of private cluster on GCP failed due to variable "cluster_public_ip" is not set 1986426 - Fix failing request on creating an ibm flash system via odf wizard 1986427 - rebase d/s metallb-operator to pickup AddressPool update fix and CI enhancements 1986437 - Bump openshift/api to support ExternalCloudProvider featuregate 1986440 - Bump OVN to ovn21.09-21.09.0-9.el8fdp 1986443 - OVN-kube master may report errors for "transaction failed" when creating logical ports 1986452 - Increase in RSS memory in CRI-O 1986453 - EUS Control loop to check for API server and node versions skew 1986462 - Bug in 
cluster-baremetal-operator when PreProvisioningOSDownloadURLs are specified in addition to ProvisioningOSDownloadURL 1986464 - Registry pull secret should be sent as base64 string 1986474 - vsphere-syncer build is failing 1986477 - cluster-node-tuning-operator needs to handle API server downtime gracefully in SNO 1986493 - Upload jar files: Java commands are JAVA_ARGS not the purported container command 1986495 - Missing translation in the Edit deployment form 1986501 - Fix bundle image for efs operator 1986540 - Cluster Proxy not used during installation on OSP 1986560 - etcd-operator needs to handle API server downtime gracefully in SNO 1986562 - lastTriggeredImageId is populated in BuildConfig spec 1986565 - [OCP48][WebUI] "How to seal boot source for template usage" link points to /foo 1986575 - Add e2e tests for haproxy timeout variables 1986631 - BuildConfig Environment tab: different errors when the form is not filled completely 1986632 - App Name & Name Values are not getting auto-populated for Deploy Image page in internal image registry 1986650 - Cypress: Globally installs Service Binding Operator operator fails at "Create Operand" step 1986654 - [OCP4.9 Bug] Auto cleaning step in Prepare stage failed 1986656 - [OCP4.9 Bug] Ironic node enters the clean failed state when the target node doesn't have a RAID controller. 
1986676 - React Unique key warnings in pipelines and pipeline run details page 1986680 - [knative][flake] Fail to set traffic distribution due to "object has been modified" error 1986685 - panic when opm alpha diff 1986699 - we should take catalogsource into considering when showing Installed tile in OperatorHub catalog 1986704 - missing translation for Kafka Connections nav option 1986707 - CVO log "resource has already been removed" is confusing in a fresh install 1986729 - Event source Sink is not marked as required in create form 1986735 - Monitoring chart range selection does not work on Firefox 1986754 - In Home->Events Dashboard, 'more' and 'Show Less' are hardcodes when the browser set to Chinese language 1986757 - Keepalived fails with Liveness probe failed: command timed out 1986790 - Add disk modal gives error when not selecting storageClass 1986803 - Details page doesn't catch errors which happen on a tab 1986810 - [AUTH-13] oauth-proxy in default OpenShift components might fail to log users in if custom route certificate is configured 1986829 - [AUTH-20] Make prometheus authenticate with a certificate while scraping the cluster's core components metrics 1986833 - Gather Openshift Logging Stack Data 1986936 - Grafana shows wrong label on y-axis of network graphs 1986946 - High ICNI2 application pod creation times 1986971 - [RFE]Password of template is fixed, instead of a parameter 1986981 - Revise Alert Severity in OCP 4.9 1986988 - Pipeline builder workspace info popover is not accessible via keyboard 1986990 - Webhook tests should not use admission registration v1beta1 1987047 - VM console doesn't open to current console type when opened in a new window 1987083 - excludeMastersFromLB in Azure Cloud Config prevents service controller from adding masters 1987108 - Networking issue with vSphere clusters running HW14 and later 1987143 - update resources label for prometheus to 2.28.1 1987152 - [e2e][automation]deploy specific hpp version for tests 1987160 
- opm alpha diff fails at headsonly mode 1987169 - Cannot create network attachment definition while operator is installed. 1987171 - When customizing boot source, password is shown in default font 1987192 - Disabled state/condition is not consistent 1987197 - Improve version checking in repository tooling 1987198 - The chart version dropdown says `Select the chart version` even when the dropdown is disabled 1987199 - NO-OP Helm Chart Rollback 1987230 - Operators should not create watch channels very often: bump apirequests upperbounds in 4.9 1987238 - A negative value applied for the "tlsInspectDelay" option caused the router pod to go into crashloop 1987250 - Remove diskEligible check from OCS 1987255 - Azure stack hub does not support zones, azure-cloud-provider crashes horribly on startup 1987279 - installer fails to destroy a cluster with a tagged access-point 1987289 - Epic ODC-5030 - Gherkin Scripts Design 1987344 - Links in help of the Edit Disk point to old documentation 1987845 - OpenStack IPI on provider network enforces unnecessary quotas 1987948 - Add high memory alert to Openshift 1988032 - cluster-autoscaler-operator and machine-api-operator tombstone manifests should contain CVO high-availability annotations 1988092 - Cypress: disable OLM globall install test, duplicate Operand tabs 1988123 - Driver Toolkit ART / OSBS builds are failing because of extract-vmlinux 1988133 - Cypress: enable OLM globall install test, handle multiple csv's crd versions 1988291 - 4.7 -> 4.8 upgrade, node-exporter can't rollout 1988349 - Insights report controller - set the corresponding clusteroperator condition correctly 1988351 - Add new OCM controller pulling periodically SCA certs 1988371 - AWS EBS: Mounting XFS volume clone or restored snapshot to same node failed 1988372 - Azure Disk: Mounting XFS volume clone or restored snapshot to same node failed 1988373 - GCE PD: Mounting XFS volume clone or restored snapshot to same node failed 1988374 - OpenStack Cinder: 
Mounting XFS volume clone or restored snapshot to same node failed 1988379 - Avoid connection pool full logs 1988424 - Only assign priority class in OCP environment for LSO 1988476 - remove dhclient binary from RHCOS 1988491 - quorum-guard health checks fail to report accurate health reporting 1988576 - Authentication operator fails to become available during upgrade to 4.8.2 1988801 - Router HAProxy backend balance option is blank missing random argument in haproxy.config 1988812 - [e2e][flaky] smoke tests may fail if vm already exist before vmi tests start 1988828 - oc adm must-gather runs successfully for audit logs 2e2 is failing 1988903 - Kms details empty in only MCG deployment 1988904 - Arbiter details not present in ODF wizard 1988905 - External mode deployments fails on parsing json in ODF wizard 1988976 - pkgman-to-bundle will exit with flag "--build-cmd" 1988992 - Worker machine object updated too many times [Azure] 1989005 - router pod is CrashLoopBackOff if configure spec.clientTLS.allowedSubjectPatterns to "*.openshift.com" 1989044 - [ART] Error reconciling Dockerfile for openshift/ose-sriov-network-operator in OCP v4.9 1989051 - Machine API Spot tests should set valid value for maxPrice 1989055 - logins to the web console fail when custom certificate is in use for the OpenShift oauth-server 1989058 - router pod stuck in ContainerCreatin if removed configmap/router-client-ca-crl-default and update spec.clientTLS.clientCertificatePolicy 1989073 - KCM logs an error on startup when using external cloud providers 1989077 - vSphere CSI StorageClass events are repeated pathologically 1989101 - [ovirt] Update owners - csi-driver 1989102 - [ovirt] Update owners - csi-driver-operator 1989122 - rebase openshift/sdn to kube 1.22 1989143 - [e2e][automation] missing file for testing release-4.8 1989158 - re-enable disabled unidling e2e tests 1989215 - [openstack-cinder-csi-driver-operator] csi-liveness-probe is not deployed 1989246 - openshift-network-operator 
needs to handle API server downtime gracefully in SNO 1989335 - Etcd is degraded after upgrading to 4.9 with message "configmap openshift-config-managed/csr-controller-ca field manager is not valid" 1989342 - containernetworking-plugins: Add dpdk support to host-device plugin 1989391 - `oc adm groups sync` will generate useless data 1989417 - Enable back [sig-cli] oc adm storage-admin 1989423 - Enable back `[sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it` 1989431 - fail to "opm alpha diff" bundle image with heads-only mode. 1989440 - OCS Storage Cluster creation Multus network configuration not applied when only Cluster Network is selected 1989454 - Butane 0.13.0 generate MachineConfig object with ignition version 3.3.0 which is not supported in ocp4.9 1989456 - sriov operator cannot be upgraded to 4.9 from 4.8 1989460 - non-head bundle of the channel is included in output of opm alpha diff for heads-only mode 1989461 - kube-apiserver does not use the SO_REUSEPORT properly 1989462 - [v2v] MTV modal string changes 1989496 - typo in ClusterOperatorDegraded alert description part 1989504 - The code logic of channel clear is ambiguous, as well as the help info and output messages 1989505 - Enable back single oc observe test 1989507 - replace configmap with storageprofile 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents 1989600 - Registry server RSS and CPU utilization too high during normal operation 1989604 - IBMCLOUD: panic: runtime error: invalid memory address or nil pointer dereference 1989615 - HBO: Every node update triggers "lsp-add" for HBO ports 
unnecessarily 1989632 - Create EFS filesystem for dynamic provisioning 1989633 - staticpod/installer: backoff should not apply if latestAvailableRevision > targetRevision 1989688 - [SNO] Egress router pod not created in SNO ipv6 single stack cluster 1989694 - Bump OVN to ovn21.09-21.09.0-10.el8fdp 1989704 - Invalid olm.maxOpenShiftVersion properties have unclear/undefined behavior in OLM 1989707 - [Dev Only] Add HPA page shows error screen when you try to create HPA with default values 1989710 - Catalog operator wastes memory by caching complete copied CSVs 1989720 - Descheduler operator should allow configuration of PodLifetime seconds 1989722 - Descheduler operator should allow eviction based on soft topology constraints 1989724 - Descheduler operator should expose options for pods with PVCs and Local Storage 1989728 - Descheduler operator should verify config does not conflict with scheduler 1989734 - Whereabouts fails in 4.9 due to missing RBAC for leases 1989772 - openshift-controller-manager and operator needs to handle API server downtime gracefully in SNO 1989796 - the same bundle is in output of opm alpha diff 1989837 - [Migration] SDN migration rollback failed, stuck in MCO 1989839 - docs packages should not be installed in the ironic containers 1989842 - Console Observe > Metrics / Dashboards: Missing series appear in tooltip with value "0" 1989876 - Dashboards for OCS Storage System not available 1989887 - Metrics not shown in storage system list page under ODF 1989889 - UI crashes when accessing create new operand page 1989896 - CVE-2019-19794 : mdns-publisher uses miekg Go DNS package version < 1.1.25 1989914 - [e2e][flaky] increase timeouts 1989917 - OpenStack inconsistency reports on limits numbers for network quota check 1989961 - CI apiserver downtime calculation isn't quite right 1989973 - openshift-install explain text contains typo: cluster components will assume assume ownership of all resources 1989980 - Worker machine object updated too many 
times [vsphere] 1990012 - ControllerConfig Infrastructure does not match cluster Infrastructure resource 1990018 - Add Sprint 204 round 2 translations 1990024 - Eligible is misspelled in console-app 1990060 - [Assisted-4.8] Host returns no routes when routing table contains multipart 1990075 - azure-cloud-node-manager DaemonSet should use maxUnavailable: 10% 1990089 - Bundle validation does not fail for a bundle having multiple service account declaration with same name 1990115 - Multus whereabouts assigns duplicate IP addresses to pods when have large number of replicas 1990137 - Fix creation of EFS filesystem 1990140 - Samples operator management Removed failed to contact registry.redhat.io 1990146 - some controllers missing livenessProbe 1990205 - Console: Observe > Dashboards: "Cannot update during an existing state transition (such as within render)..." in browser developer console 1990206 - Incorrect AWS Supported instance type 1990316 - Deployment with virtualmedia fails on HP setup (real bm) - port missing in iso http path 1990432 - Volumes are accidentally deleted along with the machine [vsphere] 1990447 - Worker machine object updated too many times [gcp] 1990493 - [e2e][automation] test for storageProfile settings 1990496 - Cleaning can fail with SSLError "timed out" 1990541 - etcd: golang version should align with product 1990577 - Upgrade Ingress API version 1990601 - AzureDisk CSI driver is not installed by default on Azure Stack Hub 1990603 - [Descheduler] descheduler operator throws an error which reads "key failed with : scheduler.config.openshift.io "cluster" not found" 1990610 - Panic in the cluster-kube-apiserver-operator startup monitor enablement check 1990617 - Update Fedora CoreOS images to latest testing for OKD 1990631 - FailedToDeleteOVNLoadBalancer Error trying to delete the idling OVN LoadBalancer 1990725 - [Kuryr][4.9] KuryrSDNPodNotReady alert is missing the node name in the message 1990732 - Test failures caused by 
"volumeBindingMode" defaulting to "WaitForFirstConsumer" 1990781 - Large binary pkg/tool/gen-skus-map in Azure Disk repo 1990826 - New non-secure and secure routes without hsts annotation fail to get created in globally enforced hsts domain resources 1990850 - Registry databases that do not store properties as TEXT are not served 1990899 - PrivateIPAddressVersionCannotBeModified errors in CNO tests 1990970 - The development of ccoctl support for IBM left unused debug test binary in the source code 1990975 - ccoctl for IBM does not support not all possible environment variables to pass APIKEY 1990988 - Samples library sync fails container test on php 7.2 1991068 - cluster-etcd-operator: tls ciphers should be checked for validity 1991095 - [External Mode] Dashboard shows incorrect deployment mode 1991316 - namespace should be with openshift as prefix 1991338 - "Network Attachment Definitions" is not able to load by a regular user 1991357 - Fresh installation shows kube-apiserver error NodeInstallerDegraded: 1 nodes are failing on revision 4 1991439 - Some hardcodes are detected at the code level in OpenShift console components 1991507 - [sig-cli] Kubectl client Simple pod should return command exit codes [Suite:openshift/conformance/parallel] [Suite:k8s] 1991508 - ppc64le and s390x CI jobs are failing with exec format errors 1991519 - [e2e][flaky] fix kubevirt hco creation 1991548 - [e2e][automation] add tests for disk preallocation 1991551 - Idle service cannot be waked up 1991566 - [e2e][automation] Disable protractor test in prow 1991662 - OLM Catalog Templating 1991730 - e2e-aws-proxy is failing with "Invalid value: []string{"us-west-2d", "us-west-2b"}: No subnets provided for zones" 1991793 - ECMP routes with invalid next hops still result in OF groups getting programmed 1991814 - "oc adm inspect co storage" returns an error message when there is no openshift-manila-csi-driver ns. 
1991860 - Insights Operator panics with invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference) 1991977 - Kamelet sources shown in openshift-operators in eventsources but in other namespace shows up only if user created IP CR 1992004 - ci/prow/e2e-gcp-console flake "Create Application from git form" 1992013 - ci/prow/e2e-gcp-console flake "Create Application from Devfile.Create Application" 1992016 - Expose kubelet configuration parameters 1992148 - [Azure CSI] cannot deploy Azure Disk on ASH because /etc/kubernetes is read-only fs 1992193 - Race condition in cluster-storage-operator 1992255 - csi-snapshot-controller needs to handle API server downtime gracefully in SNO 1992405 - Sync upstream 1.10.1 downstream 1992463 - OKD: Installation to Libvirt fails due to no space left in /run 1992493 - 3 alerts have no annotations summary and description 1992502 - select storage class dropdown fail when using CNV2.6.5 1992507 - all the alert rules' annotations "summary" and "description" should comply with the OpenShift alerting guidelines 1992508 - documentationBaseURL should be updated to 4.9 1992555 - all the alert rules' annotations "summary" and "description" should comply with the OpenShift alerting guidelines 1992557 - failed to start cri-o service due to /usr/libexec/crio/conmon is missing 1992560 - all the alert rules' annotations "summary" and "description" should comply with the OpenShift alerting guidelines 1992591 - 2 different oc binaries are used in the `cli-artifacts` image 1992673 - Failed OCP build of openshift/ose-etcd:v4.9.0 1992677 - OLM upgradeable condition message unclear with MaxOpenShiftVersion set 1992714 - use existing pvc hotplug crashes 1992730 - Dynamic Plugins: localization does not work for plugin 1992820 - [Knative] Event Sources should be under Serverless group together with Channel 1992823 - Cluster autoscaler should use Kubernetes 1.22 dependencies 1992857 - [Azure CSI] Not 
enough permissions to list config maps in openshift-config ns 1992875 - [Azure CSI] Driver Node controller can't get config from the secret of Azure Stack Hub 1992876 - Gather OKD specific journal logs 1992900 - openshift/kubernetes fails to build on ARM 1992950 - [e2e][automation] create template from wizard 1992974 - Revision/Route list table doesn't have proper alignment/styles in admin perspective 1993002 - The "largestMaxAge" and "smallestMaxAge" in "maxAge" option for HSTS headers accepts negative values 1993007 - e2e tests fail because operator does not delete SriovNetworks 1993055 - node_exporter task, log message wrong 1993078 - Enable Auth config for ironic-api 1993087 - Azure StackHub: cluster-cloud-controller-manager-operator / azure-cloud-controller-manager / azure-cloud-node-manager does not support OCP azure credentials secret format 1993147 - Add aria-label to different OCS dashboard components 1993148 - Monitoring UI doesn't make use of React's memoization features 1993159 - [Azure] Instead of updating the spec actuator updates status twice 1993195 - Testing performance of sync plugin 1993207 - failed to list resource groups: Can not get resource groups without account id in parameter by service id token 1993260 - SRO RBAC error when deploying ping-pong CR 1993286 - Minor OpenShift upgrades blocked when olm.maxOpenShiftVersion = current Y-stream+1 and current Z-stream > 0 1993306 - Flaky e2e test: Event Sources on default Developer Catalog 1993444 - NFD - cstate detection enabled on s390x 1993757 - OCP 4.8 etcd unhealthy 1993788 - VM creation (customize flow): storage class mismatch between actual SC and "Edit Disk" screen 1993793 - Move CSIDriver from v1beta to v1 1993840 - openshift-samples should not change condition Degraded/Available (upgrades) 1993851 - EFS CSI driver operator does not have an icon 1993886 - operand creation form doesn't render correct format 1993920 - Improve Sysprep helper text 1993922 - The kubeletconfig controller has 
wrong assumption regarding the number of kubelet configs 1993931 - Storage operators use older kubernetes client 1993934 - Update CSI sidecars 1993955 - [External Mode] Fix margin issue with Details card on Block and File Page 1993975 - [not user facing][infrastructure] remove kubevirt dependants for dynamic plugin 1993977 - kube-rbac-proxy panic 1993980 - Kubelet regularly freeze control groups causing issues further down 1993999 - Some hardcodes are detected at the code level in OpenShift console components 1994035 - SNO: LSO diskmaker pod using excessive cpu 1994060 - API response for host routes includes misleading family number when IPv6 is enabled 1994069 - [4.9] bump OVN to ovn21.09-21.09.0-13.el8fdp 1994103 - [IBMCLOUD] Needs to have Terraform code converted to steps. 1994113 - local volume tests create lot of events churn 1994139 - k8s 1.22 bump for operator-lifecycle-manager 1994155 - thanos fails to build with latest imagebuilder 1994172 - rhel node does not join cluster conmon validation: invalid conmon path 1994253 - On OKD templates provided by kubevirt provider and supported by red-hat are marked as community templates 1994257 - Audit errors alert not created 1994277 - Changing the memory manager policy via the kubelet config will drop the node to NotReady state 1994410 - When machine creation failed due to validations, error contains "failed to create connection to oVirt API" 1994434 - service account sriov-network-config-daemon disappeared when sriov operator upgrade from 4.8 to 4.9 version 1994439 - Review page of ODF wizard does not follow console guidelines 1994443 - openshift-console operator incorrectly reports Available=false 1994454 - upgrade from 4.6 to 4.7 to 4.8 with mcp worker "paused=true", crio report "panic: close of closed channel" which lead to a master Node go into Restart loop 1994480 - Cluster Infrastructure owned components should use 1.22 dependencies 1994586 - Create local volume set step says "An error has occurred" 1994613 - 
disable all CI tests that require IPv6 internet connectivity 1994642 - Update CSI drivers 1994643 - kube-apiserver must not return 404 to garbage collection controller before being ready 1994647 - [ipv6] ovn-nbctl calls to find with nexthop= need quotes for IPv6 1994648 - Resolution failed error condition in Subscription not being removed after resolution error is resolved. 1994707 - cluster-etcd-operator: handle unstarted member condition in status request. 1994857 - [UPGRADE] kube-apiserver is degraded after upgrading to 4.9 with error "configmap openshift-config-managed/csr-controller-ca field manager is not valid" 1994872 - [4.9] oc fail to mirror release payload to local disk 1994891 - NTO: use the latest k8s 1.22 and openshift vendor dependencies 1994927 - Enable back [sig-network] Networking should provide Internet connection for containers using DNS 1994973 - Fix bundle config 1994975 - Next button is enabled when the flash system endpoint is invalid 1994979 - Fix skipRange 1994981 - Local Storage Operator does not have an icon 1994986 - etcd check perf causes issues on clusters if run 1994991 - olm.skipRange replacement is noop 1994997 - olm.skipRange substitution is noop in ART builds 1995043 - Two storage systems got created while creating one from UI 1995049 - tech / dev preview badge in search resource dropdown missing styles 1995110 - olm.skipRange is not set 1995116 - Pod logs shows incorrect lines number in the log window top banner 1995148 - Secret key for mangement address is incorrect for flash system 1995198 - OLM tests are failing on aws arm64 1995291 - oc new-app/new-build commands should not mention docker 1995300 - opm validate does not detect cycles in channels 1995325 - Projects page fails to render due to calling more hooks than previous render 1995330 - ovn-kubernetes load-balancer operations are very expensive 1995386 - bz 1990140 fix broke retry on tbr connection test 1995387 - OpenStack 4.8 -> 4.9 upgrade is permafailing 
periodic-ci-openshift-release-master-ci-4.9-upgrade-from-stable-4.8-e2e-openstack-upgrade 1995468 - Nodes can't resolved IPv4 address in dual stack configuration 1995523 - Pipeline Builder form throws an error when clicked on `Add Task` 1995525 - All storage systems are listed in the details page of a particular storagesystem 1995573 - oc adm certificate approve|deny help shows kubectl in the examples 1995612 - Block pool details page breadcrumb link is not pointing storage system details page 1995614 - "beta.kubernetes.io/os" is deprecated since v1.14 1995653 - upgrade rbac rules to use v1 APIS for LSO 1995655 - 4.9 installer should default ClusterVersion channel to stable-4.9 1995695 - Get insights on series churn during upgrades 1995727 - sync plugin no longer catches build deletes that occur between restarts 1995785 - long living clusters may fail to upgrade because of an invalid conmon path 1995804 - Rewrite carry "UPSTREAM: <carry>: create termination events" to lifecycleEvents 1995816 - Reduce cardinality of ovn-kubernetes event handler metrics 1995898 - [Descheduler] - The minKubeVersion should be 1.22 1995901 - Warnings are shown in the browser for Monitoring types 1996031 - cloud-provider-openstack: Merge upstream 1.22 tag 1996032 - cluster-kube-apiserver-operator should not run with pre-release libraries 1996081 - csi-driver-nfs: Merge upstream 1996094 - Missing key errors on containers page 1996097 - [Feature:IPv6DualStack] tests are failing in dualstack after renamed 1996116 - Block pool list page and detail page menu action is not disabled for default pool 1996124 - Add release architecture to openshift-install version 1996139 - make verify target always fails for upstream staging commits 1996156 - UI breaks for topology nodes which doesn't have a SideBar 1996158 - Dynamic Plugins: Unable to add nav sections to admin perspective 1996159 - Dynamic Plugins: Visiting a plugin route directly causes a 404 page to flash briefly 1996212 - Cluster Resource 
Override Admission needs to be migrated from v1beta1 to v1 1996306 - Build root container image fails to download the kubebuilder 2.3.1 executable successfully in CI 1996501 - Instance types with less than 8GB memory are listed in AWS UPI templates, but they do not meet memory minimum requirement for cluster 1996506 - Fix crd version for SriovNetworkPoolConfig 1996531 - [Assisted-4.8] [Integration] No 80 minutes timeout when SNO cluster is hang on rebooting 1996535 - Project selector flickers on the creation of namespace between current and newly created one 1996539 - error when selecting knative service in topology 1996566 - Manually created invalid Kamelets should be skipped in the eventsources list 1996620 - [SCC] openshift-oauth-apiserver degraded when a SCC with high priority is created 1996622 - The Authorized SSH Key input box fail to fill the SSH key on Advanced page 1996644 - ODF Internal Dashboard Not showing up 1996646 - Ties between competing SCCs may have wrong reasoning in audit logs 1996689 - RestrictedEndpointsAdmission controller needs to restrict EndpointSlices as well 1996718 - KSM flag --node should be --nodes in CMO assets 1996779 - fix racy disk check for vsphere cloud provider 1996783 - cloud-provider-openstack: Bump to Go v1.16 and OCP v4.9 1996785 - Unused rules in CMO 1996792 - Quick search modal missing icons and have unnecessary scrollbar 1996878 - opm does not print sqlite deprecation warnings 1996881 - oc adm catalog mirror does not print sqlite deprecation warnings 1996914 - Failed to get ImpersonateHeaders TypeError: i.a is undefined 1996941 - Monitoring operator is degraded because expected 8 ready pods for "node-exporter" daemonset but got 6 when upgrading windows cluster to 4.9 1997029 - OCS Dashboard should not show when ODF is present 1997034 - Drop high cardinality cAdvisor metrics 1997048 - User can create same domain mapping multiple times 1997050 - CNO panic: runtime error: invalid memory address or nil pointer dereference 
1997062 - crio-o: "no space left on device" issue is seen on latest 4.9 builds 1997079 - Custom time range not working 1997102 - Gherkin for observe tab in workload sidebar is not aligned with latest UI 1997108 - react warning loading dev perspective /topology 1997114 - EgressFirewall may fail to be applied due to address_set missing 1997122 - [LocalVolume] provisioning fails silently if device is already claimed 1997131 - Update the pipeline quicksearch with latest desgin 1997135 - Unable to start export if deleted export CR from different window 1997168 - Remove unused variable in parser config file 1997179 - Serverless installation is failing on CI jobs for e2e tests 1997183 - Update Kube dependencies in MCO to 1.22 1997187 - Update analyze script vendor size to 3.5MiB 1997207 - newETCD3Client does not use existing context 1997267 - Add translations from Sprint 205 part 2 1997270 - bump OVN to ovn21.09-21.09.0-15.el8fdp 1997347 - Take etcd backups before minor-version OpenShift updates 1997379 - [e2e][automation] add tests for showing multiple IP address on UI 1997407 - power-of-two balancing feature set "Random" as default balancing for passthrough routes 1997420 - Revert wrong change on api-usage rules 1997422 - Hardcode happens when create VolumeSnapshots 1997438 - Syntax error appears to breaks the ovn egressFirewall policy during the cluster upgrade 1997461 - [UI][LSO] "Local Storage Operator not installed" message statement is not appropriate 1997465 - Fix panic in the LRU cache 1997475 - e2e-agnostic-operator tests fail occasionally after 30 minutes because of timeout 1997482 - Remove mask from behind modal in Pipeline Builder Tekton Hub Integration 1997486 - Node Tuning Operator(NTO) - Missing [sysfs] section in openshift profile 1997507 - Cluster cloud controller manager operator fails to upgrade on a single node cluster 1997528 - instance:etcd_object_counts:sum and cluster:usage:resources:sum use the etcd_object_counts metric which is deprecated 
1997596 - UpdateAvailable alert is re-triggered on pod and other label changes 1997655 - React warning when open pipeline list page (with at least one pipeline) 1997657 - Kubelet rejects pods that use resources that should be freed by completed pods 1997787 - Descheduler default for evict pods with PVCs is incorrect 1997790 - Add Azure Stack UPI Templates 1997811 - Marketplace Operator should use k8s 1.21+ dependencies 1997929 - MachineSets list and details page headings should follow same format with other resources 1997972 - CMO dependencies must be pinned for release 1997993 - SNO deployment on HPE e910 blades fails because the node always boots from virtualmedia 1998015 - Observe > Metrics / Dashboards performance: Graph tooltips process all points even if they won't be displayed 1998031 - [bz-openshift-apiserver] clusteroperator/openshift-apiserver should not change condition/Degraded: master nodes drained too quickly 1998047 - Missing UI flags after install creation 1998146 - service VIP did not be removed after remove one node 1998168 - Final Toast has download which is a button and should be an anchor tag 1998207 - Helm upgrade on OpenShift 4.9 failing with schema errors 1998240 - Helm side panel should be consistent with operatorhub and show support URL 1998247 - Tuned configuration fails and does not recover when profile references a not yet existing performance profile configuration 1998311 - Enable Manual Credentials Mode on Azure Stack Hub 1998319 - Dynamic Plugins: dynamic route chunks are not lazy loading 1998347 - Language preference does not reflect on console load 1998364 - Inconsistent react-i18next mocks in unit tests 1998388 - User preference screen shows "Create Namespace" instead of "Create Project" 1998394 - [e2e][automation] add tests for RHEL9 template 1998408 - Git import flow: Dockerfile is detected but file name is not used 1998411 - Name is not autofilled when git URL contains trailing slash 1998413 - Expanding portions of Helm Form 
overlay section title and include an area which is disconnected 1998423 - upgrade from 4.8.6 to 4.9.0-0.nightly-2021-08-26-164418, blocked by dns upgrade due to FailedCreatePodSandBox for pods 1998431 - AppName & Name are not auto-updated when modifying the Internal registry details in container image page 1998466 - Cloud controller manager fails to upgrade on a single node cluster 1998508 - CNO reports incorrect status during slow/failed install 1998528 - Sync latest upstream bugfixes to OCP ironic container image 1998552 - Enforce OpenShift's defined kubelet version skew policies 1998563 - Column headers don't match content in pod and machine list 1998575 - Insert sample YAML do nothing on BuildConfig and was mistakenly shown when editing a resource 1998587 - BuildConfig form doesn't update app.openshift.io/vcs-uri annotation 1998598 - ptp operator can not enable event publisher sidecar 1998614 - Pod creation failed with CNI request timeout due to stale data in cache. 1998616 - Show fully qualified domain name (FQDN) a Service's page 1998637 - Update ironic-ipa-downloader container with latest tested code & RHEL updates 1998643 - e2e-metal-ipi-virtualmedia and e2e-metal-ipi-ovn-ipv6 are failing to install 1999018 - [ASH] upgrade stuck due to Cluster cloud controller manager deployment strategy error 1999026 - Detect ODF managed services when OCS operator is installed 1999039 - [UI] OpenShift Data Foundation Overview page is showing wrong status of storage system 1999075 - Move the selected workload to the full view in topology canvas 1999093 - Pods list appears to unmount / remount on some updates 1999119 - bump golang version of installer to 1.16 1999131 - [e2e][automation] adjust layout by cypress conventions 1999138 - [CNO] [OVN-K] The network-unavailable taint needs to be from upstream k8s and not ovn-k specific 1999159 - Remove evan from owners 1999168 - Busted VPA graphic in OperatorHub 1999179 - Import from git as Serverless Service creates an incomplete 
BuildConfig (Secret is missing) 1999185 - ptp config with summary_interval 0 throws parsing error in the log 1999187 - VPA E2E test aws-operator is failing due to use of removed v1beta1 RBAC API 1999210 - [e2e][automation] add tests for VM wizard Cloudinit editor fields 1999225 - Descheduler operator needs new profiles for 4.9 1999266 - Click issue in topology page context menu 1999292 - "System projects" does not align with the docs terminology, which uses "default projects" 1999297 - [Assisted-4.8 ][SaaS] vip-dhcp-allocation mode broken cannot set networking for cluster 1999326 - Automated day-2 configuration deployment for ZTP 1999393 - Form / YAML switch makes unnecessary network calls to save latest editor type 1999397 - Prometheus: data race in the loadWAL function 1999404 - [e2e][automation] add tests for rootdisk validations 1999421 - OKD: revert initial FCOS to 20210626.3.1 1999422 - Missing feature flags for new features 1999577 - RHCOS live ISO can fail to boot in UEFI mode; drops to grub shell 1999593 - SNO: Add e2e test for RT kernel switch 1999614 - Edit D/DC forms should display D/DC name being edited to provide context 1999615 - UI crashes when clicked on the grey background of the topology view if projects dropdown is open 1999627 - Import from git flow doesn't recommend build image when a Dockerfile exists 1999631 - Show advanced Git options is not clickable (again) in new Git import flow 1999648 - Remove remaining Storage Class in console-app 1999656 - pipeline run count chart discrepancies with other chart values 1999658 - E2E test failures due to github rate limiting 1999669 - BackingStore Details Page is breaking 1999674 - Warn users about using deprecated vSphere version 1999719 - last selected tab in topology side panel is not persisted 1999723 - Cannot Select Text with Cursor in QuickSearchModal bar 1999729 - Dynamic Plugin SDK component has wrong spelling 1999823 - Admin web-console should linkify ClusterVersion and ClusterOperator 
condition messages 1999852 - Bump OVN to ovn21.09-21.09.0-18.el8fdp 1999853 - cluster-storage-operator not honoring the control plane topology setting for the csi driver operator deployment 1999862 - ZTP example 'tuned-performance-patch' policy refers to the wrong tuned profile name 1999879 - Update ansible collections; follow on to 1.10 update. 1999951 - VPA won't operate on pods created by custom controllers 2000108 - Inspecting a chart takes to empty metrics 2000126 - high load on Prometheus using the ptp operator 2000144 - GetBundleForChannel registry endpoint performs significant needless work 2000146 - opm render includes channel metadata in properties when rendering bundles 2000186 - NetworkPolicy: allow from hostnetwork policy and allow from router (policy-group.network.openshift.io/ingress: "") does not work for network plugin openshiftSDN 2000191 - Make durations for CCCMO leader election operations compatible with the OpenShift standards 2000226 - Unable to have multiple charts in one configmap 2000253 - oc edit ptpconfig causes cloudevent sidecar to crash and restart 2000259 - Add Sprint 206 translations 2000294 - report apiversion of esxi host and vcenter server 2000321 - README file on github refers to '{product-title} but should be 'OpenShift' 2000352 - Default OVA import to HW15 2000391 - [e2e][automation] review skipped tests 2000440 - OCS Quick Start should not be shown unless you have proper privileges 2000473 - Observe > Dashboards: Dashboards are sometimes blank (no data loading) 2000491 - Remove TechPreview Badge from Red Hat integration camel K operator 2000492 - Conditional data gathering validation & refactoring 2000499 - If export app toast is not cleared by the user and a new one is triggered then old toast download gives 404 2000576 - Creating a StorageSystem with MCG only deployment is failing 2000584 - `[sig-storage] EmptyDir volumes pod should support memory backed volumes of specified size` is permafailing on OKD 4.9 2000589 - 
[sig-node] crictl should be able to run crictl on the node 2000590 - Warning on topology context menu right click 2000596 - (release-4.9) Update K8s & OpenShift API dependencies versions 2000607 - Domain mapping movement from one service to another is not intutive 2000608 - static pod startup monitor should log to a log file in addition to stderr 2000633 - Issue with the UI of observer page when screen size is reduced 2000636 - Edit Deployment form drops strategy data when switching type 2000689 - [block-pool-dashbaord] Expandable section in mirroring card is empty when no image for mirroring 2000721 - Bump OVS userland to openvswitch2.16-2.16.0-6.el8fdp 2000726 - ZTP PolicyGen failed to create CRs during synchronization of 1 site 2000768 - Quick Starts provide incorrect guidance when Che/CRW is installed 2000820 - (release-4.9) Gather PodSecurityPolicies names installed in a cluster 2000833 - Wepack warnings about missing types when running dev build 2000873 - Toast shows list style on uploadJar toast and export app toast 2000935 - add volume mode selection in storage creation (external IBM FlashSystem) 2000965 - [e2e][automation] remove login prompt check until it's clearly needed 2001263 - [e2e][automation] create vm from template list and action dropdown 2001288 - Virtualization is not available in Home Overview when CNV version is 2.6.z 2001292 - import vm action is not hidden 2001958 - Cluster becomes degraded if it can't talk to Manila 2001983 - Incorrect StorageCluster CR created and ODF cluster getting installed with 2 Zone OCP cluster 2002196 - Pass down proxy env to operands failed for ansible type operator 2002197 - Pass down proxy env to operands failed for helm type operator 2002200 - Operator-lib proxy block the "ReadProxyVarsFromEnv" for go type operator 2002288 - [4.9] kube-proxy's userspace implementation consumes excessive CPU 2002338 - Bump descheduler to k8s 1.22 2002361 - Missing the ability to set networkType in SiteConfig during ZTP flow 
2002374 - Inexplicably slow kubelet on bootstrap makes installation fail 2002502 - []corev1.EnvVar{} can't be appended to container.env 2002543 - Test: oc adm must-gather runs successfully for audit logs - fail due to startup log 2002561 - Failing tests: "volumeMode should fail in binding dynamic provisioned PV to PVC" 2003161 - [SCALE] ovnkube CNI: remove ovs flows check 2003197 - CRI-O leaks some children PIDs 2003245 - [4.9] Revert libovsdb client code 2003306 - Rejected pods should be filtered from admission regression 2003545 - Remove openshift:kubevirt-machine-controllers decleration from machine-api 2004137 - ptp/worker custom threshold doesn't change ptp events threshold 2004146 - Need Device plugin configuration for the NIC "needVhostNet" & "isRdma" 2004337 - [4.9] OVN CNI should ensure host veths are removed 2004340 - [4.9] Pod creation failed due to mismatched pod IP address in CNI and OVN 2004568 - Cluster-version operator does not remove unrecognized volume mounts 2004676 - [4.9] Boot option recovery menu prevents image boot 2004712 - TuneD issues with the recent ConfigParser changes. 
2004924 - [SNO]ingress/authentication clusteroperator degraded when enable ccm from start
2004961 - output of "crictl inspectp" is not complete
2005108 - removing and recreating static pod manifest leaves pod in error state
2005462 - [4.9] ovn-kube may never attempt to retry a pod creation
2005476 - [4.9] [ICNI2] 'ErrorAddingLogicalPort' failed to handle external GW check: timeout waiting for namespace event
2006145 - 4.8.12 to 4.9 upgrade hung due to cluster-version-operator pod CrashLoopBackOff: error creating clients: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
2006432 - [4.9] Remove workaround keeping /boot RW for kdump support
2006782 - Missing ZTP ArgoCD Container Image
2006962 - [4.9] OS boot failure "x64 Exception Type 06 - Invalid Opcode Exception"
2007086 - [4.9] Bootimage bump tracker
2007089 - [4.9] Intermittent failure mounting /run/media/iso when booting live ISO from USB stick
2007324 - race condition can cause in cluster-bootstrap can cause crashlooping bootstrap kube-apiserver
2007458 - crio's selinux module has performance improvements when compiled with golang 1.16
2007684 - [4.9.z] PVs remain in Released state for a long time after the claim is deleted
2008619 - ImageStream with RHCOS version tag needed for RHODS GPU support
2008944 - Azure Stack UPI does not have Internal Load Balancer
2009059 - Placeholder bug for OCP 4.9.0 metadata release
2009342 - The serviceAccountIssuer field on Authentication CR is reseted to “” when installation process
2009467 - [4.9] container-selinux should come from rhel8-appstream
2009530 - Deployment upgrade is failing availability check
2009652 - [4.9] Multipath day1 not working on s390x
2009653 - [4.9] Bootimage bump tracker
2009738 - [IPI-on-GCP] 'Install a cluster with nested virtualization enabled' failed due to unable to launch compute instances
2009842 - cannot build extensions on aarch64 because of unavailability of rhel-8-advanced-virt repo
2010066 - [Assisted-4.9][Integration] Unable to generate ISO with error: Failed to fetch base ISO information: NotFound
2010074 - [e2e][automation] CI tests fail because of wrong test cnv version installed
2010372 - Reverts PIE build mode for K8S components
2010486 - SRO package name collision between official and community version
2010529 - [backport 4.9] openshift-gitops operator hooks gets unauthorized (401) errors during jobs executions
2010861 - Failure building EFS operator
2010954 - SRO CSV uses non default category "Drivers and plugins"
2011050 - Storage operator is not available after reboot cluster instances
2011087 - Backport audit log silence change
2011350 - RenderOperatingSystem() returns wrong OS version on OCP 4.7.24
2011701 - Bootkube tries to use oc after cluster bootstrap is done and there is no API
2011815 - Kubelet rejects pods that use resources that should be freed by completed pods
2011951 - [4.9] ClusterVersion Upgradeable=False MultipleReasons should include all messages
2011958 - [4.9] [tracker] Kubelet rejects pods that use resources that should be freed by completed pods
2011961 - [4.9] [tracker] Storage operator is not available after reboot cluster instances
2011985 - SRO bundle references non-existent image
2012008 - APIRemovedInNextReleaseInUse: give exact command in description

5. References:

https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-26539
https://access.redhat.com/security/cve/CVE-2021-26540
https://access.redhat.com/security/cve/CVE-2021-28092
https://access.redhat.com/security/cve/CVE-2021-28169
https://access.redhat.com/security/cve/CVE-2021-29059
https://access.redhat.com/security/cve/CVE-2021-31525
https://access.redhat.com/security/cve/CVE-2021-32690
https://access.redhat.com/security/cve/CVE-2021-33194
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33196
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34428
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-36980
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

See the following advisory for the container images for this release: https://access.redhat.com/errata/RHSA-2021:3759

Security Fix(es):

* jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory (CVE-2021-28169)
* golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196)
* openvswitch: use-after-free in decode_NXAST_RAW_ENCAP during the decoding of a RAW_ENCAP action (CVE-2021-36980)
* jetty: SessionListener can prevent a session from being invalidated breaking logout (CVE-2021-34428)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bugs fixed (https://bugzilla.redhat.com/):

1965503 - CVE-2021-33196 golang: archive/zip: malformed archive may cause panic or memory exhaustion
1971016 - CVE-2021-28169 jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory
1974891 - CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout
1984473 - CVE-2021-36980 openvswitch: use-after-free in decode_NXAST_RAW_ENCAP during the decoding of a RAW_ENCAP action

6. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7.

Gentoo Linux Security Advisory GLSA 202311-16
https://security.gentoo.org/

Severity: Low
Title: Open vSwitch: Multiple Vulnerabilities
Date: November 26, 2023
Bugs: #765346, #769995, #803107, #887561
ID: 202311-16

Synopsis
========

Multiple denial of service vulnerabilities have been found in Open vSwitch.

Background
==========

Open vSwitch is a production quality multilayer virtual switch.

Affected packages
=================

Package               Vulnerable    Unaffected
--------------------  ------------  ------------
net-misc/openvswitch  < 2.17.6      >= 2.17.6

Description
===========

Multiple vulnerabilities have been discovered in Open vSwitch. Please review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Open vSwitch users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/openvswitch-2.17.6"

References
==========

[ 1 ] CVE-2020-27827
      https://nvd.nist.gov/vuln/detail/CVE-2020-27827
[ 2 ] CVE-2020-35498
      https://nvd.nist.gov/vuln/detail/CVE-2020-35498
[ 3 ] CVE-2021-3905
      https://nvd.nist.gov/vuln/detail/CVE-2021-3905
[ 4 ] CVE-2021-36980
      https://nvd.nist.gov/vuln/detail/CVE-2021-36980
[ 5 ] CVE-2022-4337
      https://nvd.nist.gov/vuln/detail/CVE-2022-4337
[ 6 ] CVE-2022-4338
      https://nvd.nist.gov/vuln/detail/CVE-2022-4338
[ 7 ] CVE-2023-1668
      https://nvd.nist.gov/vuln/detail/CVE-2023-1668

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/202311-16

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Trust: 2.79

sources: NVD: CVE-2021-36980 // JVNDB: JVNDB-2021-009864 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-398812 // VULMON: CVE-2021-36980 // PACKETSTORM: 164563 // PACKETSTORM: 164080 // PACKETSTORM: 164543 // PACKETSTORM: 164542 // PACKETSTORM: 175917

AFFECTED PRODUCTS

vendor: openvswitch | model: openvswitch | scope: gte | version: 2.11.0

Trust: 1.0

vendor: openvswitch | model: openvswitch | scope: lte | version: 2.15.0

Trust: 1.0

vendor: open vswitch | model: open vswitch | scope: eq | version: 2.11.0 to 2.15.0

Trust: 0.8

vendor: open vswitch | model: open vswitch | scope: eq | version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-009864 // NVD: CVE-2021-36980

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-36980
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-36980
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202107-1384
value: MEDIUM

Trust: 0.6

VULHUB: VHN-398812
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2021-36980
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-398812
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2021-36980
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2021-36980
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-398812 // JVNDB: JVNDB-2021-009864 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-1384 // NVD: CVE-2021-36980

PROBLEMTYPE DATA

problemtype: CWE-416

Trust: 1.1

problemtype: Use of freed memory (CWE-416) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-398812 // JVNDB: JVNDB-2021-009864 // NVD: CVE-2021-36980

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202107-1384

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title: ofp-actions | url: https://github.com/openvswitch/ovs/commit/38744b1bcb022c611712527f039722115300f58f

Trust: 0.8

title: Open vSwitch Remediation of resource management error vulnerabilities | url: http://123.124.177.30/web/xxk/bdxqById.tag?id=157998

Trust: 0.6

title: Debian CVElist Bug Report Logs: openvswitch: CVE-2021-36980 | url: https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=3be4014cfdb7d8d1e263c272f11d4d7c

Trust: 0.1

title: Arch Linux Advisories: [ASA-202107-40] openvswitch: arbitrary code execution | url: https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-202107-40

Trust: 0.1

title: Arch Linux Issues: | url: https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2021-36980 log

Trust: 0.1

sources: VULMON: CVE-2021-36980 // JVNDB: JVNDB-2021-009864 // CNNVD: CNNVD-202107-1384

EXTERNAL IDS

db: NVD | id: CVE-2021-36980

Trust: 3.9

db: JVNDB | id: JVNDB-2021-009864

Trust: 0.8

db: PACKETSTORM | id: 164563

Trust: 0.7

db: PACKETSTORM | id: 164080

Trust: 0.7

db: PACKETSTORM | id: 164542

Trust: 0.7

db: CS-HELP | id: SB2021041363

Trust: 0.6

db: CNNVD | id: CNNVD-202104-975

Trust: 0.6

db: AUSCERT | id: ESB-2021.3466

Trust: 0.6

db: AUSCERT | id: ESB-2021.3490

Trust: 0.6

db: AUSCERT | id: ESB-2023.2040

Trust: 0.6

db: AUSCERT | id: ESB-2021.3032

Trust: 0.6

db: AUSCERT | id: ESB-2022.4446

Trust: 0.6

db: CS-HELP | id: SB2021072017

Trust: 0.6

db: CS-HELP | id: SB2021102117

Trust: 0.6

db: CNNVD | id: CNNVD-202107-1384

Trust: 0.6

db: VULHUB | id: VHN-398812

Trust: 0.1

db: VULMON | id: CVE-2021-36980

Trust: 0.1

db: PACKETSTORM | id: 164543

Trust: 0.1

db: PACKETSTORM | id: 175917

Trust: 0.1

sources: VULHUB: VHN-398812 // VULMON: CVE-2021-36980 // JVNDB: JVNDB-2021-009864 // PACKETSTORM: 164563 // PACKETSTORM: 164080 // PACKETSTORM: 164543 // PACKETSTORM: 164542 // PACKETSTORM: 175917 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-1384 // NVD: CVE-2021-36980

REFERENCES

url:https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851

Trust: 2.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-36980

Trust: 1.9

url:https://github.com/google/oss-fuzz-vulns/blob/main/vulns/openvswitch/osv-2020-2197.yaml

Trust: 1.8

url:https://github.com/openvswitch/ovs/commit/38744b1bcb022c611712527f039722115300f58f

Trust: 1.8

url:https://github.com/openvswitch/ovs/commit/65c61b0c23a0d474696d7b1cea522a5016a8aeb3

Trust: 1.8

url:https://github.com/openvswitch/ovs/commit/6d67310f4d2524b466b98f05ebccc1add1e8cf35

Trust: 1.8

url:https://github.com/openvswitch/ovs/commit/77cccc74deede443e8b9102299efc869a52b65b2

Trust: 1.8

url:https://github.com/openvswitch/ovs/commit/8ce8dc34b5f73b30ce0c1869af9947013c3c6575

Trust: 1.8

url:https://github.com/openvswitch/ovs/commit/9926637a80d0d243dbf9c49761046895e9d1a8e2

Trust: 1.8

url:https://security.gentoo.org/glsa/202311-16

Trust: 1.1

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.2040

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3032

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3466

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021072017

Trust: 0.6

url:https://vigilance.fr/vulnerability/open-vswitch-reuse-after-free-via-decode-nxast-raw-encap-36347

Trust: 0.6

url:https://packetstormsecurity.com/files/164080/ubuntu-security-notice-usn-5065-1.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.4446

Trust: 0.6

url:https://packetstormsecurity.com/files/164563/red-hat-security-advisory-2021-3942-01.html

Trust: 0.6

url:https://packetstormsecurity.com/files/164542/red-hat-security-advisory-2021-3758-01.html

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021102117

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3490

Trust: 0.6

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.3

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2021-36980

Trust: 0.3

url:https://bugzilla.redhat.com/):

Trust: 0.3

url:https://access.redhat.com/security/team/contact/

Trust: 0.3

url:https://access.redhat.com/security/team/key/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-33196

Trust: 0.2

url:https://access.redhat.com/errata/rhsa-2021:3758

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-34428

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-33196

Trust: 0.2

url:https://docs.openshift.com/container-platform/4.9/updating/updating-cluster

Trust: 0.2

url:https://access.redhat.com/errata/rhsa-2021:3759

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-28169

Trust: 0.2

url:https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-rel

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-34428

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-28169

Trust: 0.2

url:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991308

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://access.redhat.com/articles/2974891

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2021:3942

Trust: 0.1

url:https://ubuntu.com/security/notices/usn-5065-1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openvswitch/2.15.0-0ubuntu3.1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/openvswitch/2.13.3-0ubuntu0.20.04.2

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-26539

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-33195

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-32690

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3121

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-28092

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-33197

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-33195

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3121

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-33198

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-33194

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-33198

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-31525

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-34558

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-29059

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-32690

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-33194

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-33197

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-29059

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-28092

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-31525

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-26539

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-26540

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-34558

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-26540

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-3905

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-35498

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-4337

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-4338

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-1668

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-27827

Trust: 0.1

sources: VULHUB: VHN-398812 // VULMON: CVE-2021-36980 // JVNDB: JVNDB-2021-009864 // PACKETSTORM: 164563 // PACKETSTORM: 164080 // PACKETSTORM: 164543 // PACKETSTORM: 164542 // PACKETSTORM: 175917 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-1384 // NVD: CVE-2021-36980

CREDITS

Red Hat

Trust: 0.3

sources: PACKETSTORM: 164563 // PACKETSTORM: 164543 // PACKETSTORM: 164542

SOURCES

db: VULHUB | id: VHN-398812
db: VULMON | id: CVE-2021-36980
db: JVNDB | id: JVNDB-2021-009864
db: PACKETSTORM | id: 164563
db: PACKETSTORM | id: 164080
db: PACKETSTORM | id: 164543
db: PACKETSTORM | id: 164542
db: PACKETSTORM | id: 175917
db: CNNVD | id: CNNVD-202104-975
db: CNNVD | id: CNNVD-202107-1384
db: NVD | id: CVE-2021-36980

LAST UPDATE DATE

2024-08-14T13:11:34.710000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-398812 | date: 2021-07-28T00:00:00
db: VULMON | id: CVE-2021-36980 | date: 2021-07-20T00:00:00
db: JVNDB | id: JVNDB-2021-009864 | date: 2022-06-02T07:30:00
db: CNNVD | id: CNNVD-202104-975 | date: 2021-04-14T00:00:00
db: CNNVD | id: CNNVD-202107-1384 | date: 2023-04-11T00:00:00
db: NVD | id: CVE-2021-36980 | date: 2023-11-26T11:15:08.053

SOURCES RELEASE DATE

db: VULHUB | id: VHN-398812 | date: 2021-07-20T00:00:00
db: VULMON | id: CVE-2021-36980 | date: 2021-07-20T00:00:00
db: JVNDB | id: JVNDB-2021-009864 | date: 2022-06-02T00:00:00
db: PACKETSTORM | id: 164563 | date: 2021-10-20T15:45:55
db: PACKETSTORM | id: 164080 | date: 2021-09-08T14:27:14
db: PACKETSTORM | id: 164543 | date: 2021-10-19T15:15:35
db: PACKETSTORM | id: 164542 | date: 2021-10-19T15:15:15
db: PACKETSTORM | id: 175917 | date: 2023-11-27T15:42:18
db: CNNVD | id: CNNVD-202104-975 | date: 2021-04-13T00:00:00
db: CNNVD | id: CNNVD-202107-1384 | date: 2021-07-20T00:00:00
db: NVD | id: CVE-2021-36980 | date: 2021-07-20T07:15:08.113