ID

VAR-202205-2059

CVE

CVE-2022-1897

TITLE

Red Hat Security Advisory 2022-6714-01

DESCRIPTION

Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. Vim is a cross-platform text editor. There is a security vulnerability in versions prior to Vim 8.2, which is caused by an out-of-bounds write problem. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: RHACS 3.72 enhancement and security update Advisory ID: RHSA-2022:6714-01 Product: RHACS Advisory URL: https://access.redhat.com/errata/RHSA-2022:6714 Issue date: 2022-09-26 CVE Names: CVE-2015-20107 CVE-2022-0391 CVE-2022-1292 CVE-2022-1586 CVE-2022-1785 CVE-2022-1897 CVE-2022-1927 CVE-2022-2068 CVE-2022-2097 CVE-2022-24675 CVE-2022-24921 CVE-2022-28327 CVE-2022-29154 CVE-2022-29526 CVE-2022-30631 CVE-2022-32206 CVE-2022-32208 CVE-2022-34903 ===================================================================== 1. Summary: Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes new features and bug fixes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Release of RHACS 3.72 provides these changes: New features * Automatic removal of nonactive clusters from RHACS: RHACS provides the ability to configure your system to automatically remove nonactive clusters from RHACS so that you can monitor active clusters only. * Support for unauthenticated email integration: RHACS now supports unauthenticated SMTP for email integrations. This is insecure and not recommended. * Support for Quay robot accounts: RHACS now supports use of robot accounts in quay.io integrations. You can create robot accounts in Quay that allow you to share credentials for use in multiple repositories. * Ability to view Dockerfile lines in images that introduced components with Common Vulnerabilities and Exposures (CVEs): In the Images view, under Image Findings, you can view individual lines in the Dockerfile that introduced the components that have been identified as containing CVEs. * Network graph improvements: RHACS 3.72 includes some improvements to the Network Graph user interface. Known issue * RHACS shows the wrong severity when two severities exist for a single vulnerability in a single distribution. This issue occurs because RHACS scopes severities by namespace rather than component. There is no workaround. It is anticipated that an upcoming release will include a fix for this issue. (ROX-12527) Bug fixes * Before this update, the steps to configure OpenShift Container Platform OAuth for more than one URI were missing. The documentation has been revised to include instructions for configuring OAuth in OpenShift Container Platform to use more than one URI. For more information, see Creating additional routes for the OpenShift Container Platform OAuth server. (ROX-11296) * Before this update, the autogenerated image integration, such as a Docker registry integration, for a cluster is not deleted when the cluster is removed from Central. This issue is fixed. (ROX-9398) * Before this update, the Image OS policy criteria did not support regular expressions, or regex. However, the documentation indicated that regular expressions were supported. This issue is fixed by adding support for regular expressions for the Image OS policy criteria. (ROX-12301) * Before this update, the syslog integration did not respect a configured TCP proxy. This is now fixed. * Before this update, the scanner-db pod failed to start when a resource quota was set for the stackrox namespace, because the init-db container in the pod did not have any resources assigned to it. The init-db container for ScannerDB now specifies resource requests and limits that match the db container. (ROX-12291) Notable technical changes * Scanning support for Red Hat Enterprise Linux 9: RHEL 9 is now generally available (GA). RHACS 3.72 introduces support for analyzing images built with Red Hat Universal Base Image (UBI) 9 and Red Hat Enterprise Linux (RHEL) 9 RPMs for vulnerabilities. * Policy for CVEs with fixable CVSS of 6 or greater disabled by default: Beginning with this release, the Fixable CVSS >= 6 and Privileged policy is no longer enabled by default for new RHACS installations. The configuration of this policy is not changed when upgrading an existing system. A new policy Privileged Containers with Important and Critical Fixable CVEs, which gives an alert for containers running in privileged mode that have important or critical fixable vulnerabilities, has been added. Security Fix(es) * golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675) * golang: regexp: stack exhaustion via a deeply nested expression (CVE-2022-24921) * golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327) * golang: syscall: faccessat checks wrong group (CVE-2022-29526) * golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: To take advantage of the new features, bug fixes, and enhancements in RHACS 3.72 you are advised to upgrade to RHACS 3.72.0. 4. Bugs fixed (https://bugzilla.redhat.com/): 2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression 2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar 2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read 5. JIRA issues fixed (https://issues.jboss.org/): ROX-12799 - Release RHACS 3.72.0 6. References: https://access.redhat.com/security/cve/CVE-2015-20107 https://access.redhat.com/security/cve/CVE-2022-0391 https://access.redhat.com/security/cve/CVE-2022-1292 https://access.redhat.com/security/cve/CVE-2022-1586 https://access.redhat.com/security/cve/CVE-2022-1785 https://access.redhat.com/security/cve/CVE-2022-1897 https://access.redhat.com/security/cve/CVE-2022-1927 https://access.redhat.com/security/cve/CVE-2022-2068 https://access.redhat.com/security/cve/CVE-2022-2097 https://access.redhat.com/security/cve/CVE-2022-24675 https://access.redhat.com/security/cve/CVE-2022-24921 https://access.redhat.com/security/cve/CVE-2022-28327 https://access.redhat.com/security/cve/CVE-2022-29154 https://access.redhat.com/security/cve/CVE-2022-29526 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-32206 https://access.redhat.com/security/cve/CVE-2022-32208 https://access.redhat.com/security/cve/CVE-2022-34903 https://access.redhat.com/security/updates/classification/#moderate https://docs.openshift.com/acs/3.72/release_notes/372-release-notes.html 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYzH0ItzjgjWX9erEAQg2Yg//fDLYNktH9vd06FrD5L77TeiYnD/Zx+f5 fk12roODKMOpcV6BmnOyPG0a6POCmhHn1Dn6bOT+7Awx0b9A9cXXDk6jytkpDhh7 O0OxzWZVVvSzNe1TL3WN9vwZqSpAYON8euLBEb16E8pmEv7vXKll3wMQIlctp6Nr ey6DLL718z8ghXbtkkcGsBQqElM4jESvGm5xByMymfRFktvy9LSgTi+Zc7FY7gXL AHitJZiSm57D/pwUHvNltLLkxQfVAGuJXaTHYFyeIi6Z2pdDySYAXcr60mVd6eSh 9/7qGwdsQARwmr174s0xMWRcns6UDvwIWifiXl6FUnTZFlia+lC3xIP1o2CXwoFP Fr7LpF0L9h5BapjSRv1w6qkkJIyJhw5v9VmZQoQ3joZqRQi0I6qLOcp92eik63pM i11ppoeDNwjpSST40Ema3j9PflzxXB7PKBUfKWwqNc2dnWDkiEhNaXOAZ7MqgdLo MB3enlKV4deeWOb5OA1Vlv/lAAJM0h5AOgTIBddYs3CDsyoK9fKm1UF/BEhcWMyr kV3AJ0/zzAK6ev4hQmP8Ug4SbdiHNdM3X1vgH54OVJ3Al3E1nAEyYmELNUITrvXV jJI5thbVwK78vOX9yWcmpZm879BnHnUPzGbS0lF5FVJOSZ8E7LvOE7lCM/dg094z 0riGwT9O9Ys= =hArw -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/): 1937117 - Deletion of StorageCluster doesn't remove ceph toolbox pod 1947482 - The device replacement process when deleting the volume metadata need to be fixed or modified 1973317 - libceph: read_partial_message and bad crc/signature errors 1996829 - Permissions assigned to ceph auth principals when using external storage are too broad 2004944 - CVE-2021-23440 nodejs-set-value: type confusion allows bypass of CVE-2019-10747 2027724 - Warning log for rook-ceph-toolbox in ocs-operator log 2029298 - [GSS] Noobaa is not compatible with aws bucket lifecycle rule creation policies 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2047173 - [RFE] Change controller-manager pod name in odf-lvm-operator to more relevant name to lvm 2050853 - CVE-2021-23566 nanoid: Information disclosure via valueOf() function 2050897 - CVE-2022-0235 mcg-core-container: node-fetch: exposure of sensitive information to an unauthorized actor [openshift-data-foundation-4] 2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak 2053429 - CVE-2022-23806 golang: crypto/elliptic: IsOnCurve returns true for invalid field elements 2053532 - CVE-2022-23772 golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString 2053541 - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control 2056697 - odf-csi-addons-operator subscription failed while using custom catalog source 2058211 - Add validation for CIDR field in DRPolicy 2060487 - [ODF to ODF MS] Consumer lost connection to provider API if the endpoint node is powered off/replaced 2060790 - ODF under Storage missing for OCP 4.11 + ODF 4.10 2061713 - [KMS] The error message during creation of encrypted PVC mentions the parameter in UPPER_CASE 2063691 - [GSS] [RFE] Add termination policy to s3 route 2064426 - [GSS][External Mode] exporter python script does not support FQDN for RGW endpoint 2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression 2066514 - OCS operator to install Ceph prometheus alerts instead of Rook 2067079 - [GSS] [RFE] Add termination policy to ocs-storagecluster-cephobjectstore route 2067387 - CVE-2022-24771 node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery 2067458 - CVE-2022-24772 node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery 2067461 - CVE-2022-24773 node-forge: Signature verification leniency in checking `DigestInfo` structure 2069314 - OCS external mode should allow specifying names for all Ceph auth principals 2069319 - [RFE] OCS CephFS External Mode Multi-tenancy. Add cephfs subvolumegroup and path= caps per cluster. 2069812 - must-gather: rbd_vol_and_snap_info collection is broken 2069815 - must-gather: essential rbd mirror command outputs aren't collected 2070542 - After creating a new storage system it redirects to 404 error page instead of the "StorageSystems" page for OCP 4.11 2071494 - [DR] Applications are not getting deployed 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale 2073920 - rook osd prepare failed with this error - failed to set kek as an environment variable: key encryption key is empty 2074810 - [Tracker for Bug 2074585] MCG standalone deployment page goes blank when the KMS option is enabled 2075426 - 4.10 must gather is not available after GA of 4.10 2075581 - [IBM Z] : ODF 4.11.0-38 deployment leaves the storagecluster in "Progressing" state although all the openshift-storage pods are up and Running 2076457 - After node replacement[provider], connection issue between consumer and provider if the provider node which was referenced MON-endpoint configmap (on consumer) is lost 2077242 - vg-manager missing permissions 2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar 2079866 - [DR] odf-multicluster-console is in CLBO state 2079873 - csi-nfsplugin pods are not coming up after successful patch request to update "ROOK_CSI_ENABLE_NFS": "true"' 2080279 - CVE-2022-29810 go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local uses 2081680 - Add the LVM Operator into the Storage category in OperatorHub 2082028 - UI does not have the option to configure capacity, security and networks,etc. during storagesystem creation 2082078 - OBC's not getting created on primary cluster when manageds3 set as "true" for mirrorPeer 2082497 - Do not filter out removable devices 2083074 - [Tracker for Ceph BZ #2086419] Two Ceph mons crashed in ceph-16.2.7/src/mon/PaxosService.cc: 193: FAILED ceph_assert(have_pending) 2083441 - LVM operator should deploy the volumesnapshotclass resource 2083953 - [Tracker for Ceph BZ #2084579] PVC created with ocs-storagecluster-ceph-nfs storageclass is moving to pending status 2083993 - Add missing pieces for storageclassclaim 2084041 - [Console Migration] Link-able storage system name directs to blank page 2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group 2084201 - MCG operator pod is stuck in a CrashLoopBackOff; Panic Attack: [] an empty namespace may not be set when a resource name is provided" 2084503 - CLI falsely flags unique PVPool backingstore secrets as duplicates 2084546 - [Console Migration] Provider details absent under backing store in UI 2084565 - [Console Migration] The creation of new backing store , directs to a blank page 2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information 2085351 - [DR] Mirrorpeer failed to create with msg Internal error occurred 2085357 - [DR] When drpolicy is create drcluster resources are getting created under default namespace 2086557 - Thin pool in lvm operator doesn't use all disks 2086675 - [UI]No option to "add capacity" via the Installed Operators tab 2086982 - ODF 4.11 deployment is failing 2086983 - [odf-clone] Mons IP not updated correctly in the rook-ceph-mon-endpoints cm 2087078 - [RDR] [UI] Multiple instances of Object Bucket, Object Bucket Claims and 'Overview' tab is present under Storage section on the Hub cluster when navigated back from the Managed cluster using the Hybrid console dropdown 2087107 - Set default storage class if none is set 2087237 - [UI] After clicking on Create StorageSystem, it navigates to Storage Systems tab but shows an error message 2087675 - ocs-metrics-exporter pod crashes on odf v4.11 2087732 - [Console Migration] Events page missing under new namespace store 2087755 - [Console Migration] Bucket Class details page doesn't have the complete details in UI 2088359 - Send VG Metrics even if storage is being consumed from thinPool alone 2088380 - KMS using vault on standalone MCG cluster is not enabled 2088506 - ceph-external-cluster-details-exporter.py should not accept hostname for rgw-endpoint 2088587 - Removal of external storage system with misconfigured cephobjectstore fails on noobaa webhook 2089296 - [MS v2] Storage cluster in error phase and 'ocs-provider-qe' addon installation failed with ODF 4.10.2 2089342 - prometheus pod goes into OOMKilled state during ocs-osd-controller-manager pod restarts 2089397 - [GSS]OSD pods CLBO after upgrade to 4.10 from 4.9. 2089552 - [MS v2] Cannot create StorageClassClaim 2089567 - [Console Migration] Improve the styling of Various Components 2089786 - [Console Migration] "Attach to deployment" option is missing in kebab menu for Object Bucket Claims . 2089795 - [Console Migration] Yaml and Events page is missing for Object Bucket Claims and Object Bucket. 2089797 - [RDR] rbd image failed to mount with msg rbd error output: rbd: sysfs write failed 2090278 - [LVMO] Some containers are missing resource requirements and limits 2090314 - [LVMO] CSV is missing some useful annotations 2090953 - [MCO] DRCluster created under default namespace 2091487 - [Hybrid Console] Multicluster dashboard is not displaying any metrics 2091638 - [Console Migration] Yaml page is missing for existing and newly created Block pool. 2091641 - MCG operator pod is stuck in a CrashLoopBackOff; MapSecretToNamespaceStores invalid memory address or nil pointer dereference 2091681 - Auto replication policy type detection is not happneing on DRPolicy creation page when ceph cluster is external 2091894 - All backingstores in cluster spontaneously change their own secret 2091951 - [GSS] OCS pods are restarting due to liveness probe failure 2091998 - Volume Snapshots not work with external restricted mode 2092143 - Deleting a CephBlockPool CR does not delete the underlying Ceph pool 2092217 - [External] UI for uploding JSON data for external cluster connection has some strict checks 2092220 - [Tracker for Ceph BZ #2096882] CephNFS is not reaching to Ready state on ODF on IBM Power (ppc64le) 2092349 - Enable zeroing on the thin-pool during creation 2092372 - [MS v2] StorageClassClaim is not reaching Ready Phase 2092400 - [MS v2] StorageClassClaim creation is failing with error "no StorageCluster found" 2093266 - [RDR] When mirroring is enabled rbd mirror daemon restart config should be enabled automatically 2093848 - Note about token for encrypted PVCs should be removed when only cluster wide encryption checkbox is selected 2094179 - MCO fails to create DRClusters when replication mode is synchronous 2094853 - [Console Migration] Description under storage class drop down in add capacity is missing . 2094856 - [KMS] PVC creation using vaulttenantsa method is failing due to token secret missing in serviceaccount 2095155 - Use tool `black` to format the python external script 2096209 - ReclaimSpaceJob fails on OCP 4.11 + ODF 4.10 cluster 2096414 - Compression status for cephblockpool is reported as Enabled and Disabled at the same time 2096509 - [Console Migration] Unable to select Storage Class in Object Bucket Claim creation page 2096513 - Infinite BlockPool tabs get created when the StorageSystem details page is opened 2096823 - After upgrading the cluster from ODF4.10 to ODF4.11, the ROOK_CSI_ENABLE_CEPHFS move to False 2096937 - Storage - Data Foundation: i18n misses 2097216 - Collect StorageClassClaim details in must-gather 2097287 - [UI] Dropdown doesn't close on it's own after arbiter zone selection on 'Capacity and nodes' page 2097305 - Add translations for ODF 4.11 2098121 - Managed ODF not getting detected 2098261 - Remove BlockPools(no use case) and Object(redundat with Overview) tab on the storagesystem page for NooBaa only and remove BlockPools tab for External mode deployment 2098536 - [KMS] PVC creation using vaulttenantsa method is failing due to token secret missing in serviceaccount 2099265 - [KMS] The storagesystem creation page goes blank when KMS is enabled 2099581 - StorageClassClaim with encryption gets into Failed state 2099609 - The red-hat-storage/topolvm release-4.11 needs to be synced with the upstream project 2099646 - Block pool list page kebab action menu is showing empty options 2099660 - OCS dashbaords not appearing unless user clicks on "Overview" Tab 2099724 - S3 secret namespace on the managed cluster doesn't match with the namespace in the s3profile 2099965 - rbd: provide option to disable setting metadata on RBD images 2100326 - [ODF to ODF] Volume snapshot creation failed 2100352 - Make lvmo pod labels more uniform 2100946 - Avoid temporary ceph health alert for new clusters where the insecure global id is allowed longer than necessary 2101139 - [Tracker for OCP BZ #2102782] topolvm-controller get into CrashLoopBackOff few minutes after install 2101380 - Default backingstore is rejected with message INVALID_SCHEMA_PARAMS SERVER account_api#/methods/check_external_connection 2103818 - Restored snapshot don't have any content 2104833 - Need to update configmap for IBM storage odf operator GA 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS 5. Solution: The OpenShift Service Mesh Release Notes provide information on the features and known issues: https://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html 4. JIRA issues fixed (https://issues.jboss.org/): OSSM-1105 - IOR doesn't support a host with namespace/ prefix OSSM-1205 - Specifying logging parameter will make istio-ingressgateway and istio-egressgateway failed to start OSSM-1668 - [Regression] jwksResolverCA field in SMCP is missing OSSM-1718 - Istio Operator pauses reconciliation when gateway deployed to non-control plane namespace OSSM-1775 - [Regression] Incorrect 3scale image specified for 2.0 control planes OSSM-1800 - IOR should copy labels from Gateway to Route OSSM-1805 - Reconcile SMCP when Kiali is not available OSSM-1846 - SMCP fails to reconcile when enabling PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER OSSM-1868 - Container release for Maistra 2.2.2 6. ========================================================================== Ubuntu Security Notice USN-5507-1 July 08, 2022 vim vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 ESM Summary: Several security issues were fixed in Vim. Software Description: - vim: Vi IMproved - enhanced vi editor Details: It was discovered that Vim incorrectly handled memory access. An attacker could potentially use this issue to cause the program to crash, use unexpected values, or execute arbitrary code. (CVE-2022-1968) It was discovered that Vim incorrectly handled memory access. An attacker could potentially use this issue to cause the corruption of sensitive information, a crash, or arbitrary code execution. (CVE-2022-1897, CVE-2022-1942) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 ESM: vim 2:7.4.1689-3ubuntu1.5+esm10 In general, a standard system update will make all the necessary changes. Summary: An update is now available for RHOL-5.5-RHEL-8. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks 2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1415 - Allow users to tune fluentd LOG-1539 - Events and CLO csv are not collected after running `oc adm must-gather --image=$downstream-clo-image ` LOG-1713 - Reduce Permissions granted for prometheus-k8s service account LOG-2063 - Collector pods fail to start when a Vector only Cluster Logging instance is created. LOG-2134 - The infra logs are sent to app-xx indices LOG-2159 - Cluster Logging Pods in CrashLoopBackOff LOG-2165 - [Vector] Default log level debug makes it hard to find useful error/failure messages. LOG-2167 - [Vector] Collector pods fails to start with configuration error when using Kafka SASL over SSL LOG-2169 - [Vector] Logs not being sent to Kafka with SASL plaintext. LOG-2172 - [vector]The openshift-apiserver and ovn audit logs can not be collected. LOG-2242 - Log file metric exporter is still following /var/log/containers files. LOG-2243 - grafana-dashboard-cluster-logging should be deleted once clusterlogging/instance was removed LOG-2264 - Logging link should contain an icon LOG-2274 - [Logging 5.5] EO doesn't recreate secrets kibana and kibana-proxy after removing them. LOG-2276 - Fluent config format is hard to read via configmap LOG-2290 - ClusterLogging Instance status in not getting updated in UI LOG-2291 - [release-5.5] Events listing out of order in Kibana 6.8.1 LOG-2294 - [Vector] Vector internal metrics are not exposed via HTTPS due to which OpenShift Monitoring Prometheus service cannot scrape the metrics endpoint. LOG-2300 - [Logging 5.5]ES pods can't be ready after removing secret/signing-elasticsearch LOG-2303 - [Logging 5.5] Elasticsearch cluster upgrade stuck LOG-2308 - configmap grafana-dashboard-elasticsearch is being created and deleted continously LOG-2333 - Journal logs not reaching Elasticsearch output LOG-2337 - [Vector] Missing @ prefix from the timestamp field in log record. LOG-2342 - [Logging 5.5] Kibana pod can't connect to ES cluster after removing secret/signing-elasticsearch: "x509: certificate signed by unknown authority" LOG-2384 - Provide a method to get authenticated from GCP LOG-2411 - [Vector] Audit logs forwarding not working. LOG-2412 - CLO's loki output url is parsed wrongly LOG-2413 - PriorityClass cluster-logging is deleted if provide an invalid log type LOG-2418 - EO supported time units don't match the units specified in CRDs. LOG-2439 - Telemetry: the managedStatus&healthStatus&version values are wrong LOG-2440 - [loki-operator] Live tail of logs does not work on OpenShift LOG-2444 - The write index is removed when `the size of the index` > `diskThresholdPercent% * total size`. LOG-2460 - [Vector] Collector pods fail to start on a FIPS enabled cluster. LOG-2461 - [Vector] Vector auth config not generated when user provided bearer token is used in a secret for connecting to LokiStack. LOG-2463 - Elasticsearch operator repeatedly prints error message when checking indices LOG-2474 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.5] LOG-2522 - CLO supported time units don't match the units specified in CRDs. LOG-2525 - The container's logs are not sent to separate index if the annotation is added after the pod is ready. LOG-2546 - TLS handshake error on loki-gateway for FIPS cluster LOG-2549 - [Vector] [master] Journald logs not sent to the Log store when using Vector as collector. LOG-2554 - [Vector] [master] Fallback index is not used when structuredTypeKey is missing from JSON log data LOG-2588 - FluentdQueueLengthIncreasing rule failing to be evaluated. LOG-2596 - [vector]the condition in [transforms.route_container_logs] is inaccurate LOG-2599 - Supported values for level field don't match documentation LOG-2605 - $labels.instance is empty in the message when firing FluentdNodeDown alert LOG-2609 - fluentd and vector are unable to ship logs to elasticsearch when cluster-wide proxy is in effect LOG-2619 - containers violate PodSecurity -- Log Exporation LOG-2627 - containers violate PodSecurity -- Loki LOG-2649 - Level Critical should match the beginning of the line as the other levels LOG-2656 - Logging uses deprecated v1beta1 apis LOG-2664 - Deprecated Feature logs causing too much noise LOG-2665 - [Logging 5.5] Sometimes collector fails to push logs to Elasticsearch cluster LOG-2693 - Integration with Jaeger fails for ServiceMonitor LOG-2700 - [Vector] vector container can't start due to "unknown field `pod_annotation_fields`" . LOG-2703 - Collector DaemonSet is not removed when CLF is deleted for fluentd/vector only CL instance LOG-2725 - Upgrade logging-eventrouter Golang version and tags LOG-2731 - CLO keeps reporting `Reconcile ServiceMonitor retry error` and `Reconcile Service retry error` after creating clusterlogging. LOG-2732 - Prometheus Operator pod throws 'skipping servicemonitor' error on Jaeger integration LOG-2742 - unrecognized outputs when use the sts role secret LOG-2746 - CloudWatch forwarding rejecting large log events, fills tmpfs LOG-2749 - OpenShift Logging Dashboard for Elastic Shards shows "active_primary" instead of "active" shards. LOG-2753 - Update Grafana configuration for LokiStack integration on grafana/loki repo LOG-2763 - [Vector]{Master} Vector's healthcheck fails when forwarding logs to Lokistack. LOG-2764 - ElasticSearch operator does not respect referencePolicy when selecting oauth-proxy image LOG-2765 - ingester pod can not be started in IPv6 cluster LOG-2766 - [vector] failed to parse cluster url: invalid authority IPv6 http-proxy LOG-2772 - arn validation failed when role_arn=arn:aws-us-gov:xxx LOG-2773 - No cluster-logging-operator-metrics service in logging 5.5 LOG-2778 - [Vector] [OCP 4.11] SA token not added to Vector config when connecting to LokiStack instance without CLF creds secret required by LokiStack. LOG-2784 - Japanese log messages are garbled at Kibana LOG-2793 - [Vector] OVN audit logs are missing the level field. LOG-2864 - [vector] Can not sent logs to default when loki is the default output in CLF LOG-2867 - [fluentd] All logs are sent to application tenant when loki is used as default logstore in CLF. LOG-2873 - [Vector] Cannot configure CPU/Memory requests/limits when using Vector as collector. LOG-2875 - Seeing a black rectangle box on the graph in Logs view LOG-2876 - The link to the 'Container details' page on the 'Logs' screen throws error LOG-2877 - When there is no query entered, seeing error message on the Logs view LOG-2882 - RefreshIntervalDropdown and TimeRangeDropdown always set back to its original values when switching between pages in 'Logs' screen 6. Clusters and applications are all visible and managed from a single console—with security policy built in. Bugs fixed (https://bugzilla.redhat.com/): 2076856 - [doc] Remove 1.9.1 from Proxy Patch Documentation 2101411 - RHACM 2.3.12 images 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS 5. 2109205 - HTTPS_PROXY ENV missing in some CSI driver operators 2109270 - Kube controllers crash when nodes are shut off in OpenStack 2109489 - Reply to arp requests on interfaces with no ip 2109709 - Namespace value is missing on the list when selecting "All namespaces" for operators 2109731 - alertmanager-main pods failing to start due to startupprobe timeout 2109866 - Cannot delete a Machine if a VM got stuck in ERROR 2109977 - storageclass should not be created for unsupported vsphere version 2110482 - [vsphere] failed to create cluster if datacenter is embedded in a Folder 2110723 - openshift-tests: allow -f to match tests for any test suite 2110737 - Master node in SchedulingDisabled after upgrade from 4.10.24 -> 4.11.0-rc.4 2111037 - Affinity rule created in console deployment for single-replica infrastructure 2111347 - dummy bug for 4.10.z bz2111335 2111471 - Node internal DNS address is not set for machine 2111475 - Fetch internal IPs of vms from dhcp server 2111587 - [4.11] Export OVS metrics 2111619 - Pods are unable to reach clusterIP services, ovn-controller isn't installing the group mod flows correctly 2111992 - OpenShift controller manager needs permissions to get/create/update leases for leader election 2112297 - bond-cni: Backport "mac duplicates" 4.11 2112353 - lifecycle.posStart hook does not have network connectivity. 2112908 - Search resource "virtualmachine" in "Home -> Search" crashes the console 2112912 - sum_irate doesn't work in OCP 4.8 2113926 - hypershift cluster deployment hang due to nil pointer dereference for hostedControlPlane.Spec.Etcd.Managed 2113938 - Fix e2e tests for [reboots][machine_config_labels] (tsc=nowatchdog) 2114574 - can not upgrade. Incorrect reading of olm.maxOpenShiftVersion 2114602 - Upgrade failing because restrictive scc is injected into version pod 2114964 - kola dhcp.propagation test failing 2115315 - README file for helm charts coded in Chinese shows messy characters when viewing in developer perspective. 2115435 - [4.11] INIT container stuck forever 2115564 - ClusterVersion availableUpdates is stale: PromQL conditional risks vs. slow/stuck Thanos 2115817 - Updates / config metrics are not available in 4.11 2116009 - Node Tuning Operator(NTO) - OCP upgrade failed due to node-tuning CO still progressing 2116557 - Order of config attributes are not maintained during conversion of PT4l from ptpconfig to ptp4l.0.config file 2117223 - kubernetes-nmstate-operator fails to install with error "no channel heads (entries not replaced by another entry) found in channel" 2117324 - catalog-operator fatal error: concurrent map writes 2117353 - kola dhcp.propagation test out of memory 2117370 - Migrate openshift-ansible to ansible-core 2117746 - Bump to latest k8s.io 1.24 release 2118214 - dummy bug for 4.10.z bz2118209 2118375 - pass the "--quiet" option via the buildconfig for s2i 5. Summary: The Migration Toolkit for Containers (MTC) 1.7.4 is now available. Description: The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Bugs fixed (https://bugzilla.redhat.com/): 1928937 - CVE-2021-23337 nodejs-lodash: command injection via template 1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions 2054663 - CVE-2022-0512 nodejs-url-parse: authorization bypass through user-controlled key 2057442 - CVE-2022-0639 npm-url-parse: Authorization Bypass Through User-Controlled Key 2060018 - CVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled key 2060020 - CVE-2022-0691 npm-url-parse: authorization bypass through user-controlled key 2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read 5. Bugs fixed (https://bugzilla.redhat.com/): 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays 2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service 5. JIRA issues fixed (https://issues.jboss.org/): LOG-2860 - Error on LokiStack Components when forwarding logs to Loki on proxy cluster LOG-3131 - vector: kube API server certificate validation failure due to hostname mismatch LOG-3222 - [release-5.5] fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs LOG-3226 - FluentdQueueLengthIncreasing rule failing to be evaluated. LOG-3284 - [release-5.5][Vector] logs parsed into structured when json is set without structured types. LOG-3287 - [release-5.5] Increase value of cluster-logging PriorityClass to move closer to system-cluster-critical value LOG-3301 - [release-5.5][ClusterLogging] elasticsearchStatus in ClusterLogging instance CR is not updated when Elasticsearch status is changed LOG-3305 - [release-5.5] Kibana Authentication Exception cookie issue LOG-3310 - [release-5.5] Can't choose correct CA ConfigMap Key when creating lokistack in Console LOG-3332 - [release-5.5] Reconcile error on controller when creating LokiStack with tls config 6. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHSA-2023:1325 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html Security Fix(es): * goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238) * go-yaml: Denial of Service in go-yaml (CVE-2021-4235) * mongo-go-driver: specific cstrings input may not be properly validated (CVE-2021-20329) * golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561) * prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698) * helm: Denial of service through through repository index file (CVE-2022-23525) * helm: Denial of service through schema file (CVE-2022-23526) * golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191) * vault: insufficient certificate revocation list checking (CVE-2022-41316) * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717) * x/net/http2/h2c: request smuggling (CVE-2022-41721) * net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) * golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724) * golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725) * exporter-toolkit: authentication bypass via cache poisoning (CVE-2022-46146) * vault: Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File (CVE-2023-0620) * hashicorp/vault: Vault’s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata (CVE-2023-0665) * hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations (CVE-2023-25000) * helm: getHostByName Function Information Disclosure (CVE-2023-25165) * containerd: Supplementary groups are not set up properly (CVE-2023-25173) * runc: volume mount race condition (regression of CVE-2019-19921) (CVE-2023-27561) * runc: AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration (CVE-2023-28642) * baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access (CVE-2023-30841) * runc: Rootless runc makes `/sys/fs/cgroup` writable (CVE-2023-25809) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html 3. Solution: For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags The sha values for the release are: (For x86_64 architecture) The image digest is sha256:74b23ed4bbb593195a721373ed6693687a9b444c97065ce8ac653ba464375711 (For s390x architecture) The image digest is sha256:a32d509d960eb3e889a22c4673729f95170489789c85308794287e6e9248fb79 (For ppc64le architecture) The image digest is sha256:bca0e4a4ed28b799e860e302c4f6bb7e11598f7c136c56938db0bf9593fb76f8 (For aarch64 architecture) The image digest is sha256:e07e4075c07fca21a1aed9d7f9c165696b1d0fa4940a219a000894e5683d846c All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1770297 - console odo download link needs to go to an official location or have caveats [openshift-4.4] 1853264 - Metrics produce high unbound cardinality 1877261 - [RFE] Mounted volume size issue when restore a larger size pvc than snapshot 1904573 - OpenShift: containers modify /etc/passwd group writable 1943194 - when using gpus, more nodes than needed are created by the node autoscaler 1948666 - After entering valid git repo url on Import from git page, throwing warning message instead Validated 1971033 - CVE-2021-20329 mongo-go-driver: specific cstrings input may not be properly validated 2005232 - Pods list page should only show Create Pod button to user has sufficient permission 2016006 - Repositories list does not show the running pipelinerun as last pipelinerun 2027000 - The user is ignored when we create a new file using a MachineConfig 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2047299 - nodeport not reachable port connection timeout 2050230 - Implement LIST call chunking in openshift-sdn 2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server 2065166 - GCP - Less privileged service accounts are created with Service Account User role 2066388 - Wrong Error generates when https is missing in the value of `regionEndpoint` in `configs.imageregistry.operator.openshift.io/cluster` 2066664 - [cluster-storage-operator] - Minimize wildcard/privilege Usage in Cluster and Local Roles 2070744 - openshift-install destroy in us-gov-west-1 results in infinite loop - AWS govcloud 2075548 - Support AllocateLoadBalancerNodePorts=False with ETP=local, LGW mode 2076619 - Could not create deployment with an unknown git repo and builder image build strategy 2078222 - egressIPs behave inconsistently towards in-cluster traffic (hosts and services backed by host-networked pods) 2079981 - PVs not deleting on azure (or very slow to delete) since CSI migration to azuredisk 2081858 - OVN-Kubernetes: SyncServices for nodePortWatcherIptables should propagate failures back to caller 2083087 - "Delete dependent objects of this resource" might cause confusions 2084452 - PodDisruptionBudgets help message should be semantic 2087043 - Cluster API components should use K8s 1.24 dependencies 2087553 - No rhcos-4.11/x86_64 images in the 2 new regions on alibabacloud, "ap-northeast-2 (South Korea (Seoul))" and "ap-southeast-7 (Thailand (Bangkok))" 2089093 - CVO hotloops on OperatorGroup due to the diff of "upgradeStrategy": string("Default") 2089138 - CVO hotloops on ValidatingWebhookConfiguration /performance-addon-operator 2090680 - upgrade for a disconnected cluster get hang on retrieving and verifying payload 2092567 - Network policy is not being applied as expected 2092811 - Datastore name is too long 2093339 - [rebase v1.24] Only known images used by tests 2095719 - serviceaccounts are not updated after upgrade from 4.10 to 4.11 2100181 - WebScale: configure-ovs.sh fails because it picks the wrong default interface 2100429 - [apiserver-auth] default SCC restricted allow volumes don't have "ephemeral" caused deployment with Generic Ephemeral Volumes stuck at Pending 2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS 2104978 - MCD degrades are not overwrite-able by subsequent errors 2110565 - PDB: Remove add/edit/remove actions in Pod resource action menu 2110570 - Topology sidebar: Edit pod count shows not the latest replicas value when edit the count again 2110982 - On GCP, need to check load balancer health check IPs required for restricted installation 2113973 - operator scc is nor fixed when we define a custom scc with readOnlyRootFilesystem: true 2114515 - Getting critical NodeFilesystemAlmostOutOfSpace alert for 4K tmpfs 2115265 - Search page: LazyActionMenus are shown below Add/Remove from navigation button 2116686 - [capi] Cluster kind should be valid 2117374 - Improve Pod Admission failure for restricted-v2 denials that pass with restricted 2135339 - CVE-2022-41316 vault: insufficient certificate revocation list checking 2149436 - CVE-2022-46146 exporter-toolkit: authentication bypass via cache poisoning 2154196 - CVE-2022-23526 helm: Denial of service through schema file 2154202 - CVE-2022-23525 helm: Denial of service through through repository index file 2156727 - CVE-2021-4235 go-yaml: Denial of Service in go-yaml 2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests 2162182 - CVE-2022-41721 x/net/http2/h2c: request smuggling 2168458 - CVE-2023-25165 helm: getHostByName Function Information Disclosure 2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly 2175721 - CVE-2023-27561 runc: volume mount race condition (regression of CVE-2019-19921) 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding 2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption 2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics 2182883 - CVE-2023-28642 runc: AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration 2182884 - CVE-2023-25809 runc: Rootless runc makes `/sys/fs/cgroup` writable 2182972 - CVE-2023-25000 hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations 2182981 - CVE-2023-0665 hashicorp/vault: Vault?s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata 2184663 - CVE-2023-0620 vault: Vault?s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File 2190116 - CVE-2023-30841 baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access 5. JIRA issues fixed (https://issues.jboss.org/): OCPBUGS-10036 - Enable aesgcm encryption provider by default in openshift/api OCPBUGS-10038 - Enable aesgcm encryption provider by default in openshift/cluster-config-operator OCPBUGS-10042 - Enable aesgcm encryption provider by default in openshift/cluster-kube-apiserver-operator OCPBUGS-10043 - Enable aesgcm encryption provider by default in openshift/cluster-openshift-apiserver-operator OCPBUGS-10044 - Enable aesgcm encryption provider by default in openshift/cluster-authentication-operator OCPBUGS-10047 - oc-mirror print log: unable to parse reference oci://mno/redhat-operator-index:v4.12 OCPBUGS-10057 - With WPC card configured as GM or BC, phc2sys clock lock state is shown as FREERUN in ptp metrics while it should be LOCKED OCPBUGS-10213 - aws: mismatch between RHCOS and AWS SDK regions OCPBUGS-10220 - Newly provisioned machines unable to join cluster OCPBUGS-10221 - Risk cache warming takes too long on channel changes OCPBUGS-10237 - Limit the nested repository path while mirroring the images using oc-mirror for those who cant have nested paths in their container registry OCPBUGS-10239 - [release-4.13] Fix of ServiceAccounts gathering OCPBUGS-10249 - PollConsoleUpdates won't fire toast if one or more manifests errors when plugins change OCPBUGS-10267 - NetworkManager TUI quits regardless of a detected unsupported configuration OCPBUGS-10271 - [4.13] Netflink overflow alert OCPBUGS-10278 - Graph-data is not mounted on graph-builder correctly while install using graph-data image built by oc-mirror OCPBUGS-10281 - Openshift Ansible OVS version out of sync with RHCOS OCPBUGS-10291 - Broken link for Ansible tagging OCPBUGS-10298 - TenantID is ignored in some cases OCPBUGS-10320 - Catalogs should not be included in the ImageContentSourcePolicy.yaml OCPBUGS-10321 - command cannot be worked after chroot /host for oc debug pod OCPBUGS-1033 - Multiple extra manifests in the same file are not applied correctly OCPBUGS-10334 - Nutanix cloud-controller-manager pod not have permission to get/list ConfigMap OCPBUGS-10353 - kube-apiserver not receiving or processing shutdown signal after coreos 9.2 bump OCPBUGS-10367 - Pausing pools in OCP 4.13 will cause critical alerts to fire OCPBUGS-10377 - [gcp] IPI installation with Shielded VMs enabled failed on restarting the master machines OCPBUGS-10404 - Workload annotation missing from deployments OCPBUGS-10421 - RHCOS 4.13 live iso x84_64 contains restrictive policy.json OCPBUGS-10426 - node-topology is not exported due to kubelet.sock: connect: permission denied OCPBUGS-10427 - 4.1 born cluster fails to scale-up due to podman run missing `--authfile` flag OCPBUGS-10432 - CSI Inline Volume admission plugin does not log object name correctly OCPBUGS-10440 - OVN IPSec - does not create IPSec tunnels OCPBUGS-10474 - OpenShift pipeline TaskRun(s) column Duration is not present as column in UI OCPBUGS-10476 - Disable netlink mode of netclass collector in Node Exporter. OCPBUGS-1048 - if tag categories don't exist, the installation will fail to bootstrap OCPBUGS-10483 - [4.13 arm64 image][AWS EFS] Driver fails to get installed/exec format error OCPBUGS-10558 - MAPO failing to retrieve flavour information after rotating credentials OCPBUGS-10585 - [4.13] Request to update RHCOS installer bootimage metadata OCPBUGS-10586 - Console shows x509 error when requesting token from oauth endpoint OCPBUGS-10597 - The agent-tui shows again during the installation OCPBUGS-1061 - administrator console, monitoring-alertmanager-edit user list or create silence, "Observe - Alerting - Silences" page is pending OCPBUGS-10645 - 4.13: Operands running management side missing affinity, tolerations, node selector and priority rules than the operator OCPBUGS-10656 - create image command erroneously logs that Base ISO was obtained from release OCPBUGS-10657 - When releaseImage is a digest the create image command generates spurious warning OCPBUGS-10658 - Wrong PrimarySubnet in OpenstackProviderSpec when using Failure Domains OCPBUGS-10661 - machine API operator failing with No Major.Minor.Patch elements found OCPBUGS-10678 - Developer catalog shows ImageStreams as samples which has no sampleRepo OCPBUGS-10679 - Show type of sample on the samples view OCPBUGS-10689 - [IPI on BareMetal]: Workers failing inspection when installing with proxy OCPBUGS-10697 - [release-4.13] User is allowed to create IP Address pool with duplicate entries for namespace and matchExpression for serviceSelector and namespaceSelector OCPBUGS-10698 - [release-4.13] Already assigned IP address is removed from a service on editing the ip address pool. OCPBUGS-10710 - Metal virtual media job permafails during early bootstrap OCPBUGS-10716 - Image Registry default to Removed on IBM cloud after 4.13.0-ec.3 OCPBUGS-10739 - [4.13] Bootimage bump tracker OCPBUGS-10744 - [4.13] EgressFirewall status disappeared OCPBUGS-10746 - Downstream Operator-SDK v1.22.2 to OCP 4.13 OCPBUGS-10771 - upgrade test failure with "Cluster operator control-plane-machine-set is not available" OCPBUGS-10773 - TestNewAppRun unit test failing OCPBUGS-10792 - Hypershift namespace servicemonitor has wrong API group OCPBUGS-10793 - Ignore device list missing in Node Exporter OCPBUGS-10796 - [4.13] Egress firewall is not retried on error OCPBUGS-10799 - Network policy perf improvements OCPBUGS-10801 - [4.13] Upgrade to 4.10 stalled on timeout completing syncEgressFirewall OCPBUGS-10811 - Missing vCenter build number in telemetry OCPBUGS-10813 - SCOS bootstrap should skip pivot when root is not writable OCPBUGS-10826 - RHEL 9.2 doesn't contain the `kernel-abi-whitelists` package. OCPBUGS-10832 - Edit Deployment (and DC) form doesn't enable Save button when changing strategy type OCPBUGS-10833 - update the default pipelineRun template name OCPBUGS-10834 - [OVNK] [IC] Having only one leader election in the master process OCPBUGS-10873 - OVN to OVN-H migration seems broken OCPBUGS-10888 - oauth-server fails to invalidate cache, causing non existing groups being referenced OCPBUGS-10890 - Hypershift replace upgrade: node in NotReady after upgrading from a 4.14 image to another 4.14 image OCPBUGS-10891 - Cluster Autoscaler balancing similar nodes test fails randomly OCPBUGS-10892 - Passwords printed in log messages OCPBUGS-10893 - Remove unsupported warning in oc-mirror when using the --skip-pruning flag OCPBUGS-10902 - [IBMCloud] destroyed the private cluster, fail to cleanup the dns records OCPBUGS-10903 - [IBMCloud] fail to ssh to master/bootstrap/worker nodes from the bastion inside a customer vpc. OCPBUGS-10907 - move to rhel9 in DTK for 4.13 OCPBUGS-10914 - Node healthz server: return unhealthy when pod is to be deleted OCPBUGS-10919 - Update Samples Operator to use latest jenkins 4.12 release OCPBUGS-10923 - Cluster bootstrap waits for only one master to join before finishing OCPBUGS-10929 - Kube 1.26 for ovn-k OCPBUGS-10946 - For IPv6-primary dual-stack cluster, kubelet.service renders only single node-ip OCPBUGS-10951 - When imagesetconfigure without OCI FBC format config, but command with use-oci-feature flag, the oc-mirror command should check the imagesetconfigure firstly and print error immediately OCPBUGS-10953 - ovnkube-node does not close up correctly OCPBUGS-10955 - [release-4.13] NMstate complains about ping not working when adding multiple routing tables with different gateways OCPBUGS-10960 - [4.13] Vertical Scaling: do not trigger inadvertent machine deletion during bootstrap OCPBUGS-10965 - The network-tools image stream is missing in the cluster samples OCPBUGS-10982 - [4.13] nodeSelector in EgressFirewall doesn't work in dualstack cluster OCPBUGS-10989 - Agent create sub-command is returning fatal error OCPBUGS-10990 - EgressIP doesn't work in GCP XPN cluster OCPBUGS-11004 - Bootstrap kubelet client cert should include system:serviceaccounts group OCPBUGS-11010 - [vsphere] zone cluster installation fails if vSphere Cluster is embedded in Folder OCPBUGS-11022 - [4.13][scale] all egressfirewalls will be updated on every node update OCPBUGS-11023 - [4.13][scale] Ingress network policy creates more flows than before OCPBUGS-11031 - SNO OCP upgrade from 4.12 to 4.13 failed due to node-tuning operator is not available - tuned pod stuck at Terminating OCPBUGS-11032 - Update the validation interval for the cluster transfer to 12 hours OCPBUGS-11040 - --container-runtime is being removed in k8s 1.27 OCPBUGS-11054 - GCP: add europe-west12 region to the survey as supported region OCPBUGS-11055 - APIServer service isn't selected correctly for PublicAndPrivate cluster when external-dns is not configured OCPBUGS-11058 - [4.13] Conmon leaks symbolic links in /var/run/crio when pods are deleted OCPBUGS-11068 - nodeip-configuration not enabled for VSphere UPI OCPBUGS-11107 - Alerts display incorrect source when adding external alert sources OCPBUGS-11117 - The provided gcc RPM inside DTK does not match the gcc used to build the kernel OCPBUGS-11120 - DTK docs should mention the ubi9 base image instead of ubi8 OCPBUGS-11213 - BMH moves to deleting before all finalizers are processed OCPBUGS-11218 - "pipelines-as-code-pipelinerun-go" configMap is not been used for the Go repository OCPBUGS-11222 - kube-controller-manager cluster operator is degraded due connection refused while querying rules OCPBUGS-11227 - Relax CSR check due to k8s 1.27 changes OCPBUGS-11232 - All projects options shows as undefined after selection in Dev perspective Pipelines page OCPBUGS-11248 - Secret name variable get renders in Create Image pull secret alert OCPBUGS-1125 - Fix disaster recovery test [sig-etcd][Feature:DisasterRecovery][Disruptive] [Feature:EtcdRecovery] Cluster should restore itself after quorum loss [Serial] OCPBUGS-11257 - egressip cannot be assigned on hypershift hosted cluster node OCPBUGS-11261 - [AWS][4.13] installer get stuck if BYO private hosted zone is configured OCPBUGS-11263 - PTP KPI version 4.13 RC2 WPC - offset jumps to huge numbers OCPBUGS-11307 - Egress firewall node selector test missing OCPBUGS-11333 - startupProbe for UWM prometheus is still 15m OCPBUGS-11339 - ose-ansible-operator base image version is still 4.12 in the operators that generated by operator-sdk 4.13 OCPBUGS-11340 - ose-helm-operator base image version is still 4.12 in the operators that generated by operator-sdk 4.13 OCPBUGS-11341 - openshift-manila-csi-driver is missing the workload.openshift.io/allowed label OCPBUGS-11354 - CPMS: node readiness transitions not always trigger reconcile OCPBUGS-11384 - Switching from enabling realTime to disabling Realtime Workloadhint causes stalld to be enabled OCPBUGS-11390 - Service Binding Operator installation fails: "A subscription for this operator already exists in namespace ..." OCPBUGS-11424 - [release-4.13] new whereabouts reconciler relies on HOSTNAME which != spec.nodeName OCPBUGS-11427 - [release-4.13] whereabouts reads wrong annotation "k8s.v1.cni.cncf.io/networks-status", should be "k8s.v1.cni.cncf.io/network-status" OCPBUGS-11456 - PTP - When GM and downstream slaves are configured on same server, ptp metrics show slaves as FREERUN OCPBUGS-11458 - Ingress Takes 40s on Average Downtime During GCP OVN Upgrades OCPBUGS-11460 - CPMS doesn't always generate configurations for AWS OCPBUGS-11468 - Community operator cannot be mirrored due to malformed image address OCPBUGS-11469 - [release4.13] "exclude bundles with `olm.deprecated` property when rendering" not backport OCPBUGS-11473 - NS autolabeler requires RoleBinding subject namespace to be set when using ServiceAccount OCPBUGS-11485 - [4.13] NVMe disk by-id rename breaks LSO/ODF OCPBUGS-11503 - Update 4.13 cluster-network-operator image in Dockerfile to be consistent with ART OCPBUGS-11506 - CPMS e2e periodics tests timeout failures OCPBUGS-11507 - Potential 4.12 to 4.13 upgrade failure due to NIC rename OCPBUGS-11510 - Setting cpu-quota.crio.io to `disable` with crun causes container creation to fail OCPBUGS-11511 - [4.13] static container pod cannot be running due to CNI request failed with status 400 OCPBUGS-11529 - [Azure] fail to collect the vm serial log with ?gather bootstrap? OCPBUGS-11536 - Cluster monitoring operator runs node-exporter with btrfs collector OCPBUGS-11545 - multus-admission-controller should not run as root under Hypershift-managed CNO OCPBUGS-11558 - multus-admission-controller should not run as root under Hypershift-managed CNO OCPBUGS-11589 - Ensure systemd is compatible with rhel8 journalctl OCPBUGS-11598 - openshift-azure-routes triggered continously on rhel9 OCPBUGS-11606 - User configured In-cluster proxy configuration squashed in hypershift OCPBUGS-11643 - Updating kube-rbac-proxy images to be consistent with ART OCPBUGS-11657 - [4.13] Static IPv6 LACP bonding is randomly failing in RHCOS 413.92 OCPBUGS-11659 - Error extracting libnmstate.so.1.3.3 when create image OCPBUGS-11661 - AWS s3 policy changes block all OCP installs on AWS OCPBUGS-11669 - Bump to kubernetes 1.26.3 OCPBUGS-11683 - [4.13] Add Controller health to CEO liveness probe OCPBUGS-11694 - [4.13] Update legacy toolbox to use registry.redhat.io/rhel9/support-tools OCPBUGS-11706 - ccoctl cannot create STS documents in 4.10-4.13 due to s3 policy changes OCPBUGS-11750 - TuningCNI cnf-test failure: sysctl allowlist update OCPBUGS-11765 - [4.13] Keep current OpenSSH default config in RHCOS 9 OCPBUGS-11776 - [4.13] VSphereStorageDriver does not document the platform default OCPBUGS-11778 - Upgrade SNO: no resolv.conf caused by failure in forcedns dispatcher script OCPBUGS-11787 - Update 4.14 ose-vmware-vsphere-csi-driver image to be consistent with ART OCPBUGS-11789 - [4.13] Bootimage bump tracker OCPBUGS-11799 - [4.13] Bootimage bump tracker OCPBUGS-11823 - [Reliability]kube-apiserver's memory usage keep increasing to max 3GB in 7 days OCPBUGS-11848 - PtpOperatorsConfig not applying correctly OCPBUGS-11866 - Pipeline is not removed when Deployment/DC/Knative Service or Application is deleted OCPBUGS-11870 - [4.13] Nodes in Ironic are created without namespaces initially OCPBUGS-11876 - oc-mirror generated file-based catalogs crashloop OCPBUGS-11908 - Got the `file exists` error when different digest direct to the same tag OCPBUGS-11917 - the warn message won't disappear in co/node-tuning when scale down machineset OCPBUGS-11919 - Console metrics could have a high cardinality (4.13) OCPBUGS-11950 - fail to create vSphere IPI cluster as apiVIP and ingressVIP are not in machine networks OCPBUGS-11955 - NTP config not applied OCPBUGS-11968 - Instance shouldn't be moved back from f to a OCPBUGS-11985 - [4.13] Ironic inspector service should be proxied OCPBUGS-12172 - Users don't know what type of resource is being created by Import from Git or Deploy Image flows OCPBUGS-12179 - agent-tui is failing to start when using libnmstate.2 OCPBUGS-12186 - Pipeline doesn't render correctly when displayed but looks fine in edit mode OCPBUGS-12198 - create hosted cluster failed with aws s3 access issue OCPBUGS-12212 - cluster failed to convert from dualstack to ipv4 single stack OCPBUGS-12225 - Add new OCP 4.13 storage admission plugin OCPBUGS-12257 - Catalogs rebuilt by oc-mirror are in crashloop : cache is invalid OCPBUGS-12259 - oc-mirror fails to complete with heads only complaining about devworkspace-operator OCPBUGS-12271 - Hypershift conformance test fails new cpu partitioning tests OCPBUGS-12272 - Importing a kn Service shows a non-working Open URL decorator also when the Add Route checkbox was unselected OCPBUGS-12273 - When Creating Sample Devfile from the Samples Page, Topology Icon is not set OCPBUGS-12450 - [4.13] Fix Flake TestAttemptToScaleDown/scale_down_only_by_one_machine_at_a_time OCPBUGS-12465 - --use-oci-feature leads to confusion and needs to be better named OCPBUGS-12478 - CSI driver + operator containers are not pinned to mgmt cores OCPBUGS-1264 - e2e-vsphere-zones failing due to unable to parse cloud-config OCPBUGS-12698 - redfish-virtualmedia mount not working OCPBUGS-12703 - redfish-virtualmedia mount not working OCPBUGS-12708 - [4.13] Changing a PreprovisioningImage ImageURL and/or ExtraKernelParams should reboot the host OCPBUGS-1272 - "opm alpha render-veneer basic" doesn't support pipe stdin OCPBUGS-12737 - Multus admission controller must have "hypershift.openshift.io/release-image" annotation when CNO is managed by Hypershift OCPBUGS-12786 - OLM CatalogSources in guest cluster cannot pull images if pre-GA OCPBUGS-12804 - Dual stack VIPs incompatible with EnableUnicast setting OCPBUGS-12854 - `cluster-reader` role cannot access "k8s.ovn.org" API Group resources OCPBUGS-12862 - IPv6 ingress VIP not configured in keepalived on vSphere Dual-stack OCPBUGS-12865 - Kubernetes-NMState CI is perma-failing OCPBUGS-12933 - Node Tuning Operator crashloops when in Hypershift mode OCPBUGS-12994 - TCP DNS Local Preference is not working for Openshift SDN OCPBUGS-12999 - Backport owners through 4.13, 4.12 OCPBUGS-13029 - Update Cluster Sample Operator dependencies and libraries for OCP 4.13 OCPBUGS-13057 - ppc64le releases don't install because ovs fails to start (invalid permissions) OCPBUGS-13069 - [whereabouts-cni] CNO must use reconciliation controller in order to support dual stack in 4.12 [4.13 dependency] OCPBUGS-13071 - CI fails on TestClientTLS OCPBUGS-13072 - Capture tests don't work in OVNK OCPBUGS-13076 - Load balancers/ Ingress controller removal race condition OCPBUGS-13157 - CI fails on TestRouterCompressionOperation OCPBUGS-13254 - Nutanix cloud provider should use Kubernetes 1.26 dependencies OCPBUGS-1327 - [IBMCloud] Worker machines unreachable during initial bring up OCPBUGS-1352 - OVN silently failing in case of a stuck pod OCPBUGS-1427 - Ignore non-ready endpoints when processing endpointslices OCPBUGS-1428 - service account token secret reference OCPBUGS-1435 - [Ingress Node Firewall Operator] [Web Console] Allow user to override namespace where the operator is installed, currently user can install it only in openshift-operators ns OCPBUGS-1443 - Unable to get ClusterVersion error while upgrading 4.11 to 4.12 OCPBUGS-1453 - TargetDown alert expression is NOT correctly joining kube-state-metrics metric OCPBUGS-1458 - cvo pod crashloop during bootstrap: featuregates: connection refused OCPBUGS-1486 - Avoid re-metric'ing the pods that are already setup when ovnkube-master disrupts/reinitializes/restarts/goes through leader election OCPBUGS-1557 - Default to floating automaticRestart for new GCP instances OCPBUGS-1560 - [vsphere] installation fails when only configure single zone in install-config OCPBUGS-1565 - Possible split brain with keepalived unicast OCPBUGS-1566 - Automation Offline CPUs Test cases OCPBUGS-1577 - Incorrect network configuration in worker node with two interfaces OCPBUGS-1604 - Common resources out-of-date when using multicluster switcher OCPBUGS-1606 - Multi-cluster: We should not filter OLM catalog by console pod architecture and OS on managed clusters OCPBUGS-1612 - [vsphere] installation errors out when missing topology in a failure domain OCPBUGS-1617 - Remove unused node.kubernetes.io/not-reachable toleration OCPBUGS-1627 - [vsphere] installation fails when setting user-defined folder in failure domain OCPBUGS-1646 - [osp][octavia lb] LBs type svcs not updated until all the LBs are created OCPBUGS-166 - 4.11 SNOs fail to complete install because of "failed to get pod annotation: timed out waiting for annotations: context deadline exceeded" OCPBUGS-1665 - Scorecard failed because of the request of PodSecurity OCPBUGS-1671 - Creating a statefulset with the example image from the UI on ARM64 leads to a Pod in crashloopbackoff due to the only-amd64 image provided OCPBUGS-1704 - [gcp] when the optional Service Usage API is disabled, IPI installation cannot succeed OCPBUGS-1725 - Affinity rule created in router deployment for single-replica infrastructure and "NodePortService" endpoint publishing strategy OCPBUGS-1741 - Can't load additional Alertmanager templates with latest 4.12 OpenShift OCPBUGS-1748 - PipelineRun templates must be fetched from OpenShift namespace OCPBUGS-1761 - osImages that cannot be pulled do not set the node as Degraded properly OCPBUGS-1769 - gracefully fail when iam:GetRole is denied OCPBUGS-1778 - Can't install clusters with schedulable masters OCPBUGS-1791 - Wait-for install-complete did not exit upon completion. OCPBUGS-1805 - [vsphere-csi-driver-operator] CSI cloud.conf doesn't list multiple datacenters when specified OCPBUGS-1807 - Ingress Operator startup bad log message formatting OCPBUGS-1844 - Ironic dnsmasq doesn't include existing DNS settings during iPXE boot OCPBUGS-1852 - [RHOCP 4.10] Subscription tab for operator doesn't land on correct URL OCPBUGS-186 - PipelineRun task status overlaps status text OCPBUGS-1998 - Cluster monitoring fails to achieve new level during upgrade w/ unavailable node OCPBUGS-2015 - TestCertRotationTimeUpgradeable failing consistently in kube-apiserver-operator OCPBUGS-2083 - OCP 4.10.33 uses a weak 3DES cipher in the VMWare CSI Operator for communication and provides no method to disable it OCPBUGS-2088 - User can set rendezvous host to be a worker OCPBUGS-2141 - doc link in PrometheusDataPersistenceNotConfigured message is 4.8 OCPBUGS-2145 - 'maxUnavailable' and 'minAvailable' on PDB creation page - i18n misses OCPBUGS-2209 - Hard eviction thresholds is different with k8s default when PAO is enabled OCPBUGS-2248 - [alibabacloud] IPI installation failed with master nodes being NotReady and CCM error "alicloud: unable to split instanceid and region from providerID" OCPBUGS-2260 - KubePodNotReady - Increase Tolerance During Master Node Restarts OCPBUGS-2306 - On Make Serverless page, to change values of the inputs minpod, maxpod and concurrency fields, we need to click the ? + ? or ? - ', it can't be changed by typing in it. OCPBUGS-2319 - metal-ipi upgrade success rate dropped 30+% in last week OCPBUGS-2384 - [2035720] [IPI on Alibabacloud] deploying a private cluster by 'publish: Internal' failed due to 'dns_public_record' OCPBUGS-2440 - unknown field logs in prometheus-operator OCPBUGS-2471 - BareMetalHost is available without cleaning if the cleaning attempt fails OCPBUGS-2479 - Right border radius is 0 for the pipeline visualization wrapper in dark mode OCPBUGS-2500 - Developer Topology always blanks with large contents when first rendering OCPBUGS-2513 - Disconnected cluster installation fails with pull secret must contain auth for "registry.ci.openshift.org" OCPBUGS-2525 - [CI Watcher] Ongoing timeout failures associated with multiple CRD-extensions tests OCPBUGS-2532 - Upgrades from 4.11.9 to latest 4.12.x Nightly builds do not succeed OCPBUGS-2551 - "Error loading" when normal user check operands on All namespaces OCPBUGS-2569 - ovn-k network policy races OCPBUGS-2579 - Helm Charts and Samples are not disabled in topology actions if actions are disabled in customization OCPBUGS-266 - Project Access tab cannot differentiate between users and groups OCPBUGS-2666 - `create a project` link not backed by RBAC check OCPBUGS-272 - Getting duplicate word "find" when kube-apiserver degraded=true if webhook matches a virtual resource OCPBUGS-2727 - ClusterVersionRecommendedUpdate condition blocks explicitly allowed upgrade which is not in the available updates OCPBUGS-2729 - should ignore enP.* NICs from node-exporter on Azure cluster OCPBUGS-2735 - Operand List Page Layout Incorrect on small screen size. OCPBUGS-2738 - CVE-2022-26945 CVE-2022-30321 CVE-2022-30322 CVE-2022-30323 ose-baremetal-installer-container: various flaws [openshift-4.13.z] OCPBUGS-2824 - The dropdown list component will be covered by deployment details page on Topology page OCPBUGS-2827 - OVNK: NAT issue for packets exceeding check_pkt_larger() for NodePort services that route to hostNetworked pods OCPBUGS-2841 - Need validation rule for supported arch OCPBUGS-2845 - Unable to use application credentials for Cinder CSI after OpenStack credentials update OCPBUGS-2847 - GCP XPN should only be available with Tech Preview OCPBUGS-2851 - [OCI feature] registries.conf support in oc mirror OCPBUGS-2852 - etcd failure: failed to make etcd client for endpoints [https://[2620:52:0:1eb:367x:5axx:xxx:xxx]:2379]: context deadline exceeded OCPBUGS-2868 - Container networking pods cannot be access hosted network pods on another node in ipv6 single stack cluster OCPBUGS-2873 - Prometheus doesn't reload TLS certificate and key files on disk OCPBUGS-2886 - The LoadBalaner section shouldn't be set when using Kuryr on cloud-provider OCPBUGS-2891 - AWS Deprovision Fails with unrecognized elastic load balancing resource type listener OCPBUGS-2895 - [RFE] 4.11 Azure DiskEncryptionSet static validation does not support upper-case letters OCPBUGS-2904 - If all the actions are disabled in add page, Details on/off toggle switch to be disabled OCPBUGS-2907 - provisioning of baremetal nodes fails when using multipath device as rootDeviceHints OCPBUGS-2921 - br-ex interface not configured makes ovnkube-node Pod to crashloop OCPBUGS-2922 - 'Status' column sorting doesn't work as expected OCPBUGS-2926 - Unable to gather OpenStack console logs since kernel cmd line has no console args OCPBUGS-2934 - Ingress node firewall pod 's events container on the node causing pod in CrashLoopBackOff state when sctp module is loaded on node OCPBUGS-2941 - CIRO unable to detect swift when content-type is omitted in 204-responses OCPBUGS-2946 - [AWS] curl network Loadbalancer always get "Connection time out" OCPBUGS-2948 - Whereabouts CNI timesout while iterating exclude range OCPBUGS-2988 - apiserver pods cannot reach etcd on single node IPv6 cluster: transport: authentication handshake failed: x509: certificate is valid for ::1, 127.0.0.1, ::1, fd69::2, not 2620:52:0:198::10" OCPBUGS-2991 - CI jobs are failing with: admission webhook "validation.csi.vsphere.vmware.com" denied the request OCPBUGS-2992 - metal3 pod crashloops on OKD in BareMetal IPI or assisted-installer bare metal installations OCPBUGS-2994 - Keepalived monitor stuck for long period of time on kube-api call while installing OCPBUGS-2996 - [4.13] Bootimage bump tracker OCPBUGS-3018 - panic in WaitForBootstrapComplete OCPBUGS-3021 - GCP: missing me-west1 region OCPBUGS-3024 - Service list shows undefined:80 when type is ExternalName or LoadBalancer OCPBUGS-3027 - Metrics are not available when running console in development mode OCPBUGS-3029 - BareMetalHost CR fails to delete on cluster cleanup OCPBUGS-3033 - Clicking the logo in the masthead goes to `/dashboards`, even if metrics are disabled OCPBUGS-3041 - Guard Pod Hostnames Too Long and Truncated Down Into Collisions With Other Masters OCPBUGS-3069 - Should show information on page if the upgrade to a target version doesn't take effect. OCPBUGS-3072 - Operator-sdk run bundle with old sqllite index image failed OCPBUGS-3079 - RPS hook only sets the first queue, but there are now many OCPBUGS-3085 - [IPI-BareMetal]: Dual stack deployment failed on BootStrap stage OCPBUGS-3093 - The control plane should tag AWS security groups at creation OCPBUGS-3096 - The terraform binaries shipped by the installer are not statically linked OCPBUGS-3109 - Change text colour for ConsoleNotification that notifies user that the cluster is being OCPBUGS-3114 - CNO reporting incorrect status OCPBUGS-3123 - Operator attempts to render both GA and Tech Preview API Extensions OCPBUGS-3127 - nodeip-configuration retries forever on network failure, blocking ovs-configuration, spamming syslog OCPBUGS-3168 - Add Capacity button does not exist after upgrade OCP version [OCP4.11->OCP4.12] OCPBUGS-3172 - Console shouldn't try to install dynamic plugins if permissions aren't available OCPBUGS-3180 - Regression in ptp-operator conformance tests OCPBUGS-3186 - [ibmcloud] unclear error msg when zones is not match with the Subnets in BYON install OCPBUGS-3192 - [4.8][OVN] RHEL 7.9 DHCP worker ovs-configuration fails OCPBUGS-3195 - Service-ca controller exits immediately with an error on sigterm OCPBUGS-3206 - [sdn2ovn] Migration failed in vsphere cluster OCPBUGS-3207 - SCOS build fails due to pinned kernel OCPBUGS-3214 - Installer does not always add router CA to kubeconfig OCPBUGS-3228 - Broken secret created while starting a Pipeline OCPBUGS-3235 - Topology gets stuck loading OCPBUGS-3245 - ovn-kubernetes ovnkube-master containers crashlooping after 4.11.0-0.okd-2022-10-15-073651 update OCPBUGS-3248 - CVE-2022-27191 ose-installer-container: golang: crash in a golang.org/x/crypto/ssh server [openshift-4] OCPBUGS-3253 - No warning when using wait-for vs. agent wait-for commands OCPBUGS-3272 - Unhealthy Readiness probe failed message failing CI when ovnkube DBs are still coming up OCPBUGS-3275 - No-op: Unable to retrieve machine from node "xxx": expecting one machine for node xxx got: [] OCPBUGS-3277 - Install failure in create-cluster-and-infraenv.service OCPBUGS-3278 - Shouldn't need to put host data in platform baremetal section in installconfig OCPBUGS-3280 - Install ends in preparing-failed due to container-images-available validation OCPBUGS-3283 - remove unnecessary RBAC in KCM OCPBUGS-3292 - DaemonSet "/openshift-network-diagnostics/network-check-target" is not available OCPBUGS-3314 - 'gitlab.secretReference' disappears when the buildconfig is edited on ?From View? OCPBUGS-3316 - Branch name should sanitised to match actual github branch name in repository plr list OCPBUGS-3320 - New master will be created if add duplicated failuredomains in controlplanemachineset OCPBUGS-3331 - Update dependencies in CMO release 4.13 OCPBUGS-3334 - Console should be using v1 apiVersion for ConsolePlugin model OCPBUGS-3337 - revert "force cert rotation every couple days for development" in 4.12 OCPBUGS-3338 - Environment cannot find Python OCPBUGS-3358 - Revert BUILD-407 OCPBUGS-3372 - error message is too generic when creating a silence with end time before start OCPBUGS-3373 - cluster-monitoring-view user can not list servicemonitors on "Observe -> Targets" page OCPBUGS-3377 - CephCluster and StorageCluster resources use the same paths OCPBUGS-3381 - Make ovnkube-trace work on hypershift deployments OCPBUGS-3382 - Unable to configure cluster-wide proxy OCPBUGS-3391 - seccomp profile unshare.json missing from nodes OCPBUGS-3395 - Event Source is visible without even creating knative-eventing and knative-serving. OCPBUGS-3404 - IngressController.spec.nodePlacement.nodeSelector.matchExpressions does not work OCPBUGS-3414 - Missing 'ImageContentSourcePolicy' and 'CatalogSource' in the oci fbc feature implementation OCPBUGS-3424 - Azure Disk CSI Driver Operator gets degraded without "CSISnapshot" capability OCPBUGS-3426 - Update Cluster Sample Operator dependencies and libraries for OCP 4.13 OCPBUGS-3427 - Skip broken [sig-devex][Feature:ImageEcosystem] tests OCPBUGS-3438 - cloud-network-config-controller not using proxy settings of the management cluster OCPBUGS-3440 - Authentication operator doesn't respond to console being enabled OCPBUGS-3441 - Update cluster-authentication-operator not to go degraded without console OCPBUGS-3444 - [4.13] Descheduler pod is OOM killed when using descheduler-operator profiles on big clusters OCPBUGS-3456 - track `rhcos-4.12` branch for fedora-coreos-config submodule OCPBUGS-3458 - Surface ClusterVersion RetrievedUpdates condition messages OCPBUGS-3465 - IBM operator needs deployment manifest fixes OCPBUGS-3473 - Allow listing crio and kernel versions in machine-os components OCPBUGS-3476 - Show Tag label and tag name if tag is detected in repository PipelineRun list and details page OCPBUGS-3480 - Baremetal Provisioning fails on HP Gen9 systems due to eTag handling OCPBUGS-3499 - Route CRD validation behavior must be the same as openshift-apiserver behavior OCPBUGS-3501 - Route CRD host-assignment behavior must be the same as openshift-apiserver behavior OCPBUGS-3502 - CRD-based and openshift-apiserver-based Route validation/defaulting must use the shared implementation OCPBUGS-3508 - masters repeatedly losing connection to API and going NotReady OCPBUGS-3524 - The storage account for the CoreOS image is publicly accessible when deploying fully private cluster on Azure OCPBUGS-3526 - oc fails to extract layers that set xattr on Darwin OCPBUGS-3539 - [OVN-provider]loadBalancer svc with monitors not working OCPBUGS-3612 - [IPI] Baremetal ovs-configure.sh script fails to start secondary bridge br-ex1 OCPBUGS-3621 - EUS upgrade stuck on worker pool update: error running skopeo inspect --no-tags OCPBUGS-3648 - Container security operator Image Manifest Vulnerabilities encounters runtime errors under some circumstances OCPBUGS-3659 - Expose AzureDisk metrics port over HTTPS OCPBUGS-3662 - don't enforce PSa in 4.12 OCPBUGS-3667 - PTP 4.12 Regression - CLOCK REALTIME status is locked when physical interface is down OCPBUGS-3668 - 4.12.0-rc.0 fails to deploy on VMware IPI OCPBUGS-3676 - After node's reboot some pods fail to start - deleteLogicalPort failed for pod cannot delete GR SNAT for pod OCPBUGS-3693 - Router e2e: drop template.openshift.io apigroup dependency OCPBUGS-3709 - Special characters in subject name breaks prefilling role binding form OCPBUGS-3713 - [vsphere-problem-detector] fully qualified username must be used when checking permissions OCPBUGS-3714 - 'oc adm upgrade ...' should expose ClusterVersion Failing=True OCPBUGS-3739 - Pod stuck in containerCreating state when the node on which it is running is Terminated OCPBUGS-3744 - Egress router POD creation is failing while using openshift-sdn network plugin OCPBUGS-3755 - Create Alertmanager silence form does not explain the new "Negative matcher" option OCPBUGS-3761 - Consistent e2e test failure:Events.Events: event view displays created pod OCPBUGS-3765 - [RFE] Add kernel-rpm-macros to DTK image OCPBUGS-3771 - contrib/multicluster-environment.sh needs to be updated to work with ACM cluster proxy OCPBUGS-3776 - Manage columns tooltip remains displayed after dialog is closed OCPBUGS-3777 - [Dual Stack] ovn-ipsec crashlooping due to cert signing issues OCPBUGS-3797 - [4.13] Bump OVS control plane to get "ovsdb/transaction.c: Refactor assess_weak_refs." OCPBUGS-3822 - Cluster-admin cannot know whether operator is fully deleted or not after normal user trigger "Delete CSV" OCPBUGS-3827 - CCM not able to remove a LB in ERROR state OCPBUGS-3877 - RouteTargetReference missing default for "weight" in Route CRD v1 schema OCPBUGS-3880 - [Ingress Node Firewall] Change the logo used for ingress node firewall operator OCPBUGS-3883 - Hosted ovnkubernetes pods are not being spread among workers evenly OCPBUGS-3896 - Console nav toggle button reports expanded in both expanded and not expanded states OCPBUGS-3904 - Delete/Add a failureDomain in CPMS to trigger update cannot work right on GCP OCPBUGS-3909 - Node is degraded when a machine config deploys a unit with content and mask=true OCPBUGS-3916 - expr for SDNPodNotReady is wrong due to there is not node label for kube_pod_status_ready OCPBUGS-3919 - Azure: unable to configure EgressIP if an ASG is set OCPBUGS-3921 - Openshift-install bootstrap operation cannot find a cloud defined in clouds.yaml in the current directory OCPBUGS-3923 - [CI] cluster-monitoring-operator produces more watch requests than expected OCPBUGS-3924 - Remove autoscaling/v2beta2 in 4.12 and later OCPBUGS-3929 - Use flowcontrol/v1beta2 for apf manifests in 4.13 OCPBUGS-3931 - When all extensions are installed, "libkadm5" rpm package is duplicated in the `rpm -q` command OCPBUGS-3933 - Fails to deprovision cluster when swift omits 'content-type' OCPBUGS-3945 - Handle 0600 kubeconfig OCPBUGS-3951 - Dynamic plugin extensions disappear from the UI when a codeRef fails to load OCPBUGS-3960 - Use kernel-rt from ose repo OCPBUGS-3965 - must-gather namespace should have ?privileged? warn and audit pod security labels besides enforce OCPBUGS-3973 - [SNO] csi-snapshot-controller CO is degraded when upgrade from 4.12 to 4.13 and reports permissions issue. OCPBUGS-3974 - CIRO panics when suspended flag is nil OCPBUGS-3975 - "Failed to open directory, disabling udev device properties" in node-exporter logs OCPBUGS-3978 - AWS EBS CSI driver operator is degraded without "CSISnapshot" capability OCPBUGS-3985 - Allow PSa enforcement in 4.13 by using featuresets OCPBUGS-3987 - Some nmstate validations are skipped when NM config is in agent-config.yaml OCPBUGS-3990 - HyperShift control plane operators have wrong priorityClass OCPBUGS-3993 - egressIP annotation including two interfaces when multiple networks OCPBUGS-4000 - fix operator naming convention OCPBUGS-4008 - Console deployment does not roll out when managed cluster configmap is updated OCPBUGS-4012 - Disabled Serverless add actions should not be displayed in topology menu OCPBUGS-4026 - Endless rerender loop and a stuck browser on the add and topology page when SBO is installed OCPBUGS-4047 - [CI-Watcher] e2e test flake: Create key/value secrets Validate a key/value secret OCPBUGS-4049 - MCO reconcile fails if user replace the pull secret to empty one OCPBUGS-4052 - [ALBO] OpenShift Load Balancer Operator does not properly support cluster wide proxy OCPBUGS-4054 - cluster-ingress-operator's configurable-route controller's startup is noisy OCPBUGS-4089 - Kube-State-metrics pod fails to start due to panic OCPBUGS-4090 - OCP on OSP - Image registry is deployed with cinder instead of swift storage backend OCPBUGS-4101 - Empty/missing node-sizing SYSTEM_RESERVED_ES parameter can result in kubelet not starting OCPBUGS-4110 - Form footer buttons are misaligned in web terminal form OCPBUGS-4119 - Random SYN drops in OVS bridges of OVN-Kubernetes OCPBUGS-4166 - Update Cluster Sample Operator dependencies and libraries for OCP 4.13 OCPBUGS-4168 - Prometheus continuously restarts due to slow WAL replay OCPBUGS-4173 - vsphere-problem-detector should re-check passwords after change OCPBUGS-4181 - Prometheus and Alertmanager incorrect ExternalURL configured OCPBUGS-4184 - Use mTLS authentication for all monitoring components instead of bearer token OCPBUGS-4203 - Unnecessary padding around alert atop debug pod terminal OCPBUGS-4206 - getContainerStateValue contains incorrectly internationalized text OCPBUGS-4207 - Remove debug level logging on openshift-config-operator OCPBUGS-4219 - Add runbook link to PrometheusRuleFailures OCPBUGS-4225 - [4.13] boot sequence override request fails with Base.1.8.PropertyNotWritable on Lenovo SE450 OCPBUGS-4232 - CNCC: Wrong log format for Azure locking OCPBUGS-4245 - L2 does not work if a metallb is not able to listen to arp requests on a single interface OCPBUGS-4252 - Node Terminal tab results in error OCPBUGS-4253 - Add PodNetworkConnectivityCheck for must-gather OCPBUGS-4266 - crio.service should use a more safe restart policy to provide recoverability against concurrency issues OCPBUGS-4279 - Custom Victory-Core components in monitoring ui code causing build issues OCPBUGS-4280 - Return 0 when `oc import-image` failed OCPBUGS-4282 - [IR-269]Can't pull sub-manifest image using imagestream of manifest list OCPBUGS-4291 - [OVN]Sometimes after reboot egress node, egress IP cannot be applied anymore. OCPBUGS-4293 - Specify resources.requests for operator pod OCPBUGS-4298 - Specify resources.requests for operator pod OCPBUGS-4302 - Specify resources.requests for operator pod OCPBUGS-4305 - [4.13] Improve ironic logging configuration in metal3 OCPBUGS-4317 - [IBM][4.13][Snapshot] restore size in snapshot is not the same size of pvc request size OCPBUGS-4328 - Update installer images to be consistent with ART OCPBUGS-434 - After FIPS enabled in S390X, ingress controller in degraded state OCPBUGS-4343 - Use flowcontrol/v1beta3 for apf manifests in 4.13 OCPBUGS-4347 - set TLS cipher suites in Kube RBAC sidecars OCPBUGS-4350 - CNO in HyperShift reports upgrade complete in clusteroperator prematurely OCPBUGS-4352 - [RHOCP] HPA shows different API versions in web console OCPBUGS-4357 - Bump samples operator k8s dep to 1.25.2 OCPBUGS-4359 - cluster-dns-operator corrupts /etc/hosts when fs full OCPBUGS-4367 - Debug log messages missing from output and Info messages malformed OCPBUGS-4377 - Service name search ability while creating the Route from console OCPBUGS-4401 - limit cluster-policy-controller RBAC permissions OCPBUGS-4411 - ovnkube node pod crashed after converting to a dual-stack cluster network OCPBUGS-4417 - ip-reconciler removes the overlappingrangeipreservations whether the pod is alive or not OCPBUGS-4425 - Egress FW ACL rules are invalid in dualstack mode OCPBUGS-4447 - [MetalLB Operator] The CSV needs an update to reflect the correct version of operator OCPBUGS-446 - Cannot Add a project from DevConsole in airgap mode using git importing OCPBUGS-4483 - apply retry logic to ovnk-node controllers OCPBUGS-4490 - hypershift: csi-snapshot-controller uses wrong kubeconfig OCPBUGS-4491 - hypershift: aws-ebs-csi-driver-operator uses wrong kubeconfig OCPBUGS-4492 - [4.13] The property TransferProtocolType is required for VirtualMedia.InsertMedia OCPBUGS-4502 - [4.13] [OVNK] Add support for service session affinity timeout OCPBUGS-4516 - `oc-mirror` does not work as expected relative path for OCI format copy OCPBUGS-4517 - Better to detail the --command-os of mac for `oc adm release extract` command OCPBUGS-4521 - all kubelet targets are down after a few hours OCPBUGS-4524 - Hold lock when deleting completed pod during update event OCPBUGS-4525 - Don't log in iterateRetryResources when there are no retry entries OCPBUGS-4535 - There is no 4.13 gcp-filestore-csi-driver-operator version for test OCPBUGS-4536 - Image registry panics while deploying OCP in eu-south-2 AWS region OCPBUGS-4537 - Image registry panics while deploying OCP in eu-central-2 AWS region OCPBUGS-4538 - Image registry panics while deploying OCP in ap-south-2 AWS region OCPBUGS-4541 - Azure: remove deprecated ADAL OCPBUGS-4546 - CVE-2021-38561 ose-installer-container: golang: out-of-bounds read in golang.org/x/text/language leads to DoS [openshift-4] OCPBUGS-4549 - Azure: replace deprecated AD Graph API OCPBUGS-4550 - [CI] console-operator produces more watch requests than expected OCPBUGS-4571 - The operator recommended namespace is incorrect after change installation mode to "A specific namespace on the cluster" OCPBUGS-4574 - Machine stuck in no phase when creating in a nonexistent zone and stuck in Deleting when deleting on GCP OCPBUGS-463 - OVN-Kubernetes should not send IPs with leading zeros to OVN OCPBUGS-4630 - Bump documentationBaseURL to 4.13 OCPBUGS-4635 - [OCP 4.13] ironic container images have old packages OCPBUGS-4638 - Support RHOBS monitoring for HyperShift in CNO OCPBUGS-4652 - Fixes for RHCOS 9 based on RHEL 9.0 OCPBUGS-4654 - Azure: UPI: Fix storage arm template to work with Galleries and MAO OCPBUGS-4659 - Network Policy executes duplicate transactions for every pod update OCPBUGS-4684 - In DeploymentConfig both the Form view and Yaml view are not in sync OCPBUGS-4689 - SNO not able to bring up Provisioning resource in 4.11.17 OCPBUGS-4691 - Topology sidebar actions doesn't show the latest resource data OCPBUGS-4692 - PTP operator: Use priority class node critical OCPBUGS-4700 - read-only update UX: confusing "Update blocked" pop-up OCPBUGS-4701 - read-only update UX: confusing "Control plane is hosted" banner OCPBUGS-4703 - Router can migrate to use LivenessProbe.TerminationGracePeriodSeconds OCPBUGS-4712 - ironic-proxy daemonset not deleted when provisioningNetwork is changed from Disabled to Managed/Unmanaged OCPBUGS-4724 - [4.13] egressIP annotations not present on OpenShift on Openstack multiAZ installation OCPBUGS-4725 - mapi_machinehealthcheck_short_circuit not properly reconciling causing MachineHealthCheckUnterminatedShortCircuit alert to fire OCPBUGS-4746 - Removal of detection of host kubelet kubeconfig breaks IBM Cloud ROKS OCPBUGS-4756 - OLM generates invalid component selector labels OCPBUGS-4757 - Revert Catalog PSA decisions for 4.13 (OLM) OCPBUGS-4758 - Revert Catalog PSA decisions for 4.13 (Marketplace) OCPBUGS-4769 - Old AWS boot images vs. 4.12: unknown provider 'ec2' OCPBUGS-4780 - Update openshift/builder release-4.13 to go1.19 OCPBUGS-4781 - Get Helm Release seems to be using List Releases api OCPBUGS-4793 - CMO may generate Kubernetes events with a wrong object reference OCPBUGS-4802 - Update formatting with gofmt for go1.19 OCPBUGS-4825 - Pods completed + deleted may leak OCPBUGS-4827 - Ingress Controller is missing a required AWS resource permission for SC2S region us-isob-east-1 OCPBUGS-4873 - openshift-marketplace namespace missing "audit-version" and "warn-version" PSA label OCPBUGS-4874 - Baremetal host data is still sometimes required OCPBUGS-4883 - Default Git type to other info alert should get remove after changing the git type OCPBUGS-4894 - Disabled Serverless add actions should not be displayed for Knative Service OCPBUGS-4899 - coreos-installer output not available in the logs OCPBUGS-4900 - Volume limits test broken on AWS and GCP TechPreview clusters OCPBUGS-4906 - Cross-namespace template processing is not being tested OCPBUGS-4909 - Can't reach own service when egress netpol are enabled OCPBUGS-4913 - Need to wait longer for VM to obtain IP from DHCP OCPBUGS-4941 - Fails to deprovision cluster when swift omits 'content-type' and there are empty containers OCPBUGS-4950 - OLM K8s Dependencies should be at 1.25 OCPBUGS-4954 - [IBMCloud] COS Reclamation prevents ResourceGroup cleanup OCPBUGS-4955 - Bundle Unpacker Using "Always" ImagePullPolicy for digests OCPBUGS-4969 - ROSA Machinepool EgressIP Labels Not Discovered OCPBUGS-4975 - Missing translation in ceph storage plugin OCPBUGS-4986 - precondition: Do not claim warnings would have blocked OCPBUGS-4997 - Agent ISO does not respect proxy settings OCPBUGS-5001 - MachineConfigControllerPausedPoolKubeletCA should have a working runbook URI OCPBUGS-501 - oc get dc fails when AllRequestBodies audit-profile is set in apiserver OCPBUGS-5010 - Should always delete the must-gather pod when run the must-gather OCPBUGS-5016 - Editing Pipeline in the ocp console to get information error OCPBUGS-5018 - Upgrade from 4.11 to 4.12 with Windows machine workers (Spot Instances) failing due to: hcnCreateEndpoint failed in Win32: The object already exists. OCPBUGS-5036 - Cloud Controller Managers do not react to changes in configuration leading to assorted errors OCPBUGS-5045 - unit test data race with egress ip tests OCPBUGS-5068 - [4.13] virtual media provisioning fails when iLO Ironic driver is used OCPBUGS-5073 - Connection reset by peer issue with SSL OAuth Proxy when route objects are created more than 80. OCPBUGS-5079 - [CI Watcher] pull-ci-openshift-console-master-e2e-gcp-console jobs: Process did not finish before 4h0m0s timeout OCPBUGS-5085 - Should only show the selected catalog when after apply the ICSP and catalogsource OCPBUGS-5101 - [GCP] [capi] Deletion of cluster is happening , it shouldn't be allowed OCPBUGS-5116 - machine.openshift.io API is not supported in Machine API webhooks OCPBUGS-512 - Permission denied when write data to mounted gcp filestore volume instance OCPBUGS-5124 - kubernetes-nmstate does not pass CVP tests in 4.12 OCPBUGS-5136 - provisioning on ilo4-virtualmedia BMC driver fails with error: "Creating vfat image failed: Unexpected error while running command" OCPBUGS-5140 - [alibabacloud] IPI install got bootstrap failure and without any node ready, due to enforced EIP bandwidth 5 Mbit/s OCPBUGS-5151 - Installer - provisioning interface on master node not getting ipv4 dhcp ip address from bootstrap dhcp server on OCP IPI BareMetal install OCPBUGS-5164 - Add support for API version v1beta1 for knativeServing and knativeEventing OCPBUGS-5165 - Dev Sandbox clusters uses clusterType OSD and there is no way to enforce DEVSANDBOX OCPBUGS-5182 - [azure] Fail to create master node with vm size in family ECIADSv5 and ECIASv5 OCPBUGS-5184 - [azure] Fail to create master node with vm size in standardNVSv4Family OCPBUGS-5188 - Wrong message in MCCDrainError alert OCPBUGS-5234 - [azure] Azure Stack Hub (wwt) UPI installation failed to scale up worker nodes using machinesets OCPBUGS-5235 - mapi_instance_create_failed metric cannot work when set acceleratedNetworking: true on Azure OCPBUGS-5269 - remove unnecessary RBAC in KCM: file removal OCPBUGS-5275 - remove unnecessary RBAC in OCM OCPBUGS-5287 - Bug with Red Hat Integration - 3scale - Managed Application Services causes operator-install-single-namespace.spec.ts to fail OCPBUGS-5292 - Multus: Interface name contains an invalid character / [ocp 4.13] OCPBUGS-5300 - WriteRequestBodies audit profile records routes/status events at RequestResponse level OCPBUGS-5306 - One old machine stuck in Deleting and many co get degraded when doing master replacement on the cluster with OVN network OCPBUGS-5346 - Reported vSphere Connection status is misleading OCPBUGS-5347 - Clusteroperator Available condition is updated every 2 mins when operator is disabled OCPBUGS-5353 - Dashboard graph should not be stacked - Kubernetes / Compute Resources / Pod Dashboard OCPBUGS-5410 - [AWS-EBS-CSI-Driver] provision volume using customer kms key couldn't restore its snapshot successfully OCPBUGS-5423 - openshift-marketplace pods cause PodSecurityViolation alert to fire OCPBUGS-5428 - Many plugin SDK extension docs are missing descriptions OCPBUGS-5432 - Downstream Operator-SDK v1.25.1 to OCP 4.13 OCPBUGS-5458 - wal: max entry size limit exceeded OCPBUGS-5465 - Context Deadline exceeded when PTP service is disabled from the switch OCPBUGS-5466 - Default CatalogSource aren't always reverted to default settings OCPBUGS-5492 - CI "[Feature:bond] should create a pod with bond interface" fail for MTU migration jobs OCPBUGS-5497 - MCDRebootError alarm disappears after 15 minutes OCPBUGS-5498 - Host inventory quick start for OCP OCPBUGS-5505 - Upgradeability check is throttled too much and with unnecessary non-determinism OCPBUGS-5508 - Report topology usage in vSphere environment via telemetry OCPBUGS-5517 - [Azure/ARO] Update Azure SDK to v63.1.0+incompatible OCPBUGS-5520 - MCDPivotError alert fires due temporary transient failures OCPBUGS-5523 - Catalog, fatal error: concurrent map read and map write OCPBUGS-5524 - Disable vsphere intree tests that exercise multiple tests OCPBUGS-5534 - [UI] When OCP and ODF are upgraded, refresh web console pop-up doesn't appear after ODF upgrade resulting in dashboard crash OCPBUGS-5540 - Typo in WTO for Milliseconds OCPBUGS-5542 - Project dropdown order is not as smart as project list page order OCPBUGS-5546 - Machine API Provider Azure should not modify the Machine spec OCPBUGS-5547 - Webhook Secret (1 of 2) is not removed when Knative Service is deleted OCPBUGS-5559 - add default noProxy config for Azure OCPBUGS-5733 - [Openshift Pipelines] Description of parameters are not shown in pipelinerun description page OCPBUGS-5734 - Azure: VIP 168.63.129.16 should be noProxy to all clouds except Public OCPBUGS-5736 - The main section of the page will keep loading after normal user login OCPBUGS-5759 - Deletion of BYOH Windows node hangs in Ready,SchedulingDisabled OCPBUGS-5802 - update sprig to v3 in cno OCPBUGS-5836 - Incorrect redirection when user try to download windows oc binary OCPBUGS-5842 - executes /host/usr/bin/oc OCPBUGS-5851 - [CI-Watcher]: Using OLM descriptor components deletes operand OCPBUGS-5873 - etcd_object_counts is deprecated and replaced with apiserver_storage_objects, causing "etcd Object Count" dashboard to only show OpenShift resources OCPBUGS-5888 - Failed to install 4.13 ocp on SNO with "error during syncRequiredMachineConfigPools" OCPBUGS-5891 - oc-mirror heads-only does not work with target name OCPBUGS-5903 - gather default ingress controller definition OCPBUGS-5922 - [2047299 Jira placeholder] nodeport not reachable port connection timeout OCPBUGS-5939 - revert "force cert rotation every couple days for development" in 4.13 OCPBUGS-5948 - Runtime error using API Explorer with AdmissionReview resource OCPBUGS-5949 - oc --icsp mapping scope does not match openshift icsp mapping scope OCPBUGS-5959 - [4.13] Bootimage bump tracker OCPBUGS-5988 - Degraded etcd on assisted-installer installation- bootstrap etcd is not removed properly OCPBUGS-5991 - Kube APIServer panics in admission controller OCPBUGS-5997 - Add Git Repository form shows empty permission content and non-working help link until a git url is entered OCPBUGS-6004 - apiserver pods cannot reach etcd on single node IPv6 cluster: transport: authentication handshake failed: x509: certificate is valid for ::1, 127.0.0.1, ::1, fd69::2, not 2620:52:0:198::10" OCPBUGS-6011 - openshift-client package has wrong version of kubectl bundled OCPBUGS-6018 - The MCO can generate a rendered config with old KubeletConfig contents, blocking upgrades OCPBUGS-6026 - cannot change /etc folder ownership inside pod OCPBUGS-6033 - metallb 4.12.0-202301042354 (OCP 4.12) refers to external image OCPBUGS-6049 - Do not show UpdateInProgress when status is Failing OCPBUGS-6053 - `availableUpdates: null` results in run-time error on Cluster Settings page OCPBUGS-6055 - thanos-ruler-user-workload-1 pod is getting repeatedly re-created after upgrade do 4.10.41 OCPBUGS-6063 - PVs(vmdk) get deleted when scaling down machineSet with vSphere IPI OCPBUGS-6089 - Unnecessary event reprocessing OCPBUGS-6092 - ovs-configuration.service fails - Error: Connection activation failed: No suitable device found for this connection OCPBUGS-6097 - CVO hotloops on ImageStream and logs the information incorrectly OCPBUGS-6098 - Show Git icon and URL in repository link in PLR details page should be based on the git provider OCPBUGS-6101 - Daemonset is not upgraded after operator upgrade OCPBUGS-6175 - Image registry Operator does not use Proxy when connecting to openstack OCPBUGS-6185 - Update 4.13 ose-cluster-config-operator image to be consistent with ART OCPBUGS-6187 - Update 4.13 openshift-state-metrics image to be consistent with ART OCPBUGS-6189 - Update 4.13 ose-cluster-authentication-operator image to be consistent with ART OCPBUGS-6191 - Update 4.13 ose-network-metrics-daemon image to be consistent with ART OCPBUGS-6197 - Update 4.13 ose-openshift-apiserver image to be consistent with ART OCPBUGS-6201 - Update 4.13 openshift-enterprise-pod image to be consistent with ART OCPBUGS-6202 - Update 4.13 ose-cluster-kube-apiserver-operator image to be consistent with ART OCPBUGS-6213 - Update 4.13 ose-machine-config-operator image to be consistent with ART OCPBUGS-6222 - Update 4.13 ose-alibaba-cloud-csi-driver image to be consistent with ART OCPBUGS-6228 - Update 4.13 coredns image to be consistent with ART OCPBUGS-6231 - Update 4.13 ose-kube-storage-version-migrator image to be consistent with ART OCPBUGS-6232 - Update 4.13 marketplace-operator image to be consistent with ART OCPBUGS-6233 - Update 4.13 ose-cluster-openshift-apiserver-operator image to be consistent with ART OCPBUGS-6234 - Update 4.13 ose-cluster-bootstrap image to be consistent with ART OCPBUGS-6235 - Update 4.13 cluster-network-operator image to be consistent with ART OCPBUGS-6238 - Update 4.13 oauth-server image to be consistent with ART OCPBUGS-6240 - Update 4.13 ose-cluster-kube-storage-version-migrator-operator image to be consistent with ART OCPBUGS-6241 - Update 4.13 operator-lifecycle-manager image to be consistent with ART OCPBUGS-6247 - Update 4.13 ose-cluster-ingress-operator image to be consistent with ART OCPBUGS-6262 - Add more logs to "oc extract" in mco-first boot service OCPBUGS-6265 - When installing SNO with bootstrap in place it takes CVO 6 minutes to acquire the leader lease OCPBUGS-6270 - Irrelevant vsphere platform data is required OCPBUGS-6272 - E2E tests: Entire pipeline flow from Builder page Start the pipeline with workspace OCPBUGS-631 - machineconfig service is failed to start because Podman storage gets corrupted OCPBUGS-6486 - Image upload fails when installing cluster OCPBUGS-6503 - admin ack test nondeterministically does a check post-upgrade OCPBUGS-6504 - IPI Baremetal Master Node in DualStack getting fd69:: address randomly, OVN CrashLoopBackOff OCPBUGS-6507 - Don't retry network policy peer pods if ips couldn't be fetched OCPBUGS-6577 - Node-exporter NodeFilesystemAlmostOutOfSpace alert exception needed OCPBUGS-6610 - Developer - Topology : 'Filter by resource' drop-down i18n misses OCPBUGS-6621 - Image registry panics while deploying OCP in ap-southeast-4 AWS region OCPBUGS-6624 - Issue deploying the master node with IPI OCPBUGS-6634 - Let the console able to build on other architectures and compatible with prow builds OCPBUGS-6646 - Ingress node firewall CI is broken with latest OCPBUGS-6647 - User Preferences - Applications : Resource type drop-down i18n misses OCPBUGS-6651 - Nodes unready in PublicAndPrivate / Private Hypershift setups behind a proxy OCPBUGS-6660 - Uninstall Operator? modal instructions always reference optional checkbox OCPBUGS-6663 - Platform baremetal warnings during create image when fields not defined OCPBUGS-6682 - [OVN] ovs-configuration vSphere vmxnet3 allmulti workaround is now permanent OCPBUGS-6698 - Fix conflict error message in cluster-ingress-operator's ensureNodePortService OCPBUGS-6700 - Cluster-ingress-operator's updateIngressClass function logs success message when error OCPBUGS-6701 - The ingress-operator spuriously updates ingressClass on startup OCPBUGS-6714 - Traffic from egress IPs was interrupted after Cluster patch to Openshift 4.10.46 OCPBUGS-672 - Redhat-operators are failing regularly due to startup probe timing out which in turn increases CPU/Mem usage on Master nodes OCPBUGS-6722 - s390x: failed to generate asset "Image": multiple "disk" artifacts found OCPBUGS-6730 - Pod latency spikes are observed when there is a compaction/leadership transfer OCPBUGS-6731 - Gathered Environment variables (HTTP_PROXY/HTTPS_PROXY) may contain sensible information and should be obfuscated OCPBUGS-6741 - opm fails to serve FBC if cachedir not provided OCPBUGS-6757 - Pipeline Repository (Pipeline-as-Code) list page shows an empty Event type column OCPBUGS-6760 - Couldn't update/delete cpms on gcp private cluster OCPBUGS-6762 - Enhance the user experience for the name-filter-input on Metrics target page OCPBUGS-6765 - "Delete dependent objects of this resource" might cause confusions OCPBUGS-6777 - [gcp][CORS-1988] "create manifests" without an existing "install-config.yaml" missing 4 YAML files in "<install dir>/openshift" which leads to "create cluster" failure OCPBUGS-6781 - gather Machine objects OCPBUGS-6797 - Empty IBMCOS storage config causes operator to crashloop OCPBUGS-6799 - Repositories list does not show the running pipelinerun as last pipelinerun OCPBUGS-6809 - Uploading large layers fails with "blob upload invalid" OCPBUGS-6811 - Update Cluster Sample Operator dependencies and libraries for OCP 4.13 OCPBUGS-6821 - Update NTO images to be consistent with ART OCPBUGS-6832 - Include openshift_apps_deploymentconfigs_strategy_total to recent_metrics OCPBUGS-6893 - Dev console doesn't finish loading for users with limited access OCPBUGS-6902 - 4.13-e2e-metal-ipi-upgrade-ovn-ipv6 on permafail OCPBUGS-6917 - MultinetworkPolicy: unknown service runtime.v1alpha2.RuntimeService OCPBUGS-6925 - Update OWNERS_ALIASES in release-4.13 branch OCPBUGS-6945 - OS Release reports incorrect version ID OCPBUGS-6953 - ovnkube-master panic nil deref OCPBUGS-6955 - panic in an ovnkube-master pod OCPBUGS-6962 - 'agent_installer' invoker not showing up in telemetry OCPBUGS-6977 - pod-identity-webhook replicas=2 is failing single node jobs OCPBUGS-6978 - Index violation on IGMP_Group during upgrade from 4.12.0 to 4.12.1 OCPBUGS-6994 - All Clusters perspective is not activated automatically when ACM is installed OCPBUGS-702 - The caBundle field of alertmanagerconfigs.monitoring.coreos.com crd is getting removed OCPBUGS-7031 - Pipelines repository list and creation form doesn't show Tech Preview status OCPBUGS-7090 - Add to navigation button in search result does nothing OCPBUGS-7102 - OLM downstream utest fails due to new release-XX+1 branch creation OCPBUGS-7106 - network-tools needs to be updated to give ovn-k master leader info OCPBUGS-7118 - OCP 4.12 does not support launching SGX enclaves OCPBUGS-7144 - On mobile screens, At pipeline details page the info alert on metrics tab is not showing correctly OCPBUGS-7149 - IPv6 multinode spoke no moving from rebooting/configuring stage OCPBUGS-7173 - [OVN] DHCP timeouts on Azure arm64, install fails OCPBUGS-7180 - [4.13] Bootimage bump tracker OCPBUGS-7186 - [gcp][CORS-2424] with "secureBoot" enabled, after deleting control-plane machine, the new machine is created with "enableSecureBoot" being False unexpectedly OCPBUGS-7195 - [CI-Watcher] e2e issue with tests: Create Samples Page Timeout Error OCPBUGS-7199 - [CI-Watcher] e2e issue with tests: Interacting with CatalogSource page OCPBUGS-7204 - Manifests generated to multiple "results-xxx" folders when using the oci feature with OCI and nonOCI catalogs OCPBUGS-7207 - MTU migration configuration is cleaned up prematurely while in progress OCPBUGS-723 - ClusterResourceQuota values are not reflecting. OCPBUGS-7268 - [4.13] Modify the PSa pod extractor to mutate pod controller pod specs OCPBUGS-7284 - Hypershift failing new SCC conformance tests OCPBUGS-7291 - ptp keeps trying to start phc2sys even if it's configured as empty string in phc2sysOpts OCPBUGS-7293 - RHCOS 9.2 Failing to Bootstrap on Metal, OpenStack, vSphere (all baremetal runtime platforms) OCPBUGS-7300 - aws-ebs-csi-driver-operator crash loops with HC proxy configured OCPBUGS-7301 - Not possible to use certain start addresses in whereabouts IPv6 range [Backport 4.13] OCPBUGS-7308 - Download kubeconfig for ServiceAccount returns error OCPBUGS-7354 - Installation failed on Azure SDN as network is degraded OCPBUGS-7356 - Default channel on OCP 4.13 should be stable-4.13 OCPBUGS-7359 - [Azure] Replace master failed as new master did not add into lb backend OCPBUGS-736 - Kuryr uses default MTU for service network OCPBUGS-7366 - [gcp] New machine stuck in Provisioning when delete one zone from cpms on gcp with customer vpc OCPBUGS-7372 - fail early on missing node status envs OCPBUGS-7374 - set default timeouts in etcdcli OCPBUGS-7391 - Monitoring operator long delay reconciling extension-apiserver-authentication OCPBUGS-7399 - In the Edit application mode, the name of the added pipeline is not displayed anymore OCPBUGS-7408 - AzureDisk CSI driver does not compile with cachito OCPBUGS-7412 - gomod dependencies failures in 4.13-4.14 container builds OCPBUGS-7417 - gomod dependencies failures in 4.13-4.14 container builds OCPBUGS-7418 - Default values for Scaling fields is not set in Create Serverless function form OCPBUGS-7419 - CVO delay when setting clusterversion available status to true OCPBUGS-7421 - Missing i18n key for PAC section in Git import form OCPBUGS-7424 - Bump cluster-ingress-operator to k8s APIs v0.26.1 OCPBUGS-7427 - dynamic-demo-plugin.spec.ts requires 10 minutes of unnecessary wait time OCPBUGS-7438 - Egress service does not handle invalid nodeSelectors correctly OCPBUGS-7482 - Fix handling of single failure-domain (non-tagged) deployments in vsphere OCPBUGS-7483 - Hypershift installs on "platform: none" are broken OCPBUGS-7488 - test flake: should not reconcile SC when state is Unmanaged OCPBUGS-7495 - Platform type is ignored OCPBUGS-7517 - Helm page crashes on old releases with a new Secret OCPBUGS-7519 - NFS Storage Tests trigger Kernel Panic on Azure and Metal OCPBUGS-7523 - Add new AWS regions for ROSA OCPBUGS-7542 - Bump router to k8s APIs v0.26.1 OCPBUGS-7555 - Enable default sysctls for kubelet OCPBUGS-7558 - Rebase coredns to 1.10.1 OCPBUGS-7563 - vSphere install can't complete with out-of-tree CCM OCPBUGS-7579 - [azure] failed to parse client certificate when using certificate-based Service Principal with passpharse OCPBUGS-7611 - PTPOperator config transportHost with AMQ is not detected OCPBUGS-7616 - vSphere multiple in-tree test failures (non-zonal) OCPBUGS-7617 - Azure Disk volume is taking time to attach/detach OCPBUGS-7622 - vSphere UPI jobs failing with 'Managed cluster should have machine resources' OCPBUGS-7648 - Bump cluster-dns-operator to k8s APIs v0.26.1 OCPBUGS-7689 - Project Admin is able to Label project with empty string in RHOCP 4 OCPBUGS-7696 - [ Azure ]not able to deploy machine with publicIp:true OCPBUGS-7707 - /etc/NetworkManager/dispatcher.d needs to be relabeled during pivot from 8.6 to 9.2 OCPBUGS-7719 - Update to 4.13.0-ec.3 stuck on leaked MachineConfig OCPBUGS-7729 - Remove ETCD liviness probe. OCPBUGS-7731 - Need to cancel threads when agent-tui timeout is stopped OCPBUGS-7733 - Afterburn fails on AWS/GCP clusters born in OCP 4.1/4.2 OCPBUGS-7743 - SNO upgrade from 4.12 to 4.13 rhel9.2 is broken cause of dnsmasq default config OCPBUGS-7750 - fix gofmt check issue in network-metrics-daemon OCPBUGS-7754 - ART having trouble building olm images OCPBUGS-7774 - RawCNIConfig is printed in byte representation on failure, not human readable OCPBUGS-7785 - migrate to using Lease for leader election OCPBUGS-7806 - add "nfs-export" under PV details page OCPBUGS-7809 - sg3_utils package is missing in the assisted-installer-agent Docker file OCPBUGS-781 - ironic-proxy is using a deprecated field to fetch cluster VIP OCPBUGS-7833 - Storage tests failing in no-capabilities job OCPBUGS-7837 - hypershift: aws-ebs-csi-driver-operator uses guest cluster proxy causing PV provisioning failure OCPBUGS-7860 - [azure] message is unclear when missing clientCertificatePassword in osServicePrincipal.json OCPBUGS-7876 - [Descheduler] Enabling LifeCycleUtilization to test namespace filtering does not work OCPBUGS-7879 - Devfile isn't be processed correctly on 'Add from git repo' OCPBUGS-7896 - MCO should not add keepalived pod manifests in case of VSPHERE UPI OCPBUGS-7899 - ODF Monitor pods failing to be bounded because timeout issue with thin-csi SC OCPBUGS-7903 - Pool degraded with error: rpm-ostree kargs: signal: terminated OCPBUGS-7909 - Baremetal runtime prepender creates /etc/resolv.conf mode 0600 and bad selinux context OCPBUGS-794 - OLM version rule is not clear OCPBUGS-7940 - apiserver panics in admission controller OCPBUGS-7943 - AzureFile CSI driver does not compile with cachito OCPBUGS-7970 - [E2E] Always close the filter dropdown in listPage.filter.by OCPBUGS-799 - Reply packet for DNS conversation to service IP uses pod IP as source OCPBUGS-8066 - Create Serverless Function form breaks if Pipeline Operator is not installed OCPBUGS-8086 - Visual issues with listing items OCPBUGS-8243 - [release 4.13] Gather Monitoring pods' Persistent Volumes OCPBUGS-8308 - Bump openshift/kubernetes to 1.26.2 OCPBUGS-8312 - IPI on Power VS clusters cannot deploy MCO OCPBUGS-8326 - Azure cloud provider should use Kubernetes 1.26 dependencies OCPBUGS-8341 - Unable to set capabilities with agent installer based installation OCPBUGS-8342 - create cluster-manifests fails when imageContentSources is missing OCPBUGS-8353 - PXE support is incomplete OCPBUGS-8381 - Console shows x509 error when requesting token from oauth endpoint OCPBUGS-8401 - Bump openshift/origin to kube 1.26.2 OCPBUGS-8424 - ControlPlaneMachineSet: Machine's Node should be Ready to consider the Machine Ready OCPBUGS-8445 - cgroups default setting in OCP 4.13 generates extra MachineConfig OCPBUGS-8463 - OpenStack Failure domains as 4.13 TechPreview OCPBUGS-8471 - [4.13] egress firewall only createas 1 acl for long namespace names OCPBUGS-8475 - TestBoundTokenSignerController causes unrecoverable disruption in e2e-gcp-operator CI job OCPBUGS-8481 - CAPI rebases 4.13 backports OCPBUGS-8490 - agent-tui: display additional checks only when primary check fails OCPBUGS-8498 - aws-ebs-csi-driver-operator ServiceAccount does not include the HCP pull-secret in its imagePullSecrets OCPBUGS-8505 - [4.13] egress firewall acls are deleted on restart OCPBUGS-8511 - [4.13+ ONLY] Don't use port 80 in bootstrap IPI bare metal OCPBUGS-855 - When setting allowedRegistries urls the openshift-samples operator is degraded OCPBUGS-859 - monitor not working with UDP lb when externalTrafficPolicy: Local OCPBUGS-860 - CSR are generated with incorrect Subject Alternate Names OCPBUGS-8699 - Metal IPI Install Rate Below 90% OCPBUGS-8701 - `oc patch project` not working with OCP 4.12 OCPBUGS-8702 - OKD SCOS: remove workaround for rpm-ostree auth OCPBUGS-8703 - fails to switch to kernel-rt with rhel 9.2 OCPBUGS-8710 - [4.13] don't enforce PSa in 4.13 OCPBUGS-8712 - AES-GCM encryption at rest is not supported by kube-apiserver-operator OCPBUGS-8719 - Allow the user to scroll the content of the agent-tui details view OCPBUGS-8741 - [4.13] Pods in same deployment will have different ability to query services in same namespace from one another; ocp 4.10 OCPBUGS-8742 - Origin tests should not specify `readyz` as the health check path OCPBUGS-881 - fail to create install-config.yaml as apiVIP and ingressVIP are not in machine networks OCPBUGS-8941 - Introduce tooltips for contextual information OCPBUGS-904 - Alerts from MCO are missing namespace OCPBUGS-9079 - ICMP fragmentation needed sent to pods behind a service don't seem to reach the pods OCPBUGS-91 - [ExtDNS] New TXT record breaks downward compatibility by retroactively limiting record length OCPBUGS-9132 - WebSCale: ovn logical router polices incorrect/l3 gw config not updated after IP change OCPBUGS-9185 - Pod latency spikes are observed when there is a compaction/leadership transfer OCPBUGS-9233 - ConsoleQuickStart {{copy}} and {{execute}} features do not work in some cases OCPBUGS-931 - [osp][octavia lb] NodePort allocation cannot be disabled for LB type svcs OCPBUGS-9338 - editor toggle radio input doesn't have distinguishable attributes OCPBUGS-9389 - Detach code in vsphere csi driver is failing OCPBUGS-948 - OLM sets invalid SCC label on its namespaces OCPBUGS-95 - NMstate removes egressip in OpenShift cluster with SDN plugin OCPBUGS-9913 - bacport tests for PDBUnhealthyPodEvictionPolicy as Tech Preview OCPBUGS-9924 - Remove unsupported warning in oc-mirror when using the --skip-pruning flag OCPBUGS-9926 - Enable node healthz server for ovnk in CNO OCPBUGS-9951 - fails to reconcile to RT kernel on interrupted updates OCPBUGS-9957 - Garbage collect grafana-dashboard-etcd OCPBUGS-996 - Control Plane Machine Set Operator OnDelete update should cause an error when more than one machine is ready in an index OCPBUGS-9963 - Better to change the error information more clearly to help understand OCPBUGS-9968 - Operands running management side missing affinity, tolerations, node selector and priority rules than the operator 6

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

arbitrary, code execution

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2024-12-20T19:54:23.316000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE