Bug 2029957

Summary: rebuild ceph container for Critical nss RHSA
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Ken Dreyer (Red Hat) <kdreyer>
Component: Container
Assignee: Ken Dreyer (Red Hat) <kdreyer>
Status: CLOSED ERRATA
QA Contact: Manasa <mgowri>
Severity: high
Priority: unspecified
Version: 4.2
CC: bniver, ceph-eng-bugs, ceph-qe-bugs, gabrioux, mmurthy, sunnagar, vereddy
Target Release: 4.2z4
Hardware: Unspecified
OS: Unspecified
Fixed In Version: rhceph-container-4-69.1638383142
Doc Type: If docs needed, set a value
Last Closed: 2021-12-13 14:14:43 UTC

Description Ken Dreyer (Red Hat) 2021-12-07 16:17:42 UTC
The rhceph/rhceph-4-rhel8:latest container includes nss packages that are vulnerable to a Critical CVE.

Critical CVE-2021-43527 https://access.redhat.com/errata/RHSA-2021:4903 nss

Vulnerable package versions:
  nss-3.67.0-6.el8_4
  nss-softokn-3.67.0-6.el8_4
  nss-softokn-freebl-3.67.0-6.el8_4
  nss-sysinit-3.67.0-6.el8_4
  nss-util-3.67.0-6.el8_4

This bug tracks rebuilding the ceph container image against the newer RHEL base container image with the fixed packages.

Comment 1 RHEL Program Management 2021-12-07 16:17:48 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 2 Ken Dreyer (Red Hat) 2021-12-07 16:22:05 UTC
Using https://pagure.io/fork/ktdreyer/koji-tools/blob/koji-diff-containers/f/src/bin/koji-diff-containers :

$ ./src/bin/koji-diff-containers --profile brew rhceph-container-4-69 rhceph-container-4-69.1638383142
found 374 old NVRs
found 374 new NVRs
Found 5 differences:
changed package nss-util: 3.67.0-6.el8_4 -> 3.67.0-7.el8_5
changed package nss-softokn: 3.67.0-6.el8_4 -> 3.67.0-7.el8_5
changed package nss: 3.67.0-6.el8_4 -> 3.67.0-7.el8_5
changed package nss-softokn-freebl: 3.67.0-6.el8_4 -> 3.67.0-7.el8_5
changed package nss-sysinit: 3.67.0-6.el8_4 -> 3.67.0-7.el8_5
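
The same check can be run against a package list taken from inside an image, to confirm that no nss package older than the fixed build remains. This is an added example, not part of the bug report or of koji-tools; it assumes input lines in `NAME-VERSION-RELEASE` form (for example from `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`), epoch 0, and a simplified version comparison. The `bash` entry is a constructed sample value.

```python
import re

# Fixed builds, taken from the koji-diff-containers output in Comment 2.
FIXED = {name: "3.67.0-7.el8_5" for name in (
    "nss", "nss-softokn", "nss-softokn-freebl", "nss-sysinit", "nss-util")}

def rpmvercmp(a, b):
    """Simplified rpmvercmp: compares digit/alpha segments left to right.
    Does not handle '~' or '^' markers (not used by these packages)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alpha
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings; epoch is assumed to be 0."""
    (va, ra), (vb, rb) = a.split("-", 1), b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unfixed(nvr_lines):
    """Return (name, installed, fixed) for tracked packages older than the fix."""
    hits = []
    for line in nvr_lines:
        parts = line.strip().rsplit("-", 2)
        if len(parts) != 3:
            continue  # not a NAME-VERSION-RELEASE line
        name, installed = parts[0], "-".join(parts[1:])
        fixed = FIXED.get(name)
        if fixed and evr_cmp(installed, fixed) < 0:
            hits.append((name, installed, fixed))
    return hits

# Sample input: nss NVRs before and after the rebuild, as listed in this bug,
# plus one constructed unrelated package that must be ignored.
OLD_IMAGE = [f"{n}-3.67.0-6.el8_4" for n in FIXED] + ["bash-4.4.20-2.el8_4"]
NEW_IMAGE = [f"{n}-3.67.0-7.el8_5" for n in FIXED] + ["bash-4.4.20-2.el8_4"]

if __name__ == "__main__":
    for name, have, want in unfixed(OLD_IMAGE):
        print(f"{name}: {have} is older than fixed build {want}")
    print("new image unfixed packages:", unfixed(NEW_IMAGE))
```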

Comment 4 Veera Raghava Reddy 2021-12-07 16:49:19 UTC
Planned ETA, Dec 09 2021

Comment 9 errata-xmlrpc 2021-12-13 14:14:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (updated rhceph container image), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:5084