Bug 1862114
| Summary: | [4.3.z] update boot images to address CVE-2020-10713 | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Micah Abbott <miabbott> |
| Component: | RHCOS | Assignee: | Micah Abbott <miabbott> |
| Status: | CLOSED ERRATA | QA Contact: | Michael Nguyen <mnguyen> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.3.z | CC: | bbreard, dornelas, imcleod, jligon, kfan, mnguyen, nstielau, smilner |
| Target Milestone: | --- | ||
| Target Release: | 4.3.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1862113 | Environment: | |
| Last Closed: | 2020-08-19 11:10:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1862113 | ||
| Bug Blocks: | 1186913 | ||
|
Description
Micah Abbott
2020-07-30 13:36:32 UTC
This is currently being worked on and work will continue next sprint. Verified on 4.3.0-0.nightly-2020-08-11-083910
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.3.0-0.nightly-2020-08-11-083910 True False 14m Cluster version is 4.3.0-0.nightly-2020-08-11-083910
$ oc get nodes
NAME STATUS ROLES AGE VERSION
ci-ln-krlsv-m-0.c.openshift-gce-devel-ci.internal Ready master 35m v1.16.2+295f6e6
ci-ln-krlsv-m-1.c.openshift-gce-devel-ci.internal Ready master 35m v1.16.2+295f6e6
ci-ln-krlsv-m-2.c.openshift-gce-devel-ci.internal Ready master 34m v1.16.2+295f6e6
ci-ln-krlsv-w-b-7r8zt.c.openshift-gce-devel-ci.internal Ready worker 25m v1.16.2+295f6e6
ci-ln-krlsv-w-c-gbkfc.c.openshift-gce-devel-ci.internal Ready worker 25m v1.16.2+295f6e6
== check shim version on master node is 15.15.el8_2==
$ oc debug node/ci-ln-krlsv-m-0.c.openshift-gce-devel-ci.internal -- chroot /host rpm-ostree status
Starting pod/ci-ln-krlsv-m-0copenshift-gce-devel-ciinternal-debug ...
To use host binaries, run `chroot /host`
State: idle
AutomaticUpdates: disabled
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cd39c4055f5899e85f7ee3108825247a55ad6f0b1082c45af2346d5b848d5cd5
CustomOrigin: Managed by machine-config-operator
Version: 43.82.202008102153.0 (2020-08-10T21:59:01Z)
ostree://737befacb1f80b6842b4f165d8ba07d4854a358333e76af1533d5659c90ddd5e
Version: 43.82.202008010953.0 (2020-08-01T09:59:17Z)
Removing debug pod ...
$ oc debug node/ci-ln-krlsv-m-0.c.openshift-gce-devel-ci.internal -- chroot /host rpm -qi shim-x64
Starting pod/ci-ln-krlsv-m-0copenshift-gce-devel-ciinternal-debug ...
To use host binaries, run `chroot /host`
Name : shim-x64
Version : 15
Release : 15.el8_2
Architecture: x86_64
Install Date: Mon Aug 10 21:57:10 2020
Group : Unspecified
Size : 5252606
License : BSD
Signature : RSA/SHA256, Fri Jul 31 23:10:11 2020, Key ID 199e2f91fd431d51
Source RPM : shim-15-15.el8_2.src.rpm
Build Date : Fri Jul 31 21:18:08 2020
Build Host : x86-vm-09.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor : Red Hat, Inc.
URL : https://github.com/rhboot/shim/
Summary : First-stage UEFI bootloader
Description :
Initial UEFI bootloader that handles chaining to a trusted full
bootloader under secure boot environments. This package contains the
version signed by the UEFI signing service.
Removing debug pod ...
== check shim version on worker node is 15.15.el8_2 ==
$ oc debug node/ci-ln-krlsv-w-b-7r8zt.c.openshift-gce-devel-ci.internal -- chroot /host rpm-ostree status
Starting pod/ci-ln-krlsv-w-b-7r8ztcopenshift-gce-devel-ciinternal-debug ...
To use host binaries, run `chroot /host`
State: idle
AutomaticUpdates: disabled
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cd39c4055f5899e85f7ee3108825247a55ad6f0b1082c45af2346d5b848d5cd5
CustomOrigin: Managed by machine-config-operator
Version: 43.82.202008102153.0 (2020-08-10T21:59:01Z)
ostree://737befacb1f80b6842b4f165d8ba07d4854a358333e76af1533d5659c90ddd5e
Version: 43.82.202008010953.0 (2020-08-01T09:59:17Z)
Removing debug pod ...
$ oc debug node/ci-ln-krlsv-w-b-7r8zt.c.openshift-gce-devel-ci.internal -- chroot /host rpm -qi shim-x64
Starting pod/ci-ln-krlsv-w-b-7r8ztcopenshift-gce-devel-ciinternal-debug ...
To use host binaries, run `chroot /host`
Name : shim-x64
Version : 15
Release : 15.el8_2
Architecture: x86_64
Install Date: Mon Aug 10 21:57:10 2020
Group : Unspecified
Size : 5252606
License : BSD
Signature : RSA/SHA256, Fri Jul 31 23:10:11 2020, Key ID 199e2f91fd431d51
Source RPM : shim-15-15.el8_2.src.rpm
Build Date : Fri Jul 31 21:18:08 2020
Build Host : x86-vm-09.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor : Red Hat, Inc.
URL : https://github.com/rhboot/shim/
Summary : First-stage UEFI bootloader
Description :
Initial UEFI bootloader that handles chaining to a trusted full
bootloader under secure boot environments. This package contains the
version signed by the UEFI signing service.
Removing debug pod ...
== Check bootstrap node's shim version ==
$ oc debug node/ci-ln-krlsv-w-b-7r8zt.c.openshift-gce-devel-ci.internal -- chroot /host rpm-ostree db list 737befacb1f80b6842b4f165d8ba07d4854a358333e76af1533d5659c90ddd5e | grep shim-x64
Starting pod/ci-ln-krlsv-w-b-7r8ztcopenshift-gce-devel-ciinternal-debug ...
To use host binaries, run `chroot /host`
shim-x64-15-15.el8_2.x86_64
Removing debug pod ...
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.3.33 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3259 |