The rhceph/rhceph-4-rhel8:latest container includes nss packages that are vulnerable to a Critical CVE.

Critical CVE-2021-43527 https://access.redhat.com/errata/RHSA-2021:4903

nss

Vulnerable package versions:
nss-3.67.0-6.el8_4
nss-softokn-3.67.0-6.el8_4
nss-softokn-freebl-3.67.0-6.el8_4
nss-sysinit-3.67.0-6.el8_4
nss-util-3.67.0-6.el8_4

This bug tracks rebuilding the ceph container image against the newer RHEL base container image with the fixed packages.
Please specify the severity of this bug. Severity is defined here: https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.
Using https://pagure.io/fork/ktdreyer/koji-tools/blob/koji-diff-containers/f/src/bin/koji-diff-containers :

$ ./src/bin/koji-diff-containers --profile brew rhceph-container-4-69 rhceph-container-4-69.1638383142
found 374 old NVRs
found 374 new NVRs
Found 5 differences:
changed package nss-util: 3.67.0-6.el8_4 -> 3.67.0-7.el8_5
changed package nss-softokn: 3.67.0-6.el8_4 -> 3.67.0-7.el8_5
changed package nss: 3.67.0-6.el8_4 -> 3.67.0-7.el8_5
changed package nss-softokn-freebl: 3.67.0-6.el8_4 -> 3.67.0-7.el8_5
changed package nss-sysinit: 3.67.0-6.el8_4 -> 3.67.0-7.el8_5
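Added example, not part of this bug or of koji-tools: a small Python script that reproduces the kind of per-package NVR diff shown in the comment above and then checks whether any of the vulnerable nss NVRs from the report survive in the new build. The two package lists are constructed for the example (the example-lib package is a placeholder), not pulled from Brew.

```python
"""Diff the RPM package sets of two container builds by NVR and flag
known-vulnerable NVRs. Constructed example modelled on the
koji-diff-containers output in this bug; lists below are hand-built."""
from typing import Dict, List, Tuple


def parse_nvr(nvr: str) -> Tuple[str, str]:
    """Split 'name-version-release' into (name, 'version-release').
    RPM version and release may not contain '-', so splitting on the
    last two hyphens is safe even for hyphenated names like nss-softokn."""
    name, version, release = nvr.rsplit("-", 2)
    return name, f"{version}-{release}"


def index_by_name(nvrs: List[str]) -> Dict[str, str]:
    """Map package name -> 'version-release' for one build."""
    return dict(parse_nvr(n) for n in nvrs)


def diff_containers(old_nvrs: List[str], new_nvrs: List[str]) -> List[str]:
    """Report removed, added and changed packages, one line each."""
    old, new = index_by_name(old_nvrs), index_by_name(new_nvrs)
    lines = []
    for name in sorted(old.keys() - new.keys()):
        lines.append(f"removed package {name}: {old[name]}")
    for name in sorted(new.keys() - old.keys()):
        lines.append(f"added package {name}: {new[name]}")
    for name in sorted(old.keys() & new.keys()):
        if old[name] != new[name]:
            lines.append(f"changed package {name}: {old[name]} -> {new[name]}")
    return lines


def still_vulnerable(nvrs: List[str], vulnerable_nvrs: List[str]) -> List[str]:
    """Return the NVRs from a build that match the vulnerable set exactly."""
    bad = set(vulnerable_nvrs)
    return sorted(n for n in nvrs if n in bad)


# Vulnerable NVRs as listed in the bug report.
VULNERABLE = ["nss-3.67.0-6.el8_4", "nss-softokn-3.67.0-6.el8_4",
              "nss-softokn-freebl-3.67.0-6.el8_4", "nss-sysinit-3.67.0-6.el8_4",
              "nss-util-3.67.0-6.el8_4"]
# Constructed package sets: old build carries the vulnerable nss, new one the fix.
OLD_IMAGE = ["example-lib-1.0-1.el8"] + VULNERABLE
NEW_IMAGE = ["example-lib-1.0-1.el8"] + [n.replace("6.el8_4", "7.el8_5") for n in VULNERABLE]

if __name__ == "__main__":
    print(f"Found {len(diff_containers(OLD_IMAGE, NEW_IMAGE))} differences:")
    print("\n".join(diff_containers(OLD_IMAGE, NEW_IMAGE)))
    print("still vulnerable in new build:", still_vulnerable(NEW_IMAGE, VULNERABLE))
```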
Planned ETA, Dec 09 2021
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (updated rhceph container image), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:5084