The rhceph/rhceph-5-rhel8:latest container includes glibc, nghttp2, and python3 packages that are vulnerable to Important CVEs.

Important CVE-2023-4911 https://access.redhat.com/errata/RHSA-2023:5455 glibc
Important CVE-2023-4527 https://access.redhat.com/errata/RHSA-2023:5455 glibc
Important CVE-2023-4806 https://access.redhat.com/errata/RHSA-2023:5455 glibc
Important CVE-2023-4813 https://access.redhat.com/errata/RHSA-2023:5455 glibc
Important CVE-2023-44487 https://access.redhat.com/errata/RHSA-2023:5837 nghttp2
Important CVE-2023-40217 https://access.redhat.com/errata/RHSA-2023:5997 python3

Vulnerable package versions:
glibc-2.28-225.el8
glibc-common-2.28-225.el8
glibc-minimal-langpack-2.28-225.el8
libnghttp2-1.33.0-3.el8_2.1
platform-python-3.6.8-51.el8_8.1
platform-python-devel-3.6.8-51.el8_8.1
python3-libs-3.6.8-51.el8_8.1

Public Container Ecosystem Catalog entry: https://catalog.redhat.com/software/containers/registry/registry.access.redhat.com/repository/rhceph/rhceph-5-rhel8

You can find the fixed package versions by clicking each RHSA link above and looking at the "Updated Packages" tab.

This bug tracks rebuilding the ceph container image against the newer RHEL base container image with the fixed packages.
Please specify the severity of this bug. Severity is defined here: https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.
Requesting QA Ack so we can add this to the 5.3 container errata
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: new container image: rhceph-5.3), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:0746