var-202107-1506
Vulnerability from variot
Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action. Open vSwitch ( alias openvswitch) Is vulnerable to the use of freed memory.Denial of service (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Description:
Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/2974891
- ========================================================================== Ubuntu Security Notice USN-5065-1 September 08, 2021
openvswitch vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.04
- Ubuntu 20.04 LTS
Summary:
Open vSwitch could be made to crash or run programs if it received specially crafted network traffic.
Software Description: - openvswitch: Ethernet virtual switch
Details:
It was discovered that Open vSwitch incorrectly handled decoding RAW_ENCAP actions. A remote attacker could use this issue to cause Open vSwitch to crash, resulting in a denial of service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 21.04: openvswitch-common 2.15.0-0ubuntu3.1
Ubuntu 20.04 LTS: openvswitch-common 2.13.3-0ubuntu0.20.04.2
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.9.0 bug fix and security update Advisory ID: RHSA-2021:3759-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:3759 Issue date: 2021-10-18 CVE Names: CVE-2021-3121 CVE-2021-26539 CVE-2021-26540 CVE-2021-28092 CVE-2021-28169 CVE-2021-29059 CVE-2021-31525 CVE-2021-32690 CVE-2021-33194 CVE-2021-33195 CVE-2021-33196 CVE-2021-33197 CVE-2021-33198 CVE-2021-34428 CVE-2021-34558 CVE-2021-36980 =====================================================================
- Summary:
Red Hat OpenShift Container Platform release 4.9.0 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container Platform 4.9.0. See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/RHSA-2021:3758
Security Fix(es):
-
gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
-
sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation (CVE-2021-26539)
-
sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for iframe element (CVE-2021-26540)
-
nodejs-is-svg: ReDoS via malicious string (CVE-2021-28092)
-
nodejs-is-svg: Regular expression denial of service if the application is provided and checks a crafted invalid SVG string (CVE-2021-29059)
-
golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)
-
helm: information disclosure vulnerability (CVE-2021-32690)
-
golang: x/net/html: infinite loop in ParseFragment (CVE-2021-33194)
-
golang: net: lookup functions may return invalid host names (CVE-2021-33195)
-
golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
-
golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
-
golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.
You may download the oc tool and use it to inspect release image metadata as follows:
(For x86_64 architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.9.0-x86_64
The image digest is sha256:d262a12de33125907e0b75a5ea34301dd27c4a6bde8295f6b922411f07623e61
(For s390x architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.9.0-s390x
The image digest is sha256:d262a12de33125907e0b75a5ea34301dd27c4a6bde8295f6b922411f07623e61
(For ppc64le architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.9.0-ppc64le
The image digest is sha256:d262a12de33125907e0b75a5ea34301dd27c4a6bde8295f6b922411f07623e61
All OpenShift Container Platform 4.9 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor
- Solution:
For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-rel ease-notes.html
Details on how to access this content are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster - -cli.html
- Bugs fixed (https://bugzilla.redhat.com/):
1786835 - oc is crashing while mirroring registry
1856355 - Scrolling of pf4 tables is far less performant than the previous version
1862429 - LocalVolumeSet object can be deleted with in-use PVs. May result in data leak
1868221 - Missing /etc/mtab symlink in CRI-O containers
1882490 - Azure installer misses hyphen in master NIC names
1883378 - Openapi spec is missing for prometheus-adapter aggregated api-resources
1890676 - Cypress: Fix 'aria-hidden-focus' accesibility violations
1898877 - keepalived consumes 100% of cpu
1903519 - Wrong Ingress to Route conversion for wildcard hostnames
1903632 - After upgrading a customer openshift cluster to 4.6.4 the openshift marketplace pods are in ImagePullBackOff state
1904155 - Graphs on utilization tab don't respect timespan selection
1905326 - kube-apiserver initContainer setup is not requesting required resources: cpu, memory
1905851 - [REF] Create volumesnapshotclass for Manila csi driver by default Storage/Manila CSI Driver
1906315 - "cannot populate chunk " error in prometheus container logs
1908677 - Reenable [sig-network] SCTP [Feature:SCTP] [LinuxOnly] should create a Pod with SCTP HostPort [Suite:openshift/conformance/parallel] [Suite:k8s]
1908772 - A11y Violation: Dev Console Nav Menu UL contains non-LI elements
1909058 - [cinder-csi-driver operator] always report fake event continuously in openstack-cinder-csi-driver-operator log
1913618 - Completed pods skew the Quota metrics
1914398 - multus admission controller and metrics daemon running as root
1914414 - SRIOV enablement for Emulex Corporation OneConnect NIC (10df:0720) is not working anymore
1914837 - Machine API Termination Handlers should be tested
1918562 - [cinder-csi-driver-operator] does not detect csi driver work status
1921139 - revert "force cert rotation every couple days for development" in 4.8
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1923111 - Install plans permanently fail due to CRD resource modified or similar transient errors
1924695 - Non-ascii passwords are accepted but don't work
1925180 - Deployment creates a huge number of ReplicaSets - image-lookup bits
1925203 - [RFE] [OCPonRHV] - High Performance Mode in OCP on RHV - huge pages, CPU and Numa pinning configuration
1925276 - Double instance create AWS
1925524 - openshift-jenkins-sync plugin does not scale on OCP 4
1928668 - Prometheus is collecting metrics for completed pods
1928816 - When using idrac-virtualmedia, the bios_interface gets set to idrac-wsman
1928856 - OCP Conformance test fails if MachineSet resource type is not present
1928942 - [Assisted-4.7] [Minimal-ISO] [Started image download] "Started image download" event missing important info: Content-Length: and Content-Disposition filename in both API and UI events
1932139 - The downstream darwin/amd64 opm
binary fails to output the version info
1932323 - CVE-2021-26540 sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for iframe element
1932362 - CVE-2021-26539 sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation
1934443 - Installation of OCP 4.6.13 fails when teaming interface is used with OVNKubernetes
1936408 - [VMware-LSO] pod re-attach time took more then 60 sec.
1936919 - AlertmanagerMembersInconsistent fires too quickly, causing serial-test noise
1937696 - [Assisted-4.7]node/hostnames vs bmh names inconsistency, skipped cluster index in name
1938282 - [4.9] Kuryr won't remove LB members on Endpoints object removal
1939045 - [OCPv4.6] pod to pod communication broken on PFCP procotol over UDP
1939103 - CVE-2021-28092 nodejs-is-svg: ReDoS via malicious string
1940059 - [GSS][RFE] Integrate ceph dashboard with OCS
1941224 - Serial e2e should not complain about the authentication operator going Progressing=True during the "test RequestHeaders IdP" test-case
1942122 - Egress IP iptables rules not added due to iptables: Resource temporarily unavailable
1942164 - [sig-cluster-lifecycle] cluster upgrade should be fast
1942657 - ingress operator stays degraded after privateZone fixed in DNS
1943265 - Negative Memory Utilization for Cluster Compute Resources Dashboard
1943284 - opm index prune will fail if the working directory does not have write permissions
1943334 - [ovnkube] node pod should taint NoSchedule on termination; clear on startup
1943378 - OpenStack machine_controller does not remove boot volumes when reconciler errors
1946178 - [Assisted-4.7] [Staging][OCS] Cluster validation messages improvements
1947005 - cluster-monitoring-view role allows to create alert silences
1947740 - [single-node] "Failed to watch" errors in openshift-state-metrics container
1948089 - openshift-apiserver should not set Available=False APIServicesAvailable on update
1948090 - Storage should not set Available=False APIServices_Error AWSEBSCSIDriverOperatorCRAvailable on update
1948603 - Azure CSI driver does not pass e2e-azure-csi tests
1948607 - vSphere CSI driver does not pass e2e-vsphere-csi tests
1948720 - Spacing issues in Chinese translations
1949497 - apiversion is still policy/v1betal when user creates pdb via oc create command
1949840 - CMO reports unavailable during upgrades
1950173 - Non-fatal: prometheus.env.yaml: no such file or directory
1950534 - OPM fails to deprecate bundles
1951812 - [master] [assisted operator] Assisted Service Postgres crashes msg: "mkdir: cannot create directory '/var/lib/pgsql/data/userdata': Permission denied"
1952101 - Can't re-build index if any bundles have been truncated
1952224 - Some quickly deleted pods are never cleaned up by kubelet after 20m
1952457 - In k8s 1.21 bump '[sig-node] crictl should be able to run crictl on the node' test is disabled
1952737 - [RFE]Users had difficulty distinguishing between “ Supported” and “Provided”
1953063 - Update default AWS instance type in machine-api-operator
1953113 - HAProxy template doesn't allow HSTS header to be case insensitive or include spaces
1953127 - NetworkPolicy tests were mistakenly marked skipped
1953182 - [Azure disk csi driver] volume expansion failed on filesystem resizing
1953185 - [Azure disk csi dirver operator] doesn't use the credential created by CCO
1953674 - [RFE] Add resize to ovirt CSI driver
1954869 - Add necessary priority class to marketplace components
1955192 - ExternalIP feature do not work on ovn-kuberenetes
1955292 - Describe quota output should show units
1955435 - "requestURI":"/apis/user.openshift.io/v1/users/kube:admin" from system:apiserver got code 422
1955586 - ThanosSidecarUnhealthy will never fire if the sidecar is never healthy.
1956081 - kube-apiserver setup fail while installing SNO due to port being used
1956830 - "oc adm top nodes" output give negative numbers
1956836 - AVC denial when setting hostname on GCP using "set-valid-hostname.sh" script
1956879 - authentication errors with "square/go-jose: error in cryptographic primitive" are observed in the CI
1956955 - Services sync causes too many ovn load balancer deletes
1956989 - In k8s 1.21 bump some sig-network tests are disabled due to being permanently broken on e2e-metal-ipi-ovn-ipv6
1957498 - cluster-etcd-operator: policy/v1beta1 PodDisruptionBudget is deprecated in v1.21
1957609 - [aws]Machine tags should have precedence over Infrastructure
1957634 - prometheus-adapter panics on GetNodeMetrics
1957761 - SR-IOV daemon set should meet platform requirements for update strategy that have maxUnavailable update of 10 or 33 percent
1957886 - In k8s 1.21 bump TTLAfterFinished is disabled
1958107 - SR-IOV network operator pods should not run in best-effort QoS
1958154 - Custom AWS user tags limit not supported (openshift/api says max=25), install fails when >=10
1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
1958375 - Return IPv6 traffic from the application pod is getting dropped when f5 pod is scaled to more than one.
1958376 - [IPI on Azure] unable to install IPI PRIVATE OpenShift cluster in Azure due to organization policies
1958390 - API Services unavailable after upgrade from 4.5.38 to 4.6.27
1958888 - 4.7.6 -> 4.7.9 upgrade: leader election stuck
1959200 - failed to configure pod interface: error while waiting on OVS.Interface.external-ids:ovn-installed for pod: timed out while waiting for OVS port binding
1959290 - openshift-kube-apiserver-operator should not rely on external networking for health check
1959586 - [master] All resources not being cleaned up after clusterdeployment deletion
1959798 - DNAT rules for external IP services wrong in ovn-kubernetes
1959906 - External gateway fails to add duplicate OVN ECMP route
1959957 - After a channel head is deprecated, the channel still exists in the index, but with no installable content = BAD UX
1960101 - CNO: exportNetworkFlows accepts invalid TCP/UDP port numbers
1960152 - Manilacsi becomes degraded even though it is not available with the underlying Openstack
1960455 - Performance Addon Operator fails to install after catalog source becomes ready
1960485 - Cannot use DASD at virtio block device when installing RHCOS on KVM
1960559 - Remove v1beta1 handling code
1960574 - Managed cluster should ensure SR-IOV pods components have system- priority class associated
1960680 - [SCC] openshift-apiserver degraded when a SCC with high priority is created
1961226 - Can't ssh too IPA on worker nodes
1961757 - ovn-kubernetes: Enable ovn-controller lflow-cache limits (memory and/or size)
1961811 - Creating a configmap for a CA without a trailing newline in source file results in non-working CA verification
1962344 - [SCALE] ovn-controller running up to 30 second poll intervals due to full recompute
1962387 - Upgrade from Openshift 4.5 -> 4.6 Results in Orphaned Address sets
1962414 - ed25519 keys do not work when FIPS is enabled
1962951 - Can't enable column diffs in 4.9
1962957 - [master] Assisted service reports a malformed iso when we fail to download the base iso
1963027 - Upload qcow2 to PVC too small : "Error Uploading Data Request fail with status code 400"
1963132 - Installer: Remove the word 'Northern' from us-east4 (Ashburn, Northern Virginia, USA) to make it consistent
1963232 - CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment
1963943 - For baremetal clusters, the node->terminal is not available
1964231 - Client certificate used to contact kubelet is not loaded dynamically
1964266 - [RFE] add external-resizer side car container
1964471 - [master] Confusing behavior when multi-node spoke workers present when only controlPlaneAgents specified
1964482 - Ipv6 IP addresses are not accepted for whitelisting
1964540 - CAPO: It's impossible to make port a trunk when it's defined in ports
field
1964591 - [master] ACM/ZTP with Wan emulation fails to start the agent service
1964623 - [master] File system usage not being logged appropriately
1964786 - Serial console does not load
1964902 - NetworkPolicy Ingress rules table shows confusing text in From column
1964941 - If loading dynamic plugin times out, the UI throws a syntax error
1965074 - [OVN Kubernetes] ovnkube errors observed on 100 node clusters during uperf testing Fatal error: ofport of patch-br-ex_ip-oc adm release info
taking too long
1969494 - [master] no indication for missing debugInfo in AgentClusterInstall
1969546 - OLM: Scroll shadow in wrong position in operator details modal
1969547 - [master] SNO with AI/operator - kubeconfig secret is not created until the spoke is deployed
1969719 - vsphere-problem-detector cannot connect to vCenter API over https
1969761 - sriov webhook not worked when upgrade from 4.7 to 4.8
1969766 - [master] Empty cluster name on handleEnsureISOErrors log after applying InfraEnv.yaml
1969796 - [master] Updating configmap within AgentServiceConfig is not logged properly
1969902 - OLM fails with 'ResolutionFailed' found more than one head for channel
1969989 - KMS connection details for new storageclass can not be changed in StorageClass creation form after 9 connection details are stored in csi-kms-connection-details configmap
1969998 - [OCP 4.9 tracker] kubelet service fail to load EnvironmentFile due to SELinux denial
1970011 - “managed by” link goes to the incorrect URL (unlike the correct ownerRef link)
1970063 - [master] AgentServiceConfig mirror registry requires both ca-bundle.crt and registries.conf
1970129 - OVS logging in must gather is missing previous logging levels
1970147 - Weak Cipher in openshift-monitoring
1970179 - [4.9] Bootimage bump tracker
1970261 - [master] Add State and StateInfo to DebugInfo in ACI and Agent CRDs
1970270 - [master] Add ProgressInfo to Agent and AgentClusterInstalll CRDs
1970315 - 4.7 -> 4.8 upgrades fail on "[sig-network] pods should successfully create sandboxes by other" for pods which eventually start
1970332 - Page disappears while creating Storage Class for rbd provisioner via UI
1970421 - CVO does not provide a good enough reason to why an upgrade payload pull failed
1970437 - [oVirt] Add guaranteed memory field to oVirt Machine Object
1970466 - Console's OperatorHub leads users to unrelated install plan, if subscription does not have its own
1970604 - Add IDP menu items are not translated
1970910 - Uninstalling kube-descheduler clusterkubedescheduleroperator.4.6.0-202106010807.p0.git.5db84c5 removes some clusterrolebindings
1970962 - Exception inside the Jenkins Master pod
1970980 - Remove usage of i18nKey
1970985 - periodic ci-4.8-upgrade-from-stable-4.7-e2e-local-with-fallback
service annotation does not preserve source IP
1971899 - The ciphers in theTLS profiles for the kubelet, the oc explain
output don't match the kubelet.conf file
1972003 - Get invalid date when edit custom time range on monitoring dashboards
1972009 - [REF]Image registry pullthough should support pull image from the mirror registry with auth via imagecontentsourcepolicy
1972011 - Dashboards display different time range when drag&drop on the first dashboard
1972016 - Set a specific time range, but Dashboards display data with a different time range
1972028 - Upgrade is failed when upgrade SNO cluster on gcp platform
1972060 - typo in operators available
1972096 - [master] Domain dummy.com (not belonging to Red Hat) is being used in a default configuration
1972131 - ironic-static-ip-manager container still uses 4.7 base image
1972272 - [master] "baremetalhost.metal3.io/detached" uses boolean value where string is expected
1972287 - [mlx5] traffic from Node port is not offloaded
1972351 - Bump jenkins version to 2.289.1
1972374 - Adopt failure can trigger deprovisioning
1972383 - Using bound SA tokens causes causes failures to /apis/authorization.openshift.io/v1/clusterrolebindings
1972393 - PDB PUT /status is 1/6th of total write load on busy cluster continuously (should be 1/100 or so)
1972514 - add check for accessing traffic from status in ksvc
1972524 - bootstrap vm does not get right configuration for dhcp6
1972525 - [master] clusterDeployments controller should send an event to InfraEnv for backend cluster registration
1972572 - Ironic rhcos downloader re-downloads same image in upgrade process from 4.7 to 4.8
1972582 - [oVirt] Installing with an oVirt network with 2 vnics on the same network causes the installer to not create tfvars and fail with terraform error
1972598 - [master] Install retry per recreating ACI, BMH error status is not cleared
1972678 - Requirements for authenticating kernel modules with X.509
1972682 - DPDK KNI modules need some additional tools
1972684 - [Feature:IPv6DualStack] tests are failing in dualstack
1972747 - Allow Cluster-api-provider-ovirt using auto pinning new namings
1972753 - ironic hardware inspection failed due to NewConnectionError causes bm nodes stuck
1972776 - improve dual-stack install-config validation
1972777 - Unable to edit the default Health check probe values
1972829 - Upgrade tests should fail when ingress is disrupted
1972966 - Virtualization is not available in Home Overview
1972968 - "Add Disk" button should be disabled in common template disks tab
1972977 - The removed ingresscontrollers should not be counted in ingress_controller_conditions metrics
1973005 - authentication operator degraded during 4.7.16 update
1973065 - Editing a Deployment drops annotations
1973076 - [oVirt] CSI driver is not waiting for disk to be OK on creation
1973147 - KubePersistentVolumeFillingUp - False Alert firing for PVCs with volumeMode as block.
1973154 - RHCOS-shipped stalld systemd units do not use SCHED_FIFO to run stalld.
1973160 - Monitoring UI disappear when we query a string
1973200 - remove kubevirt images and references
1973215 - [OVN] EgressIP no longer worked after a cluster upgrade
1973314 - [4.9] Openshift Installer| UEFI mode | BM hosts have BIOS halted
1973315 - [master] Updating ISO URL does not create a correct log entry
1973318 - Image pruner does not use custom tolerations
1973333 - Investigate why strings removed in English files are showing up in langauge files
1973336 - Verify "Only {volumeMode} volume mode is available for {storageClass} with {accessMode} access mode" displays correctly
1973338 - Fix punctuation in string
1973340 - Add Sprint 203 translations
1973423 - Several operators degraded because Failed to create pod sandbox when installing an sts cluster
1973482 - 4.8.0.rc0 upgrade hung, stuck on DNS clusteroperator progressing
1973491 - Node exporter veth optimizations do not work if the network type is OVN
1973525 - machine-config-operator: remove runlevel from kni-infra namespace
1973565 - Dynamic plugin routes should be evaluated before static plugin routes
1973567 - Autoscaler log report error “Failed to watch v1.CSIDriver”
1973576 - only show annotations.summary field on thanos-ruler Alerts page
1973582 - [upgrade from 4.5 to 4.6] .status.connectionState.address of catsrc certified-operators is not correct
1973643 - oc logs doesn't work with piepeline builds
1973679 - fix ovn-kubernetes NetworkPolicy 4.7->4.8 upgrade issue
1973724 - metal3 Pod cannot download RHCOS images using the provisioning network anymore
1973813 - NodePorts do not work on RHEL 7.9 workers (was "4.7 -> 4.8 upgrade is stuck at Ingress operator Degraded with rhel 7.9 workers")
1974077 - [Assisted-4.8] [Staging][Network Latency] Improve validation message: host with IP not found in inventory
1974083 - [RFE] When branding is not redhat, no need to explicitly mark community support.
1974085 - [Assisted-4.8] [Staging][Network Latency] Worker host IP appear in master validation message
1974237 - 4.7 -> 4.8 upgrades on AWS take longer than expected
1974277 - Tuned net plugin fails to handle net devices with n/a value for a channel
1974312 - linuxptp-daemon: remove not needed run-level 1 label
1974338 - [OCP4.7] maven image doesn't use JAVA_HOME env variable
1974350 - LB endpoint for API becomes unavailable briefly during openshift test suite
1974364 - [must-gather] ovs/ovn database should be exported or dumped, not compacted and copied
1974403 - OVN-Kube Node race occasionally leads to invalid pod IP
1974411 - Installation with multipath parameters in parmfile fails (DNS resolution missing)
1974429 - Requirements for nvidia GPU driver container for driver toolkit
1974453 - coreos-installer failing Execshield
1974501 - [master] Assisted Service Operator should be Infrastructure Operator for Red Hat OpenShift
1974520 - [release-4.9] CI update from 4.7 to 4.8 sticks on: EncryptionMigrationController_Error: EncryptionMigrationControllerDegraded: etcdserver: request timed out
1974567 - vertical-pod-autoscaler-operator: remove runlevel from namespace manual install
1974598 - Sub-optimal cluster destroy strategy
1974603 - clusteroperators table output does omit condition messages
1974611 - In template list, the boot source provider column should be named boot source
1974640 - When installing on AWS, AWS_SHARED_CREDENTIALS_FILE is only obeyed for reading and not for writing credentials
1974651 - dockerv1client tests fail due to unavailability of v1 API on registry-1.docker.io
1974689 - In customize create vm wizard, a warning "no registred model"
1974716 - Using bound SA tokens causes fail to query cluster resource especially in a sts cluster
1974755 - Status defaults were not internationalized
1974758 - aws-serial jobs are failing with false-positive MachineWithNoRunningPhase firing or pending
1974830 - KubeDeploymentReplicasMismatch alert will never fire
1974832 - The monitoring stack should alert when 2 Prometheus pods are scheduled on the same node
1974839 - CVE-2021-29059 nodejs-is-svg: Regular expression denial of service if the application is provided and checks a crafted invalid SVG string
1974967 - Prometheus Memory Usage 50-100% higher on 4.8+ OVN when under load
1974973 - ci-operator cannot import an s390x or a non-amd64 OCP release image
1975016 - OpenStack credentials for Kuryr Controller should be stored in a secret
1975038 - Cannot delete user created vm template
1975042 - Cannot customize windows template boot source
1975133 - Sync ironic containers with latest ironic code
1975157 - (release-4.9) records data size is incorrectly growing when obfuscation is enabled or when there are duplicated records
1975218 - [master] KubeAPI Move conditions consts to CRD types
1975232 - VM Create YAML page 404 error
1975283 - gcp-realtime: e2e test failing [sig-storage] Multi-AZ Cluster Volumes should only be allowed to provision PDs in zones where nodes exist [Suite:openshift/conformance/parallel] [Suite:k8s]
1975296 - machinehealthcheck controller does not consider nodes that still have the external remediation annotation
1975359 - [master] timeout on kubeAPI subsystem test: SNO full install and validate MetaData
1975379 - Console pods are scheduled on single master node
1975383 - No NTP sources defined in a cluster after assisted installation
1975391 - Install Operator description iframe shows double scrollbars when the browser sized is narrowed.
1975392 - Console and downloads pods should have more specific anti-affinity label selectors
1975475 - [aws] terraform may fail when the bootstrap instance profile is not ready
1975478 - CRD extensions.ConsoleNotification CRD.displays YAML editor for modifying the location of ConsoleNotification instance
1975491 - [Assisted-4.8] [Staging][Network latency] host_requirements api should contain network thresholds
1975529 - Production logs are spammed on "Validate Requirements status All host roles must be assigned to enable CNV."
1975539 - [ImageStreams] Remove stale cruft installed by CVO in earlier releases
1975542 - [Insights] Remove stale cruft installed by CVO in earlier releases
1975683 - baremetal-operator fails to build
1975696 - compareOwnerReference should not accept a reference
1975714 - Missing policy-group label on the openshift-console namespace manifest
1975715 - Monitoring dashboard 'Logging/Elasticsearch' isn't accessible on OCP 4.8.
1975779 - image pull keeps failing on upgrade
1975805 - [4.8.0] Install retry per recreating ACI, BMH error status is not cleared
1975820 - There are plugins remained after uninstall operator with multiple plugins enabled
1975824 - Alert InstallPlanStepAppliedWithWarnings does not resolve
1975825 - [v4.8] The oc compliance fetch-raw
is unable to process results from suite: unexpected EOF
1975831 - Crio is using large amounts of node resources
1975913 - Unable to uncheck the optional workspace checkbox in pipeline builder
1975947 - Add egress ips to anonymizer
1976016 - Azure: Destroy cluster eventually fails when trying to delete a cluster while other resources (not related to the cluster) are present in the resource group
1976072 - Operand details page doesn't render correct format when x-descriptor path has None value
1976112 - batch/v1beta1 CronJob warning appears in image pruner pod when image registry is removed
1976125 - [BM][IPI] redfish inspect fails on nodes with nics where mac="": Expected a MAC address but received .
1976215 - Removed egressIP still shows as EXTERNAL_IP in the NorthBound DB.
1976217 - Chart empty state card different height than other cards on Metrics tab
1976243 - OLM operator index pod for Performance Addon Operator is missing Workload Partitioning Annotation
1976307 - CVO missing ImageStreams manifest delete annotation logic
1976326 - CI failing on firing CertifiedOperatorsCatalogError due to slow livenessProbe responses
1976373 - disable jenkins client plugin test whose Jenkinsfile references master branch openshift/origin artifacts
1976379 - CVO pod skipped by workload partitioning with incorrect error stating cluster is not SNO
1976753 - [sig-devex][Feature:Jenkins][Slow] Jenkins repos e2e openshift using slow openshift pipeline build Sync plugin tests using the ephemeral template expand_more
1976775 - Problematic Deployment creates infinite number Replicasets causing etcd to reach quota limit
1976776 - [master] Change agent's ReadyForInstallation condition into RequirementsMet
1976939 - Interacting with CatalogSource page.Interacting with CatalogSource page renders details about the redhat-operators catalog source
1976983 - [master] [assisted operator][docs] Setting automatedCleaningMode: metadata in BMH is overridden to disabled
1977027 - [oauth-apiserver] Remove stale cruft installed by CVO in earlier releases
1977037 - VNC console stays in Connecting state.
1977054 - [4.9] Unable to authenticate against IDP after upgrade to 4.8-rc.1
1977097 - build cleanup test failing on release-openshift-origin-installer-old-rhcos-e2e-aws-4.7
1977129 - openshift-installer: remove runlevel from openshift-kubevirt-infra namespace
1977279 - When applying the gateway annotation to a gateway pod or to a namespace, the per pod SNAT is not removed
1977330 - Single stack external gateway makes the pod not starting with dual stack clusters
1977346 - Fix obfuscation translation table secret 4.9
1977354 - [master] KUBE-API: Support move agent to different cluster in the same namespace
1977369 - vSphere Machines stuck in deleting phase if associated Node object is deleted
1977377 - [master] Add columns to the Agent CRD list
1977389 - Manila CSI driver is not in must-gather
1977435 - SNO - monitoring operator is not available cause failed: waiting for Alertmanager openshift-monitoring/main
1977444 - KubeAPI docs: Add a getting started guide
1977449 - [master] Fix flaky test: invalid NMState config YAML
1977454 - builds: e2e-proxy tests fail due to Redis security protections
1977595 - pseudo translation missing on OperatorHub page
1977655 - localization issue for volume mode tooltip message
1977753 - (release-4.9] Gather all MachineConfig definitions
1977807 - Prometheus PV is corrupted during CSI migration tests
1977884 - Upgrade from 4.8.0-rc.0 to 4.9.0-0.nightly-2021-06-24-073147 failing with multiple errors
1977920 - Pod fails to run when a custom SCC with a specific set of volumes is used
1977936 - OCS deployment using Multus: UI allows StorageCluster creation with empty public and cluster network in "Internal - Attached Devices" mode
1977972 - Kernel version in /etc/driver-toolkit-release.json not including architecture
1977981 - [External Mode] OpenShift Container Storage Overview does not display any dashboard by default unless specific tab is clicked
1978091 - Cluster Utilization item Network transfer shows 'No datapoints found'
1978137 - ovnkube-trace requires iproute to be installed in the pod
1978144 - CVE-2021-32690 helm: information disclosure vulnerability
1978193 - htpasswd provider for auth is not working as expected and give 401 error when user try to login
1978200 - RHEL 6 template should not be starred by default
1978202 - RHEL 6 template is tagged as "community"
1978213 - OpenStack quota checks inexact when using Kuryr
1978222 - User Management / Users: seeing "Add IdP" button although IdP exists
1978225 - User Management / Users: no progress visible suggesting that IdPs are not instant after configuration
1978268 - Exec probes fail clusterwide after upgrade to cri-o-1.19.2-4.rhaos4.6.git4f7cb5e.el7.x86_64
1978310 - OLM dependencies not fixing version
1978338 - "Prometheus metrics should be available after an upgrade" is panicking
1978340 - packageserver isn't following the OpenShift HA conventions
1978352 - [master] Add machine network cidr to cluster status
1978376 - Should not allow upgrades to 4.9 without admin acknowledgement that apis are being removed
1978403 - Add Sprint 203 Round 2 translations
1978416 - Convert TFunction to Trans component
1978421 - String updates (typos, etc.)
1978425 - Consolidate namespaces in console-app and console-shared plugins
1978429 - Typos in Pipelines Plugin strings
1978435 - SR-IOV doesn't show up in operatorhub for ppc64le
1978627 - When mount source with a long unexist name, the build keeps pending with unclear message
1978629 - [RFE]'oc describe build|buildconfig' should show mount souce info when add Secret Volume Mounts to buildconfig
1978649 - Object Service tab should not be part of OCP Console for ODF Managed Services
1978662 - monitoring operator needs to indicate non-durable data
1978691 - [4.9.0] OPENSHIFT_VERSIONS env var overrides AgentServiceConfig osImages: values
1978724 - Binary secret data isn't properly uploaded by ui
1978739 - [master] Provisioning SNOs bmh is stuck in ready state
1978749 - CVO doesn't honor noProxy while contacting Cincinnati endpoint
1978774 - Cluster-version operator loads proxy config from spec, not status
1978797 - external gateway pod deletes may not clean up ECMP routes
1978829 - ClusterMonitoringOperatorReconciliationErrors is firing during upgrades and should not be
1979009 - Change log message about EFI not being supported in assisted-installer
1979038 - Installation logs are not gathered from OCP Control planes nodes
1979114 - Cannot create vm from 'With YAML' on CNV 2.6.5 + OCP 4.8
1979116 - Cannot create vm from customize wizard on CNV 2.6.5 + OCP 4.8
1979169 - [docs] Unclear docs in automatedCleaningMode
1979190 - Cannot get guest information on CNV 2.6.5 + OCP 4.8
1979297 - SystemExceedsMemoryReservation prometheusRule manages wrongly hugepage reservation
1979300 - Upgrading from 4.7.11 to 4.8.0: Saw HybridOverlay logical router policies getting created without any existing hybridoverlay configuration
1979352 - Tuned affining containers to house keeping cpus
1979506 - The earlier version bundles that generated by pkgman-to-bundle won't be installed success
1979544 - olm Operator is in CrashLoopBackOff state with error "couldn't cleanup cross-namespace ownerreferences"
1979571 - Process is not terminated in pod terminal in UI.
1979620 - Applying an OLM descriptor to a deeply nested child property then doing the same for a parent property will cause the descriptor for the child to be removed.
1979738 - driver-toolkit gcc install unable to download extract-vmlinux script in ART builds
1979822 - mdns-publisher pods are crashing and restarting often.
1979996 - Dashboards do not support automatic unit transformation for time
1980029 - CI: openstacksdk 0.53 breaks UPI jobs
1980118 - Cannot launch debug container for pods in management workload partition
1980135 - On an IPv6 single stack cluster traffic between master nodes is sent via default gw instead of local subnet
1980187 - [sig-operator] an end user can use OLM can subscribe to the operator failing frequently
1980235 - OAuth proxy version is displayed should be removed.
1980257 - 'You are logged in as a temporary administrative user.' banner is shown for kubeadmin user with crc
1980357 - Getting the alert "V4SubnetAllocationThresholdExceeded" in newly installed cluster, Where subnet allocation is not more then 80%
1980364 - CI not working because Dockerfile references an ImageStream resource which isn't compatible with OLM
1980465 - etcd warning logs misleading
1980531 - additionalHelpActions 'HelpMenu' ConsoleLinks not translated
1980548 - Not all plugins' locales folders are listed in webpack.config.ts
1980658 - metal-ipi jobs are failing because of api server connection errors
1980679 - On a Azure IPI installation MCO fails to create new nodes
1980704 - Web console doesn't list all the registries credentials in a secret
1980753 - 4.7 minimal iso fails to boot
1980781 - NTO-shipped stalld can segfault
1980844 - The SystemMemoryExceedsReserved alert released in 4.6 seems to trigger on many clusters under load (default increase if possible?)
1980888 - Thanos querier probes are timing out
1980930 - Machine-api-operator is going through leader election even when API rollout takes ~60 sec in SNO
1981055 - ovn-kubernetes-master need to handle 60 seconds downtime of API server gracefully in SNO
1981090 - [IPI baremetal] 'Failed to get the sockets from the old process' error is reported in haproxy logs following haproxy reload
1981272 - When deleting PVC inside PVC page the status in the heading doesn't match the status field
1981399 - protractor tests are not able to run on release-4.8 and master
1981417 - Change OCM links from cloud. to console.redhat.com
1981425 - Update jenkins to 2.289.2
1981465 - Assisted installer wait for ready nodes on bootstrap kube-apiserver though it moved to one of the other masters
1981477 - Unable to attach Vsphere volume shows the error "failed to get canonical path"
1981498 - enhance service-ca injection
1981550 - AWS Elastic IP permissions are incorrectly required
1981639 - Imageregistry bumps out N+1 pods when set replicas to N(N>2) and Y(=workers number) pods are scheduled to different workers, the left pods will keep pending
1981832 - OLM fails with 'ResolutionFailed' found multiple channel heads
1981936 - openshift/builder base images inconsistent with ART
1981957 - Sync plugin v1.0.47 takes a very long time to pick up new builds
1981975 - Master Machine Config Pool degraded at install time
1981999 - [4.9] Bootimage bump tracker
1982046 - CVO gets stuck on resource deletion progress after re-creating the deleted resource
1982052 - [vsphere][upi] OVN vmxnet3 allmulti workaround doesn't apply when vmxnet3 is bonded
1982079 - Resource usage measurement data display the concatenation of English and translation sentence fragments in Cluster utilization of Home->Ovewview when moving the mouse over each resource usage chart
1982090 - Top consumers filter dropdown list is inconsistent with the translation of left menu when click usage data in each Cluster utilization row
1982150 - Add a TechPreviewBadge for Multus
1982153 - Accessibility (and cypress test) issue with empty category on Operator Hub page
1982170 - (release-4.9] Operator operation is not set when updating status
1982274 - OLM should block the OCP 4.8 upgrade to 4.9 when the operator installed with olm.openShiftMaxVersion
annotation
1982300 - vsphere-problem-detector not showing wrong credentials event/alert on OCP Console
1982376 - Remove PatternFly override fixes now that upstream version include the fix
1982653 - Observe - Alerting - Create silence : time period values are in English
1982659 - Workloads - Jobs : 'Type' column's Value 'Non-parallel' is in English
1982680 - Abort signal is ignored when using safe-k8s-hook.tsx
1982682 - Namespace is not properly passed to k8sCreate
1982692 - Serverless - Eventing - Event Sources - Move sink: incomprehensible japanese sentence
1982727 - Serverless - Eventing - Brokers - Add Trigger : i18n misses
1982736 - Serverless - Eventing - Channels - Add Subscription : appearing Partial translation for fully translated text
1982751 - Serverless - Eventing - Subscriptions - Move Subscription : appearing partial translation
1982765 - Networking - Services - Edit Pod Selector : An incomprehensible Japanese sentence
1982766 - [on-prem] Make ingress keepalived check more tolerant to failures
1982776 - Namespaces - RoleBindings - Edit ClusterRoleBinding subject : An incomprehensible Japanese translation
1982781 - "opm index rm" doesn't remove deprecated bundles
1982868 - 4.8 ManagementCPUsOverride admission plugin blocks 4.7 deployments on empty topology
1982997 - Page header tools - Import YAML : i18n misses
1983032 - User Management - Users - Impersonate User : i18n misses
1983091 - Logic for getting default pull secret incorrect on project page
1983190 - SNO deployment on HPE e910 blades fails because the node always boots from virtualmedia
1983205 - StatefulSet fails to deploy with error Readiness Probe exec failed open /dev/tty failure no such address when .spec.tty is set to true [OCP 4.6.34]
1983220 - A second scroll bar appears on the Node/Pod terminal page when resizing vertically
1983412 - [Assisted-4.8] [Integration][Network validations] "unable to unmarshall host" and "unexpected end of JSON input" errors when booting nodes
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1983612 - When using boot-from-volume "image", InstanceCreate leaks volumes in case machine-controller is rebooted
1983673 - opm may prune bundles from the input
1983693 - Import from YAML shows warning when just pressing enter
1983707 - Import from YAML breaks console when three dash separator at the end
1983788 - Kubelet may start running before CRI-O
1983933 - [oVirt] CSI expansion should work in offline mode
1983975 - BMO fails to start with port conflict
1984030 - Reduce CPU overhead for ignore-listed NICs
1984031 - Create Silence form's "Created by" field is not populated after refreshing the page
1984047 - insight-operator logs a panic when shutdown, triggering panic detections in CI jobs
1984049 - Slow OVN Recovery on SNO
1984156 - Add sprint 204 translations
1984297 - There are spaces before VM description
1984365 - Dashboard Prometheus/Overview can't filter instance by job
1984414 - Excessive resource diff logging during updates
1984449 - [4.9] drop-icmp pod blocks direct SSH access to cluster nodes
1984481 - machine-api couldn't reconcile VMs with OVNKubernetes network type
1984538 - The openshift-operators namespace should not contain the openshift.io/cluster-monitoring namespace label
1984576 - PROVISIONING_INTERFACE missing from metal3 pod
1984582 - Metal IPI jobs are failing a high percentage of the time
1984608 - kube-scheduler needs to handle 60 seconds downtime of API server gracefully in SNO
1984635 - openshift-config-operator needs to handle 60 seconds downtime of API server gracefully in SNO
1984644 - openshift-service-ca-operator needs to handle 60 seconds downtime of API server gracefully in SNO
1984683 - sdn-controller needs to handle 60 seconds downtime of API server gracefully in SNO
1984736 - [master] ClusterDeployment controller watches all Secrets from all namespaces
1984807 - Move tooltip 'Restore is only enabled for offline virtual machine' to the button when it's disabled
1984942 - ApplyClusterRoleBinding triggers boundsError when adding new subject
1984954 - Normal user cannot create VM because it cannot access v2v-vmware configmap
1985033 - [OVN] [cluster network operator] Provide the option to configure probe intervals
1985080 - Downloaded log file (All task logs) contains logs of all taskrun in a single line
1985082 - namespace of monitoring rbac rules should not be hardcoded
1985125 - OperatorGroup status is not updated when it has cardinality conflits when targetNamespace is used
1985161 - Some localization issues
1985164 - Regular user cannot restore VM snapshot
1985197 - production builds doesn't load some locales successfully
1985336 - OpenShift SDN doesn't add NOTRACK rule to raw iptables table to prevent vxlan from reaching conntrack
1985366 - CCCMO using unregistered host ports
1985391 - Cluster Proxy not used during installation on OSP
1985447 - KubeAPIErrorBudgetBurn Missing namespace label
1985449 - [Assisted-4.8 ][SaaS] error raised "unable to unmarshal connectivity report for host ID xxxx:unexpected end of JSON input" in Assisted Service Pod log
1985483 - Cleaning a BMH deployed using live ISO results in a TLS failure
1985512 - allow-from-router feature doesn't work on v6 only single stack cluster
1985697 - package-server-manager needs to handle 60 seconds downtime of API server gracefully in SNO
1985711 - Registry image input isn't trimming at the start of input
1985721 - Pencil button is missing at Scheduling and resources requirements fields
1985737 - VM Details page , boot order is missing pencil edit button
1985773 - ptp4l crash when BC is configured
1985795 - OCPonRHV: pvc stuck on pending status when using preallocated storage domain
1985802 - cluster-version-operator needs to handle 60 seconds downtime of API server gracefully in SNO
1985846 - Adding ebs type "gp3" when create storage class from web console
1985850 - Update default value of volumeBindingMode from Immediate to WaitForFirstConsumer when create storageclass from web console
1985852 - The vmware-vsphere-csi-driver-webhook pod runs as “BestEffort” qosClass
1985895 - Order by 'Latest version' doesn't work on CustomResourceDefinitions list page
1985948 - [e2e]sysprep, ssh, tests fail from time to time
1985960 - oVirt 4.8 tests are failing on resize
1985997 - kube-apiserver in SNO must not brick the cluster when a config observer outputs invalid data that would eventually converge towards a running system in HA setup
1985998 - Re-enable 50 tests related to CSI failures
1986001 - Enable back ResourceQuota should create a ResourceQuota and capture the life of a service
1986003 - Bump to latest available 1.22.x k8s
1986061 - cluster network operator deploys a service monitor which is never picked up by cluster monitoring operator
1986090 - Cannot delete ClusterAutoscaler CR with foreground deletion
1986127 - UI crash when installing helm chart or right click installed chart in topology
1986129 - OpenShift web console not deployed after installing OCP 4.8.2 using single-node-developer profile
1986139 - The marketplace operator default catalogs need to use the v4.9 tags
1986148 - Bump API for Ingress RequiredHSTSPolicies field
1986174 - SRO should be able to read a complete chart form a ConfigMap.
1986215 - cluster-storage-operator needs to handle API server downtime gracefully in SNO
1986225 - [e2e][automation] add tests for vm snapshot feature
1986228 - Create e2e test for HSTS Feature
1986238 - Supermicro X12 fails to provision using Redfish BM HW Provisioning
1986243 - delete user-workload-monitoring-config configmap, can not find user metrics although no setting for enforcedTargetLimit
1986253 - Automation of Application groupings in topology
1986297 - Windows guest tool is always mounted even it's unchecked
1986306 - Enable back [sig-cli] Kubectl client kubectl wait should ignore not found error with --for=delete
1986307 - Enable back Feature:UDPConnectivity and NetworkPolicy tests
1986309 - Update ironic-agent container with latest bugfix code
1986311 - SRO crash when a incorrect chart is applied
1986322 - Update ironic container with latest bugfix code
1986324 - Update ironic-ipa-downloader container with latest bugfix code
1986375 - Avoid CMO being degraded when some nodes aren't available
1986389 - Textarea inside modal can be resized to larger width than modal
1986392 - Kubelet can't find Node after upgrade to external CCM on AWS/OpenStack
1986408 - Add NE-310 HSTS to 4.9
1986418 - kube-storage-version-migrator-operator needs to handle API server downtime gracefully in SNO
1986419 - aws-efs-csi-driver-operator CSV has upstream image references
1986420 - IPI of private cluster on GCP failed due to variable "cluster_public_ip" is not set
1986426 - Fix failing request on creating an ibm flash system via odf wizard
1986427 - rebase d/s metallb-operator to pickup AddressPool update fix and CI enhancements
1986437 - Bump openshift/api to support ExternalCloudProvider featuregate
1986440 - Bump OVN to ovn21.09-21.09.0-9.el8fdp
1986443 - OVN-kube master may report errors for "transaction failed" when creating logical ports
1986452 - Increase in RSS memory in CRI-O
1986453 - EUS Control loop to check for API server and node versions skew
1986462 - Bug in cluster-baremetal-operator when PreProvisioningOSDownloadURLs are specified in addition to ProvisioningOSDownloadURL
1986464 - Registry pull secret should be sent as base64 string
1986474 - vsphere-syncer build is failing
1986477 - cluster-node-tuning-operator needs to handle API server downtime gracefully in SNO
1986493 - Upload jar files: Java commands are JAVA_ARGS not the purported container command
1986495 - Missing translation in the Edit deployment form
1986501 - Fix bundle image for efs operator
1986540 - Cluster Proxy not used during installation on OSP
1986560 - etcd-operator needs to handle API server downtime gracefully in SNO
1986562 - lastTriggeredImageId is populated in BuildConfig spec
1986565 - [OCP48][WebUI] "How to seal boot source for template usage" link points to /foo
1986575 - Add e2e tests for haproxy timeout variables
1986631 - BuildConfig Environment tab: different errors when the form is not filled completely
1986632 - App Name & Name Values are not getting auto-populated for Deploy Image page in internal image registry
1986650 - Cypress: Globally installs Service Binding Operator operator fails at "Create Operand" step
1986654 - [OCP4.9 Bug] Auto cleaning step in Prepare stage failed
1986656 - [OCP4.9 Bug] Ironic node enters the clean failed state when the target node doesn't have a RAID controller.
1986676 - React Unique key warnings in pipelines and pipeline run details page
1986680 - [knative][flake] Fail to set traffic distribution due to "object has been modified" error
1986685 - panic when opm alpha diff
1986699 - we should take catalogsource into considering when showing Installed tile in OperatorHub catalog
1986704 - missing translation for Kafka Connections nav option
1986707 - CVO log "resource has already been removed" is confusing in a fresh install
1986729 - Event source Sink is not marked as required in create form
1986735 - Monitoring chart range selection does not work on Firefox
1986754 - In Home->Events Dashboard, 'more' and 'Show Less' are hardcodes when the browser set to Chinese language
1986757 - Keepalived fails with Liveness probe failed: command timed out
1986790 - Add disk modal gives error when not selecting storageClass
1986803 - Details page doesn't catch errors which happen on a tab
1986810 - [AUTH-13] oauth-proxy in default OpenShift components might fail to log users in if custom route certificate is configured
1986829 - [AUTH-20] Make prometheus authenticate with a certificate while scraping the cluster's core components metrics
1986833 - Gather Openshift Logging Stack Data
1986936 - Grafana shows wrong label on y-axis of network graphs
1986946 - High ICNI2 application pod creation times
1986971 - [RFE]Password of template is fixed, instead of a parameter
1986981 - Revise Alert Severity in OCP 4.9
1986988 - Pipeline builder workspace info popover is not accessible via keyboard
1986990 - Webhook tests should not use admission registration v1beta1
1987047 - VM console doesn't open to current console type when opened in a new window
1987083 - excludeMastersFromLB in Azure Cloud Config prevents service controller from adding masters
1987108 - Networking issue with vSphere clusters running HW14 and later
1987143 - update resources label for prometheus to 2.28.1
1987152 - [e2e][automation]deploy specific hpp version for tests
1987160 - opm alpha diff fails at headsonly mode
1987169 - Cannot create network attachment definition while operator is installed.
1987171 - When customizing boot source, password is shown in default font
1987192 - Disabled state/condition is not consistent
1987197 - Improve version checking in repository tooling
1987198 - The chart version dropdown says Select the chart version
even when the dropdown is disabled
1987199 - NO-OP Helm Chart Rollback
1987230 - Operators should not create watch channels very often: bump apirequests upperbounds in 4.9
1987238 - A negative value applied for the "tlsInspectDelay" option caused the router pod to go into crashloop
1987250 - Remove diskEligible check from OCS
1987255 - Azure stack hub does not support zones, azure-cloud-provider crashes horribly on startup
1987279 - installer fails to destroy a cluster with a tagged access-point
1987289 - Epic ODC-5030 - Gherkin Scripts Design
1987344 - Links in help of the Edit Disk point to old documentation
1987845 - OpenStack IPI on provider network enforces unnecessary quotas
1987948 - Add high memory alert to Openshift
1988032 - cluster-autoscaler-operator and machine-api-operator tombstone manifests should contain CVO high-availability annotations
1988092 - Cypress: disable OLM globall install test, duplicate Operand tabs
1988123 - Driver Toolkit ART / OSBS builds are failing because of extract-vmlinux
1988133 - Cypress: enable OLM globall install test, handle multiple csv's crd versions
1988291 - 4.7 -> 4.8 upgrade, node-exporter can't rollout
1988349 - Insights report controller - set the corresponding clusteroperator condition correctly
1988351 - Add new OCM controller pulling periodically SCA certs
1988371 - AWS EBS: Mounting XFS volume clone or restored snapshot to same node failed
1988372 - Azure Disk: Mounting XFS volume clone or restored snapshot to same node failed
1988373 - GCE PD: Mounting XFS volume clone or restored snapshot to same node failed
1988374 - OpenStack Cinder: Mounting XFS volume clone or restored snapshot to same node failed
1988379 - Avoid connection pool full logs
1988424 - Only assign priority class in OCP environment for LSO
1988476 - remove dhclient binary from RHCOS
1988491 - quorum-guard health checks fail to report accurate health reporting
1988576 - Authentication operator fails to become available during upgrade to 4.8.2
1988801 - Router HAProxy backend balance option is blank missing random argument in haproxy.config
1988812 - [e2e][flaky] smoke tests may fail if vm already exist before vmi tests start
1988828 - oc adm must-gather runs successfully for audit logs 2e2 is failing
1988903 - Kms details empty in only MCG deployment
1988904 - Arbiter details not present in ODF wizard
1988905 - External mode deployments fails on parsing json in ODF wizard
1988976 - pkgman-to-bundle will exit with flag "--build-cmd"
1988992 - Worker machine object updated too many times [Azure]
1989005 - router pod is CrashLoopBackOff if configure spec.clientTLS.allowedSubjectPatterns to ".openshift.com"
1989044 - [ART] Error reconciling Dockerfile for openshift/ose-sriov-network-operator in OCP v4.9
1989051 - Machine API Spot tests should set valid value for maxPrice
1989055 - logins to the web console fail when custom certificate is in use for the OpenShift oauth-server
1989058 - router pod stuck in ContainerCreatin if removed configmap/router-client-ca-crl-default and update spec.clientTLS.clientCertificatePolicy
1989073 - KCM logs an error on startup when using external cloud providers
1989077 - vSphere CSI StorageClass events are repeated pathologically
1989101 - [ovirt] Update owners - csi-driver
1989102 - [ovirt] Update owners - csi-driver-operator
1989122 - rebase openshift/sdn to kube 1.22
1989143 - [e2e][automation] missing file for testing release-4.8
1989158 - re-enable disabled unidling e2e tests
1989215 - [openstack-cinder-csi-driver-operator] csi-liveness-probe is not deployed
1989246 - openshift-network-operator needs to handle API server downtime gracefully in SNO
1989335 - Etcd is degraded after upgrading to 4.9 with message "configmap openshift-config-managed/csr-controller-ca field manager is not valid"
1989342 - containernetworking-plugins: Add dpdk support to host-device plugin
1989391 - oc adm groups sync
will generate useless data
1989417 - Enable back [sig-cli] oc adm storage-admin
1989423 - Enable back [sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it
1989431 - fail to "opm alpha diff" bundle image with heads-only mode.
1989440 - OCS Storage Cluster creation Multus network configuration not applied when only Cluster Network is selected
1989454 - Butane 0.13.0 generate MachineConfig object with ignition version 3.3.0 which is not supported in ocp4.9
1989456 - sriov operator cannot be upgraded to 4.9 from 4.8
1989460 - non-head bundle of the channel is included in output of opm alpha diff for heads-only mode
1989461 - kube-apiserver does not use the SO_REUSEPORT properly
1989462 - [v2v] MTV modal string changes
1989496 - typo in ClusterOperatorDegraded alert description part
1989504 - The code logic of channel clear is ambiguous, as well as the help info and output messages
1989505 - Enable back single oc observe test
1989507 - replace configmap with storageprofile
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1989600 - Registry server RSS and CPU utilization too high during normal operation
1989604 - IBMCLOUD: panic: runtime error: invalid memory address or nil pointer dereference
1989615 - HBO: Every node update triggers "lsp-add" for HBO ports unnecessarily
1989632 - Create EFS filesystem for dynamic provisioning
1989633 - staticpod/installer: backoff should not apply if latestAvailableRevision > targetRevision
1989688 - [SNO] Egress router pod not created in SNO ipv6 single stack cluster
1989694 - Bump OVN to ovn21.09-21.09.0-10.el8fdp
1989704 - Invalid olm.maxOpenShiftVersion properties have unclear/undefined behavior in OLM
1989707 - [Dev Only] Add HPA page shows error screen when you try to create HPA with default values
1989710 - Catalog operator wastes memory by caching complete copied CSVs
1989720 - Descheduler operator should allow configuration of PodLifetime seconds
1989722 - Descheduler operator should allow eviction based on soft topology constraints
1989724 - Descheduler operator should expose options for pods with PVCs and Local Storage
1989728 - Descheduler operator should verify config does not conflict with scheduler
1989734 - Whereabouts fails in 4.9 due to missing RBAC for leases
1989772 - openshift-controller-manager and operator needs to handle API server downtime gracefully in SNO
1989796 - the same bundle is in output of opm alpha diff
1989837 - [Migration] SDN migration rollback failed, stuck in MCO
1989839 - docs packages should not be installed in the ironic containers
1989842 - Console Observe > Metrics / Dashboards: Missing series appear in tooltip with value "0"
1989876 - Dashboards for OCS Storage System not available
1989887 - Metrics not shown in storage system list page under ODF
1989889 - UI crashes when accessing create new operand page
1989896 - CVE-2019-19794 : mdns-publisher uses miekg Go DNS package version < 1.1.25
1989914 - [e2e][flaky] increase timeouts
1989917 - OpenStack inconsistency reports on limits numbers for network quota check
1989961 - CI apiserver downtime calculation isn't quite right
1989973 - openshift-install explain text contains typo: cluster components will assume assume ownership of all resources
1989980 - Worker machine object updated too many times [vsphere]
1990012 - ControllerConfig Infrastructure does not match cluster Infrastructure resource
1990018 - Add Sprint 204 round 2 translations
1990024 - Eligible is misspelled in console-app
1990060 - [Assisted-4.8] Host returns no routes when routing table contains multipart
1990075 - azure-cloud-node-manager DaemonSet should use maxUnavailable: 10%
1990089 - Bundle validation does not fail for a bundle having multiple service account declaration with same name
1990115 - Multus whereabouts assigns duplicate IP addresses to pods when have large number of replicas
1990137 - Fix creation of EFS filesystem
1990140 - Samples operator management Removed failed to contact registry.redhat.io
1990146 - some controllers missing livenessProbe
1990205 - Console: Observe > Dashboards: "Cannot update during an existing state transition (such as within render)..." in browser developer console
1990206 - Incorrect AWS Supported instance type
1990316 - Deployment with virtualmedia fails on HP setup (real bm) - port missing in iso http path
1990432 - Volumes are accidentally deleted along with the machine [vsphere]
1990447 - Worker machine object updated too many times [gcp]
1990493 - [e2e][automation] test for storageProfile settings
1990496 - Cleaning can fail with SSLError "timed out"
1990541 - etcd: golang version should align with product
1990577 - Upgrade Ingress API version
1990601 - AzureDisk CSI driver is not installed by default on Azure Stack Hub
1990603 - [Descheduler] descheduler operator throws an error which reads "key failed with : scheduler.config.openshift.io "cluster" not found"
1990610 - Panic in the cluster-kube-apiserver-operator startup monitor enablement check
1990617 - Update Fedora CoreOS images to latest testing for OKD
1990631 - FailedToDeleteOVNLoadBalancer Error trying to delete the idling OVN LoadBalancer
1990725 - [Kuryr][4.9] KuryrSDNPodNotReady alert is missing the node name in the message
1990732 - Test failures caused by "volumeBindingMode" defaulting to "WaitForFirstConsumer"
1990781 - Large binary pkg/tool/gen-skus-map in Azure Disk repo
1990826 - New non-secure and secure routes without hsts annotation fail to get created in globally enforced hsts domain resources
1990850 - Registry databases that do not store properties as TEXT are not served
1990899 - PrivateIPAddressVersionCannotBeModified errors in CNO tests
1990970 - The development of ccoctl support for IBM left unused debug test binary in the source code
1990975 - ccoctl for IBM does not support not all possible environment variables to pass APIKEY
1990988 - Samples library sync fails container test on php 7.2
1991068 - cluster-etcd-operator: tls ciphers should be checked for validity
1991095 - [External Mode] Dashboard shows incorrect deployment mode
1991316 - namespace should be with openshift as prefix
1991338 - "Network Attachment Definitions" is not able to load by a regular user
1991357 - Fresh installation shows kube-apiserver error NodeInstallerDegraded: 1 nodes are failing on revision 4
1991439 - Some hardcodes are detected at the code level in OpenShift console components
1991507 - [sig-cli] Kubectl client Simple pod should return command exit codes [Suite:openshift/conformance/parallel] [Suite:k8s]
1991508 - ppc64le and s390x CI jobs are failing with exec format errors
1991519 - [e2e][flaky] fix kubevirt hco creation
1991548 - [e2e][automation] add tests for disk preallocation
1991551 - Idle service cannot be waked up
1991566 - [e2e][automation] Disable protractor test in prow
1991662 - OLM Catalog Templating
1991730 - e2e-aws-proxy is failing with "Invalid value: []string{"us-west-2d", "us-west-2b"}: No subnets provided for zones"
1991793 - ECMP routes with invalid next hops still result in OF groups getting programmed
1991814 - "oc adm inspect co storage" returns an error message when there is no openshift-manila-csi-driver ns.
1991860 - Insights Operator panics with invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference)
1991977 - Kamelet sources shown in openshift-operators in eventsources but in other namespace shows up only if user created IP CR
1992004 - ci/prow/e2e-gcp-console flake "Create Application from git form"
1992013 - ci/prow/e2e-gcp-console flake "Create Application from Devfile.Create Application"
1992016 - Expose kubelet configuration parameters
1992148 - [Azure CSI] cannot deploy Azure Disk on ASH because /etc/kubernetes is read-only fs
1992193 - Race condition in cluster-storage-operator
1992255 - csi-snapshot-controller needs to handle API server downtime gracefully in SNO
1992405 - Sync upstream 1.10.1 downstream
1992463 - OKD: Installation to Libvirt fails due to no space left in /run
1992493 - 3 alerts have no annotations summary and description
1992502 - select storage class dropdown fail when using CNV2.6.5
1992507 - all the alert rules' annotations "summary" and "description" should comply with the OpenShift alerting guidelines
1992508 - documentationBaseURL should be updated to 4.9
1992555 - all the alert rules' annotations "summary" and "description" should comply with the OpenShift alerting guidelines
1992557 - failed to start cri-o service due to /usr/libexec/crio/conmon is missing
1992560 - all the alert rules' annotations "summary" and "description" should comply with the OpenShift alerting guidelines
1992591 - 2 different oc binaries are used in the cli-artifacts
image
1992673 - Failed OCP build of openshift/ose-etcd:v4.9.0
1992677 - OLM upgradeable condition message unclear with MaxOpenShiftVersion set
1992714 - use existing pvc hotplug crashes
1992730 - Dynamic Plugins: localization does not work for plugin
1992820 - [Knative] Event Sources should be under Serverless group together with Channel
1992823 - Cluster autoscaler should use Kubernetes 1.22 dependencies
1992857 - [Azure CSI] Not enough permissions to list config maps in openshift-config ns
1992875 - [Azure CSI] Driver Node controller can't get config from the secret of Azure Stack Hub
1992876 - Gather OKD specific journal logs
1992900 - openshift/kubernetes fails to build on ARM
1992950 - [e2e][automation] create template from wizard
1992974 - Revision/Route list table doesn't have proper alignment/styles in admin perspective
1993002 - The "largestMaxAge" and "smallestMaxAge" in "maxAge" option for HSTS headers accepts negative values
1993007 - e2e tests fail because operator does not delete SriovNetworks
1993055 - node_exporter task, log message wrong
1993078 - Enable Auth config for ironic-api
1993087 - Azure StackHub: cluster-cloud-controller-manager-operator / azure-cloud-controller-manager / azure-cloud-node-manager does not support OCP azure credentials secret format
1993147 - Add aria-label to different OCS dashboard components
1993148 - Monitoring UI doesn't make use of React's memoization features
1993159 - [Azure] Instead of updating the spec actuator updates status twice
1993195 - Testing performance of sync plugin
1993207 - failed to list resource groups: Can not get resource groups without account id in parameter by service id token
1993260 - SRO RBAC error when deploying ping-pong CR
1993286 - Minor OpenShift upgrades blocked when olm.maxOpenShiftVersion = current Y-stream+1 and current Z-stream > 0
1993306 - Flaky e2e test: Event Sources on default Developer Catalog
1993444 - NFD - cstate detection enabled on s390x
1993757 - OCP 4.8 etcd unhealthy
1993788 - VM creation (customize flow): storage class mismatch between actual SC and "Edit Disk" screen
1993793 - Move CSIDriver from v1beta to v1
1993840 - openshift-samples should not change condition Degraded/Available (upgrades)
1993851 - EFS CSI driver operator does not have an icon
1993886 - operand creation form doesn't render correct format
1993920 - Improve Sysprep helper text
1993922 - The kubeletconfig controller has wrong assumption regarding the number of kubelet configs
1993931 - Storage operators use older kubernetes client
1993934 - Update CSI sidecars
1993955 - [External Mode] Fix margin issue with Details card on Block and File Page
1993975 - [not user facing][infrastructure] remove kubevirt dependants for dynamic plugin
1993977 - kube-rbac-proxy panic
1993980 - Kubelet regularly freeze control groups causing issues further down
1993999 - Some hardcodes are detected at the code level in OpenShift console components
1994035 - SNO: LSO diskmaker pod using excessive cpu
1994060 - API response for host routes includes misleading family number when IPv6 is enabled
1994069 - [4.9] bump OVN to ovn21.09-21.09.0-13.el8fdp
1994103 - [IBMCLOUD] Needs to have Terraform code converted to steps.
1994113 - local volume tests create lot of events churn
1994139 - k8s 1.22 bump for operator-lifecycle-manager
1994155 - thanos fails to build with latest imagebuilder
1994172 - rhel node does not join cluster conmon validation: invalid conmon path
1994253 - On OKD templates provided by kubevirt provider and supported by red-hat are marked as community templates
1994257 - Audit errors alert not created
1994277 - Changing the memory manager policy via the kubelet config will drop the node to NotReady state
1994410 - When machine creation failed due to validations, error contains "failed to create connection to oVirt API"
1994434 - service account sriov-network-config-daemon disappeared when sriov operator upgrade from 4.8 to 4.9 version
1994439 - Review page of ODF wizard does not follow console guidelines
1994443 - openshift-console operator incorrectly reports Available=false
1994454 - upgrade from 4.6 to 4.7 to 4.8 with mcp worker "paused=true", crio report "panic: close of closed channel" which lead to a master Node go into Restart loop
1994480 - Cluster Infrastructure owned components should use 1.22 dependencies
1994586 - Create local volume set step says "An error has occurred"
1994613 - disable all CI tests that require IPv6 internet connectivity
1994642 - Update CSI drivers
1994643 - kube-apiserver must not return 404 to garbage collection controller before being ready
1994647 - [ipv6] ovn-nbctl calls to find with nexthop= need quotes for IPv6
1994648 - Resolution failed error condition in Subscription not being removed after resolution error is resolved.
1994707 - cluster-etcd-operator: handle unstarted member condition in status request.
1994857 - [UPGRADE] kube-apiserver is degraded after upgrading to 4.9 with error "configmap openshift-config-managed/csr-controller-ca field manager is not valid"
1994872 - [4.9] oc fail to mirror release payload to local disk
1994891 - NTO: use the latest k8s 1.22 and openshift vendor dependencies
1994927 - Enable back [sig-network] Networking should provide Internet connection for containers using DNS
1994973 - Fix bundle config
1994975 - Next button is enabled when the flash system endpoint is invalid
1994979 - Fix skipRange
1994981 - Local Storage Operator does not have an icon
1994986 - etcd check perf causes issues on clusters if run
1994991 - olm.skipRange replacement is noop
1994997 - olm.skipRange substitution is noop in ART builds
1995043 - Two storage systems got created while creating one from UI
1995049 - tech / dev preview badge in search resource dropdown missing styles
1995110 - olm.skipRange is not set
1995116 - Pod logs shows incorrect lines number in the log window top banner
1995148 - Secret key for mangement address is incorrect for flash system
1995198 - OLM tests are failing on aws arm64
1995291 - oc new-app/new-build commands should not mention docker
1995300 - opm validate does not detect cycles in channels
1995325 - Projects page fails to render due to calling more hooks than previous render
1995330 - ovn-kubernetes load-balancer operations are very expensive
1995386 - bz 1990140 fix broke retry on tbr connection test
1995387 - OpenStack 4.8 -> 4.9 upgrade is permafailing periodic-ci-openshift-release-master-ci-4.9-upgrade-from-stable-4.8-e2e-openstack-upgrade
1995468 - Nodes can't resolved IPv4 address in dual stack configuration
1995523 - Pipeline Builder form throws an error when clicked on Add Task
1995525 - All storage systems are listed in the details page of a particular storagesystem
1995573 - oc adm certificate approve|deny help shows kubectl in the examples
1995612 - Block pool details page breadcrumb link is not pointing storage system details page
1995614 - "beta.kubernetes.io/os" is deprecated since v1.14
1995653 - upgrade rbac rules to use v1 APIS for LSO
1995655 - 4.9 installer should default ClusterVersion channel to stable-4.9
1995695 - Get insights on series churn during upgrades
1995727 - sync plugin no longer catches build deletes that occur between restarts
1995785 - long living clusters may fail to upgrade because of an invalid conmon path
1995804 - Rewrite carry "UPSTREAM: [sig-storage] EmptyDir volumes pod should support memory backed volumes of specified size
is permafailing on OKD 4.9
2000589 - [sig-node] crictl should be able to run crictl on the node
2000590 - Warning on topology context menu right click
2000596 - (release-4.9) Update K8s & OpenShift API dependencies versions
2000607 - Domain mapping movement from one service to another is not intutive
2000608 - static pod startup monitor should log to a log file in addition to stderr
2000633 - Issue with the UI of observer page when screen size is reduced
2000636 - Edit Deployment form drops strategy data when switching type
2000689 - [block-pool-dashbaord] Expandable section in mirroring card is empty when no image for mirroring
2000721 - Bump OVS userland to openvswitch2.16-2.16.0-6.el8fdp
2000726 - ZTP PolicyGen failed to create CRs during synchronization of 1 site
2000768 - Quick Starts provide incorrect guidance when Che/CRW is installed
2000820 - (release-4.9) Gather PodSecurityPolicies names installed in a cluster
2000833 - Wepack warnings about missing types when running dev build
2000873 - Toast shows list style on uploadJar toast and export app toast
2000935 - add volume mode selection in storage creation (external IBM FlashSystem)
2000965 - [e2e][automation] remove login prompt check until it's clearly needed
2001263 - [e2e][automation] create vm from template list and action dropdown
2001288 - Virtualization is not available in Home Overview when CNV version is 2.6.z
2001292 - import vm action is not hidden
2001958 - Cluster becomes degraded if it can't talk to Manila
2001983 - Incorrect StorageCluster CR created and ODF cluster getting installed with 2 Zone OCP cluster
2002196 - Pass down proxy env to operands failed for ansible type operator
2002197 - Pass down proxy env to operands failed for helm type operator
2002200 - Operator-lib proxy block the "ReadProxyVarsFromEnv" for go type operator
2002288 - [4.9] kube-proxy's userspace implementation consumes excessive CPU
2002338 - Bump descheduler to k8s 1.22
2002361 - Missing the ability to set networkType in SiteConfig during ZTP flow
2002374 - Inexplicably slow kubelet on bootstrap makes installation fail
2002502 - []corev1.EnvVar{} can't be appended to container.env
2002543 - Test: oc adm must-gather runs successfully for audit logs - fail due to startup log
2002561 - Failing tests: "volumeMode should fail in binding dynamic provisioned PV to PVC"
2003161 - [SCALE] ovnkube CNI: remove ovs flows check
2003197 - CRI-O leaks some children PIDs
2003245 - [4.9] Revert libovsdb client code
2003306 - Rejected pods should be filtered from admission regression
2003545 - Remove openshift:kubevirt-machine-controllers decleration from machine-api
2004137 - ptp/worker custom threshold doesn't change ptp events threshold
2004146 - Need Device plugin configuration for the NIC "needVhostNet" & "isRdma"
2004337 - [4.9] OVN CNI should ensure host veths are removed
2004340 - [4.9] Pod creation failed due to mismatched pod IP address in CNI and OVN
2004568 - Cluster-version operator does not remove unrecognized volume mounts
2004676 - [4.9] Boot option recovery menu prevents image boot
2004712 - TuneD issues with the recent ConfigParser changes.
2004924 - [SNO]ingress/authentication clusteroperator degraded when enable ccm from start
2004961 - output of "crictl inspectp" is not complete
2005108 - removing and recreating static pod manifest leaves pod in error state
2005462 - [4.9] ovn-kube may never attempt to retry a pod creation
2005476 - [4.9] [ICNI2] 'ErrorAddingLogicalPort' failed to handle external GW check: timeout waiting for namespace event
2006145 - 4.8.12 to 4.9 upgrade hung due to cluster-version-operator pod CrashLoopBackOff: error creating clients: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
2006432 - [4.9] Remove workaround keeping /boot RW for kdump support
2006782 - Missing ZTP ArgoCD Container Image
2006962 - [4.9] OS boot failure "x64 Exception Type 06 - Invalid Opcode Exception"
2007086 - [4.9] Bootimage bump tracker
2007089 - [4.9] Intermittent failure mounting /run/media/iso when booting live ISO from USB stick
2007324 - race condition can cause in cluster-bootstrap can cause crashlooping bootstrap kube-apiserver
2007458 - crio's selinux module has performance improvements when compiled with golang 1.16
2007684 - [4.9.z] PVs remain in Released state for a long time after the claim is deleted
2008619 - ImageStream with RHCOS version tag needed for RHODS GPU support
2008944 - Azure Stack UPI does not have Internal Load Balancer
2009059 - Placeholder bug for OCP 4.9.0 metadata release
2009342 - The serviceAccountIssuer field on Authentication CR is reseted to “” when installation process
2009467 - [4.9] container-selinux should come from rhel8-appstream
2009530 - Deployment upgrade is failing availability check
2009652 - [4.9] Multipath day1 not working on s390x
2009653 - [4.9] Bootimage bump tracker
2009738 - [IPI-on-GCP] 'Install a cluster with nested virtualization enabled' failed due to unable to launch compute instances
2009842 - cannot build extensions on aarch64 because of unavailability of rhel-8-advanced-virt repo
2010066 - [Assisted-4.9][Integration] Unable to generate ISO with error: Failed to fetch base ISO information: NotFound
2010074 - [e2e][automation] CI tests fail because of wrong test cnv version installed
2010372 - Reverts PIE build mode for K8S components
2010486 - SRO package name collision between official and community version
2010529 - [backport 4.9] openshift-gitops operator hooks gets unauthorized (401) errors during jobs executions
2010861 - Failure building EFS operator
2010954 - SRO CSV uses non default category "Drivers and plugins"
2011050 - Storage operator is not available after reboot cluster instances
2011087 - Backport audit log silence change
2011350 - RenderOperatingSystem() returns wrong OS version on OCP 4.7.24
2011701 - Bootkube tries to use oc after cluster bootstrap is done and there is no API
2011815 - Kubelet rejects pods that use resources that should be freed by completed pods
2011951 - [4.9] ClusterVersion Upgradeable=False MultipleReasons should include all messages
2011958 - [4.9] [tracker] Kubelet rejects pods that use resources that should be freed by completed pods
2011961 - [4.9] [tracker] Storage operator is not available after reboot cluster instances
2011985 - SRO bundle references non-existent image
2012008 - APIRemovedInNextReleaseInUse: give exact command in description
- References:
https://access.redhat.com/security/cve/CVE-2021-3121 https://access.redhat.com/security/cve/CVE-2021-26539 https://access.redhat.com/security/cve/CVE-2021-26540 https://access.redhat.com/security/cve/CVE-2021-28092 https://access.redhat.com/security/cve/CVE-2021-28169 https://access.redhat.com/security/cve/CVE-2021-29059 https://access.redhat.com/security/cve/CVE-2021-31525 https://access.redhat.com/security/cve/CVE-2021-32690 https://access.redhat.com/security/cve/CVE-2021-33194 https://access.redhat.com/security/cve/CVE-2021-33195 https://access.redhat.com/security/cve/CVE-2021-33196 https://access.redhat.com/security/cve/CVE-2021-33197 https://access.redhat.com/security/cve/CVE-2021-33198 https://access.redhat.com/security/cve/CVE-2021-34428 https://access.redhat.com/security/cve/CVE-2021-34558 https://access.redhat.com/security/cve/CVE-2021-36980 https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYW2xOdzjgjWX9erEAQhRpg/+NubKYuEEFCd+EYhr16pH3VlbzYBRZAxP Of5AIOpaqr7Nmij2fg1xokPBaB81PRf1Zh50t6025cr6+WaNggw8ina7YY4uJMKU t2pV4gKZuT6d2UNytZ9Hqw0H4gG9lSJz3nvjQ1Mb2RNhcAEeA8dk1UWdhUXe122L hqMLRr1WRkCDQ8z5WIRRWtvgEllWF5IufV+98zIKf5RslGFntETRrBw3OXZJItIS 03gcWNn+8QHoovqpdP5GfCpDSltsbk3I9rGPa7+/WFGWN39DdDRLr0VgbyU1TMxV ypuqThlfjJAIVTs+mHvtBDJ71REVh8mkDpLLnSnm8iym1ehsuBBqt1jIkPgu2vnr b1b75K9Y1YoMDLycbU7WcEfSjq8iqfYoVddzwkKSihmjPJeqCsTseOSl00s2HMaT 5DQHyvpwhzIYWw+vSiD2xolRI7j8VH6K3mvWM2aG3GrQNuLSgmd5l3Y115aW01JG ay1oDXj/k9Y5EeerGDS2IbrZhHRVy6Y5ach2deCBAUmA2gX2yTk88e6/F/WTGLL7 tKWcpu/QQJKg6rcDx7r5+G0aUlHpo7e06uxKwBr+MrCSNFj7TgRlN30ZkNMqrh4P 0v3fPfZdBFAAt6Akb7fxb6Pb+NMlGJF8Pa8RgncWAK7q7hwBlW8cV2x9aRdZnW/I UhVGDnha+dI= =BYf6 -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHSA-2021:3759
Security Fix(es):
-
jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory (CVE-2021-28169)
-
golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196)
-
openvswitch: use-after-free in decode_NXAST_RAW_ENCAP during the decoding of a RAW_ENCAP action (CVE-2021-36980)
-
jetty: SessionListener can prevent a session from being invalidated breaking logout (CVE-2021-34428)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/):
1965503 - CVE-2021-33196 golang: archive/zip: malformed archive may cause panic or memory exhaustion 1971016 - CVE-2021-28169 jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory 1974891 - CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout 1984473 - CVE-2021-36980 openvswitch: use-after-free in decode_NXAST_RAW_ENCAP during the decoding of a RAW_ENCAP action
-
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
-
Gentoo Linux Security Advisory GLSA 202311-16
https://security.gentoo.org/
Severity: Low Title: Open vSwitch: Multiple Vulnerabilities Date: November 26, 2023 Bugs: #765346, #769995, #803107, #887561 ID: 202311-16
Synopsis
Multiple denial of service vulnerabilites have been found in Open vSwitch.
Background
Open vSwitch is a production quality multilayer virtual switch.
Affected packages
Package Vulnerable Unaffected
net-misc/openvswitch < 2.17.6 >= 2.17.6
Description
Multiple vulnerabilities have been discovered in Open vSwitch. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All Open vSwitch users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/openvswitch-2.17.6"
References
[ 1 ] CVE-2020-27827 https://nvd.nist.gov/vuln/detail/CVE-2020-27827 [ 2 ] CVE-2020-35498 https://nvd.nist.gov/vuln/detail/CVE-2020-35498 [ 3 ] CVE-2021-3905 https://nvd.nist.gov/vuln/detail/CVE-2021-3905 [ 4 ] CVE-2021-36980 https://nvd.nist.gov/vuln/detail/CVE-2021-36980 [ 5 ] CVE-2022-4337 https://nvd.nist.gov/vuln/detail/CVE-2022-4337 [ 6 ] CVE-2022-4338 https://nvd.nist.gov/vuln/detail/CVE-2022-4338 [ 7 ] CVE-2023-1668 https://nvd.nist.gov/vuln/detail/CVE-2023-1668
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202311-16
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202107-1506", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "openvswitch", "scope": "lte", "trust": 1.0, "vendor": "openvswitch", "version": "2.15.0" }, { "model": "openvswitch", "scope": "gte", "trust": 1.0, "vendor": "openvswitch", "version": "2.11.0" }, { "model": "open vswitch", "scope": "eq", "trust": 0.8, "vendor": "open vswitch", "version": "2.11.0 to 2.15.0" }, { "model": "open vswitch", "scope": "eq", "trust": 0.8, "vendor": "open vswitch", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-009864" }, { "db": "NVD", "id": "CVE-2021-36980" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:openvswitch:openvswitch:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "2.15.0", "versionStartIncluding": "2.11.0", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-36980" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Red Hat", "sources": [ { "db": "PACKETSTORM", "id": "164563" }, { "db": "PACKETSTORM", "id": "164543" }, { "db": "PACKETSTORM", "id": "164542" } ], "trust": 0.3 }, "cve": "CVE-2021-36980", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "exploitabilityScore": 8.6, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": true, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Medium", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 4.3, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2021-36980", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "VULHUB", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "exploitabilityScore": 8.6, "id": "VHN-398812", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.1, "vectorString": "AV:N/AC:M/AU:N/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "LOCAL", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitabilityScore": 1.8, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Local", "author": "NVD", "availabilityImpact": "High", "baseScore": 5.5, "baseSeverity": "Medium", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2021-36980", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "Required", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2021-36980", "trust": 1.8, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202104-975", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202107-1384", "trust": 0.6, "value": "MEDIUM" }, { "author": "VULHUB", "id": "VHN-398812", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULHUB", "id": "VHN-398812" }, { "db": "JVNDB", "id": "JVNDB-2021-009864" }, { "db": "NVD", "id": "CVE-2021-36980" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "CNNVD", "id": "CNNVD-202107-1384" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action. Open vSwitch ( alias openvswitch) Is vulnerable to the use of freed memory.Denial of service (DoS) It may be put into a state. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Description:\n\nOpen vSwitch provides standard network bridging functions and support for\nthe OpenFlow protocol for remote per-flow control of traffic. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891\n\n5. ==========================================================================\nUbuntu Security Notice USN-5065-1\nSeptember 08, 2021\n\nopenvswitch vulnerability\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 21.04\n- Ubuntu 20.04 LTS\n\nSummary:\n\nOpen vSwitch could be made to crash or run programs if it received\nspecially crafted network traffic. \n\nSoftware Description:\n- openvswitch: Ethernet virtual switch\n\nDetails:\n\nIt was discovered that Open vSwitch incorrectly handled decoding RAW_ENCAP\nactions. A remote attacker could use this issue to cause Open vSwitch to\ncrash, resulting in a denial of service, or possibly execute arbitrary\ncode. \n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 21.04:\n openvswitch-common 2.15.0-0ubuntu3.1\n\nUbuntu 20.04 LTS:\n openvswitch-common 2.13.3-0ubuntu0.20.04.2\n\nIn general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: OpenShift Container Platform 4.9.0 bug fix and security update\nAdvisory ID: RHSA-2021:3759-01\nProduct: Red Hat OpenShift Enterprise\nAdvisory URL: https://access.redhat.com/errata/RHSA-2021:3759\nIssue date: 2021-10-18\nCVE Names: CVE-2021-3121 CVE-2021-26539 CVE-2021-26540 \n CVE-2021-28092 CVE-2021-28169 CVE-2021-29059 \n CVE-2021-31525 CVE-2021-32690 CVE-2021-33194 \n CVE-2021-33195 CVE-2021-33196 CVE-2021-33197 \n CVE-2021-33198 CVE-2021-34428 CVE-2021-34558 \n CVE-2021-36980 \n=====================================================================\n\n1. Summary:\n\nRed Hat OpenShift Container Platform release 4.9.0 is now available with\nupdates to packages and images that fix several bugs and add enhancements. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Description:\n\nRed Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments. \n\nThis advisory contains the container images for Red Hat OpenShift Container\nPlatform 4.9.0. See the following advisory for the RPM packages for this\nrelease:\n\nhttps://access.redhat.com/errata/RHSA-2021:3758\n\nSecurity Fix(es):\n\n* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index\nvalidation (CVE-2021-3121)\n\n* sanitize-html: improper handling of internationalized domain name (IDN)\ncan lead to bypass hostname whitelist validation (CVE-2021-26539)\n\n* sanitize-html: improper validation of hostnames set by the\n\"allowedIframeHostnames\" option can lead to bypass hostname whitelist for\niframe element (CVE-2021-26540)\n\n* nodejs-is-svg: ReDoS via malicious string (CVE-2021-28092)\n\n* nodejs-is-svg: Regular expression denial of service if the application is\nprovided and checks a crafted invalid SVG string (CVE-2021-29059)\n\n* golang: net/http: panic in ReadRequest and ReadResponse when reading a\nvery large header (CVE-2021-31525)\n\n* helm: information disclosure vulnerability (CVE-2021-32690)\n\n* golang: x/net/html: infinite loop in ParseFragment (CVE-2021-33194)\n\n* golang: net: lookup functions may return invalid host names\n(CVE-2021-33195)\n\n* golang: net/http/httputil: ReverseProxy forwards connection headers if\nfirst one is empty (CVE-2021-33197)\n\n* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error\nif passed inputs with very large exponents (CVE-2021-33198)\n\n* golang: crypto/tls: certificate of wrong type is causing TLS client to\npanic (CVE-2021-34558)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nThis update also fixes several bugs and adds various enhancements. \nDocumentation for these changes is available from the Release Notes\ndocument linked to in the References section. \n\nYou may download the oc tool and use it to inspect release image metadata\nas follows:\n\n(For x86_64 architecture)\n\n $ oc adm release info\nquay.io/openshift-release-dev/ocp-release:4.9.0-x86_64\n\nThe image digest is\nsha256:d262a12de33125907e0b75a5ea34301dd27c4a6bde8295f6b922411f07623e61\n\n(For s390x architecture)\n\n $ oc adm release info\nquay.io/openshift-release-dev/ocp-release:4.9.0-s390x\n\nThe image digest is\nsha256:d262a12de33125907e0b75a5ea34301dd27c4a6bde8295f6b922411f07623e61\n\n(For ppc64le architecture)\n\n $ oc adm release info\nquay.io/openshift-release-dev/ocp-release:4.9.0-ppc64le\n\nThe image digest is\nsha256:d262a12de33125907e0b75a5ea34301dd27c4a6bde8295f6b922411f07623e61\n\nAll OpenShift Container Platform 4.9 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift Console\nor the CLI oc command. Instructions for upgrading a cluster are available\nat\nhttps://docs.openshift.com/container-platform/4.9/updating/updating-cluster\n- -between-minor.html#understanding-upgrade-channels_updating-cluster-between\n- -minor\n\n3. Solution:\n\nFor OpenShift Container Platform 4.9 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-rel\nease-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.9/updating/updating-cluster\n- -cli.html\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1786835 - oc is crashing while mirroring registry\n1856355 - Scrolling of pf4 tables is far less performant than the previous version\n1862429 - LocalVolumeSet object can be deleted with in-use PVs. May result in data leak\n1868221 - Missing /etc/mtab symlink in CRI-O containers\n1882490 - Azure installer misses hyphen in master NIC names\n1883378 - Openapi spec is missing for prometheus-adapter aggregated api-resources\n1890676 - Cypress: Fix \u0027aria-hidden-focus\u0027 accesibility violations\n1898877 - keepalived consumes 100% of cpu\n1903519 - Wrong Ingress to Route conversion for wildcard hostnames\n1903632 - After upgrading a customer openshift cluster to 4.6.4 the openshift marketplace pods are in ImagePullBackOff state\n1904155 - Graphs on utilization tab don\u0027t respect timespan selection\n1905326 - kube-apiserver initContainer setup is not requesting required resources: cpu, memory\n1905851 - [REF] Create volumesnapshotclass for Manila csi driver by default Storage/Manila CSI Driver\n1906315 - \"cannot populate chunk **\" error in prometheus container logs\n1908677 - Reenable [sig-network] SCTP [Feature:SCTP] [LinuxOnly] should create a Pod with SCTP HostPort [Suite:openshift/conformance/parallel] [Suite:k8s]\n1908772 - A11y Violation: Dev Console Nav Menu UL contains non-LI elements\n1909058 - [cinder-csi-driver operator] always report fake event continuously in openstack-cinder-csi-driver-operator log\n1913618 - Completed pods skew the Quota metrics\n1914398 - multus admission controller and metrics daemon running as root\n1914414 - SRIOV enablement for Emulex Corporation OneConnect NIC (10df:0720) is not working anymore\n1914837 - Machine API Termination Handlers should be tested\n1918562 - [cinder-csi-driver-operator] does not detect csi driver work status\n1921139 - revert \"force cert rotation every couple days for development\" in 4.8\n1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation\n1923111 - Install plans permanently fail due to CRD resource modified or similar transient errors\n1924695 - Non-ascii passwords are accepted but don\u0027t work\n1925180 - Deployment creates a huge number of ReplicaSets - image-lookup bits\n1925203 - [RFE] [OCPonRHV] - High Performance Mode in OCP on RHV - huge pages, CPU and Numa pinning configuration\n1925276 - Double instance create AWS\n1925524 - openshift-jenkins-sync plugin does not scale on OCP 4\n1928668 - Prometheus is collecting metrics for completed pods\n1928816 - When using idrac-virtualmedia, the bios_interface gets set to idrac-wsman\n1928856 - OCP Conformance test fails if MachineSet resource type is not present\n1928942 - [Assisted-4.7] [Minimal-ISO] [Started image download] \"Started image download\" event missing important info: Content-Length: and Content-Disposition filename in both API and UI events\n1932139 - The downstream darwin/amd64 `opm` binary fails to output the version info\n1932323 - CVE-2021-26540 sanitize-html: improper validation of hostnames set by the \"allowedIframeHostnames\" option can lead to bypass hostname whitelist for iframe element\n1932362 - CVE-2021-26539 sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation\n1934443 - Installation of OCP 4.6.13 fails when teaming interface is used with OVNKubernetes\n1936408 - [VMware-LSO] pod re-attach time took more then 60 sec. \n1936919 - AlertmanagerMembersInconsistent fires too quickly, causing serial-test noise\n1937696 - [Assisted-4.7]node/hostnames vs bmh names inconsistency, skipped cluster index in name\n1938282 - [4.9] Kuryr won\u0027t remove LB members on Endpoints object removal\n1939045 - [OCPv4.6] pod to pod communication broken on PFCP procotol over UDP\n1939103 - CVE-2021-28092 nodejs-is-svg: ReDoS via malicious string\n1940059 - [GSS][RFE] Integrate ceph dashboard with OCS\n1941224 - Serial e2e should not complain about the authentication operator going Progressing=True during the \"test RequestHeaders IdP\" test-case\n1942122 - Egress IP iptables rules not added due to iptables: Resource temporarily unavailable\n1942164 - [sig-cluster-lifecycle] cluster upgrade should be fast\n1942657 - ingress operator stays degraded after privateZone fixed in DNS\n1943265 - Negative Memory Utilization for Cluster Compute Resources Dashboard\n1943284 - opm index prune will fail if the working directory does not have write permissions\n1943334 - [ovnkube] node pod should taint NoSchedule on termination; clear on startup\n1943378 - OpenStack machine_controller does not remove boot volumes when reconciler errors\n1946178 - [Assisted-4.7] [Staging][OCS] Cluster validation messages improvements\n1947005 - cluster-monitoring-view role allows to create alert silences\n1947740 - [single-node] \"Failed to watch\" errors in openshift-state-metrics container\n1948089 - openshift-apiserver should not set Available=False APIServicesAvailable on update\n1948090 - Storage should not set Available=False APIServices_Error AWSEBSCSIDriverOperatorCRAvailable on update\n1948603 - Azure CSI driver does not pass e2e-azure-csi tests\n1948607 - vSphere CSI driver does not pass e2e-vsphere-csi tests\n1948720 - Spacing issues in Chinese translations\n1949497 - apiversion is still policy/v1betal when user creates pdb via oc create command\n1949840 - CMO reports unavailable during upgrades\n1950173 - Non-fatal: prometheus.env.yaml: no such file or directory\n1950534 - OPM fails to deprecate bundles\n1951812 - [master] [assisted operator] Assisted Service Postgres crashes msg: \"mkdir: cannot create directory \u0027/var/lib/pgsql/data/userdata\u0027: Permission denied\"\n1952101 - Can\u0027t re-build index if any bundles have been truncated\n1952224 - Some quickly deleted pods are never cleaned up by kubelet after 20m\n1952457 - In k8s 1.21 bump \u0027[sig-node] crictl should be able to run crictl on the node\u0027 test is disabled\n1952737 - [RFE]Users had difficulty distinguishing between \u201c Supported\u201d and \u201cProvided\u201d\n1953063 - Update default AWS instance type in machine-api-operator\n1953113 - HAProxy template doesn\u0027t allow HSTS header to be case insensitive or include spaces\n1953127 - NetworkPolicy tests were mistakenly marked skipped\n1953182 - [Azure disk csi driver] volume expansion failed on filesystem resizing\n1953185 - [Azure disk csi dirver operator] doesn\u0027t use the credential created by CCO\n1953674 - [RFE] Add resize to ovirt CSI driver\n1954869 - Add necessary priority class to marketplace components\n1955192 - ExternalIP feature do not work on ovn-kuberenetes\n1955292 - Describe quota output should show units\n1955435 - \"requestURI\":\"/apis/user.openshift.io/v1/users/kube:admin\" from system:apiserver got code 422\n1955586 - ThanosSidecarUnhealthy will never fire if the sidecar is never healthy. \n1956081 - kube-apiserver setup fail while installing SNO due to port being used\n1956830 - \"oc adm top nodes\" output give negative numbers\n1956836 - AVC denial when setting hostname on GCP using \"set-valid-hostname.sh\" script\n1956879 - authentication errors with \"square/go-jose: error in cryptographic primitive\" are observed in the CI\n1956955 - Services sync causes too many ovn load balancer deletes\n1956989 - In k8s 1.21 bump some sig-network tests are disabled due to being permanently broken on e2e-metal-ipi-ovn-ipv6\n1957498 - cluster-etcd-operator: policy/v1beta1 PodDisruptionBudget is deprecated in v1.21\n1957609 - [aws]Machine tags should have precedence over Infrastructure\n1957634 - prometheus-adapter panics on GetNodeMetrics\n1957761 - SR-IOV daemon set should meet platform requirements for update strategy that have maxUnavailable update of 10 or 33 percent\n1957886 - In k8s 1.21 bump TTLAfterFinished is disabled\n1958107 - SR-IOV network operator pods should not run in best-effort QoS\n1958154 - Custom AWS user tags limit not supported (openshift/api says max=25), install fails when \u003e=10\n1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header\n1958375 - Return IPv6 traffic from the application pod is getting dropped when f5 pod is scaled to more than one. \n1958376 - [IPI on Azure] unable to install IPI PRIVATE OpenShift cluster in Azure due to organization policies\n1958390 - API Services unavailable after upgrade from 4.5.38 to 4.6.27\n1958888 - 4.7.6 -\u003e 4.7.9 upgrade: leader election stuck\n1959200 - failed to configure pod interface: error while waiting on OVS.Interface.external-ids:ovn-installed for pod: timed out while waiting for OVS port binding\n1959290 - openshift-kube-apiserver-operator should not rely on external networking for health check\n1959586 - [master] All resources not being cleaned up after clusterdeployment deletion\n1959798 - DNAT rules for external IP services wrong in ovn-kubernetes\n1959906 - External gateway fails to add duplicate OVN ECMP route\n1959957 - After a channel head is deprecated, the channel still exists in the index, but with no installable content = BAD UX\n1960101 - CNO: exportNetworkFlows accepts invalid TCP/UDP port numbers\n1960152 - Manilacsi becomes degraded even though it is not available with the underlying Openstack\n1960455 - Performance Addon Operator fails to install after catalog source becomes ready\n1960485 - Cannot use DASD at virtio block device when installing RHCOS on KVM\n1960559 - Remove v1beta1 handling code\n1960574 - Managed cluster should ensure SR-IOV pods components have system-* priority class associated\n1960680 - [SCC] openshift-apiserver degraded when a SCC with high priority is created\n1961226 - Can\u0027t ssh too IPA on worker nodes\n1961757 - ovn-kubernetes: Enable ovn-controller lflow-cache limits (memory and/or size)\n1961811 - Creating a configmap for a CA without a trailing newline in source file results in non-working CA verification\n1962344 - [SCALE] ovn-controller running up to 30 second poll intervals due to full recompute\n1962387 - Upgrade from Openshift 4.5 -\u003e 4.6 Results in Orphaned Address sets\n1962414 - ed25519 keys do not work when FIPS is enabled\n1962951 - Can\u0027t enable column diffs in 4.9\n1962957 - [master] Assisted service reports a malformed iso when we fail to download the base iso\n1963027 - Upload qcow2 to PVC too small : \"Error Uploading Data Request fail with status code 400\"\n1963132 - Installer: Remove the word \u0027Northern\u0027 from us-east4 (Ashburn, Northern Virginia, USA) to make it consistent\n1963232 - CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment\n1963943 - For baremetal clusters, the node-\u003eterminal is not available\n1964231 - Client certificate used to contact kubelet is not loaded dynamically\n1964266 - [RFE] add external-resizer side car container\n1964471 - [master] Confusing behavior when multi-node spoke workers present when only controlPlaneAgents specified\n1964482 - Ipv6 IP addresses are not accepted for whitelisting\n1964540 - CAPO: It\u0027s impossible to make port a trunk when it\u0027s defined in `ports` field\n1964591 - [master] ACM/ZTP with Wan emulation fails to start the agent service\n1964623 - [master] File system usage not being logged appropriately\n1964786 - Serial console does not load\n1964902 - NetworkPolicy Ingress rules table shows confusing text in From column\n1964941 - If loading dynamic plugin times out, the UI throws a syntax error\n1965074 - [OVN Kubernetes] ovnkube errors observed on 100 node clusters during uperf testing Fatal error: ofport of patch-br-ex_ip-\u003cnode_ip\u003e.us-east-2.compute.internal-to-br-int has changed from [] to 2\n1965080 - machine-api-operator constantly makes unauthorized AWS calls to DescribeInternetGateways\n1965117 - [master] Post making changes to AgentServiceConfig assisted-service operator is not detecting the change and redeploying assisted-service pod\n1965263 - [volume snapshot] \"oc get volumesnapshotcontent\" should display the volumesnapshot namespace info\n1965365 - Accessibility - Resource and Events filter select options do not move cursor focus into search input on click, inhibits keyboard navigation\n1965562 - recycler-for-nfs-... does not set requests or priorityClassName\n1965930 - NetworkPolicy is not translated in Korean or Chinese\n1965984 - Console Dashboard performance leads to empty visualizations\n1965992 - Gracefully shutdown taking around 6-7 mins (libvirt provider)\n1966129 - [4.9] Openshift Installer| UEFI mode | BM hosts have BIOS halted\n1966480 - Console-operator\u0027s controllers are passed resourceSyncer which is not used (refactoring)\n1966485 - [master] Operator-managed assisted Service doesn\u0027t wait for CVO to finish before reporting back\n1966499 - portworx-operator causes APIRemovedInNextReleaseInUse alert\n1966586 - [Assisted-4.7] [Staging] 200 OK returned when setting invalid Base DNS domain using API\n1967047 - Console overview section shows operators are upgrading even though it is not actually upgrading. \n1967108 - AsyncComponent loader comparison may result in false positive\n1967228 - 503 Error page contains license for a vulnerable release of Bootstrap\n1967316 - Sweep frontend/public folder for i18n\n1967483 - coreos-installer fails to download Ignition (DNS error, failed to lookup address)\n1967516 - Incorrect warning message on network type selection\n1967527 - CPU spikes not captured in Grafana causing issue to understand HPA behavior\n1967621 - Operator fails to install and OLM tries to delete nonexistent catalog pods under openshift-marketplace/redhat-marketplace\n1967658 - OLM: Failure alert message for copied CSV not helpful\n1967695 - managedFields is missing in provisioning-configuration json object\n1967808 - Readiness \"exec\" probes causes zombie process on certain container images\n1967885 - Creating a VM from the UI on OKD 4.7 fails with \"the API version in the data (kubevirt/v1) does not match the expected API version (kubevirt/v1alpha3)\"\n1967934 - Hide input box of add capacity modal for attached devices mode\n1967956 - [master] Assisted-service deployed on an IPv6 cluster installed with proxy: agentclusterinstall shows error pulling an image from quay. \n1967979 - Masthead dropdowns options are not accessible via the keyboard\n1968043 - [master] backend events generated with wrong namespace for agent\n1968124 - [master] [doc] \"Mirror Registry Configuration\" doc section needs clarification of functionality and limitations\n1968125 - [master] [DOCS] AgentServiceConfig examples in operator.md doc should each contain databaseStorage + filesystemStorage\n1968324 - [master] Unclear message in case of missing clusterImageSet\n1968336 - [master] missing role in agent CRD\n1968404 - [master] Wrong Install-config override documentation\n1968406 - [master] Misleading error in case of install-config override bad input\n1968423 - [master] CR finalizers block resource deletions if the assisted-service POD is not available\n1968425 - [master] AgentLabelSelector is required yet not supported\n1968448 - [master] KubeAPI CVO progress is not available on CR/conditions only in events. \n1968525 - Warning: Encountered two children with the same key in Operator Details page\n1968552 - [master] BMAC should wait for an ISO to exist for 1 minute before using it\n1968569 - Creating a network policy in OVN-Kubernetes can be very inefficient. \n1968570 - [master] Misleading error when ClusterImageSet specifies OpenShift version lower than 4.8\n1968572 - Assisted Service does not escape backslash characters on public SSH keys\n1969324 - [master] Remove Agent CRD Status fields not needed\n1969371 - [AWS] destroyer tried to search resources in other china region. \n1969374 - [OSP] Document how to update domain for image registry in version \u003c4.8\n1969391 - [master] infra-env condition message isn\u0027t informative in case of missing pull secret\n1969404 - revert \"force cert rotation every couple days for development\" in 4.9\n1969471 - HAProxy tests in sdn-network-stress job are flaky\n1969477 - [master] Assisted service times out on GetNextSteps due to `oc adm release info` taking too long\n1969494 - [master] no indication for missing debugInfo in AgentClusterInstall\n1969546 - OLM: Scroll shadow in wrong position in operator details modal\n1969547 - [master] SNO with AI/operator - kubeconfig secret is not created until the spoke is deployed\n1969719 - vsphere-problem-detector cannot connect to vCenter API over https\n1969761 - sriov webhook not worked when upgrade from 4.7 to 4.8\n1969766 - [master] Empty cluster name on handleEnsureISOErrors log after applying InfraEnv.yaml\n1969796 - [master] Updating configmap within AgentServiceConfig is not logged properly\n1969902 - OLM fails with \u0027ResolutionFailed\u0027 found more than one head for channel\n1969989 - KMS connection details for new storageclass can not be changed in StorageClass creation form after 9 connection details are stored in csi-kms-connection-details configmap\n1969998 - [OCP 4.9 tracker] kubelet service fail to load EnvironmentFile due to SELinux denial\n1970011 - \u201cmanaged by\u201d link goes to the incorrect URL (unlike the correct ownerRef link)\n1970063 - [master] AgentServiceConfig mirror registry requires both ca-bundle.crt and registries.conf\n1970129 - OVS logging in must gather is missing previous logging levels\n1970147 - Weak Cipher in openshift-monitoring\n1970179 - [4.9] Bootimage bump tracker\n1970261 - [master] Add State and StateInfo to DebugInfo in ACI and Agent CRDs\n1970270 - [master] Add ProgressInfo to Agent and AgentClusterInstalll CRDs\n1970315 - 4.7 -\u003e 4.8 upgrades fail on \"[sig-network] pods should successfully create sandboxes by other\" for pods which eventually start\n1970332 - Page disappears while creating Storage Class for rbd provisioner via UI\n1970421 - CVO does not provide a good enough reason to why an upgrade payload pull failed\n1970437 - [oVirt] Add guaranteed memory field to oVirt Machine Object\n1970466 - Console\u0027s OperatorHub leads users to unrelated install plan, if subscription does not have its own\n1970604 - Add IDP menu items are not translated\n1970910 - Uninstalling kube-descheduler clusterkubedescheduleroperator.4.6.0-202106010807.p0.git.5db84c5 removes some clusterrolebindings\n1970962 - Exception inside the Jenkins Master pod\n1970980 - Remove usage of i18nKey\n1970985 - periodic ci-4.8-upgrade-from-stable-4.7-e2e-*-ovn-upgrade are permafailing on service/ingress disruption\n1971032 - Add Sprint 202 Round 2 translations\n1971046 - apiserver stops responding during an e2e run (non-graceful shutdown) on GCP\n1971162 - Installation failed by enabling OCS from AI because of Virtual_Floppy as HDD listed in UI\n1971207 - installer only created one worker node and the install failed\n1971332 - oc new-build command does not pick automatic source clone secret in OpenShift 4.7\n1971499 - Should not show getting started links when add page customization disabled these entries\n1971518 - Cluster deletion misses trunk ports and loop over until timeout\n1971532 - Admin project list should not use internal ids as link titles\n1971537 - Support cgroups v2 (Podman on Fedora 31+)\n1971544 - Event sources in Developer console lists also action and sink kamelets\n1971602 - e2e-metal-ipi-upgrade for 4.7 to 4.8 is permafailing\n1971624 - [release-4.9] kube-apiserver failed to load SNI cert and key\n1971640 - [master] InfraEnv controller should always requeue for backend response HTTP StatusConflict (code 409)\n1971690 - Remove \"unsupported\" tag from ARM 64 oc binary in console\n1971715 - [OCP 4.7] \"configure-ovs.sh\" leaves static ip in old interface\n1971738 - Keep /boot RW when kdump is enabled\n1971808 - New `local-with-fallback` service annotation does not preserve source IP\n1971899 - The ciphers in theTLS profiles for the kubelet, the `oc explain` output don\u0027t match the kubelet.conf file\n1972003 - Get invalid date when edit custom time range on monitoring dashboards\n1972009 - [REF]Image registry pullthough should support pull image from the mirror registry with auth via imagecontentsourcepolicy\n1972011 - Dashboards display different time range when drag\u0026drop on the first dashboard\n1972016 - Set a specific time range, but Dashboards display data with a different time range\n1972028 - Upgrade is failed when upgrade SNO cluster on gcp platform\n1972060 - typo in operators available\n1972096 - [master] Domain dummy.com (not belonging to Red Hat) is being used in a default configuration\n1972131 - ironic-static-ip-manager container still uses 4.7 base image\n1972272 - [master] \"baremetalhost.metal3.io/detached\" uses boolean value where string is expected\n1972287 - [mlx5] traffic from Node port is not offloaded\n1972351 - Bump jenkins version to 2.289.1\n1972374 - Adopt failure can trigger deprovisioning\n1972383 - Using bound SA tokens causes causes failures to /apis/authorization.openshift.io/v1/clusterrolebindings\n1972393 - PDB PUT /status is 1/6th of total write load on busy cluster continuously (should be 1/100 or so)\n1972514 - add check for accessing traffic from status in ksvc\n1972524 - bootstrap vm does not get right configuration for dhcp6\n1972525 - [master] clusterDeployments controller should send an event to InfraEnv for backend cluster registration\n1972572 - Ironic rhcos downloader re-downloads same image in upgrade process from 4.7 to 4.8\n1972582 - [oVirt] Installing with an oVirt network with 2 vnics on the same network causes the installer to not create tfvars and fail with terraform error\n1972598 - [master] Install retry per recreating ACI, BMH error status is not cleared\n1972678 - Requirements for authenticating kernel modules with X.509\n1972682 - DPDK KNI modules need some additional tools\n1972684 - [Feature:IPv6DualStack] tests are failing in dualstack\n1972747 - Allow Cluster-api-provider-ovirt using auto pinning new namings\n1972753 - ironic hardware inspection failed due to NewConnectionError causes bm nodes stuck\n1972776 - improve dual-stack install-config validation\n1972777 - Unable to edit the default Health check probe values\n1972829 - Upgrade tests should fail when ingress is disrupted\n1972966 - Virtualization is not available in Home Overview\n1972968 - \"Add Disk\" button should be disabled in common template disks tab\n1972977 - The removed ingresscontrollers should not be counted in ingress_controller_conditions metrics\n1973005 - authentication operator degraded during 4.7.16 update\n1973065 - Editing a Deployment drops annotations\n1973076 - [oVirt] CSI driver is not waiting for disk to be OK on creation\n1973147 - KubePersistentVolumeFillingUp - False Alert firing for PVCs with volumeMode as block. \n1973154 - RHCOS-shipped stalld systemd units do not use SCHED_FIFO to run stalld. \n1973160 - Monitoring UI disappear when we query a string\n1973200 - remove kubevirt images and references\n1973215 - [OVN] EgressIP no longer worked after a cluster upgrade\n1973314 - [4.9] Openshift Installer| UEFI mode | BM hosts have BIOS halted\n1973315 - [master] Updating ISO URL does not create a correct log entry\n1973318 - Image pruner does not use custom tolerations\n1973333 - Investigate why strings removed in English files are showing up in langauge files\n1973336 - Verify \"Only {volumeMode} volume mode is available for {storageClass} with {accessMode} access mode\" displays correctly\n1973338 - Fix punctuation in string\n1973340 - Add Sprint 203 translations\n1973423 - Several operators degraded because Failed to create pod sandbox when installing an sts cluster\n1973482 - 4.8.0.rc0 upgrade hung, stuck on DNS clusteroperator progressing\n1973491 - Node exporter veth optimizations do not work if the network type is OVN\n1973525 - machine-config-operator: remove runlevel from kni-infra namespace\n1973565 - Dynamic plugin routes should be evaluated before static plugin routes\n1973567 - Autoscaler log report error \u201cFailed to watch *v1.CSIDriver\u201d\n1973576 - only show annotations.summary field on thanos-ruler Alerts page\n1973582 - [upgrade from 4.5 to 4.6] .status.connectionState.address of catsrc certified-operators is not correct\n1973643 - oc logs doesn\u0027t work with piepeline builds\n1973679 - fix ovn-kubernetes NetworkPolicy 4.7-\u003e4.8 upgrade issue\n1973724 - metal3 Pod cannot download RHCOS images using the provisioning network anymore\n1973813 - NodePorts do not work on RHEL 7.9 workers (was \"4.7 -\u003e 4.8 upgrade is stuck at Ingress operator Degraded with rhel 7.9 workers\")\n1974077 - [Assisted-4.8] [Staging][Network Latency] Improve validation message: host with IP not found in inventory\n1974083 - [RFE] When branding is not redhat, no need to explicitly mark community support. \n1974085 - [Assisted-4.8] [Staging][Network Latency] Worker host IP appear in master validation message\n1974237 - 4.7 -\u003e 4.8 upgrades on AWS take longer than expected\n1974277 - Tuned net plugin fails to handle net devices with n/a value for a channel\n1974312 - linuxptp-daemon: remove not needed run-level 1 label\n1974338 - [OCP4.7] maven image doesn\u0027t use JAVA_HOME env variable\n1974350 - LB endpoint for API becomes unavailable briefly during openshift test suite\n1974364 - [must-gather] ovs/ovn database should be exported or dumped, not compacted and copied\n1974403 - OVN-Kube Node race occasionally leads to invalid pod IP\n1974411 - Installation with multipath parameters in parmfile fails (DNS resolution missing)\n1974429 - Requirements for nvidia GPU driver container for driver toolkit\n1974453 - coreos-installer failing Execshield\n1974501 - [master] Assisted Service Operator should be Infrastructure Operator for Red Hat OpenShift\n1974520 - [release-4.9] CI update from 4.7 to 4.8 sticks on: EncryptionMigrationController_Error: EncryptionMigrationControllerDegraded: etcdserver: request timed out\n1974567 - vertical-pod-autoscaler-operator: remove runlevel from namespace manual install\n1974598 - Sub-optimal cluster destroy strategy\n1974603 - clusteroperators table output does omit condition messages\n1974611 - In template list, the boot source provider column should be named boot source\n1974640 - When installing on AWS, AWS_SHARED_CREDENTIALS_FILE is only obeyed for reading and not for writing credentials\n1974651 - dockerv1client tests fail due to unavailability of v1 API on registry-1.docker.io\n1974689 - In customize create vm wizard, a warning \"no registred model\"\n1974716 - Using bound SA tokens causes fail to query cluster resource especially in a sts cluster\n1974755 - Status defaults were not internationalized\n1974758 - aws-serial jobs are failing with false-positive MachineWithNoRunningPhase firing or pending\n1974830 - KubeDeploymentReplicasMismatch alert will never fire\n1974832 - The monitoring stack should alert when 2 Prometheus pods are scheduled on the same node\n1974839 - CVE-2021-29059 nodejs-is-svg: Regular expression denial of service if the application is provided and checks a crafted invalid SVG string\n1974967 - Prometheus Memory Usage 50-100% higher on 4.8+ OVN when under load\n1974973 - ci-operator cannot import an s390x or a non-amd64 OCP release image\n1975016 - OpenStack credentials for Kuryr Controller should be stored in a secret\n1975038 - Cannot delete user created vm template\n1975042 - Cannot customize windows template boot source\n1975133 - Sync ironic containers with latest ironic code\n1975157 - (release-4.9) records data size is incorrectly growing when obfuscation is enabled or when there are duplicated records\n1975218 - [master] KubeAPI Move conditions consts to CRD types\n1975232 - VM Create YAML page 404 error\n1975283 - gcp-realtime: e2e test failing [sig-storage] Multi-AZ Cluster Volumes should only be allowed to provision PDs in zones where nodes exist [Suite:openshift/conformance/parallel] [Suite:k8s]\n1975296 - machinehealthcheck controller does not consider nodes that still have the external remediation annotation\n1975359 - [master] timeout on kubeAPI subsystem test: SNO full install and validate MetaData\n1975379 - Console pods are scheduled on single master node\n1975383 - No NTP sources defined in a cluster after assisted installation\n1975391 - Install Operator description iframe shows double scrollbars when the browser sized is narrowed. \n1975392 - Console and downloads pods should have more specific anti-affinity label selectors\n1975475 - [aws] terraform may fail when the bootstrap instance profile is not ready\n1975478 - CRD extensions.ConsoleNotification CRD.displays YAML editor for modifying the location of ConsoleNotification instance\n1975491 - [Assisted-4.8] [Staging][Network latency] host_requirements api should contain network thresholds\n1975529 - Production logs are spammed on \"Validate Requirements status All host roles must be assigned to enable CNV.\"\n1975539 - [ImageStreams] Remove stale cruft installed by CVO in earlier releases\n1975542 - [Insights] Remove stale cruft installed by CVO in earlier releases\n1975683 - baremetal-operator fails to build\n1975696 - compareOwnerReference should not accept a reference\n1975714 - Missing policy-group label on the openshift-console namespace manifest\n1975715 - Monitoring dashboard \u0027Logging/Elasticsearch\u0027 isn\u0027t accessible on OCP 4.8. \n1975779 - image pull keeps failing on upgrade\n1975805 - [4.8.0] Install retry per recreating ACI, BMH error status is not cleared\n1975820 - There are plugins remained after uninstall operator with multiple plugins enabled\n1975824 - Alert InstallPlanStepAppliedWithWarnings does not resolve\n1975825 - [v4.8] The `oc compliance fetch-raw` is unable to process results from suite: unexpected EOF\n1975831 - Crio is using large amounts of node resources\n1975913 - Unable to uncheck the optional workspace checkbox in pipeline builder\n1975947 - Add egress ips to anonymizer\n1976016 - Azure: Destroy cluster eventually fails when trying to delete a cluster while other resources (not related to the cluster) are present in the resource group\n1976072 - Operand details page doesn\u0027t render correct format when x-descriptor path has None value\n1976112 - batch/v1beta1 CronJob warning appears in image pruner pod when image registry is removed\n1976125 - [BM][IPI] redfish inspect fails on nodes with nics where mac=\"\": Expected a MAC address but received . \n1976215 - Removed egressIP still shows as EXTERNAL_IP in the NorthBound DB. \n1976217 - Chart empty state card different height than other cards on Metrics tab\n1976243 - OLM operator index pod for Performance Addon Operator is missing Workload Partitioning Annotation\n1976307 - CVO missing ImageStreams manifest delete annotation logic\n1976326 - CI failing on firing CertifiedOperatorsCatalogError due to slow livenessProbe responses\n1976373 - disable jenkins client plugin test whose Jenkinsfile references master branch openshift/origin artifacts\n1976379 - CVO pod skipped by workload partitioning with incorrect error stating cluster is not SNO\n1976753 - [sig-devex][Feature:Jenkins][Slow] Jenkins repos e2e openshift using slow openshift pipeline build Sync plugin tests using the ephemeral template expand_more\n1976775 - Problematic Deployment creates infinite number Replicasets causing etcd to reach quota limit\n1976776 - [master] Change agent\u0027s ReadyForInstallation condition into RequirementsMet\n1976939 - Interacting with CatalogSource page.Interacting with CatalogSource page renders details about the redhat-operators catalog source\n1976983 - [master] [assisted operator][docs] Setting automatedCleaningMode: metadata in BMH is overridden to disabled\n1977027 - [oauth-apiserver] Remove stale cruft installed by CVO in earlier releases\n1977037 - VNC console stays in Connecting state. \n1977054 - [4.9] Unable to authenticate against IDP after upgrade to 4.8-rc.1\n1977097 - build cleanup test failing on release-openshift-origin-installer-old-rhcos-e2e-aws-4.7\n1977129 - openshift-installer: remove runlevel from openshift-kubevirt-infra namespace\n1977279 - When applying the gateway annotation to a gateway pod or to a namespace, the per pod SNAT is not removed\n1977330 - Single stack external gateway makes the pod not starting with dual stack clusters\n1977346 - Fix obfuscation translation table secret 4.9\n1977354 - [master] KUBE-API: Support move agent to different cluster in the same namespace\n1977369 - vSphere Machines stuck in deleting phase if associated Node object is deleted\n1977377 - [master] Add columns to the Agent CRD list\n1977389 - Manila CSI driver is not in must-gather\n1977435 - SNO - monitoring operator is not available cause failed: waiting for Alertmanager openshift-monitoring/main\n1977444 - KubeAPI docs: Add a getting started guide\n1977449 - [master] Fix flaky test: invalid NMState config YAML\n1977454 - builds: e2e-proxy tests fail due to Redis security protections\n1977595 - pseudo translation missing on OperatorHub page\n1977655 - localization issue for volume mode tooltip message\n1977753 - (release-4.9] Gather all MachineConfig definitions\n1977807 - Prometheus PV is corrupted during CSI migration tests\n1977884 - Upgrade from 4.8.0-rc.0 to 4.9.0-0.nightly-2021-06-24-073147 failing with multiple errors\n1977920 - Pod fails to run when a custom SCC with a specific set of volumes is used\n1977936 - OCS deployment using Multus: UI allows StorageCluster creation with empty public and cluster network in \"Internal - Attached Devices\" mode\n1977972 - Kernel version in /etc/driver-toolkit-release.json not including architecture\n1977981 - [External Mode] OpenShift Container Storage Overview does not display any dashboard by default unless specific tab is clicked\n1978091 - Cluster Utilization item Network transfer shows \u0027No datapoints found\u0027\n1978137 - ovnkube-trace requires iproute to be installed in the pod\n1978144 - CVE-2021-32690 helm: information disclosure vulnerability\n1978193 - htpasswd provider for auth is not working as expected and give 401 error when user try to login\n1978200 - RHEL 6 template should not be starred by default\n1978202 - RHEL 6 template is tagged as \"community\"\n1978213 - OpenStack quota checks inexact when using Kuryr\n1978222 - User Management / Users: seeing \"Add IdP\" button although IdP exists\n1978225 - User Management / Users: no progress visible suggesting that IdPs are not instant after configuration\n1978268 - Exec probes fail clusterwide after upgrade to cri-o-1.19.2-4.rhaos4.6.git4f7cb5e.el7.x86_64\n1978310 - OLM dependencies not fixing version\n1978338 - \"Prometheus metrics should be available after an upgrade\" is panicking\n1978340 - packageserver isn\u0027t following the OpenShift HA conventions\n1978352 - [master] Add machine network cidr to cluster status\n1978376 - Should not allow upgrades to 4.9 without admin acknowledgement that apis are being removed\n1978403 - Add Sprint 203 Round 2 translations\n1978416 - Convert TFunction to Trans component\n1978421 - String updates (typos, etc.)\n1978425 - Consolidate namespaces in console-app and console-shared plugins\n1978429 - Typos in Pipelines Plugin strings\n1978435 - SR-IOV doesn\u0027t show up in operatorhub for ppc64le\n1978627 - When mount source with a long unexist name, the build keeps pending with unclear message\n1978629 - [RFE]\u0027oc describe build|buildconfig\u0027 should show mount souce info when add Secret Volume Mounts to buildconfig\n1978649 - Object Service tab should not be part of OCP Console for ODF Managed Services\n1978662 - monitoring operator needs to indicate non-durable data\n1978691 - [4.9.0] OPENSHIFT_VERSIONS env var overrides AgentServiceConfig osImages: values\n1978724 - Binary secret data isn\u0027t properly uploaded by ui\n1978739 - [master] Provisioning SNOs bmh is stuck in ready state\n1978749 - CVO doesn\u0027t honor noProxy while contacting Cincinnati endpoint\n1978774 - Cluster-version operator loads proxy config from spec, not status\n1978797 - external gateway pod deletes may not clean up ECMP routes\n1978829 - ClusterMonitoringOperatorReconciliationErrors is firing during upgrades and should not be\n1979009 - Change log message about EFI not being supported in assisted-installer\n1979038 - Installation logs are not gathered from OCP Control planes nodes\n1979114 - Cannot create vm from \u0027With YAML\u0027 on CNV 2.6.5 + OCP 4.8\n1979116 - Cannot create vm from customize wizard on CNV 2.6.5 + OCP 4.8\n1979169 - [docs] Unclear docs in automatedCleaningMode\n1979190 - Cannot get guest information on CNV 2.6.5 + OCP 4.8\n1979297 - SystemExceedsMemoryReservation prometheusRule manages wrongly hugepage reservation\n1979300 - Upgrading from 4.7.11 to 4.8.0: Saw HybridOverlay logical router policies getting created without any existing hybridoverlay configuration\n1979352 - Tuned affining containers to house keeping cpus\n1979506 - The earlier version bundles that generated by pkgman-to-bundle won\u0027t be installed success\n1979544 - olm Operator is in CrashLoopBackOff state with error \"couldn\u0027t cleanup cross-namespace ownerreferences\"\n1979571 - Process is not terminated in pod terminal in UI. \n1979620 - Applying an OLM descriptor to a deeply nested child property then doing the same for a parent property will cause the descriptor for the child to be removed. \n1979738 - driver-toolkit gcc install unable to download extract-vmlinux script in ART builds\n1979822 - mdns-publisher pods are crashing and restarting often. \n1979996 - Dashboards do not support automatic unit transformation for time\n1980029 - CI: openstacksdk 0.53 breaks UPI jobs\n1980118 - Cannot launch debug container for pods in management workload partition\n1980135 - On an IPv6 single stack cluster traffic between master nodes is sent via default gw instead of local subnet\n1980187 - [sig-operator] an end user can use OLM can subscribe to the operator failing frequently\n1980235 - OAuth proxy version is displayed should be removed. \n1980257 - \u0027You are logged in as a temporary administrative user.\u0027 banner is shown for kubeadmin user with crc\n1980357 - Getting the alert \"V4SubnetAllocationThresholdExceeded\" in newly installed cluster, Where subnet allocation is not more then 80%\n1980364 - CI not working because Dockerfile references an ImageStream resource which isn\u0027t compatible with OLM\n1980465 - etcd warning logs misleading\n1980531 - additionalHelpActions \u0027HelpMenu\u0027 ConsoleLinks not translated\n1980548 - Not all plugins\u0027 locales folders are listed in webpack.config.ts\n1980658 - metal-ipi jobs are failing because of api server connection errors\n1980679 - On a Azure IPI installation MCO fails to create new nodes\n1980704 - Web console doesn\u0027t list all the registries credentials in a secret\n1980753 - 4.7 minimal iso fails to boot\n1980781 - NTO-shipped stalld can segfault\n1980844 - The SystemMemoryExceedsReserved alert released in 4.6 seems to trigger on many clusters under load (default increase if possible?)\n1980888 - Thanos querier probes are timing out\n1980930 - Machine-api-operator is going through leader election even when API rollout takes ~60 sec in SNO\n1981055 - ovn-kubernetes-master need to handle 60 seconds downtime of API server gracefully in SNO\n1981090 - [IPI baremetal] \u0027Failed to get the sockets from the old process\u0027 error is reported in haproxy logs following haproxy reload\n1981272 - When deleting PVC inside PVC page the status in the heading doesn\u0027t match the status field\n1981399 - protractor tests are not able to run on release-4.8 and master\n1981417 - Change OCM links from cloud. to console.redhat.com\n1981425 - Update jenkins to 2.289.2\n1981465 - Assisted installer wait for ready nodes on bootstrap kube-apiserver though it moved to one of the other masters\n1981477 - Unable to attach Vsphere volume shows the error \"failed to get canonical path\"\n1981498 - enhance service-ca injection\n1981550 - AWS Elastic IP permissions are incorrectly required\n1981639 - Imageregistry bumps out N+1 pods when set replicas to N(N\u003e2) and Y(=workers number) pods are scheduled to different workers, the left pods will keep pending\n1981832 - OLM fails with \u0027ResolutionFailed\u0027 found multiple channel heads\n1981936 - openshift/builder base images inconsistent with ART\n1981957 - Sync plugin v1.0.47 takes a very long time to pick up new builds\n1981975 - Master Machine Config Pool degraded at install time\n1981999 - [4.9] Bootimage bump tracker\n1982046 - CVO gets stuck on resource deletion progress after re-creating the deleted resource\n1982052 - [vsphere][upi] OVN vmxnet3 allmulti workaround doesn\u0027t apply when vmxnet3 is bonded\n1982079 - Resource usage measurement data display the concatenation of English and translation sentence fragments in Cluster utilization of Home-\u003eOvewview when moving the mouse over each resource usage chart\n1982090 - Top consumers filter dropdown list is inconsistent with the translation of left menu when click usage data in each Cluster utilization row\n1982150 - Add a TechPreviewBadge for Multus\n1982153 - Accessibility (and cypress test) issue with empty category on Operator Hub page\n1982170 - (release-4.9] Operator operation is not set when updating status\n1982274 - OLM should block the OCP 4.8 upgrade to 4.9 when the operator installed with `olm.openShiftMaxVersion` annotation\n1982300 - vsphere-problem-detector not showing wrong credentials event/alert on OCP Console\n1982376 - Remove PatternFly override fixes now that upstream version include the fix\n1982653 - Observe - Alerting - Create silence : time period values are in English\n1982659 - Workloads - Jobs : \u0027Type\u0027 column\u0027s Value \u0027Non-parallel\u0027 is in English\n1982680 - Abort signal is ignored when using safe-k8s-hook.tsx\n1982682 - Namespace is not properly passed to k8sCreate\n1982692 - Serverless - Eventing - Event Sources - Move sink: incomprehensible japanese sentence\n1982727 - Serverless - Eventing - Brokers - Add Trigger : i18n misses\n1982736 - Serverless - Eventing - Channels - Add Subscription : appearing Partial translation for fully translated text\n1982751 - Serverless - Eventing - Subscriptions - Move Subscription : appearing partial translation\n1982765 - Networking - Services - Edit Pod Selector : An incomprehensible Japanese sentence\n1982766 - [on-prem] Make ingress keepalived check more tolerant to failures\n1982776 - Namespaces - RoleBindings - Edit ClusterRoleBinding subject : An incomprehensible Japanese translation\n1982781 - \"opm index rm\" doesn\u0027t remove deprecated bundles\n1982868 - 4.8 ManagementCPUsOverride admission plugin blocks 4.7 deployments on empty topology\n1982997 - Page header tools - Import YAML : i18n misses\n1983032 - User Management - Users - Impersonate User : i18n misses\n1983091 - Logic for getting default pull secret incorrect on project page\n1983190 - SNO deployment on HPE e910 blades fails because the node always boots from virtualmedia\n1983205 - StatefulSet fails to deploy with error Readiness Probe exec failed open /dev/tty failure no such address when .spec.tty is set to true [OCP 4.6.34]\n1983220 - A second scroll bar appears on the Node/Pod terminal page when resizing vertically\n1983412 - [Assisted-4.8] [Integration][Network validations] \"unable to unmarshall host\" and \"unexpected end of JSON input\" errors when booting nodes\n1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic\n1983612 - When using boot-from-volume \"image\", InstanceCreate leaks volumes in case machine-controller is rebooted\n1983673 - opm may prune bundles from the input\n1983693 - Import from YAML shows warning when just pressing enter\n1983707 - Import from YAML breaks console when three dash separator at the end\n1983788 - Kubelet may start running before CRI-O\n1983933 - [oVirt] CSI expansion should work in offline mode\n1983975 - BMO fails to start with port conflict\n1984030 - Reduce CPU overhead for ignore-listed NICs\n1984031 - Create Silence form\u0027s \"Created by\" field is not populated after refreshing the page\n1984047 - insight-operator logs a panic when shutdown, triggering panic detections in CI jobs\n1984049 - Slow OVN Recovery on SNO\n1984156 - Add sprint 204 translations\n1984297 - There are spaces before VM description\n1984365 - Dashboard Prometheus/Overview can\u0027t filter instance by job\n1984414 - Excessive resource diff logging during updates\n1984449 - [4.9] drop-icmp pod blocks direct SSH access to cluster nodes\n1984481 - machine-api couldn\u0027t reconcile VMs with OVNKubernetes network type\n1984538 - The openshift-operators namespace should not contain the openshift.io/cluster-monitoring namespace label\n1984576 - PROVISIONING_INTERFACE missing from metal3 pod\n1984582 - Metal IPI jobs are failing a high percentage of the time\n1984608 - kube-scheduler needs to handle 60 seconds downtime of API server gracefully in SNO\n1984635 - openshift-config-operator needs to handle 60 seconds downtime of API server gracefully in SNO\n1984644 - openshift-service-ca-operator needs to handle 60 seconds downtime of API server gracefully in SNO\n1984683 - sdn-controller needs to handle 60 seconds downtime of API server gracefully in SNO\n1984736 - [master] ClusterDeployment controller watches all Secrets from all namespaces\n1984807 - Move tooltip \u0027Restore is only enabled for offline virtual machine\u0027 to the button when it\u0027s disabled\n1984942 - ApplyClusterRoleBinding triggers boundsError when adding new subject\n1984954 - Normal user cannot create VM because it cannot access v2v-vmware configmap\n1985033 - [OVN] [cluster network operator] Provide the option to configure probe intervals\n1985080 - Downloaded log file (All task logs) contains logs of all taskrun in a single line\n1985082 - namespace of monitoring rbac rules should not be hardcoded\n1985125 - OperatorGroup status is not updated when it has cardinality conflits when targetNamespace is used\n1985161 - Some localization issues\n1985164 - Regular user cannot restore VM snapshot\n1985197 - production builds doesn\u0027t load some locales successfully\n1985336 - OpenShift SDN doesn\u0027t add NOTRACK rule to raw iptables table to prevent vxlan from reaching conntrack\n1985366 - CCCMO using unregistered host ports\n1985391 - Cluster Proxy not used during installation on OSP\n1985447 - KubeAPIErrorBudgetBurn Missing namespace label\n1985449 - [Assisted-4.8 ][SaaS] error raised \"unable to unmarshal connectivity report for host ID xxxx:unexpected end of JSON input\" in Assisted Service Pod log\n1985483 - Cleaning a BMH deployed using live ISO results in a TLS failure\n1985512 - allow-from-router feature doesn\u0027t work on v6 only single stack cluster\n1985697 - package-server-manager needs to handle 60 seconds downtime of API server gracefully in SNO\n1985711 - Registry image input isn\u0027t trimming at the start of input\n1985721 - Pencil button is missing at Scheduling and resources requirements fields\n1985737 - VM Details page , boot order is missing pencil edit button\n1985773 - ptp4l crash when BC is configured\n1985795 - OCPonRHV: pvc stuck on pending status when using preallocated storage domain\n1985802 - cluster-version-operator needs to handle 60 seconds downtime of API server gracefully in SNO\n1985846 - Adding ebs type \"gp3\" when create storage class from web console\n1985850 - Update default value of volumeBindingMode from Immediate to WaitForFirstConsumer when create storageclass from web console\n1985852 - The vmware-vsphere-csi-driver-webhook pod runs as \u201cBestEffort\u201d qosClass\n1985895 - Order by \u0027Latest version\u0027 doesn\u0027t work on CustomResourceDefinitions list page\n1985948 - [e2e]sysprep, ssh, tests fail from time to time\n1985960 - oVirt 4.8 tests are failing on resize\n1985997 - kube-apiserver in SNO must not brick the cluster when a config observer outputs invalid data that would eventually converge towards a running system in HA setup\n1985998 - Re-enable 50 tests related to CSI failures\n1986001 - Enable back `ResourceQuota should create a ResourceQuota and capture the life of a service`\n1986003 - Bump to latest available 1.22.x k8s\n1986061 - cluster network operator deploys a service monitor which is never picked up by cluster monitoring operator\n1986090 - Cannot delete ClusterAutoscaler CR with foreground deletion\n1986127 - UI crash when installing helm chart or right click installed chart in topology\n1986129 - OpenShift web console not deployed after installing OCP 4.8.2 using single-node-developer profile\n1986139 - The marketplace operator default catalogs need to use the v4.9 tags\n1986148 - Bump API for Ingress RequiredHSTSPolicies field\n1986174 - SRO should be able to read a complete chart form a ConfigMap. \n1986215 - cluster-storage-operator needs to handle API server downtime gracefully in SNO\n1986225 - [e2e][automation] add tests for vm snapshot feature\n1986228 - Create e2e test for HSTS Feature\n1986238 - Supermicro X12 fails to provision using Redfish BM HW Provisioning\n1986243 - delete user-workload-monitoring-config configmap, can not find user metrics although no setting for enforcedTargetLimit\n1986253 - Automation of Application groupings in topology\n1986297 - Windows guest tool is always mounted even it\u0027s unchecked\n1986306 - Enable back `[sig-cli] Kubectl client kubectl wait should ignore not found error with --for=delete`\n1986307 - Enable back Feature:UDPConnectivity and NetworkPolicy tests\n1986309 - Update ironic-agent container with latest bugfix code\n1986311 - SRO crash when a incorrect chart is applied\n1986322 - Update ironic container with latest bugfix code\n1986324 - Update ironic-ipa-downloader container with latest bugfix code\n1986375 - Avoid CMO being degraded when some nodes aren\u0027t available\n1986389 - Textarea inside modal can be resized to larger width than modal\n1986392 - Kubelet can\u0027t find Node after upgrade to external CCM on AWS/OpenStack\n1986408 - Add NE-310 HSTS to 4.9\n1986418 - kube-storage-version-migrator-operator needs to handle API server downtime gracefully in SNO\n1986419 - aws-efs-csi-driver-operator CSV has upstream image references\n1986420 - IPI of private cluster on GCP failed due to variable \"cluster_public_ip\" is not set\n1986426 - Fix failing request on creating an ibm flash system via odf wizard\n1986427 - rebase d/s metallb-operator to pickup AddressPool update fix and CI enhancements\n1986437 - Bump openshift/api to support ExternalCloudProvider featuregate\n1986440 - Bump OVN to ovn21.09-21.09.0-9.el8fdp\n1986443 - OVN-kube master may report errors for \"transaction failed\" when creating logical ports\n1986452 - Increase in RSS memory in CRI-O\n1986453 - EUS Control loop to check for API server and node versions skew\n1986462 - Bug in cluster-baremetal-operator when PreProvisioningOSDownloadURLs are specified in addition to ProvisioningOSDownloadURL\n1986464 - Registry pull secret should be sent as base64 string\n1986474 - vsphere-syncer build is failing\n1986477 - cluster-node-tuning-operator needs to handle API server downtime gracefully in SNO\n1986493 - Upload jar files: Java commands are JAVA_ARGS not the purported container command\n1986495 - Missing translation in the Edit deployment form\n1986501 - Fix bundle image for efs operator\n1986540 - Cluster Proxy not used during installation on OSP\n1986560 - etcd-operator needs to handle API server downtime gracefully in SNO\n1986562 - lastTriggeredImageId is populated in BuildConfig spec\n1986565 - [OCP48][WebUI] \"How to seal boot source for template usage\" link points to /foo\n1986575 - Add e2e tests for haproxy timeout variables\n1986631 - BuildConfig Environment tab: different errors when the form is not filled completely\n1986632 - App Name \u0026 Name Values are not getting auto-populated for Deploy Image page in internal image registry\n1986650 - Cypress: Globally installs Service Binding Operator operator fails at \"Create Operand\" step\n1986654 - [OCP4.9 Bug] Auto cleaning step in Prepare stage failed\n1986656 - [OCP4.9 Bug] Ironic node enters the clean failed state when the target node doesn\u0027t have a RAID controller. \n1986676 - React Unique key warnings in pipelines and pipeline run details page\n1986680 - [knative][flake] Fail to set traffic distribution due to \"object has been modified\" error\n1986685 - panic when opm alpha diff\n1986699 - we should take catalogsource into considering when showing Installed tile in OperatorHub catalog\n1986704 - missing translation for Kafka Connections nav option\n1986707 - CVO log \"resource has already been removed\" is confusing in a fresh install\n1986729 - Event source Sink is not marked as required in create form\n1986735 - Monitoring chart range selection does not work on Firefox\n1986754 - In Home-\u003eEvents Dashboard, \u0027more\u0027 and \u0027Show Less\u0027 are hardcodes when the browser set to Chinese language\n1986757 - Keepalived fails with Liveness probe failed: command timed out\n1986790 - Add disk modal gives error when not selecting storageClass\n1986803 - Details page doesn\u0027t catch errors which happen on a tab\n1986810 - [AUTH-13] oauth-proxy in default OpenShift components might fail to log users in if custom route certificate is configured\n1986829 - [AUTH-20] Make prometheus authenticate with a certificate while scraping the cluster\u0027s core components metrics\n1986833 - Gather Openshift Logging Stack Data\n1986936 - Grafana shows wrong label on y-axis of network graphs\n1986946 - High ICNI2 application pod creation times\n1986971 - [RFE]Password of template is fixed, instead of a parameter\n1986981 - Revise Alert Severity in OCP 4.9\n1986988 - Pipeline builder workspace info popover is not accessible via keyboard\n1986990 - Webhook tests should not use admission registration v1beta1\n1987047 - VM console doesn\u0027t open to current console type when opened in a new window\n1987083 - excludeMastersFromLB in Azure Cloud Config prevents service controller from adding masters\n1987108 - Networking issue with vSphere clusters running HW14 and later\n1987143 - update resources label for prometheus to 2.28.1\n1987152 - [e2e][automation]deploy specific hpp version for tests\n1987160 - opm alpha diff fails at headsonly mode\n1987169 - Cannot create network attachment definition while operator is installed. \n1987171 - When customizing boot source, password is shown in default font\n1987192 - Disabled state/condition is not consistent\n1987197 - Improve version checking in repository tooling\n1987198 - The chart version dropdown says `Select the chart version` even when the dropdown is disabled\n1987199 - NO-OP Helm Chart Rollback\n1987230 - Operators should not create watch channels very often: bump apirequests upperbounds in 4.9\n1987238 - A negative value applied for the \"tlsInspectDelay\" option caused the router pod to go into crashloop\n1987250 - Remove diskEligible check from OCS\n1987255 - Azure stack hub does not support zones, azure-cloud-provider crashes horribly on startup\n1987279 - installer fails to destroy a cluster with a tagged access-point\n1987289 - Epic ODC-5030 - Gherkin Scripts Design\n1987344 - Links in help of the Edit Disk point to old documentation\n1987845 - OpenStack IPI on provider network enforces unnecessary quotas\n1987948 - Add high memory alert to Openshift\n1988032 - cluster-autoscaler-operator and machine-api-operator tombstone manifests should contain CVO high-availability annotations\n1988092 - Cypress: disable OLM globall install test, duplicate Operand tabs\n1988123 - Driver Toolkit ART / OSBS builds are failing because of extract-vmlinux\n1988133 - Cypress: enable OLM globall install test, handle multiple csv\u0027s crd versions\n1988291 - 4.7 -\u003e 4.8 upgrade, node-exporter can\u0027t rollout\n1988349 - Insights report controller - set the corresponding clusteroperator condition correctly\n1988351 - Add new OCM controller pulling periodically SCA certs\n1988371 - AWS EBS: Mounting XFS volume clone or restored snapshot to same node failed\n1988372 - Azure Disk: Mounting XFS volume clone or restored snapshot to same node failed\n1988373 - GCE PD: Mounting XFS volume clone or restored snapshot to same node failed\n1988374 - OpenStack Cinder: Mounting XFS volume clone or restored snapshot to same node failed\n1988379 - Avoid connection pool full logs\n1988424 - Only assign priority class in OCP environment for LSO\n1988476 - remove dhclient binary from RHCOS\n1988491 - quorum-guard health checks fail to report accurate health reporting\n1988576 - Authentication operator fails to become available during upgrade to 4.8.2\n1988801 - Router HAProxy backend balance option is blank missing random argument in haproxy.config\n1988812 - [e2e][flaky] smoke tests may fail if vm already exist before vmi tests start\n1988828 - oc adm must-gather runs successfully for audit logs 2e2 is failing\n1988903 - Kms details empty in only MCG deployment\n1988904 - Arbiter details not present in ODF wizard\n1988905 - External mode deployments fails on parsing json in ODF wizard\n1988976 - pkgman-to-bundle will exit with flag \"--build-cmd\"\n1988992 - Worker machine object updated too many times [Azure]\n1989005 - router pod is CrashLoopBackOff if configure spec.clientTLS.allowedSubjectPatterns to \"*.openshift.com\"\n1989044 - [ART] Error reconciling Dockerfile for openshift/ose-sriov-network-operator in OCP v4.9\n1989051 - Machine API Spot tests should set valid value for maxPrice\n1989055 - logins to the web console fail when custom certificate is in use for the OpenShift oauth-server\n1989058 - router pod stuck in ContainerCreatin if removed configmap/router-client-ca-crl-default and update spec.clientTLS.clientCertificatePolicy\n1989073 - KCM logs an error on startup when using external cloud providers\n1989077 - vSphere CSI StorageClass events are repeated pathologically\n1989101 - [ovirt] Update owners - csi-driver\n1989102 - [ovirt] Update owners - csi-driver-operator\n1989122 - rebase openshift/sdn to kube 1.22\n1989143 - [e2e][automation] missing file for testing release-4.8\n1989158 - re-enable disabled unidling e2e tests\n1989215 - [openstack-cinder-csi-driver-operator] csi-liveness-probe is not deployed\n1989246 - openshift-network-operator needs to handle API server downtime gracefully in SNO\n1989335 - Etcd is degraded after upgrading to 4.9 with message \"configmap openshift-config-managed/csr-controller-ca field manager is not valid\"\n1989342 - containernetworking-plugins: Add dpdk support to host-device plugin\n1989391 - `oc adm groups sync` will generate useless data\n1989417 - Enable back [sig-cli] oc adm storage-admin\n1989423 - Enable back `[sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it`\n1989431 - fail to \"opm alpha diff\" bundle image with heads-only mode. \n1989440 - OCS Storage Cluster creation Multus network configuration not applied when only Cluster Network is selected\n1989454 - Butane 0.13.0 generate MachineConfig object with ignition version 3.3.0 which is not supported in ocp4.9\n1989456 - sriov operator cannot be upgraded to 4.9 from 4.8\n1989460 - non-head bundle of the channel is included in output of opm alpha diff for heads-only mode\n1989461 - kube-apiserver does not use the SO_REUSEPORT properly\n1989462 - [v2v] MTV modal string changes\n1989496 - typo in ClusterOperatorDegraded alert description part\n1989504 - The code logic of channel clear is ambiguous, as well as the help info and output messages\n1989505 - Enable back single oc observe test\n1989507 - replace configmap with storageprofile\n1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names\n1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty\n1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents\n1989600 - Registry server RSS and CPU utilization too high during normal operation\n1989604 - IBMCLOUD: panic: runtime error: invalid memory address or nil pointer dereference\n1989615 - HBO: Every node update triggers \"lsp-add\" for HBO ports unnecessarily\n1989632 - Create EFS filesystem for dynamic provisioning\n1989633 - staticpod/installer: backoff should not apply if latestAvailableRevision \u003e targetRevision\n1989688 - [SNO] Egress router pod not created in SNO ipv6 single stack cluster\n1989694 - Bump OVN to ovn21.09-21.09.0-10.el8fdp\n1989704 - Invalid olm.maxOpenShiftVersion properties have unclear/undefined behavior in OLM\n1989707 - [Dev Only] Add HPA page shows error screen when you try to create HPA with default values\n1989710 - Catalog operator wastes memory by caching complete copied CSVs\n1989720 - Descheduler operator should allow configuration of PodLifetime seconds\n1989722 - Descheduler operator should allow eviction based on soft topology constraints\n1989724 - Descheduler operator should expose options for pods with PVCs and Local Storage\n1989728 - Descheduler operator should verify config does not conflict with scheduler\n1989734 - Whereabouts fails in 4.9 due to missing RBAC for leases\n1989772 - openshift-controller-manager and operator needs to handle API server downtime gracefully in SNO\n1989796 - the same bundle is in output of opm alpha diff\n1989837 - [Migration] SDN migration rollback failed, stuck in MCO\n1989839 - docs packages should not be installed in the ironic containers\n1989842 - Console Observe \u003e Metrics / Dashboards: Missing series appear in tooltip with value \"0\"\n1989876 - Dashboards for OCS Storage System not available\n1989887 - Metrics not shown in storage system list page under ODF\n1989889 - UI crashes when accessing create new operand page\n1989896 - CVE-2019-19794 : mdns-publisher uses miekg Go DNS package version \u003c 1.1.25\n1989914 - [e2e][flaky] increase timeouts\n1989917 - OpenStack inconsistency reports on limits numbers for network quota check\n1989961 - CI apiserver downtime calculation isn\u0027t quite right\n1989973 - openshift-install explain text contains typo: cluster components will assume assume ownership of all resources\n1989980 - Worker machine object updated too many times [vsphere]\n1990012 - ControllerConfig Infrastructure does not match cluster Infrastructure resource\n1990018 - Add Sprint 204 round 2 translations\n1990024 - Eligible is misspelled in console-app\n1990060 - [Assisted-4.8] Host returns no routes when routing table contains multipart\n1990075 - azure-cloud-node-manager DaemonSet should use maxUnavailable: 10%\n1990089 - Bundle validation does not fail for a bundle having multiple service account declaration with same name\n1990115 - Multus whereabouts assigns duplicate IP addresses to pods when have large number of replicas\n1990137 - Fix creation of EFS filesystem\n1990140 - Samples operator management Removed failed to contact registry.redhat.io\n1990146 - some controllers missing livenessProbe\n1990205 - Console: Observe \u003e Dashboards: \"Cannot update during an existing state transition (such as within render)...\" in browser developer console\n1990206 - Incorrect AWS Supported instance type\n1990316 - Deployment with virtualmedia fails on HP setup (real bm) - port missing in iso http path\n1990432 - Volumes are accidentally deleted along with the machine [vsphere]\n1990447 - Worker machine object updated too many times [gcp]\n1990493 - [e2e][automation] test for storageProfile settings\n1990496 - Cleaning can fail with SSLError \"timed out\"\n1990541 - etcd: golang version should align with product\n1990577 - Upgrade Ingress API version\n1990601 - AzureDisk CSI driver is not installed by default on Azure Stack Hub\n1990603 - [Descheduler] descheduler operator throws an error which reads \"key failed with : scheduler.config.openshift.io \"cluster\" not found\"\n1990610 - Panic in the cluster-kube-apiserver-operator startup monitor enablement check\n1990617 - Update Fedora CoreOS images to latest testing for OKD\n1990631 - FailedToDeleteOVNLoadBalancer Error trying to delete the idling OVN LoadBalancer\n1990725 - [Kuryr][4.9] KuryrSDNPodNotReady alert is missing the node name in the message\n1990732 - Test failures caused by \"volumeBindingMode\" defaulting to \"WaitForFirstConsumer\"\n1990781 - Large binary pkg/tool/gen-skus-map in Azure Disk repo\n1990826 - New non-secure and secure routes without hsts annotation fail to get created in globally enforced hsts domain resources\n1990850 - Registry databases that do not store properties as TEXT are not served\n1990899 - PrivateIPAddressVersionCannotBeModified errors in CNO tests\n1990970 - The development of ccoctl support for IBM left unused debug test binary in the source code\n1990975 - ccoctl for IBM does not support not all possible environment variables to pass APIKEY\n1990988 - Samples library sync fails container test on php 7.2\n1991068 - cluster-etcd-operator: tls ciphers should be checked for validity\n1991095 - [External Mode] Dashboard shows incorrect deployment mode\n1991316 - namespace should be with openshift as prefix\n1991338 - \"Network Attachment Definitions\" is not able to load by a regular user\n1991357 - Fresh installation shows kube-apiserver error NodeInstallerDegraded: 1 nodes are failing on revision 4\n1991439 - Some hardcodes are detected at the code level in OpenShift console components\n1991507 - [sig-cli] Kubectl client Simple pod should return command exit codes [Suite:openshift/conformance/parallel] [Suite:k8s]\n1991508 - ppc64le and s390x CI jobs are failing with exec format errors\n1991519 - [e2e][flaky] fix kubevirt hco creation\n1991548 - [e2e][automation] add tests for disk preallocation\n1991551 - Idle service cannot be waked up\n1991566 - [e2e][automation] Disable protractor test in prow\n1991662 - OLM Catalog Templating\n1991730 - e2e-aws-proxy is failing with \"Invalid value: []string{\"us-west-2d\", \"us-west-2b\"}: No subnets provided for zones\"\n1991793 - ECMP routes with invalid next hops still result in OF groups getting programmed\n1991814 - \"oc adm inspect co storage\" returns an error message when there is no openshift-manila-csi-driver ns. \n1991860 - Insights Operator panics with invalid memory address or nil pointer dereference\" (runtime error: invalid memory address or nil pointer dereference)\n1991977 - Kamelet sources shown in openshift-operators in eventsources but in other namespace shows up only if user created IP CR\n1992004 - ci/prow/e2e-gcp-console flake \"Create Application from git form\"\n1992013 - ci/prow/e2e-gcp-console flake \"Create Application from Devfile.Create Application\"\n1992016 - Expose kubelet configuration parameters\n1992148 - [Azure CSI] cannot deploy Azure Disk on ASH because /etc/kubernetes is read-only fs\n1992193 - Race condition in cluster-storage-operator\n1992255 - csi-snapshot-controller needs to handle API server downtime gracefully in SNO\n1992405 - Sync upstream 1.10.1 downstream\n1992463 - OKD: Installation to Libvirt fails due to no space left in /run\n1992493 - 3 alerts have no annotations summary and description\n1992502 - select storage class dropdown fail when using CNV2.6.5\n1992507 - all the alert rules\u0027 annotations \"summary\" and \"description\" should comply with the OpenShift alerting guidelines\n1992508 - documentationBaseURL should be updated to 4.9\n1992555 - all the alert rules\u0027 annotations \"summary\" and \"description\" should comply with the OpenShift alerting guidelines\n1992557 - failed to start cri-o service due to /usr/libexec/crio/conmon is missing\n1992560 - all the alert rules\u0027 annotations \"summary\" and \"description\" should comply with the OpenShift alerting guidelines\n1992591 - 2 different oc binaries are used in the `cli-artifacts` image\n1992673 - Failed OCP build of openshift/ose-etcd:v4.9.0\n1992677 - OLM upgradeable condition message unclear with MaxOpenShiftVersion set\n1992714 - use existing pvc hotplug crashes\n1992730 - Dynamic Plugins: localization does not work for plugin\n1992820 - [Knative] Event Sources should be under Serverless group together with Channel\n1992823 - Cluster autoscaler should use Kubernetes 1.22 dependencies\n1992857 - [Azure CSI] Not enough permissions to list config maps in openshift-config ns\n1992875 - [Azure CSI] Driver Node controller can\u0027t get config from the secret of Azure Stack Hub\n1992876 - Gather OKD specific journal logs\n1992900 - openshift/kubernetes fails to build on ARM\n1992950 - [e2e][automation] create template from wizard\n1992974 - Revision/Route list table doesn\u0027t have proper alignment/styles in admin perspective\n1993002 - The \"largestMaxAge\" and \"smallestMaxAge\" in \"maxAge\" option for HSTS headers accepts negative values\n1993007 - e2e tests fail because operator does not delete SriovNetworks\n1993055 - node_exporter task, log message wrong\n1993078 - Enable Auth config for ironic-api\n1993087 - Azure StackHub: cluster-cloud-controller-manager-operator / azure-cloud-controller-manager / azure-cloud-node-manager does not support OCP azure credentials secret format\n1993147 - Add aria-label to different OCS dashboard components\n1993148 - Monitoring UI doesn\u0027t make use of React\u0027s memoization features\n1993159 - [Azure] Instead of updating the spec actuator updates status twice\n1993195 - Testing performance of sync plugin\n1993207 - failed to list resource groups: Can not get resource groups without account id in parameter by service id token\n1993260 - SRO RBAC error when deploying ping-pong CR\n1993286 - Minor OpenShift upgrades blocked when olm.maxOpenShiftVersion = current Y-stream+1 and current Z-stream \u003e 0\n1993306 - Flaky e2e test: Event Sources on default Developer Catalog\n1993444 - NFD - cstate detection enabled on s390x\n1993757 - OCP 4.8 etcd unhealthy\n1993788 - VM creation (customize flow): storage class mismatch between actual SC and \"Edit Disk\" screen\n1993793 - Move CSIDriver from v1beta to v1\n1993840 - openshift-samples should not change condition Degraded/Available (upgrades)\n1993851 - EFS CSI driver operator does not have an icon\n1993886 - operand creation form doesn\u0027t render correct format\n1993920 - Improve Sysprep helper text\n1993922 - The kubeletconfig controller has wrong assumption regarding the number of kubelet configs\n1993931 - Storage operators use older kubernetes client\n1993934 - Update CSI sidecars\n1993955 - [External Mode] Fix margin issue with Details card on Block and File Page\n1993975 - [not user facing][infrastructure] remove kubevirt dependants for dynamic plugin\n1993977 - kube-rbac-proxy panic\n1993980 - Kubelet regularly freeze control groups causing issues further down\n1993999 - Some hardcodes are detected at the code level in OpenShift console components\n1994035 - SNO: LSO diskmaker pod using excessive cpu\n1994060 - API response for host routes includes misleading family number when IPv6 is enabled\n1994069 - [4.9] bump OVN to ovn21.09-21.09.0-13.el8fdp\n1994103 - [IBMCLOUD] Needs to have Terraform code converted to steps. \n1994113 - local volume tests create lot of events churn\n1994139 - k8s 1.22 bump for operator-lifecycle-manager\n1994155 - thanos fails to build with latest imagebuilder\n1994172 - rhel node does not join cluster conmon validation: invalid conmon path\n1994253 - On OKD templates provided by kubevirt provider and supported by red-hat are marked as community templates\n1994257 - Audit errors alert not created\n1994277 - Changing the memory manager policy via the kubelet config will drop the node to NotReady state\n1994410 - When machine creation failed due to validations, error contains \"failed to create connection to oVirt API\"\n1994434 - service account sriov-network-config-daemon disappeared when sriov operator upgrade from 4.8 to 4.9 version\n1994439 - Review page of ODF wizard does not follow console guidelines\n1994443 - openshift-console operator incorrectly reports Available=false\n1994454 - upgrade from 4.6 to 4.7 to 4.8 with mcp worker \"paused=true\", crio report \"panic: close of closed channel\" which lead to a master Node go into Restart loop\n1994480 - Cluster Infrastructure owned components should use 1.22 dependencies\n1994586 - Create local volume set step says \"An error has occurred\"\n1994613 - disable all CI tests that require IPv6 internet connectivity\n1994642 - Update CSI drivers\n1994643 - kube-apiserver must not return 404 to garbage collection controller before being ready\n1994647 - [ipv6] ovn-nbctl calls to find with nexthop= need quotes for IPv6\n1994648 - Resolution failed error condition in Subscription not being removed after resolution error is resolved. \n1994707 - cluster-etcd-operator: handle unstarted member condition in status request. \n1994857 - [UPGRADE] kube-apiserver is degraded after upgrading to 4.9 with error \"configmap openshift-config-managed/csr-controller-ca field manager is not valid\"\n1994872 - [4.9] oc fail to mirror release payload to local disk\n1994891 - NTO: use the latest k8s 1.22 and openshift vendor dependencies\n1994927 - Enable back [sig-network] Networking should provide Internet connection for containers using DNS\n1994973 - Fix bundle config\n1994975 - Next button is enabled when the flash system endpoint is invalid\n1994979 - Fix skipRange\n1994981 - Local Storage Operator does not have an icon\n1994986 - etcd check perf causes issues on clusters if run\n1994991 - olm.skipRange replacement is noop\n1994997 - olm.skipRange substitution is noop in ART builds\n1995043 - Two storage systems got created while creating one from UI\n1995049 - tech / dev preview badge in search resource dropdown missing styles\n1995110 - olm.skipRange is not set\n1995116 - Pod logs shows incorrect lines number in the log window top banner\n1995148 - Secret key for mangement address is incorrect for flash system\n1995198 - OLM tests are failing on aws arm64\n1995291 - oc new-app/new-build commands should not mention docker\n1995300 - opm validate does not detect cycles in channels\n1995325 - Projects page fails to render due to calling more hooks than previous render\n1995330 - ovn-kubernetes load-balancer operations are very expensive\n1995386 - bz 1990140 fix broke retry on tbr connection test\n1995387 - OpenStack 4.8 -\u003e 4.9 upgrade is permafailing periodic-ci-openshift-release-master-ci-4.9-upgrade-from-stable-4.8-e2e-openstack-upgrade\n1995468 - Nodes can\u0027t resolved IPv4 address in dual stack configuration\n1995523 - Pipeline Builder form throws an error when clicked on `Add Task`\n1995525 - All storage systems are listed in the details page of a particular storagesystem\n1995573 - oc adm certificate approve|deny help shows kubectl in the examples\n1995612 - Block pool details page breadcrumb link is not pointing storage system details page\n1995614 - \"beta.kubernetes.io/os\" is deprecated since v1.14\n1995653 - upgrade rbac rules to use v1 APIS for LSO\n1995655 - 4.9 installer should default ClusterVersion channel to stable-4.9\n1995695 - Get insights on series churn during upgrades\n1995727 - sync plugin no longer catches build deletes that occur between restarts\n1995785 - long living clusters may fail to upgrade because of an invalid conmon path\n1995804 - Rewrite carry \"UPSTREAM: \u003ccarry\u003e: create termination events\" to lifecycleEvents\n1995816 - Reduce cardinality of ovn-kubernetes event handler metrics\n1995898 - [Descheduler] - The minKubeVersion should be 1.22\n1995901 - Warnings are shown in the browser for Monitoring types\n1996031 - cloud-provider-openstack: Merge upstream 1.22 tag\n1996032 - cluster-kube-apiserver-operator should not run with pre-release libraries\n1996081 - csi-driver-nfs: Merge upstream\n1996094 - Missing key errors on containers page\n1996097 - [Feature:IPv6DualStack] tests are failing in dualstack after renamed\n1996116 - Block pool list page and detail page menu action is not disabled for default pool\n1996124 - Add release architecture to openshift-install version\n1996139 - make verify target always fails for upstream staging commits\n1996156 - UI breaks for topology nodes which doesn\u0027t have a SideBar\n1996158 - Dynamic Plugins: Unable to add nav sections to admin perspective\n1996159 - Dynamic Plugins: Visiting a plugin route directly causes a 404 page to flash briefly\n1996212 - Cluster Resource Override Admission needs to be migrated from v1beta1 to v1\n1996306 - Build root container image fails to download the kubebuilder 2.3.1 executable successfully in CI\n1996501 - Instance types with less than 8GB memory are listed in AWS UPI templates, but they do not meet memory minimum requirement for cluster\n1996506 - Fix crd version for SriovNetworkPoolConfig\n1996531 - [Assisted-4.8] [Integration] No 80 minutes timeout when SNO cluster is hang on rebooting\n1996535 - Project selector flickers on the creation of namespace between current and newly created one\n1996539 - error when selecting knative service in topology\n1996566 - Manually created invalid Kamelets should be skipped in the eventsources list\n1996620 - [SCC] openshift-oauth-apiserver degraded when a SCC with high priority is created\n1996622 - The Authorized SSH Key input box fail to fill the SSH key on Advanced page\n1996644 - ODF Internal Dashboard Not showing up\n1996646 - Ties between competing SCCs may have wrong reasoning in audit logs\n1996689 - RestrictedEndpointsAdmission controller needs to restrict EndpointSlices as well\n1996718 - KSM flag --node should be --nodes in CMO assets\n1996779 - fix racy disk check for vsphere cloud provider\n1996783 - cloud-provider-openstack: Bump to Go v1.16 and OCP v4.9\n1996785 - Unused rules in CMO\n1996792 - Quick search modal missing icons and have unnecessary scrollbar\n1996878 - opm does not print sqlite deprecation warnings\n1996881 - oc adm catalog mirror does not print sqlite deprecation warnings\n1996914 - Failed to get ImpersonateHeaders TypeError: i.a is undefined\n1996941 - Monitoring operator is degraded because expected 8 ready pods for \"node-exporter\" daemonset but got 6 when upgrading windows cluster to 4.9\n1997029 - OCS Dashboard should not show when ODF is present\n1997034 - Drop high cardinality cAdvisor metrics\n1997048 - User can create same domain mapping multiple times\n1997050 - CNO panic: runtime error: invalid memory address or nil pointer dereference\n1997062 - crio-o: \"no space left on device\" issue is seen on latest 4.9 builds\n1997079 - Custom time range not working\n1997102 - Gherkin for observe tab in workload sidebar is not aligned with latest UI\n1997108 - react warning loading dev perspective /topology\n1997114 - EgressFirewall may fail to be applied due to address_set missing\n1997122 - [LocalVolume] provisioning fails silently if device is already claimed\n1997131 - Update the pipeline quicksearch with latest desgin\n1997135 - Unable to start export if deleted export CR from different window\n1997168 - Remove unused variable in parser config file\n1997179 - Serverless installation is failing on CI jobs for e2e tests\n1997183 - Update Kube dependencies in MCO to 1.22\n1997187 - Update analyze script vendor size to 3.5MiB\n1997207 - newETCD3Client does not use existing context\n1997267 - Add translations from Sprint 205 part 2\n1997270 - bump OVN to ovn21.09-21.09.0-15.el8fdp\n1997347 - Take etcd backups before minor-version OpenShift updates\n1997379 - [e2e][automation] add tests for showing multiple IP address on UI\n1997407 - power-of-two balancing feature set \"Random\" as default balancing for passthrough routes\n1997420 - Revert wrong change on api-usage rules\n1997422 - Hardcode happens when create VolumeSnapshots\n1997438 - Syntax error appears to breaks the ovn egressFirewall policy during the cluster upgrade\n1997461 - [UI][LSO] \"Local Storage Operator not installed\" message statement is not appropriate\n1997465 - Fix panic in the LRU cache\n1997475 - e2e-agnostic-operator tests fail occasionally after 30 minutes because of timeout\n1997482 - Remove mask from behind modal in Pipeline Builder Tekton Hub Integration\n1997486 - Node Tuning Operator(NTO) - Missing [sysfs] section in openshift profile\n1997507 - Cluster cloud controller manager operator fails to upgrade on a single node cluster\n1997528 - instance:etcd_object_counts:sum and cluster:usage:resources:sum use the etcd_object_counts metric which is deprecated\n1997596 - UpdateAvailable alert is re-triggered on pod and other label changes\n1997655 - React warning when open pipeline list page (with at least one pipeline)\n1997657 - Kubelet rejects pods that use resources that should be freed by completed pods\n1997787 - Descheduler default for evict pods with PVCs is incorrect\n1997790 - Add Azure Stack UPI Templates\n1997811 - Marketplace Operator should use k8s 1.21+ dependencies\n1997929 - MachineSets list and details page headings should follow same format with other resources\n1997972 - CMO dependencies must be pinned for release\n1997993 - SNO deployment on HPE e910 blades fails because the node always boots from virtualmedia\n1998015 - Observe \u003e Metrics / Dashboards performance: Graph tooltips process all points even if they won\u0027t be displayed\n1998031 - [bz-openshift-apiserver] clusteroperator/openshift-apiserver should not change condition/Degraded: master nodes drained too quickly\n1998047 - Missing UI flags after install creation\n1998146 - service VIP did not be removed after remove one node\n1998168 - Final Toast has download which is a button and should be an anchor tag\n1998207 - Helm upgrade on OpenShift 4.9 failing with schema errors\n1998240 - Helm side panel should be consistent with operatorhub and show support URL\n1998247 - Tuned configuration fails and does not recover when profile references a not yet existing performance profile configuration\n1998311 - Enable Manual Credentials Mode on Azure Stack Hub\n1998319 - Dynamic Plugins: dynamic route chunks are not lazy loading\n1998347 - Language preference does not reflect on console load\n1998364 - Inconsistent react-i18next mocks in unit tests\n1998388 - User preference screen shows \"Create Namespace\" instead of \"Create Project\"\n1998394 - [e2e][automation] add tests for RHEL9 template\n1998408 - Git import flow: Dockerfile is detected but file name is not used\n1998411 - Name is not autofilled when git URL contains trailing slash\n1998413 - Expanding portions of Helm Form overlay section title and include an area which is disconnected\n1998423 - upgrade from 4.8.6 to 4.9.0-0.nightly-2021-08-26-164418, blocked by dns upgrade due to FailedCreatePodSandBox for pods\n1998431 - AppName \u0026 Name are not auto-updated when modifying the Internal registry details in container image page\n1998466 - Cloud controller manager fails to upgrade on a single node cluster\n1998508 - CNO reports incorrect status during slow/failed install\n1998528 - Sync latest upstream bugfixes to OCP ironic container image\n1998552 - Enforce OpenShift\u0027s defined kubelet version skew policies\n1998563 - Column headers don\u0027t match content in pod and machine list\n1998575 - Insert sample YAML do nothing on BuildConfig and was mistakenly shown when editing a resource\n1998587 - BuildConfig form doesn\u0027t update app.openshift.io/vcs-uri annotation\n1998598 - ptp operator can not enable event publisher sidecar\n1998614 - Pod creation failed with CNI request timeout due to stale data in cache. \n1998616 - Show fully qualified domain name (FQDN) a Service\u0027s page\n1998637 - Update ironic-ipa-downloader container with latest tested code \u0026 RHEL updates\n1998643 - e2e-metal-ipi-virtualmedia and e2e-metal-ipi-ovn-ipv6 are failing to install\n1999018 - [ASH] upgrade stuck due to Cluster cloud controller manager deployment strategy error\n1999026 - Detect ODF managed services when OCS operator is installed\n1999039 - [UI] OpenShift Data Foundation Overview page is showing wrong status of storage system\n1999075 - Move the selected workload to the full view in topology canvas\n1999093 - Pods list appears to unmount / remount on some updates\n1999119 - bump golang version of installer to 1.16\n1999131 - [e2e][automation] adjust layout by cypress conventions\n1999138 - [CNO] [OVN-K] The network-unavailable taint needs to be from upstream k8s and not ovn-k specific\n1999159 - Remove evan from owners\n1999168 - Busted VPA graphic in OperatorHub\n1999179 - Import from git as Serverless Service creates an incomplete BuildConfig (Secret is missing)\n1999185 - ptp config with summary_interval 0 throws parsing error in the log\n1999187 - VPA E2E test aws-operator is failing due to use of removed v1beta1 RBAC API\n1999210 - [e2e][automation] add tests for VM wizard Cloudinit editor fields\n1999225 - Descheduler operator needs new profiles for 4.9\n1999266 - Click issue in topology page context menu\n1999292 - \"System projects\" does not align with the docs terminology, which uses \"default projects\"\n1999297 - [Assisted-4.8 ][SaaS] vip-dhcp-allocation mode broken cannot set networking for cluster\n1999326 - Automated day-2 configuration deployment for ZTP\n1999393 - Form / YAML switch makes unnecessary network calls to save latest editor type\n1999397 - Prometheus: data race in the loadWAL function\n1999404 - [e2e][automation] add tests for rootdisk validations\n1999421 - OKD: revert initial FCOS to 20210626.3.1\n1999422 - Missing feature flags for new features\n1999577 - RHCOS live ISO can fail to boot in UEFI mode; drops to grub shell\n1999593 - SNO: Add e2e test for RT kernel switch\n1999614 - Edit D/DC forms should display D/DC name being edited to provide context\n1999615 - UI crashes when clicked on the grey background of the topology view if projects dropdown is open\n1999627 - Import from git flow doesn\u0027t recommend build image when a Dockerfile exists\n1999631 - Show advanced Git options is not clickable (again) in new Git import flow\n1999648 - Remove remaining Storage Class in console-app\n1999656 - pipeline run count chart discrepancies with other chart values\n1999658 - E2E test failures due to github rate limiting\n1999669 - BackingStore Details Page is breaking\n1999674 - Warn users about using deprecated vSphere version\n1999719 - last selected tab in topology side panel is not persisted\n1999723 - Cannot Select Text with Cursor in QuickSearchModal bar\n1999729 - Dynamic Plugin SDK component has wrong spelling\n1999823 - Admin web-console should linkify ClusterVersion and ClusterOperator condition messages\n1999852 - Bump OVN to ovn21.09-21.09.0-18.el8fdp\n1999853 - cluster-storage-operator not honoring the control plane topology setting for the csi driver operator deployment\n1999862 - ZTP example \u0027tuned-performance-patch\u0027 policy refers to the wrong tuned profile name\n1999879 - Update ansible collections; follow on to 1.10 update. \n1999951 - VPA won\u0027t operate on pods created by custom controllers\n2000108 - Inspecting a chart takes to empty metrics\n2000126 - high load on Prometheus using the ptp operator\n2000144 - GetBundleForChannel registry endpoint performs significant needless work\n2000146 - opm render includes channel metadata in properties when rendering bundles\n2000186 - NetworkPolicy: allow from hostnetwork policy and allow from router (policy-group.network.openshift.io/ingress: \"\") does not work for network plugin openshiftSDN\n2000191 - Make durations for CCCMO leader election operations compatible with the OpenShift standards\n2000226 - Unable to have multiple charts in one configmap\n2000253 - oc edit ptpconfig causes cloudevent sidecar to crash and restart\n2000259 - Add Sprint 206 translations\n2000294 - report apiversion of esxi host and vcenter server\n2000321 - README file on github refers to \u0027{product-title} but should be \u0027OpenShift\u0027\n2000352 - Default OVA import to HW15\n2000391 - [e2e][automation] review skipped tests\n2000440 - OCS Quick Start should not be shown unless you have proper privileges\n2000473 - Observe \u003e Dashboards: Dashboards are sometimes blank (no data loading)\n2000491 - Remove TechPreview Badge from Red Hat integration camel K operator\n2000492 - Conditional data gathering validation \u0026 refactoring\n2000499 - If export app toast is not cleared by the user and a new one is triggered then old toast download gives 404\n2000576 - Creating a StorageSystem with MCG only deployment is failing\n2000584 - `[sig-storage] EmptyDir volumes pod should support memory backed volumes of specified size` is permafailing on OKD 4.9\n2000589 - [sig-node] crictl should be able to run crictl on the node\n2000590 - Warning on topology context menu right click\n2000596 - (release-4.9) Update K8s \u0026 OpenShift API dependencies versions\n2000607 - Domain mapping movement from one service to another is not intutive\n2000608 - static pod startup monitor should log to a log file in addition to stderr\n2000633 - Issue with the UI of observer page when screen size is reduced\n2000636 - Edit Deployment form drops strategy data when switching type\n2000689 - [block-pool-dashbaord] Expandable section in mirroring card is empty when no image for mirroring\n2000721 - Bump OVS userland to openvswitch2.16-2.16.0-6.el8fdp\n2000726 - ZTP PolicyGen failed to create CRs during synchronization of 1 site\n2000768 - Quick Starts provide incorrect guidance when Che/CRW is installed\n2000820 - (release-4.9) Gather PodSecurityPolicies names installed in a cluster\n2000833 - Wepack warnings about missing types when running dev build\n2000873 - Toast shows list style on uploadJar toast and export app toast\n2000935 - add volume mode selection in storage creation (external IBM FlashSystem)\n2000965 - [e2e][automation] remove login prompt check until it\u0027s clearly needed\n2001263 - [e2e][automation] create vm from template list and action dropdown\n2001288 - Virtualization is not available in Home Overview when CNV version is 2.6.z\n2001292 - import vm action is not hidden\n2001958 - Cluster becomes degraded if it can\u0027t talk to Manila\n2001983 - Incorrect StorageCluster CR created and ODF cluster getting installed with 2 Zone OCP cluster\n2002196 - Pass down proxy env to operands failed for ansible type operator\n2002197 - Pass down proxy env to operands failed for helm type operator\n2002200 - Operator-lib proxy block the \"ReadProxyVarsFromEnv\" for go type operator\n2002288 - [4.9] kube-proxy\u0027s userspace implementation consumes excessive CPU\n2002338 - Bump descheduler to k8s 1.22\n2002361 - Missing the ability to set networkType in SiteConfig during ZTP flow\n2002374 - Inexplicably slow kubelet on bootstrap makes installation fail\n2002502 - []corev1.EnvVar{} can\u0027t be appended to container.env\n2002543 - Test: oc adm must-gather runs successfully for audit logs - fail due to startup log\n2002561 - Failing tests: \"volumeMode should fail in binding dynamic provisioned PV to PVC\"\n2003161 - [SCALE] ovnkube CNI: remove ovs flows check\n2003197 - CRI-O leaks some children PIDs\n2003245 - [4.9] Revert libovsdb client code\n2003306 - Rejected pods should be filtered from admission regression\n2003545 - Remove openshift:kubevirt-machine-controllers decleration from machine-api\n2004137 - ptp/worker custom threshold doesn\u0027t change ptp events threshold\n2004146 - Need Device plugin configuration for the NIC \"needVhostNet\" \u0026 \"isRdma\"\n2004337 - [4.9] OVN CNI should ensure host veths are removed\n2004340 - [4.9] Pod creation failed due to mismatched pod IP address in CNI and OVN\n2004568 - Cluster-version operator does not remove unrecognized volume mounts\n2004676 - [4.9] Boot option recovery menu prevents image boot\n2004712 - TuneD issues with the recent ConfigParser changes. \n2004924 - [SNO]ingress/authentication clusteroperator degraded when enable ccm from start\n2004961 - output of \"crictl inspectp\" is not complete\n2005108 - removing and recreating static pod manifest leaves pod in error state\n2005462 - [4.9] ovn-kube may never attempt to retry a pod creation\n2005476 - [4.9] [ICNI2] \u0027ErrorAddingLogicalPort\u0027 failed to handle external GW check: timeout waiting for namespace event\n2006145 - 4.8.12 to 4.9 upgrade hung due to cluster-version-operator pod CrashLoopBackOff: error creating clients: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable\n2006432 - [4.9] Remove workaround keeping /boot RW for kdump support\n2006782 - Missing ZTP ArgoCD Container Image\n2006962 - [4.9] OS boot failure \"x64 Exception Type 06 - Invalid Opcode Exception\"\n2007086 - [4.9] Bootimage bump tracker\n2007089 - [4.9] Intermittent failure mounting /run/media/iso when booting live ISO from USB stick\n2007324 - race condition can cause in cluster-bootstrap can cause crashlooping bootstrap kube-apiserver\n2007458 - crio\u0027s selinux module has performance improvements when compiled with golang 1.16\n2007684 - [4.9.z] PVs remain in Released state for a long time after the claim is deleted\n2008619 - ImageStream with RHCOS version tag needed for RHODS GPU support\n2008944 - Azure Stack UPI does not have Internal Load Balancer\n2009059 - Placeholder bug for OCP 4.9.0 metadata release\n2009342 - The serviceAccountIssuer field on Authentication CR is reseted to \u201c\u201d when installation process\n2009467 - [4.9] container-selinux should come from rhel8-appstream\n2009530 - Deployment upgrade is failing availability check\n2009652 - [4.9] Multipath day1 not working on s390x\n2009653 - [4.9] Bootimage bump tracker\n2009738 - [IPI-on-GCP] \u0027Install a cluster with nested virtualization enabled\u0027 failed due to unable to launch compute instances\n2009842 - cannot build extensions on aarch64 because of unavailability of rhel-8-advanced-virt repo\n2010066 - [Assisted-4.9][Integration] Unable to generate ISO with error: Failed to fetch base ISO information: NotFound\n2010074 - [e2e][automation] CI tests fail because of wrong test cnv version installed\n2010372 - Reverts PIE build mode for K8S components\n2010486 - SRO package name collision between official and community version\n2010529 - [backport 4.9] openshift-gitops operator hooks gets unauthorized (401) errors during jobs executions\n2010861 - Failure building EFS operator\n2010954 - SRO CSV uses non default category \"Drivers and plugins\"\n2011050 - Storage operator is not available after reboot cluster instances\n2011087 - Backport audit log silence change\n2011350 - RenderOperatingSystem() returns wrong OS version on OCP 4.7.24\n2011701 - Bootkube tries to use oc after cluster bootstrap is done and there is no API\n2011815 - Kubelet rejects pods that use resources that should be freed by completed pods\n2011951 - [4.9] ClusterVersion Upgradeable=False MultipleReasons should include all messages\n2011958 - [4.9] [tracker] Kubelet rejects pods that use resources that should be freed by completed pods\n2011961 - [4.9] [tracker] Storage operator is not available after reboot cluster instances\n2011985 - SRO bundle references non-existent image\n2012008 - APIRemovedInNextReleaseInUse: give exact command in description\n\n5. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-3121\nhttps://access.redhat.com/security/cve/CVE-2021-26539\nhttps://access.redhat.com/security/cve/CVE-2021-26540\nhttps://access.redhat.com/security/cve/CVE-2021-28092\nhttps://access.redhat.com/security/cve/CVE-2021-28169\nhttps://access.redhat.com/security/cve/CVE-2021-29059\nhttps://access.redhat.com/security/cve/CVE-2021-31525\nhttps://access.redhat.com/security/cve/CVE-2021-32690\nhttps://access.redhat.com/security/cve/CVE-2021-33194\nhttps://access.redhat.com/security/cve/CVE-2021-33195\nhttps://access.redhat.com/security/cve/CVE-2021-33196\nhttps://access.redhat.com/security/cve/CVE-2021-33197\nhttps://access.redhat.com/security/cve/CVE-2021-33198\nhttps://access.redhat.com/security/cve/CVE-2021-34428\nhttps://access.redhat.com/security/cve/CVE-2021-34558\nhttps://access.redhat.com/security/cve/CVE-2021-36980\nhttps://access.redhat.com/security/updates/classification/#moderate\n\n6. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2021 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYW2xOdzjgjWX9erEAQhRpg/+NubKYuEEFCd+EYhr16pH3VlbzYBRZAxP\nOf5AIOpaqr7Nmij2fg1xokPBaB81PRf1Zh50t6025cr6+WaNggw8ina7YY4uJMKU\nt2pV4gKZuT6d2UNytZ9Hqw0H4gG9lSJz3nvjQ1Mb2RNhcAEeA8dk1UWdhUXe122L\nhqMLRr1WRkCDQ8z5WIRRWtvgEllWF5IufV+98zIKf5RslGFntETRrBw3OXZJItIS\n03gcWNn+8QHoovqpdP5GfCpDSltsbk3I9rGPa7+/WFGWN39DdDRLr0VgbyU1TMxV\nypuqThlfjJAIVTs+mHvtBDJ71REVh8mkDpLLnSnm8iym1ehsuBBqt1jIkPgu2vnr\nb1b75K9Y1YoMDLycbU7WcEfSjq8iqfYoVddzwkKSihmjPJeqCsTseOSl00s2HMaT\n5DQHyvpwhzIYWw+vSiD2xolRI7j8VH6K3mvWM2aG3GrQNuLSgmd5l3Y115aW01JG\nay1oDXj/k9Y5EeerGDS2IbrZhHRVy6Y5ach2deCBAUmA2gX2yTk88e6/F/WTGLL7\ntKWcpu/QQJKg6rcDx7r5+G0aUlHpo7e06uxKwBr+MrCSNFj7TgRlN30ZkNMqrh4P\n0v3fPfZdBFAAt6Akb7fxb6Pb+NMlGJF8Pa8RgncWAK7q7hwBlW8cV2x9aRdZnW/I\nUhVGDnha+dI=\n=BYf6\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. See the following advisory for the container images for\nthis release:\n\nhttps://access.redhat.com/errata/RHSA-2021:3759\n\nSecurity Fix(es):\n\n* jetty: requests to the ConcatServlet and WelcomeFilter are able to access\nprotected resources within the WEB-INF directory (CVE-2021-28169)\n\n* golang: archive/zip: malformed archive may cause panic or memory\nexhaustion (CVE-2021-33196)\n\n* openvswitch: use-after-free in decode_NXAST_RAW_ENCAP during the decoding\nof a RAW_ENCAP action (CVE-2021-36980)\n\n* jetty: SessionListener can prevent a session from being invalidated\nbreaking logout (CVE-2021-34428)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/):\n\n1965503 - CVE-2021-33196 golang: archive/zip: malformed archive may cause panic or memory exhaustion\n1971016 - CVE-2021-28169 jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory\n1974891 - CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout\n1984473 - CVE-2021-36980 openvswitch: use-after-free in decode_NXAST_RAW_ENCAP during the decoding of a RAW_ENCAP action\n\n6. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202311-16\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Low\n Title: Open vSwitch: Multiple Vulnerabilities\n Date: November 26, 2023\n Bugs: #765346, #769995, #803107, #887561\n ID: 202311-16\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n=======\nMultiple denial of service vulnerabilites have been found in Open\nvSwitch. \n\nBackground\n=========\nOpen vSwitch is a production quality multilayer virtual switch. \n\nAffected packages\n================\nPackage Vulnerable Unaffected\n-------------------- ------------ ------------\nnet-misc/openvswitch \u003c 2.17.6 \u003e= 2.17.6\n\nDescription\n==========\nMultiple vulnerabilities have been discovered in Open vSwitch. Please\nreview the CVE identifiers referenced below for details. \n\nImpact\n=====\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n=========\nThere is no known workaround at this time. \n\nResolution\n=========\nAll Open vSwitch users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-misc/openvswitch-2.17.6\"\n\nReferences\n=========\n[ 1 ] CVE-2020-27827\n https://nvd.nist.gov/vuln/detail/CVE-2020-27827\n[ 2 ] CVE-2020-35498\n https://nvd.nist.gov/vuln/detail/CVE-2020-35498\n[ 3 ] CVE-2021-3905\n https://nvd.nist.gov/vuln/detail/CVE-2021-3905\n[ 4 ] CVE-2021-36980\n https://nvd.nist.gov/vuln/detail/CVE-2021-36980\n[ 5 ] CVE-2022-4337\n https://nvd.nist.gov/vuln/detail/CVE-2022-4337\n[ 6 ] CVE-2022-4338\n https://nvd.nist.gov/vuln/detail/CVE-2022-4338\n[ 7 ] CVE-2023-1668\n https://nvd.nist.gov/vuln/detail/CVE-2023-1668\n\nAvailability\n===========\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202311-16\n\nConcerns?\n========\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n======\nCopyright 2023 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n", "sources": [ { "db": "NVD", "id": "CVE-2021-36980" }, { "db": "JVNDB", "id": "JVNDB-2021-009864" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "VULHUB", "id": "VHN-398812" }, { "db": "VULMON", "id": "CVE-2021-36980" }, { "db": "PACKETSTORM", "id": "164563" }, { "db": "PACKETSTORM", "id": "164080" }, { "db": "PACKETSTORM", "id": "164543" }, { "db": "PACKETSTORM", "id": "164542" }, { "db": "PACKETSTORM", "id": "175917" } ], "trust": 2.79 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-36980", "trust": 3.9 }, { "db": "JVNDB", "id": "JVNDB-2021-009864", "trust": 0.8 }, { "db": "PACKETSTORM", "id": "164563", "trust": 0.7 }, { "db": "PACKETSTORM", "id": "164080", "trust": 0.7 }, { "db": "PACKETSTORM", "id": "164542", "trust": 0.7 }, { "db": "CS-HELP", "id": "SB2021041363", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202104-975", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.3466", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.3490", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2023.2040", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.3032", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.4446", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021072017", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021102117", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202107-1384", "trust": 0.6 }, { "db": "VULHUB", "id": "VHN-398812", "trust": 0.1 }, { "db": "VULMON", "id": "CVE-2021-36980", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "164543", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "175917", "trust": 0.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-398812" }, { "db": "VULMON", "id": "CVE-2021-36980" }, { "db": "JVNDB", "id": "JVNDB-2021-009864" }, { "db": "PACKETSTORM", "id": "164563" }, { "db": "PACKETSTORM", "id": "164080" }, { "db": "PACKETSTORM", "id": "164543" }, { "db": "PACKETSTORM", "id": "164542" }, { "db": "PACKETSTORM", "id": "175917" }, { "db": "NVD", "id": "CVE-2021-36980" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "CNNVD", "id": "CNNVD-202107-1384" } ] }, "id": "VAR-202107-1506", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-398812" } ], "trust": 0.01 }, "last_update_date": "2023-12-18T11:29:21.703000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "ofp-actions", "trust": 0.8, "url": "https://github.com/openvswitch/ovs/commit/38744b1bcb022c611712527f039722115300f58f" }, { "title": "Open vSwitch Remediation of resource management error vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=157998" }, { "title": "Debian CVElist Bug Report Logs: openvswitch: CVE-2021-36980", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=3be4014cfdb7d8d1e263c272f11d4d7c" }, { "title": "Arch Linux Advisories: [ASA-202107-40] openvswitch: arbitrary code execution", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=asa-202107-40" }, { "title": "Arch Linux Issues: ", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=cve-2021-36980 log" } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-36980" }, { "db": "JVNDB", "id": "JVNDB-2021-009864" }, { "db": "CNNVD", "id": "CNNVD-202107-1384" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-416", "trust": 1.1 }, { "problemtype": "Use of freed memory (CWE-416) [NVD Evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "VULHUB", "id": "VHN-398812" }, { "db": "JVNDB", "id": "JVNDB-2021-009864" }, { "db": "NVD", "id": "CVE-2021-36980" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.6, "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851" }, { "trust": 1.9, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-36980" }, { "trust": 1.8, "url": "https://github.com/google/oss-fuzz-vulns/blob/main/vulns/openvswitch/osv-2020-2197.yaml" }, { "trust": 1.8, "url": "https://github.com/openvswitch/ovs/commit/38744b1bcb022c611712527f039722115300f58f" }, { "trust": 1.8, "url": "https://github.com/openvswitch/ovs/commit/65c61b0c23a0d474696d7b1cea522a5016a8aeb3" }, { "trust": 1.8, "url": "https://github.com/openvswitch/ovs/commit/6d67310f4d2524b466b98f05ebccc1add1e8cf35" }, { "trust": 1.8, "url": "https://github.com/openvswitch/ovs/commit/77cccc74deede443e8b9102299efc869a52b65b2" }, { "trust": 1.8, "url": "https://github.com/openvswitch/ovs/commit/8ce8dc34b5f73b30ce0c1869af9947013c3c6575" }, { "trust": 1.8, "url": "https://github.com/openvswitch/ovs/commit/9926637a80d0d243dbf9c49761046895e9d1a8e2" }, { "trust": 1.1, "url": "https://security.gentoo.org/glsa/202311-16" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021041363" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2023.2040" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.3032" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.3466" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021072017" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/open-vswitch-reuse-after-free-via-decode-nxast-raw-encap-36347" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/164080/ubuntu-security-notice-usn-5065-1.html" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.4446" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/164563/red-hat-security-advisory-2021-3942-01.html" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/164542/red-hat-security-advisory-2021-3758-01.html" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021102117" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.3490" }, { "trust": 0.3, "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.3, "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "trust": 0.3, "url": "https://access.redhat.com/security/cve/cve-2021-36980" }, { "trust": 0.3, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.3, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.2, "url": "https://access.redhat.com/security/team/key/" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33196" }, { "trust": 0.2, "url": "https://access.redhat.com/errata/rhsa-2021:3758" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-34428" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-33196" }, { "trust": 0.2, "url": "https://docs.openshift.com/container-platform/4.9/updating/updating-cluster" }, { "trust": 0.2, "url": "https://access.redhat.com/errata/rhsa-2021:3759" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-28169" }, { "trust": 0.2, "url": "https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-rel" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-34428" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-28169" }, { "trust": 0.1, "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991308" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://access.redhat.com/articles/2974891" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2021:3942" }, { "trust": 0.1, "url": "https://ubuntu.com/security/notices/usn-5065-1" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/openvswitch/2.15.0-0ubuntu3.1" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/openvswitch/2.13.3-0ubuntu0.20.04.2" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-26539" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33195" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-32690" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3121" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-28092" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33197" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-33195" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3121" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33198" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-33194" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-33198" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-31525" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-34558" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-29059" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-32690" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33194" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-33197" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-29059" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-28092" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-31525" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-26539" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-26540" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-34558" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-26540" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3905" }, { "trust": 0.1, "url": "https://creativecommons.org/licenses/by-sa/2.5" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-35498" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-4337" }, { "trust": 0.1, "url": "https://bugs.gentoo.org." }, { "trust": 0.1, "url": "https://security.gentoo.org/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-4338" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-1668" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-27827" } ], "sources": [ { "db": "VULHUB", "id": "VHN-398812" }, { "db": "VULMON", "id": "CVE-2021-36980" }, { "db": "JVNDB", "id": "JVNDB-2021-009864" }, { "db": "PACKETSTORM", "id": "164563" }, { "db": "PACKETSTORM", "id": "164080" }, { "db": "PACKETSTORM", "id": "164543" }, { "db": "PACKETSTORM", "id": "164542" }, { "db": "PACKETSTORM", "id": "175917" }, { "db": "NVD", "id": "CVE-2021-36980" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "CNNVD", "id": "CNNVD-202107-1384" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULHUB", "id": "VHN-398812" }, { "db": "VULMON", "id": "CVE-2021-36980" }, { "db": "JVNDB", "id": "JVNDB-2021-009864" }, { "db": "PACKETSTORM", "id": "164563" }, { "db": "PACKETSTORM", "id": "164080" }, { "db": "PACKETSTORM", "id": "164543" }, { "db": "PACKETSTORM", "id": "164542" }, { "db": "PACKETSTORM", "id": "175917" }, { "db": "NVD", "id": "CVE-2021-36980" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "CNNVD", "id": "CNNVD-202107-1384" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-07-20T00:00:00", "db": "VULHUB", "id": "VHN-398812" }, { "date": "2021-07-20T00:00:00", "db": "VULMON", "id": "CVE-2021-36980" }, { "date": "2022-06-02T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-009864" }, { "date": "2021-10-20T15:45:55", "db": "PACKETSTORM", "id": "164563" }, { "date": "2021-09-08T14:27:14", "db": "PACKETSTORM", "id": "164080" }, { "date": "2021-10-19T15:15:35", "db": "PACKETSTORM", "id": "164543" }, { "date": "2021-10-19T15:15:15", "db": "PACKETSTORM", "id": "164542" }, { "date": "2023-11-27T15:42:18", "db": "PACKETSTORM", "id": "175917" }, { "date": "2021-07-20T07:15:08.113000", "db": "NVD", "id": "CVE-2021-36980" }, { "date": "2021-04-13T00:00:00", "db": "CNNVD", "id": "CNNVD-202104-975" }, { "date": "2021-07-20T00:00:00", "db": "CNNVD", "id": "CNNVD-202107-1384" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-07-28T00:00:00", "db": "VULHUB", "id": "VHN-398812" }, { "date": "2021-07-20T00:00:00", "db": "VULMON", "id": "CVE-2021-36980" }, { "date": "2022-06-02T07:30:00", "db": "JVNDB", "id": "JVNDB-2021-009864" }, { "date": "2023-11-26T11:15:08.053000", "db": "NVD", "id": "CVE-2021-36980" }, { "date": "2021-04-14T00:00:00", "db": "CNNVD", "id": "CNNVD-202104-975" }, { "date": "2023-04-11T00:00:00", "db": "CNNVD", "id": "CNNVD-202107-1384" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "local", "sources": [ { "db": "CNNVD", "id": "CNNVD-202107-1384" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Open\u00a0vSwitch\u00a0 Vulnerabilities in the use of freed memory", "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-009864" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202104-975" } ], "trust": 0.6 } }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.