From d6b3ac6a8017390029ae96c54f064e89d19d3b05 Mon Sep 17 00:00:00 2001 From: Eric Le Lay Date: Fri, 5 Dec 2025 17:37:23 +0100 Subject: [PATCH 1/2] Dependencies updated or ignored for CVE vulnerabilities - bump cadvisor to 0.56.2 - Ignore CVE-2024-24790 in prometheus mtail exporter control plane is trusted - Bump grafana to 12.3.3 to fix CVE-2025-68121 grafana server 12.3.3 is fixed but the opensearch-datasource plugin is still affected. - Bump etcd to 3.5.27 to fix CVE-2025-68121 - Ignore CVE-2025-68121 for prometheus images - server-side: exporters and server are not listening with tls - as client: only querying known services - Ignore CVE-2025-68121 for influxdb No new version is available and it runs on a secure network - Ignore CVE-2025-68121 for letsencrypt-lego it only talks to known servers - Ignore CVE-2025-68121 for neutron it is the docker client that triggers it and we don't speak to remote docker over tls - Ignore CVE-2026-27699 for opensearch-dashboard basic-ftp@5.0.5 is present in opensearch-dashboards 2.19.4 --- etc/kayobe/kolla/kolla-build.conf | 8 ++-- etc/kayobe/pulp-repo-versions.yml | 2 +- etc/kayobe/trivy/allowed-vulnerabilities.yml | 47 ++++++++++++++++++++ 3 files changed, 52 insertions(+), 5 deletions(-) diff --git a/etc/kayobe/kolla/kolla-build.conf b/etc/kayobe/kolla/kolla-build.conf index 745764570..307c22f7a 100644 --- a/etc/kayobe/kolla/kolla-build.conf +++ b/etc/kayobe/kolla/kolla-build.conf @@ -19,8 +19,8 @@ location = https://github.com/stackhpc/requirements reference = stackhpc/{{ openstack_release }} [etcd] -version = 3.5.21 -sha256 = amd64:adddda4b06718e68671ffabff2f8cee48488ba61ad82900e639d108f2148501c,arm64:95bf6918623a097c0385b96f139d90248614485e781ec9bee4768dbb6c79c53f +version = 3.5.27 +sha256 = amd64:0aad9a9e4e0817a021e933f9806a2b2960a62f949ad5a3d6436d8886945cb1bc,arm64:1277309f540c5a0329c428f95455c9f76d24f768c8d28fd2753e891c379053fa [letsencrypt-lego] version = v4.23.1 
@@ -32,5 +32,5 @@ sha256 = amd64:c5deada86fe609deefdf40e9cbbe3da2f8cf3f6a4551a0ebe7886dc8fcf98bce,
 
 # TODO: move to kolla_sources in kolla.yml once https://review.opendev.org/c/openstack/kayobe/+/970268 is available
 [prometheus-cadvisor]
-version = 0.54.1
-sha256 = amd64:21be8d2797433048474e676d37c215c28fb171509448ef9b1c4648a564e39595,arm64:21f7bac786f6c53a8091964b4d3ff2486a0c460e5a410000b59a9a565b4183a9
+version = 0.56.2
+sha256 = amd64:ad92930f16a2f9da15190675e09eeaceb8fd38637d07a686bb0dd68695f692af,arm64:b7a707379496fd7a7b5d2768c5c494427112f534ba5069f889af28ffe6ad11bb
diff --git a/etc/kayobe/pulp-repo-versions.yml b/etc/kayobe/pulp-repo-versions.yml
index d42482b1e..d5b67b09f 100755
--- a/etc/kayobe/pulp-repo-versions.yml
+++ b/etc/kayobe/pulp-repo-versions.yml
@@ -25,7 +25,7 @@ stackhpc_pulp_repo_elrepo_9_aarch64_version: 20250408T030629
 stackhpc_pulp_repo_elrepo_9_version: 20260127T212055
 stackhpc_pulp_repo_epel_9_aarch64_version: 20260204T223146
 stackhpc_pulp_repo_epel_9_version: 20260204T220346
-stackhpc_pulp_repo_grafana_version: 20260204T212232
+stackhpc_pulp_repo_grafana_version: 20260214T213531
 stackhpc_pulp_repo_opensearch_2_x_version: 20251106T202313
 stackhpc_pulp_repo_opensearch_dashboards_2_x_version: 20251106T202313
 stackhpc_pulp_repo_rhel9_rabbitmq_erlang_26_aarch64_version: 20260112T224827
diff --git a/etc/kayobe/trivy/allowed-vulnerabilities.yml b/etc/kayobe/trivy/allowed-vulnerabilities.yml
index b85bff573..1e17880e3 100644
--- a/etc/kayobe/trivy/allowed-vulnerabilities.yml
+++ b/etc/kayobe/trivy/allowed-vulnerabilities.yml
@@ -16,33 +16,80 @@ fluentd_allowed_vulnerabilities: - CVE-2024-27280 grafana_allowed_vulnerabilities: - CVE-2024-8986 + - CVE-2025-68121 # the opensearch datasource plugin is still vulnerable influxdb_allowed_vulnerabilities: - CVE-2024-45337 + - CVE-2025-68121 +ironic_neutron_agent_allowed_vulnerabilities: + - CVE-2025-68121 +letsencrypt_lego_allowed_vulnerabilities: + - CVE-2025-68121 magnum_conductor_allowed_vulnerabilities: - CVE-2024-45337 + - CVE-2025-68121 +neutron_base_allowed_vulnerabilities: + - CVE-2025-68121 +neutron_bgp_dragent_allowed_vulnerabilities: + - CVE-2025-68121 +neutron_dhcp_agent_allowed_vulnerabilities: + - CVE-2025-68121 +neutron_l3_agent_allowed_vulnerabilities: + - CVE-2025-68121 +neutron_linuxbridge_agent_allowed_vulnerabilities: + - CVE-2025-68121 +neutron_metadata_agent_allowed_vulnerabilities: + - CVE-2025-68121 +neutron_mlnx_agent_allowed_vulnerabilities: + - CVE-2025-68121 +neutron_openvswitch_agent_allowed_vulnerabilities: + - CVE-2025-68121 +neutron_ovn_agent_allowed_vulnerabilities: + - CVE-2025-68121 +neutron_server_allowed_vulnerabilities: + - CVE-2025-68121 +neutron_sriov_agent_allowed_vulnerabilities: + - CVE-2025-68121 opensearch_dashboards_allowed_vulnerabilities: - CVE-2025-68428 + - CVE-2026-27699 +prometheus_alertmanager_allowed_vulnerabilities: + - CVE-2025-68121 prometheus_blackbox_exporter_allowed_vulnerabilities: - CVE-2024-24790 - CVE-2024-45337 + - CVE-2025-68121 prometheus_memcached_exporter_allowed_vulnerabilities: - CVE-2024-45337 + - CVE-2025-68121 prometheus_mysqld_exporter_allowed_vulnerabilities: - CVE-2024-45337 + - CVE-2025-68121 prometheus_elasticsearch_exporter_allowed_vulnerabilities: - CVE-2024-45337 + - CVE-2025-68121 prometheus_node_exporter_allowed_vulnerabilities: - CVE-2024-45337 + - CVE-2025-68121 prometheus_openstack_exporter_allowed_vulnerabilities: - CVE-2024-24790 - CVE-2024-45337 + - CVE-2025-68121 prometheus_ovn_exporter_allowed_vulnerabilities: - CVE-2024-24790 + - CVE-2025-68121 
prometheus_libvirt_exporter_allowed_vulnerabilities: - CVE-2024-45337 + - CVE-2025-68121 prometheus_cadvisor_allowed_vulnerabilities: - CVE-2024-41110 - CVE-2024-45337 + - CVE-2025-68121 +prometheus_mtail_allowed_vulnerabilities: + - CVE-2024-24790 + - CVE-2025-68121 +prometheus_server_allowed_vulnerabilities: + - CVE-2024-45337 + - CVE-2025-68121 ############################################################################### # Dummy variable to allow Ansible to accept this file. From dcce4494e7ab6e6c505ecc65ef9b23449d7807a8 Mon Sep 17 00:00:00 2001 From: Eric Le Lay Date: Tue, 3 Mar 2026 13:47:20 +0100 Subject: [PATCH 2/2] Rebuilt etcd, grafana, prometheus-cadvisor --- etc/kayobe/kolla-image-tags.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml index 1ff9f2c36..e63424c05 100644 --- a/etc/kayobe/kolla-image-tags.yml +++ b/etc/kayobe/kolla-image-tags.yml @@ -6,8 +6,10 @@ kolla_image_tags: openstack: rocky-9: 2025.1-rocky-9-20260205T152450 ubuntu-noble: 2025.1-ubuntu-noble-20260205T152450 + etcd: + rocky-9: 2025.1-rocky-9-20260303T104901 grafana: - rocky-9: 2025.1-rocky-9-20260223T134735 + rocky-9: 2025.1-rocky-9-20260303T104901 ubuntu-noble: 2025.1-ubuntu-noble-20260223T134735 nova: rocky-9: 2025.1-rocky-9-20260226T161930 @@ -15,3 +17,5 @@ kolla_image_tags: octavia: rocky-9: 2025.1-rocky-9-20260226T091552 ubuntu-noble: 2025.1-ubuntu-noble-20260226T091552 + prometheus_cadvisor: + rocky-9: 2025.1-rocky-9-20260303T104901
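Review bot: The conditions that make these waivers acceptable — no TLS listener on the Prometheus exporters and server, outbound-only connections to known endpoints for letsencrypt-lego and for the docker client used by the neutron images, and no fixed InfluxDB release being available — are stated only in the commit message; in the file every new `CVE-2025-68121` entry except grafana's is bare, so someone re-reading allowed-vulnerabilities.yml later cannot tell whether the assumption behind each waiver still holds. Record the condition beside each entry as the grafana line already does, for example `  - CVE-2025-68121 # no TLS listener; revisit if exporter/server TLS is enabled` under the prometheus_* keys, `  - CVE-2025-68121 # reached only via the docker client; no remote docker over TLS` under the neutron_* keys, and `  - CVE-2024-24790 # control plane is trusted` under the new prometheus_mtail key. Waivers that rest on a deployment setting such as TLS being off are the ones most likely to go stale silently when that setting changes, which is why the reason belongs next to the entry rather than in git history. The hunk's leading context begins at `fluentd_allowed_vulnerabilities:` and the file continues past the trailing `# Dummy variable` comment.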
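Review bot: Only the rocky-9 tag of grafana is moved to the 20260303T104901 rebuild; `ubuntu-noble: 2025.1-ubuntu-noble-20260223T134735` stays on the previous build, and the new etcd and prometheus_cadvisor entries carry a rocky-9 tag only. The openstack group in the same hunk does carry an ubuntu-noble tag, so this deployment presumably builds Ubuntu images too, in which case the etcd, grafana and cadvisor versions from PATCH 1 would reach only Rocky hosts while the matching CVE-2025-68121 waivers apply to both. Either rebuild and tag the ubuntu-noble variants as well, or add a comment under `grafana:` and the two new keys stating that the Ubuntu images are intentionally not rebuilt, so the gap is visible rather than implied. The `kolla_image_tags` mapping starts before the first hunk; whether anything follows the second hunk cannot be told from here.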