Merge pull request #1701 from stackhpc/epoxy-cve-fix2

seunghun1ee · web-flow · commit 09f7a38c2ccd · 2025-06-13T14:06:58.000+01:00
Fix Critical CVEs on Epoxy Kolla container images
diff --git a/etc/kayobe/kolla-image-tags.yml b/etc/kayobe/kolla-image-tags.yml
@@ -5,7 +5,5 @@
 # TODO: Rebuild epoxy images
 kolla_image_tags:
   openstack:
-    rocky-9: 2025.1-rocky-9-20250603T110500
-    ubuntu-noble: 2025.1-ubuntu-noble-20250606T113506
-  neutron_l3_agent:
-    rocky-9: 2025.1-rocky-9-20250606T090153
+    rocky-9: 2025.1-rocky-9-20250611T085217
+    ubuntu-noble: 2025.1-ubuntu-noble-20250611T085217
diff --git a/etc/kayobe/kolla/kolla-build.conf b/etc/kayobe/kolla/kolla-build.conf
@@ -14,3 +14,15 @@ build_args = {{ (kolla_build_args | default({})).items() | map('join', ':') | jo
 type = git
 location = https://github.com/stackhpc/requirements
 reference = stackhpc/{{ openstack_release }}
+
+[etcd]
+version = 3.5.21
+sha256 = amd64:adddda4b06718e68671ffabff2f8cee48488ba61ad82900e639d108f2148501c,arm64:95bf6918623a097c0385b96f139d90248614485e781ec9bee4768dbb6c79c53f
+
+[letsencrypt-lego]
+version = v4.23.1
+sha256 = amd64:1fd60b1fd59c239bed22719a5de402cb745d1f933540cb1ec196e2c03e6e8882,arm64:1114745108343286d4bff189b4bdee3cba9d07ebcacc673860d91ab951d31e0d
+
+[magnum-conductor-plugin-helm]
+version = v3.18.2
+sha256 = amd64:c5deada86fe609deefdf40e9cbbe3da2f8cf3f6a4551a0ebe7886dc8fcf98bce,arm64:03181a494a0916b370a100a5b2536104963b095be53fb23d1e29b2afb1c7de8d
diff --git a/etc/kayobe/pulp-repo-versions.yml b/etc/kayobe/pulp-repo-versions.yml
@@ -1,20 +1,24 @@
 ---
 # This file is autogenerated by Ansible using the following workflow:
 # https://github.com/stackhpc/stackhpc-release-train/actions/workflows/package-update-kayobe.yml
-stackhpc_pulp_repo_centos_stream_9_docker_version: 20250123T000657
-stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20250205T015600
+stackhpc_pulp_repo_centos_stream_9_docker_version: 20250531T002004
+stackhpc_pulp_repo_centos_stream_9_nfv_openvswitch_version: 20250528T022338
 stackhpc_pulp_repo_centos_stream_9_opstools_version: 20231213T031318
-stackhpc_pulp_repo_centos_stream_9_storage_ceph_squid_version: 20250203T100829
-stackhpc_pulp_repo_docker_ce_ubuntu_noble_version: 20250131T133101
-stackhpc_pulp_repo_elrepo_9_version: 20250203T000038
-stackhpc_pulp_repo_epel_9_version: 20250204T071808
-stackhpc_pulp_repo_grafana_version: 20250204T090817
-stackhpc_pulp_repo_opensearch_2_x_version: 20241106T010702
-stackhpc_pulp_repo_opensearch_dashboards_2_x_version: 20241106T010702
-stackhpc_pulp_repo_rhel9_rabbitmq_erlang_version: 20250128T001826
-stackhpc_pulp_repo_rhel9_rabbitmq_server_version: 20241217T002152
-stackhpc_pulp_repo_rhel_9_influxdb_version: 20250125T002237
-stackhpc_pulp_repo_rhel_9_mariadb_10_11_version: 20250205T001351
+stackhpc_pulp_repo_centos_stream_9_storage_ceph_squid_version: 20250412T024303
+stackhpc_pulp_repo_docker_ce_ubuntu_noble_version: 20250604T001951
+stackhpc_pulp_repo_elrepo_9_version: 20250608T000535
+stackhpc_pulp_repo_epel_9_version: 20250609T000109
+stackhpc_pulp_repo_grafana_version: 20250609T005704
+stackhpc_pulp_repo_opensearch_2_x_version: 20250430T014638
+stackhpc_pulp_repo_opensearch_dashboards_2_x_version: 20250430T014638
+stackhpc_pulp_repo_rhel9_rabbitmq_erlang_version: 20250607T003941
+stackhpc_pulp_repo_rhel9_rabbitmq_server_version: 20250607T003941
+stackhpc_pulp_repo_rhel_9_4_doca_modules_version: 20241213T112245
+stackhpc_pulp_repo_rhel_9_4_doca_version: 20241211T153620
+stackhpc_pulp_repo_rhel_9_5_doca_modules_version: 20250115T150314
+stackhpc_pulp_repo_rhel_9_5_doca_version: 20241211T171301
+stackhpc_pulp_repo_rhel_9_influxdb_version: 20250529T023704
+stackhpc_pulp_repo_rhel_9_mariadb_10_11_version: 20250523T014203
 stackhpc_pulp_repo_rhel_9_rabbitmq_erlang_version: 20240711T091318
 stackhpc_pulp_repo_rhel_9_rabbitmq_server_version: 20240711T091318
 stackhpc_pulp_repo_rhel_9_treasuredata_5_version: 20241115T002028
@@ -43,11 +47,7 @@ stackhpc_pulp_repo_rocky_9_5_baseos_version: 20250201T125442
 stackhpc_pulp_repo_rocky_9_5_crb_version: 20250204T095037
 stackhpc_pulp_repo_rocky_9_5_extras_version: 20250122T025402
 stackhpc_pulp_repo_rocky_9_5_highavailability_version: 20250204T095037
-stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20250128T024400
-stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20250205T050034
-stackhpc_pulp_repo_ubuntu_noble_security_version: 20250205T090140
-stackhpc_pulp_repo_ubuntu_noble_version: 20250205T090140
-stackhpc_pulp_repo_rhel_9_4_doca_version: 20241211T153620
-stackhpc_pulp_repo_rhel_9_4_doca_modules_version: 20241213T112245
-stackhpc_pulp_repo_rhel_9_5_doca_version: 20241211T171301
-stackhpc_pulp_repo_rhel_9_5_doca_modules_version: 20250115T150314
+stackhpc_pulp_repo_rocky_9_sig_security_common_version: 20250222T040303
+stackhpc_pulp_repo_ubuntu_cloud_archive_version: 20250609T053359
+stackhpc_pulp_repo_ubuntu_noble_security_version: 20250609T094526
+stackhpc_pulp_repo_ubuntu_noble_version: 20250609T094526
diff --git a/etc/kayobe/trivy/allowed-vulnerabilities.yml b/etc/kayobe/trivy/allowed-vulnerabilities.yml
@@ -35,6 +35,8 @@ prometheus_libvirt_exporter_allowed_vulnerabilities:
 prometheus_cadvisor_allowed_vulnerabilities:
   - CVE-2024-41110
   - CVE-2024-45337
+influxdb_allowed_vulnerabilities:
+  - CVE-2024-45337
 
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
