rackerlabs · cloudnull · Jun 11, 2025 · Jun 11, 2025
diff --git a/.github/workflows/container-build-octavia.yaml b/.github/workflows/container-build-octavia.yaml
@@ -58,20 +58,24 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       openstack-constraints: ${{ steps.generate-matrix.outputs.openstack_constraints }}
+      ovnPluginTag: ${{ steps.generate-matrix.outputs.ovnPluginTag }}
     steps:
       - name: generate-matrix
         id: generate-matrix
         run: |
           if [ "${{ github.event_name == 'workflow_dispatch' }}" = "true" ]; then
             openstack_constraints="$(echo '${{ github.event.inputs.openstack-constraints }}' | jq -R '[select(length>0)]' | jq -c '.')"
+            ovnPluginTag="$(echo '${{ github.event.inputs.ovnPluginTag }}' | jq -R '[select(length>0)]' | jq -c '.')"
           fi
           echo "openstack_constraints=${openstack_constraints:-${{ env.openstack_constraints }}}" >> $GITHUB_OUTPUT
+          echo "ovnPluginTag=${ovnPluginTag:-${{ env.ovnPluginTag }}}" >> $GITHUB_OUTPUT
   build-and-push-image:
     needs:
       - init
     strategy:
       matrix:
         openstack-constraints: ${{ fromJSON(needs.init.outputs.openstack-constraints)}}
+        ovnPluginTag: ${{ fromJSON(needs.init.outputs.ovnPluginTag)}}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -114,7 +118,7 @@ jobs:
           build-args: |
             OS_VERSION=${{ env.project_version != '' && env.project_version || matrix.openstack-constraints }}
             OS_CONSTRAINTS=${{ matrix.openstack-constraints }}
-            OVN_PLUGIN_VERSION=${{ github.event.inputs.ovnPluginTag }}
+            OVN_PLUGIN_VERSION=${{ matrix.ovnPluginTag }}
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@0.28.0
         with:
@@ -158,4 +162,4 @@ jobs:
           build-args: |
             OS_VERSION=${{ env.project_version != '' && env.project_version || matrix.openstack-constraints }}
             OS_CONSTRAINTS=${{ matrix.openstack-constraints }}
-            OVN_PLUGIN_VERSION=${{ github.event.inputs.ovnPluginTag }}
+            OVN_PLUGIN_VERSION=${{ matrix.ovnPluginTag }}
diff --git a/scripts/glance-cve-patching.sh b/scripts/glance-cve-patching.sh
@@ -1,7 +1,9 @@
 #!/usr/bin/env bash
 
 if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
-    echo "No CVE patches in stable/2025.1"
+    # CVE fixes CVE-2025-27516
+    /var/lib/openstack/bin/pip install --upgrade \
+                                       "Jinja2==3.1.6"
 elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
     # CVE fixes CVE-2024-34064,CVE-2024-56201,CVE-2024-56326,CVE-2025-27516,CVE-2024-36039,CVE-2024-42353,GHSA-h4gh-qq45-vh27,
     #           CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-4340,CVE-2024-37891,CVE-2024-5569,CVE-2024-12797

diff --git a/scripts/heat-cve-patching.sh b/scripts/heat-cve-patching.sh
@@ -1,7 +1,9 @@
 #!/usr/bin/env bash
 
 if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
-    echo "No CVE patches in stable/2025.1"
+    # CVE fixes CVE-2025-27516
+    /var/lib/openstack/bin/pip install --upgrade \
+                                       "Jinja2==3.1.6"
 elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
     # CVE fixes CVE-2024-34064,CVE-2024-56201,CVE-2024-56326,CVE-2025-27516,CVE-2024-36039,CVE-2024-42353,GHSA-h4gh-qq45-vh27,
     #           CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-37891,CVE-2024-12797

diff --git a/scripts/keystone-cve-patching.sh b/scripts/keystone-cve-patching.sh
@@ -1,7 +1,9 @@
 #!/usr/bin/env bash
 
 if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
-    echo "No CVE patches in stable/2025.1"
+    # CVE fixes CVE-2025-27516
+    /var/lib/openstack/bin/pip install --upgrade \
+                                       "Jinja2==3.1.6"
 elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
     # CVE fixes CVE-2024-34064,CVE-2024-56201,CVE-2024-56326,CVE-2025-27516,CVE-2024-36039,CVE-2024-42353,CVE-2024-34069,
     #           CVE-2024-49766,CVE-2024-49767,GHSA-h4gh-qq45-vh27,CVE-2023-29483,CVE-2024-3651,CVE-2024-35195,CVE-2024-37891,
@@ -16,6 +18,6 @@ elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
                                        "dnspython>=2.6.1,<2.7" \
                                        "eventlet>=0.35.2,<0.36" \
                                        "idna>=3.7,<3.8" \
-                                       "requests>=2.32.0,<2.33" \
+                                       "requests==2.32.4" \
                                        "urllib3==1.26.19"
 fi
diff --git a/scripts/octavia-cve-patching.sh b/scripts/octavia-cve-patching.sh
@@ -1,7 +1,9 @@
 #!/usr/bin/env bash
 
 if [ ${OS_VERSION:-master} = "stable/2025.1" ]; then
-    echo "No CVE patches in stable/2025.1"
+    # CVE fixes CVE-2025-27516
+    /var/lib/openstack/bin/pip install --upgrade \
+                                       "Jinja2==3.1.6"
 elif [ ${OS_VERSION:-master} = "stable/2024.1" ]; then
     # CVE fixes CVE-2024-36039,CVE-2024-6827,CVE-2024-1135,CVE-2024-49767,CVE-2024-34069,CVE-2024-56326,CVE-2024-56326,CVE-2024-56201
     #           CVE-2024-35195,CVE-2024-37891,CVE-2024-3651,CVE-2023-29483,CVE-2024-49766,CVE-2024-42353,CVE-2025-27516,CVE-2024-34064