Jump to content
Compatible Support Forums
Sign in to follow this  
news

[RHSA-2016:1773-01] Important: Red Hat OpenShift Enterprise 2.2.10 security, bug fix, and enhancement update

Recommended Posts

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Important: Red Hat OpenShift Enterprise 2.2.10 security, bug fix, and enhancement update

Advisory ID: RHSA-2016:1773-01

Product: Red Hat OpenShift Enterprise

Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1773.html

Issue date: 2016-08-24

CVE Names: CVE-2014-3577 CVE-2015-7501 CVE-2016-0788

CVE-2016-0789 CVE-2016-0790 CVE-2016-0791

CVE-2016-0792 CVE-2016-3721 CVE-2016-3722

CVE-2016-3723 CVE-2016-3724 CVE-2016-3725

CVE-2016-3726 CVE-2016-3727

=====================================================================

 

1. Summary:

 

An update is now available for Red Hat OpenShift Enterprise 2.2.

 

Red Hat Product Security has rated this update as having a security impact

of Important. A Common Vulnerability Scoring System (CVSS) base score,

which gives a detailed severity rating, is available for each vulnerability

from the CVE link(s) in the References section.

 

2. Relevant releases/architectures:

 

Red Hat OpenShift Enterprise Client 2.2 - noarch

Red Hat OpenShift Enterprise Infrastructure 2.2 - noarch, x86_64

Red Hat OpenShift Enterprise JBoss EAP add-on 2.2 - noarch

Red Hat OpenShift Enterprise Node 2.2 - noarch, x86_64

 

3. Description:

 

OpenShift Enterprise by Red Hat is the company's cloud computing

Platform-as-a-Service (PaaS) solution designed for on-premise or

private cloud deployments.

 

* The Jenkins continuous integration server has been updated to upstream

version 1.651.2 LTS that addresses a large number of security issues,

including open redirects, a potential denial of service, unsafe handling of

user provided environment variables and several instances of sensitive

information disclosure. (CVE-2014-3577, CVE-2016-0788, CVE-2016-0789,

CVE-2016-0790, CVE-2016-0791, CVE-2016-0792, CVE-2016-3721, CVE-2016-3722,

CVE-2016-3723, CVE-2016-3724, CVE-2016-3725, CVE-2016-3726, CVE-2016-3727,

CVE-2015-7501)

 

Space precludes documenting all of the bug fixes and enhancements in this

advisory. See the OpenShift Enterprise Technical Notes, which will be

updated shortly for release 2.2.10, for details about these changes:

 

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-s

ingle/Technical_Notes/index.html

 

All OpenShift Enterprise 2 users are advised to upgrade to these updated

packages.

 

4. Solution:

 

Before applying this update, make sure all previously released errata

relevant to your system have been applied.

 

See the OpenShift Enterprise 2.2 Release Notes, which will be updated

shortly for release 2.2.10, for important instructions on how to fully

apply this asynchronous errata update:

 

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-s

ingle/2.2_Release_Notes/index.html#chap-Asynchronous_Errata_Updates

 

This update is available via the Red Hat Network. Details on how to use

the Red Hat Network to apply this update are available at

https://access.redhat.com/articles/11258.

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix

1196783 - OPENSHIFT_GEAR_MEMORY_MB is not updated when resource limits change

1217403 - [RFE] separate system-level logs of cron cartridge from gear-level logs

1266239 - [RFE] Make user variables maximum value configurable.

1274852 - Routing Daemon does not update LB when head gear is moved.

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

1282852 - Tomcat Does not properly parse spaces in JVM parameters/setttings

1311722 - Deleting a multi-version cartridge on the node fails silently

1311946 - CVE-2016-0788 jenkins: Remote code execution vulnerability in remoting module (SECURITY-232)

1311947 - CVE-2016-0789 jenkins: HTTP response splitting vulnerability (SECURITY-238)

1311948 - CVE-2016-0790 jenkins: Non-constant time comparison of API token (SECURITY-241)

1311949 - CVE-2016-0791 jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245)

1311950 - CVE-2016-0792 jenkins: Remote code execution through remote API (SECURITY-247)

1335415 - CVE-2016-3721 jenkins: Arbitrary build parameters are passed to build scripts as environment variables (SECURITY-170)

1335416 - CVE-2016-3722 jenkins: Malicious users with multiple user accounts can prevent other users from logging in (SECURITY-243)

1335417 - CVE-2016-3723 jenkins: Information on installed plugins exposed via API (SECURITY-250)

1335418 - CVE-2016-3724 jenkins: Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration (SECURITY-266)

1335420 - CVE-2016-3725 jenkins: Regular users can trigger download of update site metadata (SECURITY-273)

1335421 - CVE-2016-3726 jenkins: Open redirect to scheme-relative URLs (SECURITY-276)

1335422 - CVE-2016-3727 jenkins: Granting the permission to read node configurations allows access to overall system configuration (SECURITY-281)

1358938 - libcgroup dependency error when installing node in ose-2.2

1361305 - gears exceeding quota cannot be stopped or idled

1361306 - Unable to obtain user-agent or client IP in websocket handshake on OpenShift hosted WildFly

1361307 - mysql cartridge removes logs on start

1362666 - oo-admin-move should move gears to nodes with enough free space + buffer space

 

6. Package List:

 

Red Hat OpenShift Enterprise Client 2.2:

 

Source:

rhc-1.38.7.1-1.el6op.src.rpm

 

noarch:

rhc-1.38.7.1-1.el6op.noarch.rpm

 

Red Hat OpenShift Enterprise Infrastructure 2.2:

 

Source:

activemq-5.9.0-6.redhat.611463.el6op.src.rpm

openshift-origin-broker-1.16.3.2-1.el6op.src.rpm

openshift-origin-broker-util-1.37.6.2-1.el6op.src.rpm

rubygem-openshift-origin-admin-console-1.28.2.1-1.el6op.src.rpm

rubygem-openshift-origin-controller-1.38.6.4-1.el6op.src.rpm

rubygem-openshift-origin-msg-broker-mcollective-1.36.2.4-1.el6op.src.rpm

rubygem-openshift-origin-routing-daemon-0.26.6.1-1.el6op.src.rpm

 

noarch:

openshift-origin-broker-1.16.3.2-1.el6op.noarch.rpm

openshift-origin-broker-util-1.37.6.2-1.el6op.noarch.rpm

rubygem-openshift-origin-admin-console-1.28.2.1-1.el6op.noarch.rpm

rubygem-openshift-origin-controller-1.38.6.4-1.el6op.noarch.rpm

rubygem-openshift-origin-msg-broker-mcollective-1.36.2.4-1.el6op.noarch.rpm

rubygem-openshift-origin-routing-daemon-0.26.6.1-1.el6op.noarch.rpm

 

x86_64:

activemq-5.9.0-6.redhat.611463.el6op.x86_64.rpm

activemq-client-5.9.0-6.redhat.611463.el6op.x86_64.rpm

 

Red Hat OpenShift Enterprise JBoss EAP add-on 2.2:

 

Source:

openshift-origin-cartridge-jbosseap-2.27.4.2-1.el6op.src.rpm

 

noarch:

openshift-origin-cartridge-jbosseap-2.27.4.2-1.el6op.noarch.rpm

 

Red Hat OpenShift Enterprise Node 2.2:

 

Source:

ImageMagick-6.7.2.7-5.el6_8.src.rpm

activemq-5.9.0-6.redhat.611463.el6op.src.rpm

jenkins-1.651.2-1.el6op.src.rpm

libcgroup-0.40.rc1-18.el6_8.src.rpm

openshift-origin-cartridge-cron-1.25.4.2-1.el6op.src.rpm

openshift-origin-cartridge-diy-1.26.2.2-1.el6op.src.rpm

openshift-origin-cartridge-haproxy-1.31.6.2-1.el6op.src.rpm

openshift-origin-cartridge-jbossews-1.35.5.2-1.el6op.src.rpm

openshift-origin-cartridge-jenkins-1.29.2.2-1.el6op.src.rpm

openshift-origin-cartridge-jenkins-client-1.26.1.1-1.el6op.src.rpm

openshift-origin-cartridge-mongodb-1.26.2.2-1.el6op.src.rpm

openshift-origin-cartridge-mysql-1.31.3.3-1.el6op.src.rpm

openshift-origin-cartridge-nodejs-1.33.1.2-1.el6op.src.rpm

openshift-origin-cartridge-perl-1.30.2.2-1.el6op.src.rpm

openshift-origin-cartridge-php-1.35.4.2-1.el6op.src.rpm

openshift-origin-cartridge-python-1.34.3.2-1.el6op.src.rpm

openshift-origin-cartridge-ruby-1.32.2.2-1.el6op.src.rpm

openshift-origin-msg-node-mcollective-1.30.2.2-1.el6op.src.rpm

openshift-origin-node-proxy-1.26.3.1-1.el6op.src.rpm

openshift-origin-node-util-1.38.7.1-1.el6op.src.rpm

rubygem-openshift-origin-frontend-haproxy-sni-proxy-0.5.2.1-1.el6op.src.rpm

rubygem-openshift-origin-node-1.38.6.4-1.el6op.src.rpm

 

noarch:

jenkins-1.651.2-1.el6op.noarch.rpm

openshift-origin-cartridge-cron-1.25.4.2-1.el6op.noarch.rpm

openshift-origin-cartridge-diy-1.26.2.2-1.el6op.noarch.rpm

openshift-origin-cartridge-haproxy-1.31.6.2-1.el6op.noarch.rpm

openshift-origin-cartridge-jbossews-1.35.5.2-1.el6op.noarch.rpm

openshift-origin-cartridge-jenkins-1.29.2.2-1.el6op.noarch.rpm

openshift-origin-cartridge-jenkins-client-1.26.1.1-1.el6op.noarch.rpm

openshift-origin-cartridge-mongodb-1.26.2.2-1.el6op.noarch.rpm

openshift-origin-cartridge-mysql-1.31.3.3-1.el6op.noarch.rpm

openshift-origin-cartridge-nodejs-1.33.1.2-1.el6op.noarch.rpm

openshift-origin-cartridge-perl-1.30.2.2-1.el6op.noarch.rpm

openshift-origin-cartridge-php-1.35.4.2-1.el6op.noarch.rpm

openshift-origin-cartridge-python-1.34.3.2-1.el6op.noarch.rpm

openshift-origin-cartridge-ruby-1.32.2.2-1.el6op.noarch.rpm

openshift-origin-msg-node-mcollective-1.30.2.2-1.el6op.noarch.rpm

openshift-origin-node-proxy-1.26.3.1-1.el6op.noarch.rpm

openshift-origin-node-util-1.38.7.1-1.el6op.noarch.rpm

rubygem-openshift-origin-frontend-haproxy-sni-proxy-0.5.2.1-1.el6op.noarch.rpm

rubygem-openshift-origin-node-1.38.6.4-1.el6op.noarch.rpm

 

x86_64:

ImageMagick-debuginfo-6.7.2.7-5.el6_8.x86_64.rpm

ImageMagick-devel-6.7.2.7-5.el6_8.x86_64.rpm

ImageMagick-doc-6.7.2.7-5.el6_8.x86_64.rpm

ImageMagick-perl-6.7.2.7-5.el6_8.x86_64.rpm

activemq-client-5.9.0-6.redhat.611463.el6op.x86_64.rpm

libcgroup-debuginfo-0.40.rc1-18.el6_8.x86_64.rpm

libcgroup-pam-0.40.rc1-18.el6_8.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2014-3577

https://access.redhat.com/security/cve/CVE-2015-7501

https://access.redhat.com/security/cve/CVE-2016-0788

https://access.redhat.com/security/cve/CVE-2016-0789

https://access.redhat.com/security/cve/CVE-2016-0790

https://access.redhat.com/security/cve/CVE-2016-0791

https://access.redhat.com/security/cve/CVE-2016-0792

https://access.redhat.com/security/cve/CVE-2016-3721

https://access.redhat.com/security/cve/CVE-2016-3722

https://access.redhat.com/security/cve/CVE-2016-3723

https://access.redhat.com/security/cve/CVE-2016-3724

https://access.redhat.com/security/cve/CVE-2016-3725

https://access.redhat.com/security/cve/CVE-2016-3726

https://access.redhat.com/security/cve/CVE-2016-3727

https://access.redhat.com/security/updates/classification/#important

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2016 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFXvfohXlSAg2UNWIIRAkfNAKCBtVY0xEgjCs6Artz4o1q2MTshjwCdG8ow

LTXLl4KmRK711Sc+V6NxT7c=

=mDbi

-----END PGP SIGNATURE-----

 

 

--

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×