[RHSA-2015:2666-01] Important: Red Hat OpenShift Enterprise 2.2.8 security, bug fix, and enhancement update


=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat OpenShift Enterprise 2.2.8 security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2666-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2666.html
Issue date: 2015-12-17
CVE Names: CVE-2015-3281
=====================================================================


1. Summary:

Red Hat OpenShift Enterprise release 2.2.8, which fixes one security
issue and several bugs, and introduces feature enhancements, is now
available.

Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.


2. Relevant releases/architectures:

RHOSE Client 2.2 - noarch
RHOSE Infrastructure 2.2 - noarch
RHOSE JBoss EAP add-on 2.2 - noarch
RHOSE Node 2.2 - noarch, x86_64


3. Description:

OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or
private cloud deployments.

The following security issue is addressed with this release:

An implementation error related to the memory management of requests
and responses was found within HAProxy's buffer_slow_realign()
function. An unauthenticated remote attacker could use this flaw
to leak certain memory buffer contents from a past request or
session. (CVE-2015-3281)

Space precludes documenting all of the bug fixes in this advisory. See
the OpenShift Enterprise Technical Notes, which will be updated
shortly for release 2.2.8, for details about these changes:

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Technical_Notes/index.html

All OpenShift Enterprise 2 users are advised to upgrade to these updated
packages.


4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

See the OpenShift Enterprise 2.2 Release Notes, which will be updated
shortly for release 2.2.8, for important instructions on how to fully
apply this asynchronous errata update:

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/2.2_Release_Notes/index.html#chap-Asynchronous_Errata_Updates

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at:
https://access.redhat.com/articles/11258


5. Bugs fixed (https://bugzilla.redhat.com/):

1045226 - oo-auto-idler man page incorrect
1054441 - oo-accept-node should test that BROKER_HOST is consistent
1064039 - RFE oo-diagnostics should report when node auth is failing (401 Unauthorized)
1101973 - oo-diagnostics tool is checking a non-existing dir after update ose-2.0 GA to ose-2.0.z puddle + RHSCL-1.1
1110415 - `oo-admin-broker-cache --clear --console` does not warn that --console flag does nothing
1111501 - REPORT_BUILD_ANALYTICS should be set to false by default
1111598 - oo-admin-chk gives bad advice to users when gears do not exist on the node.
1139608 - rhc snapshot save different app with the same name in the same dir didn't prompt conflict information
1140766 - oo-admin-ctl-district doesn't suggest FQDN for -i in -h output
1155003 - Should prompt correct and important parameter information when use none or error parameter in "rhc server add" command
1177753 - Enable a configuration in rhc to use a different ssh executable
1211526 - HAProxy does not restart when pid is not found
1218872 - rhc setup fail during upload sshkey
1238305 - [RFE] gear-placement plugin domain_id as input data
1239072 - CVE-2015-3281 haproxy: information leak in buffer_slow_realign()
1241675 - [RFE] Check for missing openshift_application_aliases components f5-icontrol-rest.rb
1248439 - Routing SPI for Nginx doesn't preserve host in http request's headers
1255426 - API Call to disable HA does not remove 2nd haproxy head gear
1264722 - oo-register-dns shows errors with any option
1265609 - pandas not getting installed
1268080 - ChangeMembersDomainOp are not cleared by oo-admin-clear-pending-ops
1270660 - Haproxy health check should be in sync with rolling updates in EWS
1271338 - oo-restorecon -v -a does not add selinux MCS labels to files under hidden directory
1272195 - oo-admin-ctl-app -c remove-gear, ignores min scale setting
1277695 - hostname regex fails in update-cluster in some locales
1280438 - haproxy_ctld error on a close-to-quota gear
1282520 - Routing-daemon does not create the openshift_application_aliases policy
1282940 - Exception log output when using rhc app ssh "--ssh option" with exist directory


6. Package List:

RHOSE Client 2.2:

Source:
rhc-1.38.4.5-1.el6op.src.rpm

noarch:
rhc-1.38.4.5-1.el6op.noarch.rpm

RHOSE Infrastructure 2.2:

Source:
openshift-enterprise-upgrade-2.2.8-1.el6op.src.rpm
openshift-origin-broker-util-1.37.4.2-1.el6op.src.rpm
rubygem-openshift-origin-common-1.29.4.1-1.el6op.src.rpm
rubygem-openshift-origin-controller-1.38.4.2-1.el6op.src.rpm
rubygem-openshift-origin-routing-daemon-0.26.4.4-1.el6op.src.rpm

noarch:
openshift-enterprise-release-2.2.8-1.el6op.noarch.rpm
openshift-enterprise-upgrade-broker-2.2.8-1.el6op.noarch.rpm
openshift-enterprise-yum-validator-2.2.8-1.el6op.noarch.rpm
openshift-origin-broker-util-1.37.4.2-1.el6op.noarch.rpm
rubygem-openshift-origin-common-1.29.4.1-1.el6op.noarch.rpm
rubygem-openshift-origin-controller-1.38.4.2-1.el6op.noarch.rpm
rubygem-openshift-origin-routing-daemon-0.26.4.4-1.el6op.noarch.rpm

RHOSE JBoss EAP add-on 2.2:

Source:
openshift-origin-cartridge-jbosseap-2.27.3.1-1.el6op.src.rpm

noarch:
openshift-origin-cartridge-jbosseap-2.27.3.1-1.el6op.noarch.rpm

RHOSE Node 2.2:

Source:
haproxy15side-1.5.4-2.el6op.src.rpm
openshift-enterprise-upgrade-2.2.8-1.el6op.src.rpm
openshift-origin-cartridge-haproxy-1.31.4.1-1.el6op.src.rpm
openshift-origin-cartridge-jbossews-1.35.3.2-1.el6op.src.rpm
openshift-origin-cartridge-python-1.34.1.1-1.el6op.src.rpm
openshift-origin-node-util-1.38.5.1-1.el6op.src.rpm
rubygem-openshift-origin-common-1.29.4.1-1.el6op.src.rpm
rubygem-openshift-origin-node-1.38.4.1-1.el6op.src.rpm

noarch:
openshift-enterprise-release-2.2.8-1.el6op.noarch.rpm
openshift-enterprise-upgrade-node-2.2.8-1.el6op.noarch.rpm
openshift-enterprise-yum-validator-2.2.8-1.el6op.noarch.rpm
openshift-origin-cartridge-haproxy-1.31.4.1-1.el6op.noarch.rpm
openshift-origin-cartridge-jbossews-1.35.3.2-1.el6op.noarch.rpm
openshift-origin-cartridge-python-1.34.1.1-1.el6op.noarch.rpm
openshift-origin-node-util-1.38.5.1-1.el6op.noarch.rpm
rubygem-openshift-origin-common-1.29.4.1-1.el6op.noarch.rpm
rubygem-openshift-origin-node-1.38.4.1-1.el6op.noarch.rpm

x86_64:
haproxy15side-1.5.4-2.el6op.x86_64.rpm
haproxy15side-debuginfo-1.5.4-2.el6op.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
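Confirming that a node actually carries the builds listed above (the check the Solution section leaves to the reader) is easiest done by comparing an `rpm -qa` listing against the advisory's package list; the following Python is an added example, not Red Hat tooling or code from the advisory. It parses NVRA filenames and orders them with a simplified rpmvercmp; the package subset, the sample `rpm -qa` listing and all function names are constructed for this example.

```python
import re

# Constructed subset of the advisory's RHOSE Node 2.2 package list (HAProxy fix).
FIXED_PACKAGES = [
    "haproxy15side-1.5.4-2.el6op.x86_64.rpm",
    "openshift-origin-cartridge-haproxy-1.31.4.1-1.el6op.noarch.rpm",
    "rubygem-openshift-origin-node-1.38.4.1-1.el6op.noarch.rpm",
]

def parse_nvra(filename):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    base = filename[:-4] if filename.endswith(".rpm") else filename
    base, arch = base.rsplit(".", 1)
    name, version, release = base.rsplit("-", 2)
    return name, version, release, arch

def rpmvercmp(a, b):
    """Simplified rpmvercmp (-1/0/1): numeric segments compare as integers, alphabetic
    ones lexically, numeric beats alphabetic; '~' and '^' are not handled (none here)."""
    sa, sb = re.findall(r"\d+|[a-zA-Z]+", a), re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def compare_vr(a, b):
    """Order (version, release) pairs as rpm does; every package here has epoch 0."""
    return rpmvercmp(a[0], b[0]) or rpmvercmp(a[1], b[1])

def missing_fixes(installed, fixed=FIXED_PACKAGES):
    """Names of installed packages still older than the advisory's build. `installed`
    holds lines of: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}.rpm\\n'
    Packages the advisory does not ship are ignored."""
    wanted = {n: (v, r) for n, v, r, _ in map(parse_nvra, fixed)}
    return [n for n, v, r, _ in map(parse_nvra, installed)
            if n in wanted and compare_vr((v, r), wanted[n]) < 0]

# Constructed `rpm -qa` output from a node that has only been partly updated.
SAMPLE_INSTALLED = [
    "haproxy15side-1.5.4-1.el6op.x86_64.rpm",                          # older release
    "openshift-origin-cartridge-haproxy-1.31.4.1-1.el6op.noarch.rpm",  # up to date
    "rubygem-openshift-origin-node-1.38.3.2-1.el6op.noarch.rpm",       # older version
    "openssl-1.0.1e-42.el6.x86_64.rpm",                                # not in advisory
]
```

Running `missing_fixes(SAMPLE_INSTALLED)` on the constructed listing reports `haproxy15side` and `rubygem-openshift-origin-node` as still behind the advisory; in production, feed it the real `rpm -qa` output and the full noarch/x86_64 list for the node's channel.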

 

7. References:

https://access.redhat.com/security/cve/CVE-2015-3281
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

