[RHSA-2016:0489-01] Important: Red Hat OpenShift Enterprise 2.2.9 security, bug fix, and enhancement update

[news 28]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Important: Red Hat OpenShift Enterprise 2.2.9 security, bug fix, and enhancement update

Advisory ID: RHSA-2016:0489-01

Product: Red Hat OpenShift Enterprise

Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0489.html

Issue date: 2016-03-22

CVE Names: CVE-2015-5254 CVE-2015-5317 CVE-2015-5318

CVE-2015-5319 CVE-2015-5320 CVE-2015-5321

CVE-2015-5322 CVE-2015-5323 CVE-2015-5324

CVE-2015-5325 CVE-2015-5326 CVE-2015-7537

CVE-2015-7538 CVE-2015-7539 CVE-2015-8103

=====================================================================

 

1. Summary:

 

Red Hat OpenShift Enterprise release 2.2.9, which fixes several

security issues, several bugs, and introduces feature enhancements, is

now available.

 

Red Hat Product Security has rated this update as having Important

security impact. Common Vulnerability Scoring System (CVSS) base

scores, which give detailed severity ratings, are available for each

vulnerability from the CVE links in the References section.

 

2. Relevant releases/architectures:

 

Red Hat OpenShift Enterprise Client 2.2 - noarch

Red Hat OpenShift Enterprise Infrastructure 2.2 - noarch, x86_64

Red Hat OpenShift Enterprise Node 2.2 - noarch, x86_64

 

3. Description:

 

OpenShift Enterprise by Red Hat is the company's cloud computing

Platform-as-a-Service (PaaS) solution designed for on-premise or

private cloud deployments.

 

The following security issue is addressed with this release:

 

It was found that ActiveMQ did not safely handle user supplied data

when deserializing objects. A remote attacker could use this flaw to

execute arbitrary code with the permissions of the ActiveMQ

application. (CVE-2015-5254)

 

An update for Jenkins Continuous Integration Server that addresses a

large number of security issues including XSS, CSRF, information

disclosure and code execution have been addressed as well.

(CVE-2015-5317, CVE-2015-5318, CVE-2015-5319, CVE-2015-5320,

CVE-2015-5321, CVE-2015-5322, CVE-2015-5323, CVE-2015-5324,

CVE-2015-5325, CVE-2015-5326, CVE-2015-7537, CVE-2015-7538,

CVE-2015-7539, CVE-2015-8103)

 

Space precludes documenting all of the bug fixes in this advisory. See

the OpenShift Enterprise Technical Notes, which will be updated

shortly for release 2.2.9, for details about these changes:

 

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-s

ingle/Technical_Notes/index.html

 

All OpenShift Enterprise 2 users are advised to upgrade to these

updated packages.

 

4. Solution:

 

Before applying this update, make sure all previously released

errata relevant to your system have been applied.

 

See the OpenShift Enterprise 2.2 Release Notes, which will be

updated shortly for release 2.2.9, for important instructions on how

to fully apply this asynchronous errata update:

 

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-s

ingle/2.2_Release_Notes/index.html#chap-Asynchronous_Errata_Updates

 

This update is available via the Red Hat Network. Details on how to use

the Red Hat Network to apply this update are available at:

https://access.redhat.com/articles/11258

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1111456 - jenkin app will be created as default small gear size when user create app with --enable-jenkins and non-default gear-size

1140816 - oo-admin-ctl-district missing documentation for listing districts

1160934 - "oo-admin-ctl-gears stopgear" failed to stop idled gear

1168480 - Should prompt correct information when execute oo-admin-ctl-user --addgearsize $invalid value

1169690 - Webconsole should show warning info when add cartridge as quota used up to QUOTA_WARNING_PERCENT

1265423 - .gitconfig is not configurable for application create

1265811 - oo-accept-node reports a quota failures when a loop device is used.

1279584 - Users have nil value for resulting in failed oo-admin-repair

1282359 - CVE-2015-5317 jenkins: Project name disclosure via fingerprints (SECURITY-153)

1282361 - CVE-2015-5318 jenkins: Public value used for CSRF protection salt (SECURITY-169)

1282362 - CVE-2015-5319 jenkins: XXE injection into job configurations via CLI (SECURITY-173)

1282363 - CVE-2015-5320 jenkins: Secret key not verified when connecting a slave (SECURITY-184)

1282364 - CVE-2015-5321 jenkins: Information disclosure via sidepanel (SECURITY-192)

1282365 - CVE-2015-5322 jenkins: Local file inclusion vulnerability (SECURITY-195)

1282366 - CVE-2015-5323 jenkins: API tokens of other users available to admins (SECURITY-200)

1282367 - CVE-2015-5324 jenkins: Queue API did show items not visible to the current user (SECURITY-186)

1282368 - CVE-2015-5325 jenkins: JNLP slaves not subject to slave-to-master access control (SECURITY-206)

1282369 - CVE-2015-5326 jenkins: Stored XSS vulnerability in slave offline status message (SECURITY-214)

1282371 - CVE-2015-8103 jenkins: Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting (SECURITY-218)

1283372 - oo-admin-gear man page displays wrong option

1291292 - CVE-2015-5254 activemq: unsafe deserialization

1291795 - CVE-2015-7537 jenkins: CSRF vulnerability in some administrative actions (SECURITY-225)

1291797 - CVE-2015-7538 jenkins: CSRF protection ineffective (SECURITY-233)

1291798 - CVE-2015-7539 jenkins: Jenkins plugin manager vulnerable to MITM attacks (SECURITY-234)

1294513 - oo-diagnostics test_enterprise_rpms fails for nodejs010-nodejs-debug

1299014 - [RFE] Configuration setting to set cipher on Openshift node web proxy

1299095 - oo-diagnostic error on broker No such file or directory - /etc/openshift/env/OPENSHIFT_BROKER_HOST

1302787 - Node web proxy configuration file is overwritten upon update

1305688 - oo-accept-broker incorrectly parses MONGO_HOST_PORT individual host and ports

1307174 - rhc ssh does not respect PATH env variable, nor the --ssh PATH option

1307175 - oo-accept-node does not validate whether threads are in cgroups

1308716 - rhc snapshot save different app with the same name in the same dir didn't prompt conflict information

1308718 - It is better to return meaningful error message when do ssh in head gear of scalable app with incorrect user id or ssh url

1308720 - Unable to deploy Drupal

1308722 - Django quickstart can't bind address

1308739 - It will not validate the deployment type when do app deploy via REST API

1310247 - New configuration item, TRAFFIC_CONTROL_DEVS

1310266 - https using letsencrypt has B rating - chain incomplete

1310841 - Fix zsh autocompletion for rhc

1314535 - oo-admin-repair-node,oo-admin-ctl-iptables-port-proxy and oo-admin-ctl-tc has no man page

1314546 - Python cartridge doesn't stop deploy process when it failed to install packages (It is different from behavior of other cartridges)

 

6. Package List:

 

Red Hat OpenShift Enterprise Client 2.2:

 

Source:

rhc-1.38.6.1-1.el6op.src.rpm

 

noarch:

rhc-1.38.6.1-1.el6op.noarch.rpm

 

Red Hat OpenShift Enterprise Infrastructure 2.2:

 

Source:

activemq-5.9.0-6.redhat.611454.el6op.src.rpm

openshift-enterprise-upgrade-2.2.9-1.el6op.src.rpm

openshift-origin-broker-util-1.37.5.3-1.el6op.src.rpm

rubygem-openshift-origin-common-1.29.5.2-1.el6op.src.rpm

rubygem-openshift-origin-console-1.35.5.1-1.el6op.src.rpm

rubygem-openshift-origin-controller-1.38.5.1-1.el6op.src.rpm

 

noarch:

openshift-enterprise-release-2.2.9-1.el6op.noarch.rpm

openshift-enterprise-upgrade-broker-2.2.9-1.el6op.noarch.rpm

openshift-enterprise-yum-validator-2.2.9-1.el6op.noarch.rpm

openshift-origin-broker-util-1.37.5.3-1.el6op.noarch.rpm

rubygem-openshift-origin-common-1.29.5.2-1.el6op.noarch.rpm

rubygem-openshift-origin-console-1.35.5.1-1.el6op.noarch.rpm

rubygem-openshift-origin-controller-1.38.5.1-1.el6op.noarch.rpm

 

x86_64:

activemq-5.9.0-6.redhat.611454.el6op.x86_64.rpm

activemq-client-5.9.0-6.redhat.611454.el6op.x86_64.rpm

 

Red Hat OpenShift Enterprise Node 2.2:

 

Source:

activemq-5.9.0-6.redhat.611454.el6op.src.rpm

jenkins-1.625.3-1.el6op.src.rpm

openshift-enterprise-upgrade-2.2.9-1.el6op.src.rpm

openshift-origin-cartridge-cron-1.25.2.1-1.el6op.src.rpm

openshift-origin-cartridge-haproxy-1.31.5.1-1.el6op.src.rpm

openshift-origin-cartridge-mysql-1.31.2.1-1.el6op.src.rpm

openshift-origin-cartridge-php-1.35.3.1-1.el6op.src.rpm

openshift-origin-cartridge-python-1.34.2.1-1.el6op.src.rpm

openshift-origin-msg-node-mcollective-1.30.2.1-1.el6op.src.rpm

openshift-origin-node-proxy-1.26.2.1-1.el6op.src.rpm

openshift-origin-node-util-1.38.6.2-1.el6op.src.rpm

php-5.3.3-46.el6_7.1.src.rpm

rubygem-openshift-origin-common-1.29.5.2-1.el6op.src.rpm

rubygem-openshift-origin-frontend-apache-vhost-0.13.2.1-1.el6op.src.rpm

rubygem-openshift-origin-node-1.38.5.3-1.el6op.src.rpm

 

noarch:

jenkins-1.625.3-1.el6op.noarch.rpm

openshift-enterprise-release-2.2.9-1.el6op.noarch.rpm

openshift-enterprise-upgrade-node-2.2.9-1.el6op.noarch.rpm

openshift-enterprise-yum-validator-2.2.9-1.el6op.noarch.rpm

openshift-origin-cartridge-cron-1.25.2.1-1.el6op.noarch.rpm

openshift-origin-cartridge-haproxy-1.31.5.1-1.el6op.noarch.rpm

openshift-origin-cartridge-mysql-1.31.2.1-1.el6op.noarch.rpm

openshift-origin-cartridge-php-1.35.3.1-1.el6op.noarch.rpm

openshift-origin-cartridge-python-1.34.2.1-1.el6op.noarch.rpm

openshift-origin-msg-node-mcollective-1.30.2.1-1.el6op.noarch.rpm

openshift-origin-node-proxy-1.26.2.1-1.el6op.noarch.rpm

openshift-origin-node-util-1.38.6.2-1.el6op.noarch.rpm

rubygem-openshift-origin-common-1.29.5.2-1.el6op.noarch.rpm

rubygem-openshift-origin-frontend-apache-vhost-0.13.2.1-1.el6op.noarch.rpm

rubygem-openshift-origin-node-1.38.5.3-1.el6op.noarch.rpm

 

x86_64:

activemq-client-5.9.0-6.redhat.611454.el6op.x86_64.rpm

php-bcmath-5.3.3-46.el6_7.1.x86_64.rpm

php-debuginfo-5.3.3-46.el6_7.1.x86_64.rpm

php-devel-5.3.3-46.el6_7.1.x86_64.rpm

php-fpm-5.3.3-46.el6_7.1.x86_64.rpm

php-imap-5.3.3-46.el6_7.1.x86_64.rpm

php-intl-5.3.3-46.el6_7.1.x86_64.rpm

php-mbstring-5.3.3-46.el6_7.1.x86_64.rpm

php-process-5.3.3-46.el6_7.1.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2015-5254

https://access.redhat.com/security/cve/CVE-2015-5317

https://access.redhat.com/security/cve/CVE-2015-5318

https://access.redhat.com/security/cve/CVE-2015-5319

https://access.redhat.com/security/cve/CVE-2015-5320

https://access.redhat.com/security/cve/CVE-2015-5321

https://access.redhat.com/security/cve/CVE-2015-5322

https://access.redhat.com/security/cve/CVE-2015-5323

https://access.redhat.com/security/cve/CVE-2015-5324

https://access.redhat.com/security/cve/CVE-2015-5325

https://access.redhat.com/security/cve/CVE-2015-5326

https://access.redhat.com/security/cve/CVE-2015-7537

https://access.redhat.com/security/cve/CVE-2015-7538

https://access.redhat.com/security/cve/CVE-2015-7539

https://access.redhat.com/security/cve/CVE-2015-8103

https://access.redhat.com/security/updates/classification/#important

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2016 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFW8XglXlSAg2UNWIIRAoouAJ0XHeEABsx6OtQv/S8IBfl53g9JAgCeLtjq

xQ2Bp9Ov4WK0pelScKgBp0Y=

=hzs2

-----END PGP SIGNATURE-----

 

--