Jump to content
Compatible Support Forums
Sign in to follow this  
news

[RHSA-2016:2915-01] Important: atomic-openshift security and bug fix update

Recommended Posts

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Important: atomic-openshift security and bug fix update

Advisory ID: RHSA-2016:2915-01

Product: Red Hat OpenShift Enterprise

Advisory URL: https://access.redhat.com/errata/RHSA-2016:2915

Issue date: 2016-12-07

CVE Names: CVE-2016-8651

=====================================================================

 

1. Summary:

 

An update for atomic-openshift is now available for Red Hat OpenShift

Container Platform 3.1, 3.2, and 3.3.

 

Red Hat Product Security has rated this update as having a security impact

of Important. A Common Vulnerability Scoring System (CVSS) base score,

which gives a detailed severity rating, is available for each vulnerability

from the CVE link(s) in the References section.

 

2. Relevant releases/architectures:

 

Red Hat OpenShift Container Platform 3.3 - noarch, x86_64

Red Hat OpenShift Enterprise 3.1 - noarch, x86_64

Red Hat OpenShift Enterprise 3.2 - noarch, x86_64

 

3. Description:

 

Red Hat OpenShift Container Platform is the company's cloud computing

Platform-as-a-Service (PaaS) solution designed for on-premise or private

cloud deployments.

 

This advisory contains the RPM packages for Red Hat OpenShift Container

Platform releases 3.3.1.7, 3.2.1.21, and 3.1.1.10. See the following

advisory for the container images for these releases:

 

https://access.redhat.com/errata/RHBA-2016:2916

 

Security Fix(es):

 

* An input validation flaw was found in the way OpenShift handles requests

for images. A user, with a copy of the manifest associated with an image,

can pull an image even if they do not have access to the image normally,

resulting in the disclosure of any information contained within the image.

(CVE-2016-8651)

 

Bug Fix(es) for OpenShift Container Platform 3.3:

 

* Previously when rapidly up[censored] multiple namespaces

controlled by a single ClusterResourceQuota, the status.total.used can get

out of sync with the sum of the status.namespaces[*].used. This bug fix

ensures the ClusterResourceQuota objects are properly updated. (BZ#1400200)

 

* When using the `oc new-app --search` command in an environment where

OpenShift Container Platform (OCP) could not reach Docker Hub, the command

failed for any query. OCP now prints a warning and continues with what was

found in other sources. (BZ#1388524)

 

* The OpenShift Container Platform node daemon did not recover properly

from restarts, and it lost information about attached and mounted volumes.

In rare cases, the daemon deleted all data on a mounted volume, thinking

that it has been already unmounted while it was only missing its node's

cache. This bug fix ensures node caches are recovered after restarts, and

as a result no data loss occurs on the mounted volumes. (BZ#1398417)

 

* Previously, ScheduledJobs were not cleaned up on project deletion. If a

new project was created with the same project name, the previously-defined

ScheduledJobs would re-appear. This bug fix ensures ScheduledJobs are

removed when a project is removed. (BZ#1399700)

 

Bug Fix(es) for OpenShift Container Platform 3.2:

 

* When using the `oc new-app --search` command in an environment where

OpenShift Container Platform (OCP) could not reach Docker Hub, the command

failed for any query. OCP now prints a warning and continues with what was

found in other sources. (BZ#1388522)

 

All OpenShift Container Platform users are advised to upgrade to these

updated packages and images.

 

4. Solution:

 

Before applying this update, make sure all previously released errata

relevant to your system have been applied.

 

To apply this update, see the following cluster upgrade documentation that

relates to your installed version of OpenShift Container Platform.

 

For OpenShift Container Platform 3.3:

 

https://docs.openshift.com/container-platform/3.3/install_config/upgrading/

automated_upgrades.html#upgrading-to-ocp-3-3-asynchronous-releases

 

For OpenShift Container Platform 3.2:

 

https://docs.openshift.com/enterprise/3.2/install_config/upgrading/automate

d_upgrades.html#upgrading-to-openshift-enterprise-3-2-asynchronous-releases

 

For OpenShift Container Platform 3.1:

 

https://docs.openshift.com/enterprise/3.1/install_config/upgrading/automate

d_upgrades.html#upgrading-to-openshift-enterprise-3-1-asynchronous-releases

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1388522 - [backport] (3.2) Failed to "oc new-app --search" at the offline environment disconnected to the Internet

1388524 - [backport] (3.3) Failed to "oc new-app --search" at the offline environment disconnected to the Internet

1397987 - CVE-2016-8651 OpenShift Enterprise 3: Pulling of any image is possible with it manifest

1398417 - Data from persistent volumes is wiped after a node service restart

1399700 - Scheduledjob not deleted when project has been deleted

1400200 - ClusterResourceQuota status total doesn't match sum of namespaces

 

6. Package List:

 

Red Hat OpenShift Enterprise 3.1:

 

Source:

atomic-openshift-3.1.1.10-1.git.0.efeef8d.el7aos.src.rpm

 

noarch:

atomic-openshift-docker-excluder-3.1.1.10-1.git.0.efeef8d.el7aos.noarch.rpm

atomic-openshift-excluder-3.1.1.10-1.git.0.efeef8d.el7aos.noarch.rpm

 

x86_64:

atomic-openshift-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm

atomic-openshift-clients-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm

atomic-openshift-clients-redistributable-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm

atomic-openshift-dockerregistry-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm

atomic-openshift-master-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm

atomic-openshift-node-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm

atomic-openshift-pod-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm

atomic-openshift-recycle-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm

atomic-openshift-sdn-ovs-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm

tuned-profiles-atomic-openshift-node-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm

 

Red Hat OpenShift Enterprise 3.2:

 

Source:

atomic-openshift-3.2.1.21-1.git.0.4250771.el7.src.rpm

 

noarch:

atomic-openshift-docker-excluder-3.2.1.21-1.git.0.4250771.el7.noarch.rpm

atomic-openshift-excluder-3.2.1.21-1.git.0.4250771.el7.noarch.rpm

 

x86_64:

atomic-openshift-3.2.1.21-1.git.0.4250771.el7.x86_64.rpm

atomic-openshift-clients-3.2.1.21-1.git.0.4250771.el7.x86_64.rpm

atomic-openshift-clients-redistributable-3.2.1.21-1.git.0.4250771.el7.x86_64.rpm

atomic-openshift-dockerregistry-3.2.1.21-1.git.0.4250771.el7.x86_64.rpm

atomic-openshift-master-3.2.1.21-1.git.0.4250771.el7.x86_64.rpm

atomic-openshift-node-3.2.1.21-1.git.0.4250771.el7.x86_64.rpm

atomic-openshift-pod-3.2.1.21-1.git.0.4250771.el7.x86_64.rpm

atomic-openshift-recycle-3.2.1.21-1.git.0.4250771.el7.x86_64.rpm

atomic-openshift-sdn-ovs-3.2.1.21-1.git.0.4250771.el7.x86_64.rpm

atomic-openshift-tests-3.2.1.21-1.git.0.4250771.el7.x86_64.rpm

tuned-profiles-atomic-openshift-node-3.2.1.21-1.git.0.4250771.el7.x86_64.rpm

 

Red Hat OpenShift Container Platform 3.3:

 

Source:

atomic-openshift-3.3.1.7-1.git.0.0988966.el7.src.rpm

 

noarch:

atomic-openshift-docker-excluder-3.3.1.7-1.git.0.0988966.el7.noarch.rpm

atomic-openshift-excluder-3.3.1.7-1.git.0.0988966.el7.noarch.rpm

 

x86_64:

atomic-openshift-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm

atomic-openshift-clients-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm

atomic-openshift-clients-redistributable-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm

atomic-openshift-dockerregistry-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm

atomic-openshift-master-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm

atomic-openshift-node-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm

atomic-openshift-pod-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm

atomic-openshift-sdn-ovs-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm

atomic-openshift-tests-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm

tuned-profiles-atomic-openshift-node-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2016-8651

https://access.redhat.com/security/updates/classification/#important

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2016 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFYSHjTXlSAg2UNWIIRAjf3AKCBVHwXqFQ1tRc9E1dxLeWvNn4TRQCfdZVu

Jp/Zdi85OIL+aWxTUBx3Fwc=

=RShg

-----END PGP SIGNATURE-----

 

 

--

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×