
[RHSA-2017:0448-01] Important: ansible and openshift-ansible security and bug fix update


=====================================================================

Red Hat Security Advisory

 

Synopsis: Important: ansible and openshift-ansible security and bug fix update

Advisory ID: RHSA-2017:0448-01

Product: Red Hat OpenShift Enterprise

Advisory URL: https://access.redhat.com/errata/RHSA-2017:0448

Issue date: 2017-03-06

CVE Names: CVE-2016-9587

=====================================================================

 

1. Summary:

 

An update for ansible and openshift-ansible is now available for Red Hat
OpenShift Container Platform 3.2, Red Hat OpenShift Container Platform 3.3,
and Red Hat OpenShift Container Platform 3.4.

 

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

 

2. Relevant releases/architectures:

 

Red Hat OpenShift Container Platform 3.2 - noarch

Red Hat OpenShift Container Platform 3.3 - noarch

Red Hat OpenShift Container Platform 3.4 - noarch

 

3. Description:

 

Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

 

Ansible is an SSH-based configuration management, deployment, and task
execution system. The openshift-ansible packages contain Ansible code and
playbooks for installing and upgrading OpenShift Container Platform 3.

 

Security Fix(es):

 

* An input validation vulnerability was found in Ansible's handling of data
sent from client systems. An attacker with control over a client system
being managed by Ansible and the ability to send facts back to the Ansible
server could use this flaw to execute arbitrary code on the Ansible server
using the Ansible server privileges. (CVE-2016-9587)

 

Bug Fix(es):

 

Space precludes documenting all of the non-security bug fixes in this
advisory. See the relevant OpenShift Container Platform Release Notes
linked to in the References section, which will be updated shortly for this
release.

 

4. Solution:

 

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

 

To apply this update, run the following on all hosts where you intend to
initiate Ansible-based installation or upgrade procedures:

 

# yum update atomic-openshift-utils

 

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at:

 

https://access.redhat.com/articles/11258

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1379189 - [3.2] ansible sometimes gets UNREACHABLE error after iptables restarted

1388016 - [3.3] The insecure-registry address was removed during upgrade

1389263 - [3.4] the summary of json report should include total/ok number after certificate expiry check

1393000 - [3.3] Ansible upgrade from 3.2 to 3.3 fails

1404378 - CVE-2016-9587 Ansible: Compromised remote hosts can lead to running commands on the Ansible controller

1414276 - [3.3] Installer is failing when `ansible_user` is set to Windows Login which requires dom\user format

1415067 - [3.2]Installer should persist net.ipv4.ip_forward

1416926 - [3.3] ansible sometimes gets UNREACHABLE error after iptables restarted

1416927 - [3.4] ansible sometimes gets UNREACHABLE error after iptables restarted

1417680 - [3.2] Backport openshift_certificate_expiry role

1417681 - [3.4] Backport openshift_certificate_expiry role

1417682 - [3.3] Backport openshift_certificate_expiry role

1419493 - [3.4] Installer pulls in 3.3 registry-console image

1419533 - [3.2]Installation on node failed when creating node config

1419654 - [3.4] Containerized advanced installation fails due to missing CA certificate /etc/origin/master/ca.crt

1420393 - [3.4] conntrack executable not found on $PATH during cluster horizontal run

1420395 - [3.3] conntrack executable not found on $PATH during cluster horizontal run

1421053 - [quick installer 3.4] quick installer failed due to a python method failure

1421059 - [quick installer 3.2]quick installer failed due to a python method failure

1421061 - [quick installer 3.3]quick installer failed due to a python method failure

1421860 - [3.4] Metrics Resolution of Heapster Image Should be 30s to Match cAdvisor

1422361 - [3.4] Advanced installer fails if python-six not available

1426705 - [3.4] Installer is failing when `ansible_user` is set to Windows Login which requires dom\user format

 

6. Package List:

 

Red Hat OpenShift Container Platform 3.2:

 

Source:

ansible-2.2.1.0-2.el7.src.rpm

openshift-ansible-3.2.53-1.git.0.2fefc17.el7.src.rpm

 

noarch:

ansible-2.2.1.0-2.el7.noarch.rpm

atomic-openshift-utils-3.2.53-1.git.0.2fefc17.el7.noarch.rpm

openshift-ansible-3.2.53-1.git.0.2fefc17.el7.noarch.rpm

openshift-ansible-docs-3.2.53-1.git.0.2fefc17.el7.noarch.rpm

openshift-ansible-filter-plugins-3.2.53-1.git.0.2fefc17.el7.noarch.rpm

openshift-ansible-lookup-plugins-3.2.53-1.git.0.2fefc17.el7.noarch.rpm

openshift-ansible-playbooks-3.2.53-1.git.0.2fefc17.el7.noarch.rpm

openshift-ansible-roles-3.2.53-1.git.0.2fefc17.el7.noarch.rpm

 

Red Hat OpenShift Container Platform 3.3:

 

Source:

ansible-2.2.1.0-2.el7.src.rpm

openshift-ansible-3.3.67-1.git.0.7c5da0c.el7.src.rpm

 

noarch:

ansible-2.2.1.0-2.el7.noarch.rpm

atomic-openshift-utils-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm

openshift-ansible-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm

openshift-ansible-callback-plugins-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm

openshift-ansible-docs-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm

openshift-ansible-filter-plugins-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm

openshift-ansible-lookup-plugins-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm

openshift-ansible-playbooks-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm

openshift-ansible-roles-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm

 

Red Hat OpenShift Container Platform 3.4:

 

Source:

ansible-2.2.1.0-2.el7.src.rpm

openshift-ansible-3.4.67-1.git.0.14a0b4d.el7.src.rpm

 

noarch:

ansible-2.2.1.0-2.el7.noarch.rpm

atomic-openshift-utils-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm

openshift-ansible-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm

openshift-ansible-callback-plugins-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm

openshift-ansible-docs-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm

openshift-ansible-filter-plugins-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm

openshift-ansible-lookup-plugins-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm

openshift-ansible-playbooks-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm

openshift-ansible-roles-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm

 

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
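To confirm that the update from section 4 landed, the following added example (not part of the Red Hat advisory) compares package inventory collected from the installer hosts against the fixed builds in the package list above. The function names and sample lines are constructed for illustration, and the version ordering is a simplified form of rpm's that ignores epochs, tildes and carets.

```python
import re

# Fixed builds copied from the advisory's package list (section 6).
FIXED_ANSIBLE = "2.2.1.0-2.el7"
FIXED_OPENSHIFT = {  # keyed by OpenShift Container Platform stream
    "3.2": "3.2.53-1.git.0.2fefc17.el7",
    "3.3": "3.3.67-1.git.0.7c5da0c.el7",
    "3.4": "3.4.67-1.git.0.14a0b4d.el7",
}

def rpmvercmp(a, b):
    """Order two version or release strings segment by segment; returns -1, 0 or 1."""
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():  # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)       # compare numbers by value, not as text
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare VERSION-RELEASE strings: version first, release as tie-breaker."""
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def fixed_build(name, vr):
    """Return the advisory's fixed build for a package, or None when not covered."""
    if name == "ansible":
        return FIXED_ANSIBLE
    if name == "atomic-openshift-utils" or name.startswith("openshift-ansible"):
        return FIXED_OPENSHIFT.get(".".join(vr.split(".")[:2]))

def audit(rpm_lines):
    """Map each covered package to 'fixed' or 'needs update'."""
    result = {}
    for name, vr in (l.split() for l in rpm_lines if len(l.split()) == 2):
        target = fixed_build(name, vr)
        if target:
            result[name] = "fixed" if evr_cmp(vr, target) >= 0 else "needs update"
    return result

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = ["ansible 2.2.0.0-4.el7", "bash 4.2.46-21.el7_3",
          "atomic-openshift-utils 3.4.67-1.git.0.14a0b4d.el7",
          "openshift-ansible-roles 3.3.50-1.git.0.5bdbeaa.el7"]
```

Calling `audit(SAMPLE)` flags the constructed `ansible` and `openshift-ansible-roles` entries as needing the update and skips packages the advisory does not cover.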

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2016-9587

https://access.redhat.com/security/updates/classification/#important

https://docs.openshift.com/enterprise/3.2/release_notes/ose_3_2_release_notes.html

https://docs.openshift.com/container-platform/3.3/release_notes/ocp_3_3_release_notes.html

https://docs.openshift.com/container-platform/3.4/release_notes/ocp_3_4_release_notes.html

 

8. Contact:

 

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

 

Copyright 2017 Red Hat, Inc.
