RedHat: RHSA-2016-0489:01 Important: Red Hat OpenShift Enterprise 2.2.9
Summary
OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or
private cloud deployments.
The following security issue is addressed with this release:
It was found that ActiveMQ did not safely handle user supplied data
when deserializing objects. A remote attacker could use this flaw to
execute arbitrary code with the permissions of the ActiveMQ
application. (CVE-2015-5254)
An update for Jenkins Continuous Integration Server that addresses a
large number of security issues including XSS, CSRF, information
disclosure and code execution have been addressed as well.
(CVE-2015-5317, CVE-2015-5318, CVE-2015-5319, CVE-2015-5320,
CVE-2015-5321, CVE-2015-5322, CVE-2015-5323, CVE-2015-5324,
CVE-2015-5325, CVE-2015-5326, CVE-2015-7537, CVE-2015-7538,
CVE-2015-7539, CVE-2015-8103)
Space precludes documenting all of the bug fixes in this advisory. See
the OpenShift Enterprise Technical Notes, which will be updated
shortly for release 2.2.9, for details about these changes:
ingle/Technical_Notes/index.html
All OpenShift Enterprise 2 users are advised to upgrade to these
updated packages.
Summary
Solution
Before applying this update, make sure all previously released
errata relevant to your system have been applied.
See the OpenShift Enterprise 2.2 Release Notes, which will be
updated shortly for release 2.2.9, for important instructions on how
to fully apply this asynchronous errata update:
ingle/2.2_Release_Notes/index.html#chap-Asynchronous_Errata_Updates
This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2015-5254 https://access.redhat.com/security/cve/CVE-2015-5317 https://access.redhat.com/security/cve/CVE-2015-5318 https://access.redhat.com/security/cve/CVE-2015-5319 https://access.redhat.com/security/cve/CVE-2015-5320 https://access.redhat.com/security/cve/CVE-2015-5321 https://access.redhat.com/security/cve/CVE-2015-5322 https://access.redhat.com/security/cve/CVE-2015-5323 https://access.redhat.com/security/cve/CVE-2015-5324 https://access.redhat.com/security/cve/CVE-2015-5325 https://access.redhat.com/security/cve/CVE-2015-5326 https://access.redhat.com/security/cve/CVE-2015-7537 https://access.redhat.com/security/cve/CVE-2015-7538 https://access.redhat.com/security/cve/CVE-2015-7539 https://access.redhat.com/security/cve/CVE-2015-8103 https://access.redhat.com/security/updates/classification/#important
Package List
Red Hat OpenShift Enterprise Client 2.2:
Source:
rhc-1.38.6.1-1.el6op.src.rpm
noarch:
rhc-1.38.6.1-1.el6op.noarch.rpm
Red Hat OpenShift Enterprise Infrastructure 2.2:
Source:
activemq-5.9.0-6.redhat.611454.el6op.src.rpm
openshift-enterprise-upgrade-2.2.9-1.el6op.src.rpm
openshift-origin-broker-util-1.37.5.3-1.el6op.src.rpm
rubygem-openshift-origin-common-1.29.5.2-1.el6op.src.rpm
rubygem-openshift-origin-console-1.35.5.1-1.el6op.src.rpm
rubygem-openshift-origin-controller-1.38.5.1-1.el6op.src.rpm
noarch:
openshift-enterprise-release-2.2.9-1.el6op.noarch.rpm
openshift-enterprise-upgrade-broker-2.2.9-1.el6op.noarch.rpm
openshift-enterprise-yum-validator-2.2.9-1.el6op.noarch.rpm
openshift-origin-broker-util-1.37.5.3-1.el6op.noarch.rpm
rubygem-openshift-origin-common-1.29.5.2-1.el6op.noarch.rpm
rubygem-openshift-origin-console-1.35.5.1-1.el6op.noarch.rpm
rubygem-openshift-origin-controller-1.38.5.1-1.el6op.noarch.rpm
x86_64:
activemq-5.9.0-6.redhat.611454.el6op.x86_64.rpm
activemq-client-5.9.0-6.redhat.611454.el6op.x86_64.rpm
Red Hat OpenShift Enterprise Node 2.2:
Source:
activemq-5.9.0-6.redhat.611454.el6op.src.rpm
jenkins-1.625.3-1.el6op.src.rpm
openshift-enterprise-upgrade-2.2.9-1.el6op.src.rpm
openshift-origin-cartridge-cron-1.25.2.1-1.el6op.src.rpm
openshift-origin-cartridge-haproxy-1.31.5.1-1.el6op.src.rpm
openshift-origin-cartridge-mysql-1.31.2.1-1.el6op.src.rpm
openshift-origin-cartridge-php-1.35.3.1-1.el6op.src.rpm
openshift-origin-cartridge-python-1.34.2.1-1.el6op.src.rpm
openshift-origin-msg-node-mcollective-1.30.2.1-1.el6op.src.rpm
openshift-origin-node-proxy-1.26.2.1-1.el6op.src.rpm
openshift-origin-node-util-1.38.6.2-1.el6op.src.rpm
php-5.3.3-46.el6_7.1.src.rpm
rubygem-openshift-origin-common-1.29.5.2-1.el6op.src.rpm
rubygem-openshift-origin-frontend-apache-vhost-0.13.2.1-1.el6op.src.rpm
rubygem-openshift-origin-node-1.38.5.3-1.el6op.src.rpm
noarch:
jenkins-1.625.3-1.el6op.noarch.rpm
openshift-enterprise-release-2.2.9-1.el6op.noarch.rpm
openshift-enterprise-upgrade-node-2.2.9-1.el6op.noarch.rpm
openshift-enterprise-yum-validator-2.2.9-1.el6op.noarch.rpm
openshift-origin-cartridge-cron-1.25.2.1-1.el6op.noarch.rpm
openshift-origin-cartridge-haproxy-1.31.5.1-1.el6op.noarch.rpm
openshift-origin-cartridge-mysql-1.31.2.1-1.el6op.noarch.rpm
openshift-origin-cartridge-php-1.35.3.1-1.el6op.noarch.rpm
openshift-origin-cartridge-python-1.34.2.1-1.el6op.noarch.rpm
openshift-origin-msg-node-mcollective-1.30.2.1-1.el6op.noarch.rpm
openshift-origin-node-proxy-1.26.2.1-1.el6op.noarch.rpm
openshift-origin-node-util-1.38.6.2-1.el6op.noarch.rpm
rubygem-openshift-origin-common-1.29.5.2-1.el6op.noarch.rpm
rubygem-openshift-origin-frontend-apache-vhost-0.13.2.1-1.el6op.noarch.rpm
rubygem-openshift-origin-node-1.38.5.3-1.el6op.noarch.rpm
x86_64:
activemq-client-5.9.0-6.redhat.611454.el6op.x86_64.rpm
php-bcmath-5.3.3-46.el6_7.1.x86_64.rpm
php-debuginfo-5.3.3-46.el6_7.1.x86_64.rpm
php-devel-5.3.3-46.el6_7.1.x86_64.rpm
php-fpm-5.3.3-46.el6_7.1.x86_64.rpm
php-imap-5.3.3-46.el6_7.1.x86_64.rpm
php-intl-5.3.3-46.el6_7.1.x86_64.rpm
php-mbstring-5.3.3-46.el6_7.1.x86_64.rpm
php-process-5.3.3-46.el6_7.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
Red Hat OpenShift Enterprise release 2.2.9, which fixes several security issues, several bugs, and introduces feature enhancements, is now available.Red Hat Product Security has rated this update as having Importantsecurity impact. Common Vulnerability Scoring System (CVSS) basescores, which give detailed severity ratings, are available for eachvulnerability from the CVE links in the References section.
Topic
Relevant Releases Architectures
Red Hat OpenShift Enterprise Client 2.2 - noarch
Red Hat OpenShift Enterprise Infrastructure 2.2 - noarch, x86_64
Red Hat OpenShift Enterprise Node 2.2 - noarch, x86_64
Bugs Fixed
1111456 - jenkin app will be created as default small gear size when user create app with --enable-jenkins and non-default gear-size
1140816 - oo-admin-ctl-district missing documentation for listing districts
1160934 - "oo-admin-ctl-gears stopgear" failed to stop idled gear
1168480 - Should prompt correct information when execute oo-admin-ctl-user --addgearsize $invalid value
1169690 - Webconsole should show warning info when add cartridge as quota used up to QUOTA_WARNING_PERCENT
1265423 - .gitconfig is not configurable for application create
1265811 - oo-accept-node reports a quota failures when a loop device is used.
1279584 - Users have nil value for resulting in failed oo-admin-repair
1282359 - CVE-2015-5317 jenkins: Project name disclosure via fingerprints (SECURITY-153)
1282361 - CVE-2015-5318 jenkins: Public value used for CSRF protection salt (SECURITY-169)
1282362 - CVE-2015-5319 jenkins: XXE injection into job configurations via CLI (SECURITY-173)
1282363 - CVE-2015-5320 jenkins: Secret key not verified when connecting a slave (SECURITY-184)
1282364 - CVE-2015-5321 jenkins: Information disclosure via sidepanel (SECURITY-192)
1282365 - CVE-2015-5322 jenkins: Local file inclusion vulnerability (SECURITY-195)
1282366 - CVE-2015-5323 jenkins: API tokens of other users available to admins (SECURITY-200)
1282367 - CVE-2015-5324 jenkins: Queue API did show items not visible to the current user (SECURITY-186)
1282368 - CVE-2015-5325 jenkins: JNLP slaves not subject to slave-to-master access control (SECURITY-206)
1282369 - CVE-2015-5326 jenkins: Stored XSS vulnerability in slave offline status message (SECURITY-214)
1282371 - CVE-2015-8103 jenkins: Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting (SECURITY-218)
1283372 - oo-admin-gear man page displays wrong option
1291292 - CVE-2015-5254 activemq: unsafe deserialization
1291795 - CVE-2015-7537 jenkins: CSRF vulnerability in some administrative actions (SECURITY-225)
1291797 - CVE-2015-7538 jenkins: CSRF protection ineffective (SECURITY-233)
1291798 - CVE-2015-7539 jenkins: Jenkins plugin manager vulnerable to MITM attacks (SECURITY-234)
1294513 - oo-diagnostics test_enterprise_rpms fails for nodejs010-nodejs-debug
1299014 - [RFE] Configuration setting to set cipher on Openshift node web proxy
1299095 - oo-diagnostic error on broker No such file or directory - /etc/openshift/env/OPENSHIFT_BROKER_HOST
1302787 - Node web proxy configuration file is overwritten upon update
1305688 - oo-accept-broker incorrectly parses MONGO_HOST_PORT individual host and ports
1307174 - rhc ssh
1307175 - oo-accept-node does not validate whether threads are in cgroups
1308716 - rhc snapshot save different app with the same name in the same dir didn't prompt conflict information
1308718 - It is better to return meaningful error message when do ssh in head gear of scalable app with incorrect user id or ssh url
1308720 - Unable to deploy Drupal
1308722 - Django quickstart can't bind address
1308739 - It will not validate the deployment type when do app deploy via REST API
1310247 - New configuration item, TRAFFIC_CONTROL_DEVS
1310266 - https using letsencrypt has B rating - chain incomplete
1310841 - Fix zsh autocompletion for rhc
1314535 - oo-admin-repair-node,oo-admin-ctl-iptables-port-proxy and oo-admin-ctl-tc has no man page
1314546 - Python cartridge doesn't stop deploy process when it failed to install packages (It is different from behavior of other cartridges)