Red Hat OpenShift 3.2 RHSA-2016-1206-01 Moderate: Jenkins Security Fix


====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: jenkins security update
Advisory ID:       RHSA-2016:1206-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1206
Issue date:        2016-06-06
CVE Names:         CVE-2016-3721 CVE-2016-3722 CVE-2016-3723 
                   CVE-2016-3724 CVE-2016-3725 CVE-2016-3726 
                   CVE-2016-3727 
====================================================================
1. Summary:

An updated Jenkins package and image that include security fixes are now 
available for Red Hat OpenShift Enterprise 3.2.

Red Hat Product Security has rated this update as having a security impact 
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, 
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Enterprise 3.1 - noarch, x86_64
Red Hat OpenShift Enterprise 3.2 - noarch, x86_64

3. Description:

OpenShift Enterprise by Red Hat is the company's cloud computing 
Platform-as-a-Service (PaaS) solution designed for on-premise or private 
cloud deployments.

Jenkins is a continuous integration server that monitors executions of 
repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* The Jenkins continuous integration server has been updated to upstream 
version 1.651.2 LTS, which addresses a large number of security issues, 
including open redirects, a potential denial of service, unsafe handling of
user-provided environment variables, and several instances of sensitive 
information disclosure. (CVE-2016-3721, CVE-2016-3722, CVE-2016-3723, 
CVE-2016-3724, CVE-2016-3725, CVE-2016-3726, CVE-2016-3727)

Refer to the changelog listed in the References section for a list of 
changes.

This update includes the following image:

openshift3/jenkins-1-rhel7:1.651.2-4

All OpenShift Enterprise 3.2 users are advised to upgrade to the updated 
package and image.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1333133 - better retry in accessing replication controllers from openshift jenkin-plugin
1335415 - CVE-2016-3721 jenkins: Arbitrary build parameters are passed to build scripts as environment variables (SECURITY-170)
1335416 - CVE-2016-3722 jenkins: Malicious users with multiple user accounts can prevent other users from logging in (SECURITY-243)
1335417 - CVE-2016-3723 jenkins: Information on installed plugins exposed via API (SECURITY-250)
1335418 - CVE-2016-3724 jenkins: Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration (SECURITY-266)
1335420 - CVE-2016-3725 jenkins: Regular users can trigger download of update site metadata (SECURITY-273)
1335421 - CVE-2016-3726 jenkins: Open redirect to scheme-relative URLs (SECURITY-276)
1335422 - CVE-2016-3727 jenkins: Granting the permission to read node configurations allows access to overall system configuration (SECURITY-281)

6. Package List:

Red Hat OpenShift Enterprise 3.1:

Source:
jenkins-1.651.2-1.el7.src.rpm
jenkins-plugin-openshift-pipeline-1.0.12-1.el7.src.rpm

noarch:
jenkins-1.651.2-1.el7.noarch.rpm

x86_64:
jenkins-plugin-openshift-pipeline-1.0.12-1.el7.x86_64.rpm

Red Hat OpenShift Enterprise 3.2:

Source:
jenkins-1.651.2-1.el7.src.rpm
jenkins-plugin-openshift-pipeline-1.0.12-1.el7.src.rpm

noarch:
jenkins-1.651.2-1.el7.noarch.rpm

x86_64:
jenkins-plugin-openshift-pipeline-1.0.12-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
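To confirm that a host or image actually carries the fixed builds listed above, a practitioner needs an RPM-style version comparison rather than a string match. The following is an added example, not Red Hat's tooling: it implements a simplified rpmvercmp (numeric runs compare numerically, alpha runs lexically, numeric beats alpha, longer is newer; no tilde/caret handling) and checks installed version-release strings and the image tag against the advisory's fixed versions. The `installed_vr` helper shells out to `rpm -q` and is an assumption about the host having rpm available.

```python
import re
import subprocess

# Fixed versions taken from the advisory's package list and image line.
FIXED_RPMS = {
    "jenkins": "1.651.2-1.el7",
    "jenkins-plugin-openshift-pipeline": "1.0.12-1.el7",
}
FIXED_IMAGE_TAG = "1.651.2-4"  # openshift3/jenkins-1-rhel7

def _segments(s):
    # Split into digit / alpha runs; separators such as '.' and '-' are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified librpm rpmvercmp (no tilde/caret handling): -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:                     # numeric runs compare as integers
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:                    # a numeric run is newer than an alpha run
            return 1 if xd else -1
        elif x != y:                      # alpha runs compare lexically
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer string is newer

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def rpm_is_fixed(package, installed):
    """True if installed 'version-release' is at or above the advisory's build."""
    return evr_cmp(installed, FIXED_RPMS[package]) >= 0

def image_is_fixed(image_ref):
    """image_ref like 'openshift3/jenkins-1-rhel7:1.651.2-4'; compares the tag."""
    return rpmvercmp(image_ref.rsplit(":", 1)[1], FIXED_IMAGE_TAG) >= 0

def installed_vr(package):
    """'version-release' of an installed RPM, or None if absent / rpm missing."""
    try:
        out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", package],
                             capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None
```

On an OpenShift node, `rpm_is_fixed("jenkins", installed_vr("jenkins"))` answers whether the host still needs this erratum; the image check takes the tag from `oc` or `docker images` output.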

7. References:

https://access.redhat.com/security/cve/CVE-2016-3721
https://access.redhat.com/security/cve/CVE-2016-3722
https://access.redhat.com/security/cve/CVE-2016-3723
https://access.redhat.com/security/cve/CVE-2016-3724
https://access.redhat.com/security/cve/CVE-2016-3725
https://access.redhat.com/security/cve/CVE-2016-3726
https://access.redhat.com/security/cve/CVE-2016-3727
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.


-- 
Enterprise-watch-list mailing list
