-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 3.11 security update
Advisory ID:       RHSA-2020:3541-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3541
Issue date:        2020-08-26
CVE Names:         CVE-2019-16541 CVE-2020-1741 CVE-2020-2220 
                   CVE-2020-2221 CVE-2020-2222 CVE-2020-2223 
                   CVE-2020-2224 CVE-2020-2225 CVE-2020-2226 
                   CVE-2020-13757 
====================================================================
1. Summary:

An update for jenkins, jenkins-2-plugins, openshift-ansible, and python-rsa
is now available for Red Hat OpenShift Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.11 - noarch

3. Description:

Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron. The
Matrix Project is a module which handles creating Jenkins
multi-configuration projects (matrix projects). Matrix Authorization allows
configuring the lowest level permissions, such as starting new builds,
configuring items, or deleting them, individually.

Python-RSA is a RSA implementation in Python. It can be used as a Python
library as well as the commandline utility.

Ansible is a SSH-based configuration management, deployment, and task
execution system. The openshift-ansible packages contain Ansible code and
playbooks for installing and upgrading OpenShift Container Platform 3.

Security Fix(es):

* jenkins: Stored XSS vulnerability in job build time trend (CVE-2020-2220)

* jenkins: Stored XSS vulnerability in upstream cause (CVE-2020-2221)

* jenkins: Stored XSS vulnerability in 'keep forever' badge icons
(CVE-2020-2222)

* jenkins: Stored XSS vulnerability in console links (CVE-2020-2223)

* jenkins-2-plugins/matrix-project: Stored XSS vulnerability in single axis
builds tooltips (CVE-2020-2224)

* jenkins-2-plugins/matrix-project: Stored XSS vulnerability in multiple
axis builds tooltips (CVE-2020-2225)

* jenkins-2-plugins/matrix-auth: Stored XSS vulnerability in Matrix
Authorization Strategy Plugin (CVE-2020-2226)

* jenkins-jira-plugin: plugin information disclosure (CVE-2019-16541)

* python-rsa: decryption of ciphertext leads to DoS (CVE-2020-13757)

* openshift-ansible: cors allowed origin allows changing url protocol
(CVE-2020-1741)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

See the following documentation, which will be updated shortly for release
3.11.272, for important instructions on how to upgrade your cluster and
fully
apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.

5. Bugs fixed (https://bugzilla.redhat.com/):

1802381 - CVE-2020-1741 openshift-ansible: cors allowed origin allows changing url protocol
1819663 - CVE-2019-16541 jenkins-jira-plugin: plugin information disclosure
1848507 - CVE-2020-13757 python-rsa: decryption of ciphertext leads to DoS
1857425 - CVE-2020-2220 jenkins: Stored XSS vulnerability in job build time trend
1857427 - CVE-2020-2221 jenkins: Stored XSS vulnerability in upstream cause
1857431 - CVE-2020-2222 jenkins: Stored XSS vulnerability in 'keep forever' badge icons
1857433 - CVE-2020-2223 jenkins: Stored XSS vulnerability in console links
1857436 - CVE-2020-2224 jenkins-2-plugins/matrix-project: Stored XSS vulnerability in single axis builds tooltips
1857439 - CVE-2020-2225 jenkins-2-plugins/matrix-project: Stored XSS vulnerability in multiple axis builds tooltips
1857441 - CVE-2020-2226 jenkins-2-plugins/matrix-auth: Stored XSS vulnerability in Matrix Authorization Strategy Plugin

6. Package List:

Red Hat OpenShift Container Platform 3.11:

Source:
jenkins-2-plugins-3.11.1597310986-1.el7.src.rpm
jenkins-2.235.2.1597220898-1.el7.src.rpm
openshift-ansible-3.11.272-1.git.0.79ab6e9.el7.src.rpm
python-rsa-4.5-2.el7.src.rpm

noarch:
jenkins-2-plugins-3.11.1597310986-1.el7.noarch.rpm
jenkins-2.235.2.1597220898-1.el7.noarch.rpm
openshift-ansible-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm
openshift-ansible-docs-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm
openshift-ansible-playbooks-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm
openshift-ansible-roles-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm
openshift-ansible-test-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm
python2-rsa-4.5-2.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-16541
https://access.redhat.com/security/cve/CVE-2020-1741
https://access.redhat.com/security/cve/CVE-2020-2220
https://access.redhat.com/security/cve/CVE-2020-2221
https://access.redhat.com/security/cve/CVE-2020-2222
https://access.redhat.com/security/cve/CVE-2020-2223
https://access.redhat.com/security/cve/CVE-2020-2224
https://access.redhat.com/security/cve/CVE-2020-2225
https://access.redhat.com/security/cve/CVE-2020-2226
https://access.redhat.com/security/cve/CVE-2020-13757
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX0bmstzjgjWX9erEAQjTQQ//ZxCg3gPCNpNyo3vMDigEgUfso8aPVhAE
L/OUqtBiaQYK495J9jwl6ZOtvKIBpzrd12emypAO30LYLbEm3znMqwosPxq7bGfi
p8tHJ+KIpKmMLyK5bOWJh9wMJvRYPzuOU/5gFoP0H7NIUw6Z5J/G51g+dnXS1JXi
6/Bs9Ys7v6yrPmI2WBEfKRAsLzpUWJxC8Zi4hkBhVdpjCHNwUM543TAO5mdCrY06
ty1l+rGHEEpFvWCA6+cxs98Gww8ClYilBORmTWaVJa027HUIggg6WInRkKzipqVw
FBUmMaHBU88PlJS9esyzaZaeWf29x6Rn5JU6dUx6O9HQ8CuzljybAV2Om/zmZbQ1
K0c6R6AtuIblf2FFOlXlOSBTJOjBn8Uml1kMcsQtBYhUT1ofsNHTPAPM0ds1XMTN
fRBmI5792zLIdYuQh1tC2Gn4xlteplGZ6mb2yASVvXjrlMD4phOwzrzvVguNgb7I
zxfa6eyC8/FEg+3EdstIAnA9TsX8YHhE6vlzp+m0h68ESV53viTFwG/iCbvCqGaz
8TTfsOSgXLDZAsZkjBOLINqLuDslyP3c8tE8g7QarMBKSNDNGRR/PQYPh7PZ1JKi
srdu9BtBBeJwhscxXkqrpwTonvF6IQTgwAsyxW3vItdwmy3Wlewg9aKw2JYkoI0o
ZcXmkKaTv2M=Uu+D
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2020-3541:01 Important: OpenShift Container Platform 3.11

An update for jenkins, jenkins-2-plugins, openshift-ansible, and python-rsa is now available for Red Hat OpenShift Container Platform 3.11

Summary

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. The Matrix Project is a module which handles creating Jenkins multi-configuration projects (matrix projects). Matrix Authorization allows configuring the lowest level permissions, such as starting new builds, configuring items, or deleting them, individually.
Python-RSA is a RSA implementation in Python. It can be used as a Python library as well as the commandline utility.
Ansible is a SSH-based configuration management, deployment, and task execution system. The openshift-ansible packages contain Ansible code and playbooks for installing and upgrading OpenShift Container Platform 3.
Security Fix(es):
* jenkins: Stored XSS vulnerability in job build time trend (CVE-2020-2220)
* jenkins: Stored XSS vulnerability in upstream cause (CVE-2020-2221)
* jenkins: Stored XSS vulnerability in 'keep forever' badge icons (CVE-2020-2222)
* jenkins: Stored XSS vulnerability in console links (CVE-2020-2223)
* jenkins-2-plugins/matrix-project: Stored XSS vulnerability in single axis builds tooltips (CVE-2020-2224)
* jenkins-2-plugins/matrix-project: Stored XSS vulnerability in multiple axis builds tooltips (CVE-2020-2225)
* jenkins-2-plugins/matrix-auth: Stored XSS vulnerability in Matrix Authorization Strategy Plugin (CVE-2020-2226)
* jenkins-jira-plugin: plugin information disclosure (CVE-2019-16541)
* python-rsa: decryption of ciphertext leads to DoS (CVE-2020-13757)
* openshift-ansible: cors allowed origin allows changing url protocol (CVE-2020-1741)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Summary

Solution

See the following documentation, which will be updated shortly for release 3.11.272, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

References

https://access.redhat.com/security/cve/CVE-2019-16541 https://access.redhat.com/security/cve/CVE-2020-1741 https://access.redhat.com/security/cve/CVE-2020-2220 https://access.redhat.com/security/cve/CVE-2020-2221 https://access.redhat.com/security/cve/CVE-2020-2222 https://access.redhat.com/security/cve/CVE-2020-2223 https://access.redhat.com/security/cve/CVE-2020-2224 https://access.redhat.com/security/cve/CVE-2020-2225 https://access.redhat.com/security/cve/CVE-2020-2226 https://access.redhat.com/security/cve/CVE-2020-13757 https://access.redhat.com/security/updates/classification/#important

Package List

Red Hat OpenShift Container Platform 3.11:
Source: jenkins-2-plugins-3.11.1597310986-1.el7.src.rpm jenkins-2.235.2.1597220898-1.el7.src.rpm openshift-ansible-3.11.272-1.git.0.79ab6e9.el7.src.rpm python-rsa-4.5-2.el7.src.rpm
noarch: jenkins-2-plugins-3.11.1597310986-1.el7.noarch.rpm jenkins-2.235.2.1597220898-1.el7.noarch.rpm openshift-ansible-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm openshift-ansible-docs-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm openshift-ansible-playbooks-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm openshift-ansible-roles-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm openshift-ansible-test-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm python2-rsa-4.5-2.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

Severity

Advisory ID: RHSA-2020:3541-01

Product: Red Hat OpenShift Enterprise

Advisory URL: https://access.redhat.com/errata/RHSA-2020:3541

Issued Date: : 2020-08-26

CVE Names: CVE-2019-16541 CVE-2020-1741 CVE-2020-2220 CVE-2020-2221 CVE-2020-2222 CVE-2020-2223 CVE-2020-2224 CVE-2020-2225 CVE-2020-2226 CVE-2020-13757

Topic

An update for jenkins, jenkins-2-plugins, openshift-ansible, and python-rsais now available for Red Hat OpenShift Container Platform 3.11.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.