-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 3.11.318 jenkins-2-plugins security update
Advisory ID:       RHSA-2020:5102-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5102
Issue date:        2020-11-17
CVE Names:         CVE-2020-2252 CVE-2020-2254 CVE-2020-2255 
====================================================================
1. Summary:

An update for jenkins-2-plugins is now available for Red Hat OpenShift
Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.11 - noarch

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* jenkins-2-plugins/mailer: Missing hostname validation in Mailer Plugin
could result in MITM (CVE-2020-2252)

* jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean
Plugin could allow to read arbitrary files (CVE-2020-2254)

* jenkins-2-plugins/blueocean: Blue Ocean Plugin does not perform
permission checks in several HTTP endpoints implementing connection tests
(CVE-2020-2255)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

See the following documentation, which will be updated shortly for this
release, for important instructions on how to upgrade your cluster and
fully
apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.

5. Bugs fixed (https://bugzilla.redhat.com/):

1880454 - CVE-2020-2252 jenkins-2-plugins/mailer: Missing hostname validation in Mailer Plugin could result in MITM
1880456 - CVE-2020-2254 jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean Plugin could allow to read arbitrary files
1880460 - CVE-2020-2255 jenkins-2-plugins/blueocean: Blue Ocean Plugin does not perform permission checks in several HTTP endpoints implementing connection tests.

6. Package List:

Red Hat OpenShift Container Platform 3.11:

Source:
jenkins-2-plugins-3.11.1603460090-1.el7.src.rpm

noarch:
jenkins-2-plugins-3.11.1603460090-1.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-2252
https://access.redhat.com/security/cve/CVE-2020-2254
https://access.redhat.com/security/cve/CVE-2020-2255
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX7NUM9zjgjWX9erEAQjayg//fqwPOJshflXoJ9n0cRQGdgNVtCRD1Kjt
dIQnoj++xqm864EWPXEm9CaJBhV0KuBwxyxns0OhkSC+q8O74F2LOBq+UJRYATZz
AWZCRhvNW2qX5lHMr8a43CaaEMYSKcwnmUXriHu4SoEtRSrcK2V9hudmakkom6Qy
12b73lQUJtDoIeZE6SDXqHiqhv0ecuiaQNWzUjQiqaJngI2RYHs4Mu3d5umK1xHO
JKRBRTEh8y23MUbDlnt93iYtAIlpaRX6LrSUnRhVcYMPxFvQxWx3fF4ABIbXsB6z
hFeWoLIQ6N2Y7es7paeQawdG5Np9DzBWCyRUUkis7Pkimjy8XiW54zH3SVUqS4LM
ro7lv7ijezN/kkhtFvMZx2IAzTipwrYO24z5JT0iRI0EDBRUX+MDg2Zks0+M8N3O
B4ho9wlr4fW/oxNn8noCNF272SXgxRRdyC1PIMC4KAyqT0nJPP434bjh9nsPBTMg
aLL5Z+CqabLYYepopH30bl9ymRxeBJA4JaT8luSuO0Epd3EY++oyS/QiKjbk+ZKU
z6gQp4M4Byl4op1Cg4DjJSZVL1DL2aApxR6W+22vUTrWAn8MTIHdWHCf+K/cPccI
DiSYuDb84ZeCCMPCuwdRZJAlBrxYE0cFAl0NwwRQLSZtrJwn16Km0w+bjBBOyavV
3kQVZV2EiVs=0JlV
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2020-5102:01 Moderate: OpenShift Container Platform 3.11.318

An update for jenkins-2-plugins is now available for Red Hat OpenShift Container Platform 3.11

Summary

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
* jenkins-2-plugins/mailer: Missing hostname validation in Mailer Plugin could result in MITM (CVE-2020-2252)
* jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean Plugin could allow to read arbitrary files (CVE-2020-2254)
* jenkins-2-plugins/blueocean: Blue Ocean Plugin does not perform permission checks in several HTTP endpoints implementing connection tests (CVE-2020-2255)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

See the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

References

https://access.redhat.com/security/cve/CVE-2020-2252 https://access.redhat.com/security/cve/CVE-2020-2254 https://access.redhat.com/security/cve/CVE-2020-2255 https://access.redhat.com/security/updates/classification/#moderate

Package List

Red Hat OpenShift Container Platform 3.11:
Source: jenkins-2-plugins-3.11.1603460090-1.el7.src.rpm
noarch: jenkins-2-plugins-3.11.1603460090-1.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2020:5102-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5102
Issued Date: : 2020-11-17
CVE Names: CVE-2020-2252 CVE-2020-2254 CVE-2020-2255

Topic

An update for jenkins-2-plugins is now available for Red Hat OpenShiftContainer Platform 3.11.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

Red Hat OpenShift Container Platform 3.11 - noarch


Bugs Fixed

1880454 - CVE-2020-2252 jenkins-2-plugins/mailer: Missing hostname validation in Mailer Plugin could result in MITM

1880456 - CVE-2020-2254 jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean Plugin could allow to read arbitrary files

1880460 - CVE-2020-2255 jenkins-2-plugins/blueocean: Blue Ocean Plugin does not perform permission checks in several HTTP endpoints implementing connection tests.


Related News

19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved