Explore top 10 tips to secure your open-source projects now. Read More
×
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: jenkins and jenkins-2-plugins security update Advisory ID: RHSA-2023:3622-01 Product: OpenShift Developer Tools and Services Advisory URL: https://access.redhat.com/errata/RHSA-2023:3622 Issue date: 2023-06-15 CVE Names: CVE-2022-29599 CVE-2022-30953 CVE-2022-30954 CVE-2023-1370 CVE-2023-1436 CVE-2023-20860 CVE-2023-20861 CVE-2023-27903 CVE-2023-27904 ==================================================================== 1. Summary: An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: OpenShift Developer Tools and Services for OCP 4.13 for RHEL 8 - noarch 3. Description: Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Security Fix(es): * maven-shared-utils: Command injection via Commandline class (CVE-2022-29599) * json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370) * springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860) * Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953) * Jenkins plugin: missingpermission checks in Blue Ocean Plugin (CVE-2022-30954) * jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436) * springframework: Spring Expression DoS Vulnerability (CVE-2023-20861) * Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903) * Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2066479 - CVE-2022-29599 maven-shared-utils: Command injection via Commandline class 2119646 - CVE-2022-30953 Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin 2119647 - CVE-2022-30954 Jenkins plugin: missing permission checks in Blue Ocean Plugin 2177632 - CVE-2023-27903 Jenkins: Temporary file parameter created with insecure permissions 2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents 2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern 2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability 2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray 2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) 6. Package List: OpenShift Developer Tools and Services for OCP 4.13 for RHEL 8: Source: jenkins-2-plugins-4.13.1686680473-1.el8.src.rpm jenkins-2.401.1.1686680404-3.el8.src.rpm noarch: jenkins-2-plugins-4.13.1686680473-1.el8.noarch.rpm jenkins-2.401.1.1686680404-3.el8.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signatureare available from https://access.redhat.com/security/team/key 7. References: https://access.redhat.com/security/cve/CVE-2022-29599 https://access.redhat.com/security/cve/CVE-2022-30953 https://access.redhat.com/security/cve/CVE-2022-30954 https://access.redhat.com/security/cve/CVE-2023-1370 https://access.redhat.com/security/cve/CVE-2023-1436 https://access.redhat.com/security/cve/CVE-2023-20860 https://access.redhat.com/security/cve/CVE-2023-20861 https://access.redhat.com/security/cve/CVE-2023-27903 https://access.redhat.com/security/cve/CVE-2023-27904 https://access.redhat.com/security/updates/classification#important https://docs.redhat.com/en/documentation/openshift_container_platform/4.13/html/jenkins/important-changes-to-openshift-jenkins-images 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZIsIV9zjgjWX9erEAQiXzxAAkFBO1PgaRFIdtMpH01UntLYY/Rw29jJg X3/b+Vk5btL5nt8WlFtR0CpTy4EKq9wEqLK976Er45NFGrgTFDNMDxwl0BESHdiq mXSzso57abdctD4yIfQBRAJD9ZeuiDVimx3b7OcjQaJf5uZ1E3764O2k2g8SdRXP 9SaKGs8g8nDSOtA21fTP7XxJQNrPuOcga6e/lTDniEh8VvbiEVm8l1O1Yu3Wbmn4 9py6r4AAe9OgzJ+iJvWq8IJLWA9iPH650IKWIN68ZmOyhPU7mGsekfXNrcFtMtTh D5loI7LuiNFv8ludLGB6b98osbk0m6XCYzbpUKCPq7EAmMzyPeeRXDzkxHCEywo4 ysnkGGapt2u4iYkcgrxRK0vYdF7CibWpgd6WglqZLQp/Q5HmFMOLMCtylcq9WbHs UQnNWjm6NvJWroLJXj6PadzzHzPHVgSLRm+O/Bb4ebiYlLGcem4BaAzdkK4Q4kpl G7QTsKYHyhHOiEd+6MfMjwYjWnESQ3MzgbA2+zAeTrZZkaP/zhhzEKm+PVJsqiN0 iwZl/vjqvgVRXWfTrwt8uKH+H2HSJsWfuLvqrJIzIvsSji1V4eUgZPKwdldq9zIq wrV1rePM63Zt+3tytZx6nIe97pRqqM1wKZIyVhrL38tU4RGjYRLGQIxYM7IWcMnl RYuXKRamsHk=/S5s -----END PGP SIGNATURE----- -- RHSA-announce mailing list
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: jenkins and jenkins-2-plugins security update Advisory ID: RHSA-2023:3610-01 Product: OpenShift Developer Tools and Services Advisory URL: https://access.redhat.com/errata/RHSA-2023:3610 Issue date: 2023-06-15 CVE Names: CVE-2021-46877 CVE-2022-29599 CVE-2022-30953 CVE-2022-30954 CVE-2022-40149 CVE-2022-40150 CVE-2022-41723 CVE-2022-45693 CVE-2023-1370 CVE-2023-20860 CVE-2023-20861 CVE-2023-24422 CVE-2023-32977 CVE-2023-32981 ==================================================================== 1. Summary: An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8 - noarch 3. Description: Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Security Fix(es): * maven-shared-utils: Command injection via Commandline class (CVE-2022-29599) * json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370) * springframework: Security Bypass With Un-Prefixed Double WildcardPattern (CVE-2023-20860) * jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422) * jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977) * jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877) * Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953) * Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954) * jettison: parser crash by stackoverflow (CVE-2022-40149) * net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) * jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693) * springframework: Spring Expression DoS Vulnerability (CVE-2023-20861) * jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981) * jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2066479 - CVE-2022-29599 maven-shared-utils: Command injection via Commandline class 2119646 - CVE-2022-30953 Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin 2119647 - CVE-2022-30954 Jenkins plugin: missing permission checks in Blue Ocean Plugin 2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data 2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow 2155970 - CVE-2022-45693 jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may leadto dos 2164278 - CVE-2023-24422 jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding 2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern 2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability 2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode 2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) 2207830 - CVE-2023-32977 jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin 2207835 - CVE-2023-32981 jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin 6. Package List: OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8: Source: jenkins-2-plugins-4.12.1686649756-1.el8.src.rpm jenkins-2.401.1.1686649641-3.el8.src.rpm noarch: jenkins-2-plugins-4.12.1686649756-1.el8.noarch.rpm jenkins-2.401.1.1686649641-3.el8.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7.References: https://access.redhat.com/security/cve/CVE-2021-46877 https://access.redhat.com/security/cve/CVE-2022-29599 https://access.redhat.com/security/cve/CVE-2022-30953 https://access.redhat.com/security/cve/CVE-2022-30954 https://access.redhat.com/security/cve/CVE-2022-40149 https://access.redhat.com/security/cve/CVE-2022-40150 https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2022-45693 https://access.redhat.com/security/cve/CVE-2023-1370 https://access.redhat.com/security/cve/CVE-2023-20860 https://access.redhat.com/security/cve/CVE-2023-20861 https://access.redhat.com/security/cve/CVE-2023-24422 https://access.redhat.com/security/cve/CVE-2023-32977 https://access.redhat.com/security/cve/CVE-2023-32981 https://access.redhat.com/security/updates/classification#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZIpfuNzjgjWX9erEAQgVTQ//RoKN2zjvmL/IsBBSk3Uxfv/mrixVhb1v kCZY6rPODxDExQ65zcu1cjvM6jTICDmqIBkZCLlVMrQC/zNTM9QnwGeF/tstuUEO Rz1jTC0N/8pPBHHQ6ngA/P4YX+X7nSwxDmE8oB9wPRBqMGdzNTQtyrELZ5tfUei/ pc1r71HcdJUih416Wj4qm5T7zyTvEdgyXUFHoOpkUHOOPx93b5l+iI8ZfSEnfmFW +3zck15+ffNZPnWLMkVXcwpq356e0jJUriZdpgDtS6pqfiLP/VxAZ3A7aPEtyJ2g SGolsN44ie/JbTLWNNe7xNTlgz8yBttn6TxekspUqxeoZxBPbFuzRJCmolp8VXJl jSwSiSL2uJ2HujNQLORfMndDgKy0cC/npnhHSOI8aXHtFdo69Qhlc0zAiY4951hS 6zwKeTQoY0Q6JgmaDqkgDM5bvR1L5T3KuLYEDmEuJz3hhS9j/1BBXJsgP2bLgG7q 9gYhxr8rpmGno9za+zqUqSP4qkfFgFmTaGz2frf8udaHo2GcSq8xkw/vi5N/QfwL MwAGzFX09P+YzMBFspBA1BxOYKdc0fnCUni18AzwnBXweAoi/hEsUpX/OUuV2xJj 7qwXyzxFXu5XNOOYAkn2S85OCACAI+EqPuv4QeQmJaQVXm2bHiDZyehcOveSR0Fp 2N2NeKUt0Tg=j0+7 -----END PGP SIGNATURE----- -- RHSA-announce mailing list
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: jenkins and jenkins-2-plugins security update Advisory ID: RHSA-2023:3299-01 Product: OpenShift Developer Tools and Services Advisory URL: https://access.redhat.com/errata/RHSA-2023:3299 Issue date: 2023-05-24 CVE Names: CVE-2020-7692 CVE-2021-4178 CVE-2021-46877 CVE-2022-22978 CVE-2022-40151 CVE-2022-40152 CVE-2022-42889 CVE-2023-24422 CVE-2023-24998 CVE-2023-25761 CVE-2023-25762 CVE-2023-27900 CVE-2023-27901 CVE-2023-27902 CVE-2023-27904 ==================================================================== 1. Summary: An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: OpenShift Developer Tools and Services for OCP 4.13 for RHEL 8 - noarch 3. Description: Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Security Fix(es): * apache-commons-text: variable interpolation RCE (CVE-2022-42889) * google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692) * jenkins-2-plugins/script-security:Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422) * kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178) * jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877) * springframework: Authorization Bypass in RegexRequestMatcher (CVE-2022-22978) * xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151) * woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152) * Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998) * jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761) * jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762) * Jenkins: Denial of Service attack (CVE-2023-27900) * Jenkins: Denial of Service attack (CVE-2023-27901) * Jenkins: Workspace temporary directories accessible through directory browser (CVE-2023-27902) * Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1856376 - CVE-2020-7692 google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization 2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method 2087606 - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher 2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks 2134292 - CVE-2022-40151 xstream: Xstream to serialiseXML data was vulnerable to Denial of Service attacks 2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE 2164278 - CVE-2023-24422 jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin 2170039 - CVE-2023-25761 jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin 2170041 - CVE-2023-25762 jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin 2172298 - CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts 2177630 - CVE-2023-27902 Jenkins: Workspace temporary directories accessible through directory browser 2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents 2177638 - CVE-2023-27900 Jenkins: Denial of Service attack 2177646 - CVE-2023-27901 Jenkins: Denial of Service attack 2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode 6. JIRA issues fixed (https://redhat.atlassian.net/jira/projects): PITEAM-10 - Release 4.13 Jenkins agent image PITEAM-9 - Release 4.13 Jenkins image 7. Package List: OpenShift Developer Tools and Services for OCP 4.13 for RHEL 8: Source: jenkins-2-plugins-4.13.1684911916-1.el8.src.rpm jenkins-2.387.3.1684911776-3.el8.src.rpm noarch: jenkins-2-plugins-4.13.1684911916-1.el8.noarch.rpm jenkins-2.387.3.1684911776-3.el8.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 8.References: https://access.redhat.com/security/cve/CVE-2020-7692 https://access.redhat.com/security/cve/CVE-2021-4178 https://access.redhat.com/security/cve/CVE-2021-46877 https://access.redhat.com/security/cve/CVE-2022-22978 https://access.redhat.com/security/cve/CVE-2022-40151 https://access.redhat.com/security/cve/CVE-2022-40152 https://access.redhat.com/security/cve/CVE-2022-42889 https://access.redhat.com/security/cve/CVE-2023-24422 https://access.redhat.com/security/cve/CVE-2023-24998 https://access.redhat.com/security/cve/CVE-2023-25761 https://access.redhat.com/security/cve/CVE-2023-25762 https://access.redhat.com/security/cve/CVE-2023-27900 https://access.redhat.com/security/cve/CVE-2023-27901 https://access.redhat.com/security/cve/CVE-2023-27902 https://access.redhat.com/security/cve/CVE-2023-27904 https://access.redhat.com/security/updates/classification#important 9. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZG5wWtzjgjWX9erEAQgFsg//YzF69fxifzUFd9jVJhsxmyAL5XcwVzke 0UWcIUOW50zakKhNb+2ka6V3wCt+PlLHhHheEAR0UqMdQ0JcdGMU+Er1P8IKB0Tu LdKoOBCgFdJ6aPpDD7dBMZaCd8pSYkqF/MVfFOoJKvH36M6AJKlAxSwWofGG3vI7 312EM3Mj2NFF79y3/EIKPjVRlz1pVYmXUtGNVe5R1+gXDbgyEv/e9w4pgUowxjTH KDFSsz4WVJJGj+GGWlKtI2JkfTGjGVcyEDZsFD+ppQbRJW/EBJtXXXKp30vu41WK s7Uw8rYJybFhvxdfHeOlchK++ep4NGDbCJHtB8ad45qckKpfHPPLQtvWX2VJw8YD 8Eej7F5mU7CzCD9vBdGuSFjXLPaJnQ9RBAgCO0dmT6zaFr2QJXyYR2qZLMKpL2JZ TP+Rx4cbPYD7WsFGEWiVBdPQHKVaghfda/7XO5Nk5g8KWZ55LwSYu5tJo/rQvNWS mAOk2B651gX3EvXzidlwPIhf0BVICxdfdDzq15bXINQtFvd8IN79Bn//vYa5yCZQ dO2qEc9nXIuObgjRgPeLs32qHsVP2FCiLbSq1RsT8S7PUQa/p7SZ+epq6c/HFnoT kO9UTUrJyXHL+4RKtlI6yyupuL0UfN0q44ewyzHPm2F7h+mnZVelTfUT9JFgFgnE Br5rCa9tQGQ=/O17 -----END PGP SIGNATURE----- -- RHSA-announce mailing list
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: jenkins and jenkins-2-plugins security update Advisory ID: RHSA-2023:3195-01 Product: OpenShift Developer Tools and Services Advisory URL: https://access.redhat.com/errata/RHSA-2023:3195 Issue date: 2023-05-17 CVE Names: CVE-2022-42889 CVE-2023-24422 CVE-2023-25761 CVE-2023-25762 CVE-2023-27903 CVE-2023-27904 ==================================================================== 1. Summary: An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8 - noarch 3. Description: Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Security Fix(es): * apache-commons-text: variable interpolation RCE (CVE-2022-42889) * jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422) * jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761) * jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762) * Jenkins: Temporary file parameter created with insecurepermissions (CVE-2023-27903) * Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE 2164278 - CVE-2023-24422 jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin 2170039 - CVE-2023-25761 jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin 2170041 - CVE-2023-25762 jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin 2177632 - CVE-2023-27903 Jenkins: Temporary file parameter created with insecure permissions 2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents 6. Package List: OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8: Source: jenkins-2-plugins-4.12.1683009955-1.el8.src.rpm jenkins-2.387.1.1683009767-3.el8.src.rpm noarch: jenkins-2-plugins-4.12.1683009955-1.el8.noarch.rpm jenkins-2.387.1.1683009767-3.el8.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7.References: https://access.redhat.com/security/cve/CVE-2022-42889 https://access.redhat.com/security/cve/CVE-2023-24422 https://access.redhat.com/security/cve/CVE-2023-25761 https://access.redhat.com/security/cve/CVE-2023-25762 https://access.redhat.com/security/cve/CVE-2023-27903 https://access.redhat.com/security/cve/CVE-2023-27904 https://access.redhat.com/security/updates/classification#important https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/jenkins/important-changes-to-openshift-jenkins-images 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZGa58dzjgjWX9erEAQip9w//UBL/dt2vE4XpmSQJfp6gkUvPQjdbUAmH nuozjZ+73t1bqA98GRVo6zpccPHTpzoN43SMYTcWbl49MAuSrSAXNTYO5L1RO97w B0RffO+yyfejfXnt/QsJzvCWEKWuICrOVzEry3iDpWjwU2tZT8K6cS/JeE0JuyDp OoZDHq2t7ke0Ew/tqiXXlafPI43ZSz93GdJ66bGXCmeCAFxOLj1V5Otn4j88RPVg PVgdcUGH4kCT0k0DN43gPN60hNRQh32Y9D6TKtgC/8AwJp3Vv+qOSM5rhCsLzh24 dpZHwGKGUARP976MNxmcwea74CYnhnjwZhUgQTCsTpPF3iMxw23Lv7W4M454DsSR qEiGqjY1RXM9iz6Cd05HCFS8UdWN46T2f02IEjOWpFDLqYueP8AtngWVBlHhZIq6 1P1/MqTAXrQ2DXL2JooBkyK3LSOkN0HVebSw4mIEitmgEM5wcgskJOYC/y9+fUxb 38SJQF/hqpZrl+uuQD7bZYnQrzHf9wHJq7wMOsTGHcc1pdPKY6TEV2H0QHb45uNS mn3uEzPKjJ0qU3IBOFKm4aoaC+cJ1WynZdlDwhAEwMU3PxtcSpEZCUS1d1omgBvd fssRVi6M0wQWgyorIiCSfgiwt7mkt0w+49DhkwiFzmdEPPT6lwzAAm/Up/nwmJuB p+xANTbizJ0=8o2E -----END PGP SIGNATURE----- -- RHSA-announce mailing list
An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Critical: OpenShift Developer Tools and Services for OCP 4.12 security update Advisory ID: RHSA-2023:1064-01 Product: OpenShift Developer Tools and Services Advisory URL: https://access.redhat.com/errata/RHSA-2023:1064 Issue date: 2023-03-06 CVE Names: CVE-2022-29047 CVE-2022-30952 CVE-2022-42003 CVE-2022-42004 CVE-2022-43401 CVE-2022-43402 CVE-2022-43403 CVE-2022-43404 CVE-2022-43405 CVE-2022-43406 CVE-2022-43407 CVE-2022-43408 CVE-2022-43409 CVE-2022-43410 CVE-2022-45047 ==================================================================== 1. Summary: An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8 - noarch 3. Description: Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Security Fix(es): * jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401) * jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402) *jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403) * jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404) * jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405) * jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406) * Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin (CVE-2022-29047) * jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407) * mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047) * Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952) * jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003) * jackson-databind: use of deeply nested arrays (CVE-2022-42004) * jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408) * jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409) * jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin (CVE-2022-43410) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly forthis release: https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/jenkins/important-changes-to-openshift-jenkins-images 5. Bugs fixed (https://bugzilla.redhat.com/): 2074855 - CVE-2022-29047 Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin 2119645 - CVE-2022-30952 Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays 2136369 - CVE-2022-43410 jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin 2136370 - CVE-2022-43406 jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin 2136374 - CVE-2022-43405 jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin 2136379 - CVE-2022-43402 jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin 2136381 - CVE-2022-43401 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin 2136382 - CVE-2022-43403 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin 2136383 - CVE-2022-43404 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin 2136386 - CVE-2022-43407 jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin 2136388 - CVE-2022-43408 jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin 2136391 - CVE-2022-43409 jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin 2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability 6. Package List: OpenShift Developer Tools andServices for OCP 4.12 for RHEL 8: Source: jenkins-2-plugins-4.12.1675702407-1.el8.src.rpm jenkins-2.361.4.1675702346-3.el8.src.rpm noarch: jenkins-2-plugins-4.12.1675702407-1.el8.noarch.rpm jenkins-2.361.4.1675702346-3.el8.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7. References: https://access.redhat.com/security/cve/CVE-2022-29047 https://access.redhat.com/security/cve/CVE-2022-30952 https://access.redhat.com/security/cve/CVE-2022-42003 https://access.redhat.com/security/cve/CVE-2022-42004 https://access.redhat.com/security/cve/CVE-2022-43401 https://access.redhat.com/security/cve/CVE-2022-43402 https://access.redhat.com/security/cve/CVE-2022-43403 https://access.redhat.com/security/cve/CVE-2022-43404 https://access.redhat.com/security/cve/CVE-2022-43405 https://access.redhat.com/security/cve/CVE-2022-43406 https://access.redhat.com/security/cve/CVE-2022-43407 https://access.redhat.com/security/cve/CVE-2022-43408 https://access.redhat.com/security/cve/CVE-2022-43409 https://access.redhat.com/security/cve/CVE-2022-43410 https://access.redhat.com/security/cve/CVE-2022-45047 https://access.redhat.com/security/updates/classification#critical 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBZAXcidzjgjWX9erEAQgupA//eFQlrAPyQGSP9g7NyP8IZknOMsnZ2NCn IQq00CAHWMdFgAGUHMNJZhOJ0eyS3iL4kSVgNSF0hIZgqh0tTT4ruJ7cujT4JApq ynrC7zUheiidSlQ70t0TAESlhIbUffw/VmdRmhXK8VU8P36718keuRO4t83PO/Rx eojx/uwQ7BIGBdhfU7RnQRbRu1AtiXSYTy40XUqk6sxdQ851ijs7iPd0HMGlbWgJ GyOCmKg7YyzUd52SG+YPFCxrhxwM+HNhX16+1xRIMzqPZiTzpaUBa9+27gUr8FyS GNbQ1kNd4TKE/EwNhUMjC/ILZLwsS57X1xeJwBKgjbScW1u1aM7hGaAc17i3HRZ2 KtbhjEE5bueCP7eck20HKjB746u4v6dysD+dzyDAnFLfVBA7VWH851TvhwR+UkjH PqWsWEx7b8SNwedTkb+oMoJbBB+XbjEUcxc9BxaZF7ntkUgACGiCruiCHYAYFxTV oa0cTQnjlgDIQLfxqvv9NNKEZ4SqG66kHM6AdxhYGa33FH8mN2pOgmOvLV4TzB+O M1HlgiO1OpXuyQ5u0Jc5j5A5onGlS7QPzQD7S4bDRxLlCnvkstiLMmgs0JT4ncGx lcy9D7Fv92rc2bFQB5fYELikR+JSjICgkwnOJsRq9c3W7Ii5OFKieSS1EUwli2/o fWzJftH69Ds=RJgw -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Red Hat OpenShift Container Platform release 3.11.569 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 3.11.569 security update Advisory ID: RHSA-2021:4827-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:4827 Issue date: 2021-12-02 CVE Names: CVE-2021-21685 CVE-2021-21686 CVE-2021-21687 CVE-2021-21688 CVE-2021-21689 CVE-2021-21690 CVE-2021-21691 CVE-2021-21692 CVE-2021-21693 CVE-2021-21694 CVE-2021-21695 CVE-2021-21696 CVE-2021-21697 CVE-2021-21698 ==================================================================== 1. Summary: Red Hat OpenShift Container Platform release 3.11.569 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 3.11 - noarch, ppc64le, x86_64 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Security Fix(es): * jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698) * jenkins: FilePath#mkdirs does not check permission to createparent directories (CVE-2021-21685) * jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories (CVE-2021-21686) * jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687) * jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688) * jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689) * jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path (CVE-2021-21690) * jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691) * jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692) * jenkins: When creating temporary files, permission to create files is only checked after they’ve been created. (CVE-2021-21693) * jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694) * jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. (CVE-2021-21695) * jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696) * jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, ensure all previously released errata relevant to your system is applied. See the following documentation, which will be updated shortly for release 3.11.569, for importantinstructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.redhat.com/en/documentation/openshift_container_platform/3.11/html/release_notes/release-notes-ocp-3-11-release-notes This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258. 5. Bugs fixed (https://bugzilla.redhat.com/): 1920894 - python2-urllib3: update 1.24.3 -> 1.26.2 for OCP breaks cloud-init ("Unable to get API token: None/latest/api/token") 2002671 - [3.11 backport] Improve logging-dump.sh (backport of LOG-1733) 2002909 - [Kuryr][3.11] dont block kuryr if one subnet runs out of IPs 2003491 - [Kuryr][3.11] Loadbalancer listener disappearing for an OpenShift services managed by Kuryr 2013496 - Kuryr-cni hitting > 1024 pid and crashing 2016467 - openshift-pipeline plugin gone missing in jenkins-2-rhel7:v3.11.462-3.git.10eb612 and newer 2020322 - CVE-2021-21685 jenkins: FilePath#mkdirs does not check permission to create parent directories 2020323 - CVE-2021-21686 jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories 2020324 - CVE-2021-21687 jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link 2020327 - CVE-2021-21688 jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access 2020335 - CVE-2021-21689 jenkins: FilePath#unzip and FilePath#untar were not subject to any access control 2020336 - CVE-2021-21690 jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path 2020338 - CVE-2021-21691 jenkins: Creating symbolic links is possible without the symlink permission 2020339 - CVE-2021-21692 jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path 2020341 - CVE-2021-21693jenkins: When creating temporary files, permission to create files is only checked after they’ve been created. 2020342 - CVE-2021-21694 jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions 2020343 - CVE-2021-21695 jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. 2020344 - CVE-2021-21696 jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin 2020345 - CVE-2021-21697 jenkins: Agent-to-controller access control allows reading/writing most content of build directories 2020385 - CVE-2021-21698 jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key 2026193 - Placeholder bug for OCP 3.11.z image release 6. Package List: Red Hat OpenShift Container Platform3.11: Source: atomic-enterprise-service-catalog-3.11.569-1.g2e6be86.el7.src.rpm atomic-openshift-3.11.569-1.git.0.9dc951a.el7.src.rpm atomic-openshift-cluster-autoscaler-3.11.569-1.g99b2acf.el7.src.rpm atomic-openshift-descheduler-3.11.569-1.gd435537.el7.src.rpm atomic-openshift-dockerregistry-3.11.569-1.g3571208.el7.src.rpm atomic-openshift-metrics-server-3.11.569-1.gf8bf728.el7.src.rpm atomic-openshift-node-problem-detector-3.11.569-1.gc8f26da.el7.src.rpm atomic-openshift-service-idler-3.11.569-1.g39cfc66.el7.src.rpm atomic-openshift-web-console-3.11.569-1.g3e485e6.el7.src.rpm golang-github-openshift-oauth-proxy-3.11.569-1.gedebe84.el7.src.rpm golang-github-prometheus-alertmanager-3.11.569-1.g13de638.el7.src.rpm golang-github-prometheus-node_exporter-3.11.569-1.g609cd20.el7.src.rpm golang-github-prometheus-prometheus-3.11.569-1.g99aae51.el7.src.rpm jenkins-2-plugins-3.11.1637699107-1.el7.src.rpm jenkins-2.303.3.1637698110-1.el7.src.rpm openshift-ansible-3.11.569-1.git.0.9620ba1.el7.src.rpm openshift-enterprise-autoheal-3.11.569-1.gf2f435d.el7.src.rpm openshift-enterprise-cluster-capacity-3.11.569-1.g22be164.el7.src.rpm openshift-kuryr-3.11.569-1.g0c4bf66.el7.src.rpm noarch: atomic-openshift-docker-excluder-3.11.569-1.git.0.9dc951a.el7.noarch.rpm atomic-openshift-excluder-3.11.569-1.git.0.9dc951a.el7.noarch.rpm jenkins-2-plugins-3.11.1637699107-1.el7.noarch.rpm jenkins-2.303.3.1637698110-1.el7.noarch.rpm openshift-ansible-3.11.569-1.git.0.9620ba1.el7.noarch.rpm openshift-ansible-docs-3.11.569-1.git.0.9620ba1.el7.noarch.rpm openshift-ansible-playbooks-3.11.569-1.git.0.9620ba1.el7.noarch.rpm openshift-ansible-roles-3.11.569-1.git.0.9620ba1.el7.noarch.rpm openshift-ansible-test-3.11.569-1.git.0.9620ba1.el7.noarch.rpm openshift-kuryr-cni-3.11.569-1.g0c4bf66.el7.noarch.rpm openshift-kuryr-common-3.11.569-1.g0c4bf66.el7.noarch.rpm openshift-kuryr-controller-3.11.569-1.g0c4bf66.el7.noarch.rpm python2-kuryr-kubernetes-3.11.569-1.g0c4bf66.el7.noarch.rpm ppc64le: atomic-enterprise-service-catalog-3.11.569-1.g2e6be86.el7.ppc64le.rpm atomic-enterprise-service-catalog-svcat-3.11.569-1.g2e6be86.el7.ppc64le.rpm atomic-openshift-3.11.569-1.git.0.9dc951a.el7.ppc64le.rpm atomic-openshift-clients-3.11.569-1.git.0.9dc951a.el7.ppc64le.rpm atomic-openshift-cluster-autoscaler-3.11.569-1.g99b2acf.el7.ppc64le.rpm atomic-openshift-descheduler-3.11.569-1.gd435537.el7.ppc64le.rpm atomic-openshift-hyperkube-3.11.569-1.git.0.9dc951a.el7.ppc64le.rpm atomic-openshift-hypershift-3.11.569-1.git.0.9dc951a.el7.ppc64le.rpm atomic-openshift-master-3.11.569-1.git.0.9dc951a.el7.ppc64le.rpm atomic-openshift-metrics-server-3.11.569-1.gf8bf728.el7.ppc64le.rpm atomic-openshift-node-3.11.569-1.git.0.9dc951a.el7.ppc64le.rpm atomic-openshift-node-problem-detector-3.11.569-1.gc8f26da.el7.ppc64le.rpm atomic-openshift-pod-3.11.569-1.git.0.9dc951a.el7.ppc64le.rpm atomic-openshift-sdn-ovs-3.11.569-1.git.0.9dc951a.el7.ppc64le.rpm atomic-openshift-service-idler-3.11.569-1.g39cfc66.el7.ppc64le.rpm atomic-openshift-template-service-broker-3.11.569-1.git.0.9dc951a.el7.ppc64le.rpm atomic-openshift-tests-3.11.569-1.git.0.9dc951a.el7.ppc64le.rpm atomic-openshift-web-console-3.11.569-1.g3e485e6.el7.ppc64le.rpm golang-github-openshift-oauth-proxy-3.11.569-1.gedebe84.el7.ppc64le.rpm openshift-enterprise-autoheal-3.11.569-1.gf2f435d.el7.ppc64le.rpm openshift-enterprise-cluster-capacity-3.11.569-1.g22be164.el7.ppc64le.rpm prometheus-3.11.569-1.g99aae51.el7.ppc64le.rpm prometheus-alertmanager-3.11.569-1.g13de638.el7.ppc64le.rpm prometheus-node-exporter-3.11.569-1.g609cd20.el7.ppc64le.rpm x86_64: atomic-enterprise-service-catalog-3.11.569-1.g2e6be86.el7.x86_64.rpm atomic-enterprise-service-catalog-svcat-3.11.569-1.g2e6be86.el7.x86_64.rpm atomic-openshift-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm atomic-openshift-clients-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm atomic-openshift-clients-redistributable-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm atomic-openshift-cluster-autoscaler-3.11.569-1.g99b2acf.el7.x86_64.rpm atomic-openshift-descheduler-3.11.569-1.gd435537.el7.x86_64.rpm atomic-openshift-dockerregistry-3.11.569-1.g3571208.el7.x86_64.rpm atomic-openshift-hyperkube-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm atomic-openshift-hypershift-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm atomic-openshift-master-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm atomic-openshift-metrics-server-3.11.569-1.gf8bf728.el7.x86_64.rpm atomic-openshift-node-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm atomic-openshift-node-problem-detector-3.11.569-1.gc8f26da.el7.x86_64.rpm atomic-openshift-pod-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm atomic-openshift-sdn-ovs-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm atomic-openshift-service-idler-3.11.569-1.g39cfc66.el7.x86_64.rpm atomic-openshift-template-service-broker-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm atomic-openshift-tests-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm atomic-openshift-web-console-3.11.569-1.g3e485e6.el7.x86_64.rpm golang-github-openshift-oauth-proxy-3.11.569-1.gedebe84.el7.x86_64.rpm openshift-enterprise-autoheal-3.11.569-1.gf2f435d.el7.x86_64.rpm openshift-enterprise-cluster-capacity-3.11.569-1.g22be164.el7.x86_64.rpm prometheus-3.11.569-1.g99aae51.el7.x86_64.rpm prometheus-alertmanager-3.11.569-1.g13de638.el7.x86_64.rpm prometheus-node-exporter-3.11.569-1.g609cd20.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7.References: https://access.redhat.com/security/cve/CVE-2021-21685 https://access.redhat.com/security/cve/CVE-2021-21686 https://access.redhat.com/security/cve/CVE-2021-21687 https://access.redhat.com/security/cve/CVE-2021-21688 https://access.redhat.com/security/cve/CVE-2021-21689 https://access.redhat.com/security/cve/CVE-2021-21690 https://access.redhat.com/security/cve/CVE-2021-21691 https://access.redhat.com/security/cve/CVE-2021-21692 https://access.redhat.com/security/cve/CVE-2021-21693 https://access.redhat.com/security/cve/CVE-2021-21694 https://access.redhat.com/security/cve/CVE-2021-21695 https://access.redhat.com/security/cve/CVE-2021-21696 https://access.redhat.com/security/cve/CVE-2021-21697 https://access.redhat.com/security/cve/CVE-2021-21698 https://access.redhat.com/security/updates/classification#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYamHENzjgjWX9erEAQhIsQ/+Pl2DBNxEvV9n9oItyknJ2Tl5eK6r9MM9 S7M9SZa/tBoEzz+CfD2AfZ1zHtlrxVY8yyuu6PPatQeoUpmaISKiNZpLACBi6x2v HMvEhRQ2xsCFDljIXlICP9u7pJ0Akh+0HroWC1UszNFe0by8iruJievShdQcOALf JtHJK+QMuirbY03Acls3YIbxQZfqUr4U7R0wVmgHbwDlRl/c/1MwLeJy7ovGXC5w lCAu8Lf1uKY7jQZxjubsWIWkT/zDcGgpBxa6fQPdjd2BooUpHfN5f2xN7v0r51Ov MxnhMefJICI3CWOYovVmJN0o9xns8wpqZnvmiBf6xbLpxN7ZnTrkrrEAW5dv4COp 7E94ETARqmr0B7u6PDnAe89+G9LkyfqdeSulLrELhoBlSSRlyyyjQJXfyAGD9zBF 5Di4hAedUYBMrp7XzOd5Yt3hcbbRXTA6tnizVl0DR//XLpaelsG0JjGmEceEWY7T 1oDlw0d5YbHmYdZEeS+E5rEJNBZaczM3O0zy1hKkos1Rha2I8tLQqETXXTwv9irm M6Qjwmz8eCJ2usIi5F+Po/ZlG7vV6wNSoyderxvNHAiNy8S/zlcW0yVUtYYF1Pw/ lUiMIlmQdgy+2oXRrsTtGgouocfV+LH+3EvBnAljzuk9qKZUAJs9nUbA3b83dbK0 ggS4dZtcycw=NKEn -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Red Hat OpenShift Container Platform release 4.6.51 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.6.51 packages and security update Advisory ID: RHSA-2021:4799-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:4799 Issue date: 2021-12-02 CVE Names: CVE-2021-21685 CVE-2021-21686 CVE-2021-21687 CVE-2021-21688 CVE-2021-21689 CVE-2021-21690 CVE-2021-21691 CVE-2021-21692 CVE-2021-21693 CVE-2021-21694 CVE-2021-21695 CVE-2021-21696 CVE-2021-21697 CVE-2021-21698 ==================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.6.51 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 4.6 - noarch, ppc64le, s390x, x86_64 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.51. See the following advisory for the container images for thisrelease: https://access.redhat.com/errata/RHBA-2021:4800 Security Fix(es): * jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698) * jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685) * jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories (CVE-2021-21686) * jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687) * jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688) * jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689) * jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path (CVE-2021-21690) * jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691) * jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692) * jenkins: When creating temporary files, permission to create files is only checked after they’ve been created. (CVE-2021-21693) * jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694) * jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. (CVE-2021-21695) * jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696) * jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section. All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at 4. Solution: For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.redhat.com/en/documentation/openshift_container_platform/4.6/html/release_notes/ocp-4-6-release-notes Details on how to access this content are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.6/html/updating_clusters/updating-cluster-cli 5. Bugs fixed (https://bugzilla.redhat.com/): 2020322 - CVE-2021-21685 jenkins: FilePath#mkdirs does not check permission to create parent directories 2020323 - CVE-2021-21686 jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories 2020324 - CVE-2021-21687 jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link 2020327 - CVE-2021-21688 jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access 2020335 - CVE-2021-21689 jenkins: FilePath#unzip and FilePath#untar were not subject to any access control 2020336 - CVE-2021-21690 jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path 2020338 - CVE-2021-21691 jenkins: Creating symbolic links is possible without the symlink permission 2020339 - CVE-2021-21692 jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path 2020341 - CVE-2021-21693 jenkins: When creating temporary files, permission to create files isonly checked after they’ve been created. 2020342 - CVE-2021-21694 jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions 2020343 - CVE-2021-21695 jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. 2020344 - CVE-2021-21696 jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin 2020345 - CVE-2021-21697 jenkins: Agent-to-controller access control allows reading/writing most content of build directories 2020385 - CVE-2021-21698 jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key 6. Package List: Red Hat OpenShift Container Platform 4.6: Source: openshift-4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.src.rpm x86_64: openshift-hyperkube-4.6.0-202111100230.p0.git.6063298.assembly.stream.el7.x86_64.rpm Red Hat OpenShift Container Platform 4.6: Source: jenkins-2-plugins-4.6.1637602169-1.el8.src.rpm jenkins-2.303.3.1637597493-1.el8.src.rpm openshift-4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.src.rpm openshift-kuryr-4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.src.rpm noarch: jenkins-2-plugins-4.6.1637602169-1.el8.noarch.rpm jenkins-2.303.3.1637597493-1.el8.noarch.rpm openshift-kuryr-cni-4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch.rpm openshift-kuryr-common-4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch.rpm openshift-kuryr-controller-4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch.rpm python3-kuryr-kubernetes-4.6.0-202111041131.p0.git.7c5a4f7.assembly.stream.el8.noarch.rpm ppc64le: openshift-hyperkube-4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.ppc64le.rpm s390x: openshift-hyperkube-4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.s390x.rpm x86_64: openshift-hyperkube-4.6.0-202111100230.p0.git.6063298.assembly.stream.el8.x86_64.rpm These packages areGPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7. References: https://access.redhat.com/security/cve/CVE-2021-21685 https://access.redhat.com/security/cve/CVE-2021-21686 https://access.redhat.com/security/cve/CVE-2021-21687 https://access.redhat.com/security/cve/CVE-2021-21688 https://access.redhat.com/security/cve/CVE-2021-21689 https://access.redhat.com/security/cve/CVE-2021-21690 https://access.redhat.com/security/cve/CVE-2021-21691 https://access.redhat.com/security/cve/CVE-2021-21692 https://access.redhat.com/security/cve/CVE-2021-21693 https://access.redhat.com/security/cve/CVE-2021-21694 https://access.redhat.com/security/cve/CVE-2021-21695 https://access.redhat.com/security/cve/CVE-2021-21696 https://access.redhat.com/security/cve/CVE-2021-21697 https://access.redhat.com/security/cve/CVE-2021-21698 https://access.redhat.com/security/updates/classification#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYakvvNzjgjWX9erEAQjh+A/9FKWwooNtF3IjgMIA3XrSngqn0hSRtHWS IYHYy1rj7ZM+8+r8M4GrZKd0oR7twoek2ml3VVVCRs4AIUTggZmzIOk7/M9P1iM+ nfrqbAXWA8CvxBxU+Z8uRsafnFhdqqI/V2daB3VaLwwxeYOyrB0dOLRubme9is8C S8dtxFPYwikcuLdGtW78Vbwp7v16HO6RG0G2RTL8sfA+zpF+OaEAQ2iX2oqbL6Jk YZxWltUMLBqwcFdTPOLpYiNBc9pHLAXhEKo2dpKqv6p3iYwWAzaXckSvkyeKkBh5 Xdk0HQgzYa03qG+Z108se4jVL7UKESWUzIak1Q3HPRn68q+wTe7r18V3fIiLPGvv 6H2JtxnMnLxE/POy5Ymi6M6gBS8gFzrABPfJJzEqSpcwVu59SlshWL8RxuoeQ7z0 Z1pSrW6pgdS9CmXbD8+eJ57lPwUTnU3cTQBVycMZ9nP8IzJfgpL21SCi3EJIAH6+ p1JyvaAtGrSnVFfdvZoY17HJZgrBa1hdY1Jwfqy0eaKGb9616DFZAM1Hc+rPmak6 0KD8lMbI4exe14tTfh2Nv7LoMS7RyEV49O6N+sz8HysXXUcdXkRiKgae1uTQGN73 oYH8wO3FoTZYvywoW6bszp8VIbXBWjsxYTK4Qk0t/4FVfdemC7B+yFdALowHdga8 MDpgiFiPGv0=Gab1 -----END PGP SIGNATURE----- -- RHSA-announce mailing list
The package jenkins before version 2.319-1 is vulnerable to multiple issues including arbitrary filesystem access and sandbox escape. . Arch Linux Security Advisory ASA-202111-1 ======================================== Severity: Critical Date : 2021-11-05 CVE-ID : CVE-2021-21685 CVE-2021-21686 CVE-2021-21687 CVE-2021-21688 CVE-2021-21689 CVE-2021-21690 CVE-2021-21691 CVE-2021-21692 CVE-2021-21693 CVE-2021-21694 CVE-2021-21695 CVE-2021-21696 CVE-2021-21697 Package : jenkins Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-2526 Summary ====== The package jenkins before version 2.319-1 is vulnerable to multiple issues including arbitrary filesystem access and sandbox escape. Resolution ========= Upgrade to 2.319-1. # pacman -Syu "jenkins> =2.319-1" The problems have been fixed upstream in version 2.319. Workaround ========= If you are unable to immediately upgrade to Jenkins 2.319 right away, you can install the Remoting Security Workaround Plugin. It will prevent all agent-to-controller file access using FilePath APIs. Because it is more restrictive than Jenkins 2.319, more plugins are incompatible with it. Make sure to read the plugin documentation before installing it. Description ========== - CVE-2021-21685 (arbitrary filesystem access) A security issue has been found in Jenkins before version 2.319. FilePath#mkdirs does not check permission to create parent directories. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems. - CVE-2021-21686 (arbitrary filesystem access) A security issue has been found in Jenkins before version 2.319. File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain someinformation about Jenkins controller file systems. - CVE-2021-21687 (arbitrary filesystem access) A security issue has been found in Jenkins before version 2.319. FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems. - CVE-2021-21688 (arbitrary filesystem access) A security issue has been found in Jenkins before version 2.319. FilePath#reading(FileVisitor) does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, #copyRecursiveTo). This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems. - CVE-2021-21689 (arbitrary filesystem access) A security issue has been found in Jenkins before version 2.319. FilePath#unzip and FilePath#untar were not subject to any access control. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems. - CVE-2021-21690 (arbitrary filesystem access) A security issue has been found in Jenkins before version 2.319. Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems. - CVE-2021-21691 (arbitrary filesystem access) A security issue has been found in Jenkins before version 2.319. Creating symbolic links is possible without the symlink permission. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems. -CVE-2021-21692 (arbitrary filesystem access) A security issue has been found in Jenkins before version 2.319. The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems. - CVE-2021-21693 (arbitrary filesystem access) A security issue has been found in Jenkins before version 2.319. When creating temporary files, permission to create files is only checked after they’ve been created. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems. - CVE-2021-21694 (arbitrary filesystem access) A security issue has been found in Jenkins before version 2.319. FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems. - CVE-2021-21695 (arbitrary filesystem access) A security issue has been found in Jenkins before version 2.319. FilePath#listFiles lists files outside directories with agent read access when following symbolic links. This allows agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems. - CVE-2021-21696 (sandbox escape) Jenkins before version 2.319 does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This directory is used by the "Pipeline: Shared Groovy Libraries" Plugin to store copies of shared libraries. This allows attackers in control of agent processes to replace the code of a trusted library with a modified variant, resulting inunsandboxed code execution in the Jenkins controller process. Jenkins 2.319 prohibits agent read/write access to the libs/ directory inside build directories. - CVE-2021-21697 (arbitrary filesystem access) Agents are allowed some limited access to files on the Jenkins controller file system. The directories agents are allowed to access in Jenkins before 2.319 include the directories storing build-related information, intended to allow agents to store build-related metadata during build execution. As a consequence, this allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions (build.xml and some Pipeline-related metadata). Jenkins 2.319 prevents agents from accessing contents of build directories unless it’s for builds currently running on the agent attempting to access the directory. Impact ===== Agent processes could read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems. References ========= https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2455 https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2423 https://www.jenkins.io/security/advisory/2021-11-04/#SECURITY-2428 https://security.archlinux.org/CVE-2021-21685 https://security.archlinux.org/CVE-2021-21686 https://security.archlinux.org/CVE-2021-21687 https://security.archlinux.org/CVE-2021-21688 https://security.archlinux.org/CVE-2021-21689 https://security.archlinux.org/CVE-2021-21690 https://security.archlinux.org/CVE-2021-21691 https://security.archlinux.org/CVE-2021-21692 https://security.archlinux.org/CVE-2021-21693 https://security.archlinux.org/CVE-2021-21694 https://security.archlinux.org/CVE-2021-21695 https://security.archlinux.org/CVE-2021-21696 https://security.archlinux.org/CVE-2021-21697 . Arch Linux Security Notification regarding Jenkins flaws linked to severe file system exposure and sandbox breaching vulnerabilities.. ArchLinux, Jenkins, Security Advisory, Filesystem Access, Sandbox Escape. . Severity: Critical. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.