-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0755
   Important: Red Hat OpenShift Enterprise 2.2.9 security, bug fix, and
                             enhancement update
                               23 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Enterprise
Publisher:         Red Hat
Operating System:  Red Hat Virtualisation
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-8103 CVE-2015-7539 CVE-2015-7538 CVE-2015-7537
                   CVE-2015-5326 CVE-2015-5325 CVE-2015-5324 CVE-2015-5323
                   CVE-2015-5322 CVE-2015-5321 CVE-2015-5320 CVE-2015-5319
                   CVE-2015-5318 CVE-2015-5317 CVE-2015-5254
Reference:         ESB-2016.0729
                   ESB-2016.0685
                   ESB-2016.0182
                   ESB-2015.2817

Original Bulletin:
   https://rhn.redhat.com/errata/RHSA-2016-0489.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Enterprise 2.2.9 security, bug fix, and enhancement update
Advisory ID:       RHSA-2016:0489-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-0489.html
Issue date:        2016-03-22
CVE Names:         CVE-2015-5254 CVE-2015-5317 CVE-2015-5318 CVE-2015-5319
                   CVE-2015-5320 CVE-2015-5321 CVE-2015-5322 CVE-2015-5323
                   CVE-2015-5324 CVE-2015-5325 CVE-2015-5326 CVE-2015-7537
                   CVE-2015-7538 CVE-2015-7539 CVE-2015-8103
=====================================================================

1. Summary:

Red Hat OpenShift Enterprise release 2.2.9, which fixes several security
issues, fixes several bugs, and introduces feature enhancements, is now
available.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the CVE
links in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Enterprise Client 2.2 - noarch
Red Hat OpenShift Enterprise Infrastructure 2.2 - noarch, x86_64
Red Hat OpenShift Enterprise Node 2.2 - noarch, x86_64

3. Description:

OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

The following security issues are addressed with this release:

It was found that ActiveMQ did not safely handle user supplied data when
deserializing objects. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the ActiveMQ application.
(CVE-2015-5254)

The Jenkins Continuous Integration Server has also been updated to address
a large number of security issues, including XSS, CSRF, information
disclosure, and code execution. (CVE-2015-5317, CVE-2015-5318,
CVE-2015-5319, CVE-2015-5320, CVE-2015-5321, CVE-2015-5322, CVE-2015-5323,
CVE-2015-5324, CVE-2015-5325, CVE-2015-5326, CVE-2015-7537, CVE-2015-7538,
CVE-2015-7539, CVE-2015-8103)

Space precludes documenting all of the bug fixes in this advisory. See the
OpenShift Enterprise Technical Notes, which will be updated shortly for
release 2.2.9, for details about these changes:

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Technical_Notes/index.html

All OpenShift Enterprise 2 users are advised to upgrade to these updated
packages.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

See the OpenShift Enterprise 2.2 Release Notes, which will be updated
shortly for release 2.2.9, for important instructions on how to fully apply
this asynchronous errata update:

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/2.2_Release_Notes/index.html#chap-Asynchronous_Errata_Updates

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1111456 - jenkin app will be created as default small gear size when user create app with --enable-jenkins and non-default gear-size
1140816 - oo-admin-ctl-district missing documentation for listing districts
1160934 - "oo-admin-ctl-gears stopgear" failed to stop idled gear
1168480 - Should prompt correct information when execute oo-admin-ctl-user --addgearsize $invalid value
1169690 - Webconsole should show warning info when add cartridge as quota used up to QUOTA_WARNING_PERCENT
1265423 - .gitconfig is not configurable for application create
1265811 - oo-accept-node reports a quota failures when a loop device is used.
1279584 - Users have nil value for resulting in failed oo-admin-repair
1282359 - CVE-2015-5317 jenkins: Project name disclosure via fingerprints (SECURITY-153)
1282361 - CVE-2015-5318 jenkins: Public value used for CSRF protection salt (SECURITY-169)
1282362 - CVE-2015-5319 jenkins: XXE injection into job configurations via CLI (SECURITY-173)
1282363 - CVE-2015-5320 jenkins: Secret key not verified when connecting a slave (SECURITY-184)
1282364 - CVE-2015-5321 jenkins: Information disclosure via sidepanel (SECURITY-192)
1282365 - CVE-2015-5322 jenkins: Local file inclusion vulnerability (SECURITY-195)
1282366 - CVE-2015-5323 jenkins: API tokens of other users available to admins (SECURITY-200)
1282367 - CVE-2015-5324 jenkins: Queue API did show items not visible to the current user (SECURITY-186)
1282368 - CVE-2015-5325 jenkins: JNLP slaves not subject to slave-to-master access control (SECURITY-206)
1282369 - CVE-2015-5326 jenkins: Stored XSS vulnerability in slave offline status message (SECURITY-214)
1282371 - CVE-2015-8103 jenkins: Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting (SECURITY-218)
1283372 - oo-admin-gear man page displays wrong option
1291292 - CVE-2015-5254 activemq: unsafe deserialization
1291795 - CVE-2015-7537 jenkins: CSRF vulnerability in some administrative actions (SECURITY-225)
1291797 - CVE-2015-7538 jenkins: CSRF protection ineffective (SECURITY-233)
1291798 - CVE-2015-7539 jenkins: Jenkins plugin manager vulnerable to MITM attacks (SECURITY-234)
1294513 - oo-diagnostics test_enterprise_rpms fails for nodejs010-nodejs-debug
1299014 - [RFE] Configuration setting to set cipher on Openshift node web proxy
1299095 - oo-diagnostic error on broker No such file or directory - /etc/openshift/env/OPENSHIFT_BROKER_HOST
1302787 - Node web proxy configuration file is overwritten upon update
1305688 - oo-accept-broker incorrectly parses MONGO_HOST_PORT individual host and ports
1307174 - rhc ssh <appname> does not respect PATH env variable, nor the --ssh PATH option
1307175 - oo-accept-node does not validate whether threads are in cgroups
1308716 - rhc snapshot save different app with the same name in the same dir didn't prompt conflict information
1308718 - It is better to return meaningful error message when do ssh in head gear of scalable app with incorrect user id or ssh url
1308720 - Unable to deploy Drupal
1308722 - Django quickstart can't bind address
1308739 - It will not validate the deployment type when do app deploy via REST API
1310247 - New configuration item, TRAFFIC_CONTROL_DEVS
1310266 - https using letsencrypt has B rating - chain incomplete
1310841 - Fix zsh autocompletion for rhc
1314535 - oo-admin-repair-node,oo-admin-ctl-iptables-port-proxy and oo-admin-ctl-tc has no man page
1314546 - Python cartridge doesn't stop deploy process when it failed to install packages (It is different from behavior of other cartridges)

6. Package List:

Red Hat OpenShift Enterprise Client 2.2:

Source:
rhc-1.38.6.1-1.el6op.src.rpm

noarch:
rhc-1.38.6.1-1.el6op.noarch.rpm

Red Hat OpenShift Enterprise Infrastructure 2.2:

Source:
activemq-5.9.0-6.redhat.611454.el6op.src.rpm
openshift-enterprise-upgrade-2.2.9-1.el6op.src.rpm
openshift-origin-broker-util-1.37.5.3-1.el6op.src.rpm
rubygem-openshift-origin-common-1.29.5.2-1.el6op.src.rpm
rubygem-openshift-origin-console-1.35.5.1-1.el6op.src.rpm
rubygem-openshift-origin-controller-1.38.5.1-1.el6op.src.rpm

noarch:
openshift-enterprise-release-2.2.9-1.el6op.noarch.rpm
openshift-enterprise-upgrade-broker-2.2.9-1.el6op.noarch.rpm
openshift-enterprise-yum-validator-2.2.9-1.el6op.noarch.rpm
openshift-origin-broker-util-1.37.5.3-1.el6op.noarch.rpm
rubygem-openshift-origin-common-1.29.5.2-1.el6op.noarch.rpm
rubygem-openshift-origin-console-1.35.5.1-1.el6op.noarch.rpm
rubygem-openshift-origin-controller-1.38.5.1-1.el6op.noarch.rpm

x86_64:
activemq-5.9.0-6.redhat.611454.el6op.x86_64.rpm
activemq-client-5.9.0-6.redhat.611454.el6op.x86_64.rpm

Red Hat OpenShift Enterprise Node 2.2:

Source:
activemq-5.9.0-6.redhat.611454.el6op.src.rpm
jenkins-1.625.3-1.el6op.src.rpm
openshift-enterprise-upgrade-2.2.9-1.el6op.src.rpm
openshift-origin-cartridge-cron-1.25.2.1-1.el6op.src.rpm
openshift-origin-cartridge-haproxy-1.31.5.1-1.el6op.src.rpm
openshift-origin-cartridge-mysql-1.31.2.1-1.el6op.src.rpm
openshift-origin-cartridge-php-1.35.3.1-1.el6op.src.rpm
openshift-origin-cartridge-python-1.34.2.1-1.el6op.src.rpm
openshift-origin-msg-node-mcollective-1.30.2.1-1.el6op.src.rpm
openshift-origin-node-proxy-1.26.2.1-1.el6op.src.rpm
openshift-origin-node-util-1.38.6.2-1.el6op.src.rpm
php-5.3.3-46.el6_7.1.src.rpm
rubygem-openshift-origin-common-1.29.5.2-1.el6op.src.rpm
rubygem-openshift-origin-frontend-apache-vhost-0.13.2.1-1.el6op.src.rpm
rubygem-openshift-origin-node-1.38.5.3-1.el6op.src.rpm

noarch:
jenkins-1.625.3-1.el6op.noarch.rpm
openshift-enterprise-release-2.2.9-1.el6op.noarch.rpm
openshift-enterprise-upgrade-node-2.2.9-1.el6op.noarch.rpm
openshift-enterprise-yum-validator-2.2.9-1.el6op.noarch.rpm
openshift-origin-cartridge-cron-1.25.2.1-1.el6op.noarch.rpm
openshift-origin-cartridge-haproxy-1.31.5.1-1.el6op.noarch.rpm
openshift-origin-cartridge-mysql-1.31.2.1-1.el6op.noarch.rpm
openshift-origin-cartridge-php-1.35.3.1-1.el6op.noarch.rpm
openshift-origin-cartridge-python-1.34.2.1-1.el6op.noarch.rpm
openshift-origin-msg-node-mcollective-1.30.2.1-1.el6op.noarch.rpm
openshift-origin-node-proxy-1.26.2.1-1.el6op.noarch.rpm
openshift-origin-node-util-1.38.6.2-1.el6op.noarch.rpm
rubygem-openshift-origin-common-1.29.5.2-1.el6op.noarch.rpm
rubygem-openshift-origin-frontend-apache-vhost-0.13.2.1-1.el6op.noarch.rpm
rubygem-openshift-origin-node-1.38.5.3-1.el6op.noarch.rpm

x86_64:
activemq-client-5.9.0-6.redhat.611454.el6op.x86_64.rpm
php-bcmath-5.3.3-46.el6_7.1.x86_64.rpm
php-debuginfo-5.3.3-46.el6_7.1.x86_64.rpm
php-devel-5.3.3-46.el6_7.1.x86_64.rpm
php-fpm-5.3.3-46.el6_7.1.x86_64.rpm
php-imap-5.3.3-46.el6_7.1.x86_64.rpm
php-intl-5.3.3-46.el6_7.1.x86_64.rpm
php-mbstring-5.3.3-46.el6_7.1.x86_64.rpm
php-process-5.3.3-46.el6_7.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-5254
https://access.redhat.com/security/cve/CVE-2015-5317
https://access.redhat.com/security/cve/CVE-2015-5318
https://access.redhat.com/security/cve/CVE-2015-5319
https://access.redhat.com/security/cve/CVE-2015-5320
https://access.redhat.com/security/cve/CVE-2015-5321
https://access.redhat.com/security/cve/CVE-2015-5322
https://access.redhat.com/security/cve/CVE-2015-5323
https://access.redhat.com/security/cve/CVE-2015-5324
https://access.redhat.com/security/cve/CVE-2015-5325
https://access.redhat.com/security/cve/CVE-2015-5326
https://access.redhat.com/security/cve/CVE-2015-7537
https://access.redhat.com/security/cve/CVE-2015-7538
https://access.redhat.com/security/cve/CVE-2015-7539
https://access.redhat.com/security/cve/CVE-2015-8103
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFW8XglXlSAg2UNWIIRAoouAJ0XHeEABsx6OtQv/S8IBfl53g9JAgCeLtjq
xQ2Bp9Ov4WK0pelScKgBp0Y=
=hzs2
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVvHfBn6ZAP0PgtI9AQLi1hAApRoUlj7NhwIaP/6YAnnREruiwgaj0qUN
DoDxLCT27/tSNhNKTbxKAJVD8QrnBcWR11m2kcSE8FmL1oXoyFX8XPQBIouC0eAE
Qc+4XAGiS7BrY4gSAKJi/ETWrN3JOLhcPt5xAjwaMEf67AhV1rLwpBxe3eLtoxfR
60nb00AHhdiedd4wJ4JXT28C0KVTap/OyN/owDb02kyIseI5IZClJNqUwrobEgmC
FV/lI0At4/eHOZPf04f6UvpDttqK6WJxhNIkHmPCPlI7Sn9f+eyw0ErN2xAGUGys
0h6jU88BJciMEzPct2PObeT1KyHYwy6Ni/gVeKoWFDunvf1rItuFqa9jHyLE4n/Q
H7DpemFH/DUW5zSk3K7J4XhOxJ+w91mNQnXKH4znx8zitZbi9JBLvRI+s0nrMl2P
FG/yTpyVqYd9MPXfD3wxZzpFxtoApMHNSrxhEz8boEGe9u5CZirJN9w+oKPmeiNa
xOrBste8/eAo2G/EzDiqoHu499SmA8iCo3nDyQkJqFuMOXifEERX5YskdDRw3zh3
PAEq3G3rdMIh2IBpSw3wcKLjOt7zSEJmG0Dj6VTlMaWluOM6xnuS4tmwrTnqF1fI
l+PH6nNW6I68XNkGvXp4wyrZhfA9TcwTvI+a4cdf8oSwuR+VW7807A+uqesgH94w
BLMPGgCwcYo=
=byMh
-----END PGP SIGNATURE-----
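Editor's worked example, added here and not part of the AusCERT bulletin or the Red Hat advisory: the Solution and Package List sections above tell an administrator which builds close CVE-2015-5254 and the Jenkins CVEs, but give no check that a host actually carries them. The script below takes a subset of the advisory's binary package names (copied from the Package List) and a constructed sample of `rpm -qa` output in a tab-separated query format, and reports every package that is still older than the fixed build. It re-implements rpm's version-segment comparison (rpmvercmp) so it runs without the rpm Python bindings; the installed-package sample, the chosen query format and the omission of epoch (the advisory's file names carry none) are assumptions of this example.

```python
"""Compare installed RPM builds against the fixed builds in RHSA-2016:0489.

Added example, not part of the advisory. The package names below are copied
from its Package List; the installed-package sample is constructed.
On a real host:
  rpm -qa --qf '%{NAME}\t%{VERSION}\t%{RELEASE}\t%{ARCH}\n' > installed.tsv
  python3 check_rhsa.py installed.tsv
"""
import re
import sys

# Subset of the advisory's Package List (binary packages only).
FIXED_PACKAGES = """
activemq-5.9.0-6.redhat.611454.el6op.x86_64.rpm
activemq-client-5.9.0-6.redhat.611454.el6op.x86_64.rpm
jenkins-1.625.3-1.el6op.noarch.rpm
php-fpm-5.3.3-46.el6_7.1.x86_64.rpm
rhc-1.38.6.1-1.el6op.noarch.rpm
"""

# Constructed sample of `rpm -qa` output in the tab-separated format above.
INSTALLED_SAMPLE = (
    "activemq\t5.9.0\t6.redhat.611454.el6op\tx86_64\n"  # exactly the fix
    "jenkins\t1.609.1\t1.el6op\tnoarch\n"               # older: vulnerable
    "php-fpm\t5.3.3\t46.el6_7\tx86_64\n"                # older release
    "rhc\t1.38.7\t1.el6op\tnoarch\n"                    # newer than the fix
    "httpd\t2.2.15\t47.el6\tx86_64\n"                   # not in the advisory
)

_NUM = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")
_SEP = re.compile(r"^[^A-Za-z0-9~]+")  # separators rpm skips


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1.

    Digit and letter segments are compared in turn, separators are skipped,
    a numeric segment beats an alphabetic one, and a '~' segment sorts before
    anything, including the end of the string (pre-release marker).
    """
    if a == b:
        return 0
    while a or b:
        a, b = _SEP.sub("", a), _SEP.sub("", b)
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        pat, numeric = (_NUM, True) if a[0].isdigit() else (_ALPHA, False)
        ma, mb = pat.match(a), pat.match(b)
        if mb is None:  # segment types differ: numeric counts as newer
            return 1 if numeric else -1
        sa, sb = ma.group(), mb.group()
        a, b = a[len(sa):], b[len(sb):]
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if not a and not b:
        return 0
    return 1 if a else -1


def parse_rpm_filename(filename: str):
    """Split 'name-version-release.arch.rpm'; the name itself may contain '-'."""
    stem = filename[:-4] if filename.endswith(".rpm") else filename
    nvr, arch = stem.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def fixed_builds(advisory_text: str) -> dict:
    """Map (name, arch) -> (version, release) for the advisory's binary RPMs."""
    fixed = {}
    for token in advisory_text.split():
        if token.endswith(".rpm") and not token.endswith(".src.rpm"):
            name, version, release, arch = parse_rpm_filename(token)
            fixed[(name, arch)] = (version, release)
    return fixed


def find_outdated(installed_text: str, advisory_text: str) -> list:
    """Return (name, installed V-R, fixed V-R) for every package older than the fix."""
    fixed = fixed_builds(advisory_text)
    outdated = []
    for line in installed_text.splitlines():
        if not line.strip():
            continue
        name, version, release, arch = line.split("\t")
        target = fixed.get((name, arch))
        if target is None:
            continue  # package not covered by this advisory
        cmp = rpmvercmp(version, target[0]) or rpmvercmp(release, target[1])
        if cmp < 0:
            outdated.append((name, f"{version}-{release}", "-".join(target)))
    return outdated


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else INSTALLED_SAMPLE
    missing = find_outdated(text, FIXED_PACKAGES)
    for name, have, want in missing:
        print(f"{name}: installed {have}, fixed in {want}")
    sys.exit(1 if missing else 0)
```

Version comparison is done segment by segment rather than as a string or float: a plain string compare would rank `46.el6_7` above `46.el6_7.1` only by accident and would get `1.609.1` versus `1.625.3` wrong once a segment gains a digit. Before trusting any freshly installed package, also run `rpm -K` on it so the Red Hat signature is checked as the advisory's GPG note asks.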