-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1264
   Important: ansible and openshift-ansible security and bug fix update
                                18 May 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ansible
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-7481 CVE-2017-7466 CVE-2016-9587

Reference:         ESB-2017.0681
                   ESB-2017.0588
                   ESB-2017.0370
                   ESB-2017.0231

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2017:1244

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: ansible and openshift-ansible security and bug fix update
Advisory ID:       RHSA-2017:1244-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1244
Issue date:        2017-05-17
CVE Names:         CVE-2017-7466 CVE-2017-7481 
=====================================================================

1. Summary:

Updated atomic-openshift-utils and openshift-ansible packages that fix two
security issues and several bugs are now available for OpenShift Container
Platform 3.5, 3.4, 3.3, and 3.2.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.2 - noarch
Red Hat OpenShift Container Platform 3.3 - noarch
Red Hat OpenShift Container Platform 3.4 - noarch
Red Hat OpenShift Container Platform 3.5 - noarch

3. Description:

Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

Ansible is an SSH-based configuration management, deployment, and task
execution system. The openshift-ansible packages contain Ansible code and
playbooks for installing and upgrading OpenShift Container Platform 3.

Security Fix(es):

* An input validation vulnerability was found in Ansible's handling of data
sent from client systems. An attacker with control over a client system
being managed by Ansible, and the ability to send facts back to the Ansible
server, could use this flaw to execute arbitrary code on the Ansible server
using the Ansible server privileges. (CVE-2017-7466)

* Ansible fails to properly mark lookup() results as unsafe. If an attacker
can control the results of lookup() calls, they can inject unicode strings
which may then be parsed by the jinja2 templating system, resulting in code
execution. (CVE-2017-7481)
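
Both fixes above rest on the same defensive idea: data that arrives from a managed host (facts) or from a lookup() call must be tagged so that the templating engine treats it as literal text rather than evaluating it a second time. The following is an added, constructed model of that mechanism, not Ansible's own code. `render` is a stand-in for a templater that resolves `{{ name }}` references and re-templates any substituted value that itself contains template syntax; `UnsafeText` is a str subclass whose marker tells the templater to leave the value alone. Ansible's AnsibleUnsafeText works on the same principle, but the rendering logic here is a simplified illustration, not Jinja2, and all variable names and fact values are made up for the example.

```python
"""Constructed model (not Ansible's code) of the 'unsafe' marking that both
fixes above rely on.  `render` stands in for a templater that evaluates
{{ name }} references and re-templates any value that itself contains
template syntax; `UnsafeText` carries a marker that tells the templater to
leave the value alone.  Simplified illustration, not Jinja2."""
import re

TEMPLATE_RE = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
MAX_DEPTH = 10  # guard against a variable that references itself


class UnsafeText(str):
    """String received from an untrusted source: a managed host's facts or
    the result of a lookup().  Never to be evaluated as template source."""
    __UNSAFE__ = True


def mark_unsafe(value):
    """Recursively wrap every string in a fact tree or lookup result."""
    if isinstance(value, UnsafeText):
        return value
    if isinstance(value, str):
        return UnsafeText(value)
    if isinstance(value, dict):
        return {k: mark_unsafe(v) for k, v in value.items()}
    if isinstance(value, list):
        return [mark_unsafe(v) for v in value]
    return value


def render(text, variables, depth=0):
    """Substitute {{ name }} from `variables`.  A substituted value that is
    itself template text is evaluated again (the behaviour the flaws above
    abuse) unless it carries the unsafe marker."""
    if getattr(text, "__UNSAFE__", False):
        return str(text)
    if depth > MAX_DEPTH:
        raise ValueError("template nesting too deep")

    def substitute(match):
        value = variables.get(match.group(1), "")
        if getattr(value, "__UNSAFE__", False):
            return str(value)  # literal text, no second evaluation
        return render(str(value), variables, depth + 1)

    return TEMPLATE_RE.sub(substitute, text)


# Constructed control-node variables and a constructed fact as a managed
# host would report it.  The host controls this string completely; here it
# contains template syntax referencing a control-node variable.
CONTROL_VARS = {"api_port": "8443", "greeting": "hello {{ target }}", "target": "world"}
HOST_FACT = "node1-{{ api_port }}"


def vulnerable():
    """Fact merged in as a plain string: the templater evaluates the
    host-supplied template, so the host steers control-node templating."""
    variables = dict(CONTROL_VARS, reported_hostname=HOST_FACT)
    return render("host is {{ reported_hostname }}", variables)


def fixed():
    """Fact marked unsafe on receipt: the same string stays literal."""
    variables = dict(CONTROL_VARS, reported_hostname=mark_unsafe(HOST_FACT))
    return render("host is {{ reported_hostname }}", variables)


def trusted_nesting_still_works():
    """The marker is selective: trusted values that are genuine templates
    are still evaluated normally."""
    return render("{{ greeting }}", CONTROL_VARS)


if __name__ == "__main__":
    print("unmarked :", vulnerable())
    print("marked   :", fixed())
    print("trusted  :", trusted_nesting_still_works())
```

The point of the model is where the marking happens: at the trust boundary, when facts are received or a lookup returns, not at each place the value is later used. Trusted variables that legitimately contain templates (`greeting` above) keep working, which is why a blanket "never re-template anything" fix is not what the upstream change does.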

This update also fixes the following bugs:

* The installer could fail to add iptables rules if other iptables rules
were being updated at the same time. This bug fix updates the installer to
wait to obtain a lock when updating iptables rules, ensuring that rules are
properly created. (BZ#1445194, BZ#1445282)

* In multi-master environments, if `ansible_host` and `openshift_hostname`
values differ and Ansible sorts one of the lists differently from the
other, then the CA host may be the first master but it was still signing
the initial certificates with the host names of the first master. By
ensuring that the host names of the CA host are used when creating the
certificate authority, this bug fix ensures that the certificates are
signed with the correct host names. (BZ#1447399, BZ#1440309, BZ#1447398)

* Running Ansible via `batch` systems like the `nohup` command caused
Ansible to leak file descriptors and abort playbooks whenever the maximum
number of open file descriptors was reached. Ansible 2.2.3.0 includes a fix
for this problem, and OCP channels have been updated to include this
version. (BZ#1439277)

* The OCP 3.4 logging stack upgraded the schema to use the common standard
logging data model. However, some of the Elasticsearch and Kibana
configuration to use this schema was missing. This caused Kibana to show an
error message upon startup. This bug fix adds the correct Elasticsearch and
Kibana configuration to the logging stack, including during upgrade from
OCP 3.3 to 3.4, and from 3.4.x to 3.4.y. As a result, Kibana works
correctly with the new logging data schema. (BZ#1444106)

* Because the upgrade playbooks upgraded packages in a serial manner rather
than all at once, yum dependency resolution would have installed the latest
version available in the enabled repositories rather than the requested
version. This bug fix updates the playbooks to upgrade all packages to the
requested version at once, which prevents yum from potentially upgrading to
the latest version. (BZ#1391325, BZ#1449220, BZ#1449221) 

* In an environment utilizing mixed containerized and RPM based
installation methods, the installer would fail to gather facts when a
master and node used different installation methods. This bug fix updates
the installer to ensure mixed installations work properly. (BZ#1408663)

* Previously, if `enable_excluders=false` was set the playbooks would still
install and upgrade the excluders during the config.yml playbook even if
the excluders were never previously installed. With this bug fix, if the
excluders were not previously installed, the playbooks will avoid
installing them. (BZ#1434679)

* Previously, the playbooks would abort if a namespace had non-ASCII
characters in its description. This bug fix updates the playbooks to
properly decode unicode characters, ensuring that upgrades to OCP 3.5 work
as expected. (BZ#1444806)

All OpenShift Container Platform users are advised to upgrade to these
updated packages.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To apply this update, run the following on all hosts where you intend to
initiate Ansible-based installation or upgrade procedures:

# yum update atomic-openshift-utils

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1391325 - [3.5] openshift_pkg_version doesn't seem to work
1408663 - [3.4] facts collection for openshift.common.admin_binary does not seem to work in mixed environments
1418032 - [3.2] Update router and registry certificates in the redeploy-certificates.yml
1422541 - [3.5] [quick installer]Installer get stuck at "Gathering information from hosts..." if bad hostname checked
1434679 - [3.5] openshift-ansible should do nothing to existed excluders when set "enable_excluders=false"
1439212 - CVE-2017-7466 ansible: Arbitrary code execution on control node (incomplete fix for CVE-2016-9587)
1439277 - Ansible Install is unable to complete install due to module losing issues.
1440309 - [3.4] Post-install, master certs signed for wrong name
1444106 - [3.4 Backport] openshift users encountered confirmation "Apply these filters?" when switching between index list populated in the left panel on kibana
1444806 - [3.5] Unable to run upgrade playbook
1445194 - [3.4] Installer fails to add/check iptables rule due to lock on xtables
1445282 - [3.3] Installer fails to add/check iptables rule due to lock on xtables
1446741 - [3.4] Redeploy certificates fails with custom openshift_hosted_router_certificate
1446745 - [3.3] Redeploy certificates fails with custom openshift_hosted_router_certificate
1447398 - [3.3] Post-install, master certs signed for wrong name
1447399 - [3.5] Post-install, master certs signed for wrong name
1448842 - Installing Openshift Container Platform 3.5 returns an error on Play 11/28 (Disable excluders)
1449220 - [3.4] openshift_pkg_version doesn't seem to work
1449221 - [3.3] openshift_pkg_version doesn't seem to work
1450018 - CVE-2017-7481 ansible: Security issue with lookup return not tainting the jinja2 environment
1450412 - [3.4] Installing containerized using the 3.4 playbooks may install other versions
1450415 - [3.3] Installing containerized using the 3.3 playbooks may install other versions

6. Package List:

Red Hat OpenShift Container Platform 3.2:

Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.2.56-1.git.0.b844ab7.el7.src.rpm

noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-docs-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-filter-plugins-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-playbooks-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-roles-3.2.56-1.git.0.b844ab7.el7.noarch.rpm

Red Hat OpenShift Container Platform 3.3:

Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.3.82-1.git.0.af0c922.el7.src.rpm

noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-callback-plugins-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-docs-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-filter-plugins-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-playbooks-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-roles-3.3.82-1.git.0.af0c922.el7.noarch.rpm

Red Hat OpenShift Container Platform 3.4:

Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.4.89-1.git.0.ac29ce8.el7.src.rpm

noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-callback-plugins-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-docs-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-filter-plugins-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-playbooks-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-roles-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm

Red Hat OpenShift Container Platform 3.5:

Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.5.71-1.git.0.128c2db.el7.src.rpm

noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-callback-plugins-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-docs-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-filter-plugins-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-playbooks-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-roles-3.5.71-1.git.0.128c2db.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
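
As an added check that is not part of Red Hat's advisory or tooling, the following Python script compares the Ansible and atomic-openshift-utils packages installed on an install host against the fixed builds in the Package List above. It reads the text that `rpm -q ansible atomic-openshift-utils` prints and applies RPM's version-compare rules (the tilde and caret ordering of newer rpm releases is omitted, as none of these builds use it). The sample `rpm -q` outputs embedded in the script are constructed, and the `abcdef1` git hash in the unpatched sample is a placeholder, not a real build.

```python
"""Constructed check (not Red Hat's tooling) that compares installed
ansible / atomic-openshift-utils packages with the fixed builds from the
Package List above.  Input is the text `rpm -q ansible atomic-openshift-utils`
prints; comparison follows RPM's version-compare rules (tilde/caret ordering
omitted, as none of these builds use it)."""
import re
import subprocess

# Fixed (version, release) per package, taken from the Package List.
# ansible is the same build in every OCP stream; atomic-openshift-utils is
# keyed by the OCP stream it belongs to.
FIXED_ANSIBLE = ("2.2.3.0", "1.el7")
FIXED_UTILS = {
    "3.2": ("3.2.56", "1.git.0.b844ab7.el7"),
    "3.3": ("3.3.82", "1.git.0.af0c922.el7"),
    "3.4": ("3.4.89", "1.git.0.ac29ce8.el7"),
    "3.5": ("3.5.71", "1.git.0.128c2db.el7"),
}

SEGMENT_RE = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """RPM segment comparison: <0 if a is older, 0 if equal, >0 if newer."""
    if a == b:
        return 0
    sa, sb = SEGMENT_RE.findall(a), SEGMENT_RE.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: whichever has segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(installed, fixed):
    """Compare (version, release) pairs; release only decides ties."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


def parse_nvra(line):
    """Split 'name-version-release.arch' as printed by rpm -q."""
    nvr, arch = line.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def check_host(rpm_q_output):
    """Map each queried package to 'ok', 'needs update', 'not installed',
    or an explanation of why it could not be assessed."""
    results = {}
    for line in rpm_q_output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("package ") and line.endswith("is not installed"):
            results[line.split()[1]] = "not installed"
            continue
        name, version, release, _arch = parse_nvra(line)
        if name == "ansible":
            fixed = FIXED_ANSIBLE
        elif name == "atomic-openshift-utils":
            stream = ".".join(version.split(".")[:2])
            fixed = FIXED_UTILS.get(stream)
            if fixed is None:
                results[name] = "stream %s not covered by this advisory" % stream
                continue
        else:
            results[name] = "not covered by this advisory"
            continue
        results[name] = "ok" if compare_vr((version, release), fixed) >= 0 else "needs update"
    return results


# Constructed rpm -q output from an unpatched 3.5 install host ('abcdef1'
# is a placeholder git hash, not a real build).
SAMPLE_UNPATCHED = """\
ansible-2.2.1.0-2.el7.noarch
atomic-openshift-utils-3.5.55-1.git.0.abcdef1.el7.noarch
"""

# Constructed output from a 3.4 host already at the fixed builds.
SAMPLE_PATCHED = """\
ansible-2.2.3.0-1.el7.noarch
atomic-openshift-utils-3.4.89-1.git.0.ac29ce8.el7.noarch
"""

if __name__ == "__main__":
    try:  # query the local rpm database when one is available
        out = subprocess.run(["rpm", "-q", "ansible", "atomic-openshift-utils"],
                             capture_output=True, text=True).stdout
    except FileNotFoundError:  # no rpm here: fall back to the constructed sample
        out = SAMPLE_UNPATCHED
    for pkg, verdict in check_host(out).items():
        print("%-24s %s" % (pkg, verdict))
```

Run it on each host where Ansible-based installs or upgrades are initiated (the hosts the Solution section targets); a host reporting "needs update" has not yet received the builds above. Because atomic-openshift-utils pulls in the matching openshift-ansible subpackages, checking it and ansible is sufficient to confirm the erratum applied.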

7. References:

https://access.redhat.com/security/cve/CVE-2017-7466
https://access.redhat.com/security/cve/CVE-2017-7481
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZHIsFXlSAg2UNWIIRAuB1AJ9F/QzE7KWxmeObPZ4D1cr+b+kEDACghefR
WrXYiGid1xP2VEDz+gniRjk=
=Z/cV
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----