-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4687.3
      OpenShift Container Platform 3.11 atomic-openshift security update
                              17 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11255 CVE-2019-11250 CVE-2019-10432 CVE-2019-10431
                   CVE-2019-10176 CVE-2017-18367
Reference:         ESB-2019.4639 ESB-2019.3694 ESB-2019.3527

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2019:4089
   https://access.redhat.com/errata/RHSA-2019:4225
   https://access.redhat.com/errata/RHSA-2019:4087
   https://access.redhat.com/errata/RHSA-2019:4052
   https://access.redhat.com/errata/RHSA-2019:4053
   https://access.redhat.com/errata/RHSA-2019:4054
   https://access.redhat.com/errata/RHSA-2019:4055

Comment: This bulletin contains seven (7) Red Hat security advisories.
Revision History:  December 17 2019: Added RHSA-2019:4089
                   December 17 2019: Added RHSA-2019:4225 and RHSA-2019:4087
                   December 17 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 3.11 atomic-openshift security update
Advisory ID:       RHSA-2019:4052-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4052
Issue date:        2019-12-16
CVE Names:         CVE-2019-11250
=====================================================================

1. Summary:

An update for atomic-openshift is now available for Red Hat OpenShift Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.11 - noarch, ppc64le, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

Security Fix(es):

* kubernetes: Bearer tokens written to logs at high verbosity levels (>= 7) (CVE-2019-11250)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

See the following documentation, which will be updated shortly for release 3.11.157, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1740434 - CVE-2019-11250 kubernetes: Bearer tokens written to logs at high verbosity levels (>= 7)

6. Package List:

Red Hat OpenShift Container Platform 3.11:

Source:
atomic-openshift-3.11.157-1.git.0.dfe38da.el7.src.rpm

noarch:
atomic-openshift-docker-excluder-3.11.157-1.git.0.dfe38da.el7.noarch.rpm
atomic-openshift-excluder-3.11.157-1.git.0.dfe38da.el7.noarch.rpm

ppc64le:
atomic-openshift-3.11.157-1.git.0.dfe38da.el7.ppc64le.rpm
atomic-openshift-clients-3.11.157-1.git.0.dfe38da.el7.ppc64le.rpm
atomic-openshift-hyperkube-3.11.157-1.git.0.dfe38da.el7.ppc64le.rpm
atomic-openshift-hypershift-3.11.157-1.git.0.dfe38da.el7.ppc64le.rpm
atomic-openshift-master-3.11.157-1.git.0.dfe38da.el7.ppc64le.rpm
atomic-openshift-node-3.11.157-1.git.0.dfe38da.el7.ppc64le.rpm
atomic-openshift-pod-3.11.157-1.git.0.dfe38da.el7.ppc64le.rpm
atomic-openshift-sdn-ovs-3.11.157-1.git.0.dfe38da.el7.ppc64le.rpm
atomic-openshift-template-service-broker-3.11.157-1.git.0.dfe38da.el7.ppc64le.rpm
atomic-openshift-tests-3.11.157-1.git.0.dfe38da.el7.ppc64le.rpm

x86_64:
atomic-openshift-3.11.157-1.git.0.dfe38da.el7.x86_64.rpm
atomic-openshift-clients-3.11.157-1.git.0.dfe38da.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.11.157-1.git.0.dfe38da.el7.x86_64.rpm
atomic-openshift-hyperkube-3.11.157-1.git.0.dfe38da.el7.x86_64.rpm
atomic-openshift-hypershift-3.11.157-1.git.0.dfe38da.el7.x86_64.rpm
atomic-openshift-master-3.11.157-1.git.0.dfe38da.el7.x86_64.rpm
atomic-openshift-node-3.11.157-1.git.0.dfe38da.el7.x86_64.rpm
atomic-openshift-pod-3.11.157-1.git.0.dfe38da.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.11.157-1.git.0.dfe38da.el7.x86_64.rpm
atomic-openshift-template-service-broker-3.11.157-1.git.0.dfe38da.el7.x86_64.rpm
atomic-openshift-tests-3.11.157-1.git.0.dfe38da.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
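The fix above concerns tokens reaching log output once a component runs at verbosity 7 or higher. Until every node is on 3.11.157, the practical questions are whether any component is configured that verbosely and whether tokens have already been written to logs that were shipped off-box. The Python below is an added example, not code from Red Hat or the Kubernetes project: it reports a too-high verbosity from a command line (the --v and --loglevel flag names are the ones assumed here) and scans log lines for an Authorization: Bearer header or a bare JWT, returning a redacted copy and only a short token prefix for correlation. The sample log lines are constructed in the style of client-go request logging; the patterns are heuristics, not an exhaustive secret detector.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

# Two ways a bearer token tends to surface in verbose logs: the literal Authorization
# header, and a bare JWT (three base64url segments), which is what a service-account
# token looks like wherever it is logged.
BEARER_HEADER = re.compile(r"(Authorization:\s*Bearer\s+)(\S+)", re.IGNORECASE)
BARE_JWT = re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")

# Constructed sample lines (not from a real cluster) in the style of client-go's
# request-header logging at high verbosity. Lines 3 and 5 carry a token.
SAMPLE_LOG = """\
I1216 10:02:31.118452       1 round_trippers.go:405] GET https://api.example.internal:443/api/v1/namespaces/app/pods 200 OK in 12 milliseconds
I1216 10:02:31.118470       1 round_trippers.go:411] Request Headers:
I1216 10:02:31.118475       1 round_trippers.go:414]     Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50In0.c2lnbmF0dXJlLXBsYWNlaG9sZGVy
I1216 10:02:31.118480       1 round_trippers.go:414]     User-Agent: oc/v3.11.0 (linux/amd64) kubernetes/dfe38da
I1216 10:02:31.200113       1 loader.go:359] Config loaded with token eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6YXBwOmRlcGxveWVyIn0.YW5vdGhlci1wbGFjZWhvbGRlcg
I1216 10:02:31.300010       1 scheduler.go:200] scheduled pod app/web-1 to node worker-3
"""


@dataclass
class Finding:
    line_no: int
    kind: str        # "bearer-header" or "jwt"
    token_hint: str  # first 8 characters: enough to correlate with an audit log, not to replay
    redacted: str    # the log line with the secret removed, safe to paste into a ticket


def redact(line: str) -> str:
    """Replace any bearer token or bare JWT in a log line with a placeholder."""
    line = BEARER_HEADER.sub(r"\1<REDACTED>", line)
    return BARE_JWT.sub("<REDACTED>", line)


def find_leaked_tokens(lines: Iterable[str]) -> List[Finding]:
    """Scan log lines and return one Finding per line that carries a token."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, start=1):
        m = BEARER_HEADER.search(line)
        if m:
            findings.append(Finding(no, "bearer-header", m.group(2)[:8], redact(line)))
            continue
        m = BARE_JWT.search(line)
        if m:
            findings.append(Finding(no, "jwt", m.group(0)[:8], redact(line)))
    return findings


def configured_verbosity(args: Sequence[str]) -> Optional[int]:
    """Return the verbosity requested on a command line, or None if none is set.
    Understands --v=N, --v N, -v=N, -v N and --loglevel=N / --loglevel N (assumed flag names)."""
    flags = {"--v", "-v", "--loglevel"}
    args = list(args)
    for i, arg in enumerate(args):
        name, sep, val = arg.partition("=")
        if name not in flags:
            continue
        if sep and val.isdigit():
            return int(val)
        if not sep and i + 1 < len(args) and args[i + 1].isdigit():
            return int(args[i + 1])
    return None


def verbosity_leaks_tokens(args: Sequence[str], threshold: int = 7) -> bool:
    """True when the command line asks for the verbosity at which the advisory says tokens are logged."""
    v = configured_verbosity(args)
    return v is not None and v >= threshold


if __name__ == "__main__":
    for f in find_leaked_tokens(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.kind} token {f.token_hint}... -> {f.redacted}")
    print("kube-apiserver --v=7 leaks tokens:", verbosity_leaks_tokens(["kube-apiserver", "--v=7"]))
```

Run it against the output of `journalctl -u atomic-openshift-node` (or the master API logs) before forwarding those logs anywhere; a hit means the token should be treated as exposed and the service account or user re-credentialed, and the component's verbosity lowered below 7 until the update is applied.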
7. References:

https://access.redhat.com/security/cve/CVE-2019-11250
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfeMBtzjgjWX9erEAQjm1g//a6m9MYdqDNBrKp9Xp+vDSXELdKQ0MUhj
2Xp/8G9ykFiu13ZFatcV7KLscHNZ19Zn0vtzaaQUqRCBzZJBskOuaTeF643Bjv8X
MRGt3S5hq+AkqgUO1ZgfNI0PGrAldx5kF/pM3S7FIC8qxPE2/bQJ9mfQ4z25yxC8
SduDrU2akasxDNJv7Q3GdirLxIejUvz80d+YbpaPW1sDcnt3X6fMg/gv2ROR3u+U
dDrcmq1EyWFhkerTjiTk6zt3xzYZKCX/14uff7euovxIQ1WK842snJRjCBvJl5Np
VZVfr4818JnbQjvYEZm03xwVzAJd4EoWX8woPviEme7MSYFmE7YYyVWyyaBQPP+k
o8rJoWq/LN+ZEw9nWnxyugxIYOd8p7TNMzG/RCENbsa9313mXgpiuvWbWT1AGozM
zUGmTSt4jEABS9044ulsZF06DV9RmBWZaYDPCh7zU6k1+DhSx3kJKobKWiq0kGOs
es1MKXWohfcgE4Ng3KhLiQe3PolT6OLB4hRA9yOWpSvDhV8DKjeVQrOImY0i+vRQ
jk61FyKXUkp5B3rCdX6vsJeagw+/eOfNVQMJ+1RDSbBCZFltBycwyOj05OuIEoZx
XGTGO60OGg/E8nXeaVrWkaH0ebmTDzs+sJGA3GdNEFDGZpvr+2CdCgysSH6rj/uV
UFrJ3uBFt8E=
=vMgM
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 3.11 openshift-enterprise-console-container security update
Advisory ID:       RHSA-2019:4053-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4053
Issue date:        2019-12-16
CVE Names:         CVE-2019-10176
=====================================================================

1. Summary:

An update for openshift-enterprise-console-container is now available for Red Hat OpenShift Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact of Moderate.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

Security Fix(es):

* atomic-openshift: CSRF tokens not refreshing while user is logged in and are exposed in the URL (CVE-2019-10176)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

See the following documentation, which will be updated shortly for release 3.11.157, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1712569 - CVE-2019-10176 atomic-openshift: CSRF tokens not refreshing while user is logged in and are exposed in the URL

5. References:

https://access.redhat.com/security/cve/CVE-2019-10176
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
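The console flaw above has two parts: a CSRF token that is never refreshed for the life of a login, and a token that travels in the URL, where it is copied into browser history, proxy logs and Referer headers. The Python below is an added example of the corrected behaviour, written for this bulletin and not taken from the OpenShift console: tokens are minted per login and can be rotated, a state-changing request is only accepted with the current token in a header or form field (compared in constant time), and a request that carries the token in its query string is refused even when the value is correct. A small access-log check finds requests or Referers that leaked a token. The parameter names in URL_TOKEN_PARAMS and the header name X-CSRF-Token are assumptions for the example, and the log lines are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence
from urllib.parse import parse_qs, urlsplit

# Query-string names a CSRF token might travel under. Assumed for this example;
# they are not the parameter names used by the OpenShift console.
URL_TOKEN_PARAMS = ("csrf", "csrf_token", "_csrf", "csrftoken")
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    user: str
    csrf_token: str


def token_in_url(url: str) -> Optional[str]:
    """Return a CSRF token carried in the query string, if any. A token there ends up in
    browser history, proxy logs and Referer headers, which is the exposure described above."""
    query = parse_qs(urlsplit(url).query)
    for name in URL_TOKEN_PARAMS:
        if name in query:
            return query[name][0]
    return None


class CsrfGuard:
    """Session-bound CSRF tokens: minted per login, rotatable, never accepted from a URL."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, secrets.token_urlsafe(32))  # fresh token per login
        return sid

    def token_for(self, sid: str) -> str:
        return self._sessions[sid].csrf_token

    def rotate(self, sid: str) -> str:
        """Replace the token mid-session (e.g. after re-authentication); the old one stops working."""
        new = secrets.token_urlsafe(32)
        self._sessions[sid].csrf_token = new
        return new

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def validate(self, sid: str, req: Request) -> bool:
        """Allow a state-changing request only with the current token in a header or form
        field. A token in the URL is refused even if correct, so a leaked link cannot be replayed."""
        session = self._sessions.get(sid)
        if session is None:
            return False
        if req.method in SAFE_METHODS:
            return True
        if token_in_url(req.url) is not None:
            return False
        presented = req.headers.get("X-CSRF-Token") or req.form.get("csrf_token")
        if presented is None:
            return False
        return hmac.compare_digest(presented, session.csrf_token)


# Constructed access-log lines in combined-log style. The Referer on line 1 carries a
# token, which is what the leak looks like from the server side.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [16/Dec/2019:10:02:31 +0000] "POST /console/api/projects HTTP/1.1" 200 512 '
    '"https://console.example.internal/console/project/app?csrf_token=9f3a7c21b0de4e8a" "Mozilla/5.0"',
    '10.0.0.5 - - [16/Dec/2019:10:02:35 +0000] "GET /console/project/app HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]


def lines_exposing_tokens(log_lines: Sequence[str]) -> List[int]:
    """1-based numbers of log lines whose request path or Referer carries a CSRF token."""
    hits: List[int] = []
    for no, line in enumerate(log_lines, start=1):
        for word in line.split():
            word = word.strip('"')
            if word.startswith(("http://", "https://", "/")) and token_in_url(word) is not None:
                hits.append(no)
                break
    return hits


if __name__ == "__main__":
    guard = CsrfGuard()
    sid = guard.login("alice")
    tok = guard.token_for(sid)
    print("header token accepted:", guard.validate(sid, Request("POST", "/console/api/projects", headers={"X-CSRF-Token": tok})))
    print("token in URL accepted:", guard.validate(sid, Request("POST", f"/console/api/projects?csrf_token={tok}")))
    guard.rotate(sid)
    print("old token after rotate:", guard.validate(sid, Request("POST", "/console/api/projects", headers={"X-CSRF-Token": tok})))
    print("log lines leaking a token:", lines_exposing_tokens(SAMPLE_ACCESS_LOG))
```

The refusal of a correct token in the URL is deliberate: if the server accepted it, every proxy or Referer log that captured the link would hold a working token for as long as the session lived, which is exactly the combination the advisory describes.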
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfeOI9zjgjWX9erEAQjGJA//XQBmR6Fkax6uvJ8fG1aPSeRhw94v3fNQ
c82fMdJzUAo+AynFsglF/oiOfuFA/Bg7b0F5ZtgnxoAGtnUqwN3uLS5osJtc2XHh
6BTOKvNXz4k+End0MZ2qB+YmpXmYkCGPLRe2ezQSLI7fqygWMbWoZGuztOHlMuPx
Gpu2BXrGeawAdF+JGnQNOKCVTwNiprw7qDDzqWUrhnBREbudf4GIiMsKOKm15YaK
Q4tBWspWAbLM5uWzQ4yMdvmeQwAiQzL4gr5CIjRRtXu9TQg4YtjGtj95ESxqWZS7
xREtiqoR61Ii1RqLggGM7uIl96P0sWi+xC5Hyw0D1zQl2MyiVesn4uBrENyfkQ+K
fE5ZQ7vO1J87Gdb1R3jyvO5XYRVzs2U73S52JxETjkDNpuT7ljhezmxg/YXi+TpA
9z23FvdZo4ma4815a1p4WeuzJxDNCM4vudsHYIPyY1rjfOCsr8sE2ZVXp2mrKGT8
jS3YJNqhzQfLX8rQMED4u1iYh0BnmErqd96aKx/06nuSsyKAvLkMSo+XCD2j15jd
fsjCOA3pP9048T3SABFRtW0v0/2Um36sX8gPnIFPl+vMf2xl8WL1krNuGSMGlutR
IkbP3vU9t94x00vrYn/FUdN3cajz8P0nx5QmloTUiyR0NjYchsqISpqo40ugGCCt
1nWveTgxt6w=
=qmL0
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 3.11 openshift-external-storage security update
Advisory ID:       RHSA-2019:4054-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4054
Issue date:        2019-12-16
CVE Names:         CVE-2019-11255
=====================================================================

1. Summary:

An update for openshift-external-storage is now available for Red Hat OpenShift Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.11 - ppc64le, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

Security Fix(es):

* kubernetes-csi: CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation (CVE-2019-11255)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

See the following documentation, which will be updated shortly for release 3.11.157, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1772727 - CVE-2019-11255 kubernetes-csi: CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation
6. Package List:

Red Hat OpenShift Container Platform 3.11:

Source:
openshift-external-storage-0.0.2-10.gitd3c94f0.el7.src.rpm

ppc64le:
openshift-external-storage-cephfs-provisioner-0.0.2-10.gitd3c94f0.el7.ppc64le.rpm
openshift-external-storage-debuginfo-0.0.2-10.gitd3c94f0.el7.ppc64le.rpm
openshift-external-storage-efs-provisioner-0.0.2-10.gitd3c94f0.el7.ppc64le.rpm
openshift-external-storage-local-provisioner-0.0.2-10.gitd3c94f0.el7.ppc64le.rpm
openshift-external-storage-manila-provisioner-0.0.2-10.gitd3c94f0.el7.ppc64le.rpm
openshift-external-storage-snapshot-controller-0.0.2-10.gitd3c94f0.el7.ppc64le.rpm
openshift-external-storage-snapshot-provisioner-0.0.2-10.gitd3c94f0.el7.ppc64le.rpm

x86_64:
openshift-external-storage-cephfs-provisioner-0.0.2-10.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-debuginfo-0.0.2-10.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-efs-provisioner-0.0.2-10.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-local-provisioner-0.0.2-10.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-manila-provisioner-0.0.2-10.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-snapshot-controller-0.0.2-10.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-snapshot-provisioner-0.0.2-10.gitd3c94f0.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-11255
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfeM9tzjgjWX9erEAQhM9g//dr1lhXryx6/S4qM3M0S31aL5U1iO9MVk
S5ta4JZcFBuL3Wa+33lT553eOkiL9ipvmlEwgwy6J4CNUVkADjU3HsBZ+P+e99Ia
Zc70Ui6kH7JhxgkaWem+uy5kq3Iv7tG1+TzjE2v7GMENifKzAh4NuAeWC6Ag+ybX
2oB5WGTwemAgTeqLk2OWN/uipST5kznhggLQrZdTTO8XUPFbWYDOJfA/+mtsfDO1
N6Mu0u5+I6kSUGLROkusexUDTWs9OiapubRjLZSK/xbWBhem94Bq2MODlIPfq+jp
Xt1LP+C8ZUEj+utUBis9WJuFIXqS7/+zViZGZOspaqh/wnV2dEzODQQ9hEq3MYih
STiM87RSE0x0WFXNL8uwjCzsVWIXULosrYs/jU8Y9wg8xP906QwU/nREHIeQY8gE
4UOZs+e1IW/AiT3xc+f6eXPawWeMA1ixuVzCUm4CFCUhZl+oojnKouAOiBLJotfv
5Z3uRSTsF3FChRuoESQk2+9mYurWCUrS1p5FmzyNbGc3SQzK9HhfjnMZ1r762xue
pQk19GfbKtAmr7e1wmvZHXVWZEehMWluJ1Kuf2F2vB9o/w2SgVqSZDXluKZt2v30
sJZXtr5H9a82o9KBW0eJRI8RAglV3LHyNVnQ1356xlNjCEhIFDd1bK5sgGIuWD1D
nfgLAWhQiKs=
=tTFC
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 3.11 jenkins-2-plugins security update
Advisory ID:       RHSA-2019:4055-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4055
Issue date:        2019-12-16
CVE Names:         CVE-2019-10431 CVE-2019-10432
=====================================================================

1. Summary:

An update for jenkins-2-plugins is now available for Red Hat OpenShift Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.11 - noarch

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

Security Fix(es):

* jenkins-script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2019-10431)

* jenkins-2-plugins: Stored XSS vulnerability in HTML Publisher Plugin (CVE-2019-10432)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

See the following documentation, which will be updated shortly for release 3.11.157, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1764387 - CVE-2019-10432 jenkins-2-plugins: Stored XSS vulnerability in HTML Publisher Plugin
1764390 - CVE-2019-10431 jenkins-script-security: Sandbox bypass vulnerability in Script Security Plugin

6. Package List:

Red Hat OpenShift Container Platform 3.11:

Source:
jenkins-2-plugins-3.11.1575261255-1.el7.src.rpm

noarch:
jenkins-2-plugins-3.11.1575261255-1.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10431
https://access.redhat.com/security/cve/CVE-2019-10432
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfeMf9zjgjWX9erEAQiCaQ//SdlimUi9Pcm/7RPB5qUp4Oj5DWBsoNVd
d0sQYr89Rbe5k4Mb+fWGUQ2b1SSYBRmoH2o/NewEezpwzYz1AoiJjJXMJzKD7y7a
vpOT5ZzjnQIXnbpPkdeHmBIu0Efdky5oIl6CdD9zU1H2sigcDuMquJyCLqnEDwwk
k0NXkJslSqtJCMvAgFwZaXKvUManeIVyW+sgjwhiS3xn16F0Hdr7AjGMnQLSH+sU
1YNNit1bd3+NafYK8f5LlwLnGIV3+pkiTsKMiCRgIcY4Ul23WxnREm7HkFbtxFp8
wGluYV4UN/DchoFVDCx0VTDm+nRIY0B36CDiXsHfjkeux2yqOkg7YahAvbrhUmpD
m+uIsfR4MB51ONhSWRLCt3hcZPFp77YIN4tzKqvF7yMabqYKBE7X5lK7YPs37XSM
EZvg3n5kKJgh2rUlJYCJw8wWxk7WM0QiRWYq7rRAXoHvfizcMEOJVKI7/+okp/nR
QMCRxFrtWjCwZ/sm2tNMT1Wu32SBgTfFoow5OqyS7iLEBrzDF+mIQaiTEQ0LlKMN
8Dt9Lu7v2ptSvaqNWwXdpTFm9L8KlSmnAQz7t5zSujhByO3BuqucseXku++cjHv0
oV6Qus9rq9dIEhw0x7cEKO5Sc4svyK4VllHy9Nn/mTIEUe/1Bs/HxTlfKT+2XbQV
yrtPY46Fp2o=
=NHHH
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.1 openshift security update
Advisory ID:       RHSA-2019:4087-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4087
Issue date:        2019-12-17
CVE Names:         CVE-2017-18367 CVE-2019-11250
=====================================================================

1. Summary:

An update for openshift is now available for Red Hat OpenShift Container Platform 4.1.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.1 - x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):

* libseccomp-golang: mishandling of multiple argument rules leading to a bypass of intended access restrictions (CVE-2017-18367)

* kubernetes: Bearer tokens written to logs at high verbosity levels (>= 7) (CVE-2019-11250)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For OpenShift Container Platform 4.1 see the following documentation, which will be updated shortly for release 4.1.27, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.1/updating/updating-cluster-cli.html.

5. Bugs fixed (https://bugzilla.redhat.com/):

1706826 - CVE-2017-18367 libseccomp-golang: mishandling of multiple argument rules leading to a bypass of intended access restrictions
1740434 - CVE-2019-11250 kubernetes: Bearer tokens written to logs at high verbosity levels (>= 7)

6. Package List:

Red Hat OpenShift Container Platform 4.1:

Source:
openshift-4.1.27-201912021146.git.0.a40116f.el7.src.rpm

x86_64:
openshift-clients-4.1.27-201912021146.git.0.a40116f.el7.x86_64.rpm
openshift-clients-redistributable-4.1.27-201912021146.git.0.a40116f.el7.x86_64.rpm
openshift-hyperkube-4.1.27-201912021146.git.0.a40116f.el7.x86_64.rpm

Red Hat OpenShift Container Platform 4.1:

Source:
openshift-4.1.27-201912021146.git.0.a40116f.el8_0.src.rpm

x86_64:
openshift-clients-4.1.27-201912021146.git.0.a40116f.el8_0.x86_64.rpm
openshift-clients-redistributable-4.1.27-201912021146.git.0.a40116f.el8_0.x86_64.rpm
openshift-hyperkube-4.1.27-201912021146.git.0.a40116f.el8_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-18367
https://access.redhat.com/security/cve/CVE-2019-11250
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfg7GtzjgjWX9erEAQgzdA/8Ddb17fwoOsegGpWWVys4JKgUuwLzfDWr
4sUrJ1eBKgV3Q9gcuBxTQKtbR3rooZoMf0yNXbEIDeyDCKW9vcX763kTPapRUjEN
CI0m1MSINazDN3PZXGut220kVPcu8BYBruEYv0OwMRzYSaGBjgDkJXSWg/UZ/wuI
wDcNWlREnFff1wu7GPEd8yAkSJSHf6flYgg/gqYvMGImiX9Fb9qv+pVTCiMan4+N
bIGEThmXj7SYwGWz2F5GBRym2JU2hFh6UVjVS7kZEN/WMRn6xOFh7n2jw4d49dcp
tTeP2kv/9KkFPgRFjA9BK/NGUWWUBkrknpbcz1HRgc6OpT3mkXS2iGT/+nQIlNqC
+YzJJg06Tq6oF3eeK9TJfnBYmn34pY20Fz3yczJcM2+7KmCgTGbMCqXh/TY03kpk
db2Cio5xn55CbvjtkIJnRJIxK7fM3ey0kvFD3H/9HNRoTaCnBL9KuHb4/vKm81xb
ZjoxcSvI9rpbIo03OeMiCE10vVGHSMHESjYeM5HdUahPfrhhMZyRVMznTStmHNhn
ijqqkcI08BLFvCBTcIDBbaYqmbwekjYdEe+vcv60C51g1+lczuuhDmZw54m0QLbu
cfWUUeE+djG1QZDbxlihfeel3hu8JKwuvZjzSnNy7Ms3rIt4X1LC9qgdavMheIis
qthftZGjw3o=
=C0Sb
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.1 openshift-external-storage security update
Advisory ID:       RHSA-2019:4225-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4225
Issue date:        2019-12-17
CVE Names:         CVE-2019-11255
=====================================================================

1. Summary:

An update for openshift-external-storage is now available for Red Hat OpenShift Container Platform 4.1.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.1 - x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

Security Fix(es):

* kubernetes-csi: CSI volume snapshot, cloning, and resizing features can result in unauthorized volume data access or mutation (CVE-2019-11255)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For OpenShift Container Platform 4.1 see the following documentation, which will be updated shortly for release 4.1.27, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.1/updating/updating-cluster-cli.html.

5. Bugs fixed (https://bugzilla.redhat.com/):

1772727 - CVE-2019-11255 kubernetes-csi: CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation
6. Package List:

Red Hat OpenShift Container Platform 4.1:

Source:
openshift-external-storage-0.0.2-11.gitd3c94f0.el7.src.rpm

x86_64:
openshift-external-storage-cephfs-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-debuginfo-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-efs-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-local-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-manila-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-snapshot-controller-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-snapshot-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-11255
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfg7K9zjgjWX9erEAQhThw//RXToy8ieLwgt2hEQHvzT8l3ESWfaF3kI
/YaCHsy/xqpOh0MhZMOG931RS98b4HqLIi/zNsVEwVmWx40D6ABCV0pFIOQyuZ/3
XWAfwKE0Z7bSTraC6iQ3QRu7oucw+Dk90RDkVtkhH7VA+bJsCgYDBMw0oBsgf3TJ
0kJ/Lhi7BbXFIWhLLeU5zjIAgACS3QwD30gI1leL2S6r1/n54nhIcaU0g23E5EGa
3GPstxkE5fqBLPuFuAgagc28XkLeS1hSh6pVAUbvyhqPdXOCFkWdfYJZGfwCPjqt
NINRJ7TI92FMxzsuhyz8kOADdT6awbIGL6aUpSHOyswWud30K61b2pVjMDk7J9qg
2LSdmRC7LolMiPMnXF8cUr8F543Qwy6Tg0jK0OA9RARshNAjxnbwW10uWFTAhCXq
Q2uu9VT+NyZV5kxAPQT20KuDT2V9DOktLVOFZB7fyy/NswbDD/GgdLQP7cKIDZPz
IiLNNlH27VL7hUFl73qh2VUg9J6zATC8GWih6vSig5UcJqePX66731orLsrEfZ6c
nASEJIYNzO2CwdjZcj1mKyTnsvYN9ZwC9AnhA/1Dy4QuvyKK3xqQbOrg+FbWK7xE
pf4srTK+DkPEgpsuQNZ6lGoQPj67EUfncd/n91Wt5yR1tex6/SDsd5cURO2QVYpS
JGi51buqNME=
=2Gow
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.1 jenkins-2-plugins security update
Advisory ID:       RHSA-2019:4089-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4089
Issue date:        2019-12-17
CVE Names:         CVE-2019-10431 CVE-2019-10432
=====================================================================

1. Summary:

An update for jenkins-2-plugins is now available for Red Hat OpenShift Container Platform 4.1.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.1 - noarch

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):

* jenkins-script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2019-10431)

* jenkins-2-plugins: Stored XSS vulnerability in HTML Publisher Plugin (CVE-2019-10432)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For OpenShift Container Platform 4.1 see the following documentation, which will be updated shortly for release 4.1.27, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.1/updating/updating-cluster-cli.html.

5. Bugs fixed (https://bugzilla.redhat.com/):

1764387 - CVE-2019-10432 jenkins-2-plugins: Stored XSS vulnerability in HTML Publisher Plugin
1764390 - CVE-2019-10431 jenkins-script-security: Sandbox bypass vulnerability in Script Security Plugin

6. Package List:

Red Hat OpenShift Container Platform 4.1:

Source:
jenkins-2-plugins-4.1.1574872364-1.el7.src.rpm

noarch:
jenkins-2-plugins-4.1.1574872364-1.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10431
https://access.redhat.com/security/cve/CVE-2019-10432
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
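Each of the seven advisories in this bulletin ends with a package list that names the exact version-release that carries the fix. Deciding whether a host is patched means comparing what `rpm -qa` reports against those strings, and a plain string comparison gets that wrong (release 10 sorts below release 9 lexically). The Python below is an added example for this bulletin, not a Red Hat tool: it parses NEVRA strings, reimplements rpm's version comparison (digit runs numerically, letter runs lexically, digits beat letters, `~` sorts before anything, other punctuation separates), and classifies each installed package against a table of fixed version-release values copied from the package lists above. The table is keyed by source package on the assumption, true for every list in this bulletin, that all subpackages of one source RPM share its version-release; the el8_0 builds of the 4.1 openshift package sort after the el7 string and are therefore treated as fixed by the same entry. The installed-package sample is constructed, including its git hashes.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Fixed version-release values, copied from the package lists in this bulletin.
FIXED_3_11 = {
    "atomic-openshift": "3.11.157-1.git.0.dfe38da.el7",
    "openshift-external-storage": "0.0.2-10.gitd3c94f0.el7",
    "jenkins-2-plugins": "3.11.1575261255-1.el7",
}
FIXED_4_1 = {
    "openshift": "4.1.27-201912021146.git.0.a40116f.el7",  # el8_0 builds sort after this
    "openshift-external-storage": "0.0.2-11.gitd3c94f0.el7",
    "jenkins-2-plugins": "4.1.1574872364-1.el7",
}

# Constructed `rpm -qa` output for a 3.11 node; the git hashes of the older builds are made up.
SAMPLE_RPM_QA = [
    "atomic-openshift-node-3.11.146-1.git.0.0123abc.el7.x86_64",
    "atomic-openshift-clients-3.11.157-1.git.0.dfe38da.el7.x86_64",
    "openshift-external-storage-local-provisioner-0.0.2-9.gitd3c94f0.el7.x86_64",
    "jenkins-2-plugins-3.11.1575261255-1.el7.noarch",
    "bash-4.2.46-33.el7.x86_64",
]

NEVRA = re.compile(r"^(?P<name>.+)-(?:(?P<epoch>\d+):)?(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")


@dataclass
class Nevra:
    name: str
    epoch: int
    version: str
    release: str
    arch: str


def parse_nevra(s: str) -> Nevra:
    """Split name-[epoch:]version-release.arch; the name may itself contain hyphens."""
    m = NEVRA.match(s)
    if not m:
        raise ValueError(f"not a NEVRA string: {s}")
    return Nevra(m["name"], int(m["epoch"] or 0), m["version"], m["release"], m["arch"])


def _run(s: str, i: int, pred: Callable[[str], bool]) -> str:
    j = i
    while j < len(s) and pred(s[j]):
        j += 1
    return s[i:j]


def rpmvercmp(a: str, b: str) -> int:
    """rpm's version comparison: -1, 0 or 1 as a is older than, equal to or newer than b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):   # skip separators
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:                                               # '~' sorts before anything
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pred = str.isdigit if numeric else str.isalpha
        sa, sb = _run(a, i, pred), _run(b, j, pred)
        if not sb:                                                 # digit run beats letter run
            return 1 if numeric else -1
        i, j = i + len(sa), j + len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1                                # leftover segments win


def compare_evr(installed: Nevra, fixed_vr: str, fixed_epoch: int = 0) -> int:
    """Compare an installed package with a fixed version-release: epoch, then version, then release."""
    fixed_version, fixed_release = fixed_vr.rsplit("-", 1)
    if installed.epoch != fixed_epoch:
        return 1 if installed.epoch > fixed_epoch else -1
    return rpmvercmp(installed.version, fixed_version) or rpmvercmp(installed.release, fixed_release)


def fixed_for(name: str, fixed: Dict[str, str]) -> Optional[str]:
    """Longest source-package key that equals the name or is a hyphen-delimited prefix of it."""
    keys = [k for k in fixed if name == k or name.startswith(k + "-")]
    return fixed[max(keys, key=len)] if keys else None


def check_installed(installed: List[str], fixed: Dict[str, str]) -> Dict[str, str]:
    """Map each NEVRA to 'patched', 'vulnerable' or 'not-covered' (not in the advisory)."""
    verdicts = {}
    for nevra in installed:
        pkg = parse_nevra(nevra)
        target = fixed_for(pkg.name, fixed)
        if target is None:
            verdicts[nevra] = "not-covered"
        else:
            verdicts[nevra] = "patched" if compare_evr(pkg, target) >= 0 else "vulnerable"
    return verdicts


if __name__ == "__main__":
    for nevra, verdict in check_installed(SAMPLE_RPM_QA, FIXED_3_11).items():
        print(f"{verdict:12} {nevra}")
```

Feed it the real `rpm -qa` output of every master and node (and, for the Jenkins image, the package list from inside the running container) and treat any "vulnerable" verdict as a host still exposed to the CVEs above; the GPG signature check on the RPMs themselves is a separate step, per the key page linked in each advisory.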
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfg7I9zjgjWX9erEAQg/Fg/9Gur5TBMHfdHtwDU00lb2QU+m4pOFjj1j
5FOGpehOewFnzjWbbP5drTswCtDNn93eO1AIkM8rPAWki3YaOqogMcyusysTLhKl
l2sEbd3mfCZkNvftsbwMfxNCNl5WXFxCQk678aOlU1lhMWjK7pENzJvQvBx+AX/k
y/70DTB87ugzi4cof3lS10BI6ik2VXqBEooCeGgxBoqaHQrh/AXpta84b+WemVvc
+fxG4IIA1UtBZMIuXp/sypjmZrarxKHDUn0JtB5QpvYRTR/1j8+AIoROfz/ZUpc4
VUoBwj5BLt0a3QzHCjpT4KtoZJNBp8JjMTvTElCos9O44UTSgxrLXLzvpOnYBtm6
3kZtLwNil2AWW8XktdY/WGzdOWKvVcy0dcopfjjHX5kwL7FgbR5HRzPDoZQ3lOmX
9N4B29qKexB+XvAudtbFkXOeneKMNZ785GpUNk32Aw2siSZBI6BZD1PKKL1hvWg1
6aC0oxAW/oq5fOCDJgP56WvyjkTMZdeFIKd73jEgVe4nn1w0xAj8+6lNlYqt2j2U
oegRNtq9u4+ycituXIfnR9ttH1mX3cie1RyQdPblofm54V9iUUxOHterYE8L2GzI
9Nf2tBJTB3pClnCV1Mp/ScbXazncMIZ9OpxpXTbwAAGYOQpyzHSEpg48sjmYSXKx
lf7tV2TDaqQ=
=Bm3N
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXfhFpGaOgq3Tt24GAQhcjw//TDS3DarB54gYIv4xYM/Vy1M4BRNVZ0T6
VY9nnrqdC0ghxeGhKt/TiISGOQT6NzTTcGaddSJHbhZLNb2pybdKChqXUA8tX0nL
xIpZUPTV86gCZ6QkEUm3JaO5SMdWP/xh9vgJobs/ydEoVjfit57/1R97I7UD20EF
II4OkvDjXLFvFXh2vHXCtnnm0LmrQyy77upmabesormNihhfcjKnj0jIb8Co84nW
JIGSZpf6EbqllEuvxTT5M/DzjTem2nyLZ0EYEzGuwW7d9+zE+1Gk2JNQLKgR4p/N
+Wxid01K6zYZ6kL6E6bZIKO+xWFc4ejHxFkXGH6qP3x2RSU58F4IskjQEnzNu38Y
m2//lvLwIU+33reVQqToGdLq6xCnHD+HrN62U1TTWfmp5KmGuMBtOh2FzTb2NtBq
F4PJLCpD3x+IpPWHrOX+uVaC9ItAuRNfA4fOqmlB3kjw+IAD/YPg8IIzKrzhWLHg
OzTo/dQcfrubQkMW1dn4u7Ijp2LI2IudmZrgrAfNBUCXydGU/CHphTGwyBraaen2
H3fpSl3DC2rqfbqf8fI69KlU0yFb8WL0haz4P0aa1SbfMtDv8NFCNwkhxfB1S/hW
T8pbOgQZTGf0bI5ElLB78rJKEAobF6VKI6cVxHqIRqNV0OHk59EeYlggWB3oJZsm
l9VvF3n48v4=
=hl+N
-----END PGP SIGNATURE-----