- Issued:
- 2015-12-17
- Updated:
- 2015-12-17
RHSA-2015:2666 - Security Advisory
Synopsis
Important: Red Hat OpenShift Enterprise 2.2.8 security, bug fix, and enhancement update
Type/Severity
Security Advisory: Important
Topic
Red Hat OpenShift Enterprise release 2.2.8, which fixes one security
issue, several bugs, and introduces feature enhancements, is now
available.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Description
OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or
private cloud deployments.
The following security issue is addressed with this release:
An implementation error related to the memory management of request
and responses was found within HAProxy's buffer_slow_realign()
function. An unauthenticated remote attacker could use this flaw
to leak certain memory buffer contents from a past request or
session. (CVE-2015-3281)
Space precludes documenting all of the bug fixes in this advisory. See
the OpenShift Enterprise Technical Notes, which will be updated
shortly for release 2.2.8, for details about these changes:
https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Technical_Notes/index.html
All OpenShift Enterprise 2 users are advised to upgrade to these updated
packages.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
See the OpenShift Enterprise 2.2 Release Notes, which will be updated
shortly for release 2.2.8, for important instructions on how to fully
apply this asynchronous errata update:
https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/2.2_Release_Notes/index.html#chap-Asynchronous_Errata_Updates
This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at:
https://access.redhat.com/articles/11258
Affected Products
- Red Hat OpenShift Enterprise Infrastructure 2.2 x86_64
- Red Hat OpenShift Enterprise Application Node 2.2 x86_64
- Red Hat OpenShift Enterprise Client Tools 2.2 x86_64
- Red Hat OpenShift Enterprise JBoss EAP add-on 2.2 x86_64
Fixes
- BZ - 1045226 - oo-auto-idler man page incorrect
- BZ - 1054441 - oo-accept-node should test that BROKER_HOST is consistent
- BZ - 1064039 - RFE oo-diagnostics should report when node auth is failing (401 Unauthorized)
- BZ - 1101973 - oo-diagnostics tools is checking a non-existing dir after update ose-2.0 GA to ose-2.0.z puddle + RHSCL-1.1
- BZ - 1110415 - `oo-admin-broker-cache --clear --console` does not warn that --console flag does nothing
- BZ - 1111501 - REPORT_BUILD_ANALYTICS should be set to false by default
- BZ - 1111598 - oo-admin-chk gives bad advice to users when gears do not exist on the node.
- BZ - 1139608 - rhc snapshot save different app with the same name in the same dir didn't prompt conflict information
- BZ - 1140766 - oo-admin-ctl-district doesn't suggest FQDN for -i in -h output
- BZ - 1155003 - Should prompt correct and important parameter information when use none or error parameter in "rhc server add" command
- BZ - 1177753 - Enable a configuration in rhc to use a different ssh executable
- BZ - 1211526 - HAProxy does not restart when pid is not found
- BZ - 1218872 - rhc setup fail during upload sshkey
- BZ - 1238305 - [RFE] gear-placement plugin domain_id as input data
- BZ - 1239072 - CVE-2015-3281 haproxy: information leak in buffer_slow_realign()
- BZ - 1241675 - [RFE] Check for missing openshift_application_aliases components f5-icontrol-rest.rb
- BZ - 1248439 - Routing SPI for Nginx doesn't preserve host in http request's headers
- BZ - 1255426 - API Call to disable HA does not remove 2nd haproxy head gear
- BZ - 1264722 - oo-register-dns shows erros with any option
- BZ - 1265609 - pandas not getting installed
- BZ - 1268080 - ChangeMembersDomainOp are not cleared by oo-admin-clear-pending-ops
- BZ - 1270660 - Haproxy health check should be in sync with rolling updates in EWS
- BZ - 1271338 - oo-restorecon -v -a does not add selinux MCS labels to files under hidden directory
- BZ - 1272195 - oo-admin-ctl-app -c remove-gear , ignores min scale setting
- BZ - 1277695 - hostname regex fails in update-cluster in some locales
- BZ - 1280438 - haproxy_ctld error on a close-to-quota gear
- BZ - 1282520 - Routing-daemon does not create the openshift_application_aliases policy
- BZ - 1282940 - Exception log output when using rhc app ssh "--ssh option" with exist directory
CVEs
References
Red Hat OpenShift Enterprise Infrastructure 2.2
| SRPM | |
|---|---|
| openshift-enterprise-upgrade-2.2.8-1.el6op.src.rpm | SHA-256: a92f0116cbc1770e40d0467d12cc2c706e550d0e32b618a4aa0807e46636502b |
| openshift-origin-broker-util-1.37.4.2-1.el6op.src.rpm | SHA-256: 34798b9b5e35345c7dd96219e7c4684902f402ffea3d128c7017fa70f54f7561 |
| rubygem-openshift-origin-common-1.29.4.1-1.el6op.src.rpm | SHA-256: ca4423b6c6315ac29fab7f24b8c730970453c5d8c11f858f340efd4460751509 |
| rubygem-openshift-origin-controller-1.38.4.2-1.el6op.src.rpm | SHA-256: 3594c83594333c91953b8216ab33b3e736b6db117d387ff0f89283071b8415d7 |
| rubygem-openshift-origin-routing-daemon-0.26.4.4-1.el6op.src.rpm | SHA-256: 18469e4dbe492b58c9cffdeb208f249bed5ebe2de6b40daed010d5a6c4e1a21a |
| x86_64 | |
| openshift-enterprise-release-2.2.8-1.el6op.noarch.rpm | SHA-256: 16f64d6a6fd97205e55838b753dabf42e180fe66d7a73b35bf6c7e113ee29982 |
| openshift-enterprise-upgrade-broker-2.2.8-1.el6op.noarch.rpm | SHA-256: c62033e5e39a7fe8aab4f5feae13089bfc781692c4e7a9d3ed272a830cb11171 |
| openshift-enterprise-yum-validator-2.2.8-1.el6op.noarch.rpm | SHA-256: 3ac90f74eb58c1a3eef2805ba287564bc37c5c20b576d53386eddc224fdad3a2 |
| openshift-origin-broker-util-1.37.4.2-1.el6op.noarch.rpm | SHA-256: 30585546572af6de17a7acc0ff8b527f80b19709429e9e8cc918e953c99e0555 |
| rubygem-openshift-origin-common-1.29.4.1-1.el6op.noarch.rpm | SHA-256: 12c4a20a72c64057764f9b969ad174c15eb46e6e7fc6852f4035ab72a7be3850 |
| rubygem-openshift-origin-controller-1.38.4.2-1.el6op.noarch.rpm | SHA-256: c494e5dcaf591f7b2bb77a7e4bcb8a79ce028acf322861b6635208427f5de08c |
| rubygem-openshift-origin-routing-daemon-0.26.4.4-1.el6op.noarch.rpm | SHA-256: e97b4a268e18bb69861367ef77be94bf80ec6ea3731dab5a74f9b4e546bb4ed6 |
Red Hat OpenShift Enterprise Application Node 2.2
| SRPM | |
|---|---|
| haproxy15side-1.5.4-2.el6op.src.rpm | SHA-256: 905c62e5f55d6b93424c6b0f5f336808148d5e76becdbc4ec96f99e3c86c18e0 |
| openshift-enterprise-upgrade-2.2.8-1.el6op.src.rpm | SHA-256: a92f0116cbc1770e40d0467d12cc2c706e550d0e32b618a4aa0807e46636502b |
| openshift-origin-cartridge-haproxy-1.31.4.1-1.el6op.src.rpm | SHA-256: 5d16b525b2c2866aab6902b9f66181bb3a2d8058f76f637a9ac854e82920b784 |
| openshift-origin-cartridge-jbossews-1.35.3.2-1.el6op.src.rpm | SHA-256: 3f7dd3f45defb60c3b47bfb755eabb3cd4f19c3b13172048c3b9523b471cea56 |
| openshift-origin-cartridge-python-1.34.1.1-1.el6op.src.rpm | SHA-256: a0176de47b6026c39668cd2e8480d521d33603861c00b0a61d1e1fa3632fb38d |
| openshift-origin-node-util-1.38.5.1-1.el6op.src.rpm | SHA-256: eebc7af5376352f645760f6553d558a54a3aeb3521cc0eefa0f7e11d9f49d643 |
| rubygem-openshift-origin-common-1.29.4.1-1.el6op.src.rpm | SHA-256: ca4423b6c6315ac29fab7f24b8c730970453c5d8c11f858f340efd4460751509 |
| rubygem-openshift-origin-node-1.38.4.1-1.el6op.src.rpm | SHA-256: 81556cb0e9c6a67087c3718db5eaaa9e5877c740e35ded8172da354e5fb494f8 |
| x86_64 | |
| haproxy15side-1.5.4-2.el6op.x86_64.rpm | SHA-256: fbc8dbd0f3310279a0bb5d494e32a04a66f9354a637022cfc06640628d2c9358 |
| haproxy15side-debuginfo-1.5.4-2.el6op.x86_64.rpm | SHA-256: 90292b662a549dba6b92a11af08514b66cb552cfb504ed10c2548023434daaf6 |
| openshift-enterprise-release-2.2.8-1.el6op.noarch.rpm | SHA-256: 16f64d6a6fd97205e55838b753dabf42e180fe66d7a73b35bf6c7e113ee29982 |
| openshift-enterprise-upgrade-node-2.2.8-1.el6op.noarch.rpm | SHA-256: b2ba263a8a5afad8441122cd2e7616892733d2b3d0b184ce38d2d9ad9f3c3623 |
| openshift-enterprise-yum-validator-2.2.8-1.el6op.noarch.rpm | SHA-256: 3ac90f74eb58c1a3eef2805ba287564bc37c5c20b576d53386eddc224fdad3a2 |
| openshift-origin-cartridge-haproxy-1.31.4.1-1.el6op.noarch.rpm | SHA-256: a0aa4fb096bb64f2594f71bece284188e23c65bc0ff565b0f2e47f0f037e92b7 |
| openshift-origin-cartridge-jbossews-1.35.3.2-1.el6op.noarch.rpm | SHA-256: 649ee8eb03e8dfd48ef39105f26d7cee539b34864214fd509516a038ce531a7b |
| openshift-origin-cartridge-python-1.34.1.1-1.el6op.noarch.rpm | SHA-256: 91b53dbf761626315ba8fcef7301dc1fa6f722d33fd49acab425925c7e64d5b3 |
| openshift-origin-node-util-1.38.5.1-1.el6op.noarch.rpm | SHA-256: 6a08577a26fa2dab566f999f081530e74a293e218c70795befebeecef882d4b0 |
| rubygem-openshift-origin-common-1.29.4.1-1.el6op.noarch.rpm | SHA-256: 12c4a20a72c64057764f9b969ad174c15eb46e6e7fc6852f4035ab72a7be3850 |
| rubygem-openshift-origin-node-1.38.4.1-1.el6op.noarch.rpm | SHA-256: 7dc336d3babbcce1889e01f38bf5aa1a066cc5b3a5414980af009bb04f47e5c8 |
Red Hat OpenShift Enterprise Client Tools 2.2
| SRPM | |
|---|---|
| rhc-1.38.4.5-1.el6op.src.rpm | SHA-256: e66100ed338490110b7338dbec8568ef96e4cbbbd7d58fadecf23a7d8353c7be |
| x86_64 | |
| rhc-1.38.4.5-1.el6op.noarch.rpm | SHA-256: fe056567ae262482eca79c05697756a8c02bc6dd645c19f135523fa64577ea2c |
Red Hat OpenShift Enterprise JBoss EAP add-on 2.2
| SRPM | |
|---|---|
| openshift-origin-cartridge-jbosseap-2.27.3.1-1.el6op.src.rpm | SHA-256: 8e3ae4b66f7c531a5464d69f209cd2ad86cf44b82b4c3c8ac7645e470cb525e9 |
| x86_64 | |
| openshift-origin-cartridge-jbosseap-2.27.3.1-1.el6op.noarch.rpm | SHA-256: adefe263b8f10f1b1156a43b82cd643e1589f26b95d1632d1857d976ba3557c2 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.