Red Hat Product Errata RHSA-2015:2666 - Security Advisory
Issued: 2015-12-17
Updated: 2015-12-17

Synopsis

Important: Red Hat OpenShift Enterprise 2.2.8 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

Red Hat OpenShift Enterprise release 2.2.8, which fixes one security
issue, several bugs, and introduces feature enhancements, is now
available.

Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Description

OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or
private cloud deployments.

The following security issue is addressed with this release:

An implementation error related to the memory management of requests
and responses was found within HAProxy's buffer_slow_realign()
function. An unauthenticated remote attacker could use this flaw
to leak certain memory buffer contents from a past request or
session. (CVE-2015-3281)

Space precludes documenting all of the bug fixes in this advisory. See
the OpenShift Enterprise Technical Notes, which will be updated
shortly for release 2.2.8, for details about these changes:

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Technical_Notes/index.html

All OpenShift Enterprise 2 users are advised to upgrade to these updated
packages.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

See the OpenShift Enterprise 2.2 Release Notes, which will be updated
shortly for release 2.2.8, for important instructions on how to fully
apply this asynchronous errata update:

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/2.2_Release_Notes/index.html#chap-Asynchronous_Errata_Updates

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at:
https://access.redhat.com/articles/11258
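
To confirm that a node actually carries the fixed HAProxy builds after the update, the installed package list can be compared against the versions this advisory ships. The following is an added example, not Red Hat's tooling: the fixed versions come from this advisory's Application Node package list, the `rpm -qa` sample is constructed, and the version comparison is a simplified form of rpm's algorithm that ignores epochs and the `~`/`^` markers.

```python
import re

# Fixed builds copied from this advisory's Application Node package list.
FIXED = {
    "haproxy15side": ("1.5.4", "2.el6op"),
    "openshift-origin-cartridge-haproxy": ("1.31.4.1", "1.el6op"),
}

# Constructed `rpm -qa` output for illustration; not taken from a real host.
SAMPLE_RPM_QA = """\
haproxy15side-1.5.4-1.el6op.x86_64
openshift-origin-cartridge-haproxy-1.31.4.1-1.el6op.noarch
bash-4.1.2-33.el6.x86_64
gpg-pubkey-00000000-00000000
"""

# rpm compares runs of digits and runs of letters; separators are ignored.
_SEGMENTS = re.compile(r"\d+|[A-Za-z]+").findall

def rpmvercmp(a, b):
    """Simplified rpmvercmp (no epoch, '~' or '^'): returns -1, 0 or 1."""
    sa, sb = _SEGMENTS(a), _SEGMENTS(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(line):
    """Split 'name-version-release.arch' as printed by `rpm -qa`."""
    nvr, _arch = line.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def outdated(rpm_qa_output):
    """Return installed packages older than the advisory's fixed build."""
    stale = []
    for line in rpm_qa_output.split():
        try:
            name, ver, rel = parse_nvra(line)
            fver, frel = FIXED[name]
        except (ValueError, KeyError):
            continue  # unparseable line, or package not in this advisory
        if (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) < 0:
            stale.append(line)
    return stale
```

Feed `outdated()` the output of `rpm -qa` from each node; an empty list means both HAProxy packages are at or above the builds listed in this advisory.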

Affected Products

  • Red Hat OpenShift Enterprise Infrastructure 2.2 x86_64
  • Red Hat OpenShift Enterprise Application Node 2.2 x86_64
  • Red Hat OpenShift Enterprise Client Tools 2.2 x86_64
  • Red Hat OpenShift Enterprise JBoss EAP add-on 2.2 x86_64

Fixes

  • BZ - 1045226 - oo-auto-idler man page incorrect
  • BZ - 1054441 - oo-accept-node should test that BROKER_HOST is consistent
  • BZ - 1064039 - RFE oo-diagnostics should report when node auth is failing (401 Unauthorized)
  • BZ - 1101973 - oo-diagnostics tools is checking a non-existing dir after update ose-2.0 GA to ose-2.0.z puddle + RHSCL-1.1
  • BZ - 1110415 - `oo-admin-broker-cache --clear --console` does not warn that --console flag does nothing
  • BZ - 1111501 - REPORT_BUILD_ANALYTICS should be set to false by default
  • BZ - 1111598 - oo-admin-chk gives bad advice to users when gears do not exist on the node.
  • BZ - 1139608 - rhc snapshot save different app with the same name in the same dir didn't prompt conflict information
  • BZ - 1140766 - oo-admin-ctl-district doesn't suggest FQDN for -i in -h output
  • BZ - 1155003 - Should prompt correct and important parameter information when use none or error parameter in "rhc server add" command
  • BZ - 1177753 - Enable a configuration in rhc to use a different ssh executable
  • BZ - 1211526 - HAProxy does not restart when pid is not found
  • BZ - 1218872 - rhc setup fail during upload sshkey
  • BZ - 1238305 - [RFE] gear-placement plugin domain_id as input data
  • BZ - 1239072 - CVE-2015-3281 haproxy: information leak in buffer_slow_realign()
  • BZ - 1241675 - [RFE] Check for missing openshift_application_aliases components f5-icontrol-rest.rb
  • BZ - 1248439 - Routing SPI for Nginx doesn't preserve host in http request's headers
  • BZ - 1255426 - API Call to disable HA does not remove 2nd haproxy head gear
  • BZ - 1264722 - oo-register-dns shows erros with any option
  • BZ - 1265609 - pandas not getting installed
  • BZ - 1268080 - ChangeMembersDomainOp are not cleared by oo-admin-clear-pending-ops
  • BZ - 1270660 - Haproxy health check should be in sync with rolling updates in EWS
  • BZ - 1271338 - oo-restorecon -v -a does not add selinux MCS labels to files under hidden directory
  • BZ - 1272195 - oo-admin-ctl-app -c remove-gear , ignores min scale setting
  • BZ - 1277695 - hostname regex fails in update-cluster in some locales
  • BZ - 1280438 - haproxy_ctld error on a close-to-quota gear
  • BZ - 1282520 - Routing-daemon does not create the openshift_application_aliases policy
  • BZ - 1282940 - Exception log output when using rhc app ssh "--ssh option" with exist directory

CVEs

  • CVE-2015-3281

References

  • https://access.redhat.com/security/updates/classification/#important
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenShift Enterprise Infrastructure 2.2

SRPM
openshift-enterprise-upgrade-2.2.8-1.el6op.src.rpm SHA-256: a92f0116cbc1770e40d0467d12cc2c706e550d0e32b618a4aa0807e46636502b
openshift-origin-broker-util-1.37.4.2-1.el6op.src.rpm SHA-256: 34798b9b5e35345c7dd96219e7c4684902f402ffea3d128c7017fa70f54f7561
rubygem-openshift-origin-common-1.29.4.1-1.el6op.src.rpm SHA-256: ca4423b6c6315ac29fab7f24b8c730970453c5d8c11f858f340efd4460751509
rubygem-openshift-origin-controller-1.38.4.2-1.el6op.src.rpm SHA-256: 3594c83594333c91953b8216ab33b3e736b6db117d387ff0f89283071b8415d7
rubygem-openshift-origin-routing-daemon-0.26.4.4-1.el6op.src.rpm SHA-256: 18469e4dbe492b58c9cffdeb208f249bed5ebe2de6b40daed010d5a6c4e1a21a
x86_64
openshift-enterprise-release-2.2.8-1.el6op.noarch.rpm SHA-256: 16f64d6a6fd97205e55838b753dabf42e180fe66d7a73b35bf6c7e113ee29982
openshift-enterprise-upgrade-broker-2.2.8-1.el6op.noarch.rpm SHA-256: c62033e5e39a7fe8aab4f5feae13089bfc781692c4e7a9d3ed272a830cb11171
openshift-enterprise-yum-validator-2.2.8-1.el6op.noarch.rpm SHA-256: 3ac90f74eb58c1a3eef2805ba287564bc37c5c20b576d53386eddc224fdad3a2
openshift-origin-broker-util-1.37.4.2-1.el6op.noarch.rpm SHA-256: 30585546572af6de17a7acc0ff8b527f80b19709429e9e8cc918e953c99e0555
rubygem-openshift-origin-common-1.29.4.1-1.el6op.noarch.rpm SHA-256: 12c4a20a72c64057764f9b969ad174c15eb46e6e7fc6852f4035ab72a7be3850
rubygem-openshift-origin-controller-1.38.4.2-1.el6op.noarch.rpm SHA-256: c494e5dcaf591f7b2bb77a7e4bcb8a79ce028acf322861b6635208427f5de08c
rubygem-openshift-origin-routing-daemon-0.26.4.4-1.el6op.noarch.rpm SHA-256: e97b4a268e18bb69861367ef77be94bf80ec6ea3731dab5a74f9b4e546bb4ed6

Red Hat OpenShift Enterprise Application Node 2.2

SRPM
haproxy15side-1.5.4-2.el6op.src.rpm SHA-256: 905c62e5f55d6b93424c6b0f5f336808148d5e76becdbc4ec96f99e3c86c18e0
openshift-enterprise-upgrade-2.2.8-1.el6op.src.rpm SHA-256: a92f0116cbc1770e40d0467d12cc2c706e550d0e32b618a4aa0807e46636502b
openshift-origin-cartridge-haproxy-1.31.4.1-1.el6op.src.rpm SHA-256: 5d16b525b2c2866aab6902b9f66181bb3a2d8058f76f637a9ac854e82920b784
openshift-origin-cartridge-jbossews-1.35.3.2-1.el6op.src.rpm SHA-256: 3f7dd3f45defb60c3b47bfb755eabb3cd4f19c3b13172048c3b9523b471cea56
openshift-origin-cartridge-python-1.34.1.1-1.el6op.src.rpm SHA-256: a0176de47b6026c39668cd2e8480d521d33603861c00b0a61d1e1fa3632fb38d
openshift-origin-node-util-1.38.5.1-1.el6op.src.rpm SHA-256: eebc7af5376352f645760f6553d558a54a3aeb3521cc0eefa0f7e11d9f49d643
rubygem-openshift-origin-common-1.29.4.1-1.el6op.src.rpm SHA-256: ca4423b6c6315ac29fab7f24b8c730970453c5d8c11f858f340efd4460751509
rubygem-openshift-origin-node-1.38.4.1-1.el6op.src.rpm SHA-256: 81556cb0e9c6a67087c3718db5eaaa9e5877c740e35ded8172da354e5fb494f8
x86_64
haproxy15side-1.5.4-2.el6op.x86_64.rpm SHA-256: fbc8dbd0f3310279a0bb5d494e32a04a66f9354a637022cfc06640628d2c9358
haproxy15side-debuginfo-1.5.4-2.el6op.x86_64.rpm SHA-256: 90292b662a549dba6b92a11af08514b66cb552cfb504ed10c2548023434daaf6
openshift-enterprise-release-2.2.8-1.el6op.noarch.rpm SHA-256: 16f64d6a6fd97205e55838b753dabf42e180fe66d7a73b35bf6c7e113ee29982
openshift-enterprise-upgrade-node-2.2.8-1.el6op.noarch.rpm SHA-256: b2ba263a8a5afad8441122cd2e7616892733d2b3d0b184ce38d2d9ad9f3c3623
openshift-enterprise-yum-validator-2.2.8-1.el6op.noarch.rpm SHA-256: 3ac90f74eb58c1a3eef2805ba287564bc37c5c20b576d53386eddc224fdad3a2
openshift-origin-cartridge-haproxy-1.31.4.1-1.el6op.noarch.rpm SHA-256: a0aa4fb096bb64f2594f71bece284188e23c65bc0ff565b0f2e47f0f037e92b7
openshift-origin-cartridge-jbossews-1.35.3.2-1.el6op.noarch.rpm SHA-256: 649ee8eb03e8dfd48ef39105f26d7cee539b34864214fd509516a038ce531a7b
openshift-origin-cartridge-python-1.34.1.1-1.el6op.noarch.rpm SHA-256: 91b53dbf761626315ba8fcef7301dc1fa6f722d33fd49acab425925c7e64d5b3
openshift-origin-node-util-1.38.5.1-1.el6op.noarch.rpm SHA-256: 6a08577a26fa2dab566f999f081530e74a293e218c70795befebeecef882d4b0
rubygem-openshift-origin-common-1.29.4.1-1.el6op.noarch.rpm SHA-256: 12c4a20a72c64057764f9b969ad174c15eb46e6e7fc6852f4035ab72a7be3850
rubygem-openshift-origin-node-1.38.4.1-1.el6op.noarch.rpm SHA-256: 7dc336d3babbcce1889e01f38bf5aa1a066cc5b3a5414980af009bb04f47e5c8

Red Hat OpenShift Enterprise Client Tools 2.2

SRPM
rhc-1.38.4.5-1.el6op.src.rpm SHA-256: e66100ed338490110b7338dbec8568ef96e4cbbbd7d58fadecf23a7d8353c7be
x86_64
rhc-1.38.4.5-1.el6op.noarch.rpm SHA-256: fe056567ae262482eca79c05697756a8c02bc6dd645c19f135523fa64577ea2c

Red Hat OpenShift Enterprise JBoss EAP add-on 2.2

SRPM
openshift-origin-cartridge-jbosseap-2.27.3.1-1.el6op.src.rpm SHA-256: 8e3ae4b66f7c531a5464d69f209cd2ad86cf44b82b4c3c8ac7645e470cb525e9
x86_64
openshift-origin-cartridge-jbosseap-2.27.3.1-1.el6op.noarch.rpm SHA-256: adefe263b8f10f1b1156a43b82cd643e1589f26b95d1632d1857d976ba3557c2

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
