Issued: 2016-08-11
Updated: 2016-08-11
RHSA-2016:1605 - Security Advisory
Synopsis
Moderate: Red Hat OpenShift Enterprise security update
Type/Severity
Security Advisory: Moderate
Topic
An update is now available for Red Hat OpenShift Enterprise 3.1 and Red Hat OpenShift Enterprise 3.2.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.
The logging auth proxy is a reverse proxy that authenticates requests against OpenShift, retrieving user information and setting the configured header with the appropriate details.
Security Fix(es):
- A regular expression denial of service flaw was found in Negotiator. An attacker able to make an application using Negotiator to perform matching using a specially crafted glob pattern could cause the application to consume an excessive amount of CPU. (CVE-2016-1000022)
- A regular expression denial of service flaw was found in Minimatch. An attacker able to make an application using Minimatch to perform matching using a specially crafted glob pattern could cause the application to consume an excessive amount of CPU. (CVE-2016-1000023)
Refer to the changelog listed in the References section for a list of changes.
This update includes the following images:
openshift3/logging-auth-proxy:3.1.1-13
openshift3/logging-auth-proxy:3.2.1-5
All OpenShift Enterprise 3 users are advised to upgrade to the updated images.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
Affected Products
- Red Hat OpenShift Container Platform 3.2 x86_64
- Red Hat OpenShift Container Platform 3.1 x86_64
Fixes
- BZ - 1347677 - CVE-2016-1000022 nodejs-negotiator: Regular expression denial-of-service
- BZ - 1348509 - CVE-2016-1000023 nodejs-minimatch: Regular expression denial-of-service
CVEs
- CVE-2016-1000022
- CVE-2016-1000023
References
Red Hat OpenShift Container Platform 3.2
SRPM
| Package | SHA-256 |
|---|---|
| nodejs-accepts-1.3.3-1.el7.src.rpm | c5c09c8cb44d348af342b3c7ab265269c8551c742072b85a0817a07764c57037 |
| nodejs-express-4.13.3-4.el7.src.rpm | 9f7bd05aa577ad3b32ff9fb352556d3cbb906719f20497114ac5403bdb460252 |
| nodejs-mime-db-1.23.0-1.el7.src.rpm | 62e044b7736e437ff65509c4762ef5f760889195402b64feefa4bb27c4e85999 |
| nodejs-mime-types-2.1.11-1.el7.src.rpm | ec472aecdc250b15864f245a385fc4dd6967aa06acfd9dfbb30ac81efe89a3c9 |
| nodejs-minimatch-3.0.2-1.el7.src.rpm | a201b4e46c5af2b16d3828a43d871e85fd4476f5d1a209ab51b6b2234d64b471 |
| nodejs-negotiator-0.6.1-1.el7.src.rpm | ba57f54ab916c8575c15d6354acc87c7da681c66c7368042529913731cf41bd2 |
x86_64
| Package | SHA-256 |
|---|---|
| nodejs-accepts-1.3.3-1.el7.noarch.rpm | c73adee1bbf6988cfcda9021ac28006d323745a9e421b2575fb26763e4a60aa1 |
| nodejs-express-4.13.3-4.el7.noarch.rpm | a7f15baff439bfa629932b420159080b101e329599a6a086115bc8ce2acc1576 |
| nodejs-mime-db-1.23.0-1.el7.noarch.rpm | 6a3fde4e8e19295d9d22ca65c8ce6b70fb6cd89299b395459414ad2ec019f5b3 |
| nodejs-mime-types-2.1.11-1.el7.noarch.rpm | 704ee6050d1e12263ee1bf91cd15127ab508fc220f80c44e11b09ce2dd61bd80 |
| nodejs-minimatch-3.0.2-1.el7.noarch.rpm | 88e62aa9b8f9ed34891faea0a7060d6c3305fcf02ad4bc8ea5a2661a239d83ae |
| nodejs-negotiator-0.6.1-1.el7.noarch.rpm | ab0a12c3d7ff1048a9f29863b422a2bc38896a68ecc42c6fdb91f5f69029664c |
Red Hat OpenShift Container Platform 3.1
SRPM
| Package | SHA-256 |
|---|---|
| nodejs-accepts-1.3.3-1.el7.src.rpm | c5c09c8cb44d348af342b3c7ab265269c8551c742072b85a0817a07764c57037 |
| nodejs-express-4.13.3-4.el7.src.rpm | 9f7bd05aa577ad3b32ff9fb352556d3cbb906719f20497114ac5403bdb460252 |
| nodejs-mime-db-1.23.0-1.el7.src.rpm | 62e044b7736e437ff65509c4762ef5f760889195402b64feefa4bb27c4e85999 |
| nodejs-mime-types-2.1.11-1.el7.src.rpm | ec472aecdc250b15864f245a385fc4dd6967aa06acfd9dfbb30ac81efe89a3c9 |
| nodejs-minimatch-3.0.2-1.el7.src.rpm | a201b4e46c5af2b16d3828a43d871e85fd4476f5d1a209ab51b6b2234d64b471 |
| nodejs-negotiator-0.6.1-1.el7.src.rpm | ba57f54ab916c8575c15d6354acc87c7da681c66c7368042529913731cf41bd2 |
x86_64
| Package | SHA-256 |
|---|---|
| nodejs-accepts-1.3.3-1.el7.noarch.rpm | c73adee1bbf6988cfcda9021ac28006d323745a9e421b2575fb26763e4a60aa1 |
| nodejs-express-4.13.3-4.el7.noarch.rpm | a7f15baff439bfa629932b420159080b101e329599a6a086115bc8ce2acc1576 |
| nodejs-mime-db-1.23.0-1.el7.noarch.rpm | 6a3fde4e8e19295d9d22ca65c8ce6b70fb6cd89299b395459414ad2ec019f5b3 |
| nodejs-mime-types-2.1.11-1.el7.noarch.rpm | 704ee6050d1e12263ee1bf91cd15127ab508fc220f80c44e11b09ce2dd61bd80 |
| nodejs-minimatch-3.0.2-1.el7.noarch.rpm | 88e62aa9b8f9ed34891faea0a7060d6c3305fcf02ad4bc8ea5a2661a239d83ae |
| nodejs-negotiator-0.6.1-1.el7.noarch.rpm | ab0a12c3d7ff1048a9f29863b422a2bc38896a68ecc42c6fdb91f5f69029664c |
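The SHA-256 values above are what lets an administrator confirm that a package pulled from a mirror or cache is the one Red Hat shipped. The following POSIX shell snippet is an added example, not part of the advisory or any Red Hat tooling: `verify_sha256` checks one downloaded file against an expected digest, and `advisory_table_to_sums` converts rows copied from the tables above into the `HASH  FILE` format that `sha256sum -c` accepts, so a whole table can be checked in one pass. The function names are assumptions; the RPM file names and hashes in the usage comment are taken from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): verify downloaded RPMs against
# the SHA-256 digests published in the advisory's package tables.

# verify_sha256 FILE EXPECTED_HEX
# Exit status 0 when FILE's SHA-256 equals EXPECTED_HEX (case-insensitive),
# 1 on mismatch, 2 when FILE does not exist.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 2
    # sha256sum is coreutils; fall back to shasum (macOS / BSD userland)
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# advisory_table_to_sums
# Reads table rows of the form
#   | nodejs-minimatch-3.0.2-1.el7.noarch.rpm | 88e6...83ae |
# on stdin and prints "HASH  FILE" lines, the format sha256sum -c expects.
# Rows that do not match a 64-hex-digit digest are silently dropped.
advisory_table_to_sums() {
    sed -n 's/^| *\([^ |]*\.rpm\) *| *\([0-9a-fA-F]\{64\}\) *|$/\2  \1/p'
}

# Usage with the advisory's own values (the RPMs must already be downloaded):
# verify_sha256 nodejs-minimatch-3.0.2-1.el7.noarch.rpm \
#   88e62aa9b8f9ed34891faea0a7060d6c3305fcf02ad4bc8ea5a2661a239d83ae \
#   && echo "checksum OK" || echo "checksum MISMATCH, do not install"
#
# Or check a whole table pasted into a file:
# advisory_table_to_sums < table.md > SHA256SUMS && sha256sum -c SHA256SUMS
```

A mismatch means the file is not the package the advisory describes (corrupted, tampered with, or a different build) and should not be installed; exit status 2 distinguishes a missing download from a bad one so a script can tell the two apart.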
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
