Red Hat Product Errata RHSA-2016:2064 - Security Advisory

Issued:: 2016-10-17
Updated:: 2016-10-17

RHSA-2016:2064 - Security Advisory

Overview
Updated Packages

Synopsis

Important: atomic-openshift security update

Type/Severity

Security Advisory: Important

Topic

An update for atomic-openshift is now available for Red Hat OpenShift
Container Platform 3.1, 3.2, and 3.3.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

Security Fix(es):

It was found that Kubernetes did not correctly validate X.509 client
intermediate certificate host name fields. An attacker could use this flaw
to bypass authentication requirements by using a specially crafted X.509
certificate. (CVE-2016-7075)

This advisory contains the RPM packages for this release. See the following
advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2016:2065

All OpenShift Container Platform 3 users are advised to upgrade to these
updated images.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To apply this update, see the following cluster upgrade documentation that
relates to your installed version of OpenShift Container Platform.

For OpenShift Container Platform 3.3:

https://docs.openshift.com/container-platform/3.3/install_config/upgrading/automated_upgrades.html#upgrading-to-ocp-3-3-asynchronous-releases

For OpenShift Container Platform 3.2:

https://docs.openshift.com/enterprise/3.2/install_config/upgrading/automated_upgrades.html#upgrading-to-openshift-enterprise-3-2-asynchronous-releases

For OpenShift Container Platform 3.1:

https://docs.openshift.com/enterprise/3.1/install_config/upgrading/automated_upgrades.html#upgrading-to-openshift-enterprise-3-1-asynchronous-releases

Affected Products

Red Hat OpenShift Container Platform 3.3 x86_64
Red Hat OpenShift Container Platform 3.2 x86_64
Red Hat OpenShift Container Platform 3.1 x86_64

Fixes

BZ - 1384112 - CVE-2016-7075 OpenShift 3: API server does not validate client-provided intermediate certificates correctly

CVEs

CVE-2016-7075

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenShift Container Platform 3.3

SRPM
atomic-openshift-3.3.0.35-1.git.0.d7bd9b6.el7.src.rpm	SHA-256: 42a0bb65ccf3e65aec0dd9ec17ca075e2384ab4ee547d49df5fe3e726b31c9fc
x86_64
atomic-openshift-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm	SHA-256: 2c6a90816033c6b0551d3506faa47b23006a150513ff731131784a4497b5b14d
atomic-openshift-clients-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm	SHA-256: c6161c189cefbb40e67d10e2ab4dafe34b939721c0922c58e58cb5c663979f2b
atomic-openshift-clients-redistributable-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm	SHA-256: 7b08b7bfbb39ccb2dadcd1ca8df51e5a54781247d95e5bb9bffd5407b3d98891
atomic-openshift-dockerregistry-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm	SHA-256: cc3440a116e45337a61bf270409cc0f18158ce06f0cf069e2ee73d96ade12d6b
atomic-openshift-master-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm	SHA-256: 32788913b1c4f759e2a93335c170e23fb104656faa8aa02ddb775f143cc15ea0
atomic-openshift-node-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm	SHA-256: 268dc223d9e8cdf462071f83a061b5818244f677ccaeac6848e6199be15d46e9
atomic-openshift-pod-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm	SHA-256: 8e9b35aa5077227c2df045c51cd69698b60a0e998edc5b4f78eff43936a6c503
atomic-openshift-sdn-ovs-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm	SHA-256: 9e9de63ae9875ebcc41da341e3270120f425d5fd8ca384c4f3131cfca24d15f2
atomic-openshift-tests-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm	SHA-256: a7983edaf4c8f560e61bc35876786c8dce2002ece8ea7408ef154351d82ac87e
tuned-profiles-atomic-openshift-node-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm	SHA-256: f8125d1e20642ce9e4148df5e1cc3538f48ea55238da86a66c6bec3f1350c2ae

Red Hat OpenShift Container Platform 3.2

SRPM
atomic-openshift-3.2.1.17-1.git.0.6d01b60.el7.src.rpm	SHA-256: 7cb5f701d4a95310ac895afe4a3e73f7060e202ed4640bb273883d11b511ede8
x86_64
atomic-openshift-3.2.1.17-1.git.0.6d01b60.el7.x86_64.rpm	SHA-256: abf3290e755c59ccb1d98070372372d887a2cfa24d84e9f2c878dcc51063d09b
atomic-openshift-clients-3.2.1.17-1.git.0.6d01b60.el7.x86_64.rpm	SHA-256: 6d346e4d4341992b85f4a6603a59e137032113b02ec7250bc6b843fd94dab8e7
atomic-openshift-clients-redistributable-3.2.1.17-1.git.0.6d01b60.el7.x86_64.rpm	SHA-256: 28ebb18273f464f97327950bc8339e4549aacd463523e726ad401084daa6d69f
atomic-openshift-dockerregistry-3.2.1.17-1.git.0.6d01b60.el7.x86_64.rpm	SHA-256: d71311d60b0d353bc7ce06ffa621d6a920c4a48d3e482adabac6f40ec616e93c
atomic-openshift-master-3.2.1.17-1.git.0.6d01b60.el7.x86_64.rpm	SHA-256: 0422949e133917fb0ac5e49c83f6f3bcd7e4f3e65334fedc6dcacbdcddecbf29
atomic-openshift-node-3.2.1.17-1.git.0.6d01b60.el7.x86_64.rpm	SHA-256: 9fec1a8e4e054c415b3dd42dd82f439102ff70a9a7615b7ffc17db6c73807666
atomic-openshift-pod-3.2.1.17-1.git.0.6d01b60.el7.x86_64.rpm	SHA-256: cdb8f14bea972f9c4e8732b6ff1f438b383997ed2987de8e08d9f7af82926620
atomic-openshift-recycle-3.2.1.17-1.git.0.6d01b60.el7.x86_64.rpm	SHA-256: 8e6fadedaf451ed33e945e09f9937c6c43a6f1f368d2497139c50467923e19fd
atomic-openshift-sdn-ovs-3.2.1.17-1.git.0.6d01b60.el7.x86_64.rpm	SHA-256: abd02f76481c46ede17f6320b84e53ce5445763feb5bed7dfe611e83c9c61c93
atomic-openshift-tests-3.2.1.17-1.git.0.6d01b60.el7.x86_64.rpm	SHA-256: 4e58c6f78fc86da56772063b7b5ff3d948a4d850f5a0ad92bb5d945d48424e92
tuned-profiles-atomic-openshift-node-3.2.1.17-1.git.0.6d01b60.el7.x86_64.rpm	SHA-256: 82ab4b647ddf6c07cd67e5eac135fdbd5750e4dbd96fc58e540a3927bb1dfcd7

Red Hat OpenShift Container Platform 3.1

SRPM
atomic-openshift-3.1.1.8-1.git.0.d469026.el7aos.src.rpm	SHA-256: 21a59c2850dd84ecca493d506b8d33ac5087028695b59b77b28ccec76b2a07d0
x86_64
atomic-openshift-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm	SHA-256: 96118090fd23a837839be68445089234fdd1ed22fc0d3d5b2bf90df694721106
atomic-openshift-clients-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm	SHA-256: e7bdc02fcec3810c9ffb80f333fe327edf485699c7139ed8f1f225d693dbd675
atomic-openshift-clients-redistributable-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm	SHA-256: 2f5a0f9bdb176e2a1399199faad8e45ce6c8341d204494b9ba491b2c099d6a5e
atomic-openshift-dockerregistry-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm	SHA-256: 1f47f1fdaa5f113fbc5913fd0aa3af16cbbbbab027290b86f32b7ee38d791fab
atomic-openshift-master-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm	SHA-256: 793ba789c577e933f56b8a2330c93b10fecb3410e1a8dca4face9cd6adc656c3
atomic-openshift-node-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm	SHA-256: c13b6fa3c57bbf3226fa1f86295b6c47dac7ace3dff48d139501a7689afb55db
atomic-openshift-pod-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm	SHA-256: 030d9a179808744b1f9215e7d12944de226fdf50b06f2da25f9cc05912b9d7ab
atomic-openshift-recycle-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm	SHA-256: eaadcb71d27f25197b02a07c31cc8a2bb5303954f6c3632ec6dfd8469e8460ad
atomic-openshift-sdn-ovs-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm	SHA-256: 767f6499bd98f33597091f1645aa7aa5d3cbe3afa29d68ad6b72cdd0f5d4d3f9
tuned-profiles-atomic-openshift-node-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm	SHA-256: 9de75f633c9be1bf0d1c2e8e086fa3e02534a369f9cef8c59dcbccd126a170f6

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories