Red Hat Product Errata RHSA-2016:2064 - Security Advisory
Issued:
2016-10-17
Updated:
2016-10-17

RHSA-2016:2064 - Security Advisory

Synopsis

Important: atomic-openshift security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for atomic-openshift is now available for Red Hat OpenShift
Container Platform 3.1, 3.2, and 3.3.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

Security Fix(es):

  • It was found that Kubernetes did not correctly validate X.509 client

intermediate certificate host name fields. An attacker could use this flaw
to bypass authentication requirements by using a specially crafted X.509
certificate. (CVE-2016-7075)

This advisory contains the RPM packages for this release. See the following
advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2016:2065

All OpenShift Container Platform 3 users are advised to upgrade to these
updated images.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To apply this update, see the following cluster upgrade documentation that
relates to your installed version of OpenShift Container Platform.

For OpenShift Container Platform 3.3:

https://docs.openshift.com/container-platform/3.3/install_config/upgrading/automated_upgrades.html#upgrading-to-ocp-3-3-asynchronous-releases

For OpenShift Container Platform 3.2:

https://docs.openshift.com/enterprise/3.2/install_config/upgrading/automated_upgrades.html#upgrading-to-openshift-enterprise-3-2-asynchronous-releases

For OpenShift Container Platform 3.1:

https://docs.openshift.com/enterprise/3.1/install_config/upgrading/automated_upgrades.html#upgrading-to-openshift-enterprise-3-1-asynchronous-releases

Affected Products

  • Red Hat OpenShift Container Platform 3.3 x86_64
  • Red Hat OpenShift Container Platform 3.1 x86_64

Fixes

  • BZ - 1384112 - CVE-2016-7075 OpenShift 3: API server does not validate client-provided intermediate certificates correctly

Red Hat OpenShift Container Platform 3.3

SRPM
atomic-openshift-3.3.0.35-1.git.0.d7bd9b6.el7.src.rpm SHA-256: 42a0bb65ccf3e65aec0dd9ec17ca075e2384ab4ee547d49df5fe3e726b31c9fc
x86_64
atomic-openshift-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm SHA-256: 2c6a90816033c6b0551d3506faa47b23006a150513ff731131784a4497b5b14d
atomic-openshift-clients-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm SHA-256: c6161c189cefbb40e67d10e2ab4dafe34b939721c0922c58e58cb5c663979f2b
atomic-openshift-clients-redistributable-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm SHA-256: 7b08b7bfbb39ccb2dadcd1ca8df51e5a54781247d95e5bb9bffd5407b3d98891
atomic-openshift-dockerregistry-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm SHA-256: cc3440a116e45337a61bf270409cc0f18158ce06f0cf069e2ee73d96ade12d6b
atomic-openshift-master-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm SHA-256: 32788913b1c4f759e2a93335c170e23fb104656faa8aa02ddb775f143cc15ea0
atomic-openshift-node-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm SHA-256: 268dc223d9e8cdf462071f83a061b5818244f677ccaeac6848e6199be15d46e9
atomic-openshift-pod-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm SHA-256: 8e9b35aa5077227c2df045c51cd69698b60a0e998edc5b4f78eff43936a6c503
atomic-openshift-sdn-ovs-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm SHA-256: 9e9de63ae9875ebcc41da341e3270120f425d5fd8ca384c4f3131cfca24d15f2
atomic-openshift-tests-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm SHA-256: a7983edaf4c8f560e61bc35876786c8dce2002ece8ea7408ef154351d82ac87e
tuned-profiles-atomic-openshift-node-3.3.0.35-1.git.0.d7bd9b6.el7.x86_64.rpm SHA-256: f8125d1e20642ce9e4148df5e1cc3538f48ea55238da86a66c6bec3f1350c2ae

Red Hat OpenShift Container Platform 3.2

SRPM
atomic-openshift-3.2.1.17-1.git.0.6d01b60.el7.src.rpm SHA-256: 7cb5f701d4a95310ac895afe4a3e73f7060e202ed4640bb273883d11b511ede8
x86_64

Red Hat OpenShift Container Platform 3.1

SRPM
atomic-openshift-3.1.1.8-1.git.0.d469026.el7aos.src.rpm SHA-256: 21a59c2850dd84ecca493d506b8d33ac5087028695b59b77b28ccec76b2a07d0
x86_64
atomic-openshift-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm SHA-256: 96118090fd23a837839be68445089234fdd1ed22fc0d3d5b2bf90df694721106
atomic-openshift-clients-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm SHA-256: e7bdc02fcec3810c9ffb80f333fe327edf485699c7139ed8f1f225d693dbd675
atomic-openshift-clients-redistributable-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm SHA-256: 2f5a0f9bdb176e2a1399199faad8e45ce6c8341d204494b9ba491b2c099d6a5e
atomic-openshift-dockerregistry-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm SHA-256: 1f47f1fdaa5f113fbc5913fd0aa3af16cbbbbab027290b86f32b7ee38d791fab
atomic-openshift-master-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm SHA-256: 793ba789c577e933f56b8a2330c93b10fecb3410e1a8dca4face9cd6adc656c3
atomic-openshift-node-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm SHA-256: c13b6fa3c57bbf3226fa1f86295b6c47dac7ace3dff48d139501a7689afb55db
atomic-openshift-pod-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm SHA-256: 030d9a179808744b1f9215e7d12944de226fdf50b06f2da25f9cc05912b9d7ab
atomic-openshift-recycle-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm SHA-256: eaadcb71d27f25197b02a07c31cc8a2bb5303954f6c3632ec6dfd8469e8460ad
atomic-openshift-sdn-ovs-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm SHA-256: 767f6499bd98f33597091f1645aa7aa5d3cbe3afa29d68ad6b72cdd0f5d4d3f9
tuned-profiles-atomic-openshift-node-3.1.1.8-1.git.0.d469026.el7aos.x86_64.rpm SHA-256: 9de75f633c9be1bf0d1c2e8e086fa3e02534a369f9cef8c59dcbccd126a170f6

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.