Red Hat Product Errata RHSA-2016:2915 - Security Advisory

Issued:: 2016-12-07
Updated:: 2016-12-07

RHSA-2016:2915 - Security Advisory

Overview
Updated Packages

Synopsis

Important: atomic-openshift security and bug fix update

Type/Severity

Security Advisory: Important

Topic

An update for atomic-openshift is now available for Red Hat OpenShift
Container Platform 3.1, 3.2, and 3.3.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform releases 3.3.1.7, 3.2.1.21, and 3.1.1.10. See the following
advisory for the container images for these releases:

https://access.redhat.com/errata/RHBA-2016:2916

Security Fix(es):

An input validation flaw was found in the way OpenShift handles requests
for images. A user, with a copy of the manifest associated with an image,
can pull an image even if they do not have access to the image normally,
resulting in the disclosure of any information contained within the image.
(CVE-2016-8651)

Bug Fix(es) for OpenShift Container Platform 3.3:

Previously when rapidly updating multiple namespaces
controlled by a single ClusterResourceQuota, the status.total.used can get
out of sync with the sum of the status.namespaces[*].used. This bug fix
ensures the ClusterResourceQuota objects are properly updated. (BZ#1400200)
When using the `oc new-app --search` command in an environment where
OpenShift Container Platform (OCP) could not reach Docker Hub, the command
failed for any query. OCP now prints a warning and continues with what was
found in other sources. (BZ#1388524)
The OpenShift Container Platform node daemon did not recover properly
from restarts, and it lost information about attached and mounted volumes.
In rare cases, the daemon deleted all data on a mounted volume, thinking
that it has been already unmounted while it was only missing its node's
cache. This bug fix ensures node caches are recovered after restarts, and
as a result no data loss occurs on the mounted volumes. (BZ#1398417)
Previously, ScheduledJobs were not cleaned up on project deletion. If a
new project was created with the same project name, the previously-defined
ScheduledJobs would re-appear. This bug fix ensures ScheduledJobs are
removed when a project is removed. (BZ#1399700)

Bug Fix(es) for OpenShift Container Platform 3.2:

When using the `oc new-app --search` command in an environment where
OpenShift Container Platform (OCP) could not reach Docker Hub, the command
failed for any query. OCP now prints a warning and continues with what was
found in other sources. (BZ#1388522)

All OpenShift Container Platform users are advised to upgrade to these
updated packages and images.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To apply this update, see the following cluster upgrade documentation that
relates to your installed version of OpenShift Container Platform.

For OpenShift Container Platform 3.3:

https://docs.openshift.com/container-platform/3.3/install_config/upgrading/automated_upgrades.html#upgrading-to-ocp-3-3-asynchronous-releases

For OpenShift Container Platform 3.2:

https://docs.openshift.com/enterprise/3.2/install_config/upgrading/automated_upgrades.html#upgrading-to-openshift-enterprise-3-2-asynchronous-releases

For OpenShift Container Platform 3.1:

https://docs.openshift.com/enterprise/3.1/install_config/upgrading/automated_upgrades.html#upgrading-to-openshift-enterprise-3-1-asynchronous-releases

Affected Products

Red Hat OpenShift Container Platform 3.3 x86_64
Red Hat OpenShift Container Platform 3.1 x86_64

Fixes

BZ - 1388522 - [backport] (3.2) Failed to "oc new-app --search" at the offline environment disconnected to the Internet
BZ - 1388524 - [backport] (3.3) Failed to "oc new-app --search" at the offline environment disconnected to the Internet
BZ - 1397987 - CVE-2016-8651 OpenShift Enterprise 3: Pulling of any image is possible with it manifest
BZ - 1398417 - Data from persistent volumes is wiped after a node service restart
BZ - 1399700 - Scheduledjob not deleted when project has been deleted
BZ - 1400200 - ClusterResourceQuota status total doesn't match sum of namespaces

CVEs

CVE-2016-8651

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenShift Container Platform 3.3

SRPM
atomic-openshift-3.3.1.7-1.git.0.0988966.el7.src.rpm	SHA-256: 431bce991887a1ccfe3bbf2b633771bc0842718b0912e49831c55b48570a12dd
x86_64
atomic-openshift-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm	SHA-256: 368424e294a567c16263668af8f4f14462a424206eea5c28eaf49e2a3958a0d0
atomic-openshift-clients-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm	SHA-256: 2cc6e36f28d846e51584db94f97df3d66196b44c406c04c14f1ae99993c6fc61
atomic-openshift-clients-redistributable-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm	SHA-256: 40e1d8281e77fc6813fb96abcb790cb214dfaac4d2832bed390b62ac1abcb080
atomic-openshift-docker-excluder-3.3.1.7-1.git.0.0988966.el7.noarch.rpm	SHA-256: f7e60ec48049265fdd8586b7c903d60f9a35b23b37591916a847f037cca91036
atomic-openshift-dockerregistry-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm	SHA-256: 2746f08797d81b931b45bad1df1d07560c120d410efd67cf231c6c890b769024
atomic-openshift-excluder-3.3.1.7-1.git.0.0988966.el7.noarch.rpm	SHA-256: 6f4fb9963fa168de004c1964da1dd102bc827be7c739f773cc00bcf181955545
atomic-openshift-master-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm	SHA-256: 4a4d8c9579232d38c2b5e33e50f40223b76c069f51c023957f109914a1783559
atomic-openshift-node-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm	SHA-256: 194be3eeea7cf9fb4c8e307d58b301309e7d4cc15320608bfedde6615ab8c973
atomic-openshift-pod-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm	SHA-256: 26574191bae75d8144fc189e1ef6dd566fafbd90f74b0418d7df21db450838ea
atomic-openshift-sdn-ovs-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm	SHA-256: 3c99d5e31a8c2f66df5f5e04b16c247286518adfb97648864faaa917699d43f4
atomic-openshift-tests-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm	SHA-256: 23b4e216296443c96455a3a61b6a757ce5de80d5aa54290d874acf6a98e056b6
tuned-profiles-atomic-openshift-node-3.3.1.7-1.git.0.0988966.el7.x86_64.rpm	SHA-256: 7c0b7d4fca28f9b3fb68c7b3bc281faa17646284d0716b2693f6a04dea120517

Red Hat OpenShift Container Platform 3.2

SRPM
atomic-openshift-3.2.1.21-1.git.0.4250771.el7.src.rpm	SHA-256: da003316d2c17effa4c637bc576495cd67d5920de9013a9844124a4af7cd32e6
x86_64

Red Hat OpenShift Container Platform 3.1

SRPM
atomic-openshift-3.1.1.10-1.git.0.efeef8d.el7aos.src.rpm	SHA-256: ac77288bfd3f81b3411a5c708cbde719c5b56b225b873445b4da6d90d3c086a5
x86_64
atomic-openshift-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm	SHA-256: 45eacf89c4ed6b87f93a90c53ab228458c0f9627025b01f8d7a9f00d1dcc54fe
atomic-openshift-clients-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm	SHA-256: 7b4034de0bc0342adf26701d34d3720ff5ff6378ec945e2df8ef359bf463a4f6
atomic-openshift-clients-redistributable-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm	SHA-256: 5755347f9958b9406e6163715604fe4e335f2fb0048e626dc17b86a1cec2d056
atomic-openshift-docker-excluder-3.1.1.10-1.git.0.efeef8d.el7aos.noarch.rpm	SHA-256: 5b0157881518ab5827f25ca6a67731172ce7f83738b5ec43536740aec1a1aa67
atomic-openshift-dockerregistry-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm	SHA-256: dd2099d20afd68b70a4d83b7e53a43938d0ffef5e284a4b0602044da94d0bf25
atomic-openshift-excluder-3.1.1.10-1.git.0.efeef8d.el7aos.noarch.rpm	SHA-256: a86646e8deda4f06f96719375ed8cb346492a557863273efc92ba37bc8dad2a1
atomic-openshift-master-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm	SHA-256: 11f80422628a0ef4de37afd26b17ade94935aaf78a9d99e8d552c8618389faf7
atomic-openshift-node-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm	SHA-256: 91c91ccce0b773a0eeb35571284becbbceb54aa8de722e65f151e18ea266aaa4
atomic-openshift-pod-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm	SHA-256: 7be160b2b4eff682c38129efafcd6bd6df262f01ca96ff8a2a4873ba5d05c1fb
atomic-openshift-recycle-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm	SHA-256: b09a75fe99e7813220be337025085b5fadde683b80722fa7bf93e423597d9c16
atomic-openshift-sdn-ovs-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm	SHA-256: 4231ebb02f1f7d50f08c9f03480ea8f143df7513284216d1eeedc04642262238
tuned-profiles-atomic-openshift-node-3.1.1.10-1.git.0.efeef8d.el7aos.x86_64.rpm	SHA-256: 9d4702907497b6af6033587dc2b3980573fe26cccc873a61030c0588f9495d1a

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories