Red Hat Security Advisory 2015-2666-01 - OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service solution designed for on-premise or private cloud deployments. The following security issue is addressed with this release: An implementation error related to the memory management of requests and responses was found within HAProxy's buffer_slow_realign() function. An unauthenticated remote attacker could use this flaw to leak certain memory buffer contents from a past request or session.
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat OpenShift Enterprise 2.2.8 security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2666-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2666.html
Issue date: 2015-12-17
CVE Names: CVE-2015-3281
=====================================================================
1. Summary:
Red Hat OpenShift Enterprise release 2.2.8, which fixes one security
issue, several bugs, and introduces feature enhancements, is now
available.
Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Relevant releases/architectures:
RHOSE Client 2.2 - noarch
RHOSE Infrastructure 2.2 - noarch
RHOSE JBoss EAP add-on 2.2 - noarch
RHOSE Node 2.2 - noarch, x86_64
3. Description:
OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or
private cloud deployments.
The following security issue is addressed with this release:
An implementation error related to the memory management of requests
and responses was found within HAProxy's buffer_slow_realign()
function. An unauthenticated remote attacker could use this flaw
to leak certain memory buffer contents from a past request or
session. (CVE-2015-3281)
Space precludes documenting all of the bug fixes in this advisory. See
the OpenShift Enterprise Technical Notes, which will be updated
shortly for release 2.2.8, for details about these changes:
https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Technical_Notes/index.html
All OpenShift Enterprise 2 users are advised to upgrade to these updated
packages.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
See the OpenShift Enterprise 2.2 Release Notes, which will be updated
shortly for release 2.2.8, for important instructions on how to fully
apply this asynchronous errata update:
https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/2.2_Release_Notes/index.html#chap-Asynchronous_Errata_Updates
This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1045226 - oo-auto-idler man page incorrect
1054441 - oo-accept-node should test that BROKER_HOST is consistent
1064039 - RFE oo-diagnostics should report when node auth is failing (401 Unauthorized)
1101973 - oo-diagnostics tools is checking a non-existing dir after update ose-2.0 GA to ose-2.0.z puddle + RHSCL-1.1
1110415 - `oo-admin-broker-cache --clear --console` does not warn that --console flag does nothing
1111501 - REPORT_BUILD_ANALYTICS should be set to false by default
1111598 - oo-admin-chk gives bad advice to users when gears do not exist on the node.
1139608 - rhc snapshot save different app with the same name in the same dir didn't prompt conflict information
1140766 - oo-admin-ctl-district doesn't suggest FQDN for -i in -h output
1155003 - Should prompt correct and important parameter information when use none or error parameter in "rhc server add" command
1177753 - Enable a configuration in rhc to use a different ssh executable
1211526 - HAProxy does not restart when pid is not found
1218872 - rhc setup fail during upload sshkey
1238305 - [RFE] gear-placement plugin domain_id as input data
1239072 - CVE-2015-3281 haproxy: information leak in buffer_slow_realign()
1241675 - [RFE] Check for missing openshift_application_aliases components f5-icontrol-rest.rb
1248439 - Routing SPI for Nginx doesn't preserve host in http request's headers
1255426 - API Call to disable HA does not remove 2nd haproxy head gear
1264722 - oo-register-dns shows erros with any option
1265609 - pandas not getting installed
1268080 - ChangeMembersDomainOp are not cleared by oo-admin-clear-pending-ops
1270660 - Haproxy health check should be in sync with rolling updates in EWS
1271338 - oo-restorecon -v -a does not add selinux MCS labels to files under hidden directory
1272195 - oo-admin-ctl-app -c remove-gear , ignores min scale setting
1277695 - hostname regex fails in update-cluster in some locales
1280438 - haproxy_ctld error on a close-to-quota gear
1282520 - Routing-daemon does not create the openshift_application_aliases policy
1282940 - Exception log output when using rhc app ssh "--ssh option" with exist directory
6. Package List:
RHOSE Client 2.2:
Source:
rhc-1.38.4.5-1.el6op.src.rpm
noarch:
rhc-1.38.4.5-1.el6op.noarch.rpm
RHOSE Infrastructure 2.2:
Source:
openshift-enterprise-upgrade-2.2.8-1.el6op.src.rpm
openshift-origin-broker-util-1.37.4.2-1.el6op.src.rpm
rubygem-openshift-origin-common-1.29.4.1-1.el6op.src.rpm
rubygem-openshift-origin-controller-1.38.4.2-1.el6op.src.rpm
rubygem-openshift-origin-routing-daemon-0.26.4.4-1.el6op.src.rpm
noarch:
openshift-enterprise-release-2.2.8-1.el6op.noarch.rpm
openshift-enterprise-upgrade-broker-2.2.8-1.el6op.noarch.rpm
openshift-enterprise-yum-validator-2.2.8-1.el6op.noarch.rpm
openshift-origin-broker-util-1.37.4.2-1.el6op.noarch.rpm
rubygem-openshift-origin-common-1.29.4.1-1.el6op.noarch.rpm
rubygem-openshift-origin-controller-1.38.4.2-1.el6op.noarch.rpm
rubygem-openshift-origin-routing-daemon-0.26.4.4-1.el6op.noarch.rpm
RHOSE JBoss EAP add-on 2.2:
Source:
openshift-origin-cartridge-jbosseap-2.27.3.1-1.el6op.src.rpm
noarch:
openshift-origin-cartridge-jbosseap-2.27.3.1-1.el6op.noarch.rpm
RHOSE Node 2.2:
Source:
haproxy15side-1.5.4-2.el6op.src.rpm
openshift-enterprise-upgrade-2.2.8-1.el6op.src.rpm
openshift-origin-cartridge-haproxy-1.31.4.1-1.el6op.src.rpm
openshift-origin-cartridge-jbossews-1.35.3.2-1.el6op.src.rpm
openshift-origin-cartridge-python-1.34.1.1-1.el6op.src.rpm
openshift-origin-node-util-1.38.5.1-1.el6op.src.rpm
rubygem-openshift-origin-common-1.29.4.1-1.el6op.src.rpm
rubygem-openshift-origin-node-1.38.4.1-1.el6op.src.rpm
noarch:
openshift-enterprise-release-2.2.8-1.el6op.noarch.rpm
openshift-enterprise-upgrade-node-2.2.8-1.el6op.noarch.rpm
openshift-enterprise-yum-validator-2.2.8-1.el6op.noarch.rpm
openshift-origin-cartridge-haproxy-1.31.4.1-1.el6op.noarch.rpm
openshift-origin-cartridge-jbossews-1.35.3.2-1.el6op.noarch.rpm
openshift-origin-cartridge-python-1.34.1.1-1.el6op.noarch.rpm
openshift-origin-node-util-1.38.5.1-1.el6op.noarch.rpm
rubygem-openshift-origin-common-1.29.4.1-1.el6op.noarch.rpm
rubygem-openshift-origin-node-1.38.4.1-1.el6op.noarch.rpm
x86_64:
haproxy15side-1.5.4-2.el6op.x86_64.rpm
haproxy15side-debuginfo-1.5.4-2.el6op.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
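As an added example (not part of the advisory), the following Python script checks whether a node's installed packages are at or above the fixed builds listed in the RHOSE Node 2.2 package list above. It assumes the installed package list was captured with `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`; the sample output embedded below is constructed, not from a real system.

```python
import re

# Fixed version-release of the HAProxy-related Node packages, taken from the
# advisory's RHOSE Node 2.2 package list (CVE-2015-3281 fix is in haproxy15side).
FIXED_NODE_PACKAGES = {
    "haproxy15side": "1.5.4-2.el6op",
    "openshift-origin-cartridge-haproxy": "1.31.4.1-1.el6op",
    "openshift-origin-node-util": "1.38.5.1-1.el6op",
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """Compare two RPM version or release strings the way rpm's rpmvercmp() does:
    split into numeric and alphabetic segments, compare numbers numerically and
    letters lexically, and rank a numeric segment above an alphabetic one.
    Tilde (pre-release) handling is omitted; the advisory's builds use none."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(vr_a, vr_b):
    """Compare 'version-release' strings: version decides, release breaks ties."""
    va, ra = vr_a.rsplit("-", 1)
    vb, rb = vr_b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unpatched(rpm_query_lines):
    """Return the names of installed packages older than the advisory's fixed builds."""
    out = []
    for line in rpm_query_lines:
        name, vr = line.split()
        fixed = FIXED_NODE_PACKAGES.get(name)
        if fixed and evr_cmp(vr, fixed) < 0:
            out.append(name)
    return out

# Constructed sample of the rpm query output on a hypothetical node (not real data):
# haproxy15side and node-util are one build behind, the haproxy cartridge is current.
SAMPLE_RPM_OUTPUT = [
    "haproxy15side 1.5.4-1.el6op",
    "openshift-origin-cartridge-haproxy 1.31.4.1-1.el6op",
    "openshift-origin-node-util 1.38.3.2-1.el6op",
]
```

Packages not named in the advisory are ignored, so the check reports only the builds this errata replaces.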
7. References:
https://access.redhat.com/security/cve/CVE-2015-3281
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce