
Red Hat Security Advisory 2015-2666-01
Posted Dec 17, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-2666-01 - OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service solution designed for on-premise or private cloud deployments. The following security issue is addressed with this release: An implementation error related to the memory management of requests and responses was found within HAProxy's buffer_slow_realign() function. An unauthenticated remote attacker could use this flaw to leak certain memory buffer contents from a past request or session.

tags | advisory, remote
systems | linux, redhat
advisories | CVE-2015-3281
SHA-256 | c4327e8c7d421a0cbc4ff37663cdff357f709ac3ab9cbc77ba10759b1555132d


=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat OpenShift Enterprise 2.2.8 security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2666-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2666.html
Issue date: 2015-12-17
CVE Names: CVE-2015-3281
=====================================================================

1. Summary:

Red Hat OpenShift Enterprise release 2.2.8, which fixes one security
issue, several bugs, and introduces feature enhancements, is now
available.

Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHOSE Client 2.2 - noarch
RHOSE Infrastructure 2.2 - noarch
RHOSE JBoss EAP add-on 2.2 - noarch
RHOSE Node 2.2 - noarch, x86_64

3. Description:

OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or
private cloud deployments.

The following security issue is addressed with this release:

An implementation error related to the memory management of requests
and responses was found within HAProxy's buffer_slow_realign()
function. An unauthenticated remote attacker could use this flaw
to leak certain memory buffer contents from a past request or
session. (CVE-2015-3281)

Space precludes documenting all of the bug fixes in this advisory. See
the OpenShift Enterprise Technical Notes, which will be updated
shortly for release 2.2.8, for details about these changes:

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Technical_Notes/index.html

All OpenShift Enterprise 2 users are advised to upgrade to these updated
packages.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

See the OpenShift Enterprise 2.2 Release Notes, which will be updated
shortly for release 2.2.8, for important instructions on how to fully
apply this asynchronous errata update:

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/2.2_Release_Notes/index.html#chap-Asynchronous_Errata_Updates

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at:
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1045226 - oo-auto-idler man page incorrect
1054441 - oo-accept-node should test that BROKER_HOST is consistent
1064039 - RFE oo-diagnostics should report when node auth is failing (401 Unauthorized)
1101973 - oo-diagnostics tools is checking a non-existing dir after update ose-2.0 GA to ose-2.0.z puddle + RHSCL-1.1
1110415 - `oo-admin-broker-cache --clear --console` does not warn that --console flag does nothing
1111501 - REPORT_BUILD_ANALYTICS should be set to false by default
1111598 - oo-admin-chk gives bad advice to users when gears do not exist on the node.
1139608 - rhc snapshot save different app with the same name in the same dir didn't prompt conflict information
1140766 - oo-admin-ctl-district doesn't suggest FQDN for -i in -h output
1155003 - Should prompt correct and important parameter information when use none or error parameter in "rhc server add" command
1177753 - Enable a configuration in rhc to use a different ssh executable
1211526 - HAProxy does not restart when pid is not found
1218872 - rhc setup fail during upload sshkey
1238305 - [RFE] gear-placement plugin domain_id as input data
1239072 - CVE-2015-3281 haproxy: information leak in buffer_slow_realign()
1241675 - [RFE] Check for missing openshift_application_aliases components f5-icontrol-rest.rb
1248439 - Routing SPI for Nginx doesn't preserve host in http request's headers
1255426 - API Call to disable HA does not remove 2nd haproxy head gear
1264722 - oo-register-dns shows erros with any option
1265609 - pandas not getting installed
1268080 - ChangeMembersDomainOp are not cleared by oo-admin-clear-pending-ops
1270660 - Haproxy health check should be in sync with rolling updates in EWS
1271338 - oo-restorecon -v -a does not add selinux MCS labels to files under hidden directory
1272195 - oo-admin-ctl-app -c remove-gear , ignores min scale setting
1277695 - hostname regex fails in update-cluster in some locales
1280438 - haproxy_ctld error on a close-to-quota gear
1282520 - Routing-daemon does not create the openshift_application_aliases policy
1282940 - Exception log output when using rhc app ssh "--ssh option" with exist directory

6. Package List:

RHOSE Client 2.2:

Source:
rhc-1.38.4.5-1.el6op.src.rpm

noarch:
rhc-1.38.4.5-1.el6op.noarch.rpm

RHOSE Infrastructure 2.2:

Source:
openshift-enterprise-upgrade-2.2.8-1.el6op.src.rpm
openshift-origin-broker-util-1.37.4.2-1.el6op.src.rpm
rubygem-openshift-origin-common-1.29.4.1-1.el6op.src.rpm
rubygem-openshift-origin-controller-1.38.4.2-1.el6op.src.rpm
rubygem-openshift-origin-routing-daemon-0.26.4.4-1.el6op.src.rpm

noarch:
openshift-enterprise-release-2.2.8-1.el6op.noarch.rpm
openshift-enterprise-upgrade-broker-2.2.8-1.el6op.noarch.rpm
openshift-enterprise-yum-validator-2.2.8-1.el6op.noarch.rpm
openshift-origin-broker-util-1.37.4.2-1.el6op.noarch.rpm
rubygem-openshift-origin-common-1.29.4.1-1.el6op.noarch.rpm
rubygem-openshift-origin-controller-1.38.4.2-1.el6op.noarch.rpm
rubygem-openshift-origin-routing-daemon-0.26.4.4-1.el6op.noarch.rpm

RHOSE JBoss EAP add-on 2.2:

Source:
openshift-origin-cartridge-jbosseap-2.27.3.1-1.el6op.src.rpm

noarch:
openshift-origin-cartridge-jbosseap-2.27.3.1-1.el6op.noarch.rpm

RHOSE Node 2.2:

Source:
haproxy15side-1.5.4-2.el6op.src.rpm
openshift-enterprise-upgrade-2.2.8-1.el6op.src.rpm
openshift-origin-cartridge-haproxy-1.31.4.1-1.el6op.src.rpm
openshift-origin-cartridge-jbossews-1.35.3.2-1.el6op.src.rpm
openshift-origin-cartridge-python-1.34.1.1-1.el6op.src.rpm
openshift-origin-node-util-1.38.5.1-1.el6op.src.rpm
rubygem-openshift-origin-common-1.29.4.1-1.el6op.src.rpm
rubygem-openshift-origin-node-1.38.4.1-1.el6op.src.rpm

noarch:
openshift-enterprise-release-2.2.8-1.el6op.noarch.rpm
openshift-enterprise-upgrade-node-2.2.8-1.el6op.noarch.rpm
openshift-enterprise-yum-validator-2.2.8-1.el6op.noarch.rpm
openshift-origin-cartridge-haproxy-1.31.4.1-1.el6op.noarch.rpm
openshift-origin-cartridge-jbossews-1.35.3.2-1.el6op.noarch.rpm
openshift-origin-cartridge-python-1.34.1.1-1.el6op.noarch.rpm
openshift-origin-node-util-1.38.5.1-1.el6op.noarch.rpm
rubygem-openshift-origin-common-1.29.4.1-1.el6op.noarch.rpm
rubygem-openshift-origin-node-1.38.4.1-1.el6op.noarch.rpm

x86_64:
haproxy15side-1.5.4-2.el6op.x86_64.rpm
haproxy15side-debuginfo-1.5.4-2.el6op.x86_64.rpm
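A check a node administrator could run against this errata's RHOSE Node 2.2 package list, as an added example that is not Red Hat's code or part of the advisory: it compares `rpm -qa` output with the fixed version-release strings above using a simplified rpmvercmp. The sample output and its pre-errata release numbers are constructed, not taken from the page.

```python
import re
# Fixed version-release per package, from the RHOSE Node 2.2 list in RHSA-2015:2666-01.
FIXED = {
    "haproxy15side": "1.5.4-2.el6op",
    "openshift-origin-cartridge-haproxy": "1.31.4.1-1.el6op",
    "openshift-origin-node-util": "1.38.5.1-1.el6op",
    "rubygem-openshift-origin-node": "1.38.4.1-1.el6op",
}

# Constructed sample of `rpm -qa` output; the pre-errata releases are assumed, not from the page.
SAMPLE_RPM_QA = """\
haproxy15side-1.5.4-1.el6op.x86_64
openshift-origin-cartridge-haproxy-1.31.4.1-1.el6op.noarch
openshift-origin-node-util-1.38.4.2-1.el6op.noarch
rubygem-openshift-origin-node-1.38.4.1-1.el6op.noarch
bash-4.1.2-33.el6.x86_64
"""

_SEG = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpmvercmp (no epoch or '~' handling): digits compare as integers and outrank letters."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1   # "4" is newer than "rc"
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments mean newer

def evr_cmp(vr_a, vr_b):
    """Compare 'version-release' strings: the version decides, then the release."""
    va, ra = vr_a.rsplit("-", 1)
    vb, rb = vr_b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def vulnerable_packages(rpm_qa_output):
    """Return (name, installed, fixed) for packages older than the errata versions."""
    findings = []
    for nvra in rpm_qa_output.split():
        nvr = nvra.rsplit(".", 1)[0]             # strip ".x86_64" / ".noarch" if present
        name, ver, rel = nvr.rsplit("-", 2)      # name may itself contain dashes
        fixed = FIXED.get(name)
        if fixed and evr_cmp(ver + "-" + rel, fixed) < 0:
            findings.append((name, ver + "-" + rel, fixed))
    return findings
```

Feed it real output with `vulnerable_packages(subprocess.check_output(["rpm", "-qa"], text=True))`. Epoch and '~' are not handled, so treat it as a triage aid rather than a replacement for yum's own comparison.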

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-3281
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce