-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.6.1 package security update Advisory ID: RHSA-2020:4297-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2020:4297 Issue date: 2020-10-27 CVE Names: CVE-2019-16541 CVE-2020-2252 CVE-2020-2254 CVE-2020-2255 CVE-2020-8564 CVE-2020-14040 CVE-2020-14370 CVE-2020-16845 ==================================================================== 1. Summary: An update for jenkins-2-plugins, openshift-clients, podman, runc, and skopeo is now available for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 4.6 - noarch, ppc64le, s390x, x86_64 3. Description: The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes. The runC tool is a lightweight, portable implementation of the Open Container Format (OCF) that provides container runtime. The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files. Security Fix(es): * jenkins-jira-plugin: plugin information disclosure (CVE-2019-16541) * jenkins-2-plugins/mailer: Missing hostname validation in Mailer Plugin could result in MITM (CVE-2020-2252) * jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean Plugin could allow to read arbitrary files (CVE-2020-2254) * jenkins-2-plugins/blueocean: Blue Ocean Plugin does not perform permission checks in several HTTP endpoints implementing connection tests. (CVE-2020-2255) * kubernetes: Docker config secrets leaked when file is malformed and loglevel >= 4 (CVE-2020-8564) * golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040) * podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API (CVE-2020-14370) * golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html. 5. Bugs fixed (https://bugzilla.redhat.com/): 1819663 - CVE-2019-16541 jenkins-jira-plugin: plugin information disclosure 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash 1867099 - CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs 1874268 - CVE-2020-14370 podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API 1880454 - CVE-2020-2252 jenkins-2-plugins/mailer: Missing hostname validation in Mailer Plugin could result in MITM 1880456 - CVE-2020-2254 jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean Plugin could allow to read arbitrary files 1880460 - CVE-2020-2255 jenkins-2-plugins/blueocean: Blue Ocean Plugin does not perform permission checks in several HTTP endpoints implementing connection tests. 1886637 - CVE-2020-8564 kubernetes: Docker config secrets leaked when file is malformed and loglevel >= 4 6. Package List: Red Hat OpenShift Container Platform 4.6: Source: openshift-clients-4.6.0-202010081244.p0.git.3794.4743d24.el7.src.rpm runc-1.0.0-81.rhaos4.6.git5b757d4.el7.src.rpm x86_64: openshift-clients-4.6.0-202010081244.p0.git.3794.4743d24.el7.x86_64.rpm openshift-clients-redistributable-4.6.0-202010081244.p0.git.3794.4743d24.el7.x86_64.rpm runc-1.0.0-81.rhaos4.6.git5b757d4.el7.x86_64.rpm runc-debuginfo-1.0.0-81.rhaos4.6.git5b757d4.el7.x86_64.rpm Red Hat OpenShift Container Platform 4.6: Source: jenkins-2-plugins-4.6.1601368321-1.el8.src.rpm openshift-clients-4.6.0-202010081244.p0.git.3794.4743d24.el8.src.rpm podman-1.9.3-3.rhaos4.6.el8.src.rpm runc-1.0.0-81.rhaos4.6.git5b757d4.el8.src.rpm skopeo-1.1.1-2.rhaos4.6.el8.src.rpm noarch: jenkins-2-plugins-4.6.1601368321-1.el8.noarch.rpm podman-docker-1.9.3-3.rhaos4.6.el8.noarch.rpm ppc64le: containers-common-1.1.1-2.rhaos4.6.el8.ppc64le.rpm openshift-clients-4.6.0-202010081244.p0.git.3794.4743d24.el8.ppc64le.rpm podman-1.9.3-3.rhaos4.6.el8.ppc64le.rpm podman-debuginfo-1.9.3-3.rhaos4.6.el8.ppc64le.rpm podman-debugsource-1.9.3-3.rhaos4.6.el8.ppc64le.rpm podman-remote-1.9.3-3.rhaos4.6.el8.ppc64le.rpm podman-remote-debuginfo-1.9.3-3.rhaos4.6.el8.ppc64le.rpm podman-tests-1.9.3-3.rhaos4.6.el8.ppc64le.rpm runc-1.0.0-81.rhaos4.6.git5b757d4.el8.ppc64le.rpm runc-debuginfo-1.0.0-81.rhaos4.6.git5b757d4.el8.ppc64le.rpm runc-debugsource-1.0.0-81.rhaos4.6.git5b757d4.el8.ppc64le.rpm skopeo-1.1.1-2.rhaos4.6.el8.ppc64le.rpm skopeo-debuginfo-1.1.1-2.rhaos4.6.el8.ppc64le.rpm skopeo-debugsource-1.1.1-2.rhaos4.6.el8.ppc64le.rpm skopeo-tests-1.1.1-2.rhaos4.6.el8.ppc64le.rpm s390x: containers-common-1.1.1-2.rhaos4.6.el8.s390x.rpm openshift-clients-4.6.0-202010081244.p0.git.3794.4743d24.el8.s390x.rpm podman-1.9.3-3.rhaos4.6.el8.s390x.rpm podman-debuginfo-1.9.3-3.rhaos4.6.el8.s390x.rpm podman-debugsource-1.9.3-3.rhaos4.6.el8.s390x.rpm podman-remote-1.9.3-3.rhaos4.6.el8.s390x.rpm podman-remote-debuginfo-1.9.3-3.rhaos4.6.el8.s390x.rpm podman-tests-1.9.3-3.rhaos4.6.el8.s390x.rpm runc-1.0.0-81.rhaos4.6.git5b757d4.el8.s390x.rpm runc-debuginfo-1.0.0-81.rhaos4.6.git5b757d4.el8.s390x.rpm runc-debugsource-1.0.0-81.rhaos4.6.git5b757d4.el8.s390x.rpm skopeo-1.1.1-2.rhaos4.6.el8.s390x.rpm skopeo-debuginfo-1.1.1-2.rhaos4.6.el8.s390x.rpm skopeo-debugsource-1.1.1-2.rhaos4.6.el8.s390x.rpm skopeo-tests-1.1.1-2.rhaos4.6.el8.s390x.rpm x86_64: containers-common-1.1.1-2.rhaos4.6.el8.x86_64.rpm openshift-clients-4.6.0-202010081244.p0.git.3794.4743d24.el8.x86_64.rpm openshift-clients-redistributable-4.6.0-202010081244.p0.git.3794.4743d24.el8.x86_64.rpm podman-1.9.3-3.rhaos4.6.el8.x86_64.rpm podman-debuginfo-1.9.3-3.rhaos4.6.el8.x86_64.rpm podman-debugsource-1.9.3-3.rhaos4.6.el8.x86_64.rpm podman-remote-1.9.3-3.rhaos4.6.el8.x86_64.rpm podman-remote-debuginfo-1.9.3-3.rhaos4.6.el8.x86_64.rpm podman-tests-1.9.3-3.rhaos4.6.el8.x86_64.rpm runc-1.0.0-81.rhaos4.6.git5b757d4.el8.x86_64.rpm runc-debuginfo-1.0.0-81.rhaos4.6.git5b757d4.el8.x86_64.rpm runc-debugsource-1.0.0-81.rhaos4.6.git5b757d4.el8.x86_64.rpm skopeo-1.1.1-2.rhaos4.6.el8.x86_64.rpm skopeo-debuginfo-1.1.1-2.rhaos4.6.el8.x86_64.rpm skopeo-debugsource-1.1.1-2.rhaos4.6.el8.x86_64.rpm skopeo-tests-1.1.1-2.rhaos4.6.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-16541 https://access.redhat.com/security/cve/CVE-2020-2252 https://access.redhat.com/security/cve/CVE-2020-2254 https://access.redhat.com/security/cve/CVE-2020-2255 https://access.redhat.com/security/cve/CVE-2020-8564 https://access.redhat.com/security/cve/CVE-2020-14040 https://access.redhat.com/security/cve/CVE-2020-14370 https://access.redhat.com/security/cve/CVE-2020-16845 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX5g1FNzjgjWX9erEAQhfKw/9HZ8kEz+eUKyypH7luedo+O5zm0Ocins5 iDsPll+InM9WF/zQE/VFbu0EZYGqCjkjKdwyNq30tRdZIJVrjd68yKmRwgwdmjHO Xy6JGd9wAG0DadkvIuCqdy+Q0gqHJt7+YiVRaya8/lBAWCtKPdhIyPEEZ90/Fe5q JW62U57KAt+xVMtLSTcEo8JnCmXxiTceNwIErUtkoKhfD1pEHk7QPYM2qhNzIVrk 1gA5GR0U1cFuHxf+pZAFlosNQZ/xHmTn8ezJR04KbpZL/3XVRGkk4+V595MPbzRQ Ve8rFQVEmD+mvCGLmNFy8SmHiAGSYDtncin3NVyblqgt989+617CjWsSZBV4x5f0 K77VqZU4ZuDPR6hgQ3vCi1xQz4V0DXL5uf1VrYzcLseoZ4j09S7DQ38XJrf4o7kR kHZwyYNaEsQUEOIoSgr4Bdk9XuTXFA/wjOc6fhg8W+RHpTX8tw+grnATW/zUyFSt n9nQ8l2XIlHz9gP0kI8qWoDfawcVkObECMrxyP4GWllia18X3QoIwUtpFrxRcDty pYFX8c1HtXKWnA4AZmeU1YYWNe52zpIp5Ga9aFoxD/l89JsJb2ia5Xwz7qNqOQv0 Fk3zszYHJfqDNWjWNJ2Q85IOND5HxkY6DwGObPY7SDXc9oVRDRuPwL/RyNbgSZtC 2BBNMjU4USI=S1NZ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce