-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: ansible and openshift-ansible security and bug
 fix update
Advisory ID:       RHSA-2017:0448-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:0448
Issue date:        2017-03-06
CVE Names:         CVE-2016-9587 
=====================================================================

1. Summary:

An update for ansible and openshift-ansible is now available for Red Hat
OpenShift Container Platform 3.2, Red Hat OpenShift Container Platform 3.3,
and Red Hat OpenShift Container Platform 3.4.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.2 - noarch
Red Hat OpenShift Container Platform 3.3 - noarch
Red Hat OpenShift Container Platform 3.4 - noarch

3. Description:

Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

Ansible is a SSH-based configuration management, deployment, and task
execution system. The openshift-ansible packages contain Ansible code and
playbooks for installing and upgrading OpenShift Container Platform 3.

Security Fix(es):

* An input validation vulnerability was found in Ansible's handling of data
sent from client systems. An attacker with control over a client system
being managed by Ansible and the ability to send facts back to the Ansible
server could use this flaw to execute arbitrary code on the Ansible server
using the Ansible server privileges. (CVE-2016-9587)

Bug Fix(es):

Space precludes documenting all of the non-security bug fixes in this
advisory. See the relevant OpenShift Container Platform Release Notes
linked to in the References section, which will be updated shortly for this
release.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.
 
To apply this update, run the following on all hosts where you intend to
initiate Ansible-based installation or upgrade procedures:

# yum update atomic-openshift-utils

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1379189 - [3.2] ansible sometimes gets UNREACHABLE error after iptables
 restarted
1388016 - [3.3] The insecure-registry address was removed during upgrade
1389263 - [3.4] the summary of json report should include total/ok number after
 certificate expiry check
1393000 - [3.3] Ansible upgrade from 3.2 to 3.3 fails
1404378 - CVE-2016-9587 Ansible: Compromised remote hosts can lead to running
 commands on the Ansible controller
1414276 - [3.3] Installer is failing when `ansible_user` is set to Windows
 Login which requires dom\user format
1415067 - [3.2]Installer should persist net.ipv4.ip_forward
1416926 - [3.3] ansible sometimes gets UNREACHABLE error after iptables
 restarted
1416927 - [3.4] ansible sometimes gets UNREACHABLE error after iptables
 restarted
1417680 - [3.2] Backport openshift_certificate_expiry role
1417681 - [3.4] Backport openshift_certificate_expiry role
1417682 - [3.3] Backport openshift_certificate_expiry role
1419493 - [3.4] Installer pulls in 3.3 registry-console image
1419533 - [3.2]Installation on node failed when creating node config
1419654 - [3.4] Containerized advanced installation fails due to missing CA
 certificate /etc/origin/master/ca.crt
1420393 - [3.4] conntrack executable not found on $PATH during cluster
 horizontal run
1420395 - [3.3] conntrack executable not found on $PATH during cluster
 horizontal run
1421053 - [quick installer 3.4] quick installer failed due to a python method
 failure
1421059 - [quick installer 3.2]quick installer failed due to a python method
 failure
1421061 - [quick installer 3.3]quick installer failed due to a python method
 failure
1421860 - [3.4] Metrics Resolution of Heapster Image Should be 30s to Match
 cAdvisor
1422361 - [3.4] Advanced installer fails if python-six not available
1426705 - [3.4] Installer is failing when `ansible_user` is set to Windows
 Login which requires dom\user format

6. Package List:

Red Hat OpenShift Container Platform 3.2:

Source:
ansible-2.2.1.0-2.el7.src.rpm
openshift-ansible-3.2.53-1.git.0.2fefc17.el7.src.rpm

noarch:
ansible-2.2.1.0-2.el7.noarch.rpm
atomic-openshift-utils-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-docs-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-filter-plugins-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-playbooks-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-roles-3.2.53-1.git.0.2fefc17.el7.noarch.rpm

Red Hat OpenShift Container Platform 3.3:

Source:
ansible-2.2.1.0-2.el7.src.rpm
openshift-ansible-3.3.67-1.git.0.7c5da0c.el7.src.rpm

noarch:
ansible-2.2.1.0-2.el7.noarch.rpm
atomic-openshift-utils-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-callback-plugins-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-docs-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-filter-plugins-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-playbooks-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-roles-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm

Red Hat OpenShift Container Platform 3.4:

Source:
ansible-2.2.1.0-2.el7.src.rpm
openshift-ansible-3.4.67-1.git.0.14a0b4d.el7.src.rpm

noarch:
ansible-2.2.1.0-2.el7.noarch.rpm
atomic-openshift-utils-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-callback-plugins-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-docs-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-filter-plugins-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-playbooks-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-roles-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-9587
https://access.redhat.com/security/updates/classification/#important
https://docs.openshift.com/enterprise/3.2/release_notes/ose_3_2_release_notes.html
https://docs.openshift.com/container-platform/3.3/release_notes/ocp_3_3_release_notes.html
https://docs.openshift.com/container-platform/3.4/release_notes/ocp_3_4_release_notes.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYvZOvXlSAg2UNWIIRAtBgAKC/a5j2ToXiQ4uD9JYy2bMKYn+9JwCeL4nh
A7ntVFTpJOYbu3M9BeVZGqk=
=mgid
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list