-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: ansible and openshift-ansible security and bug fix update
Advisory ID:       RHSA-2017:0448-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:0448
Issue date:        2017-03-06
CVE Names:         CVE-2016-9587
=====================================================================

1. Summary:

An update for ansible and openshift-ansible is now available for Red Hat
OpenShift Container Platform 3.2, Red Hat OpenShift Container Platform 3.3,
and Red Hat OpenShift Container Platform 3.4.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.2 - noarch
Red Hat OpenShift Container Platform 3.3 - noarch
Red Hat OpenShift Container Platform 3.4 - noarch

3. Description:

Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

Ansible is an SSH-based configuration management, deployment, and task
execution system. The openshift-ansible packages contain Ansible code and
playbooks for installing and upgrading OpenShift Container Platform 3.

Security Fix(es):

* An input validation vulnerability was found in Ansible's handling of data
sent from client systems. An attacker with control over a client system
being managed by Ansible and the ability to send facts back to the Ansible
server could use this flaw to execute arbitrary code on the Ansible server
using the Ansible server privileges. (CVE-2016-9587)

Bug Fix(es):

Space precludes documenting all of the non-security bug fixes in this
advisory. See the relevant OpenShift Container Platform Release Notes linked
to in the References section, which will be updated shortly for this
release.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To apply this update, run the following on all hosts where you intend to
initiate Ansible-based installation or upgrade procedures:

# yum update atomic-openshift-utils

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at:
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1379189 - [3.2] ansible sometimes gets UNREACHABLE error after iptables restarted
1388016 - [3.3] The insecure-registry address was removed during upgrade
1389263 - [3.4] the summary of json report should include total/ok number after certificate expiry check
1393000 - [3.3] Ansible upgrade from 3.2 to 3.3 fails
1404378 - CVE-2016-9587 Ansible: Compromised remote hosts can lead to running commands on the Ansible controller
1414276 - [3.3] Installer is failing when `ansible_user` is set to Windows Login which requires dom\user format
1415067 - [3.2] Installer should persist net.ipv4.ip_forward
1416926 - [3.3] ansible sometimes gets UNREACHABLE error after iptables restarted
1416927 - [3.4] ansible sometimes gets UNREACHABLE error after iptables restarted
1417680 - [3.2] Backport openshift_certificate_expiry role
1417681 - [3.4] Backport openshift_certificate_expiry role
1417682 - [3.3] Backport openshift_certificate_expiry role
1419493 - [3.4] Installer pulls in 3.3 registry-console image
1419533 - [3.2] Installation on node failed when creating node config
1419654 - [3.4] Containerized advanced installation fails due to missing CA certificate /etc/origin/master/ca.crt
1420393 - [3.4] conntrack executable not found on $PATH during cluster horizontal run
1420395 - [3.3] conntrack executable not found on $PATH during cluster horizontal run
1421053 - [quick installer 3.4] quick installer failed due to a python method failure
1421059 - [quick installer 3.2] quick installer failed due to a python method failure
1421061 - [quick installer 3.3] quick installer failed due to a python method failure
1421860 - [3.4] Metrics Resolution of Heapster Image Should be 30s to Match cAdvisor
1422361 - [3.4] Advanced installer fails if python-six not available
1426705 - [3.4] Installer is failing when `ansible_user` is set to Windows Login which requires dom\user format

6. Package List:

Red Hat OpenShift Container Platform 3.2:

Source:
ansible-2.2.1.0-2.el7.src.rpm
openshift-ansible-3.2.53-1.git.0.2fefc17.el7.src.rpm

noarch:
ansible-2.2.1.0-2.el7.noarch.rpm
atomic-openshift-utils-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-docs-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-filter-plugins-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-playbooks-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-roles-3.2.53-1.git.0.2fefc17.el7.noarch.rpm

Red Hat OpenShift Container Platform 3.3:

Source:
ansible-2.2.1.0-2.el7.src.rpm
openshift-ansible-3.3.67-1.git.0.7c5da0c.el7.src.rpm

noarch:
ansible-2.2.1.0-2.el7.noarch.rpm
atomic-openshift-utils-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-callback-plugins-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-docs-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-filter-plugins-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-playbooks-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-roles-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm

Red Hat OpenShift Container Platform 3.4:

Source:
ansible-2.2.1.0-2.el7.src.rpm
openshift-ansible-3.4.67-1.git.0.14a0b4d.el7.src.rpm

noarch:
ansible-2.2.1.0-2.el7.noarch.rpm
atomic-openshift-utils-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-callback-plugins-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-docs-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-filter-plugins-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-playbooks-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-roles-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-9587
https://access.redhat.com/security/updates/classification/#important
https://docs.openshift.com/enterprise/3.2/release_notes/ose_3_2_release_notes.html
https://docs.openshift.com/container-platform/3.3/release_notes/ocp_3_3_release_notes.html
https://docs.openshift.com/container-platform/3.4/release_notes/ocp_3_4_release_notes.html

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYvZOvXlSAg2UNWIIRAtBgAKC/a5j2ToXiQ4uD9JYy2bMKYn+9JwCeL4nh
A7ntVFTpJOYbu3M9BeVZGqk=
=mgid
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
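The Solution section says to run `yum update atomic-openshift-utils` on every host that initiates Ansible-based installs or upgrades, and the Package List gives the builds that carry the CVE-2016-9587 fix. A practitioner auditing a fleet wants to confirm those builds actually landed. The following is an added example, not Red Hat tooling and not part of the advisory: it takes `rpm -qa` style `name-version-release.arch` lines, compares the installed ansible and atomic-openshift-utils builds against the fixed versions quoted in the advisory, and reports which hosts still run an older build. The version ordering is a simplified re-implementation of rpm's comparison (no epoch, no tilde/caret handling), and the sample listings are constructed, including an invented git hash for the unpatched 3.4 build.

```python
"""Check rpm -qa output against the fixed builds listed in RHSA-2017:0448.
Added example, not Red Hat tooling.  Fixed versions come from the advisory's
Package List; the comparison is a simplified rpmvercmp (no epoch, no tilde)."""
import re

# Fixed (version, release) pairs from the advisory.  atomic-openshift-utils
# is keyed by OCP release stream because each stream shipped its own build.
FIXED_ANSIBLE = ("2.2.1.0", "2.el7")
FIXED_UTILS = {
    "3.2": ("3.2.53", "1.git.0.2fefc17.el7"),
    "3.3": ("3.3.67", "1.git.0.7c5da0c.el7"),
    "3.4": ("3.4.67", "1.git.0.14a0b4d.el7"),
}


def _segments(s):
    # rpm compares runs of digits and runs of letters; everything else separates.
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 ordering a against b the way rpm orders version
    strings (simplified: the tilde/caret rules are omitted)."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)      # numeric compare, so "10" sorts after "9"
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():
            return 1                     # a numeric segment is newer than an alpha one
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1   # the string with segments left over is newer


def vr_cmp(vr_a, vr_b):
    """Compare (version, release) pairs: version first, release breaks ties."""
    c = rpmvercmp(vr_a[0], vr_b[0])
    return c if c else rpmvercmp(vr_a[1], vr_b[1])


def parse_nvra(line):
    """Split 'name-version-release.arch' into (name, version, release).
    Package names may contain hyphens, so split from the right."""
    nvr, _arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def check_host(rpm_qa_lines):
    """Return {package: 'fixed' | 'vulnerable' | 'unknown-stream'} for the two
    packages the advisory updates; other packages in the listing are ignored."""
    results = {}
    for line in rpm_qa_lines:
        if not line.strip():
            continue
        name, version, release = parse_nvra(line)
        if name == "ansible":
            fixed = FIXED_ANSIBLE
        elif name == "atomic-openshift-utils":
            stream = ".".join(version.split(".")[:2])   # "3.4.50" -> "3.4"
            fixed = FIXED_UTILS.get(stream)
            if fixed is None:
                results[name] = "unknown-stream"        # stream not covered by this advisory
                continue
        else:
            continue
        results[name] = "fixed" if vr_cmp((version, release), fixed) >= 0 else "vulnerable"
    return results


# Constructed sample listings (not real hosts).  The 3.4 utils build below
# carries an invented git hash; only the version number matters for the check.
UNPATCHED_HOST = """
ansible-2.2.0.0-4.el7.noarch
atomic-openshift-utils-3.4.50-1.git.0.0000000.el7.noarch
python-six-1.9.0-2.el7.noarch
""".splitlines()

PATCHED_HOST = """
ansible-2.2.1.0-2.el7.noarch
atomic-openshift-utils-3.3.67-1.git.0.7c5da0c.el7.noarch
""".splitlines()

if __name__ == "__main__":
    for label, lines in (("unpatched", UNPATCHED_HOST), ("patched", PATCHED_HOST)):
        print(label, check_host(lines))
```

Feed it the output of `rpm -qa ansible atomic-openshift-utils` collected from each controller host; a build that is equal to or newer than the advisory's version counts as fixed, and a release-only difference (for example `2.2.1.0-1.el7` against the fixed `2.2.1.0-2.el7`) is still reported as vulnerable because the release field is compared after the version field, as rpm does.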