-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 3.11 jenkins security update
Advisory ID:       RHSA-2019:3144-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3144
Issue date:        2019-10-18
CVE Names:         CVE-2019-10383 CVE-2019-10384
====================================================================
1. Summary:

An update for jenkins is now available for Red Hat OpenShift Container
Platform 3.11.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.11 - noarch

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by CRON.

This advisory contains the updated jenkins RPM package for Red Hat
OpenShift Container Platform 3.11.

Security Fix(es):

* jenkins: CSRF protection tokens for anonymous users did not expire in
some circumstances (CVE-2019-10384)

* jenkins: stored cross-site scripting in update center web pages
(CVE-2019-10383)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

See the following documentation,which will be updated shortly for this
release, for important instructions on how to upgrade your cluster and
fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r
elease_notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1747293 - CVE-2019-10383 jenkins: stored cross-site scripting in update center web pages (SECURITY-1453)
1747297 - CVE-2019-10384 jenkins: CSRF protection tokens for anonymous users did not expire in some circumstances (SECURITY-1491)

6. Package List:

Red Hat OpenShift Container Platform 3.11:

Source:
jenkins-2.176.3.1569349414-1.el7.src.rpm

noarch:
jenkins-2.176.3.1569349414-1.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10383
https://access.redhat.com/security/cve/CVE-2019-10384
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXakXHdzjgjWX9erEAQhn0A/+JJ3WhLWybA6vJKFH0EUestKoZy077T8H
g25MA52Q828CaKEgRd1XDrwNwQRnis2NKXPwOB0Ri1DEIwd/vvfr0EqO2nzBgiE3
LnCvNHEZY+cYdJ/4x4mlGgWxPIP/1pcWT3JjD8E++evLxhbcsiRsAJF4We2sEuj8
AF/xQPbcvEOmzxrMnxbZv6owWPkpCvu+CbobTI8QPJONY0jq25VAMtMtllq3CaoP
3aTJa6+Ef625JteEghzwfs7jfQRelxgAU4QEAYVl1ikJHgIKUunKq9kDVeH0gJdX
B0Cko9KNXSrJu2I9RTbYKCRZ0Bv/tZSwhmiVBfiNet62t6wwVNaCu49caCOTYmqu
HEDLXsMUNzNLSE9a72pV7R+rjzLOM+N9urtq01VJNhCa7dIIWi8jPoQvakZFAq08
igl+hXrw+ChXNKiFfXEafgkvxzFsi3/r0n5Orqr/y3Qg7wm38qDCKGJOv3NCjsLi
eQWIo5YBjYu79F2YsRd3AFGGifb4i4m5aPDSs6e+kz+gG0b3ZJUC6BVH2JaZjSkl
6bcY7wfa6csl0ObSbppiJCffIol3Y4hAc1bwYdqRxLHdhgpQVushUWVLzfY4WUgC
FQgQLxjRFvhMnCyt64ggDK2df+bIZQEsa1Tl02H/8LoLoIlqL7K2KqgZwifQVIyH
QRSGnbshdEE=MWPj
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce