-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat OpenShift Container Platform 3.10 security and bug fix update Advisory ID: RHSA-2018:2709-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2018:2709 Issue date: 2018-11-11 CVE Names: CVE-2018-14632 ==================================================================== 1. Summary: Red Hat OpenShift Container Platform release 3.10.66 is now available with updates to packages and images that fix several security, bug, and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 3.10 - noarch, ppc64le, x86_64 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.10.66. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2018:2824 Security Fix(es): * atomic-openshift: oc patch with json causes masterapi service crash (CVE-2018-14632) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Lars Haugan for reporting this issue. All OpenShift Container Platform 3.10 users are advised to upgrade to these updated packages and images. Bug Fix(es): * During etcd scaleup, facts about the etcd cluster are required to add new hosts. This bug fix adds the necessary tasks to ensure those facts get set before configuring new hosts, and therefore, allow the scaleup to complete as expected. (BZ#1578482) * Previously, sync pod was not available when the Prometheus install checked for available nodes. As a consequence, if a custom label was used for the Prometheus install to select an appropriate node, the sync pods must have already applied the label to the nodes. Otherwise, the Prometheus installer would not find any nodes with a matching label. This bug fix adds a check to the install process to wait for sync pods to become available before continuing. As a result, the node labeling process will complete, and the nodes will have the correct labels for the Prometheus pod to be scheduled. (BZ#1609019) * This bug fix corrects an issue where a pod is stuck terminating due to I/O errors on a FlexVolume mounted on the XFS file system. (BZ#1626054) * Previously, fluentd generated events internally with the `OneEventStream` class. This class does not have the `empty?` method. The Kubernetes metadata filter used the `empty?` method on the `EventStream` object to avoid processing an empty stream. Fluentd issued error messages about the missing `empty?` method, which overwhelmed container logging and caused disk issues. This bug fix changed the Kubernetes metadata filter only to call the `empty?` method on objects that have this method. As a result, fluentd logs do not contain this message. (BZ#1626552) * RubyGems FFI 1.9.25 reverted a patch which allowed it to work on systems with `SELinux deny_execmem=1`. This reversion caused fluentd to crash. This bug reverts the patch reversion. As a result, fluentd does not crash when using `SELinux deny_execmem=1`. (BZ#1628405) * This bug fix updates the *_redeploy-openshift-ca.yml_* playbook to reference the correct node client certificate file, `node/client-ca.crt`. (BZ#1628546) * The fix for BZ1628371 introduced a poorly built shared library with a missing symbol. This missing symbol caused fluentd to crash with an "undefined symbol: rbffi_Closure_Alloc" error message. This bug fix rebuilds the shared library with the correct symbols. As a result, fluentd does not crash. (BZ#1628798) * Previously, when using Docker with the journald log driver, all container logs, including system and plain Docker container logs, were logged to the journal, and read by fluentd. Fluentd did not know how to handle these non-Kubernetes container logs and threw exceptions. This bug fix treats non-Kubernetes container logs as logs from other system services, for example, sending them to the .operations.* index. As a result, logs from non-Kubernetes containers are indexed correctly and do not cause any errors. (BZ#1632361) 4. Solution: See the release notes documentation for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/3.10/release_notes/ocp_3_10_r elease_notes.html This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258. 5. Bugs fixed (https://bugzilla.redhat.com/): 1577955 - Router pod fails to deploy during installation 1578482 - OCP 3.10: etcd scaleup on CRI-O HA cluster fails with dict object has no attribute etcd_ip error 1594187 - Openshift-on-OpenStack playbook increase watch_retry_timeout for kuryr-cni 1608476 - OpenShift-Ansible ignores oreg_url for registry-console Docker image 1609019 - Prometheus deployment failed due to "No schedulable nodes found matching node selector" but it is not true 1609703 - APP pod unable to start after target port failure in cases where single paths are mounted on APP pods(BZ#1599742) 1614414 - OpenShift 3.10 Missing CA for LDAP Config 1615327 - upgrade fails when restarting nodes object has no attribute status 1619886 - OCP installer provisioning of instances playbook always fails first time running 1623602 - [3.10] installer oreg_url doesn't serve as universal url - needs to 1625885 - CVE-2018-14632 atomic-openshift: oc patch with json causes masterapi service crash 1625911 - Could not find csr for nodes - Bootstrapping task 1626054 - [3.10] Pod stuck in terminating while a volume mounted with flexvolume driver and XFS filesystem 1626552 - [3.10] fluentd pods are running with error logs which makes fill up disk very quickly. 1627764 - master static pod failed to start when LDAP auth is set 1628405 - [3.10] Fluentd pods failed to start after an update to 3.9.41 when deny_execmem=1 on nodes 1628546 - [3.10] Redeploy openshift ca playbook failed 1628798 - [3.10] Fluentd pod crashes with "undefined symbol: rbffi_Closure_Alloc" 1628964 - Could not find csr for node when using cni plugin 1629579 - Image efs-provisioner need to update to ose-efs-provisioner in OCP3.10 1631021 - Fail to atomic pull node image due to docker service was stopped in previous task 1631449 - RBD bind mount on RHEL does not transistively acquire _netdev from original mount 1632361 - [3.10] Fluentd cannot handle S2I Logs 1632418 - iSCSI doesn't give enough time multipathd to create multipath device 1632862 - [3.10] Could not find csr for node when using cni plugin 1632863 - [3.10] upgrade failed at TASK [openshift_node : Approve node certificates when bootstrapping] 1632865 - [3.10] Fail to atomic pull node image due to docker service was stopped in previous task 1633571 - Openshift-on-Openstack uninstall playbook failure in Remove RedHat subscriptions task 1638519 - [3.10] Ability to install a cluster with a mix of Docker and CRI-O nodes 1638521 - [3.10] Upgrade fails at "Set node schedulability" 1638525 - [3.10] Validation of static pod fails due to inconsistent names 1638899 - [3.10] Record is missing kubernetes field when use '--log-driver journald' in /etc/sysconfig/docker 1642052 - [3.10] Registry doesn't honors openshift_additional_ca 6. Package List: Red Hat OpenShift Container Platform 3.10: Source: atomic-enterprise-service-catalog-3.10.66-1.git.1450.b758bdb.el7.src.rpm atomic-openshift-3.10.66-1.git.0.91d1e89.el7.src.rpm atomic-openshift-descheduler-3.10.66-1.git.299.e466391.el7.src.rpm atomic-openshift-dockerregistry-3.10.66-1.git.390.77310f8.el7.src.rpm atomic-openshift-node-problem-detector-3.10.66-1.git.198.2fcf818.el7.src.rpm atomic-openshift-web-console-3.10.66-1.git.389.adbeb58.el7.src.rpm golang-github-prometheus-node_exporter-3.10.66-1.git.1060.f6046fd.el7.src.rpm haproxy-1.8.14-2.el7.src.rpm image-inspector-2.4.0-3.el7.src.rpm openshift-ansible-3.10.66-1.git.0.3c3a83a.el7.src.rpm openshift-enterprise-cluster-capacity-3.10.66-1.git.380.aef3728.el7.src.rpm openshift-monitor-project-lifecycle-3.10.66-1.git.59.57c03d5.el7.src.rpm perl-IO-String-1.08-20.el7.src.rpm python-py-1.4.32-2.el7.src.rpm python-setuptools-17.1.1-4.el7.src.rpm rubygem-ffi-1.9.25-4.el7_5.src.rpm noarch: atomic-openshift-docker-excluder-3.10.66-1.git.0.91d1e89.el7.noarch.rpm atomic-openshift-excluder-3.10.66-1.git.0.91d1e89.el7.noarch.rpm openshift-ansible-3.10.66-1.git.0.3c3a83a.el7.noarch.rpm openshift-ansible-docs-3.10.66-1.git.0.3c3a83a.el7.noarch.rpm openshift-ansible-playbooks-3.10.66-1.git.0.3c3a83a.el7.noarch.rpm openshift-ansible-roles-3.10.66-1.git.0.3c3a83a.el7.noarch.rpm perl-IO-String-1.08-20.el7.noarch.rpm python-py-1.4.32-2.el7.noarch.rpm python-setuptools-17.1.1-4.el7.noarch.rpm ppc64le: atomic-enterprise-service-catalog-3.10.66-1.git.1450.b758bdb.el7.ppc64le.rpm atomic-enterprise-service-catalog-svcat-3.10.66-1.git.1450.b758bdb.el7.ppc64le.rpm atomic-openshift-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm atomic-openshift-clients-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm atomic-openshift-descheduler-3.10.66-1.git.299.e466391.el7.ppc64le.rpm atomic-openshift-dockerregistry-3.10.66-1.git.390.77310f8.el7.ppc64le.rpm atomic-openshift-hyperkube-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm atomic-openshift-hypershift-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm atomic-openshift-master-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm atomic-openshift-node-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm atomic-openshift-node-problem-detector-3.10.66-1.git.198.2fcf818.el7.ppc64le.rpm atomic-openshift-pod-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm atomic-openshift-sdn-ovs-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm atomic-openshift-template-service-broker-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm atomic-openshift-tests-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm atomic-openshift-web-console-3.10.66-1.git.389.adbeb58.el7.ppc64le.rpm haproxy-debuginfo-1.8.14-2.el7.ppc64le.rpm haproxy18-1.8.14-2.el7.ppc64le.rpm image-inspector-2.4.0-3.el7.ppc64le.rpm openshift-enterprise-cluster-capacity-3.10.66-1.git.380.aef3728.el7.ppc64le.rpm openshift-monitor-project-lifecycle-3.10.66-1.git.59.57c03d5.el7.ppc64le.rpm prometheus-node-exporter-3.10.66-1.git.1060.f6046fd.el7.ppc64le.rpm rubygem-ffi-1.9.25-4.el7_5.ppc64le.rpm rubygem-ffi-debuginfo-1.9.25-4.el7_5.ppc64le.rpm x86_64: atomic-enterprise-service-catalog-3.10.66-1.git.1450.b758bdb.el7.x86_64.rpm atomic-enterprise-service-catalog-svcat-3.10.66-1.git.1450.b758bdb.el7.x86_64.rpm atomic-openshift-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm atomic-openshift-clients-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm atomic-openshift-clients-redistributable-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm atomic-openshift-descheduler-3.10.66-1.git.299.e466391.el7.x86_64.rpm atomic-openshift-dockerregistry-3.10.66-1.git.390.77310f8.el7.x86_64.rpm atomic-openshift-hyperkube-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm atomic-openshift-hypershift-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm atomic-openshift-master-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm atomic-openshift-node-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm atomic-openshift-node-problem-detector-3.10.66-1.git.198.2fcf818.el7.x86_64.rpm atomic-openshift-pod-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm atomic-openshift-sdn-ovs-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm atomic-openshift-template-service-broker-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm atomic-openshift-tests-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm atomic-openshift-web-console-3.10.66-1.git.389.adbeb58.el7.x86_64.rpm haproxy-debuginfo-1.8.14-2.el7.x86_64.rpm haproxy18-1.8.14-2.el7.x86_64.rpm image-inspector-2.4.0-3.el7.x86_64.rpm openshift-enterprise-cluster-capacity-3.10.66-1.git.380.aef3728.el7.x86_64.rpm openshift-monitor-project-lifecycle-3.10.66-1.git.59.57c03d5.el7.x86_64.rpm prometheus-node-exporter-3.10.66-1.git.1060.f6046fd.el7.x86_64.rpm rubygem-ffi-1.9.25-4.el7_5.x86_64.rpm rubygem-ffi-debuginfo-1.9.25-4.el7_5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-14632 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW+hbatzjgjWX9erEAQhcGBAAlweGshGT7w4jvXgUC1bZUHdQSMiF+g2D 6rZYMgcL1r6yG5oiNa4jyPmuTh4k76SCTFNKVwUa5CD8jPI/V8KSKKReA2HtsxhF FLp86g3HyQ0X4jeE5i7fsKpgFRv4WJz3UtzM6TvfBOWzYN+dkk0xTGZji/jzeWb4 FRcgmCeYv2H33W0diUgiVpFyOSECqyWsqM6JN2fVUXIF1FM5EaGVRMqWNCRiWzO1 TaCHOhdZJXQR08AQsBYc9xEL3Zq8c32W4tvPNmcS+HBMYd4TLMveXfqlwBE5cOyA A6MFLFSBG7R13h0U8Y7O6YdXeQ8vdMdCU3ExeA1jqgyZs/dc4wisHZRIgYDyVwxO BqRnvdVxwJzTUaWM5AOFqH58V9FBfNJqcy0nq3oL8cYIFUUGvHSachpsx3V7GOOi 4ivl4nraQuxjqsMuLyz4WSpfPB3Od+ca2cCTOSD42zjcmRe6/imUgR6E+EaQQVnI Ckc14PXpFA94QyVDNzBgYT6WepHwZHTn1apMaXNN2kVUYrga+6qiaei+kIobQnzs SGAW3ha5ckbl+bMlsQCErT5BxdsKVSEUdw84VwiEKq0DPM50Fnl8jl7IaXzFeDe8 /+ahdvfZXhfc2PujIAriKPHLci+YJQ/ulnukicK3r/AH5g16HvtRKixd2mjLnOAt sAjCYXTpyvA=aYqe -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce