-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 3.11 security update Advisory ID: RHSA-2020:3541-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2020:3541 Issue date: 2020-08-26 CVE Names: CVE-2019-16541 CVE-2020-1741 CVE-2020-2220 CVE-2020-2221 CVE-2020-2222 CVE-2020-2223 CVE-2020-2224 CVE-2020-2225 CVE-2020-2226 CVE-2020-13757 ==================================================================== 1. Summary: An update for jenkins, jenkins-2-plugins, openshift-ansible, and python-rsa is now available for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 3.11 - noarch 3. Description: Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. The Matrix Project is a module which handles creating Jenkins multi-configuration projects (matrix projects). Matrix Authorization allows configuring the lowest level permissions, such as starting new builds, configuring items, or deleting them, individually. Python-RSA is a RSA implementation in Python. It can be used as a Python library as well as the commandline utility. Ansible is a SSH-based configuration management, deployment, and task execution system. The openshift-ansible packages contain Ansible code and playbooks for installing and upgrading OpenShift Container Platform 3. Security Fix(es): * jenkins: Stored XSS vulnerability in job build time trend (CVE-2020-2220) * jenkins: Stored XSS vulnerability in upstream cause (CVE-2020-2221) * jenkins: Stored XSS vulnerability in 'keep forever' badge icons (CVE-2020-2222) * jenkins: Stored XSS vulnerability in console links (CVE-2020-2223) * jenkins-2-plugins/matrix-project: Stored XSS vulnerability in single axis builds tooltips (CVE-2020-2224) * jenkins-2-plugins/matrix-project: Stored XSS vulnerability in multiple axis builds tooltips (CVE-2020-2225) * jenkins-2-plugins/matrix-auth: Stored XSS vulnerability in Matrix Authorization Strategy Plugin (CVE-2020-2226) * jenkins-jira-plugin: plugin information disclosure (CVE-2019-16541) * python-rsa: decryption of ciphertext leads to DoS (CVE-2020-13757) * openshift-ansible: cors allowed origin allows changing url protocol (CVE-2020-1741) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: See the following documentation, which will be updated shortly for release 3.11.272, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r elease_notes.html This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258. 5. Bugs fixed (https://bugzilla.redhat.com/): 1802381 - CVE-2020-1741 openshift-ansible: cors allowed origin allows changing url protocol 1819663 - CVE-2019-16541 jenkins-jira-plugin: plugin information disclosure 1848507 - CVE-2020-13757 python-rsa: decryption of ciphertext leads to DoS 1857425 - CVE-2020-2220 jenkins: Stored XSS vulnerability in job build time trend 1857427 - CVE-2020-2221 jenkins: Stored XSS vulnerability in upstream cause 1857431 - CVE-2020-2222 jenkins: Stored XSS vulnerability in 'keep forever' badge icons 1857433 - CVE-2020-2223 jenkins: Stored XSS vulnerability in console links 1857436 - CVE-2020-2224 jenkins-2-plugins/matrix-project: Stored XSS vulnerability in single axis builds tooltips 1857439 - CVE-2020-2225 jenkins-2-plugins/matrix-project: Stored XSS vulnerability in multiple axis builds tooltips 1857441 - CVE-2020-2226 jenkins-2-plugins/matrix-auth: Stored XSS vulnerability in Matrix Authorization Strategy Plugin 6. Package List: Red Hat OpenShift Container Platform 3.11: Source: jenkins-2-plugins-3.11.1597310986-1.el7.src.rpm jenkins-2.235.2.1597220898-1.el7.src.rpm openshift-ansible-3.11.272-1.git.0.79ab6e9.el7.src.rpm python-rsa-4.5-2.el7.src.rpm noarch: jenkins-2-plugins-3.11.1597310986-1.el7.noarch.rpm jenkins-2.235.2.1597220898-1.el7.noarch.rpm openshift-ansible-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm openshift-ansible-docs-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm openshift-ansible-playbooks-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm openshift-ansible-roles-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm openshift-ansible-test-3.11.272-1.git.0.79ab6e9.el7.noarch.rpm python2-rsa-4.5-2.el7.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-16541 https://access.redhat.com/security/cve/CVE-2020-1741 https://access.redhat.com/security/cve/CVE-2020-2220 https://access.redhat.com/security/cve/CVE-2020-2221 https://access.redhat.com/security/cve/CVE-2020-2222 https://access.redhat.com/security/cve/CVE-2020-2223 https://access.redhat.com/security/cve/CVE-2020-2224 https://access.redhat.com/security/cve/CVE-2020-2225 https://access.redhat.com/security/cve/CVE-2020-2226 https://access.redhat.com/security/cve/CVE-2020-13757 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX0bmstzjgjWX9erEAQjTQQ//ZxCg3gPCNpNyo3vMDigEgUfso8aPVhAE L/OUqtBiaQYK495J9jwl6ZOtvKIBpzrd12emypAO30LYLbEm3znMqwosPxq7bGfi p8tHJ+KIpKmMLyK5bOWJh9wMJvRYPzuOU/5gFoP0H7NIUw6Z5J/G51g+dnXS1JXi 6/Bs9Ys7v6yrPmI2WBEfKRAsLzpUWJxC8Zi4hkBhVdpjCHNwUM543TAO5mdCrY06 ty1l+rGHEEpFvWCA6+cxs98Gww8ClYilBORmTWaVJa027HUIggg6WInRkKzipqVw FBUmMaHBU88PlJS9esyzaZaeWf29x6Rn5JU6dUx6O9HQ8CuzljybAV2Om/zmZbQ1 K0c6R6AtuIblf2FFOlXlOSBTJOjBn8Uml1kMcsQtBYhUT1ofsNHTPAPM0ds1XMTN fRBmI5792zLIdYuQh1tC2Gn4xlteplGZ6mb2yASVvXjrlMD4phOwzrzvVguNgb7I zxfa6eyC8/FEg+3EdstIAnA9TsX8YHhE6vlzp+m0h68ESV53viTFwG/iCbvCqGaz 8TTfsOSgXLDZAsZkjBOLINqLuDslyP3c8tE8g7QarMBKSNDNGRR/PQYPh7PZ1JKi srdu9BtBBeJwhscxXkqrpwTonvF6IQTgwAsyxW3vItdwmy3Wlewg9aKw2JYkoI0o ZcXmkKaTv2M=Uu+D -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce