-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 3.11.318 jenkins-2-plugins security update Advisory ID: RHSA-2020:5102-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2020:5102 Issue date: 2020-11-17 CVE Names: CVE-2020-2252 CVE-2020-2254 CVE-2020-2255 ===================================================================== 1. Summary: An update for jenkins-2-plugins is now available for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 3.11 - noarch 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Security Fix(es): * jenkins-2-plugins/mailer: Missing hostname validation in Mailer Plugin could result in MITM (CVE-2020-2252) * jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean Plugin could allow to read arbitrary files (CVE-2020-2254) * jenkins-2-plugins/blueocean: Blue Ocean Plugin does not perform permission checks in several HTTP endpoints implementing connection tests (CVE-2020-2255) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: See the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r elease_notes.html This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258. 5. Bugs fixed (https://bugzilla.redhat.com/): 1880454 - CVE-2020-2252 jenkins-2-plugins/mailer: Missing hostname validation in Mailer Plugin could result in MITM 1880456 - CVE-2020-2254 jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean Plugin could allow to read arbitrary files 1880460 - CVE-2020-2255 jenkins-2-plugins/blueocean: Blue Ocean Plugin does not perform permission checks in several HTTP endpoints implementing connection tests. 6. Package List: Red Hat OpenShift Container Platform 3.11: Source: jenkins-2-plugins-3.11.1603460090-1.el7.src.rpm noarch: jenkins-2-plugins-3.11.1603460090-1.el7.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-2252 https://access.redhat.com/security/cve/CVE-2020-2254 https://access.redhat.com/security/cve/CVE-2020-2255 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX7NUM9zjgjWX9erEAQjayg//fqwPOJshflXoJ9n0cRQGdgNVtCRD1Kjt dIQnoj++xqm864EWPXEm9CaJBhV0KuBwxyxns0OhkSC+q8O74F2LOBq+UJRYATZz AWZCRhvNW2qX5lHMr8a43CaaEMYSKcwnmUXriHu4SoEtRSrcK2V9hudmakkom6Qy 12b73lQUJtDoIeZE6SDXqHiqhv0ecuiaQNWzUjQiqaJngI2RYHs4Mu3d5umK1xHO JKRBRTEh8y23MUbDlnt93iYtAIlpaRX6LrSUnRhVcYMPxFvQxWx3fF4ABIbXsB6z hFeWoLIQ6N2Y7es7paeQawdG5Np9DzBWCyRUUkis7Pkimjy8XiW54zH3SVUqS4LM ro7lv7ijezN/kkhtFvMZx2IAzTipwrYO24z5JT0iRI0EDBRUX+MDg2Zks0+M8N3O B4ho9wlr4fW/oxNn8noCNF272SXgxRRdyC1PIMC4KAyqT0nJPP434bjh9nsPBTMg aLL5Z+CqabLYYepopH30bl9ymRxeBJA4JaT8luSuO0Epd3EY++oyS/QiKjbk+ZKU z6gQp4M4Byl4op1Cg4DjJSZVL1DL2aApxR6W+22vUTrWAn8MTIHdWHCf+K/cPccI DiSYuDb84ZeCCMPCuwdRZJAlBrxYE0cFAl0NwwRQLSZtrJwn16Km0w+bjBBOyavV 3kQVZV2EiVs= =0JlV -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce