[RHSA-2019:3144-01] Important: OpenShift Container Platform 3.11 jenkins security update
Security announcements for all Red Hat products and services.
rhsa-announce at redhat.com
Fri Oct 18 01:36:33 UTC 2019
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: OpenShift Container Platform 3.11 jenkins security update
Advisory ID: RHSA-2019:3144-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3144
Issue date: 2019-10-18
CVE Names: CVE-2019-10383 CVE-2019-10384
=====================================================================
1. Summary:
An update for jenkins is now available for Red Hat OpenShift Container
Platform 3.11.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenShift Container Platform 3.11 - noarch
3. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by CRON.
This advisory contains the updated jenkins RPM package for Red Hat
OpenShift Container Platform 3.11.
Security Fix(es):
* jenkins: CSRF protection tokens for anonymous users did not expire in
some circumstances (CVE-2019-10384)
* jenkins: stored cross-site scripting in update center web pages
(CVE-2019-10383)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
See the following documentation,which will be updated shortly for this
release, for important instructions on how to upgrade your cluster and
fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r
elease_notes.html
5. Bugs fixed (https://bugzilla.redhat.com/):
1747293 - CVE-2019-10383 jenkins: stored cross-site scripting in update center web pages (SECURITY-1453)
1747297 - CVE-2019-10384 jenkins: CSRF protection tokens for anonymous users did not expire in some circumstances (SECURITY-1491)
6. Package List:
Red Hat OpenShift Container Platform 3.11:
Source:
jenkins-2.176.3.1569349414-1.el7.src.rpm
noarch:
jenkins-2.176.3.1569349414-1.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-10383
https://access.redhat.com/security/cve/CVE-2019-10384
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXakXHdzjgjWX9erEAQhn0A/+JJ3WhLWybA6vJKFH0EUestKoZy077T8H
g25MA52Q828CaKEgRd1XDrwNwQRnis2NKXPwOB0Ri1DEIwd/vvfr0EqO2nzBgiE3
LnCvNHEZY+cYdJ/4x4mlGgWxPIP/1pcWT3JjD8E++evLxhbcsiRsAJF4We2sEuj8
AF/xQPbcvEOmzxrMnxbZv6owWPkpCvu+CbobTI8QPJONY0jq25VAMtMtllq3CaoP
3aTJa6+Ef625JteEghzwfs7jfQRelxgAU4QEAYVl1ikJHgIKUunKq9kDVeH0gJdX
B0Cko9KNXSrJu2I9RTbYKCRZ0Bv/tZSwhmiVBfiNet62t6wwVNaCu49caCOTYmqu
HEDLXsMUNzNLSE9a72pV7R+rjzLOM+N9urtq01VJNhCa7dIIWi8jPoQvakZFAq08
igl+hXrw+ChXNKiFfXEafgkvxzFsi3/r0n5Orqr/y3Qg7wm38qDCKGJOv3NCjsLi
eQWIo5YBjYu79F2YsRd3AFGGifb4i4m5aPDSs6e+kz+gG0b3ZJUC6BVH2JaZjSkl
6bcY7wfa6csl0ObSbppiJCffIol3Y4hAc1bwYdqRxLHdhgpQVushUWVLzfY4WUgC
FQgQLxjRFvhMnCyt64ggDK2df+bIZQEsa1Tl02H/8LoLoIlqL7K2KqgZwifQVIyH
QRSGnbshdEE=
=MWPj
-----END PGP SIGNATURE-----
More information about the RHSA-announce
mailing list