5.8 - RHSA-2016:1206

Problem Description:

An updated Jenkins package and image that includes security fixes are now available for Red Hat OpenShift Enterprise 3.2.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Enterprise 3.1 - noarch, x86_64 Red Hat OpenShift Enterprise 3.2 - noarch, x86_64

3. Description:

OpenShift Enterprise by Red Hat is the company's cloud computing Platform- as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* The Jenkins continuous integration server has been updated to upstream version 1.651.2 LTS that addresses a large number of security issues, including open redirects, a potential denial of service, unsafe handling of user provided environment variables and several instances of sensitive information disclosure. (CVE-2016-3721, CVE-2016-3722, CVE-2016-3723, CVE-2016-3724, CVE-2016-3725, CVE-2016-3726, CVE-2016-3727)

Refer to the changelog listed in the References section for a list of changes.

This update includes the following image:

openshift3/jenkins-1-rhel7:1.651.2-4

All OpenShift Enterprise 3.2 users are advised to upgrade to the updated package and image.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1333133 - better retry in accessing replication controllers from openshift jenkin-plugin 1335415 - CVE-2016-3721 jenkins: Arbitrary build parameters are passed to build scripts as environment variables (SECURITY-170) 1335416 - CVE-2016-3722 jenkins: Malicious users with multiple user accounts can prevent other users from logging in (SECURITY-243) 1335417 - CVE-2016-3723 jenkins: Information on installed plugins exposed via API (SECURITY-250) 1335418 - CVE-2016-3724 jenkins: Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration (SECURITY-266) 1335420 - CVE-2016-3725 jenkins: Regular users can trigger download of update site metadata (SECURITY-273) 1335421 - CVE-2016-3726 jenkins: Open redirect to scheme-relative URLs (SECURITY-276) 1335422 - CVE-2016-3727 jenkins: Granting the permission to read node configurations allows access to overall system configuration (SECURITY-281)