Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2173.2 OpenShift Container Platform - python-psutil security update 24 June 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: OpenShift Container Platform - python-psutil Publisher: Red Hat Operating System: Red Hat Impact/Access: Denial of Service -- Remote/Unauthenticated Execute Arbitrary Code/Commands -- Console/Physical Resolution: Patch/Upgrade CVE Names: CVE-2019-18874 Reference: ESB-2019.4515 ESB-2019.4473 ESB-2019.4367 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:2583 https://access.redhat.com/errata/RHSA-2020:2635 Comment: This bulletin contains two (2) Red Hat security advisories. Revision History: June 24 2020: Vendor released minor update June 23 2020: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.4.9 python-psutil security update Advisory ID: RHSA-2020:2583-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2020:2583 Issue date: 2020-06-22 CVE Names: CVE-2019-18874 ===================================================================== 1. Summary: An update for python-psutil is now available for Red Hat OpenShift Container Platform 4.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 4.4 - x86_64 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Security Fix(es): * python-psutil: A double free issue has been discovered in python-psutil that may allow a local attacker to get code execution with the privileges of the user running the python-psutil application. (CVE-2019-18874) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For OpenShift Container Platform 4.4 see the following documentation, which will be updated shortly for release 4.4.9, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.4/updating/updating-cluster - - -cli.html. 5. Bugs fixed (https://bugzilla.redhat.com/): 1772014 - CVE-2019-18874 python-psutil: double free because of refcount mishandling 6. Package List: Red Hat OpenShift Container Platform 4.4: Source: python-psutil-5.6.6-1.el7ar.src.rpm x86_64: python-psutil-debuginfo-5.6.6-1.el7ar.x86_64.rpm python2-psutil-5.6.6-1.el7ar.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-18874 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXvFDftzjgjWX9erEAQjOaRAAn1xKRXMzspWF3Ka+KOdyktPCI9tEy9pE fun8nuJbZc3DHQg9JLBusDNKuQhxnnweIpZefwekqPBqRtrB9FtsOAqiCV61bRZ1 0drZTMQLxvtwgIrjrV7MdIk+myLPKOxqXHUWS6Yzxa58Wdo6G9SoQEigGqDu3mbb nQ3UjO45hKiDdAdoEb9iIHHw8ET1jOZQG3y1YD0Z6mIPkcDMIzYUL4FVqsURGkKt QQ33/Q73CKG9nLRrrmLVkq+FBACjiN7p+RHCg17yfHBU+nDXRHEGXUnYeyKQ672+ /Ce4LUKMIBoWi0P7v7AgdS1dr+QBYEt9aPA2TZEerT++XW3jueDj90UCs/tu+8Az 9mLbBwnNoyHQ8QSq1E4/Lb++lPISb/wUJxR9/9QVws9OifMcoLPTXhIdcL0fGND2 xhp+MnM7dKMNIMhNTVNIjI4XvsGHt0NlK4l2yO+4qu93CQiOWmmIuOpKyhirSN60 UFkEtHcRZ9K496HNFOijQ7MaUgI3ZOjc0wrzqGBMEPHMwR7X7ldw4lcc/6wzsdNS 3lNzakEDt7fpCDY8m6d3IJT5RP7c0l+j7iSF/7T1qO0rzH8EPmz1DuCMr5vmxO6x aMPj14GQXvvES9cd0His9ZmkdHeg9ftjJk2V9k2k+5oyfM+XJWFXWwgHfhAYGioc IGO1PBRscWs= =QZUw - -----END PGP SIGNATURE----- - ------------------------------------------------------------------------------ - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.3.26 python-psutil security update Advisory ID: RHSA-2020:2635-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2020:2635 Issue date: 2020-06-23 CVE Names: CVE-2019-18874 ===================================================================== 1. Summary: An update for python-psutil is now available for Red Hat OpenShift Container Platform 4.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 4.3 - ppc64le, s390x, x86_64 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Security Fix(es): * python-psutil: double free because of refcount mishandling (CVE-2019-18874) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For OpenShift Container Platform 4.3 see the following documentation, which will be updated shortly for release 4.3.26, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.3/release_notes/ocp-4-3-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.3/updating/updating-cluster - - -cli.html. 5. Bugs fixed (https://bugzilla.redhat.com/): 1772014 - CVE-2019-18874 python-psutil: double free because of refcount mishandling 6. Package List: Red Hat OpenShift Container Platform 4.3: Source: python-psutil-5.6.6-1.el7ar.src.rpm ppc64le: python-psutil-debuginfo-5.6.6-1.el7ar.ppc64le.rpm python2-psutil-5.6.6-1.el7ar.ppc64le.rpm s390x: python-psutil-debuginfo-5.6.6-1.el7ar.s390x.rpm python2-psutil-5.6.6-1.el7ar.s390x.rpm x86_64: python-psutil-debuginfo-5.6.6-1.el7ar.x86_64.rpm python2-psutil-5.6.6-1.el7ar.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-18874 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXvJZstzjgjWX9erEAQjEuw//f6dljb6Q/KGKiG5pPMtC3Sz44CpOighQ h6KYx7ChR6/Q2FzORGpIqplbqdUmsEa86RL33eud2oHf6t2yzRQSe6h8MVrFWaio WOhzXlSlWYmZiFdkaFsXij3AFVG6UMilEz8P3jCGwml10SNhdZAo3gBrw5aaTEsW FrbfStH642VbAHWiRCwQryA/4WFyx7d1dr++0++Tt3rwGcCKErSUfxXua/O0dG8N U0b45eToeR8sHnWZqlzihIvbMS3hQ+BoyGu3jGHLPSeUVAP2Ps+TbQeZYOPqwoyf IoJWBPi3SNDylG9qLXx5u7FKGqUEb5V4bi+FltO3a0O6zgNaSiBxN6cPurhJNh0f FioSZq/FXH7iCTmP7QZiykPdbBZ3drhaon0CzkDVE0i6K7sziIUrlwhYpL0PdJHv M02Qf8Kf9R3hbZ5dCxT9zQlvJhs1BiYpIoziNeZ/9PyrCmZzhUY+Jhig/wGhV9ge BoG1ZRm1r/hjQPhVxw84VMVV3hY0fZbunvUbpQiPdGSieDm9J+N4GSv8bjluOwuf CP8mvMns46j7Fwh/K7DoYHSeE1ROeiPM8pb7QRLHQGzCXlbvuk3PUW3uHj9cuq/3 18Z1+FM2L93HRQFsHFj4xoxVL97HAik4qKSfYKM+I+v0Jd57/jADZ0cvzU9hTS5o iVJnXnvSPk0= =Rtlv - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXvKNI+NLKJtyKPYoAQgwSg/+P0tqYJHtPN72XFefEUc4Vp2//XS71mxA Hg0tKyZkLDOYP5Zl38VzwvxiX03nKZEqigggDd79D6t7Xt0r4U/DBb4PThihegfN i17j/fF9yvpsKo3IKPc7NV+uW/yOiB9xWJ4jbOOt3WWqGxducPJ1faPB/1mKJF/i Zmuf6T4iTlV2UIGmJUvBNk6CqxKYv/R1rn56rzV0Kq0zBXYRux+PjBFKofaV2VaM 5T25/CSBS6anBrFKJ5V2GWldeRI1GqS0nVTSUCxzO2GKHLPo5sfjUYG7oQgpdNTv EsVyHtA+AqxujaYJMOrVMxGZP+rEcffVl/pZPlxMV0BBfZSOsQwpEA+BN/ayWXNX oI6d6uRQ8y19khx9ky3P27RIJL+WUHR/Cio1ovveCPkXT8TiRMp+Da3lgEq7pDD9 6Fvc+RZ5OujgCGS57nNP+Fx/fr40oMH5uGHzIAkLCQvzmS+QYE9UT2l4nRs6JSmW 8NilpcQ1/7SJv1EG4glBwrGKaSQZZ7I4VHN54DHVIFAPMf0+8yBVbbSZYu3JLjL3 zrD+IlCIUakPZVmJs41IQEFkDCP14D8/YVlxhPDiJrxJf9UeQ2Z85vaNFZmK/1C+ AqknVt5U56zqvO6RBAygGQCOiEiywyDFuEYX63U/2PIAhEW9e79LA00+9CR5wiuh bYbLf5wCuG0= =vkpo -----END PGP SIGNATURE-----