Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2173.2
OpenShift Container Platform - python-psutil security update
24 June 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenShift Container Platform - python-psutil
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Denial of Service -- Remote/Unauthenticated
Execute Arbitrary Code/Commands -- Console/Physical
Resolution: Patch/Upgrade
CVE Names: CVE-2019-18874
Reference: ESB-2019.4515
ESB-2019.4473
ESB-2019.4367
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:2583
https://access.redhat.com/errata/RHSA-2020:2635
Comment: This bulletin contains two (2) Red Hat security advisories.
Revision History: June 24 2020: Vendor released minor update
June 23 2020: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.4.9 python-psutil security update
Advisory ID: RHSA-2020:2583-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2583
Issue date: 2020-06-22
CVE Names: CVE-2019-18874
=====================================================================
1. Summary:
An update for python-psutil is now available for Red Hat OpenShift
Container Platform 4.4.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenShift Container Platform 4.4 - x86_64
3. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* python-psutil: A double free issue has been discovered in python-psutil
that may allow a local attacker to get code execution with the privileges
of the user running the python-psutil application. (CVE-2019-18874)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For OpenShift Container Platform 4.4 see the following documentation, which
will be updated shortly for release 4.4.9, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel
ease-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.4/updating/updating-cluster
- - -cli.html.
5. Bugs fixed (https://bugzilla.redhat.com/):
1772014 - CVE-2019-18874 python-psutil: double free because of refcount mishandling
6. Package List:
Red Hat OpenShift Container Platform 4.4:
Source:
python-psutil-5.6.6-1.el7ar.src.rpm
x86_64:
python-psutil-debuginfo-5.6.6-1.el7ar.x86_64.rpm
python2-psutil-5.6.6-1.el7ar.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-18874
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXvFDftzjgjWX9erEAQjOaRAAn1xKRXMzspWF3Ka+KOdyktPCI9tEy9pE
fun8nuJbZc3DHQg9JLBusDNKuQhxnnweIpZefwekqPBqRtrB9FtsOAqiCV61bRZ1
0drZTMQLxvtwgIrjrV7MdIk+myLPKOxqXHUWS6Yzxa58Wdo6G9SoQEigGqDu3mbb
nQ3UjO45hKiDdAdoEb9iIHHw8ET1jOZQG3y1YD0Z6mIPkcDMIzYUL4FVqsURGkKt
QQ33/Q73CKG9nLRrrmLVkq+FBACjiN7p+RHCg17yfHBU+nDXRHEGXUnYeyKQ672+
/Ce4LUKMIBoWi0P7v7AgdS1dr+QBYEt9aPA2TZEerT++XW3jueDj90UCs/tu+8Az
9mLbBwnNoyHQ8QSq1E4/Lb++lPISb/wUJxR9/9QVws9OifMcoLPTXhIdcL0fGND2
xhp+MnM7dKMNIMhNTVNIjI4XvsGHt0NlK4l2yO+4qu93CQiOWmmIuOpKyhirSN60
UFkEtHcRZ9K496HNFOijQ7MaUgI3ZOjc0wrzqGBMEPHMwR7X7ldw4lcc/6wzsdNS
3lNzakEDt7fpCDY8m6d3IJT5RP7c0l+j7iSF/7T1qO0rzH8EPmz1DuCMr5vmxO6x
aMPj14GQXvvES9cd0His9ZmkdHeg9ftjJk2V9k2k+5oyfM+XJWFXWwgHfhAYGioc
IGO1PBRscWs=
=QZUw
- -----END PGP SIGNATURE-----
- ------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.3.26 python-psutil security update
Advisory ID: RHSA-2020:2635-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2635
Issue date: 2020-06-23
CVE Names: CVE-2019-18874
=====================================================================
1. Summary:
An update for python-psutil is now available for Red Hat OpenShift
Container Platform 4.3.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenShift Container Platform 4.3 - ppc64le, s390x, x86_64
3. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* python-psutil: double free because of refcount mishandling
(CVE-2019-18874)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For OpenShift Container Platform 4.3 see the following documentation, which
will be updated shortly for release 4.3.26, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/4.3/release_notes/ocp-4-3-rel
ease-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.3/updating/updating-cluster
- - -cli.html.
5. Bugs fixed (https://bugzilla.redhat.com/):
1772014 - CVE-2019-18874 python-psutil: double free because of refcount mishandling
6. Package List:
Red Hat OpenShift Container Platform 4.3:
Source:
python-psutil-5.6.6-1.el7ar.src.rpm
ppc64le:
python-psutil-debuginfo-5.6.6-1.el7ar.ppc64le.rpm
python2-psutil-5.6.6-1.el7ar.ppc64le.rpm
s390x:
python-psutil-debuginfo-5.6.6-1.el7ar.s390x.rpm
python2-psutil-5.6.6-1.el7ar.s390x.rpm
x86_64:
python-psutil-debuginfo-5.6.6-1.el7ar.x86_64.rpm
python2-psutil-5.6.6-1.el7ar.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-18874
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXvJZstzjgjWX9erEAQjEuw//f6dljb6Q/KGKiG5pPMtC3Sz44CpOighQ
h6KYx7ChR6/Q2FzORGpIqplbqdUmsEa86RL33eud2oHf6t2yzRQSe6h8MVrFWaio
WOhzXlSlWYmZiFdkaFsXij3AFVG6UMilEz8P3jCGwml10SNhdZAo3gBrw5aaTEsW
FrbfStH642VbAHWiRCwQryA/4WFyx7d1dr++0++Tt3rwGcCKErSUfxXua/O0dG8N
U0b45eToeR8sHnWZqlzihIvbMS3hQ+BoyGu3jGHLPSeUVAP2Ps+TbQeZYOPqwoyf
IoJWBPi3SNDylG9qLXx5u7FKGqUEb5V4bi+FltO3a0O6zgNaSiBxN6cPurhJNh0f
FioSZq/FXH7iCTmP7QZiykPdbBZ3drhaon0CzkDVE0i6K7sziIUrlwhYpL0PdJHv
M02Qf8Kf9R3hbZ5dCxT9zQlvJhs1BiYpIoziNeZ/9PyrCmZzhUY+Jhig/wGhV9ge
BoG1ZRm1r/hjQPhVxw84VMVV3hY0fZbunvUbpQiPdGSieDm9J+N4GSv8bjluOwuf
CP8mvMns46j7Fwh/K7DoYHSeE1ROeiPM8pb7QRLHQGzCXlbvuk3PUW3uHj9cuq/3
18Z1+FM2L93HRQFsHFj4xoxVL97HAik4qKSfYKM+I+v0Jd57/jADZ0cvzU9hTS5o
iVJnXnvSPk0=
=Rtlv
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXvKNI+NLKJtyKPYoAQgwSg/+P0tqYJHtPN72XFefEUc4Vp2//XS71mxA
Hg0tKyZkLDOYP5Zl38VzwvxiX03nKZEqigggDd79D6t7Xt0r4U/DBb4PThihegfN
i17j/fF9yvpsKo3IKPc7NV+uW/yOiB9xWJ4jbOOt3WWqGxducPJ1faPB/1mKJF/i
Zmuf6T4iTlV2UIGmJUvBNk6CqxKYv/R1rn56rzV0Kq0zBXYRux+PjBFKofaV2VaM
5T25/CSBS6anBrFKJ5V2GWldeRI1GqS0nVTSUCxzO2GKHLPo5sfjUYG7oQgpdNTv
EsVyHtA+AqxujaYJMOrVMxGZP+rEcffVl/pZPlxMV0BBfZSOsQwpEA+BN/ayWXNX
oI6d6uRQ8y19khx9ky3P27RIJL+WUHR/Cio1ovveCPkXT8TiRMp+Da3lgEq7pDD9
6Fvc+RZ5OujgCGS57nNP+Fx/fr40oMH5uGHzIAkLCQvzmS+QYE9UT2l4nRs6JSmW
8NilpcQ1/7SJv1EG4glBwrGKaSQZZ7I4VHN54DHVIFAPMf0+8yBVbbSZYu3JLjL3
zrD+IlCIUakPZVmJs41IQEFkDCP14D8/YVlxhPDiJrxJf9UeQ2Z85vaNFZmK/1C+
AqknVt5U56zqvO6RBAygGQCOiEiywyDFuEYX63U/2PIAhEW9e79LA00+9CR5wiuh
bYbLf5wCuG0=
=vkpo
-----END PGP SIGNATURE-----