Authorization Bypass

Red Hat OpenShift Container Platform is the company’s cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.6.1. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHEA-2017:2644 This update fixes the following bugs: * When the atomic-openshift-node service got restarted, all processes in its control group are terminated, including the glusterfs-mounted points. Each glusterfs volume in OpenShift corresponds to one mounted point. If all mounting points are lost, so are all of the volumes. Set the control group mode to terminate only the main process and leave the remaining glusterfs mounting points untouched. When the atomic-openshift-node service is restarted, no glusterfs mounting point is terminated. (BZ#1423640) * A route can front up to four services that handle the requests. The load balancing strategy governs which endpoint gets each request. When round-robin is chosen, the portion of the requests that each service handles is governed by the weight assigned to the service. Each endpoint in the service gets a fraction of the service’s requests. (BZ#1473736) * When fluentd was reading from the journald and the output buffer queue wass full, the fluentd log was filled up with KubeClient messages. This is a bug in the fluentd filter_kubernetes_metadata plug-in. Ignore fluentd log messages from Kubeclient::Common::WatchNotice. (BZ#1476731) * Previously, the Copy Service Labels link in the Create Route form did not correctly copy the labels from the service to the new route. It has been fixed to copy the selected service’s labels. (BZ#1477933) * Permissions on directories injected as a build input via the image source input mechanism have user-only access permissions. Therefore, the resulting application image cannot access the content when run as a random user ID. With this bug fix, the directories will be injected with group permissions, which will allow the user access to the container. (BZ#1479130) * Kibana nodejs runtime was not the same as the version distributed by Elastic. With this bug fix, the versioning is updated. (BZ#1479928) * Previously, the ScaleIO volume plug-in was missing in OpenShift Container Platform. With this bug fix, it is now fully enabled. (BZ#1482273) * Namespaces that use reserved names and were not created by infrastructure components should be blocked, as they will cause the upgrade to fail. (BZ#1484958) This update includes the following enhancement: * There is now the ability to set reference policy with oc import-image. Set reference policy using the --reference-policy flag when invoking oc import-image. When importing all tags (using the --all flag), all tags will get passed to reference policy, including overwriting the already present one. (BZ#1420976) All OpenShift Container Platform 3.6 users are advised to upgrade to these updated packages and images.