Policy

Defined below are the security contacts for this repo.

They are the contact point for the Product Security Committee to reach out to for triaging and handling of incoming issues.

The below names agree to abide by the Embargo Policy and will be removed and replaced if they violate that agreement.

4.6
=======================================
atomic-enterprise-service-catalog-4.6.0-202007100531.p0.git.1808.4843b08.el8-root.log: 1.14.4-2.module+el8.3.0+7324+24e3ded4
atomic-openshift-service-idler-4.6.0-202010011936.p0.git.15.36f28b7.el8-root.log: 1.15.0-1.module+el8.4.0+7995+d3ff3d9b
buildah-1.11.6-8.rhaos4.5.el8-root.log: 1.13.4-2.module+el8.2.0+4946+bcbab5cc
containernetworking-plugins-0.8.6-1.rhaos4.5.el7-root.log: -1.12.12-4.el7.x86_64
containernetworking-plugins-0.8.6-1.rhaos4.5.el8-root.log: 1.13.4-2.module+el8.2.0+4946+bcbab5cc
cri-o-1.19.0-113.rhaos4.6.git97d715e.el7-root.log: -1.13.4-3.el7.x86_64
cri-o-1.19.0-20.rhaos4.6.git97d715e.el8-root.log: 1.15.0-1.module+el8.4.0+7995+d3ff3d9b
cri-tools-1.18.0-3.el7-root.log: -1.13.4-3.el7.x86_64
@sfowl
sfowl / 4.2.z
Created November 12, 2020 03:38
$ # OCP 4.2.z bugs
$ bugzilla --ensure-logged-in query --json --from-url "buglist.cgi?product=OpenShift%20Container%20Platform&keywords=SecurityTracking&limit=50&bug_severity=high&bug_severity=urgent&target_release=4.2.z" | jq -r '.bugs[].summary' | sort -u | tee /tmp/all-4.2.z-trackers
CVE-2018-12207 machine-os-content-container: hw: Machine Check Error on Page Size Change (IPU) [openshift-4.2.z]
CVE-2019-10431 jenkins-2-plugins: jenkins-script-security: Sandbox bypass vulnerability in Script Security Plugin [openshift-4.2.z]
CVE-2019-10746 kibana: nodejs-mixin-deep: prototype pollution in function mixin-deep [openshift-4.2-default]
CVE-2019-16538 CVE-2020-2109 CVE-2020-2110 CVE-2020-2111 CVE-2020-2134 CVE-2020-2135 CVE-2020-2136 jenkins-2-plugins: various flaws [openshift-4.2.z]
CVE-2019-17638 CVE-2020-2229 CVE-2020-2230 CVE-2020-2231 jenkins: various flaws [openshift-4.2.z]
CVE-2019-9512 CVE-2019-9514 apb: various flaws [openshift-4.2]
CVE-2019-9512 CVE-2019-9514 containernetworking-plugins: various flaws
$ bugzilla --ensure-logged-in query --json --from-url "buglist.cgi?product=OpenShift%20Container%20Platform&keywords=SecurityTracking&summary=CVE-2020-15586&status=CLOSED" | jq -r '.bugs[] | "\n" + .summary + "\n" + .comments[-1].text'
CVE-2020-15586 CVE-2020-16845 ignition: various flaws [openshift-4]
Fixed by below advisory, used FixCVENames to associate CVEs:
https://access.redhat.com/errata/RHBA-2020:4197
CVE-2020-15586 CVE-2020-16845 openshift-clients: various flaws [openshift-4]
Fixed in below advisory, used FixCVENames to asssociate CVEs:
$ bugzilla --ensure-logged-in query --json --from-url "buglist.cgi?product=OpenShift%20Container%20Platform&keywords=SecurityTracking&summary=CVE-2020-15586&status=CLOSED" | jq -r '.bugs[] | "----\n" + .summary + "\n" + .comments[-1].text'
----
CVE-2020-15586 CVE-2020-16845 ignition: various flaws [openshift-4]
Fixed by below advisory, used FixCVENames to associate CVEs:
https://access.redhat.com/errata/RHBA-2020:4197
----
CVE-2020-15586 CVE-2020-16845 openshift-clients: various flaws [openshift-4]
Fixed in below advisory, used FixCVENames to asssociate CVEs:
@sfowl
sfowl / query
Created December 3, 2020 23:54
$ dnf repoquery --latest-limit=1 --repoid=fedora-source -a --qf="#%{NAME} [%{REQUIRES}]" | sed -r ':a;$!{N;s/\n//;ba}; s/([^\r]*)\r\n/\1 /g; s/#/\r\n/g' | grep -E 'golang|go-tool|go-compiler' | awk '{print $1}' | sort -u > golang-rpms
$ grep -v github /tmp/golang-rpms | grep -v golang
arduino-builder
buildah
caddy
cadvisor
cheat
containerd
containernetworking-plugins
cri-tools
assisted-installer-agent-container-v4.6.0-54
assisted-installer-container-v4.6.0-55
assisted-installer-reporter-container-v4.6.0-52
cluster-logging-operator-metadata-container-v4.6.0.202011221454.p0-1
cluster-nfd-operator-metadata-container-v4.6.0.202012050130.p0-1
cnf-tests-container-v4.6.0-32
compliance-content-container-v4.6.0-8
dpdk-base-container-v4.6.0-5.1604454995
elasticsearch-operator-metadata-container-v4.6.0.202011221454.p0-1
local-storage-operator-metadata-container-v4.6.0.202012050130.p0-1
@sfowl
sfowl / update.sh
Last active January 12, 2021 08:25
#!/usr/bin/bash
# prereqs and token code written by Joel Smith
allprereqs=1
# Check that every required tool is on PATH before continuing
for i in cat shyaml hub jq curl git; do
  if ! command -v "$i" &> /dev/null; then
    echo $?
    echo "Missing prerequisite: $i"
    allprereqs=0
  fi
done