Bug 1390858

Summary: RHSA-2016:1940: openssl security update
Product: Red Hat Enterprise Linux 7
Component: cockpit-ws-container
Version: 7.3
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: high
Target Milestone: rc
Keywords: Extras, Security
Reporter: Alex Jia <ajia>
Assignee: Dominik Perpeet <dperpeet>
QA Contact: qe-baseos-daemons
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2016-11-04 09:10:33 UTC

Description Alex Jia 2016-11-02 06:38:26 UTC
Description of problem:
atomic scan found a CVE bug in registry.access.redhat.com/rhel7/cockpit-ws:latest(b43b419e).

Version-Release number of selected component (if applicable):

[root@atomic-00 cloud-user]# cat /etc/redhat-release 
Red Hat Enterprise Linux Atomic Host release 7.3

[root@atomic-00 cloud-user]# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3 (2016-10-26 14:24:09)
        Commit: 90c9735becfff1c55c8586ae0f2c904bc0928f042cd4d016e9e0e2edd16e5e97
        OSName: rhel-atomic-host
      Unlocked: development

[root@atomic-00 cloud-user]# rpm -q atomic
atomic-1.13.6-1.el7.x86_64

[root@atomic-00 cloud-user]# docker images
REPOSITORY                                                   TAG                 IMAGE ID            CREATED             SIZE
registry.access.redhat.com/rhel7/openscap                    latest              fe6f007ba9df        7 weeks ago         362.8 MB
registry.access.redhat.com/rhel7/cockpit-ws                  latest              b43b419e2783        7 weeks ago         218.8 MB


How reproducible:
always

Steps to Reproduce:
1. docker pull registry.access.redhat.com/rhel7/cockpit-ws
2. atomic scan --scanner openscap --scan_type cve registry.access.redhat.com/rhel7/cockpit-ws


Actual results:

$ sudo atomic scan --scanner openscap --scan_type cve registry.access.redhat.com/rhel7/cockpit-ws

b43b419e2783b348b771fc92872654b9b9ae27aac112f034ef8f313fc26ead24 (registry.access.redhat.com/rhel7/cockpit-ws:latest)

The following issues were found:

     RHSA-2016:1940: openssl security update (Important)
     Severity: Important
       RHSA URL: https://rhn.redhat.com/errata/RHSA-2016-1940.html
       RHSA ID: RHSA-2016:1940-01
       Associated CVEs:
           CVE ID: CVE-2016-2177
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2177
           CVE ID: CVE-2016-2178
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2178
           CVE ID: CVE-2016-2179
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2179
           CVE ID: CVE-2016-2180
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2180
           CVE ID: CVE-2016-2181
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2181
           CVE ID: CVE-2016-2182
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-2182
           CVE ID: CVE-2016-6302
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-6302
           CVE ID: CVE-2016-6304
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-6304
           CVE ID: CVE-2016-6306
           CVE URL: https://access.redhat.com/security/cve/CVE-2016-6306


Expected results:


Additional info:

Comment 1 Dominik Perpeet 2016-11-02 11:19:40 UTC
This will be fixed by the next release in sync with Extras 7.3.

Comment 5 errata-xmlrpc 2016-11-04 09:10:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:2632