Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.1146
Moderate: CloudForms Commons 1.1 security update
5 December 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: CloudForms Commons 1.1
CloudForms System Engine
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Server 5
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Administrator Compromise -- Existing Account
Modify Arbitrary Files -- Remote/Unauthenticated
Access Privileged Data -- Existing Account
Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2012-5605 CVE-2012-5603 CVE-2012-4574
CVE-2012-3867 CVE-2012-3865 CVE-2012-3864
CVE-2012-3538 CVE-2012-3465 CVE-2012-3464
CVE-2012-3463 CVE-2012-3424 CVE-2012-2695
CVE-2012-2694 CVE-2012-2661 CVE-2012-2660
CVE-2012-2140 CVE-2012-2139 CVE-2012-1988
CVE-2012-1987 CVE-2012-1986
Reference: ASB-2012.0113
ASB-2012.0111
ASB-2012.0100
ESB-2012.0673
ESB-2012.0376
ESB-2012.0372
ESB-2012.0364
Original Bulletin:
https://rhn.redhat.com/errata/RHSA-2012-1542.html
https://rhn.redhat.com/errata/RHSA-2012-1543.html
Comment: This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: CloudForms Commons 1.1 security update
Advisory ID: RHSA-2012:1542-01
Product: Red Hat CloudForms
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1542.html
Issue date: 2012-12-04
CVE Names: CVE-2012-1986 CVE-2012-1987 CVE-2012-1988
CVE-2012-2139 CVE-2012-2140 CVE-2012-2660
CVE-2012-2661 CVE-2012-2694 CVE-2012-2695
CVE-2012-3424 CVE-2012-3463 CVE-2012-3464
CVE-2012-3465 CVE-2012-3864 CVE-2012-3865
CVE-2012-3867
=====================================================================
1. Summary:
Updated CloudForms Commons packages that fix several security issues are
now available.
The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Cloud Engine for RHEL 6 Server - noarch
System Engine for RHEL 6 Server - noarch
3. Description:
Red Hat CloudForms is an on-premise hybrid cloud
Infrastructure-as-a-Service (IaaS) product that lets you create and manage
private and public clouds.
Multiple input validation vulnerabilities were discovered in
rubygem-activerecored. A remote attacker could possibly use these flaws
to perform an SQL injection attack against an application using
rubygem-activerecord. (CVE-2012-2660, CVE-2012-2661, CVE-2012-2694,
CVE-2012-2695)
Multiple cross-site scripting (XSS) flaws were found in rubygem-actionpack.
A remote attacker could use these flaws to conduct XSS attacks against
users of an application using rubygem-actionpack. (CVE-2012-3463,
CVE-2012-3464, CVE-2012-3465)
A flaw was found in the HTTP digest authentication implementation in
rubygem-actionpack. A remote attacker could use this flaw to cause a
denial of service of an application using rubygem-actionpack and digest
authentication. (CVE-2012-3424)
An input validation flaw was found in rubygem-mail's Exim and Sendmail
delivery methods. A remote attacker could use this flaw to execute
arbitrary commands with the privileges of an application using
rubygem-mail. (CVE-2012-2140)
A directory traversal flaw was found in rubygem-mail's file delivery
method. A remote attacker could use this flaw to send a mail with a
specially crafted To: header and write to files with the privileges of
an application using rubygem-mail. (CVE-2012-2139)
Puppet was updated to version 2.6.17, which fixes multiple security
issues. These issues are not exposed by CloudForms. (CVE-2012-1986,
CVE-2012-1987, CVE-2012-1988, CVE-2012-3864, CVE-2012-3865, CVE-2012-3867)
Red Hat would like to thank Puppet Labs for reporting CVE-2012-1988,
CVE-2012-1986, CVE-2012-1987, CVE-2012-3864, CVE-2012-3865, and
CVE-2012-3867.
Users are advised to upgrade to these CloudForms Commons packages, which
resolve these issues.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
810069 - CVE-2012-1986 puppet: Filebucket arbitrary file read
810070 - CVE-2012-1987 puppet: Filebucket denial of service
810071 - CVE-2012-1988 puppet: Filebucket arbitrary code execution
816352 - CVE-2012-2139 CVE-2012-2140 rubygem-mail: arbitrary command execution when using exim or sendmail from commandline, file system traversal flaw
827353 - CVE-2012-2660 rubygem-actionpack: Unsafe query generation
827363 - CVE-2012-2661 rubygem-activerecord: SQL injection when processing nested query paramaters
831573 - CVE-2012-2695 rubygem-activerecord: SQL injection when processing nested query paramaters (a different flaw than CVE-2012-2661)
831581 - CVE-2012-2694 rubygem-actionpack: Unsafe query generation (a different flaw than CVE-2012-2660)
839130 - CVE-2012-3864 puppet: authenticated clients allowed to read arbitrary files from the puppet master
839131 - CVE-2012-3865 puppet: authenticated clients allowed to delete arbitrary files on the puppet master
839158 - CVE-2012-3867 puppet: insufficient validation of agent names in CN of SSL certificate requests
843711 - CVE-2012-3424 rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest
847196 - CVE-2012-3463 rubygem-actionpack: potential XSS vulnerability in select_tag prompt
847199 - CVE-2012-3464 rubygem-actionpack: potential XSS vulnerability
847200 - CVE-2012-3465 rubygem-actionpack: XSS Vulnerability in strip_tags
6. Package List:
Cloud Engine for RHEL 6 Server:
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/converge-ui-devel-1.0.4-1.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/puppet-2.6.17-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-actionpack-3.0.10-10.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-activerecord-3.0.10-6.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-activesupport-3.0.10-4.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-chunky_png-1.2.0-3.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-compass-0.11.5-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-compass-960-plugin-0.10.4-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-delayed_job-2.1.4-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-ldap_fluff-0.1.3-1.el6_3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-mail-2.3.0-3.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-net-ldap-0.1.1-3.el6cf.src.rpm
noarch:
converge-ui-devel-1.0.4-1.el6cf.noarch.rpm
puppet-2.6.17-2.el6cf.noarch.rpm
puppet-server-2.6.17-2.el6cf.noarch.rpm
rubygem-actionpack-3.0.10-10.el6cf.noarch.rpm
rubygem-activerecord-3.0.10-6.el6cf.noarch.rpm
rubygem-activesupport-3.0.10-4.el6cf.noarch.rpm
rubygem-chunky_png-1.2.0-3.el6cf.noarch.rpm
rubygem-compass-0.11.5-2.el6cf.noarch.rpm
rubygem-compass-960-plugin-0.10.4-2.el6cf.noarch.rpm
rubygem-compass-960-plugin-doc-0.10.4-2.el6cf.noarch.rpm
rubygem-delayed_job-2.1.4-2.el6cf.noarch.rpm
rubygem-delayed_job-doc-2.1.4-2.el6cf.noarch.rpm
rubygem-ldap_fluff-0.1.3-1.el6_3.noarch.rpm
rubygem-mail-2.3.0-3.el6cf.noarch.rpm
rubygem-mail-doc-2.3.0-3.el6cf.noarch.rpm
rubygem-net-ldap-0.1.1-3.el6cf.noarch.rpm
System Engine for RHEL 6 Server:
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/converge-ui-devel-1.0.4-1.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/puppet-2.6.17-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-actionpack-3.0.10-10.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-activerecord-3.0.10-6.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-activesupport-3.0.10-4.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-chunky_png-1.2.0-3.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-compass-0.11.5-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-compass-960-plugin-0.10.4-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-delayed_job-2.1.4-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-ldap_fluff-0.1.3-1.el6_3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-mail-2.3.0-3.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-net-ldap-0.1.1-3.el6cf.src.rpm
noarch:
converge-ui-devel-1.0.4-1.el6cf.noarch.rpm
puppet-2.6.17-2.el6cf.noarch.rpm
puppet-server-2.6.17-2.el6cf.noarch.rpm
rubygem-actionpack-3.0.10-10.el6cf.noarch.rpm
rubygem-activerecord-3.0.10-6.el6cf.noarch.rpm
rubygem-activesupport-3.0.10-4.el6cf.noarch.rpm
rubygem-chunky_png-1.2.0-3.el6cf.noarch.rpm
rubygem-compass-0.11.5-2.el6cf.noarch.rpm
rubygem-compass-960-plugin-0.10.4-2.el6cf.noarch.rpm
rubygem-compass-960-plugin-doc-0.10.4-2.el6cf.noarch.rpm
rubygem-delayed_job-2.1.4-2.el6cf.noarch.rpm
rubygem-delayed_job-doc-2.1.4-2.el6cf.noarch.rpm
rubygem-ldap_fluff-0.1.3-1.el6_3.noarch.rpm
rubygem-mail-2.3.0-3.el6cf.noarch.rpm
rubygem-mail-doc-2.3.0-3.el6cf.noarch.rpm
rubygem-net-ldap-0.1.1-3.el6cf.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-1986.html
https://www.redhat.com/security/data/cve/CVE-2012-1987.html
https://www.redhat.com/security/data/cve/CVE-2012-1988.html
https://www.redhat.com/security/data/cve/CVE-2012-2139.html
https://www.redhat.com/security/data/cve/CVE-2012-2140.html
https://www.redhat.com/security/data/cve/CVE-2012-2660.html
https://www.redhat.com/security/data/cve/CVE-2012-2661.html
https://www.redhat.com/security/data/cve/CVE-2012-2694.html
https://www.redhat.com/security/data/cve/CVE-2012-2695.html
https://www.redhat.com/security/data/cve/CVE-2012-3424.html
https://www.redhat.com/security/data/cve/CVE-2012-3463.html
https://www.redhat.com/security/data/cve/CVE-2012-3464.html
https://www.redhat.com/security/data/cve/CVE-2012-3465.html
https://www.redhat.com/security/data/cve/CVE-2012-3864.html
https://www.redhat.com/security/data/cve/CVE-2012-3865.html
https://www.redhat.com/security/data/cve/CVE-2012-3867.html
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFQvmNDXlSAg2UNWIIRAsT1AKC0njSJM+mT6sXBY2tY9K7a7wa2zwCfd6dz
7/ckq62GY//PjJhueUGO298=
=nIh2
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: CloudForms System Engine 1.1 update
Advisory ID: RHSA-2012:1543-01
Product: Red Hat CloudForms
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1543.html
Issue date: 2012-12-04
CVE Names: CVE-2012-3538 CVE-2012-4574 CVE-2012-5603
CVE-2012-5605
=====================================================================
1. Summary:
Updated CloudForms System Engine packages that fix multiple security
issues, several bugs, and add enhancements are now available.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Relevant releases/architectures:
CloudForms Tools for RHEL 5 Server - noarch
CloudForms Tools for RHEL 6 Server - noarch
System Engine for RHEL 6 Server - noarch
3. Description:
Red Hat CloudForms is an on-premise hybrid cloud
Infrastructure-as-a-Service (IaaS) product that lets you create and manage
private and public clouds.
This update fixes bugs in and adds enhancements to the System Engine
packages, and upgrades the system to CloudForms 1.1.
This update also fixes the following security issues:
It was discovered that Katello did not properly check user permissions when
handling certain requests. An authenticated remote attacker could use this
flaw to download consumer certificates or change settings of other users'
systems if they knew the target system's UUID. (CVE-2012-5603)
It was discovered that Pulp logged administrative passwords to a world
readable log file. A local attacker could use this flaw to control systems
deployed and managed by CloudForms. (CVE-2012-3538)
It was discovered that the Pulp configuration file pulp.conf was installed
as world readable. A local attacker could use this flaw to view the
administrative password, allowing them to control systems deployed and
managed by CloudForms. (CVE-2012-4574)
It was discovered that grinder used insecure permissions for its cache
directory. A local attacker could use this flaw to access or modify files
in the cache. (CVE-2012-5605)
The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat;
CVE-2012-3538 was discovered by James Laska of Red Hat; CVE-2012-4574 was
discovered by Kurt Seifried of Red Hat; and CVE-2012-5605 was discovered by
James Labocki of Red Hat.
After upgrading to these new packages, follow the instructions in the "4.1.
Upgrading CloudForms System Engine" section of the CloudForms 1.1
Installation Guide:
https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/index.html
To view the full list of changes in this update, view the CloudForms
Technical Notes:
https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Technical_Notes/index.html
Users are advised to upgrade to these updated CloudForms System Engine
packages, which resolve these issues and add these enhancements.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
746765 - Systems are locked out of katello and cannot re-register
753128 - Sync status remains in "error syncing" state even after successful sync of repo.
760180 - Notifications should note the appropriate Org for org-specific actions.
766694 - UI should show virtual child pools as "children" of the parent.
769559 - Subscribe system ignores "facts -> cpu.cpu_socket(s)"
782954 - Unable to register systems with i18nized names
786176 - (Some) duplicitous notifications produced in multiple langs when using other locales
786226 - List of product repositories not sorted alphabetically
787184 - Devise a disaster recovery plan (or process)
787305 - Notices with details breaking the "Notice List" page
789139 - Unmet dependencies for some packages
789535 - Systems: Cannot add Package Groups
790138 - Systems: hand-rolled systems cannot be initially created with a multibyte name.
790342 - Error in async task is not returned
796047 - SecurityViolation error while accessing gpg key details with read only user
796972 - translatable strings broken up, causing translation to sound wrong
797299 - Display which environment a system is subscribed to in its Details tab
797321 - Gigantic footer
797412 - katello permission not working as expected
799538 - promotions -> errata -> packages filter causes page reload on click
800529 - RFE: As a sysadmin I would like to manage a user's org from the CLI
801454 - Out of place/non-contextual error messages in prod log when creating new orgs
801580 - Updating sync plan does not update associated product's (repo's) sync schedule
802925 - Tool tip in activation key Details screen has markup visible
803548 - Async success notifications pop up from syncs in other orgs
803702 - Synchronizing a repo with i18n characters in name fails for second time
803728 - rpmdiff failure for build gofer-0.66-1.el6
803761 - rpmdiff failure for build katello-selinux-0.1.8-1.el6
804127 - [RFE] no logging property for Katello
804555 - Orgs with international chars in name provide broken urls in redhat.repo
804610 - Can't promote packages from repos with international chars in name
804685 - System Details/Packages, unclear what Packages/PackageGroups radio button does
805027 - Inaccurate system count
805412 - improper message - dot "." in org name being created
805627 - While create a new user, unable to select "Save User"
805709 - Package filter name is unique to entire system
805956 - SE doesn't provide a way how to refresh imported repositories
806076 - Promotion - viewing system template doesn't show the repos in that template
806078 - Changeset History - changing name of a set does not update left panel
806083 - Users - Environments tab is missing the 'Remove User' link
806353 - Sync Plans: Manually entering a time can cause time selector to get stuck on screen
806879 - Apparent discrepancy between Dashboard > System Subscription Status and Systems > All for hypervisors
806940 - RHEL 6.2 not completing sync
806969 - sync_plan creation is setting time 1 hour behind the chosen time
807288 - Selecting changeset from 'changeset history' tab raising "undefined method `find_repos' for #"
807291 - Adding a "bonus pool" to an activation key, then removing parent pool, causes errors
807468 - Only one manifest/product can be imported per system
807804 - Hidden user can be added to a role.
808172 - There should be some implementation of "katello --version"
808437 - [RFE] Don't make notifications for CLI actions performed (and pop them up in UI)
809259 - System not registering with activation key.
810378 - RFE - Search needed on repository selection during promotion
810945 - Unable to delete pools referenced by activation keys
811556 - Displaced 'save' button while editing the changeset description under "changeset history" tab
811564 - Switch default to false for "match system" when listing available subscriptions
812417 - System Properties for registered system lists "Arch" as blank
813675 - on "-v" rework seems `user list` lost the "Disabled" field
815308 - package filter: search for package starting "^" - traceback
815802 - Description on package filter does not save properly
816935 - RFE: Provide possibility to encrypt/obfuscate plaintext passwords
817123 - deleted system template not removed from activation key
818204 - Sync silently "cancels" on some (very large?) repos
818261 - candlepin-cert-consumer rpm not installable on RHEL5 - rpmlib(PayloadIsXz) <= 5.2-1 is needed
818370 - Changeset Fails to Promote with Candlepin RPM
819593 - RFE: Redirect /subscriptions/* to /katello/api/*
819941 - missing dependencies in katello-common
820373 - [RFE] Remove one of the two logout buttons in System Engine interface
820385 - [RFE] Make pulp aware of local/remote syncs
820624 - [RFE] Have PostgreSQL only listen on 127.0.0.1 instead of 127.0.0.1 and 0.0.0.0
820626 - Hide password and email creation fields at user creation time if LDAP auth is enabled in CFSE
820630 - String Updates
821345 - Promotions changeset of system template does not solve dependency of product
821644 - Create new CLI command admin crl_regen for recovery process
821929 - Typo: You -> Your
822119 - [cli] repo create without "http://" in url - python traceback
822484 - [cli] sync_plan list traceback
823688 - mouse cursor no longer turns to 'working' icon during ajax requests
824069 - katello CLI 'product list' should show marketing and engineering product relationships
824581 - GPG Key added to product/repo not added to existing instances which are subscribed to that product/repo
826581 - Hovering mouse from one top-level nav item to the next does not update 2nd level nav
827087 - Package sisu-cglib should not be built for RHEL6.x with a dependency on ant > 1.7.1
827108 - CLI reads "activation key" instead of "gpg key" for update in help.
828447 - CVE-2012-5605 Cloudforms grinder: /var/lib/pulp/cache/grinder directory is world-writeable.
828533 - katello agent AMQP port does not match /etc/services
829208 - Manifest import fail after creating a custom product
829437 - Hitting enter with blank field for GPG name returns JSON content
829794 - Trying to access many top-level menu items as a user w/ no rights throws ISEs rather than permission denied.
830176 - New System tooltip not localized
831664 - Repository sync failures not displaying detailed error in Notices
834006 - Templates: Package Listing in "Eligible Content" (sometimes) hangs/never renders
834013 - SAM is hiding the releaseVer variable from json causing subscription-manager-gui to disable the Release dropdown.
834242 - After user creation, the user name is not appearing in left pane.
834646 - IP Address for subscribed 6Server (6.3) system not displayed
834697 - Error in sasl_client_start when installing packages to subscribed client via web ui
835586 - UnicodeDecodeError: 'utf8' codec can't decode byte 0xe9 in position 270: invalid continuation byte
835591 - activation-key --limit not working
835875 - Runtime Error Could not execute JDBC batch update at org.postgresql.jdbc2.AbstractJdbc2Statement$BatchResultHandler.handleError:2,573
836339 - Total count of users is incorrect when looking at one's user profile page
836575 - 'ascii' codec error while assigning role to user
837000 - [RFE] when updating sync plan by CLI, it resets the interval.
839005 - remove the "force" checkbox from importing manifest
840616 - katello-configure --help optparse.rb:395:in `+': can't convert nil into String (TypeError)
840624 - Post creating new environment in headpin, webui returns row:NotFound error
840625 - Post 'import manifest' subscriptions return row:NotFound
841000 - Auto-complete field displaying json traceback if elasticsearch text is entered
841289 - inconsistency on system info: Katello-Candlepin: unresponsive "Systems" page
841300 - Zoom out on 2-Pane page causes rendering error
841310 - /api/pools does not work with admin
841686 - Selecting an organization from the Orgs selector shifts the org name to the left
841691 - Systems page always shows lo interface IP on list
841984 - Creating new user displays confusing/misleading notification
841998 - Login: Attempting to login w/o selecting org throws error
842003 - Content Search - Errata: Hitting submit on a blank search in the "Repos" div throws error
842005 - Content Search - Products: Hitting "Add" makes button bounce to next line
842010 - Content Search - Packages: Entering a string in Repos field and hitting enter returns error
842252 - [Content Search] When all packages/errata loaded, the link to 'show 25 more' should be removed/disabled from UI
842256 - [Content Search] The 'Show' drop down shows 'errata' as default selection even if user click on packages link to list
842271 - CLI: list the "bugfix" errata for system group shows empty result
842569 - UI - "Symbol as array index (TypeError)" Error when clicking on errata install result status "Install Finished" link for system groups.
842838 - Content Search: Compare - No way to remove packages/repos from compare, after adding them.
842858 - lock icon missing for promotions in review state
843059 - Content Search - Packages: Auto Complete widget should provide only refined content depending on Repos
843061 - Creating repo no longer works when Product name has multibyte text
843064 - Content Search - Products: Not required unless searching for Products itself, it's misleading when searching for Repos, Packages and Errata
843161 - Content Search: Compare - need tooltips or other methods to extend long lines in fields.
843165 - Content Search: Compare - Repo compare UI inexplicably expands to all/multiple environments upon return from Compare
843462 - system unregister should remove itself from the associated system groups too
843529 - UI - Error is displayed when clicking on system group event when system is missing.
843845 - Katello Webui dashboard does not render the pie chart (graph) in the appropriate location
844414 - Interstitial org selector leaves user with no permissions with no options
844417 - User roles selector missing Plus/Minus signs
844678 - "Multi-entitlement not supported for pool with id" with activation key and custom product
844796 - async import manifest import progress causing errors
844806 - katello incorrectly prevents products with the same name in an organization
845060 - UI - Errata search by empty type in content search loads endless.
845096 - Some types of notifications don't go away on their own
845198 - Locale cannot be switched
845224 - Pulp can't connect to qpid on RHEL 6.2
845576 - Subscription quantity button does not align with text
845580 - Subscription quantity button does not have caption
845613 - System status discrepancy between Systems list and selected system panel
845668 - Spinner never stops after adding system to system group on FF3.6
845995 - CLI: wrong error when activation key name or system group name is wrong.
846251 - CLI: message issue when creating system group with existing name.
846482 - Bunch of icons showing up in duplicate alongside changetset history details
846719 - "Disclaimer" and "Terms of Use" links go nowhere
847002 - Web pages fail to render all elements and colors correctly in IE8 and IE9
847115 - Extend scroll bug on content tab, with > 50 subscriptions only the first 50 will populate.
847858 - Blind Rescue causes Activation Key Pools to be Removed when an Exception is thrown
848038 - Locale files for CLI are not installed
849224 - The thin server on sam installations will listen on all ip addresses, should listen on localhost only.
850342 - As a user I would like the organization selector at login to provide feedback once I have selected the org I wish to login to.
850790 - Content promotion from CLI no longer works
851080 - CLI: product promote shows strange error
851142 - CLI: changeset update shows strange error
851512 - Selinux issue on /etc/candlepin/certs/* files preventing httpd to start
852006 - 'Type' field shouldn't be empty under 'changeset list' command and should show the changeset type e.g. (deletion/promotion)
852119 - Setting initial environment on org create no longer works
852167 - Alignment off in content search result tree
852199 - CVE-2012-3538 pulp: admin password logged in plaintext in world-readable katello/production.log
852316 - CLI: wrong query error is shown for "system tasks" command
852388 - [apidoc] No documentation for "remote" actions in katello/apidoc/
852791 - Button without label in Content search
852804 - Content search does not show results due to a JS error
853056 - Cli command "system register" without an environment returns "not found"
853229 - Regression in error notification when sync plan time is left blank
853356 - Syncronization raises an exception when package have a different name structure
853445 - trace-back upon adding ERRATA to deletion changeset
853995 - Error is incorrect for non-existing systems
854697 - After manifest upload fails with bad repo url, manifest can no longer be uploaded at all, even after url is fixed
855184 - Using --add_package gives undefined method `empty?' for nil:NilClass error
855267 - [RFE] in "product" CLI commands add new option "product_id"
855406 - rubygem-redcarpet should not be needed in runtime
856220 - Katello installer fails because Tomcat 6 is not up during seed
857078 - `yum update katello` fails: unpacking of archive failed on file /usr/share/katello/public/fonts: cpio: rename
857230 - [Content Search] Mouse over errata item displays error message in the web ui
857274 - Promotion stuck in "applying" status
857499 - When logging in user which has no permissions, user is told to choose an org, but obviously cannot.
857539 - Clicking the "contract" arrow in the org selector on the main UI does not contract the picker
857550 - ReST calls appear to be failing on Environment specific requests with 'NoneType' object has no attribute '__getitem__'
857574 - German locale seems to have been switched to Russian in the web interface and another language for the cli
857720 - Javascript error if selecting Org in Providers page
857727 - Uploading GPG key on multiple Orgs leaves web ui in bad state
857842 - CLI: "/usr/share/katello/script/katello-debug --notar" does not generate packages dir
858011 - CFSE tracker bug for object-labeling
858013 - katello-configure config option for KATELLO_JOB_WORKERS
858038 - Installer sets 2 thin processes no matter what
858193 - After uploading manifest, javascript error: TypeError: P.data("jsp") is undefined
858277 - Installer (tomcat6) fails due to bad dependency
858358 - [RFE] Hide password creation and Email fields at user creation time if LDAP auth is enabled in CFSE
858360 - [RFE] katello-upgrade should take care of stopping and starting services
858363 - katello-cli and katello-cli-headpin should now how to handle upgrading to prevent file conflicts over client.conf.
858661 - impossible to remove not promoted repo: "Repository cannot be deleted since it has already been promoted."
858678 - rhsm registering for duplicate name fails: ERROR: duplicate key value violates unique constraint "index_systems_on_name_and_environment_id"
858682 - Cancelling a sync shows success in the dashboard
858706 - Configuration breaks badly if certain AD variables are missing
858960 - [ALL LANG][CFSE CLI] Run 'kateloo --help' with no en_US.UTF-8 locale produced traceback: 'ascii' codec can't encode characters in position.
859329 - [CFSE GUI] Unexpected code is displayed in the error message when uploading an empty file or no gpg file to GPG Key.
859407 - Puppet exec timeout not honored during configuration
859415 - Simple org creation not usable
859442 - System Panel - System Group dropdown menu does not contain system groups
859604 - [CFSE GUI] Upexpected code is displayed in the 'undefined method...Click here for more details' message.
859784 - [GFSE GUI] Unexpected code is displayed in the message when exporting a system template.
859963 - Systems> $system > Content > Packages: Improperly encoded section header reads "▲"
860251 - CloudForms System Engine not using branded Red Hat favicon
860421 - subscription-manager refresh throws LdapFluff::FreeIPA::MemberService::UIDNotFoundException
860702 - Only systems belonging to Organization's groups will be shown on Systems page, if at least one system group is defined.
860709 - After upgrading CFSE Pulp is not working correctly
862441 - Answering 'N' to stopping services question during upgrade needs to provide correct information
862997 - navigate "content search --> Repository comparison", spinner doesn't stop when user click 'show 25 more'
863187 - failed to sync: ('Package [%s] does not exist', u'b017e5e0-6d3e-4a9b-b3bb-53f55fc3e209')
863252 - katello-selinux-enable throws error
864216 - IE8 IE9 Content Search Rows - no Arrow and no expansion (basically unusable)
864372 - CLI - some keys does not work in "shell"
864936 - Product labels are not currently required to be unique.
864999 - pulp doesnt handle errata spanning across multiple repos case
865528 - Incorrect credentials shows strange bug "string indices must be integers"
865811 - Pulp timeouts under load
869575 - changeset update --add_product: "More than 1 product found with the name or label provided ..." - but actually not
871086 - template export fails: "error: string indices must be integers, not str"
872096 - Configuration files after upgrade are not deployed
872305 - When importing manifest, Katello doesn't scope the client certificate to access CDN by owner
872487 - CVE-2012-4574 pulp /etc/pulp/pulp.conf world readable, contains default admin password
873850 - Cannot create a custom product without explicitly setting a label
874160 - [upgrade] 1.0 to 1.1 upgrades brings UI error on Organizations edit page
874185 - After 1.0 to 1.1 upgrade, seeing duplicated repositories in UI
874768 - [1.0.1 to 1.1 UPGRADE] Katello database failed
882129 - CVE-2012-5603 CloudForms Katello: lack of authorization in proxies_controller.rb
882138 - CVE-2012-5605 CloudForms grinder: /var/lib/pulp/cache/grinder directory is world-writeable
6. Package List:
CloudForms Tools for RHEL 5 Server:
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/CloudForms/SRPMS/gofer-0.66.1-2.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/CloudForms/SRPMS/katello-agent-1.1.2-1.el5.src.rpm
noarch:
gofer-0.66.1-2.el5.noarch.rpm
gofer-package-0.66.1-2.el5.noarch.rpm
gofer-watchdog-0.66.1-2.el5.noarch.rpm
katello-agent-1.1.2-1.el5.noarch.rpm
python-gofer-0.66.1-2.el5.noarch.rpm
CloudForms Tools for RHEL 6 Server:
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/gofer-0.66.1-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/katello-agent-1.1.2-1.el6cf.src.rpm
noarch:
gofer-0.66.1-2.el6cf.noarch.rpm
gofer-package-0.66.1-2.el6cf.noarch.rpm
gofer-watchdog-0.66.1-2.el6cf.noarch.rpm
katello-agent-1.1.2-1.el6cf.noarch.rpm
python-gofer-0.66.1-2.el6cf.noarch.rpm
System Engine for RHEL 6 Server:
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/candlepin-0.7.8.1-1.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/gofer-0.66.1-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/grinder-0.0.150-1.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/katello-1.1.12-22.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/katello-certs-tools-1.1.8-1.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/katello-cli-1.1.8-12.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/katello-cli-tests-1.1.5-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/katello-configure-1.1.9-12.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/katello-selinux-1.1.1-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/pulp-1.1.14-1.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/quartz-2.1.5-4.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-apipie-rails-0.0.11-3.el6cf.src.rpm
noarch:
candlepin-0.7.8.1-1.el6cf.noarch.rpm
candlepin-devel-0.7.8.1-1.el6cf.noarch.rpm
candlepin-selinux-0.7.8.1-1.el6cf.noarch.rpm
candlepin-tomcat6-0.7.8.1-1.el6cf.noarch.rpm
gofer-0.66.1-2.el6cf.noarch.rpm
gofer-package-0.66.1-2.el6cf.noarch.rpm
gofer-watchdog-0.66.1-2.el6cf.noarch.rpm
grinder-0.0.150-1.el6cf.noarch.rpm
katello-1.1.12-22.el6cf.noarch.rpm
katello-all-1.1.12-22.el6cf.noarch.rpm
katello-api-docs-1.1.12-22.el6cf.noarch.rpm
katello-certs-tools-1.1.8-1.el6cf.noarch.rpm
katello-cli-1.1.8-12.el6cf.noarch.rpm
katello-cli-common-1.1.8-12.el6cf.noarch.rpm
katello-cli-tests-1.1.5-2.el6cf.noarch.rpm
katello-common-1.1.12-22.el6cf.noarch.rpm
katello-configure-1.1.9-12.el6cf.noarch.rpm
katello-glue-candlepin-1.1.12-22.el6cf.noarch.rpm
katello-glue-pulp-1.1.12-22.el6cf.noarch.rpm
katello-selinux-1.1.1-2.el6cf.noarch.rpm
pulp-1.1.14-1.el6cf.noarch.rpm
pulp-admin-1.1.14-1.el6cf.noarch.rpm
pulp-client-lib-1.1.14-1.el6cf.noarch.rpm
pulp-common-1.1.14-1.el6cf.noarch.rpm
pulp-consumer-1.1.14-1.el6cf.noarch.rpm
pulp-selinux-server-1.1.14-1.el6cf.noarch.rpm
python-gofer-0.66.1-2.el6cf.noarch.rpm
quartz-2.1.5-4.el6cf.noarch.rpm
rubygem-apipie-rails-0.0.11-3.el6cf.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-3538.html
https://www.redhat.com/security/data/cve/CVE-2012-4574.html
https://www.redhat.com/security/data/cve/CVE-2012-5603.html
https://www.redhat.com/security/data/cve/CVE-2012-5605.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/index.html
https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Technical_Notes/index.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFQvmOhXlSAg2UNWIIRAqQHAJ9GSB25gII9bR3q50ejaFloEQhPUQCdHGmG
MMTOOD/1T9gVIwx1xpRHHHI=
=G5qC
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUL60ye4yVqjM2NGpAQK8ABAAtRpK8xFfxa7cbzvzWqtRItz8oJtjuKB7
xxiU86I0dCWoFvs0485FiUqjE0orR+Ub1SLaMh1N+A0TyaTl+sdQcVAbXRWOyTs0
cPCO+DzRw+h4R3jfIFmIY4w4lkfLAnf48uaGy2DCqXKgg1fRH997kFw6xmEQJIJj
lb3ODi2Oph72EPLRpM79P5EyJ/S2GbLbq6FVHA7p0VKl8TWbcCVPysQ1PrbhGses
1d7ZanGjzMqA16dRLp3WL5xgLR8dAlwj7iNbiStbvDe6EzD1qnuuMTrg2K74Rw2Y
r5ouoDoI9MDDJkqMGES1iRapY1uhSq86+12eZvqnsX+3dvhqiTW+y/SZ1IJzG7T0
DlT2G3ngDk5kx/83dpB95AJ+nNCYrXA/NSKouoxaviX1b1FxPrxZUlD5LWJCeCng
8gRNxylgaznA08MqCPjTd2MtTFbl6L6i7Ys4mzlFyqckrtN7Xgdw1nhzabLMXmtN
oe8hOwHmXEIyWffMKCoKJjjwfRca+hZuudgEbdRZCznkYLXOd6hkQEeu30SjqIF0
SUnPzK7hR5calC5zi9V14orrS64IfzIBLWih18c+h8i4zNcpUxti7YvIfh0Yn9kp
UhKsh2TpPAitBRfHSwOI0JLv4KwgIU/dQpqpKT179r3qd7+QozESo7tta2iPPHlj
NrvTSAKH+oU=
=6/eH
-----END PGP SIGNATURE-----