===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0270
               Moderate: CloudForms System Engine 1.1.2 update
                              22 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           CloudForms System Engine
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
                   Access Confidential Data       -- Existing Account
                   Unauthorised Access            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-6116 CVE-2012-5561
Reference:         ESB-2013.0267

Original Bulletin:
   https://rhn.redhat.com/errata/RHSA-2013-0547.html

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: CloudForms System Engine 1.1.2 update
Advisory ID:       RHSA-2013:0547-01
Product:           Red Hat CloudForms
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0547.html
Issue date:        2013-02-21
CVE Names:         CVE-2012-5561 CVE-2012-6116
=====================================================================

1. Summary:

CloudForms System Engine 1.1.2 is now available.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores, which
give detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

CloudForms System Engine for RHEL 6 Server - noarch

3. Description:

Red Hat CloudForms is an on-premise hybrid cloud Infrastructure-as-a-Service
(IaaS) product that lets you create and manage private and public clouds. It
provides self-service computing resources to users in a managed, governed, and
secure way.

CloudForms System Engine can be used to configure new systems, subscribe to
updates, and maintain installations in distributed environments.

It was found that the "/usr/share/katello/script/katello-generate-passphrase"
utility, which is run during the installation and configuration process, set
world-readable permissions on the "/etc/katello/secure/passphrase" file. A
local attacker could use this flaw to obtain the passphrase for Katello, giving
them access to information they would otherwise not have access to.
(CVE-2012-5561)

Note: After installing this update, ensure the "/etc/katello/secure/passphrase"
file is owned by the root user and group and has mode 0750 permissions. Sites
should also consider re-creating the Katello passphrase, as this issue exposed
it to local users.

One task the katello-configure utility performs is creating an RPM to be
installed on client machines that need to connect to the Katello server. It was
found that this RPM set world-readable and writable permissions on the pem file
(containing the Certificate Authority certificate) used for trusting the
Katello server. An attacker could use this flaw to perform a man-in-the-middle
attack, allowing them to manage (such as installing and removing software)
Katello client systems. (CVE-2012-6116)

The CVE-2012-5561 issue was discovered by Aaron Weitekamp of the Red Hat Cloud
Quality Engineering team, and CVE-2012-6116 was discovered by Dominic Cleal and
James Laska of Red Hat.

This update also fixes the following bugs:

* The CloudForms System Engine command line tool incorrectly parsed locales,
  which caused the following error:

  "translation missing: de.activerecord.errors.messages.record_invalid"

  This update replaces the controller for setting the locale. The translation
  error no longer appears. (BZ#896251)

* Certain locales did not properly escape certain UI content for new role
  creation. This broke the Save button for some locales. This update corrects
  the escape behavior for localized UI content. The Save button now works for
  new role creation. (BZ#896252)

* A missing icon stopped users from deleting recent or saved searches. This
  update adds the icon and users can now delete recent or saved searches.
  (BZ#896253)

* A performance issue in the Candlepin 0.7.8 component caused subscription
  responsiveness to decrease as the number of systems subscribed to CloudForms
  System Engine increased. This erratum updates to Candlepin 0.7.19, which
  corrects the performance issues. (BZ#896261)

* CloudForms System Engine would not fetch Extended Update Service (EUS)
  entitlements. This blocked the user from seeing and enabling EUS
  repositories. This update revises the manifest upload and deletion code,
  which also corrects the behavior for fetching entitlements. System Engine
  now fetches EUS entitlements. (BZ#896265)

* Issues with menu widths caused the localized UI to not render certain menu
  items. This update corrects the style for the System Engine UI. The Web UI
  now renders the menu items correctly. (BZ#903702)

Refer to the CloudForms 1.1.2 Release Notes for further information about this
release. The Release Notes will be available shortly from
https://access.redhat.com/knowledge/docs/

To upgrade, follow the upgrade instructions in the CloudForms Installation
Guide, section "4.1. Upgrading CloudForms System Engine":
https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/index.html

Users of CloudForms System Engine are advised to upgrade to these updated
packages.

4. Solution:

Before applying this update, make sure all previously-released errata relevant
to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

807455 - Deleted template still available in promoted environment
879094 - CVE-2012-5561 Katello: /etc/katello/secure/passphrase is world readable
896251 - [de_DE][zh_TW][pt_BR][ru_RU][SAM CLI] user module "translation missing: de.activerecord.errors.messages.record_invalid" errors
896253 - Search -- missing ability to remove saved and/or recent search queries -- missing icon
896261 - SCALE: Subscription of systems gets slower and slower as number of subscribed systems increases
896265 - Unable to enable repos for EUS product
903702 - Localized UI hides menu entries
904128 - Unable to save system template
906207 - CVE-2012-6116 Candlepin: bootstrap RPM deploys CA certificate file with mode 666
907250 - translation missing: pt_BR.time.formats.default (I18n::MissingTranslationData)

6. Package List:

CloudForms System Engine for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/candlepin-0.7.19-3.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/katello-1.1.12.2-5.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/katello-cli-1.1.8-14.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/katello-configure-1.1.9-13.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/katello-selinux-1.1.1-5.el6cf.src.rpm

noarch:
candlepin-0.7.19-3.el6cf.noarch.rpm
candlepin-devel-0.7.19-3.el6cf.noarch.rpm
candlepin-selinux-0.7.19-3.el6cf.noarch.rpm
candlepin-tomcat6-0.7.19-3.el6cf.noarch.rpm
katello-1.1.12.2-5.el6cf.noarch.rpm
katello-all-1.1.12.2-5.el6cf.noarch.rpm
katello-api-docs-1.1.12.2-5.el6cf.noarch.rpm
katello-cli-1.1.8-14.el6cf.noarch.rpm
katello-cli-common-1.1.8-14.el6cf.noarch.rpm
katello-common-1.1.12.2-5.el6cf.noarch.rpm
katello-configure-1.1.9-13.el6cf.noarch.rpm
katello-glue-candlepin-1.1.12.2-5.el6cf.noarch.rpm
katello-glue-pulp-1.1.12.2-5.el6cf.noarch.rpm
katello-selinux-1.1.1-5.el6cf.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-5561.html
https://www.redhat.com/security/data/cve/CVE-2012-6116.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/knowledge/docs/
https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.

AusCERT takes no responsibility for consequences which may arise from following
or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
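As an added example that is not part of the Red Hat advisory or the AusCERT bulletin, the Python check below gives an administrator a way to confirm the post-update state the advisory asks for: the passphrase file owned by root:root and no more permissive than 0750 (CVE-2012-5561), and the client CA pem readable but never writable by others (CVE-2012-6116, "mode 666" in the bug title). The CA pem path is a placeholder, since the advisory does not name it.

```python
import os
import stat

# Files named in the advisory. The advisory does not give the location of the
# CA pem that the client bootstrap RPM deploys, so CLIENT_CA_PEM is a
# placeholder to be replaced with the real path on the client.
KATELLO_PASSPHRASE = "/etc/katello/secure/passphrase"
CLIENT_CA_PEM = "/path/to/katello-ca.pem"  # placeholder, not from the advisory


def audit_mode(mode, uid, gid, max_mode=0o750, want_uid=0, want_gid=0):
    """Compare numeric mode and ownership against what is allowed.

    max_mode is the most permissive mode accepted (0750, the advisory's
    post-update requirement for the passphrase file); want_uid/want_gid
    default to root:root. Returns a list of findings, empty when compliant.
    """
    findings = []
    mode = stat.S_IMODE(mode)          # strip file-type bits if present
    extra = mode & ~max_mode           # permission bits beyond max_mode
    if mode & stat.S_IWOTH:
        findings.append("world-writable (mode %04o)" % mode)
    elif extra & stat.S_IRWXO:
        findings.append("world-accessible (mode %04o)" % mode)
    if extra & ~stat.S_IRWXO:
        findings.append("owner/group bits exceed %04o (mode %04o)" % (max_mode, mode))
    if uid != want_uid:
        findings.append("owner uid %d, expected %d" % (uid, want_uid))
    if gid != want_gid:
        findings.append("group gid %d, expected %d" % (gid, want_gid))
    return findings


def check_secret_file(path, **limits):
    """stat() a file and audit it; a missing file is reported, not skipped."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    return audit_mode(st.st_mode, st.st_uid, st.st_gid, **limits)


if __name__ == "__main__":
    # The passphrase must stay private; the CA certificate may be world-readable
    # but never world-writable, so it is held to 0644 rather than 0750.
    for path, limits in ((KATELLO_PASSPHRASE, {}),
                         (CLIENT_CA_PEM, {"max_mode": 0o644})):
        for finding in check_secret_file(path, **limits) or ["ok"]:
            print("%s: %s" % (path, finding))
```

Run it as root on the System Engine host after the update, then again after re-creating the passphrase, since a regenerated file inherits whatever mode the generating tool sets.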