Operating System:

[RedHat]

Published:

18 November 2014

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2014.2160 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2160
         Important: Subscription Asset Manager 1.4 security update
                             18 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Subscription Asset Manager
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
Impact/Access:     Denial of Service        -- Remote/Unauthenticated      
                   Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0130 CVE-2013-6415 CVE-2013-6414
                   CVE-2013-4491 CVE-2013-1857 CVE-2013-1855
                   CVE-2013-1854  

Reference:         ESB-2014.1063
                   ESB-2014.0743
                   ESB-2014.0018
                   ASB-2013.0042
                   ESB-2013.1744
                   ESB-2013.0468

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2014-1863.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Subscription Asset Manager 1.4 security update
Advisory ID:       RHSA-2014:1863-01
Product:           Red Hat Subscription Asset Manager
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1863.html
Issue date:        2014-11-17
CVE Names:         CVE-2013-1854 CVE-2013-1855 CVE-2013-1857 
                   CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 
                   CVE-2014-0130 
=====================================================================

1. Summary:

Updated Subscription Asset Manager 1.4 packages that fix multiple security
issues are now available.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Subscription Asset Manager for RHEL 6 Server - noarch

3. Description:

Red Hat Subscription Asset Manager acts as a proxy for handling
subscription information and software updates on client machines. Red Hat
Subscription Asset Manager is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

A directory traversal flaw was found in the way Ruby on Rails handled
wildcard segments in routes with implicit rendering. A remote attacker
could use this flaw to retrieve arbitrary local files accessible to a Ruby
on Rails application using the aforementioned routes via a specially
crafted request. (CVE-2014-0130)

A flaw was found in the way Ruby on Rails handled hashes in certain
queries. A remote attacker could use this flaw to perform a denial of
service (resource consumption) attack by sending specially crafted queries
that would result in the creation of Ruby symbols, which were never garbage
collected. (CVE-2013-1854)

Two cross-site scripting (XSS) flaws were found in Action Pack. A remote
attacker could use these flaws to conduct XSS attacks against users of an
application using Action Pack. (CVE-2013-1855, CVE-2013-1857)

It was discovered that the internationalization component of Ruby on Rails
could, under certain circumstances, return a fallback HTML string that
contained user input. A remote attacker could possibly use this flaw to
perform a reflective cross-site scripting (XSS) attack by providing a
specially crafted input to an application using the aforementioned
component. (CVE-2013-4491)

A denial of service flaw was found in the header handling component of
Action View. A remote attacker could send strings in specially crafted
headers that would be cached indefinitely, which would result in all
available system memory eventually being consumed. (CVE-2013-6414)

It was found that the number_to_currency Action View helper did not
properly escape the unit parameter. An attacker could use this flaw to
perform a cross-site scripting (XSS) attack on an application that uses
data submitted by a user in the unit parameter. (CVE-2013-6415)

Red Hat would like to thank Ruby on Rails upstream for reporting these
issues. Upstream acknowledges Ben Murphy as the original reporter of
CVE-2013-1854, Charlie Somerville as the original reporter of
CVE-2013-1855, Alan Jenkins as the original reporter of CVE-2013-1857,
Peter McLarnan as the original reporter of CVE-2013-4491, Toby Hsieh as the
original reporter of CVE-2013-6414, and Ankit Gupta as the original
reporter of CVE-2013-6415.

All Subscription Asset Manager users are advised to upgrade to these
updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability
921331 - CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css
921335 - CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the  helper of Ruby on Rails
1036483 - CVE-2013-6414 rubygem-actionpack: Action View DoS
1036910 - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS
1036922 - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS
1095105 - CVE-2014-0130 rubygem-actionpack: directory traversal issue

6. Package List:

Red Hat Subscription Asset Manager for RHEL 6 Server:

Source:
katello-1.4.3.28-1.el6sam_splice.src.rpm
ruby193-rubygem-actionmailer-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-actionpack-3.2.17-6.el6sam.src.rpm
ruby193-rubygem-activemodel-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-activerecord-3.2.17-5.el6sam.src.rpm
ruby193-rubygem-activeresource-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-activesupport-3.2.17-2.el6sam.src.rpm
ruby193-rubygem-i18n-0.6.9-1.el6sam.src.rpm
ruby193-rubygem-mail-2.5.4-1.el6sam.src.rpm
ruby193-rubygem-rack-1.4.5-3.el6sam.src.rpm
ruby193-rubygem-rails-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-railties-3.2.17-1.el6sam.src.rpm

noarch:
katello-common-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-glue-candlepin-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-glue-elasticsearch-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-headpin-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-headpin-all-1.4.3.28-1.el6sam_splice.noarch.rpm
ruby193-rubygem-actionmailer-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-actionpack-3.2.17-6.el6sam.noarch.rpm
ruby193-rubygem-activemodel-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-activerecord-3.2.17-5.el6sam.noarch.rpm
ruby193-rubygem-activeresource-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-activesupport-3.2.17-2.el6sam.noarch.rpm
ruby193-rubygem-i18n-0.6.9-1.el6sam.noarch.rpm
ruby193-rubygem-mail-2.5.4-1.el6sam.noarch.rpm
ruby193-rubygem-rack-1.4.5-3.el6sam.noarch.rpm
ruby193-rubygem-rails-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-railties-3.2.17-1.el6sam.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2013-1854
https://access.redhat.com/security/cve/CVE-2013-1855
https://access.redhat.com/security/cve/CVE-2013-1857
https://access.redhat.com/security/cve/CVE-2013-4491
https://access.redhat.com/security/cve/CVE-2013-6414
https://access.redhat.com/security/cve/CVE-2013-6415
https://access.redhat.com/security/cve/CVE-2014-0130
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUai7iXlSAg2UNWIIRAmtEAJ9m+ZUXuva81fLz9G1CLKYi5aJoHACfcd3y
SoVal0zNgx0pwtSAkS1q5/0=
=i5aK
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVGqwCxLndAQH1ShLAQJ0AQ/8Dn4xHO0tYO3rHHYXEG9wNsHlmvFV2Jh+
0Yat2b+1ESJjQkQ6m631BRViEP4WH80D/dN6urPK8zsZ2OzED1yHg5HC9WFmSaIB
RlopbkNcaQeSSPAOKukB/xbr9J14BU6zMCY3S7tqRZNzGsrbNGehyvXOE4c6HzFw
7o6sKOY1RcXn3xtfJTbmA6vxlkHh1ZEsMXfMossVz+WXEwzV0PR6QoBEn6y+Kx8w
Sta+wpLYJeZBB9+hhUcLSkXw6hVwB2Ki0wsa4JBwyzyP2dvIpsKvSpQLF6p0q23K
fgQL9jjoBRxBfkJ/p+MrJZ3Mq6j8kCeFAVWQU2KI5zBaBj8SlOshA7QmbhgWp5jE
+QhUFy+gjSrsgXfcBm/zZQR2ZAm/XG6ID6zdbSNayOfunjbCZi+BgNpL6vTWAApt
E2dTHajPvhJJBvIIIx9uv+hRb6g0Nhjm6xbxb2a+yZHsMCN4zpyIwx/YXyzDr20X
Tacv/GrpSm/7L51uZ29C2c/LUMGREd90w7sf0j2VROecoRSpFAxbLGsXkjf0hlCi
Kf45riKBdLjxOJn7q2U3zkpbtwvJc9VRQjpkD7Jpaojsc8MyTuVEUGvSKZyhNaqx
Jj7ee7I21oPEYfqcwy7LEZl8GRUorNHDHKZZddO/H1WJxvYvFKBJP/HW2AY/xwmJ
xTEBtIE4+08=
=KtV+
-----END PGP SIGNATURE-----