2.1 - RHSA-2016:2592

Problem Description:

An update for subscription-manager, subscription-manager-migration-data, and python-rhsm is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The subscription-manager packages provide programs and libraries to allow users to manage subscriptions and yum repositories from the Red Hat entitlement platform.

The subscription-manager-migration-data package provides certificates for migrating a system from the legacy Red Hat Network Classic (RHN) to Red Hat Subscription Management (RHSM).

The python-rhsm packages provide a library for communicating with the representational state transfer (REST) interface of a Red Hat Unified Entitlement Platform. The Subscription Management tools use this interface to manage system entitlements, certificates, and access to content.

The following packages have been upgraded to a newer upstream version: subscription-manager (1.17.15), python-rhsm (1.17.9), subscription-manager-migration-data (2.0.31). (BZ#1328553, BZ#1328555, BZ#1328559)

Security Fix(es):

* It was found that subscription-manager set weak permissions on files in /var/lib/rhsm/, causing an information disclosure. A local, unprivileged user could use this flaw to access sensitive data that could potentially be used in a social engineering attack. (CVE-2016-4455)

Red Hat would like to thank Robert Scheck for reporting this issue.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

874735 - [RFE] Network interface collection/facts do not support multiple address per interface 1104332 - [RFE] Separate out the rhsm certs into a separate RPM 1251516 - traceback on removing an import cert from 'my subs in gui' 1257179 - subscription-manager-initial-setup-addon - "Cancel" button does nothing 1262919 - exceptions from connection.RestlibException during autosubscribe should be printed to system error 1264108 - the red warning message in subscription-manager-initial-setup-addon should disappear when clicking Cancel/Back 1264470 - various RHEL7 channel maps to product certs are missing in subscription-manager-migration-data 1264964 - subscription-manager package profile submission is sending profiles with UUID=None to SLE endpoint 1268043 - Back button on first panel of subscription-manager-gui workflow has no effect 1268094 - Traceback in subscription-manager-gui from My Subscriptions Tab 1268307 - At the end of auto attach, the Back button does nothing 1306004 - The cmd "repos --list --proxy" with a fake proxy server url will not stop running. 1315901 - Stacktrace displayed when running rct against an inaccessible file 1325083 - Available subscriptions can not be sorted by number in subscription-manager-gui 1328553 - Rebase subscription-manager component to the latest upstream branch for RHEL 7.3 1328555 - Rebase python-rhsm component to the latest upstream branch for RHEL 7.3 1328559 - Rebase subscription-manager-migration-data component to the latest upstream branch for RHEL 7.3 1328579 - subscription-manager-migration-data for RHEL7.3 needs RHEL7.3 product certs 1328609 - missing RHN channel mappings to ppc64le product certs for product id 279 1328628 - rhel-x86_64-server-7-ost-7 channel maps are absent from channel-cert-mapping.txt 1328729 - Docker client doesn't link entitlements certs 1329397 - Rhsmcertd healinglib variable 'valid_tomorrow' referenced before assignment 1330021 - Initial-setup : no error message is thrown when user clicks on register button without entering credentials 1330054 - "Default" server url is not configuring the port and prefix details 1330515 - Traceback on the terminal when used CTRL+C to kill the subscription-manager-gui application 1333545 - rhel-x86_64-server-7-rhevh channel maps are absent from channel-cert-mapping.txt 1333904 - Subscription-manager-gui's combo "Service level preferences" does not change it's name if some value is choosen from AT-SPI perspective 1333906 - Subscription-manager-gui's combo "Release version" does not change it's name if some value is choosen from AT-SPI perspective 1334916 - YUM plugins reconfigure root logger 1335371 - Despite an "Insufficient" subscription status, the GUI is blocked from auto-subscribing by "No need to update subscriptions" message. 1335537 - typo in "Proxy connnection failed, please check your settings." 1336428 - rhsm-icon -i fails with libnotify-CRITICAL and GLib-GObject-CRITICAL errors 1336880 - [RFE] Update the 'rct' command to expose the virt_limit attribute to determine if virt-who is needed for the deployment. 1336883 - [RFE] Update the 'rct' command to allow not outputting content-set data 1340135 - Zanata translations for subscription-manager 1.17 are not 100% 1340525 - CVE-2016-4455 subscription-manager: sensitive world readable files in /var/lib/rhsm/ 1345962 - unbound method endheaders() must be called with HTTPSConnection instance as first argument (got RhsmProxyHTTPSConnection instance instead) 1346417 - [RFE] Allow users to set socket timeout. 1349533 - rhel-x86_64-server-7-ost-8 channel maps are absent from channel-cert-mapping.txt 1349538 - rhel-x86_64-server-7-rh-gluster-3-client channel maps are absent from channel-cert-mapping.txt 1349584 - RHN RHEL Channels 'rhel-x86_64--7-thirdparty-oracle-java' map to a '7.2' version cert; should be '7.3' 1349592 - RHN RHEL Channels 'rhel-x86_64--7-thirdparty-oracle-java-beta' map to a '7.2' version cert; should be '7.3 Beta' 1351370 - [ERROR] subscription-manager:31276 @dbus_interface.py:60 - org.freedesktop.DBus.Python.OSError: Traceback 1353662 - AttributeError: 'Identity' object has no attribute 'keypath' 1354653 - rhel-s390x-server-ha-7-beta channel maps are absent from channel-cert-mapping.txt 1354655 - rhel-s390x-server-rs-7-beta channel maps are absent from channel-cert-mapping.txt 1360909 - Clients unable to access newly released content (Satellite 6.2 GA) 1365280 - default_log_level in rhsm.conf should be INFO to honor bug 1266935 1366055 - man page for rhsm.conf is missing info on new [logging] section 1366301 - subscription-manager refresh causes: Server error attempting a PUT to /subscription/consumers//certificates?lazy_regen=true returned status 404 1366747 - RHN Channel mapping file '/usr/share/rhsm/product/RHEL-7/channel-cert-mapping.txt' does NOT account for RHN base channel 'rhel-ppc64le-server-7' 1366799 - failed to use host entitlement in containers 1367243 - 'Resource not found on the server' when running 'subscription-manager refresh' 1367657 - an empty error dialog message can appear in subscription-manager-gui when the server response message contains a pair of < > 1369522 - rct cat-manifest is not bash-completing new option --no-content 1372673 - checking "Manually attach subscriptions after registration" hangs the initial-setup screen in "registering" state for ever