Executive Summary
Summary | |
---|---|
Title | subscription-manager security, bug fix, and enhancement update |
Informations | |||
---|---|---|---|
Name | RHSA-2016:2592 | First vendor Publication | 2016-11-03 |
Vendor | RedHat | Last vendor Modification | 2016-11-03 |
Severity (Vendor) | N/A | Revision | 02 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 2.1 | Attack Range | Local |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 3.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: An update for subscription-manager, subscription-manager-migration-data, and python-rhsm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: The subscription-manager packages provide programs and libraries to allow users to manage subscriptions and yum repositories from the Red Hat entitlement platform. The subscription-manager-migration-data package provides certificates for migrating a system from the legacy Red Hat Network Classic (RHN) to Red Hat Subscription Management (RHSM). The python-rhsm packages provide a library for communicating with the representational state transfer (REST) interface of a Red Hat Unified Entitlement Platform. The Subscription Management tools use this interface to manage system entitlements, certificates, and access to content. The following packages have been upgraded to a newer upstream version: subscription-manager (1.17.15), python-rhsm (1.17.9), subscription-manager-migration-data (2.0.31). (BZ#1328553, BZ#1328555, BZ#1328559) Security Fix(es): * It was found that subscription-manager set weak permissions on files in /var/lib/rhsm/, causing an information disclosure. A local, unprivileged user could use this flaw to access sensitive data that could potentially be used in a social engineering attack. (CVE-2016-4455) Red Hat would like to thank Robert Scheck for reporting this issue. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 874735 - [RFE] Network interface collection/facts do not support multiple address per interface 1104332 - [RFE] Separate out the rhsm certs into a separate RPM 1251516 - traceback on removing an import cert from 'my subs in gui' 1257179 - subscription-manager-initial-setup-addon - "Cancel" button does nothing 1262919 - exceptions from connection.RestlibException during autosubscribe should be printed to system error 1264108 - the red warning message in subscription-manager-initial-setup-addon should disappear when clicking Cancel/Back 1264470 - various RHEL7 channel maps to product certs are missing in subscription-manager-migration-data 1264964 - subscription-manager package profile submission is sending profiles with UUID=None to SLE endpoint 1268043 - Back button on first panel of subscription-manager-gui workflow has no effect 1268094 - Traceback in subscription-manager-gui from My Subscriptions Tab 1268307 - At the end of auto attach, the Back button does nothing 1306004 - The cmd "repos --list --proxy" with a fake proxy server url will not stop running. 1315901 - Stacktrace displayed when running rct against an inaccessible file 1325083 - Available subscriptions can not be sorted by number in subscription-manager-gui 1328553 - Rebase subscription-manager component to the latest upstream branch for RHEL 7.3 1328555 - Rebase python-rhsm component to the latest upstream branch for RHEL 7.3 1328559 - Rebase subscription-manager-migration-data component to the latest upstream branch for RHEL 7.3 1328579 - subscription-manager-migration-data for RHEL7.3 needs RHEL7.3 product certs 1328609 - missing RHN channel mappings to ppc64le product certs for product id 279 1328628 - rhel-x86_64-server-7-ost-7 channel maps are absent from channel-cert-mapping.txt 1328729 - Docker client doesn't link entitlements certs 1329397 - Rhsmcertd healinglib variable 'valid_tomorrow' referenced before assignment 1330021 - Initial-setup : no error message is thrown when user clicks on register button without entering credentials 1330054 - "Default" server url is not configuring the port and prefix details 1330515 - Traceback on the terminal when used CTRL+C to kill the subscription-manager-gui application 1333545 - rhel-x86_64-server-7-rhevh channel maps are absent from channel-cert-mapping.txt 1333904 - Subscription-manager-gui's combo "Service level preferences" does not change it's name if some value is choosen from AT-SPI perspective 1333906 - Subscription-manager-gui's combo "Release version" does not change it's name if some value is choosen from AT-SPI perspective 1334916 - YUM plugins reconfigure root logger 1335371 - Despite an "Insufficient" subscription status, the GUI is blocked from auto-subscribing by "No need to update subscriptions" message. 1335537 - typo in "Proxy connnection failed, please check your settings." 1336428 - rhsm-icon -i fails with libnotify-CRITICAL and GLib-GObject-CRITICAL errors 1336880 - [RFE] Update the 'rct' command to expose the virt_limit attribute to determine if virt-who is needed for the deployment. 1336883 - [RFE] Update the 'rct' command to allow not outputting content-set data 1340135 - Zanata translations for subscription-manager 1.17 are not 100% 1340525 - CVE-2016-4455 subscription-manager: sensitive world readable files in /var/lib/rhsm/ 1345962 - unbound method endheaders() must be called with HTTPSConnection instance as first argument (got RhsmProxyHTTPSConnection instance instead) 1346417 - [RFE] Allow users to set socket timeout. 1349533 - rhel-x86_64-server-7-ost-8 channel maps are absent from channel-cert-mapping.txt 1349538 - rhel-x86_64-server-7-rh-gluster-3-client channel maps are absent from channel-cert-mapping.txt 1349584 - RHN RHEL Channels 'rhel-x86_64- |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2016-2592.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-264 | Permissions, Privileges, and Access Controls |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 | |
Os | 2 | |
Os | 2 | |
Os | 2 | |
Os | 2 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2017-05-01 | Name : The remote EulerOS host is missing a security update. File : EulerOS_SA-2016-1069.nasl - Type : ACT_GATHER_INFO |
2017-04-06 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20170321_subscription_manager_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2017-03-22 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-0698.nasl - Type : ACT_GATHER_INFO |
2017-01-10 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20161103_subscription_manager_on_SL7_x.nasl - Type : ACT_GATHER_INFO |
2016-11-28 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2016-2592.nasl - Type : ACT_GATHER_INFO |
2016-11-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2016-2592.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2017-04-25 21:25:25 |
|
2017-04-15 00:22:34 |
|
2016-11-29 13:23:41 |
|
2016-11-05 13:24:39 |
|
2016-11-03 13:22:44 |
|