Executive Summary



This Alert is flagged as belonging to the CWE/SANS TOP 25 Common Weakness Enumeration.

Summary

Title: CloudForms 4.6.6 security, bug fix and enhancement update

Information

Name: RHSA-2018:3816
First vendor Publication: 2018-12-13
Vendor: RedHat
Last vendor Modification: 2018-12-13
Severity (Vendor): N/A
Revision: 01

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Cvss Base Score: 6.5
Cvss Impact Score: 6.4
Cvss Exploit Score: 8
Attack Range: Network
Attack Complexity: Low
Authentication: Requires single instance

Detail

Problem Description:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security Fix(es):

* postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915)

* postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements (CVE-2018-10925)

* postgresql: pg_upgrade creates file of sensitive metadata under prevailing umask (CVE-2018-1053)

* postgresql: Uncontrolled search path element in pg_dump and other client applications (CVE-2018-1058)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank the PostgreSQL project for reporting CVE-2018-10915, CVE-2018-10925 and CVE-2018-1053. Upstream acknowledges Andrew Krasichkov as the original reporter of CVE-2018-10915; and Tom Lane as the original reporter of CVE-2018-1053.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted after installing this update. After installing the updated packages, the httpd daemon will be restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1539619 - CVE-2018-1053 postgresql: pg_upgrade creates file of sensitive metadata under prevailing umask
1547044 - CVE-2018-1058 postgresql: Uncontrolled search path element in pg_dump and other client applications
1609891 - CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
1610547 - [v2v] [RFE] Migrating VM with multiple DPG's fail to get assigned with correct NICs on RHV
1612619 - CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements
1618836 - Changing action order in catalog bundle removes resource
1623562 - [RFE] Don't show allocated IPs in dropdown while assigning floating IPs via CloudForms
1634809 - Button enablement and visibility by tag not working for buttons on Ansible services
1635034 - In the self service portal, reconfigure service shows "No Provisioning Dialog Available"
1635255 - Reports do not run when submitted through a UI which does not have reporting role on.
1635759 - Buttons not sorted in button group on Ansible Service
1635788 - Reverting snapshot fails for OpenStack instances
1638501 - Cannot login with an uppercase letter in username
1639351 - WebSocket push notifications no longer work in SUI
1639353 - [URI::InvalidComponentError]: bad component(expected host component): Method:[block in method_missing]
1639364 - Cannot change appliance name
1640194 - Service Dialogs are slow
1640258 - Update miqssh utilities.
1640629 - Variables field in provisioning a new service catalog item (Ansible playbook) changes when typing information into it
1640631 - User ID for Service Retirement Task Changes During Retires When First Retirement Fails
1641771 - Copying a custom report from a custom report menu changes source report name
1643042 - [RFE][Providers][RHOS] - Some flavors not visible in Instance Type dropdown when creating instance
1643261 - Unable to retire service via Global region
1643263 - Custom button[Template/Image]: after dialog execution not return to Detail page
1643539 - Validation failed: Description is not unique within region 1 Method:[block in method_missing]
1643959 - Custom Operator Role Can Edit Tags from Datastore Tab but not Through Provider > Datastore
1644410 - syncrou.manageiq-automate : Initialize the Workspace failed
1645198 - Unexpected error encountered when trying to cancel SSA scan task
1645204 - Custom Button: Navigation with relationship table breaks button display on destination.
1646435 - Prevent Service Ordering directly from REST-API
1646561 - The Server Name and Zone Name in the configuration page is blank upon visiting.
1646564 - Bad UI after adding a schedule for report
1646571 - Embedded Ansible: Wrong message in Notifications
1646599 - need to choose date two times in timepicker to take effect
1646604 - Button to start an ansible playbook does not work under self service portal
1646605 - Custom buttons that utilize dialogs with dynamic elements not do not populate from service UI
1646606 - Getting CORS error while creating quotas via javascript
1646613 - Extra buttons on Container Provider page
1646629 - Embedded Ansible needs a retry interval. We are currently setting limit and not interval.
1646646 - Azure refresh fails with [NoMethodError]: undefined method `sku'
1647056 - Memory peak usage of allocated for collected intervals (30 day average) field does not generate within report
1647108 - Infrastructure mapping not available shown incorrectly on Migration Plan
1647188 - unable to edit tags on an infrastructure host
1647489 - [Containers] Cannot Validate Metrics Endpoint for OCP Provider
1648674 - Unable to update Cloud Volume using CFME 5.9 with OSP 14
1648948 - Tags responding to `show` with true and having no classification produce 500-level errors for URL of `/api/tags?expand=resources&attributes=category,categorization`
1648955 - No registered resource provider found for location 'germanycentral' and API version '2014-04-01' for type 'virtualMachines'
1648991 - [RFE] Setting Retirement for a Service in Global Region Does Not get Replicated to Local Region
1649033 - Roles with SUI privileges can't access Services, Orders in SUI in empty appliance
1649380 - Dynamic Dropdown Multiselect: Default element is blank when loaded by another element
1649419 - SUI permissions not showing catalogs and not hiding snapshots menu
1650691 - Setting retirement date for Service via Centralized Administration raises InterRegionApiMethodRelayError
1651291 - [Regression] Static Dialogs are not Populated when Submitting API Requests for Service Catalog
1651347 - Amazon API filter limit breaks targeted refresh for more than 200 items
1651391 - Orchestration catalog items cannot be submitted because of tenant error
1653417 - CFME should not assign flavor id in OSP provider.
1653710 - Internet Explorer (IE) not able to login to CloudForms
1654436 - Remove_from_disk method is leaving VMs in an Orphaned State for VMware Provider
1654463 - Memory utilization by node is incorrect in Provider Overview page
1655081 - Catalog bundle resources not retiring
1655143 - cfme upgrade 5.8 --> 5.9 not working as it requires rh-ruby23-ruby(release) < 2.3.7
1655773 - Service not showing VMs belong to
1656168 - ansible tower items are not listed when part of service bundles
1656169 - retirement of the parent service does not retire child catalog items

Original Source

Url: https://rhn.redhat.com/errata/RHSA-2018-3816.html

CWE: Common Weakness Enumeration

Share  Id  Name
50%  CWE-732  Incorrect Permission Assignment for Critical Resource (CWE/SANS Top 25)
50%  CWE-89  Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)

CPE: Common Platform Enumeration

Type  Description  Count
Application 399
Application 1
Application 2
Application 1
Os 4
Os 3
Os 1
Os 1
Os 1
Os 1

Nessus® Vulnerability Scanner

Date Description
2019-01-03 Name : The remote Fedora host is missing a security update.
File : fedora_2018-5d1f7bd2d7.nasl - Type : ACT_GATHER_INFO
2018-12-07 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2018-1119.nasl - Type : ACT_GATHER_INFO
2018-12-07 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2018-1118.nasl - Type : ACT_GATHER_INFO
2018-12-07 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2018-1117.nasl - Type : ACT_GATHER_INFO
2018-10-31 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201810-08.nasl - Type : ACT_GATHER_INFO
2018-09-27 Name : The remote Amazon Linux 2 host is missing a security update.
File : al2_ALAS-2018-1080.nasl - Type : ACT_GATHER_INFO
2018-09-27 Name : The remote EulerOS host is missing a security update.
File : EulerOS_SA-2018-1312.nasl - Type : ACT_GATHER_INFO
2018-09-27 Name : The remote EulerOS host is missing a security update.
File : EulerOS_SA-2018-1311.nasl - Type : ACT_GATHER_INFO
2018-09-20 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2018-1080.nasl - Type : ACT_GATHER_INFO
2018-09-20 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2018-1079.nasl - Type : ACT_GATHER_INFO
2018-09-07 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2018-1074.nasl - Type : ACT_GATHER_INFO
2018-08-31 Name : The remote PhotonOS host is missing multiple security updates.
File : PhotonOS_PHSA-2018-1_0-0178.nasl - Type : ACT_GATHER_INFO
2018-08-31 Name : The remote PhotonOS host is missing multiple security updates.
File : PhotonOS_PHSA-2018-2_0-0087.nasl - Type : ACT_GATHER_INFO
2018-08-29 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-2557.nasl - Type : ACT_GATHER_INFO
2018-08-17 Name : The remote PhotonOS host is missing multiple security updates.
File : PhotonOS_PHSA-2018-1_0-0122.nasl - Type : ACT_GATHER_INFO
2018-08-17 Name : The remote PhotonOS host is missing multiple security updates.
File : PhotonOS_PHSA-2018-1_0-0108.nasl - Type : ACT_GATHER_INFO
2018-08-16 Name : The remote Fedora host is missing a security update.
File : fedora_2018-d8f5aea89d.nasl - Type : ACT_GATHER_INFO
2018-08-16 Name : The remote Debian host is missing a security update.
File : debian_DLA-1464.nasl - Type : ACT_GATHER_INFO
2018-08-13 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_96eab8749c7911e8b34b6cc21735f730.nasl - Type : ACT_GATHER_INFO
2018-08-13 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-4269.nasl - Type : ACT_GATHER_INFO
2018-07-24 Name : The remote PhotonOS host is missing multiple security updates.
File : PhotonOS_PHSA-2018-2_0-0031.nasl - Type : ACT_GATHER_INFO
2018-07-24 Name : The remote PhotonOS host is missing multiple security updates.
File : PhotonOS_PHSA-2018-2_0-0016.nasl - Type : ACT_GATHER_INFO
2018-04-06 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2018-990.nasl - Type : ACT_GATHER_INFO
2018-03-02 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_e3eeda2e1d6711e8a2ec6cc21735f730.nasl - Type : ACT_GATHER_INFO
2018-02-09 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_c602c7910cf411e8a2ec6cc21735f730.nasl - Type : ACT_GATHER_INFO
2018-02-08 Name : The remote Debian host is missing a security update.
File : debian_DLA-1271.nasl - Type : ACT_GATHER_INFO

Alert History

Date  Information
2019-01-08 00:18:50
  • First insertion