Executive Summary

Summary | |
---|---|
Title | Satellite 6.5 Release |

Information | | | |
---|---|---|---|
Name | RHSA-2019:1222 | First vendor publication | 2019-05-14 |
Vendor | RedHat | Last vendor modification | 2019-05-14 |
Severity (vendor) | N/A | Revision | 01 |
Security-Database Scoring CVSS v3

CVSS vector : N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |

Security-Database Scoring CVSS v2

CVSS vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | | | |
---|---|---|---|
CVSS Base Score | 5 | Attack Range | Network |
CVSS Impact Score | 2.9 | Attack Complexity | Low |
CVSS Exploit Score | 10 | Authentication | None Required |
Detail
Problem Description:

Red Hat Satellite 6.5 for RHEL 7 is now available containing security fixes, bug fixes, and enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Satellite 6.5 - noarch, x86_64
Red Hat Satellite Capsule 6.5 - noarch, x86_64

3. Description:

Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool.

Security Fix(es):

* RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack (CVE-2016-6346)
* pulp: Improper path parsing leads to overwriting of iso repositories (CVE-2018-10917)
* foreman: Persisted XSS on all pages that use breadcrumbs (CVE-2018-14664)
* foreman: stored XSS in success notification after entity creation (CVE-2018-16861)
* katello: stored XSS in subscriptions and repositories pages (CVE-2018-16887)
* candlepin: credentials exposure through log files (CVE-2019-3891)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1143987 - [RFE] Hammer task missing info subcommand
1155811 - [RFE] Support Infoblox IPAM appliances as subnet / domain providers
1170174 - [RFE] Satellite 6 product FIPS mode Compliance
1232475 - [RFE] generate a report of Specific fields in the Content Hosts -> Details section
1233431 - [RFE] CSR should not be mandatory when installing Satellite Server or generating Capsule certificate bundle with custom ssl certificates
1267766 - capsule installer generates invalid dhcp.conf for non local networks
1305040 - [RFE] User control of Capsule sync policy and other traffic from Satellite to capsule
1335621 - [RFE] Ignore warnings when syncing repos and SRC packages are missing
1339743 - [RFE] Search OpenSCAP reports using host collections
1356126 - [RFE] Implement host disassociation command
1372120 - CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack
1396974 - VM orchestration should provide better error reporting and logging
1397590 - [RFE] "Unregister Host" needs a clear instruction for options under it
1402134 - [RFE] Need Hammer CLI commands to do the HostGroup / Environments associations with Provisioning Template.
1408782 - [RFE] virt-who need to make sure there is only one entry in satellite content host for the same hypervisor when configure hypervisor_id for uuid or hostname or hwuuid
1418026 - goferd errors with "[...] Condition('amqp:resource-limit-exceeded', 'local-idle-timeout expired')" when pushing Errata from Satellite
1438030 - [RFE] Feature to use the 'dzdo' as the "remote_execution_effective_user_method" to run the remote commands with a non-root user.
1445070 - katello models not working with foreman-hooks plugin
1447963 - Switching installation media (or source) back and forth corrupts initdamdisk/kernel
1449290 - Global PXE hostgroups menu entries missing when Installation Media is set to Synced Content
1451277 - [RFE] Support storing and presenting Vendor field in package API
1458898 - [RFE] Pre-canned Virt-who roles do not have a description
1468557 - Discovery KExec does not work with Atomic Host 7
1470987 - discovery settings are named differently in hammer than in UI
1476379 - [RFE] Add randomness to SCAP client runs to avoid DDOS of the server
1476938 - katello-change-hostname should check for enough ram before making changes
1481315 - Cloud-init integration with ovirt supports just a subset of cloud-init keywords
1488235 - Email subject prefix accepts long strings
1488475 - Specifying wrong content source id for host or hostgroup via hammer throws SQL error
1489252 - [RFE] Add a note to ignore "WARNING" message when foreman_scap_client command executed manually
1489379 - Non admins users should be able to add Organization / Locations to themselves
1489486 - API hosts/X interfaces array info inconsistent return of interface flags
1492848 - Roles cleared when error detected in User creation dialog
1495308 - [RFE] Feature to add the "--fetch-remote-resources" to the foreman_scap_client.
1500972 - traceback when deleting organization: javax.persistence.RollbackException: Error while committing the transaction
1501683 - Pulp repository sync step not skipped automatically when fail with "Abnormal termination".
1501927 - RHV compute resource screen shows DataTables warning invalid json response
1502752 - refresh manifest - proxy password with special character
1508169 - incremental update of content-view added errata RHSA-2017:2998 packages and also added some other packages as well , which is not present in errata
1514013 - Atomic Host 7.4.2 deployed from Satellite 6.2.12 cannot be upgraded out of the box
1515082 - Rerunning a ReX job with JobTemplate not in current Org/Loc shows undefined method `input_values' for nil:NilClass
1515671 - [RFE] Extend "Service Action - SSH Default" job template to be able to enable and disable services
1516803 - uploading a package to custom repo does not trigger sync of Capsule in Library LE
1517084 - Duplicate hammer options to view available compute-resource image
1517706 - Could not able to see filters of any role with org_admin user
1519779 - puppet classes info doesn't consider puppet environments parameter
1523147 - Templates tab in Hosts>Operating Systems have confusing and misleading asterisks
1523433 - Celery worker consumes large number of memory when regenerating applicability for a consumer that binds to many repositories with many errata.
1523940 - [RFE] [sat 6.3] k5login should support setting selinux context and owner attributes
1528524 - [RFE][Satellite 6.3 Beta] Need a way to split pulp_data.tar into smaller files
1532675 - incorrectly rendered empty lines in commands output on "Detail of Commands run" page
1534608 - [RFE] Searching for all instances of packages in all repos
1534967 - reboot ReX fails with "Runner error: NameError - uninitialized constant ForemanRemoteExecutionCore::ScriptRunner::MAX_PROCESS_RETRIES"
1537266 - [RFE] Add option to lock template upon import using foreman_templates plugin
1538688 - 'hammer ping' can erroneously say foreman-tasks is down when its just busy
1541393 - Improve help and error messages when adding CVs to a CCV
1545364 - Cloned Satellite improperly handles Pulp event_notifier URL and db entries
1547821 - while creating new hosts RHEVM assocation of compute profile doesn't show correct network for the Cluster
1549088 - Various Action:: Tasks types stop with warning: "no such file or directory" for file in foreman cache hierarchy
1549761 - [RFE] Flag to avoid deletion from compute resource of an host associated when it's removed from satellite
1552142 - Installation on FIPS enabled rhel7 fails with '/usr/bin/pulp-gen-ca-certificate' returned 1 instead of one of [0]
1552159 - Installation on FIPS enabled rhel7 failing with with certutil issues
1552200 - Upgrade to 6.3 failed with "Could not find dependency Class[Puppet::Server::Install] for File[/etc/pki/katello/puppet]"
1553105 - composite_content_view_ids field of a content_view_version is always empty
1554421 - candlepin takes >2m on /candlepin/consumers/UUID/guests query
1557436 - Unnecessary requirement of CSR when running --certs-update-server
1560978 - hammer host list --thin removed in Red Hat Satellite 6.3
1561249 - Several JS errors visiting repo discovery page
1561691 - Creating user with hammer having authentication source LDAP/AD should not ask for password
1561990 - UI: After add the CV on the CCV, Content View still on the list to add
1563529 - Root password hash in Operating System written in capital letters
1564867 - update bootstrap.py to works also on RHEL5
1565903 - ansible_provisioning_callback snippet does not set executable permission for '/root/ansible_provisioning_call.sh'
1566000 - KVM hypervisor profile does not contain guests running on it in the webui and creates duplicate profile with virt-who-* prefix
1566092 - using a filter for bastion layout/partials/table.html does not update the selected counts
1566166 - unable to register client to freshly installed capsule on fresh katello
1566540 - javascript error on new gpg key page
1566543 - [Satellite6] cd-rom settings in compute profile for vmware compute resource never showed as enabled
1568063 - [RFE] Hammer Job Cancellation
1568700 - Sat6.3.1 WEBUI Documentation link is unaccessible
1568838 - [RFE] Handle multiple capsules' ssh keys
1568848 - [RFE] Handle multiple capsules' ssh keys
1569395 - [Satellite 6] Adding search for lifecycle_environment or lifecycle_environment_id in role host fiter with permission view_hosts does not construct SQL querry when API is used
1571889 - [RFE] Allow override of tftpd.map file location and/or contents during installer upgrades
1571913 - Clean up EL6 and service-wait from Katello scripts
1574257 - katello-remove does not completely remove data on mounted filesystems
1575766 - Org/Loc Button ordering not the same when moved after window resize
1577014 - Missing "-name" option on "openssl pkcs12" command may cause incorrect nickname added to the katello nssdb
1577966 - In partition tables, problem with snippet check-box together with operating system
1578021 - [RFE] enable high availability when using ovirt compute resource
1578022 - [RFE] As an API user, I should be able to compare the Packages of a Content View Version to the Packages in Library.
1578470 - [RFE] allow configuration of helloMaxAge and helloInterval
1579876 - MMV stats disappear rendering pmlogger unable to restart
1582210 - Create RHEV host: Listing Images produces traceback when no images on CR
1582293 - Unable to unset proxy settings once set
1582484 - [RFE] As an API user, I should be able to compare the Errata of a Content View Version to the installable Errata in Library.
1583318 - hammer recurring-logic list command does not accept options --per-page or --page but suggests those option
1584162 - Error: No such repository with name
Original Source

Url : https://rhn.redhat.com/errata/RHSA-2019-1222.html
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
60 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
20 % | CWE-532 | Information Leak Through Log Files |
20 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2017-03-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-0826.nasl - Type : ACT_GATHER_INFO |
2017-03-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-0827.nasl - Type : ACT_GATHER_INFO |
2017-03-23 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2017-0829.nasl - Type : ACT_GATHER_INFO |
Alert History

Date | Information |
---|---|
2020-03-19 13:18:18 | |