Executive Summary
This alert is flagged as belonging to the CWE/SANS Top 25 Common Weakness Enumeration (see the CWE section below).
Summary

Title: Red Hat Satellite 6 security, bug fix, and enhancement update

Information

Name: RHSA-2019:3172
Vendor: RedHat
Severity (vendor): N/A
First vendor publication: 2019-10-22
Last vendor modification: 2019-10-22
Revision: 01

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact sub score: NA
Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CVSS base score: 6.4
CVSS impact score: 4.9
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Problem Description:

An update is now available for Red Hat Satellite 6.6 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Satellite 6.6 - noarch, x86_64
Red Hat Satellite Capsule 6.6 - noarch, x86_64

3. Description:

Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool.

Security Fix(es):

* rubygem-rack: Buffer size in multipart parser allows for denial of service (CVE-2018-16470)

* dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632)

* foreman: authorization bypasses in foreman-tasks leading to information disclosure (CVE-2019-10198)

* katello: registry credentials are captured in plain text during repository discovery (CVE-2019-14825)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For detailed instructions how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.6/html/upgrading_and_updating_red_hat_satellite/updating_satellite_server_capsule_server_and_content_hosts

5. Bugs fixed (https://bugzilla.redhat.com/):

1111223 - Removing a lifecycle environment from a capsule does not cause repos to be removed from
1152515 - [RFE] Dependency Resolution within content views + associated UI constructs.
1163020 - [RFE|TRACKER] Add systemd journal/systemd support
1194093 - [RFE] Update puppet provisioning snippet & installers to support sha256
1336439 - [RFE] Set Network Interface Type when creating new VMs in RHEV Compute Resource
1378579 - Deploying a New Host to vmware compute resource from existing template always ends up with thin provisioned disk
1402136 - [RFE] Provide method to add array, hashes as input value for Global parameters in hostgroups
1465521 - [RFE] API to cancel/delete Remote Execution tasks before their scheduled time
1490850 - [RFE] Need a way to mark a build as failed
1503426 - DynFlow logo in DynFlow console is missing
1505932 - [RFE] Show "Static Query" in Job invocations overview
1559006 - [RFE] Allow to select destination Storage Domain and storage allocation [thin / clone-indipendent] when provisioning from RHV template - a-la VMware
1561876 - qdrouterd crashes when burst of requests arise from katello-agent clients
1591629 - [RFE] Satellite should support SCAP reports without the need of puppet installed on hosts
1593480 - IndexContent step can take 20+ minutes during initial sync of a large repo
1596411 - [RFE] Advanced support of Modularity
1601602 - [RFE] Use chronyd instead of ntp in provisioning templates on RHEL systems
1608712 - [RFE] the hammer ansible plugin can not filter imported ansible roles
1609371 - The dynflow scheduling mechanism can lead to tasks initiated later to be executed sooner, leaving older tasks waiting
1612800 - [RFE] Option to specify filter_host_parents and exclude_hosts_parents on Satellite web UI virt-who configuration.
1620529 - CVE-2018-1000632 dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents
1630548 - Available repositories from repository-set are incomplete or missing
1634755 - [RFE] Add smart parameters alike feature to Ansible integration
1643649 - Sequential Actions::Katello::Host::Update calls from subscription-manager can fail under load
1644201 - satellite-installer waits for qpidd service status, not for qpid listening on port 5671
1646814 - CVE-2018-16470 rubygem-rack: Buffer size in multipart parser allows for denial of service
1649944 - Virt-who Configurations page on the Red Hat Satellite WebUI shows status as "No Report Yet" even with the updated hypervisors list and the working configuration.
1650641 - [RFE] disable auto-reload of the dashboard
1651389 - Red Hat Satellite 6.4 upgrade fails with error Validation failed: Name has already been taken at db:migrate stage
1653293 - Advance(Scoped_search) search in manage errata page
1658265 - [RFE] virt-who-configure-plugin should set 'NO_PROXY=*' by default.
1658284 - [RFE] Allow virt-who-configure plugin to have additional interval options
1658318 - [RFE] Foreman-debug should gather virt-who data.
1658553 - Cannot add new disk to VM when using image based to provision
1659979 - Unable to add Google Cloud Platform as compute resource to Satellite.
1671274 - [RFE] Support CNV as the virt-who resource
1671318 - [RFE] The CV exported tar should have minor version of Content View.
1672706 - candlepin's CertificateRevocationListTask does not scale well for 2M+ certificates
1673447 - Capsule sync planning in foreman-tasks sometimes takes too long
1679225 - Unable to build VM with bootdisk option using hammer-cli-foreman
1679300 - Unable to Change Host Location via Hammer
1684573 - [RFE] Rebase Ansible to 2.8 for Satellite 6.6
1686514 - Full Host ISO generated with 0 byte size init ram disk with on demand download policy kickstart repository
1687543 - [RFE] - Need a way to add headings in Virtual Machine View
1687801 - pxeboot images not downloading - Error -3 while decompressing: incorrect header check
1690070 - publishing promoting large docker repos in a content view can take a long time
1690204 - [RFE] merge the upstream Foreman Userdata plug-in into Satellite
1691074 - [RFE] Satellite should be able to sync Fedora 30, ignoring zChunk data.
1691443 - [RFE] Ship default role with permissions for ansible inventory callback
1698148 - [RFE] Satellite 6 should pass through SWID information in any repositories it is syncing
1698178 - [RFE] Allow the use of Ansible Runner instead of Ansible
1698182 - [RFE] Remove foreman docker
1703476 - No syncable repositories found for selected products and options. (RuntimeError)
1705099 - Regeneration of ueber certificate is causing optimized capsule sync to perform force full sync every time.
1706265 - Update from 6.5 to 6.6 is broken due to dependency issue
1706267 - fg: no job control in post scriptlet while installing satellite 6.6
1706274 - Error on accessing red hat subscription, red hat repository and module stream page
1706277 - katello-certs-check output print foreman-installer/ katello/foreman-proxy-certs-generate on sat 6.6
1706296 - uninitialized constant ForemanOpenscap::VERSION while creating new scap policy
1706721 - Installer still shows 6.4 to 6.5 version to upgrade existing capsule
1706743 - Candlepin service FAIL to start after satellite-change-hostname
1707157 - RHEL 8 with iPXE fails due to Deprecated Options used
1709761 - capsule-certs-generate shows output with foreman-installer --scenario foreman-proxy-content instead satellite-installer --scenario capsule
1712554 - Red Hat Insights inventory broken for large environments after upgrade to Red Hat Satellite 6.5
1712889 - Capsule certification generation command was failing due to the absence of certs-update-all parameter.
1712985 - Installation of Red Hat Satellite 6.5 or Red Hat Capsule 6.5 server fails when ipv6 is disabled.
1713103 - Unable to do image based provisioning with Cloud Init and VMware
1713248 - Hammer hostgroup create fails with 'The selected content source and lifecycle environment do not match'
1713274 - Missing rpms in erratum pkglist when an erratum appears in multiple enabled repos
1713802 - Every capsule sync causes importers/distributors to get updated making an optimized capsule sync a full sync
1714234 - some pages have blue menu (like upstream) instead of black/gray one (like downstream have)
1714604 - Puppet certs not getting signed automatically on provisioned host
1715898 - Disk space check during mongo storage upgrade to wiredtiger failing and dropping database
1716877 - enabled repository does not show under 'Enabled Repository' view without refresh the page
1716900 - The ACL /var/lib/qpidd/.qpidd/qpid_acls.acl gets removed with certain procedures
1717069 - Unable to retrieve gpg_keys through Capsule
1717248 - Satellite 6.5 Unable to provision new VMs on VMWare if datacenters are in a folder
1717883 - [RFE] Add logs about tasks state changes
1718009 - Add more default items to the default facts filter list: partitions*, mountpoints*, disks*
1718889 - [RFE] Improve the Tasks page - Dashboard
1720200 - REST API-based DNS conflict check
1721055 - Hourly Scheduled sync plan executed every minute on upgraded Satellite VM's(6.4.z to 6.5 GA).
1722475 - Cannot configure foreman_scap_client on host via puppet
1722713 - Unable to import content view when there are more than 20 of enabled repositories in the target Satellite
1723733 - Connection error for EC2 CR not rescued correctly
1724064 - [RFE] Show Console output for a instance created using GCE
1724739 - [RFE] Provide default custom-heira.yaml tuning templates for Satellite 6
1725250 - Mismatches for organization and location on production environment and domain
1725289 - undefined method `lookup_values' for nil:NilClass while creating host with foreman_scap_client ansible role
1727320 - satellite login page branding lost with snap 10
1727927 - Applying errata through remote execution doesn't work
1728289 - Host selection is ignored with bulk actions when applying errata via remote execution
1728306 - [Discovery] 'Create Host' and 'Customize Host' buttons not functionoing in Quick Provision dialog
1729049 - List all hosts in an organization takes long time when there is a lot of reports.
1729130 - CVE-2019-10198 foreman: authorization bypasses in foreman-tasks leading to information disclosure
1729149 - CVE-2019-10198 tfm-rubygem-foreman-tasks: Authorization bypasses when accessing task details [rhn_satellite_6-default]
1729153 - Lifecycle Environments does not shows details of associated C.V. /Repositories/Errata/packages, ..etc
1730397 - [Hammer] The discovered hosts provision fails with error 'resource have no errors'
1730668 - CVE-2019-14825 katello: Registry credentials are captured in plain text in dynflow task during repository discovery [rhn_satellite_6-default]
1731112 - Discovered hosts stuck when attribute set is missing
1731639 - Export to csv button on sub tasks page won't work
1732066 - checksum-type does not updated on already synced repository at Satellite Capsule.
1732601 - production.log does not log the request-id in registration calls
1737488 - [Satellite 6.6.0 Snap14] Some unwanted exception dumps during yum update in the cleanup phase(In Capsule Upgrade).
1739367 - Satellite 6.5.2 rejects to register hosts that were previously "pre-registered" via the API
1739485 - CVE-2019-14825 katello: registry credentials are captured in plain text during repository discovery
1739712 - Multiple NIC orchestrations are not orchestrated
1744515 - VIrt-who reported hypervisors tasks are failing with exception(undefined method `[]' for nil:NilClass)
1746166 - Installer fails when using signed certificate on the initial install
1746175 - Adding a 2nd disk type of storage_pod/datastore_cluster fails to create vm
1746581 - Gem loading error when enabling infoblox plugins
1747177 - Allow registration when host is unregistered and DMI UUID has changed - Error: This host is reporting a DMI UUID that differs from the existing registration
1747654 - Upgrade to 6.6 failed at foreman-rake db:migrate - undefined method `searchable_value='
1750846 - Unable to load audits page - undefined method `abstract_class?' for Object:Class
1751384 - Setting to toggle host profile stealing
1752256 - Clicking on any tab from Left Navigation panel not working

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2019-3172.html

CWE : Common Weakness Enumeration

Share   Id        Name
33 %    CWE-400   Uncontrolled Resource Consumption ('Resource Exhaustion')
33 %    CWE-306   Missing Authentication for Critical Function (CWE/SANS Top 25)
33 %    CWE-91    XML Injection (aka Blind XPath Injection)

CPE : Common Platform Enumeration

Type / Description / Count (the product descriptions of this table were not preserved in this copy; it listed 14 Application entries with counts 1, 1, 1, 1, 2, 5, 16, 2, 2, 12, 2, 1, 1, 1 and one Os entry with count 1)

Nessus® Vulnerability Scanner

Date        Description
2019-01-03  Name: The remote Fedora host is missing a security update.
            File: fedora_2018-02e965a729.nasl - Type: ACT_GATHER_INFO
2019-01-03  Name: The remote Fedora host is missing a security update.
            File: fedora_2018-e8ff8b7f8e.nasl - Type: ACT_GATHER_INFO
2018-09-25  Name: The remote Debian host is missing a security update.
            File: debian_DLA-1517.nasl - Type: ACT_GATHER_INFO

Alert History

Date                 Information
2020-03-19 13:19:25  First insertion