Moderate: subscription-manager security, bug fix, and enhancement update

Related Vulnerabilities: CVE-2016-4455

Synopsis

Moderate: subscription-manager security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for subscription-manager, subscription-manager-migration-data, and python-rhsm is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The subscription-manager packages provide programs and libraries to allow users to manage subscriptions and yum repositories from the Red Hat entitlement platform.

The subscription-manager-migration-data package provides certificates for migrating a system from the legacy Red Hat Network Classic (RHN) to Red Hat Subscription Management (RHSM).

The python-rhsm packages provide a library for communicating with the representational state transfer (REST) interface of a Red Hat Unified Entitlement Platform. The Subscription Management tools use this interface to manage system entitlements, certificates, and access to content.

The following packages have been upgraded to a newer upstream version: subscription-manager (1.17.15), python-rhsm (1.17.9), subscription-manager-migration-data (2.0.31). (BZ#1328553, BZ#1328555, BZ#1328559)

Security Fix(es):

  • It was found that subscription-manager set weak permissions on files in /var/lib/rhsm/, causing an information disclosure. A local, unprivileged user could use this flaw to access sensitive data that could potentially be used in a social engineering attack. (CVE-2016-4455)

Red Hat would like to thank Robert Scheck for reporting this issue.
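The flaw above is a file-permission weakness: files under /var/lib/rhsm/ were readable by any local user. The following POSIX shell script is an added example written for this page; it is not Red Hat's code and not part of subscription-manager. It lists world-readable regular files under a directory (the class of misconfiguration behind CVE-2016-4455), reports whether the tree is private, and can strip the "other" read bit as a stop-gap. The function names, the constructed demo tree and the `demo` argument are assumptions for illustration; the advisory names only the directory, not the individual files, so none are assumed here.

```shell
#!/bin/sh
# Added example, not code from the advisory or from subscription-manager.
# Audits a directory tree for world-readable regular files, the permission
# weakness class behind CVE-2016-4455 (the advisory names /var/lib/rhsm/).
# Function names and the constructed sample tree are assumptions.

# List every regular file under $1 whose mode grants read to "other"
# (octal bit 004). Subtrees the caller cannot read are skipped silently.
find_world_readable() {
    find "$1" -type f -perm -004 2>/dev/null
}

# Succeed (status 0) only when no world-readable regular file exists under $1.
check_dir_private() {
    [ -z "$(find_world_readable "$1")" ]
}

# Remediation: clear the "other" read bit on every offending file under $1.
# On a real system this needs root; the packaged update in this advisory is
# the proper fix, and this chmod only closes the window until it is applied.
harden_dir() {
    find "$1" -type f -perm -004 -exec chmod o-r {} + 2>/dev/null
}

# Human-readable report for $1; returns 1 when findings exist so the script
# can be wired into a compliance check or a scheduled job.
report() {
    dir="$1"
    findings=$(find_world_readable "$dir")
    if [ -z "$findings" ]; then
        echo "OK: no world-readable files under $dir"
        return 0
    fi
    echo "WARNING: world-readable files under $dir:"
    printf '%s\n' "$findings" | while IFS= read -r f; do
        echo "  $f ($(ls -ld "$f" | cut -c1-10))"
    done
    return 1
}

# Build a constructed sample tree in a temp dir so the script can be tried
# offline without touching /var/lib/rhsm/; prints the tree's path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/cache"
    echo "constructed sample" > "$t/cache/public.json"
    chmod 644 "$t/cache/public.json"      # world-readable: should be flagged
    echo "constructed sample" > "$t/cache/private.json"
    chmod 600 "$t/cache/private.json"     # owner-only: should pass
    echo "$t"
}

# Usage: sh rhsm_perm_audit.sh demo            (constructed tree, before/after)
#        sh rhsm_perm_audit.sh /var/lib/rhsm   (audit a real directory)
# With no argument the script only defines its functions, so it can be sourced.
case "${1:-}" in
    "") ;;
    demo)
        d=$(make_sample_tree)
        report "$d"
        harden_dir "$d"
        report "$d"
        rm -rf "$d"
        ;;
    *) report "$1" ;;
esac
```

Run it as root against /var/lib/rhsm/ before and after applying the update: a clean "OK" after the update confirms the packaged fix took effect, while findings on an already-updated host point at files created by other tooling that deserve the same treatment.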

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 7 x86_64
  • Red Hat Enterprise Linux Server - Extended Update Support 7.6 x86_64
  • Red Hat Enterprise Linux Server - Extended Update Support 7.5 x86_64
  • Red Hat Enterprise Linux Server - Extended Update Support 7.4 x86_64
  • Red Hat Enterprise Linux Server - Extended Update Support 7.3 x86_64
  • Red Hat Enterprise Linux Server - AUS 7.6 x86_64
  • Red Hat Enterprise Linux Server - AUS 7.4 x86_64
  • Red Hat Enterprise Linux Workstation 7 x86_64
  • Red Hat Enterprise Linux Desktop 7 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 7 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.5 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.4 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.3 s390x
  • Red Hat Enterprise Linux for Power, big endian 7 ppc64
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6 ppc64
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.5 ppc64
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.4 ppc64
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.3 ppc64
  • Red Hat Enterprise Linux for Scientific Computing 7 x86_64
  • Red Hat Enterprise Linux EUS Compute Node 7.6 x86_64
  • Red Hat Enterprise Linux EUS Compute Node 7.5 x86_64
  • Red Hat Enterprise Linux EUS Compute Node 7.4 x86_64
  • Red Hat Enterprise Linux EUS Compute Node 7.3 x86_64
  • Red Hat Enterprise Linux Server - AUS 7.3 x86_64
  • Red Hat Enterprise Linux for Power, little endian 7 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.5 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.4 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.3 ppc64le
  • Red Hat Enterprise Linux Server - TUS 7.6 x86_64
  • Red Hat Enterprise Linux Server - TUS 7.3 x86_64
  • Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.6 ppc64le
  • Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.4 ppc64le
  • Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.3 ppc64le
  • Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.6 x86_64
  • Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.4 x86_64
  • Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.3 x86_64

Fixes

  • BZ - 874735 - [RFE] Network interface collection/facts do not support multiple address per interface
  • BZ - 1104332 - [RFE] Separate out the rhsm certs into a separate RPM
  • BZ - 1251516 - traceback on removing an import cert from 'my subs in gui'
  • BZ - 1257179 - subscription-manager-initial-setup-addon - "Cancel" button does nothing
  • BZ - 1262919 - exceptions from connection.RestlibException during autosubscribe should be printed to system error
  • BZ - 1264108 - the red warning message in subscription-manager-initial-setup-addon should disappear when clicking Cancel/Back
  • BZ - 1264470 - various RHEL7 channel maps to product certs are missing in subscription-manager-migration-data
  • BZ - 1264964 - subscription-manager package profile submission is sending profiles with UUID=None to SLE endpoint
  • BZ - 1268043 - Back button on first panel of subscription-manager-gui workflow has no effect
  • BZ - 1268094 - Traceback in subscription-manager-gui from My Subscriptions Tab
  • BZ - 1268307 - At the end of auto attach, the Back button does nothing
  • BZ - 1306004 - The cmd "repos --list --proxy" with a fake proxy server url will not stop running.
  • BZ - 1315901 - Stacktrace displayed when running rct against an inaccessible file
  • BZ - 1325083 - Available subscriptions can not be sorted by number in subscription-manager-gui
  • BZ - 1328553 - Rebase subscription-manager component to the latest upstream branch for RHEL 7.3
  • BZ - 1328555 - Rebase python-rhsm component to the latest upstream branch for RHEL 7.3
  • BZ - 1328559 - Rebase subscription-manager-migration-data component to the latest upstream branch for RHEL 7.3
  • BZ - 1328579 - subscription-manager-migration-data for RHEL7.3 needs RHEL7.3 product certs
  • BZ - 1328609 - missing RHN channel mappings to ppc64le product certs for product id 279
  • BZ - 1328628 - rhel-x86_64-server-7-ost-7 channel maps are absent from channel-cert-mapping.txt
  • BZ - 1328729 - Docker client doesn't link entitlements certs
  • BZ - 1329397 - Rhsmcertd healinglib variable 'valid_tomorrow' referenced before assignment
  • BZ - 1330021 - Initial-setup : no error message is thrown when user clicks on register button without entering credentials
  • BZ - 1330054 - "Default" server url is not configuring the port and prefix details
  • BZ - 1330515 - Traceback on the terminal when used CTRL+C to kill the subscription-manager-gui application
  • BZ - 1333545 - rhel-x86_64-server-7-rhevh channel maps are absent from channel-cert-mapping.txt
  • BZ - 1333904 - Subscription-manager-gui's combo "Service level preferences" does not change it's name if some value is choosen from AT-SPI perspective
  • BZ - 1333906 - Subscription-manager-gui's combo "Release version" does not change it's name if some value is choosen from AT-SPI perspective
  • BZ - 1334916 - YUM plugins reconfigure root logger
  • BZ - 1335371 - Despite an "Insufficient" subscription status, the GUI is blocked from auto-subscribing by "No need to update subscriptions" message.
  • BZ - 1335537 - typo in "Proxy connnection failed, please check your settings."
  • BZ - 1336428 - rhsm-icon -i fails with libnotify-CRITICAL and GLib-GObject-CRITICAL errors
  • BZ - 1336880 - [RFE] Update the 'rct' command to expose the virt_limit attribute to determine if virt-who is needed for the deployment.
  • BZ - 1336883 - [RFE] Update the 'rct' command to allow not outputting content-set data
  • BZ - 1340135 - Zanata translations for subscription-manager 1.17 are not 100%
  • BZ - 1340525 - CVE-2016-4455 subscription-manager: sensitive world readable files in /var/lib/rhsm/
  • BZ - 1345962 - unbound method endheaders() must be called with HTTPSConnection instance as first argument (got RhsmProxyHTTPSConnection instance instead)
  • BZ - 1346417 - [RFE] Allow users to set socket timeout.
  • BZ - 1349533 - rhel-x86_64-server-7-ost-8 channel maps are absent from channel-cert-mapping.txt
  • BZ - 1349538 - rhel-x86_64-server-7-rh-gluster-3-client channel maps are absent from channel-cert-mapping.txt
  • BZ - 1349584 - RHN RHEL Channels 'rhel-x86_64-<VARIANT>-7-thirdparty-oracle-java' map to a '7.2' version cert; should be '7.3'
  • BZ - 1349592 - RHN RHEL Channels 'rhel-x86_64-<VARIANT>-7-thirdparty-oracle-java-beta' map to a '7.2' version cert; should be '7.3 Beta'
  • BZ - 1351370 - [ERROR] subscription-manager:31276 @dbus_interface.py:60 - org.freedesktop.DBus.Python.OSError: Traceback
  • BZ - 1353662 - AttributeError: 'Identity' object has no attribute 'keypath'
  • BZ - 1354653 - rhel-s390x-server-ha-7-beta channel maps are absent from channel-cert-mapping.txt
  • BZ - 1354655 - rhel-s390x-server-rs-7-beta channel maps are absent from channel-cert-mapping.txt
  • BZ - 1360909 - Clients unable to access newly released content (Satellite 6.2 GA)
  • BZ - 1365280 - default_log_level in rhsm.conf should be INFO to honor bug 1266935
  • BZ - 1366055 - man page for rhsm.conf is missing info on new [logging] section
  • BZ - 1366301 - subscription-manager refresh causes: Server error attempting a PUT to /subscription/consumers/<UUID>/certificates?lazy_regen=true returned status 404
  • BZ - 1366747 - RHN Channel mapping file '/usr/share/rhsm/product/RHEL-7/channel-cert-mapping.txt' does NOT account for RHN base channel 'rhel-ppc64le-server-7'
  • BZ - 1366799 - failed to use host entitlement in containers
  • BZ - 1367243 - 'Resource not found on the server' when running 'subscription-manager refresh'
  • BZ - 1367657 - an empty error dialog message can appear in subscription-manager-gui when the server response message contains a pair of < >
  • BZ - 1369522 - rct cat-manifest is not bash-completing new option --no-content
  • BZ - 1372673 - checking "Manually attach subscriptions after registration" hangs the initial-setup screen in "registering" state for ever

CVEs

  • CVE-2016-4455

References