Important: Satellite 6.3 security, bug fix, and enhancement update

Synopsis

Important: Satellite 6.3 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat Satellite.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool.

This update provides Satellite 6.3 packages for Red Hat Enterprise Linux 7 Satellite server. For the full list of new features provided by Satellite 6.3, see the Release Notes linked to in the references section. See the Satellite 6 Installation Guide for detailed instructions on how to install a new Satellite 6.3 environment, or the Satellite 6 Upgrading and Updating guide for detailed instructions on how to upgrade from prior versions of Satellite 6.

All users who require Satellite version 6.3 are advised to install these new packages.

Security Fix(es):

  • V8: integer overflow leading to buffer overflow in Zone::New (CVE-2016-1669)
  • rubygem-will_paginate: XSS vulnerabilities (CVE-2013-6459)
  • foreman: models with a 'belongs_to' association to an Organization do not verify association belongs to that Organization (CVE-2014-8183)
  • foreman: inspect in a provisioning template exposes sensitive controller information (CVE-2016-3693)
  • pulp: Unsafe use of bash $RANDOM for NSS DB password and seed (CVE-2016-3704)
  • foreman: privilege escalation through Organization and Locations API (CVE-2016-4451)
  • foreman: inside discovery-debug, the root password is displayed in plaintext (CVE-2016-4996)
  • foreman: Persistent XSS in Foreman remote execution plugin (CVE-2016-6319)
  • foreman: Stored XSS via organization/location with HTML in name (CVE-2016-8639)
  • katello-debug: Possible symlink attacks due to use of predictable file names (CVE-2016-9595)
  • rubygem-hammer_cli: no verification of API server's SSL certificate (CVE-2017-2667)
  • foreman: Image password leak (CVE-2017-2672)
  • pulp: Leakage of CA key in pulp-qpid-ssl-cfg (CVE-2016-3696)
  • foreman: Information disclosure in provisioning template previews (CVE-2016-4995)
  • foreman-debug: missing obfuscation of sensitive information (CVE-2016-9593)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Randy Barlow (Red Hat) for reporting CVE-2016-3704 and Sander Bos for reporting CVE-2016-3696. The CVE-2014-8183 issue was discovered by Eric Helms (Red Hat); the CVE-2016-3693 and CVE-2016-4995 issues were discovered by Dominic Cleal (Red Hat); the CVE-2016-4451 and CVE-2016-6319 issues were discovered by Marek Hulán (Red Hat); the CVE-2016-4996 issue was discovered by Thom Carlin (Red Hat); the CVE-2016-8639 issue was discovered by Sanket Jagtap (Red Hat); the CVE-2016-9595 issue was discovered by Evgeni Golov (Red Hat); the CVE-2017-2667 issue was discovered by Tomas Strachota (Red Hat); and the CVE-2016-9593 issue was discovered by Pavel Moravec (Red Hat).

Solution

For detailed instructions on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.3/html/upgrading_and_updating_red_hat_satellite/

Affected Products

  • Red Hat Satellite 6.3 x86_64
  • Red Hat Satellite Capsule 6.3 x86_64

Fixes

  • BZ - 1019214 - [RFE] Connect foreman bootiso when creating a new VM and boot from it.
  • BZ - 1046642 - CVE-2013-6459 rubygem-will_paginate: XSS vulnerabilities
  • BZ - 1132402 - [RFE] Support Facter 2 structured facts
  • BZ - 1133515 - [RFE] Hammer repository upload-content doesn't support globs
  • BZ - 1140671 - [RFE] API Missing creation of smart proxy autosign entries
  • BZ - 1144042 - [RFE] API Missing activation key listing available service_levels
  • BZ - 1145653 - [RFE] Satellite 6: UEFI PXE support
  • BZ - 1154382 - [RFE] Ability to use tokenized authentication to hammer in lieu of username/password in configuration file.
  • BZ - 1177766 - [RFE] Republish composite content views on republished component content view
  • BZ - 1187338 - [RFE] Patch management functionality of satellite missing patch management functionality
  • BZ - 1190002 - [RFE] add "update all" button to host collections package update, selecting multiple content hosts
  • BZ - 1199204 - [RFE] Content Hosts: UI should have some indicator as if/which capsule is providing content
  • BZ - 1210878 - [RFE] Allow user to disable SSL verification for custom repositories hosted via SSL
  • BZ - 1215825 - [RFE] Showing Packages that can be updated on a content-host via the UI
  • BZ - 1217523 - [RFE] Request for the support of mirrorlists for rpm repository feeds
  • BZ - 1245642 - [RFE] Allow editing of taxonomy for discovered hosts
  • BZ - 1255484 - [RFE] Make subnet an optional field
  • BZ - 1257588 - [RFE] API routes for repositories inconsistent with filter on per product and per organization
  • BZ - 1260697 - [RFE] As a CLI user, I should be able to set the Content Source for a host and hostgroup.
  • BZ - 1263748 - [RFE] Using Dynconsole to review tasks, unable to get back to Satellite GUI missing a "back" button
  • BZ - 1264043 - [RFE] Unable to edit Mail configuration in API and WebUI
  • BZ - 1264732 - [RFE] Predefined role which is equivalent of ORG ADMIN
  • BZ - 1265125 - [RFE] Allow activation keys to enable product repos regardless of whether there is a subscription attached or not
  • BZ - 1270771 - [RFE] Possibility to set value of memory for compute profile under RHEV other than dropdown list
  • BZ - 1274159 - [RFE] Add content counters to Content View Versions Repositories overview
  • BZ - 1278642 - [RFE] Expose config groups in host yaml
  • BZ - 1278644 - [RFE] manage provisioning templates outside of the web interface
  • BZ - 1284686 - [RFE] Support use of snapshots in katello-backup to allow service to be restored quickly
  • BZ - 1291935 - [RFE] support for Parameterized Subnets
  • BZ - 1292510 - [RFE] Satellite should support OpenSCAP tailoring file
  • BZ - 1293538 - [RFE] Netgroup LDAP Authentication with Satellite 6.
  • BZ - 1303103 - [RFE] Allow ISO repositories to be added to a content view and published/distributed
  • BZ - 1304608 - [RFE] Manager and viewer role do not contain permissions for katello, rex and other plugins actions
  • BZ - 1305059 - [RFE] [Sat6] allow multiple rpms to be added via hammer content-view filter rule create
  • BZ - 1306723 - [RFE] add multiple content views to a CCV which contain the same repository
  • BZ - 1309569 - [RFE] Composite Content View Web UI: show if "Latest" view is in use or if new version of content view available
  • BZ - 1309944 - [RFE] Create/update composite content-view by content-view Names
  • BZ - 1313634 - [RFE] Warning message while pulp-puppet-module-builder overwrites existing module files.
  • BZ - 1317614 - [RFE] - "hammer info" command should have information related to "Host Status"
  • BZ - 1318534 - [RFE] Puppet classes inherited from a parent should indicate which one
  • BZ - 1323436 - [RFE] Latest available packages are not listed in the update list over the Satellite Server Web UI
  • BZ - 1324508 - [RFE] Accept 'organization' and 'location' parameters for POST/PUT requests for discovery rules
  • BZ - 1327030 - [RFE] Add extension point to Subnets form for Discovery Proxy
  • BZ - 1327471 - CVE-2016-3693 foreman: inspect in a provisioning template exposes sensitive controller information
  • BZ - 1328238 - [RFE] katello-backup report times
  • BZ - 1328930 - CVE-2016-3696 pulp: Leakage of CA key in pulp-qpid-ssl-cfg
  • BZ - 1330264 - CVE-2016-3704 pulp: Unsafe use of bash $RANDOM for NSS DB password and seed
  • BZ - 1335449 - CVE-2016-1669 V8: integer overflow leading to buffer overflow in Zone::New
  • BZ - 1336924 - [RFE] hypervisors that do NOT have a subscription attached should NOT be green under content hosts
  • BZ - 1339715 - [RFE] Initiate OpenSCAP scan from web ui
  • BZ - 1339889 - CVE-2016-4451 foreman: privilege escalation through Organization and Locations API
  • BZ - 1340559 - [RFE] Add ability to Sort Content Hosts by additional column headers in WebUI
  • BZ - 1342623 - [RFE] Extend the foreman API for improved compliance/openscap usage
  • BZ - 1344049 - [RFE] Ability to use subscription associated to hypervisor when adding a server with activation key
  • BZ - 1348939 - CVE-2016-4995 foreman: Information disclosure in provisioning template previews
  • BZ - 1349136 - CVE-2016-4996 foreman: inside discovery-debug, the root password is displayed in plaintext
  • BZ - 1361473 - [RFE] - Display the errata or packages that would be applicable/installable for a given host using Hammer CLI
  • BZ - 1365815 - CVE-2016-6319 foreman: Persistent XSS in Foreman remote execution plugin
  • BZ - 1366029 - [RFE] satellite installer doesn't allow for upgrading puppet
  • BZ - 1370168 - [RFE] Update foreman-debug to by default not disclose confidential passwords and private keys
  • BZ - 1376134 - [RFE] Pulp should log content unit downloads at a level other than DEBUG
  • BZ - 1376191 - [RFE] Capability to Red Hat Satellite 6 to provision clients on IBM POWER
  • BZ - 1382356 - [RFE] Delete smart class parameter when a puppet class is deleted
  • BZ - 1382735 - [RFE] Allow accessing all template names for a host (in safe mode)
  • BZ - 1384146 - [RFE] Discovery should not create an entry if the mac/serialnumber already exists as managed
  • BZ - 1384548 - [RFE] cronjob to clear old tasks
  • BZ - 1386266 - [RFE] krb5 support for remote execution job invocations
  • BZ - 1386278 - [RFE] Job invocations should timeout
  • BZ - 1390545 - [RFE] hammer sync-plan info should show associated products
  • BZ - 1391831 - [RFE] Include Host's Host Collection to YAML definition.
  • BZ - 1393291 - CVE-2016-8639 foreman: Stored XSS via organization/location with HTML in name
  • BZ - 1393409 - [RFE] Enable Process Recycling for Pulp Worker Processes
  • BZ - 1394056 - [RFE] Getting IP Auto-Suggestion via API
  • BZ - 1402922 - [RFE] Publishing provisioning template by version control system
  • BZ - 1406384 - CVE-2016-9593 foreman-debug: missing obfuscation of sensitive information
  • BZ - 1406729 - CVE-2016-9595 katello-debug: Possible symlink attacks due to use of predictable file names
  • BZ - 1410872 - [RFE] Rake task needed to clean up repos published to wrong directory
  • BZ - 1412186 - [RFE] Track what user executed remote job in the production.log
  • BZ - 1413851 - [RFE] OpenSCAP download full report XML is not usable, include the html or PDF report.
  • BZ - 1416119 - [RFE] foreman-debug takes > 1 hour to complete at scale
  • BZ - 1417073 - [RFE] Enhance Satellite 6 UI to make the need for virt-who apparent
  • BZ - 1420711 - [RFE] - Applying Erratum to a client, Cancel and Next button only visible while scrolling through the entire list of content-hosts
  • BZ - 1422458 - [RFE] The search function shows dummy facts that are not used any more and the dummy facts should be deleted
  • BZ - 1425121 - [RFE] Sort smart class parameter overrides by resolution order
  • BZ - 1425523 - [RFE] Update Subscriptions Page in Satellite 6 to point to customer portal landing page.
  • BZ - 1426404 - [RFE] Backport session/request id in logs
  • BZ - 1426411 - [RFE] Allow batched content install actions during errata install
  • BZ - 1426448 - [RFE] Add schema to full backup if dbfiles are corrupted
  • BZ - 1428761 - [RFE] Show upgradable package count in Content Hosts list and at the Content Host page
  • BZ - 1429426 - [RFE] set release version of a content host via bulk action
  • BZ - 1434069 - [RFE] max_memory_per_executor support
  • BZ - 1435972 - [RFE] - Option to disable autostart for puppet agent
  • BZ - 1436262 - CVE-2017-2667 rubygem-hammer_cli: no verification of API server's SSL certificate
  • BZ - 1438376 - [RFE] Hammer location list to optionally show parents of location
  • BZ - 1439537 - CVE-2017-2672 foreman: Image password leak
  • BZ - 1439850 - [RFE] Allow setting HTTPS CDN URLs in Satellite
  • BZ - 1445807 - [RFE] Allow choice of target shell in Remote Execution
  • BZ - 1446707 - [RFE] add confirmation step for manifest deletion (explaining when refresh will do, and when have to use delete)
  • BZ - 1446719 - [RFE] Refreshing a manifest should re-generate entitlement certificates.
  • BZ - 1452124 - [RFE] Hammer cli does not list Type field when listing subscriptions.
  • BZ - 1455057 - [RFE] As a user, I expect the smart proxies page list of features to be sorted consistently
  • BZ - 1455455 - [RFE] PXE less provisioning - Add delay to discovery image boot for slow DHCP networks
  • BZ - 1458817 - [RFE] Prioritize attribute order in puppet classes limited to 255 chars
  • BZ - 1464224 - [RFE] make the "Type" of a subscription a searchable unit
  • BZ - 1468248 - [RFE] add task start time to "latest warning/error task" dashboard widget
  • BZ - 1480346 - [RFE] Need a server side tool to assist with the process of changing the hostname of the Katello server
  • BZ - 1480348 - [RFE] API to fetch list of hosts without full host details
  • BZ - 1480886 - CVE-2014-8183 foreman: models with a 'belongs_to' association to an Organization do not verify association belongs to that Organization
  • BZ - 1493001 - [RFE] Add NIC ignore patterns for OpenStack and OpenShift
  • BZ - 1493494 - [RFE] While adding a content-view to a composite view which is not published, clicking "Add Content Views" button does nothing, it should give an error.
  • BZ - 1517827 - [RFE] Satellite 6: add the ability to choose supported cipher suites for Tomcat
  • BZ - 1529099 - [RFE] Users with email address more than 60 characters should be able to login to Satellite GUI
