More Multiple Red Hat Advisories: [RHSA-2013:0550-01] Moderate: bind, [RHSA-2013:0552-01] Low: Red Hat Enterprise Virtualization 2 1, [RHSA-2013:0547-01] Moderate: CloudForms System Engine 1.1.2, [RHSA-2013:0545-01] Moderate: CloudForms Cloud Engine 1.1.2, [RHSA-2013:0551-01] Critical: acroread, [RHSA-2013:0544-01] Important: Subscription Asset Manager 1.2, [RHSA-2013:0548-01] Moderate: CloudForms Common 1.1.2, [RHSA-2013:0549-01] Low: Red Hat Directory Server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: bind security and enhancement update
Advisory ID:       RHSA-2013:0550-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0550.html
Issue date:        2013-02-21
CVE Names:         CVE-2012-5689
=====================================================================

1. Summary:

Updated bind packages that fix one security issue and add one enhancement
are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the
Domain Name System (DNS) protocols. BIND includes a DNS server (named); a
resolver library (routines for applications to use when interfacing with
DNS); and tools for verifying that the DNS server is operating correctly.
DNS64 is used to automatically generate DNS records so IPv6 based clients
can access IPv4 systems through a NAT64 server.

A flaw was found in the DNS64 implementation in BIND when using Response
Policy Zones (RPZ). If a remote attacker sent a specially-crafted query to
a named server that is using RPZ rewrite rules, named could exit
unexpectedly with an assertion failure. Note that DNS64 support is not
enabled by default. (CVE-2012-5689)

This update also adds the following enhancement:

* Previously, it was impossible to configure the maximum number of
responses sent per second to one client. This allowed remote attackers to
conduct traffic amplification attacks using DNS queries with spoofed source
IP addresses. With this update, it is possible to use the new "rate-limit"
configuration option in named.conf and configure the maximum number of
queries which the server responds to. Refer to the BIND documentation for
more details about the "rate-limit" option. (BZ#906312)
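The following named.conf fragment is an added example, not part of this advisory, showing how the "rate-limit" block from the backported Response Rate Limiting (RRL) patch is typically deployed on an authoritative server. Option names follow the BIND RRL documentation the advisory points to; the exempt-clients range is an illustrative placeholder, and log-only mode is a staging step so the effect can be reviewed in the logs before any answer is actually withheld.

```conf
options {
    // ... existing options (directory, listen-on, allow-query, ...) ...

    rate-limit {
        // Budget per client block (/24 for IPv4, /56 for IPv6 by default)
        // for identical responses. 5/s is the usual starting point: a real
        // recursive resolver rarely repeats the same question faster.
        responses-per-second 5;
        // Error (SERVFAIL, REFUSED) and NXDOMAIN answers get their own
        // budgets, since random-name floods consist mostly of these.
        errors-per-second    5;
        nxdomains-per-second 5;
        // Credit accumulates over a 5-second window, so short bursts pass.
        window 5;
        // Rather than dropping every excess response, answer every second
        // one with a truncated (TC=1) reply: a genuine client retries over
        // TCP, while a spoofed source address never sees the reply at all.
        slip 2;
        // Hosts that legitimately repeat queries (monitoring, own resolvers).
        // 192.0.2.0/24 is a documentation range used here as a placeholder.
        exempt-clients { 127.0.0.1; 192.0.2.0/24; };
        // Stage 1: only log what would have been limited. Set to "no" once
        // the logged clients have been reviewed and exemptions added.
        log-only yes;
    };
};
```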

All bind users are advised to upgrade to these updated packages, which
contain patches to correct this issue and add this enhancement. After
installing the update, the BIND daemon (named) will be restarted
automatically.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

903417 - CVE-2012-5689 bind: denial of service when processing queries and with both DNS64 and RPZ enabled
906312 - bind: Backport Response Rate Limiting (DNS RRL) patch into Red Hat Enterprise Linux 6

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6.3.src.rpm

i386:
bind-debuginfo-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-libs-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-utils-9.8.2-0.17.rc1.el6.3.i686.rpm

x86_64:
bind-debuginfo-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-libs-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-libs-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-utils-9.8.2-0.17.rc1.el6.3.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6.3.src.rpm

i386:
bind-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-chroot-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-devel-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-sdb-9.8.2-0.17.rc1.el6.3.i686.rpm

x86_64:
bind-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-chroot-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-devel-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-devel-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-sdb-9.8.2-0.17.rc1.el6.3.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6.3.src.rpm

x86_64:
bind-debuginfo-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-libs-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-libs-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-utils-9.8.2-0.17.rc1.el6.3.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6.3.src.rpm

x86_64:
bind-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-chroot-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-devel-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-devel-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-sdb-9.8.2-0.17.rc1.el6.3.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6.3.src.rpm

i386:
bind-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-chroot-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-libs-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-utils-9.8.2-0.17.rc1.el6.3.i686.rpm

ppc64:
bind-9.8.2-0.17.rc1.el6.3.ppc64.rpm
bind-chroot-9.8.2-0.17.rc1.el6.3.ppc64.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.ppc.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.ppc64.rpm
bind-libs-9.8.2-0.17.rc1.el6.3.ppc.rpm
bind-libs-9.8.2-0.17.rc1.el6.3.ppc64.rpm
bind-utils-9.8.2-0.17.rc1.el6.3.ppc64.rpm

s390x:
bind-9.8.2-0.17.rc1.el6.3.s390x.rpm
bind-chroot-9.8.2-0.17.rc1.el6.3.s390x.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.s390.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.s390x.rpm
bind-libs-9.8.2-0.17.rc1.el6.3.s390.rpm
bind-libs-9.8.2-0.17.rc1.el6.3.s390x.rpm
bind-utils-9.8.2-0.17.rc1.el6.3.s390x.rpm

x86_64:
bind-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-chroot-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-libs-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-libs-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-utils-9.8.2-0.17.rc1.el6.3.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6.3.src.rpm

i386:
bind-debuginfo-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-devel-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-sdb-9.8.2-0.17.rc1.el6.3.i686.rpm

ppc64:
bind-debuginfo-9.8.2-0.17.rc1.el6.3.ppc.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.ppc64.rpm
bind-devel-9.8.2-0.17.rc1.el6.3.ppc.rpm
bind-devel-9.8.2-0.17.rc1.el6.3.ppc64.rpm
bind-sdb-9.8.2-0.17.rc1.el6.3.ppc64.rpm

s390x:
bind-debuginfo-9.8.2-0.17.rc1.el6.3.s390.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.s390x.rpm
bind-devel-9.8.2-0.17.rc1.el6.3.s390.rpm
bind-devel-9.8.2-0.17.rc1.el6.3.s390x.rpm
bind-sdb-9.8.2-0.17.rc1.el6.3.s390x.rpm

x86_64:
bind-debuginfo-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-devel-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-devel-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-sdb-9.8.2-0.17.rc1.el6.3.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6.3.src.rpm

i386:
bind-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-chroot-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-libs-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-utils-9.8.2-0.17.rc1.el6.3.i686.rpm

x86_64:
bind-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-chroot-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-libs-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-libs-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-utils-9.8.2-0.17.rc1.el6.3.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6.3.src.rpm

i386:
bind-debuginfo-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-devel-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-sdb-9.8.2-0.17.rc1.el6.3.i686.rpm

x86_64:
bind-debuginfo-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-debuginfo-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-devel-9.8.2-0.17.rc1.el6.3.i686.rpm
bind-devel-9.8.2-0.17.rc1.el6.3.x86_64.rpm
bind-sdb-9.8.2-0.17.rc1.el6.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-5689.html
https://access.redhat.com/security/updates/classification/#moderate
http://www.isc.org/software/bind/advisories/cve-2012-5689

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJnU0XlSAg2UNWIIRAqmKAJ9aw1xBPz0zvjWoO1dx8iwrf3KvTwCgh+FG
AQqiP7kshwm4ZGsABl1I61k=
=gqtc
-----END PGP SIGNATURE-----



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Enterprise Virtualization 2 1-week EOL Notice
Advisory ID:       RHSA-2013:0552-01
Product:           Red Hat Enterprise Virtualization
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0552.html
Issue date:        2013-02-21
=====================================================================

1. Summary:

This is the 1-week notification of the End Of Life plans for Red Hat
Enterprise Virtualization 2.

2. Description:

In accordance with the Red Hat Enterprise Virtualization Errata Support
Policy, the support for Red Hat Enterprise Virtualization 2 will end on
1st March, 2013.

Customers are recommended to upgrade their existing Red Hat Enterprise
Virtualization (RHEV) 2.x installations to version 3.0. The upgrade from
RHEV Manager version 2.2 running on Microsoft Windows to Red Hat Enterprise
Virtualization Manager 3.0 running on Red Hat Enterprise Linux is fully
supported and requires no downtime; during the upgrade, all virtual machines
will continue to run without loss of service.

Details of the Red Hat Enterprise Virtualization life-cycle can be found on
the Red Hat website: https://access.redhat.com/support/policy/updates/rhev/

The links to detailed documentation on the upgrade process can be found in
the References section.

3. Solution:

Red Hat Enterprise Virtualization 2 support will end on 1st March, 2013.

4. References:

https://access.redhat.com/knowledge/articles/64750
https://access.redhat.com/knowledge/techbriefs/migrating-red-hat-enterprise-virtualization-manager-version-22-30
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/support/policy/updates/rhev/

5. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJnWwXlSAg2UNWIIRAg1MAJ9AWgoTAOy7NKHZbp7Cv+O5vMebYQCfQF2H
EN8fd57M3BWh6Myxv3Kk0rI=
=H7sF
-----END PGP SIGNATURE-----



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: CloudForms System Engine 1.1.2 update
Advisory ID:       RHSA-2013:0547-01
Product:           Red Hat CloudForms
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0547.html
Issue date:        2013-02-21
CVE Names:         CVE-2012-5561 CVE-2012-6116
=====================================================================

1. Summary:

CloudForms System Engine 1.1.2 is now available.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

CloudForms System Engine for RHEL 6 Server - noarch

3. Description:

Red Hat CloudForms is an on-premise hybrid cloud
Infrastructure-as-a-Service (IaaS) product that lets you create and manage
private and public clouds. It provides self-service computing resources to
users in a managed, governed, and secure way. CloudForms System Engine can
be used to configure new systems, subscribe to updates, and maintain
installations in distributed environments.

It was found that the
"/usr/share/katello/script/katello-generate-passphrase" utility, which is
run during the installation and configuration process, set world-readable
permissions on the "/etc/katello/secure/passphrase" file. A local attacker
could use this flaw to obtain the passphrase for Katello, giving them
access to information they would otherwise not have access to.
(CVE-2012-5561)

Note: After installing this update, ensure the
"/etc/katello/secure/passphrase" file is owned by the root user and group
and has mode 0750 permissions. Sites should also consider re-creating the
Katello passphrase, as this issue exposed it to local users.

One task the katello-configure utility performs is creating an RPM to be
installed on client machines that need to connect to the Katello server. It
was found that this RPM set world-readable and writable permissions on the
pem file (containing the Certificate Authority certificate) used for
trusting the Katello server. An attacker could use this flaw to perform a
man-in-the-middle attack, allowing them to manage Katello client systems
(for example, installing and removing software). (CVE-2012-6116)

The CVE-2012-5561 issue was discovered by Aaron Weitekamp of the Red Hat
Cloud Quality Engineering team, and CVE-2012-6116 was discovered by Dominic
Cleal and James Laska of Red Hat.

This update also fixes the following bugs:

* The CloudForms System Engine command line tool incorrectly parsed
locales, which caused the following error:

"translation missing: de.activerecord.errors.messages.record_invalid"

This update replaces the controller for setting the locale. The translation
error no longer appears. (BZ#896251)

* Certain locales did not properly escape certain UI content for new role
creation. This broke the Save button for some locales. This update corrects
the escape behavior for localized UI content. The Save button now works
for new role creation. (BZ#896252)

* A missing icon stopped users from deleting recent or saved searches. This
update adds the icon and users can now delete recent or saved searches.
(BZ#896253)

* A performance issue in the Candlepin 0.7.8 component caused subscription
responsiveness to decrease as the number of systems subscribed to
CloudForms System Engine increased. This erratum updates to Candlepin
0.7.19, which corrects the performance issues. (BZ#896261)

* CloudForms System Engine would not fetch Extended Update Service (EUS)
entitlements. This blocked the user from seeing and enabling EUS
repositories. This update revises the manifest upload and deletion code,
which also corrects the behavior for fetching entitlements. System Engine
now fetches EUS entitlements. (BZ#896265)

* Issues with menu widths caused the localized UI to not render certain
menu items. This update corrects the style for the System Engine UI. The
Web UI now renders the menu items correctly. (BZ#903702)

Refer to the CloudForms 1.1.2 Release Notes for further information about
this release. The Release Notes will be available shortly from
https://access.redhat.com/knowledge/docs/

To upgrade, follow the upgrade instructions in the CloudForms Installation
Guide, section "4.1. Upgrading CloudForms System Engine":

https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/index.html

Users of CloudForms System Engine are advised to upgrade to these updated
packages.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

807455 - Deleted template still available in promoted environment
879094 - CVE-2012-5561 Katello: /etc/katello/secure/passphrase is world readable
896251 - [de_DE][zh_TW][pt_BR][ru_RU][SAM CLI] user module "translation missing: de.activerecord.errors.messages.record_invalid" errors
896253 - Search -- missing ability to remove saved and/or recent search queries -- missing icon
896261 - SCALE: Subscription of systems gets slower and slower as number of subscribed systems increases
896265 - Unable to enable repos for EUS product
903702 - Localized UI hides menu entries
904128 - Unable to save system template
906207 - CVE-2012-6116 Candlepin: bootstrap RPM deploys CA certificate file with mode 666
907250 - translation missing: pt_BR.time.formats.default (I18n::MissingTranslationData)

6. Package List:

CloudForms System Engine for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/candlepin-0.7.19-3.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/katello-1.1.12.2-5.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/katello-cli-1.1.8-14.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/katello-configure-1.1.9-13.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/katello-selinux-1.1.1-5.el6cf.src.rpm

noarch:
candlepin-0.7.19-3.el6cf.noarch.rpm
candlepin-devel-0.7.19-3.el6cf.noarch.rpm
candlepin-selinux-0.7.19-3.el6cf.noarch.rpm
candlepin-tomcat6-0.7.19-3.el6cf.noarch.rpm
katello-1.1.12.2-5.el6cf.noarch.rpm
katello-all-1.1.12.2-5.el6cf.noarch.rpm
katello-api-docs-1.1.12.2-5.el6cf.noarch.rpm
katello-cli-1.1.8-14.el6cf.noarch.rpm
katello-cli-common-1.1.8-14.el6cf.noarch.rpm
katello-common-1.1.12.2-5.el6cf.noarch.rpm
katello-configure-1.1.9-13.el6cf.noarch.rpm
katello-glue-candlepin-1.1.12.2-5.el6cf.noarch.rpm
katello-glue-pulp-1.1.12.2-5.el6cf.noarch.rpm
katello-selinux-1.1.1-5.el6cf.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-5561.html
https://www.redhat.com/security/data/cve/CVE-2012-6116.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/knowledge/docs/
https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJnRjXlSAg2UNWIIRAtrgAKCPq/A5TV3HDybGNOiDu/bLbMCk2gCgraj4
FaFkBPHApaE7juOnpZKvRlo=
=ZdWu
-----END PGP SIGNATURE-----




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: CloudForms Cloud Engine 1.1.2 update
Advisory ID:       RHSA-2013:0545-01
Product:           Red Hat CloudForms
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0545.html
Issue date:        2013-02-21
CVE Names:         CVE-2012-5509 CVE-2012-6117 CVE-2012-6118
=====================================================================

1. Summary:

CloudForms Cloud Engine 1.1.2 is now available.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

CloudForms Cloud Engine for RHEL 6 Server - noarch

3. Description:

Red Hat CloudForms is an on-premise hybrid cloud
Infrastructure-as-a-Service (IaaS) product that lets you create and manage
private and public clouds. It provides self-service computing resources to
users in a managed, governed, and secure way. CloudForms Cloud Engine is a
management application for cloud resources.

It was found that the Aeolus Configuration Server stored passwords in plain
text in the world-readable "/var/log/aeolus-configserver/configserver.log"
file. A local attacker could use this flaw to obtain the administrative
passwords for other services (such as Katello, databases, and so on).
(CVE-2012-6117)

It was found that Conductor, the web-based management console, allowed
unprivileged users to modify their quota for the number of instances they
are allowed to run. An unprivileged user could use this flaw to monopolize
resources and run more instances than intended. (CVE-2012-6118)

It was found that the aeolus-configserver-setup script created a
world-readable file containing authentication details in plain text in the
"/tmp/" directory. A local attacker could use this flaw to obtain Audrey
credentials, allowing them to make configuration changes to Audrey-enabled
instances. (CVE-2012-5509)

The CVE-2012-6117 issue was discovered by James Laska of Red Hat;
CVE-2012-6118 was discovered by Tomas Sedovic of Red Hat; and CVE-2012-5509
was discovered by Aaron Weitekamp of the Red Hat Cloud Quality Engineering
team.
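As an added example that is not part of these advisories, the POSIX shell audit below checks the two permission classes the CloudForms System Engine (CVE-2012-5561, CVE-2012-6116) and Cloud Engine (CVE-2012-6117, CVE-2012-5509) descriptions share: secret files that are world-readable and a trust anchor (the client-side CA certificate) that is group- or world-writable. The CA certificate path is a placeholder because the advisory does not name it, and the file list is the one assumed here, not a list shipped by Red Hat.

```shell
#!/bin/sh
# Added example (not Red Hat's or Katello's code): audit files the
# CloudForms advisories describe as mis-permissioned. Two classes matter:
# secrets that must not be world-readable, and a trust anchor that must not
# be writable by anyone but its owner.

# Permission bits of FILE as an octal string, e.g. 644
# (GNU stat first, BSD stat as a fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owner and group of FILE as "user:group".
file_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# A secret (passphrase, log that carries passwords, credential dump in /tmp)
# is private when the "other" read bit is clear. Returns 0 when private.
secret_is_private() {
    mode=$(file_mode "$1") || return 1
    [ $(( 0$mode & 0004 )) -eq 0 ]
}

# A trust anchor is protected when neither group nor other can write it:
# a world-writable CA file lets any local user replace the CA and then
# impersonate the server to that client. Returns 0 when protected.
trust_anchor_is_protected() {
    mode=$(file_mode "$1") || return 1
    [ $(( 0$mode & 0022 )) -eq 0 ]
}

# Read "path kind" lines from stdin (kind is secret or trust-anchor), skip
# blank/comment lines and paths not present on this host, print one line
# per finding and return the number of findings (0 means clean).
audit_files() {
    findings=0
    while read -r path kind; do
        case "$path" in ''|'#'*) continue ;; esac
        [ -e "$path" ] || continue
        case "$kind" in
            secret)
                secret_is_private "$path" || {
                    echo "EXPOSED: $path is world-readable (mode $(file_mode "$path"), owner $(file_owner "$path"))"
                    findings=$((findings + 1))
                } ;;
            trust-anchor)
                trust_anchor_is_protected "$path" || {
                    echo "TAMPERABLE: $path is group/world-writable (mode $(file_mode "$path"), owner $(file_owner "$path"))"
                    findings=$((findings + 1))
                } ;;
            *)
                echo "unknown kind '$kind' for $path" >&2 ;;
        esac
    done
    return $findings
}

# Files named in the advisories. The CA certificate path is a placeholder:
# the advisory does not say where the bootstrap RPM installs it.
audit_files <<'EOF'
/etc/katello/secure/passphrase                  secret
/var/log/aeolus-configserver/configserver.log   secret
/path/to/katello-bootstrap-ca.pem               trust-anchor
EOF
echo "findings: $?"
```

The advisory's own remediation (root:root, mode 0750) passes the secret check, since only the "other" read bit is treated as exposure.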

This update also fixes the following bug:

* A bug in the initial filter view for instances caused stopped instances
to display for the default "Non stopped applications" option until
auto-refresh. This bug fix corrects the form rendering for the filter view.
The filter view now displays only non-stopped instances. (BZ#895569)

Additionally, this update adds the following enhancements:

* Support for building Red Hat Enterprise Linux 5.9 guest images in
CloudForms Cloud Engine. (BZ#903646)

* Support for Red Hat Enterprise Linux 5.9 Amazon Machine Images (AMI) on
Amazon Web Services (AWS) Elastic Compute Cloud (EC2) providers for
CloudForms Cloud Engine. (BZ#903651)

* Support for building Red Hat Enterprise Linux 6.4 guest images in
CloudForms Cloud Engine. (BZ#903395)

* Support for Red Hat Enterprise Linux 6.4 Amazon Machine Images (AMI) on
Amazon Web Services (AWS) Elastic Compute Cloud (EC2) providers for
CloudForms Cloud Engine. (BZ#903650)

Refer to the CloudForms 1.1.2 Release Notes for further information about
this release. The Release Notes will be available shortly from
https://access.redhat.com/knowledge/docs/

To upgrade, follow the upgrade instructions in the CloudForms Installation
Guide:

https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/Updating_CloudForms_Cloud_Engine.html

Users of CloudForms Cloud Engine are advised to upgrade to these updated
packages.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

875294 - CVE-2012-5509 aeolus-configserver: aeolus-configserver-setup /tmp file conductor credentials leak
895569 - Default Filter view option "Non stopped applications" lists stopped instance, and removes them after auto refresh
903395 - Add support for RHEL-6.4 to Oz
903646 - Add support for RHEL-5.9 to Oz
903650 - Update jeos AMI's for RHEL-6.4
903651 - Update jeos AMI's for RHEL-5.9
906192 - CVE-2012-6118 Aeolus Conductor: Unprivileged user can change their own Maximum Running Instances quota
906201 - CVE-2012-6117 Aeolus Configserver: Passwords from application blueprint stored plaintext in configserver.log
912395 - image customization fails using root user, must use ec2-user

6. Package List:

CloudForms Cloud Engine for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/aeolus-conductor-0.13.26-1.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/aeolus-configserver-0.4.12-3.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/imagefactory-1.0.3-1.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/oz-0.8.0-8.el6cf.src.rpm

noarch:
aeolus-all-0.13.26-1.el6cf.noarch.rpm
aeolus-conductor-0.13.26-1.el6cf.noarch.rpm
aeolus-conductor-daemons-0.13.26-1.el6cf.noarch.rpm
aeolus-conductor-devel-0.13.26-1.el6cf.noarch.rpm
aeolus-conductor-doc-0.13.26-1.el6cf.noarch.rpm
aeolus-configserver-0.4.12-3.el6cf.noarch.rpm
imagefactory-1.0.3-1.el6cf.noarch.rpm
imagefactory-jeosconf-ec2-fedora-1.0.3-1.el6cf.noarch.rpm
imagefactory-jeosconf-ec2-rhel-1.0.3-1.el6cf.noarch.rpm
oz-0.8.0-8.el6cf.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-5509.html
https://www.redhat.com/security/data/cve/CVE-2012-6117.html
https://www.redhat.com/security/data/cve/CVE-2012-6118.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/knowledge/docs/
https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/Updating_CloudForms_Cloud_Engine.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJnQVXlSAg2UNWIIRAg1XAKCdQz9OAxS3wA516u3tkZNbUEMUqACfUz8j
2cKPvsz+MCt3WTl+vIgXyR8=
=nMZt
-----END PGP SIGNATURE-----



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: acroread security update
Advisory ID:       RHSA-2013:0551-01
Product:           Red Hat Enterprise Linux Extras
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0551.html
Issue date:        2013-02-21
CVE Names:         CVE-2013-0640 CVE-2013-0641
=====================================================================

1. Summary:

Updated acroread packages that fix two security issues are now available
for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).

This update fixes two security flaws in Adobe Reader. These flaws are
detailed in the Adobe Security bulletin APSB13-07, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. (CVE-2013-0640, CVE-2013-0641)

All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.5.4, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

911099 - CVE-2013-0640 CVE-2013-0641 acroread: Multiple unspecified vulnerabilities allow remote attackers to execute arbitrary code (APSB13-07)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
acroread-9.5.4-1.el5_9.i386.rpm
acroread-plugin-9.5.4-1.el5_9.i386.rpm

x86_64:
acroread-9.5.4-1.el5_9.i386.rpm
acroread-plugin-9.5.4-1.el5_9.i386.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
acroread-9.5.4-1.el5_9.i386.rpm
acroread-plugin-9.5.4-1.el5_9.i386.rpm

x86_64:
acroread-9.5.4-1.el5_9.i386.rpm
acroread-plugin-9.5.4-1.el5_9.i386.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
acroread-9.5.4-1.el6.i686.rpm
acroread-plugin-9.5.4-1.el6.i686.rpm

x86_64:
acroread-9.5.4-1.el6.i686.rpm
acroread-plugin-9.5.4-1.el6.i686.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
acroread-9.5.4-1.el6.i686.rpm
acroread-plugin-9.5.4-1.el6.i686.rpm

x86_64:
acroread-9.5.4-1.el6.i686.rpm
acroread-plugin-9.5.4-1.el6.i686.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
acroread-9.5.4-1.el6.i686.rpm
acroread-plugin-9.5.4-1.el6.i686.rpm

x86_64:
acroread-9.5.4-1.el6.i686.rpm
acroread-plugin-9.5.4-1.el6.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0640.html
https://www.redhat.com/security/data/cve/CVE-2013-0641.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb13-07.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJnWHXlSAg2UNWIIRAvwiAJ9cUkD0srVCYv8NBg6LbQfP8XVshgCcDIcg
FNI0kkkH7W+YbIRDxQL9pgY=
=28x7
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Subscription Asset Manager 1.2 update
Advisory ID:       RHSA-2013:0544-01
Product:           Red Hat Subscription Asset Manager
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0544.html
Issue date:        2013-02-21
CVE Names:         CVE-2012-5561 CVE-2012-5603 CVE-2012-5604
                   CVE-2012-6109 CVE-2012-6496 CVE-2013-0162
                   CVE-2013-0183 CVE-2013-0184
=====================================================================

1. Summary:

Red Hat Subscription Asset Manager 1.2, which fixes several security
issues, multiple bugs, and adds various enhancements, is now available.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Subscription Asset Manager for RHEL 6 Server - noarch, x86_64

3. Description:

Red Hat Subscription Asset Manager acts as a proxy for handling
subscription information and software updates on client machines.

It was discovered that Katello did not properly check user permissions when
handling certain requests. An authenticated remote attacker could use this
flaw to download consumer certificates or change settings of other users'
systems if they knew the target system's UUID. (CVE-2012-5603)

A vulnerability in rubygem-ldap_fluff allowed a remote attacker to bypass
authentication and log into Subscription Asset Manager when a Microsoft
Active Directory server was used as the back-end authentication server.
(CVE-2012-5604)
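
The bug title for this issue (882136, in the list below) names the failure mode: an anonymous LDAP bind being accepted as a login. The following Ruby example, added here and not taken from rubygem-ldap_fluff or any Red Hat code, shows the defect pattern beside a hardened login check. `FakeDirectory` is a constructed stand-in that behaves the way Active Directory does by default for a simple bind with a DN and an empty password (an RFC 4513 unauthenticated bind that succeeds as anonymous); no real LDAP library is used, and the DN and password are sample data.

```ruby
# Constructed stand-in for a directory server that, as Active Directory does
# by default, answers a simple bind carrying a DN but an empty password with
# an anonymous (unauthenticated) bind success rather than an error. No real
# LDAP library is used; the point is the client-side handling of the result.
class FakeDirectory
  def initialize(accounts)
    @accounts = accounts   # { bind DN => password }, constructed sample data
  end

  # Mirrors the three outcomes a real simple bind can have.
  def simple_bind(dn, password)
    return :anonymous if password.nil? || password.empty?  # RFC 4513 unauthenticated bind
    @accounts[dn] == password ? :authenticated : :invalid
  end
end

# The failure mode named in bug 882136: the login path forwards the user's
# input to the server and treats "bind did not fail" as proof of identity.
def login_vulnerable(dir, dn, password)
  dir.simple_bind(dn, password) != :invalid
end

# Hardened form: reject blank credentials before contacting the server, and
# accept only an authenticated bind result. Both checks matter: a server
# that does not follow the AD convention still must never log in "anyone".
def login_fixed(dir, dn, password)
  return false if dn.to_s.strip.empty? || password.to_s.empty?
  dir.simple_bind(dn, password) == :authenticated
end

if __FILE__ == $0
  dir = FakeDirectory.new("cn=alice,dc=example,dc=test" => "s3cret")   # constructed
  puts login_vulnerable(dir, "cn=alice,dc=example,dc=test", "")  # true: bypass
  puts login_fixed(dir, "cn=alice,dc=example,dc=test", "")       # false
  puts login_fixed(dir, "cn=alice,dc=example,dc=test", "s3cret") # true
end
```

The client-side blank-password check is the cheap, server-independent part of the fix; requiring an explicitly authenticated bind result is what closes the hole when the directory is configured to allow anonymous binds.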

It was found that the
"/usr/share/katello/script/katello-generate-passphrase" utility, which is
run during the installation and configuration process, set world-readable
permissions on the "/etc/katello/secure/passphrase" file. A local attacker
could use this flaw to obtain the passphrase for Katello, giving them
access to information they would otherwise not have access to.
(CVE-2012-5561)

Note: After installing this update, ensure the
"/etc/katello/secure/passphrase" file is owned by the root user and group
and has mode 0750 permissions. Sites should also consider re-creating the
Katello passphrase as this issue exposed it to local users.
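
The check an administrator would want after applying the note above, as an added Ruby example that is not part of the advisory or of Katello: audit a secret file for owner, group and mode, flagging every permission bit beyond the advisory's 0750, and apply the required settings. The defaults (uid 0, gid 0, mode 0750) are the advisory's requirements; the `uid:`/`gid:` parameters and the throw-away `Tempfile` exist only so the demonstration can run as a non-root user on a constructed file.

```ruby
require "tempfile"

# Audit a secret-bearing file (the advisory's case is
# /etc/katello/secure/passphrase) and return an array of findings; an
# empty array means the file satisfies the advisory's requirements.
# The defaults (uid 0, gid 0, mode 0750) are what the advisory asks for;
# the parameters exist so that a non-root run can audit a file it owns.
def audit_secret_file(path, uid: 0, gid: 0, max_mode: 0750)
  st = File.lstat(path)                      # lstat: do not follow a planted symlink
  findings = []
  findings << "is a symbolic link" if st.symlink?
  findings << "not a regular file" unless st.file?
  findings << format("owned by uid %d, expected %d", st.uid, uid) unless st.uid == uid
  findings << format("group is gid %d, expected %d", st.gid, gid) unless st.gid == gid
  mode = st.mode & 07777
  # Every bit outside max_mode is a finding: world-readable (0004) is the
  # CVE-2012-5561 case, but group-writable or setuid bits would be flagged too.
  extra = mode & ~max_mode
  findings << format("mode %04o has extra bits %04o", mode, extra) unless extra.zero?
  findings
end

# Apply the ownership and mode the advisory's note requires, then re-audit.
# File.chown raises Errno::EPERM unless the caller may change the owner
# (normally root), which is the right behaviour for a hardening step.
def harden_secret_file(path, uid: 0, gid: 0, mode: 0750)
  File.chmod(mode, path)
  File.chown(uid, gid, path)
  audit_secret_file(path, uid: uid, gid: gid, max_mode: mode)
end

if __FILE__ == $0
  # Constructed sample: a throw-away file left world-readable, as the
  # pre-fix katello-generate-passphrase did to the real passphrase file.
  f = Tempfile.new("passphrase")
  f.write("constructed-passphrase\n")
  f.close
  File.chmod(0644, f.path)
  me, mg = Process.uid, File.stat(f.path).gid
  p audit_secret_file(f.path, uid: me, gid: mg)   # => ["mode 0644 has extra bits 0004"]
  p harden_secret_file(f.path, uid: me, gid: mg)  # => []
  f.unlink
end
```

Using `lstat` rather than `stat` matters for a file in a directory other users can write to: a symlink at the expected path would otherwise be reported with its target's permissions.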

Three flaws were found in rubygem-rack. A remote attacker could use these
flaws to perform a denial of service attack against applications using
rubygem-rack. (CVE-2012-6109, CVE-2013-0183, CVE-2013-0184)

A flaw was found in the way rubygem-activerecord dynamic finders extracted
options from method parameters. A remote attacker could possibly use this
flaw to perform SQL injection attacks against applications using the Active
Record dynamic finder methods. (CVE-2012-6496)

It was found that ruby_parser from rubygem-ruby_parser created a temporary
file in an insecure way. A local attacker could use this flaw to perform a
symbolic link attack, overwriting arbitrary files accessible to the
application using ruby_parser. (CVE-2013-0162)

The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat;
CVE-2012-5604 was discovered by Og Maciel of Red Hat; CVE-2012-5561 was
discovered by Aaron Weitekamp of the Red Hat Cloud Quality Engineering
team; and CVE-2013-0162 was discovered by Michael Scherer of the Red Hat
Regional IT team.

These updated Subscription Asset Manager packages include a number of bug
fixes and enhancements. Space precludes documenting all of these changes
in this advisory. Refer to the Red Hat Subscription Asset Manager 1.2
Release Notes for information about these changes:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Subscription_Asset_Manager/1.2/html/Release_Notes/index.html

All users of Red Hat Subscription Asset Manager are advised to upgrade to
these updated packages, which fix these issues and add various
enhancements.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

760564 - UI should show virtual child pools as "children" of the parent.
800145 - Manifest import needs to be smarter about product attribute copying
809823 - katello-configure --deployment=katello is accepted in a SAM only installation.
813291 - [RFE] Username cannot contain characters other than alpha numerals,'_', '-', can not resume after failure
817845 - Better CLI error message when options are invalid
817946 - API not accessible from browser
818679 - katello-configure --help should show valid options.
818903 - Name of the pdf generated for sam system report command should be modified
819002 - [RFE] Hide password creation and Email fields at user creation time if LDAP auth is enabled in CFSE
819611 - [RFE] SAM 1.0 Have PostgreSQL only listen on 127.0.0.1 instead of 127.0.0.1 and 0.0.0.0
822942 - [RFE] Add new Application Shell to Subscription Asset Manager
822943 - [RFE] Improved Subscription Viewer
822945 - [RFE] Improved Visibility to Customer Portal
826099 - katello-debug returns unexpected error messages when run on a SAM installation
829474 - Assigning a subscription to a machine in SAM does not update the compliance icon in the System List
832425 - SAM cli headpin Version command returns exitCode as 1 even after successful completion of command
832462 - katello-cli and katello-cli-headpin should know how to handle upgrading to prevent file conflicts over client.conf.
840595 - katello-configure --help optparse.rb:395:in `+': can't convert nil into String (TypeError)
840600 - Post creating new environment in headpin, webui returns row:NotFound error
840603 - Post 'import manifest' subscriptions return row:NotFound
840609 - katello-headpin displays system groups under activation key when headpin will not support system groups
840792 - Activation key delete displays error
840969 - Delete environment with members causes Couldn't find KTEnvironment with
841868 - Systems page always shows lo interface IP on list
843625 - The thin server on sam installations will listen on all ip addresses, should listen on localhost only.
843857 - Katello Webui dashboard does not render the pie chart (graph) in the appropriate location
843861 - Installing the candlepin-cert bootstrap package fails on RHEL5.8+
843904 - During transition between systems in the webui, user will see System Group and Errata elements along with install button and other.
845501 - katello-configure --deployment=headpin fails after katello-headpin-all install on fedora-16
845620 - [RFE] Improve messaging around results of setting the yStream
847024 - Web pages fail to render all elements and colors correctly in IE8 and IE9
847117 - Extend scroll bug on content tab, with > 50 subscriptions only the first 50 will populate.
847598 - katello-configure --deployment failed after katello-all install
850336 - As a user I would like the organization selector at login to provide feedback once I have selected the org I wish to login to.
852508 - User limited by role will receive ResourceTypeNotFound in Dashboard#index when logging in
854278 - After adding certain objects to katello one will see a warning, '' did not meet the current search criteria and is not being shown
854283 - When creating a new organization, the Environment specified at creation time is not being created.
854985 - subscription-manager register for a system fails using the activation key
856303 - "Invalid resource type 'system_groups' " error message when trying to unregister from SAM
856777 - Test case failure: As a Admin I would like to know that my manifest will load as scheduled, even if katello-jobs is not running when I submit the request.
856795 - Test case failure: [SAM] Install - Quick (Default) Fails
857452 - katello-configure fails with katello-jobs change to running failed
859128 - Consumer fails to consume content from a Headpin distributor PYCURL ERROR 52 - "Empty reply from server"
863461 - Headpin Cli automation : Failure to list the org updated with special chars other than ascii chars
865571 - man page for headpin shows katello context
866323 - Storing the user report via cli in a pdf format fails in headpin-cli upstream
866972 - katello-debug needs to take headpin into consideration
866995 - server version is "Unknown" when registered to a katello/cfse/sam server
868290 - Thumbslug needs to verify more certificates.
869380 - add confirmation dialog to "delete manifest" functionality
871622 - Upgrade from 1.0 to 1.2 fails with file conflict
872332 - Username/password from previous katello-configure returns CLI error "error: string indices must be integers"
872334 - existing orgs do not get default value for system_info_keys in database
872335 - deleting an imported manifest should add message to /owner/$owner/imports results
872602 - API: /consumers/{id}/entitlements returns incorrect data and Content-Type header
872687 - create a Role with single-character name fails
873038 - Entering an env name of "Library" when creating an organization does not give clear error message
873443 - RAM value listed should be "memory.memtotal" fact
873803 - subscription filter chooser on systems page blinks when page first loads
873809 - Javascript error when looking at Import History for subscriptions
874182 - Creating a consumer with blank sockets results in missing system
874280 - change of terminology related to subscriptions and distributors
874502 - Upload manifests UI in 'ja' language contains headings overwritten on each other
874510 - Activation Key Page in 'ja' language headings overwritten in headpin
874583 - Environments do not populate when adding a new user without full admin
874737 - [upgrade] 1.0 to 1.1 upgrades brings UI error on Organizations edit page
874744 - Product labels are not currently required to be unique.
875101 - ISO installer uses 2.7 API, which does not run on RHEL 6
875609 - Could not find ESX/Hyper-V host on SAM WebUI
875876 - Thumbslug prevents client connections for unknown reason
876869 - [ja_JP][SAM Web GUI] Overlapped in Add Permission page and Edit Permission page.
876896 - [ja_JP][SAM Web GUI] Overlapped in Content - Subscriptions page
876911 - [ja_JP][SAM Web GUI] Overlapped in Content - Activation Keys page
877317 - [ALL_LANG][SAM Web GUI] Unlocalized string 'Viewing xx of xx results (xx Total xx)'.
877473 - SAM upgrade fails with uninitialized constant Glue::Foreman
877894 - [ALL_LANG][SAM Web GUI] Some unlocalized messages for creating Users.
878191 - CLI system remove_deletion fails calling candlepin proxy
878341 - [ja_JP][zh_TW][ko_KR][SAM Web GUI] Default environment name 'Library' should not be localized.
878355 - [ru_RU][fr_FR][SAM Web GUI] - Text not fitting in the level properly
878370 - [ALL_LANG][SAM Web GUI] Unlocalized date, tooltips for Release Version and strings for Systems
878377 - [es_ES] - Unlocalized strings in SAM Web GUI pages.
878693 - [RFE] Selecting multiple systems does not give me any action
878750 - [es_ES][it_IT][SAM Web GUI] - Mouse over and Click tool causing overlap with the other contents
879094 - CVE-2012-5561 Katello: /etc/katello/secure/passphrase is world readable
879170 - [fr_FR][SAM Web GUI] - Untranslated strings in SAM Web GUI
879245 - [cli] `system subscriptions --uuid`returns python's "None" as system name
879320 - [cli] system list shows 127.0.0.1 for registered virtual guests
880113 - [ALL LANG][SAM CLI] undefined method `with_indifferent_access' for #<Array:0x7f9a1164f0e8> occurred when --add_subscription or  --remove_subscription with blank or invalid ?? value for activation_key update module.
880116 - [ALL LANG][SAM CLI] undefined method `[]' for nil:NilClass occurred when --add_subscription with pool id for activation_key update module.
880710 - subscription-manager problems when organization label is different than name
880848 - Typo: Subscripton/Subscription in the Dashboard
880905 - [fr_FR][it_IT][SAM Web GUI] - New Role can not be created
881616 - [ALL_LANG][SAM Web GUI] Usage Limit value to be set as '-1' when uncheck the 'Unlimited' and Save the Activation Key.
882129 - CVE-2012-5603 CloudForms Katello: lack of authorization in proxies_controller.rb
882136 - CVE-2012-5604 rubygem-ldap_fluff: CloudForms authentication bypass when handling anonymous LDAP bind
882957 - HTML id attributes are not unique
885096 - Headpin/SAM headpin mode new foreman command 'architecture' should be removed
886137 - Tracker: remove katello-reset-dbs script
886462 - [cli] ping returns $? == 30 (but all services are OK)
889649 - CVE-2012-6496 rubygem-activerecord: find_by_* SQL Injection
890000 - Can not auto-subscribe against SAM-20121221.n.1 server
892639 - SAM Compose : 7th January puddle -> katello-configure failed
892806 - CVE-2013-0162 rubygem-ruby_parser: incorrect temporary file usage
895277 - CVE-2012-6109 rubygem-rack: parsing Content-Disposition header DoS
895282 - CVE-2013-0183 rubygem-rack: receiving excessively long lines triggers out-of-memory error
895384 - CVE-2013-0184 rubygem-rack: Rack::Auth::AbstractRequest DoS
896550 - Typo during generation of candlepin.conf

6. Package List:

Red Hat Subscription Asset Manager for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/apache-commons-codec-1.7-2.el6_3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/apache-mime4j-0.6-4_redhat_1.ep6.el6.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/candlepin-0.7.23-1.el6_3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/elasticsearch-0.19.9-5.el6_3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/katello-1.2.1-15h.el6_3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/katello-certs-tools-1.2.1-1h.el6_3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/katello-cli-1.2.1-12h.el6_3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/katello-configure-1.2.3-3h.el6_3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/katello-selinux-1.2.1-2h.el6_3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/lucene3-3.6.1-10h.el6_3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/puppet-2.6.17-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/quartz-2.1.5-4.el6_3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/rubygem-activesupport-3.0.10-10.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/rubygem-apipie-rails-0.0.12-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/rubygem-ldap_fluff-0.1.3-1.el6_3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/rubygem-mail-2.3.0-3.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/rubygem-ruby_parser-2.0.4-6.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/sigar-1.6.5-0.12.git58097d9h.el6_3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/snappy-java-1.0.4-2.el6_3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/SAM/SRPMS/thumbslug-0.0.28-1.el6_3.src.rpm

noarch:
apache-mime4j-0.6-4_redhat_1.ep6.el6.1.noarch.rpm
apache-mime4j-javadoc-0.6-4_redhat_1.ep6.el6.1.noarch.rpm
candlepin-0.7.23-1.el6_3.noarch.rpm
candlepin-devel-0.7.23-1.el6_3.noarch.rpm
candlepin-selinux-0.7.23-1.el6_3.noarch.rpm
candlepin-tomcat6-0.7.23-1.el6_3.noarch.rpm
elasticsearch-0.19.9-5.el6_3.noarch.rpm
katello-certs-tools-1.2.1-1h.el6_3.noarch.rpm
katello-cli-1.2.1-12h.el6_3.noarch.rpm
katello-cli-common-1.2.1-12h.el6_3.noarch.rpm
katello-common-1.2.1-15h.el6_3.noarch.rpm
katello-configure-1.2.3-3h.el6_3.noarch.rpm
katello-glue-candlepin-1.2.1-15h.el6_3.noarch.rpm
katello-headpin-1.2.1-15h.el6_3.noarch.rpm
katello-headpin-all-1.2.1-15h.el6_3.noarch.rpm
katello-selinux-1.2.1-2h.el6_3.noarch.rpm
lucene3-3.6.1-10h.el6_3.noarch.rpm
lucene3-contrib-3.6.1-10h.el6_3.noarch.rpm
puppet-2.6.17-2.el6cf.noarch.rpm
puppet-server-2.6.17-2.el6cf.noarch.rpm
quartz-2.1.5-4.el6_3.noarch.rpm
rubygem-activesupport-3.0.10-10.el6cf.noarch.rpm
rubygem-apipie-rails-0.0.12-2.el6cf.noarch.rpm
rubygem-ldap_fluff-0.1.3-1.el6_3.noarch.rpm
rubygem-mail-2.3.0-3.el6cf.noarch.rpm
rubygem-mail-doc-2.3.0-3.el6cf.noarch.rpm
rubygem-ruby_parser-2.0.4-6.el6cf.noarch.rpm
rubygem-ruby_parser-doc-2.0.4-6.el6cf.noarch.rpm
thumbslug-0.0.28-1.el6_3.noarch.rpm
thumbslug-selinux-0.0.28-1.el6_3.noarch.rpm

x86_64:
apache-commons-codec-1.7-2.el6_3.x86_64.rpm
apache-commons-codec-debuginfo-1.7-2.el6_3.x86_64.rpm
sigar-1.6.5-0.12.git58097d9h.el6_3.x86_64.rpm
sigar-debuginfo-1.6.5-0.12.git58097d9h.el6_3.x86_64.rpm
sigar-java-1.6.5-0.12.git58097d9h.el6_3.x86_64.rpm
snappy-java-1.0.4-2.el6_3.x86_64.rpm
snappy-java-debuginfo-1.0.4-2.el6_3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-5561.html
https://www.redhat.com/security/data/cve/CVE-2012-5603.html
https://www.redhat.com/security/data/cve/CVE-2012-5604.html
https://www.redhat.com/security/data/cve/CVE-2012-6109.html
https://www.redhat.com/security/data/cve/CVE-2012-6496.html
https://www.redhat.com/security/data/cve/CVE-2013-0162.html
https://www.redhat.com/security/data/cve/CVE-2013-0183.html
https://www.redhat.com/security/data/cve/CVE-2013-0184.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Subscription_Asset_Manager/1.2/html/Release_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJnPCXlSAg2UNWIIRAq2dAKCQZX3pZfaEu6MNNioy5AlcY+sonQCfSn/a
WrxtC+HWUg11apjnU7Lzjts=
=r0mR
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: CloudForms Common 1.1.2 update
Advisory ID:       RHSA-2013:0548-01
Product:           Red Hat CloudForms
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0548.html
Issue date:        2013-02-21
CVE Names:         CVE-2012-6109 CVE-2013-0162 CVE-2013-0183
                   CVE-2013-0184 CVE-2013-0256
=====================================================================

1. Summary:

CloudForms Common 1.1.2 is now available.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

CloudForms Cloud Engine for RHEL 6 Server - noarch, x86_64
CloudForms System Engine for RHEL 6 Server - noarch, x86_64

3. Description:

Red Hat CloudForms is an on-premise hybrid cloud
Infrastructure-as-a-Service (IaaS) product that lets you create and manage
private and public clouds. It provides self-service computing resources to
users in a managed, governed, and secure way.

Three flaws were found in rubygem-rack. A remote attacker could use these
flaws to perform a denial of service attack against applications using
rubygem-rack. (CVE-2012-6109, CVE-2013-0183, CVE-2013-0184)

It was found that documentation created by rubygem-rdoc was vulnerable to
a cross-site scripting (XSS) attack. If such documentation was accessible
over a network, and a remote attacker could trick a user into visiting a
specially-crafted URL, it would lead to arbitrary web script execution in
the context of the user's session. As rubygem-rdoc is used for creating
documentation for Ruby source files (such as classes, modules, and so on),
it is not a common scenario to make such documentation accessible over the
network. (CVE-2013-0256)

It was found that ruby_parser from rubygem-ruby_parser created a temporary
file in an insecure way. A local attacker could use this flaw to perform a
symbolic link attack, overwriting arbitrary files accessible to the
application using ruby_parser. (CVE-2013-0162)
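
The CVE-2013-0162 paragraph here, and the identical one in the Subscription Asset Manager advisory above, describe the same defect class: a temporary file created in a way that lets a pre-planted symbolic link redirect the write. The following Ruby example is added for both passages and is not code from rubygem-ruby_parser or from Red Hat; it shows the insecure open beside the hardened one and runs both inside a throw-away directory. The file names (`ruby_parser.tmp`, `victim.conf`) and the file contents are constructed for the demonstration.

```ruby
require "tmpdir"
require "securerandom"

# The defect class behind CVE-2013-0162: a temporary file at a fixed,
# predictable name in a shared directory, opened with O_CREAT but not
# O_EXCL. If that name already exists as a symbolic link, open() follows
# it and the write lands on the link's target.
def write_temp_insecure(dir, data)
  path = File.join(dir, "ruby_parser.tmp")   # predictable name (constructed)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0600) { |f| f.write(data) }
  path
end

# Hardened form: an unguessable name plus O_EXCL, so an entry that already
# exists at that path (symlink or file) makes open() fail instead of being
# reused; O_NOFOLLOW is added where the platform defines it. This is the
# guarantee Ruby's Tempfile relies on as well.
def write_temp_secure(dir, data)
  path = File.join(dir, "ruby_parser.#{Process.pid}.#{SecureRandom.hex(8)}")
  create_excl(path, data)
end

def create_excl(path, data)
  flags = File::WRONLY | File::CREAT | File::EXCL
  flags |= File::NOFOLLOW if File.const_defined?(:NOFOLLOW)
  File.open(path, flags, 0600) { |f| f.write(data) }
  path
end

# Sandbox demonstration: everything lives in the directory passed in.
# Returns a hash describing what happened to a constructed "victim" file
# when a symlink was already present at the predictable name.
def demo_symlink_race(dir)
  victim = File.join(dir, "victim.conf")
  File.write(victim, "original contents\n")
  planted = File.join(dir, "ruby_parser.tmp")
  File.symlink(victim, planted)             # the pre-existing link the insecure open follows

  write_temp_insecure(dir, "clobbered\n")   # follows the link: victim is overwritten
  insecure_result = File.read(victim)

  secure_error = nil
  begin
    create_excl(planted, "clobbered again\n") # O_EXCL refuses the existing entry
  rescue SystemCallError => e
    secure_error = e.class                    # Errno::EEXIST on Linux
  end
  secure_path = write_temp_secure(dir, "safe\n") # fresh unguessable name, created cleanly

  { victim_after_insecure: insecure_result,
    excl_error: secure_error,
    secure_file_ok: File.read(secure_path) == "safe\n" && !File.symlink?(secure_path) }
end

if __FILE__ == $0
  Dir.mktmpdir { |d| p demo_symlink_race(d) }
end
```

Both halves of the hardened form are needed: an unpredictable name alone is a race that a fast local process can still win, and O_EXCL alone on a predictable name turns the attack into a denial of service (the open fails) rather than removing it.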

Red Hat would like to thank Eric Hodel of RDoc upstream for reporting
CVE-2013-0256. Upstream acknowledges Evgeny Ermakov as the original
reporter of CVE-2013-0256. The CVE-2013-0162 issue was discovered by
Michael Scherer of the Red Hat Regional IT team.

Refer to the CloudForms 1.1.2 Release Notes for further information about
this release. The Release Notes will be available shortly from
https://access.redhat.com/knowledge/docs/

Users of CloudForms Common are advised to upgrade to these updated
packages.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

892806 - CVE-2013-0162 rubygem-ruby_parser: incorrect temporary file usage
895277 - CVE-2012-6109 rubygem-rack: parsing Content-Disposition header DoS
895282 - CVE-2013-0183 rubygem-rack: receiving excessively long lines triggers out-of-memory error
895384 - CVE-2013-0184 rubygem-rack: Rack::Auth::AbstractRequest DoS
907820 - CVE-2013-0256 rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template

6. Package List:

CloudForms Cloud Engine for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-activesupport-3.0.10-10.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-delayed_job-2.1.4-3.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-nokogiri-1.5.0-0.9.beta4.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-rack-1.3.0-3.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-rails_warden-0.5.5-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-rdoc-3.8-6.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-rspec-rails-2.6.1-7.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-ruby_parser-2.0.4-6.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-shoulda-2.11.3-5.el6cf.src.rpm

noarch:
rubygem-activesupport-3.0.10-10.el6cf.noarch.rpm
rubygem-delayed_job-2.1.4-3.el6cf.noarch.rpm
rubygem-delayed_job-doc-2.1.4-3.el6cf.noarch.rpm
rubygem-nokogiri-doc-1.5.0-0.9.beta4.el6cf.noarch.rpm
rubygem-rack-1.3.0-3.el6cf.noarch.rpm
rubygem-rails_warden-0.5.5-2.el6cf.noarch.rpm
rubygem-rails_warden-doc-0.5.5-2.el6cf.noarch.rpm
rubygem-rdoc-3.8-6.el6cf.noarch.rpm
rubygem-rdoc-doc-3.8-6.el6cf.noarch.rpm
rubygem-rspec-rails-2.6.1-7.el6cf.noarch.rpm
rubygem-rspec-rails-doc-2.6.1-7.el6cf.noarch.rpm
rubygem-ruby_parser-2.0.4-6.el6cf.noarch.rpm
rubygem-ruby_parser-doc-2.0.4-6.el6cf.noarch.rpm
rubygem-shoulda-2.11.3-5.el6cf.noarch.rpm
rubygem-shoulda-doc-2.11.3-5.el6cf.noarch.rpm

x86_64:
ruby-nokogiri-1.5.0-0.9.beta4.el6cf.x86_64.rpm
rubygem-nokogiri-1.5.0-0.9.beta4.el6cf.x86_64.rpm
rubygem-nokogiri-debuginfo-1.5.0-0.9.beta4.el6cf.x86_64.rpm

CloudForms System Engine for RHEL 6 Server:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-activesupport-3.0.10-10.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-delayed_job-2.1.4-3.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-nokogiri-1.5.0-0.9.beta4.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-rack-1.3.0-3.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-rails_warden-0.5.5-2.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-rdoc-3.8-6.el6cf.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/CloudForms/SRPMS/rubygem-ruby_parser-2.0.4-6.el6cf.src.rpm

noarch:
rubygem-activesupport-3.0.10-10.el6cf.noarch.rpm
rubygem-delayed_job-2.1.4-3.el6cf.noarch.rpm
rubygem-delayed_job-doc-2.1.4-3.el6cf.noarch.rpm
rubygem-nokogiri-doc-1.5.0-0.9.beta4.el6cf.noarch.rpm
rubygem-rack-1.3.0-3.el6cf.noarch.rpm
rubygem-rails_warden-0.5.5-2.el6cf.noarch.rpm
rubygem-rails_warden-doc-0.5.5-2.el6cf.noarch.rpm
rubygem-rdoc-3.8-6.el6cf.noarch.rpm
rubygem-rdoc-doc-3.8-6.el6cf.noarch.rpm
rubygem-ruby_parser-2.0.4-6.el6cf.noarch.rpm
rubygem-ruby_parser-doc-2.0.4-6.el6cf.noarch.rpm

x86_64:
ruby-nokogiri-1.5.0-0.9.beta4.el6cf.x86_64.rpm
rubygem-nokogiri-1.5.0-0.9.beta4.el6cf.x86_64.rpm
rubygem-nokogiri-debuginfo-1.5.0-0.9.beta4.el6cf.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-6109.html
https://www.redhat.com/security/data/cve/CVE-2013-0162.html
https://www.redhat.com/security/data/cve/CVE-2013-0183.html
https://www.redhat.com/security/data/cve/CVE-2013-0184.html
https://www.redhat.com/security/data/cve/CVE-2013-0256.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/knowledge/docs/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJnS3XlSAg2UNWIIRAqlfAJ9IdWzwR1jRVkigqRmIspu4cz7MfACfcSMq
dDqeZ5fkafTxBkjC5g2S5oE=
=xVia
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Directory Server security and bug fix update
Advisory ID:       RHSA-2013:0549-01
Product:           Red Hat Directory Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0549.html
Issue date:        2013-02-21
CVE Names:         CVE-2012-0833
=====================================================================

1. Summary:

Updated Red Hat Directory Server and related packages that fix one security
issue and multiple bugs are now available for Red Hat Directory Server 8.2.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Directory Server 8 (for RHEL 5 Server) - i386, x86_64

3. Description:

The redhat-ds-base packages provide Red Hat Directory Server, which is an
LDAPv3 compliant server. The base packages include the Lightweight
Directory Access Protocol (LDAP) server and command-line utilities for
server administration.

A flaw was found in the way the 389 Directory Server daemon (ns-slapd)
handled access control instructions (ACIs) using certificate groups. If an
LDAP user that had a certificate group defined attempted to bind to the
directory server, it would cause ns-slapd to enter an infinite loop and
consume an excessive amount of CPU time. (CVE-2012-0833)

Red Hat would like to thank Graham Leggett for reporting this issue.

This update also fixes the following bugs:

* Search with a complex filter that included a range search filter was
slow. (BZ#853004)

* If the server was restarted, or there was some type of connection
failure, it was possible that users were no longer able to log into the
console. Manual action is required to apply this fix: you must add an aci
to each "cn=Server Group" entry in "o=netscaperoot" that allows
anonymous/all users read/search rights. (BZ#856089)

* With replication enabled, trying to replace an existing value, where the
new value only differs in case (for example, changing "cn: foo" to "cn:
FOO"), resulted in the operation failing with an error 20. (BZ#891866)

All users of Red Hat Directory Server 8.2 should upgrade to these updated
packages, which resolve these issues.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

787014 - CVE-2012-0833 389: denial of service when using certificate groups

6. Package List:

Red Hat Directory Server 8 (for RHEL 5 Server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHDirServ/SRPMS/adminutil-1.1.8-3.el5dsrv.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHDirServ/SRPMS/redhat-ds-base-8.2.11-5.el5dsrv.src.rpm

i386:
adminutil-1.1.8-3.el5dsrv.i386.rpm
adminutil-debuginfo-1.1.8-3.el5dsrv.i386.rpm
adminutil-devel-1.1.8-3.el5dsrv.i386.rpm
redhat-ds-base-8.2.11-5.el5dsrv.i386.rpm
redhat-ds-base-debuginfo-8.2.11-5.el5dsrv.i386.rpm
redhat-ds-base-devel-8.2.11-5.el5dsrv.i386.rpm

x86_64:
adminutil-1.1.8-3.el5dsrv.x86_64.rpm
adminutil-debuginfo-1.1.8-3.el5dsrv.x86_64.rpm
adminutil-devel-1.1.8-3.el5dsrv.x86_64.rpm
redhat-ds-base-8.2.11-5.el5dsrv.x86_64.rpm
redhat-ds-base-debuginfo-8.2.11-5.el5dsrv.x86_64.rpm
redhat-ds-base-devel-8.2.11-5.el5dsrv.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-0833.html
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRJnTzXlSAg2UNWIIRAj9gAJ4xGfJ6EW6ZQGB0FtilgM5T7VD0ywCgwSkJ
sYWwWlLHJkQ+VxeNPo6Xmpg=
=b4X0
-----END PGP SIGNATURE-----



