Red Hat Training
A Red Hat training course is available for Red Hat Satellite
Release Notes
Product notes, new features, and known bugs for Red Hat Satellite 6.3.
Red Hat Satellite Documentation Team
satellite-doc-list@redhat.comAbstract
Chapter 1. Introduction
Red Hat Satellite is a system management solution that enables you to deploy, configure, and maintain your systems across physical, virtual, and cloud environments. Satellite provides provisioning, remote management and monitoring of multiple Red Hat Enterprise Linux deployments with a single, centralized tool.
Red Hat Satellite Server synchronizes the content from Red Hat Customer Portal and other sources, and provides functionality including fine-grained life cycle management, user and group role-based access control, integrated subscription management, as well as advanced GUI, CLI, or API access.
Red Hat Satellite Capsule Server mirrors content from Red Hat Satellite Server to facilitate content federation across various geographical locations. Host systems can pull content and configuration from the Capsule Server in their location and not from the central Satellite Server. The Capsule Server also provides localized services such as Puppet Master, DHCP, DNS, or TFTP. Capsule Servers assist you in scaling Red Hat Satellite as the number of managed systems increases in your environment.
1.1. Satellite 6 Component Versions
Red Hat Satellite is a combination of a number of upstream projects. For the full details of the major projects included, and the version of those projects included in each major and minor release of Red Hat Satellite, see Satellite 6 Component Versions.
1.2. Red Hat Satellite and Proxy Server Life Cycle
For an overview of the life cycle phases for Red Hat Network Satellite and Red Hat Satellite and the status of support for these products, see Red Hat Satellite and Proxy Server Life Cycle.
1.3. Red Hat Satellite FAQ
For a list of frequently asked questions about Red Hat Satellite 6, see Red Hat Satellite 6 FAQ.
Chapter 2. Content Delivery Network Repositories
This section describes the repositories required to install Red Hat Satellite 6.3.
You can install Red Hat Satellite 6.3 through the Content Delivery Network (CDN). To do so, configure subscription-manager to use the correct repository for your operating system version and variant.
Run the following command to enable a CDN repository:
# subscription-manager repos --enable=[reponame]Run the following command to disable a CDN repository:
# subscription-manager repos --disable=[reponame]The following sections outline the repositories required by Red Hat Satellite 6.3. When one of these repositories is required to install a package, the steps to enable the required repositories are included in the documentation.
2.1. Red Hat Satellite
The following table lists the repositories for Red Hat Satellite Server.
Table 2.1. Red Hat Satellite
| Channel | Repository Name |
|---|---|
| Red Hat Satellite 6.3 (for RHEL 7 Server) (RPMs) |
|
| Red Hat Satellite 6.3 - Puppet 4 (for RHEL 7 Server) (RPMs) |
|
2.2. Red Hat Satellite Capsule
The following table lists the repositories for Red Hat Satellite Capsule Server.
Table 2.2. Red Hat Satellite Capsule
| Channel | Repository Name |
|---|---|
| Red Hat Satellite Capsule 6.3 (for RHEL 7 Server) (RPMs) |
|
| Red Hat Satellite Capsule 6.3 - Puppet 4 (for RHEL 7 Server) (RPMs) |
|
2.3. Red Hat Satellite Maintenance
The following table lists the repositories for Red Hat Satellite Maintenance.
Table 2.3. Red Hat Satellite Maintenance
| Channel | Repository Name |
|---|---|
| Red Hat Satellite Maintenance 6 (for RHEL 7 Server) (RPMs) |
|
2.4. Red Hat Satellite Tools
The following table lists the repositories for Red Hat Satellite Tools.
Table 2.4. Red Hat Satellite Tools
| Channel | Repository Name |
|---|---|
| Red Hat Satellite Tools 6.3 (for RHEL 5 Server - AUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 5 Server - ELS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 5 for System Z - ELS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 6 Desktop) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 6 Server) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 6 Server - EUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 6 Server - AUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 6 Workstation) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 6 for System Z) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 6 for System Z - EUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 6 for IBM Power) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 6 for IBM Power - EUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 6 for Scientific Computing) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 6 for Scientific Computing - EUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 7 Desktop) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 7 Server) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 7 Server - EUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 7 Server - AUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 7 Workstation) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 7 for System Z) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 7 for System Z - EUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 7 for IBM Power) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 7 for IBM Power - EUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 7 for Scientific Computing) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 7 for Scientific Computing - EUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 7 for IBM Power LE) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 7 for IBM Power LE - EUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 (for RHEL 7 Server for ARM) (RPMs) |
|
2.5. Red Hat Satellite Tools - Puppet 4
The following table lists the repositories for Red Hat Satellite Tools - Puppet 4.
Table 2.5. Red Hat Satellite Tools - Puppet 4
| Channel | Repository Name |
|---|---|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 5 Server - AUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 5 Server - ELS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 6 Desktop) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 6 Server) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 6 Server - EUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 6 Server - AUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 6 Workstation) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 6 for Scientific Computing) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 6 for Scientific Computing - EUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 Desktop) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 Server) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 Server - EUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 Server - AUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 Workstation) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 for Scientific Computing) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 for Scientific Computing - EUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 for IBM Power LE) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 for IBM Power LE - EUS) (RPMs) |
|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 Server for ARM) (RPMs) |
|
Chapter 3. Key Changes to the Documentation Set
Several notable changes were made to the Red Hat Satellite documentation set for this release. The following list outlines and explains these changes.
- Errata Management Guide
- The Errata Management Guide is a new title that describes how to set up patching in a Red Hat Satellite environment.
- Hammer CLI Guide
- A full reference to Hammer commands has now been added. For more information, see Reference in the Hammer CLI Guide.
- Host Configuration Guide
- The Host Configuration Guide included in the Red Hat Satellite 6.2 documentation suite has now been renamed Managing Hosts to more closely reflect the content it contains. Content on configuring provisioning environments and managing content previously found in this guide has been moved to the Provisioning Guide and Content Management Guide respectively.
- Installation Guide
- Content on upgrading and updating Red Hat Satellite has been moved to a standalone title Upgrading and Updating Red Hat Satellitie.
- Server Administration Guide
- The Server Administration Guide included in the Red Hat Satellite 6.2 documentation suite has now been renamed Administering Red Hat Satellite to more closely reflect the content it contains. Content on managing content previously found in this guide has been moved to the Content Management Guide.
Chapter 4. New Features and Enhancements
This chapter introduces new features in Red Hat Satellite 6.3, and links to further information.
- Ansible Tower Integration
- Satellite 6.3 now supports Ansible Tower Integration. Ansible Tower is a web-based graphical interface for automating management tasks such as cloud provisioning, configuration, and application deployment. Red Hat Satellite, with Ansible Tower, provides a dynamic inventory, and provisioning callbacks. Ansible Tower is able to use Red Hat Satellite as a dynamic inventory source, and both products are able to sync inventory. Systems provisioned by Red Hat Satellite are able to ‘callback’ to Tower, allowing Ansible playbooks to run post provisioning.
- Arbitrary Files in Content Views
- Satellite 6.3 provides the ability for custom products to include repositories for custom file types. This provides a generic method to incorporate arbitrary files in a product. Applications range from distributing SSH keys and source code files to larger files such as virtual machine images and ISO files.
- Bulk Subscription Upgrade Tooling
- Satellite 6.3 subscription management now provides the ability to manage subscriptions against multiple systems. This includes the ability to export subscriptions to a file in CSV format, import from a previously exported CSV file, and bulk-attach subscriptions using the API and CLI.
- Cloning Utility
- Satellite 6.3 provides the ability to restore Red Hat Satellite to a bare metal environment by cloning an existing Red Hat Satellite 6.1 or 6.2 backup, and then upgrading the clone to Red Hat Satellite 6.3.
- Content Synchronization Policies
- Red Hat Satellite Capsules now feature their own user selectable download policy for repositories: On Demand, Background, Immediate, and Inherit from Repository.
- EC2 Support
- Satellite 6.3 now supports running on Amazon Elastic Compute Cloud (Amazon EC2).
- Email Setting Configuration
- Satellite 6.3 introduces user configurable email settings by the API and the Administer settings of the web user interface. Settings include Sendmail/SMTP settings, authentication settings, and how emails are sent by Satellite.
- Future-Dated Subscriptions
- Satellite 6.3 introduces the ability to view and attach future dated subscriptions to systems. The Red Hat Customer Portal now has the facility to view and download manifests containing future dated subscriptions.
- Host Name Control
- Satellite 6.3 features improved hostname creation logic for clients with Discovery, providing the ability to set the fact that is used for the hostname of the system.
- Improved Compute Resource Configuration
- Satellite 6.3 introduces user configurable resource allocation within hypervisor environments.
- LDAP User Organization and Location Assignment
- This release adds to Hammer the ability to change the default location or organisation of a user, using the name of the location or organization in addition to the ID.
- Login Page Messages
- This release adds the ability to specify a custom message on the login screen to the Red Hat Satellite Server web user interface.
- Notifications Area
This release adds a notifications area to the Red Hat Satellite Server web user interface. It displays event notifications to inform administrators of important environment changes, such as the following:
- Host discovery
- Host deletion
- Successful provisioning of a system
- Imported host with no owner
- OpenSCAP Tailoring Files
- This release adds the ability to upload and use tailoring files to customize existing OpenSCAP policies.
- Organization Administrator Role
- This release adds a new organization administrator role by default. This role can view the configuration of every element of the Satellite structure, logs, and statistics.
- Parameterized Subnets
- This release adds a method to specify parameters for subnets in a similar way as for domains. From the Infrastructure menu, when you create or edit subnets, there is a new Parameters tab.
- Puppet 4 Support
- This release supports hosts with Puppet version 3.8 or later. You can now update hosts to the Puppet 4 agent.
- Red Hat Virtualization 4.0 Support
- This release adds support for Red Hat Virtualization 4.0 as a compute resource back end.
- Rename Utility
- This release includes a tool for renaming a Satellite or Capsule Server.
- SSH Key Provisioning Support
- This release adds support for the deployment of public SSH keys as part of the provisioning process.
- Static IP Configuration in Bootdisks
- This release adds support for static IP configuration to be included in full host bootdisks.
- Template Enhancements
- This release adds two enhancements to provisioning templates. It is now possible to export templates. The template editor now features a Help tab which contains information about the template syntax.
- Tokenized Authentication for Hammer
- This release adds the ability to initiate a token-based authenticated session with Satellite and avoid storing credentials in plain text. You are only prompted once for credentials at the beginning of a session when running Hammer commands.
- UEFI Support
- This release adds support for PXE booting of UEFI systems.
- User Description Field
- This release adds the ability to specify a custom description for individual users in the Red Hat Satellite Server web user interface.
- virt-who Configuration Utility
-
This release adds a feature which assists the task of creating and deploying virt-who configuration files. For RHEV3, RHV4 and RHEL-Based hypervisors, this release supports the following virt-who configuration types:
rhevmandlibvirt.
Chapter 5. Release Information
These release notes highlight technology preview items, recommended practices, known issues, and deprecated functionality to be taken into consideration when deploying this release of Red Hat Satellite 6.
Notes for updates released during the support lifecycle of this Red Hat Satellite 6 release will appear in the advisory text associated with each update.
5.1. Enhancements
This release of Red Hat Satellite 6 features the following enhancements:
BZ#1329051
Previously, users had to synchronize the Atomic Kickstart Tree content manually through a custom repository. With this release, users can synchronize the Atomic Kickstart Tree content from within the Red Hat Content Delivery Network.
5.2. Technology Preview
The items listed in this section are provided as Technology Previews. For further information on the scope of Technology Preview status, and the associated support implications, see https://access.redhat.com/support/offerings/techpreview/.
- Synchronize Templates from Git Repositories
- Satellite 6.3 introduces a plug-in that allows templates to be pushed to, and pulled from, an external Git repository or filesystem. For more information, see Synchronizing Templates with Git.
- Auto-attach Bootdisk for VMWare
- Satellite 6.3 introduces an auto-attach bootdisk for VMWare as a feature. For more information, see Satellite 6.3 Feature Overview: Auto-attach Bootdisk for VMWare [Tech Preview].
- Tracer
- Satellite 6.3 introduces Tracer, an integration with the Tracer tool that monitors running processes and identifies if they need to be restarted due to package updates or similar activities. For more information, see Satellite 6.3 Feature Overview: Tracer [Tech Preview].
BZ#1376191
Previously, provisioning on IBM POWER was not available. With this release, provisioning clients on IBM POWER via BOOTP is available as a Technology Preview feature.
5.3. Release Notes
This section outlines important details about the release, including recommended practices and notable changes to Red Hat Satellite. You must take this information into account to ensure the best possible outcomes for your deployment.
BZ#1432285
Previously, there was an API JSON field named "enabled_override" for the API at "/api/v2/hosts/1/subscriptions/product_content". With this release, the API JSON field name "enabled_override" has been deprecated in favor of "override" to improve consistency.
BZ#1433458
To synchronize container images from a registry with self-signed certificates, you must either configure certificates manually or disable the SSL Verify option.
BZ#1435007
With this release, the roles included in Red Hat Satellite are now read only. If any of these roles were previously customized, an editable version of those roles with the name "Cuztomized XXXX" is created when you upgrade your environment to this version.
BZ#1469599
Because of security fixes that were introduced with this fix, if you clone templates that contain Ruby's `to-proc` syntax in Satellite 6.2, and then upgrade to Satellite 6.3, you cannot use the template.
As a workaround, write the same code as a full Ruby block, for example, `(1..3).collect(&:to_s)` becomes `(1..3).collect {|num| num.to_s}`.
To find affected code, search the template for `&:`. Replace `…(&:…)` with `…{|i| i.…}`.
Use the following two examples as a guide:
Ruby syntax in 6.2 cloned template:
<% host_param('ssh_authorized_keys').split(',').map(&:strip).each do |ssh_key| -%>
Updated Ruby syntax for Satellite 6.3:
<% host_param('ssh_authorized_keys').split(',').map{ |item| item.strip }.each do |ssh_key| -%>
Ruby syntax in 6.2 cloned template:
nameserver=#{[subnet.dns_primary, subnet.dns_secondary].select(&:present?).join(',')}
Updated Ruby syntax for Satellite 6.3:
nameserver=#{[subnet.dns_primary, subnet.dns_secondary].select{ |item| item.present? }.join(',')}BZ#1552093
Previously, the templates used "<%= foreman_url %>" to notify Satellite that the build is done. In 6.3, the templates use "<%= foreman_url('built') %>", which explicitly calls the 'built' template.BZ#1512959
If you plan to manually upgrade from Satellite 6.2 to Satellite 6.3, and if you previously installed the python-pulp-agent-lib package, you must enable the satellite-tools repository to successfully perform the upgrade. This package was moved into the tools repository for Satellite 6.3.BZ#1560607
Several parameters of thecapsule-certs-generatecommand were changed, and some were added. Those prefixed--capsulewere changed to a--foreman-proxyprefix. New parameters prefixed--resetwere added to allow commonly-used parameters to be reset to their default values. A--certs-resetparameter was added to reset any custom certificates and use the self-signed CA instead.
5.4. Deprecated Functionality
Subscriptions Manager Registration Snippet
In this release, you can no longer use the subscription_manager_registration snippet in a template to enable Satellite Tools repositories. You must configure your repositories to be enabled using an activation key.
Hammer Import Tool
In this release, you can no longer use hammer import functionality. To import hosts, you can use the bootstrap script bootstrap.py. For more information, see Importing Existing Hosts via the Bootstrap Script.
5.5. Known Issues
These known issues exist in Red Hat Satellite 6 at this time.
BZ#1321041
- Known Issue
- Hosts provisioned by Satellite, but not registered, are showing a green icon, indicating they are covered by a subscription. These should show a red icon, indicating they are not covered by a subscription.
BZ#1382090
- Known Issue
- In the Red Hat Subscriptions tab of the user interface, the hyperlinks used in the subscription type "Guests of hypervisor-name" are incorrect and broken. This is due to the hyperlink using the candlepin uuid rather than the host ID.
BZ#1445625
- Known Issue
On Puppet Forge, some Puppet modules are invalid and cannot sync with Satellite.
These invalid Puppet modules cause error messages such as
Invalid propertiesorMissingModulePile.Despite receiving a report of a sync failure, the valid Puppet modules sync from Puppet Forge into Satellite.
BZ#1507848
- Known Issue
- Satellite Installer requires absolute paths. Always provide an absolute path for --certs-tar. For example, /root/new.name-certs.tar. If you run the installer with a relative path, run the installer again with the absolute path and the --scenario parameter to create the last_scenario.yml.
BZ#1518848
- Known Issue
- The command katello-change-hostname creates an error condition when run on Satellite 6.2 during migration and upgrade. This occurs because of a bug in the version of the katello-change-hostname command in the 6.2 release. To avoid this problem, complete the upgrade to Satellite 6.3 before running the katello-change-hostname command.
BZ#1523392
- Known Issue
-
Running the
./install_packagescommand when attempting to set up a disconnected Satellite Server fails and returns NOKEY error. - Workaround
- For more information, see the KCS Solution at https://access.redhat.com/solutions/3275791
BZ#1538597
- Known Issue
- When using image-based provisioning against VMWare, attempting to add additional storage to the new host returns an error.
BZ#1541002
- Known Issue
If you try to delete a subnet that is used to provision a machine, instead of receiving a user-friendly error message, you receive a confusing error message:
| NoMethodError: undefined method `klass' for nil:NilClass | Did you mean? class
BZ#1541481
- Known Issue
- If you have SELinux enabled, using Kerberos (KRB) keys instead of RSA keys can cause remote execution jobs to fail.
BZ#1541885
For ISO-based disconnected Satellite users
- Known Issue
- The RPM script is missing "--local", which makes it search the internet to install the "oauth" gem. For disconnected Satellites, this is a problem.
- Workaround
If Puppet 4 is installed, when
yuminstalls packages using the default Puppet 4 repositories, before you runsatellite-installer, enter the following command:/opt/puppetlabs/puppet/bin/gem install --local /usr/share/foreman-installer/gems/oauth-0.5.1.gem- Workaround
If you upgrade to Puppet 4, before you enter the
--upgrade-puppetcommand, enter the following commands:# yum remove -y puppet-server # yum install puppetserver puppet-agent puppet-agent-oauth /opt/puppetlabs/puppet/bin/gem install --local /usr/share/foreman-installer/gems/oauth-0.5.1.gem
BZ#1544401
- Known Issue
-
Running
katello-backupwith a relative path for the destination, for example `katello-backup .', causes an error. - Workaround
-
Run
katello-backupwith a full path. For example 'katello-backup /backup-destination'.
Chapter 6. Technical Notes
This section contains the summary text for bug fixes and enhancements in Red Hat Satellite errata advisories. The information and procedures in this section are relevant to Red Hat Satellite administrators.
6.1. Red Hat Satellite 6.3.0
This section outlines the errata advisories released for Red Hat Satellite 6.3.0.
6.1.1. RHSA-2018:0336: Important: Satellite 6.3 Release
Information about this advisory is available at https://access.redhat.com/errata/product/250/ver=6.3/rhel---7/x86_64/RHSA-2018:0336.
vulnerability
- BZ#1335449
An integer-overflow flaw was found in V8's Zone class when allocating new memory (Zone::New() and Zone::NewExpand()). An attacker with the ability to manipulate a large zone could crash the application or, potentially, execute arbitrary code with the application privileges.
- BZ#1046642
It was found that ruby will_paginate is vulnerable to a XSS via malformed input that cause pagination to occur on an improper boundary. This could allow an attacker with the ability to pass data to the will_paginate gem to display arbitrary HTML including scripting code within the web interface.
- BZ#1327471
A flaw was found in the provisioning template handling in foreman. An attacker, with permissions to create templates, can cause internal Rails information to be displayed when it is processed, resulting in potentially sensitive information being disclosed.
- BZ#1330264
Pulp makes unsafe use of Bash's $RANDOM to generate a NSS DB password and seed resulting in insufficient randomness. An attacker could potentially guess the seed used given enough time and compute resources.
- BZ#1339889
It was found that Satellite 6 did not properly enforce access controls on certain resources. An attacker, with access to the API and knowledge of the ID name, can potentially access other resources in other organizations.
- BZ#1349136
A flaw was found in discovery-debug in foreman. An attacker, with permissions to view the debug results, would be able to view the root password associated with that system, potentially allowing them to access it.
- BZ#1365815
It was found that foreman is vulnerable to a stored XSS via a job template with a malformed name. This could allow an attacker with privileges to set the name in a template to display arbitrary HTML including scripting code within the web interface.
- BZ#1393291
It was found that foreman is vulnerable to a stored XSS via an organization or location name. This could allow an attacker with privileges to set the organization or location name to display arbitrary HTML including scripting code within the web interface.
- BZ#1406729
A flaw was found in katello-debug where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
- BZ#1436262
It was found that the hammer_cli command line client disables SSL/TLS certificate verification by default. A man-in-the-middle (MITM) attacker could use this flaw to spoof a valid certificate.
- BZ#1439537
A flaw was found in foreman's logging during the adding or registering of images. An attacker with access to the foreman log file would be able to view passwords for provisioned systems in the log file, allowing them to access those systems.
- BZ#1480886
It was found that foreman in Satellite 6 did not properly enforce access controls on certain resources. An attacker with access to the API and knowledge of the resource name can access resources in other organizations.
- BZ#1328930
It was found that the private CA key was created in a directory that is world-readable for a small amount of time. A local user could possibly use this flaw to gain access to the private key information in the file.
- BZ#1348939
A flaw was found in foreman's handling of template previews. An attacker with permissions to preview host templates can access the template preview for any host if they are able to guess the host name, disclosing potentially sensitive information.
- BZ#1406384
A flaw was found in foreman-debug's logging. An attacker with access to the foreman log file would be able to view passwords, allowing them to access those systems.
6.1.2. RHBA-2018:0337: Satellite 6.3 Libraries
Information about this advisory is available at https://access.redhat.com/errata/RHBA-2018:0337.html.
6.1.3. RHBA-2018:0338: Satellite 6.3 Tools Release
Information about this advisory is available at https://access.redhat.com/errata/RHBA-2018:0338.html.
katello-agent
- BZ#1395700
Under certain conditions, build 19 of the dispatch router can terminate unexpectedly with a segmentation fault. The memory management has been improved to prevent this happening.
- BZ#1463809
You can now manage clients without goferd. This limits the host management functionality only to uploading the package profile after installing, removing, updating packages, and triggering the Satellite tasks such as the applicable errata.
- BZ#1272758
When repeatedly installing and removing a package on the same Content Host, goferd accumulates memory over time. This has been fixed by locally settling down received messages in qpid-proton library.
- BZ#1331710
Reinstalling katello-ca-consumer on a RHEL 7 Content Host did not restart goferd service. Consequently, katello agent did not reconnect to Satellite. This is now fixed.
- BZ#1379341
Restarting the agent on the client forced package applicability calculations which were not necessary. This case has been fixed.
- BZ#1403029
Updating katello-agent did not update dependencies. This is now fixed.
- BZ#1446726
While pushing Errata using the Web UI and katello-agent, goferd terminated with a segmentation fault on some clients. This is now fixed.- BZ#1530709
Several memory usage bugs in goferd and qpid have been resolved.
- BZ#1371585
When removing katello-ca-consumer RPM, the backup of /etc/rhsm/rhsm.conf was not restored. This is now fixed.
- BZ#1388545
Several memory leaks have been fixed in the qpid dispatch router.
- BZ#1394386
Hypervisor names reported by virt-who are now validated on input.
- BZ#1426380
When qdrouterd was not accessible, the goferd process had a memory leak and goferd terminated unexpectedly. This is now fixed.- BZ#1482635
After installing 'katello-hosts-tools' and running the Puppet agent,enabled_repos_upload sent output to stdout after all of the 'yum check-update' had output their data. This caused errors for the Puppet agent on the client.Qpid
- BZ#1463800
During scaling testing of content hosts, qpid consumed huge amounts of memory. This is now fixed.
- BZ#1417303
Previously, Satellite had a hard limit of 64k Content Hosts that can run katello agent. The Qpid Dispatch Router has been improved to remove this limit.
- BZ#1452183
When pausing a Satellite in a VM, any goferd client on a machine registered to a Capsule failed to connect to the Capsule and logged “qd:no-route-to-dest” error. The error persisted after qdrouterd on the Satellite resumed. The qpid dispatch router has been improved to unmap all addresses in a more reliable way.
- BZ#1519140
During scale testing, qdrouterd experienced segmentation faults in libqpid.so. This is now fixed.- BZ#1530689
qdrouterd on Capsule Server was deadlocked and did not react to commands to kill the process. This is now fixed.
- BZ#1530692
When several goferd client connections tried to use qdrouterd on Satellite to link to qpidd, qdrouterd experienced a segmentation fault. This is now fixed.
- BZ#1450495
During an upgrade, theqpidduser could not access or read the/etc/pki/katello/nssdb/nss_db_password-filefile. The qpidd broker attempted to restart, which caused a segmentation fault.
- BZ#1457977
The 'hammer host-collection erratum install` installation failed with a sub-task error. With the latest update to qpid, this is now fixed.
