Red Hat Product Errata RHSA-2008:1001 - Security Advisory

Issued:: 2008-11-25
Updated:: 2008-11-25

RHSA-2008:1001 - Security Advisory

Overview
Updated Packages

Synopsis

Important: tog-pegasus security update

Type/Severity

Security Advisory: Important

Topic

Updated tog-pegasus packages that fix security issues are now available
for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Description

The tog-pegasus packages provide OpenPegasus Web-Based Enterprise
Management (WBEM) services. WBEM is a platform and resource independent
Distributed Management Task Force (DMTF) standard that defines a common
information model and communication protocol for monitoring and controlling
resources.

Red Hat defines additional security enhancements for OpenGroup Pegasus WBEM
services in addition to those defined by the upstream OpenGroup Pegasus
release. For details regarding these enhancements, refer to the file
"README.RedHat.Security", included in the Red Hat tog-pegasus package.

After re-basing to version 2.7.0 of the OpenGroup Pegasus code, these
additional security enhancements were no longer being applied. As a
consequence, access to OpenPegasus WBEM services was not restricted to the
dedicated users as described in README.RedHat.Security. An attacker able to
authenticate using a valid user account could use this flaw to send
requests to WBEM services. (CVE-2008-4313)

Note: default SELinux policy prevents tog-pegasus from modifying system
files. This flaw's impact depends on whether or not tog-pegasus is confined
by SELinux, and on any additional CMPI providers installed and enabled on a
particular system.

Failed authentication attempts against the OpenPegasus CIM server were not
logged to the system log as documented in README.RedHat.Security. An
attacker could use this flaw to perform password guessing attacks against a
user account without leaving traces in the system log. (CVE-2008-4315)

All tog-pegasus users are advised to upgrade to these updated packages,
which contain patches to correct these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

Red Hat Enterprise Linux Server 5 x86_64
Red Hat Enterprise Linux Server 5 ia64
Red Hat Enterprise Linux Server 5 i386
Red Hat Enterprise Linux Server - Extended Update Support 5.2 x86_64
Red Hat Enterprise Linux Server - Extended Update Support 5.2 ia64
Red Hat Enterprise Linux Server - Extended Update Support 5.2 i386
Red Hat Enterprise Linux Workstation 5 x86_64
Red Hat Enterprise Linux Workstation 5 i386
Red Hat Enterprise Linux Desktop 5 x86_64
Red Hat Enterprise Linux Desktop 5 i386
Red Hat Enterprise Linux for IBM z Systems 5 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.2 s390x
Red Hat Enterprise Linux for Power, big endian 5 ppc
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.2 ppc
Red Hat Enterprise Linux Server from RHUI 5 x86_64
Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

BZ - 459217 - CVE-2008-4313 tog-pegasus: WBEM services access not restricted to dedicated user after 2.7.0 rebase
BZ - 472017 - CVE-2008-4315 tog-pegasus: failed authentication attempts not logged via PAM

CVEs

References

http://www.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 5

SRPM
tog-pegasus-2.7.0-2.el5_2.1.src.rpm	SHA-256: 0f9ebe56e0efda07187a243db39e8dc891046bf2a9899242f9994433a6c8c287
x86_64
tog-pegasus-2.7.0-2.el5_2.1.i386.rpm	SHA-256: a26382d23542b97042fbe848dc7555f84c0ba672bfc87eee03fef010d1f940ef
tog-pegasus-2.7.0-2.el5_2.1.x86_64.rpm	SHA-256: aaad55eb7d5d2aacb866ceb48fad54771a983e8f00d6f910ba529aab39153882
tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm	SHA-256: 0aef2d05d03861affe56ccfc3699f00ce9ce8019678a69812a26a9fd2af1ae91
tog-pegasus-devel-2.7.0-2.el5_2.1.x86_64.rpm	SHA-256: 52f3b1164439ffa768571234310bf2fd60088d98f922707b73abdcc109c8c2ca
ia64
tog-pegasus-2.7.0-2.el5_2.1.ia64.rpm	SHA-256: 10db7895ee376053af94d0a5b7b09b2932041be4722717446e22d1089fe6488f
tog-pegasus-devel-2.7.0-2.el5_2.1.ia64.rpm	SHA-256: e67d283f9258c478699c2cce9dff4e7d31a8d79e460f640fc60cc628b0c143c0
i386
tog-pegasus-2.7.0-2.el5_2.1.i386.rpm	SHA-256: a26382d23542b97042fbe848dc7555f84c0ba672bfc87eee03fef010d1f940ef
tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm	SHA-256: 0aef2d05d03861affe56ccfc3699f00ce9ce8019678a69812a26a9fd2af1ae91

Red Hat Enterprise Linux Workstation 5

SRPM
tog-pegasus-2.7.0-2.el5_2.1.src.rpm	SHA-256: 0f9ebe56e0efda07187a243db39e8dc891046bf2a9899242f9994433a6c8c287
x86_64
tog-pegasus-2.7.0-2.el5_2.1.i386.rpm	SHA-256: a26382d23542b97042fbe848dc7555f84c0ba672bfc87eee03fef010d1f940ef
tog-pegasus-2.7.0-2.el5_2.1.x86_64.rpm	SHA-256: aaad55eb7d5d2aacb866ceb48fad54771a983e8f00d6f910ba529aab39153882
tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm	SHA-256: 0aef2d05d03861affe56ccfc3699f00ce9ce8019678a69812a26a9fd2af1ae91
tog-pegasus-devel-2.7.0-2.el5_2.1.x86_64.rpm	SHA-256: 52f3b1164439ffa768571234310bf2fd60088d98f922707b73abdcc109c8c2ca
i386
tog-pegasus-2.7.0-2.el5_2.1.i386.rpm	SHA-256: a26382d23542b97042fbe848dc7555f84c0ba672bfc87eee03fef010d1f940ef
tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm	SHA-256: 0aef2d05d03861affe56ccfc3699f00ce9ce8019678a69812a26a9fd2af1ae91

Red Hat Enterprise Linux Desktop 5

SRPM
tog-pegasus-2.7.0-2.el5_2.1.src.rpm	SHA-256: 0f9ebe56e0efda07187a243db39e8dc891046bf2a9899242f9994433a6c8c287
x86_64
tog-pegasus-2.7.0-2.el5_2.1.i386.rpm	SHA-256: a26382d23542b97042fbe848dc7555f84c0ba672bfc87eee03fef010d1f940ef
tog-pegasus-2.7.0-2.el5_2.1.x86_64.rpm	SHA-256: aaad55eb7d5d2aacb866ceb48fad54771a983e8f00d6f910ba529aab39153882
tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm	SHA-256: 0aef2d05d03861affe56ccfc3699f00ce9ce8019678a69812a26a9fd2af1ae91
tog-pegasus-devel-2.7.0-2.el5_2.1.x86_64.rpm	SHA-256: 52f3b1164439ffa768571234310bf2fd60088d98f922707b73abdcc109c8c2ca
i386
tog-pegasus-2.7.0-2.el5_2.1.i386.rpm	SHA-256: a26382d23542b97042fbe848dc7555f84c0ba672bfc87eee03fef010d1f940ef
tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm	SHA-256: 0aef2d05d03861affe56ccfc3699f00ce9ce8019678a69812a26a9fd2af1ae91

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
tog-pegasus-2.7.0-2.el5_2.1.src.rpm	SHA-256: 0f9ebe56e0efda07187a243db39e8dc891046bf2a9899242f9994433a6c8c287
s390x
tog-pegasus-2.7.0-2.el5_2.1.s390.rpm	SHA-256: 1226bedd406bd8af839cd07e9579d22ca178cb9804dde8d578488b8db546b390
tog-pegasus-2.7.0-2.el5_2.1.s390x.rpm	SHA-256: 8363cdde738e70c059e3119c7a64274c82ef74c09cf3f30dcf59a6d75028b716
tog-pegasus-devel-2.7.0-2.el5_2.1.s390.rpm	SHA-256: 5f5ff11f98c025e9bd05abd56b2afdf3d4b25f9c4a50a03887fca4d7a10a922f
tog-pegasus-devel-2.7.0-2.el5_2.1.s390x.rpm	SHA-256: 0683853c4ab391bd123f5891fd652b34af712b1e81fffa6526bc4933dd8be2eb

Red Hat Enterprise Linux for Power, big endian 5

SRPM
tog-pegasus-2.7.0-2.el5_2.1.src.rpm	SHA-256: 0f9ebe56e0efda07187a243db39e8dc891046bf2a9899242f9994433a6c8c287
ppc
tog-pegasus-2.7.0-2.el5_2.1.ppc.rpm	SHA-256: 6a00f65140b674adefbee6eeafcae375e78a452c3d1af4fd4500eed0fa9f5e6d
tog-pegasus-2.7.0-2.el5_2.1.ppc64.rpm	SHA-256: 7ced9e67c50ebb36bcb166d3a7b30cab9ff469803266655819800c9c05f5c6d1
tog-pegasus-devel-2.7.0-2.el5_2.1.ppc.rpm	SHA-256: 921f1d46f2654d6fbeb4d26316c435f49400e9f773e57b7985356adcff4499c3
tog-pegasus-devel-2.7.0-2.el5_2.1.ppc64.rpm	SHA-256: 57c37ec2877b4e9b763f37274fced335b0676269a3fa486f790e3ca245c32f30

Red Hat Enterprise Linux Server from RHUI 5

SRPM
tog-pegasus-2.7.0-2.el5_2.1.src.rpm	SHA-256: 0f9ebe56e0efda07187a243db39e8dc891046bf2a9899242f9994433a6c8c287
x86_64
tog-pegasus-2.7.0-2.el5_2.1.i386.rpm	SHA-256: a26382d23542b97042fbe848dc7555f84c0ba672bfc87eee03fef010d1f940ef
tog-pegasus-2.7.0-2.el5_2.1.x86_64.rpm	SHA-256: aaad55eb7d5d2aacb866ceb48fad54771a983e8f00d6f910ba529aab39153882
tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm	SHA-256: 0aef2d05d03861affe56ccfc3699f00ce9ce8019678a69812a26a9fd2af1ae91
tog-pegasus-devel-2.7.0-2.el5_2.1.x86_64.rpm	SHA-256: 52f3b1164439ffa768571234310bf2fd60088d98f922707b73abdcc109c8c2ca
i386
tog-pegasus-2.7.0-2.el5_2.1.i386.rpm	SHA-256: a26382d23542b97042fbe848dc7555f84c0ba672bfc87eee03fef010d1f940ef
tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm	SHA-256: 0aef2d05d03861affe56ccfc3699f00ce9ce8019678a69812a26a9fd2af1ae91

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories