RHSA-2013:0544 - Security Advisory

Topic

Red Hat Subscription Asset Manager 1.2, which fixes several security
issues, multiple bugs, and adds various enhancements, is now available.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

[Updated 25th February 2013]
This erratum previously failed to include the updated rubygem-rack package.
It also previously incorrectly documented CVE-2012-5604 as being fixed,
however that issue never affected Subscription Asset Manager and is no
longer listed. As well, CVE-2012-6496 was described as being fixed, however
that issue had previously been fixed in RHSA-2013:0154.

Description

Red Hat Subscription Asset Manager acts as a proxy for handling
subscription information and software updates on client machines.

It was discovered that Katello did not properly check user permissions when
handling certain requests. An authenticated remote attacker could use this
flaw to download consumer certificates or change settings of other users'
systems if they knew the target system's UUID. (CVE-2012-5603)

It was found that the
"/usr/share/katello/script/katello-generate-passphrase" utility, which is
run during the installation and configuration process, set world-readable
permissions on the "/etc/katello/secure/passphrase" file. A local attacker
could use this flaw to obtain the passphrase for Katello, giving them
access to information they would otherwise not have access to.
(CVE-2012-5561)

Note: After installing this update, ensure the
"/etc/katello/secure/passphrase" file is owned by the root user and group
and mode 0750 permissions. Sites should also consider re-creating the
Katello passphrase as this issue exposed it to local users.

Three flaws were found in rubygem-rack. A remote attacker could use these
flaws to perform a denial of service attack against applications using
rubygem-rack. (CVE-2012-6109, CVE-2013-0183, CVE-2013-0184)

It was found that ruby_parser from rubygem-ruby_parser created a temporary
file in an insecure way. A local attacker could use this flaw to perform a
symbolic link attack, overwriting arbitrary files accessible to the
application using ruby_parser. (CVE-2013-0162)

The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat;
CVE-2012-5561 was discovered by Aaron Weitekamp of the Red Hat Cloud
Quality Engineering team; and CVE-2013-0162 was discovered by Michael
Scherer of the Red Hat Regional IT team.

These updated Subscription Asset Manager packages include a number of bug
fixes and enhancements. Space precludes documenting all of these changes
in this advisory. Refer to the Red Hat Subscription Asset Manager 1.2
Release Notes for information about these changes:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Subscription_Asset_Manager/1.2/html/Release_Notes/index.html

All users of Red Hat Subscription Asset Manager are advised to upgrade to
these updated packages, which fix these issues and add various
enhancements.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64

Fixes

• BZ - 760564 - UI should show virtual child pools as "children" of the parent.
• BZ - 800145 - Manifest import needs to be smarter about product attribute copying
• BZ - 809823 - katello-configure --deployment=katello is accepted in a SAM only installation.
• BZ - 813291 - [RFE] Username cannot contain characters other than alpha numerals,'_', '-', can not resume after failure
• BZ - 817845 - Better CLI error message when options are invalid
• BZ - 817946 - API not accessible from browser
• BZ - 818679 - katello-configure --help should show valid options.
• BZ - 818903 - Name of the pdf generated for sam system report command should be modified
• BZ - 819002 - [RFE] Hide password creation and Email fields at user creation time if LDAP auth is enabled in CFSE
• BZ - 819611 - [RFE] SAM 1.0 Have PostgreSQL only listen on 127.0.0.1 instead of 127.0.0.1 and 0.0.0.0
• BZ - 822942 - [RFE] Add new Application Shell to Subscription Asset Manager
• BZ - 822943 - [RFE] Improved Subscription Viewer
• BZ - 822945 - [RFE] Improved Visibility to Customer Portal
• BZ - 826099 - katello-debug returns unexpected error messages when run on a SAM installation
• BZ - 829474 - Assigning a subscription to a macihne in SAM does not update the compliance icon in the System List
• BZ - 832425 - SAM cli headpin Version command returns exitCode as 1 even after successful completion of command
• BZ - 832462 - katello-cli and katello-cli-headpin should now how to handle upgrading to prevent file conflicts over client.conf.
• BZ - 840595 - katello-configure --help optparse.rb:395:in `+': can't convert nil into String (TypeError)
• BZ - 840600 - Post creating new environment in headpin, webui returns row:NotFound error
• BZ - 840603 - Post 'import manifest' subscriptions return row:NotFound
• BZ - 840609 - katello-headpin displays system groups under activation key when headpin will not support system groups
• BZ - 840792 - Activation key delete displays error
• BZ - 840969 - Delete environment with members causes Couldn't find KTEnvironment with
• BZ - 841868 - Systems page always shows lo interface IP on list
• BZ - 843625 - The thin server on sam installations will listen on all ip addresses, should listen on localhost only.
• BZ - 843857 - Katello Webui dashboard does not render the pie chart (graph) in the appropriate location
• BZ - 843861 - Installing the candlepin-cert bootstrap package fails on RHEL5.8+
• BZ - 843904 - During transition between systems in the webui, user will see System Group and Errata elements along with install button and other.
• BZ - 845501 - katello-configure --deployment=headpin fails after katello-headpin-all install on fedora-16
• BZ - 845620 - [RFE] Improve messaging around results of setting the yStream
• BZ - 847024 - Web pages fail to render all elements and colors correctly in IE8 and IE9
• BZ - 847117 - Extend scroll bug on content tab, with > 50 subscriptions only the first 50 will populate.
• BZ - 847598 - katello-configure --deployment failed after katello-all install
• BZ - 850336 - As a user I would like the organization selector at login to provide feedback once I have selected the org I wish to login to.
• BZ - 852508 - User limited by role will receive ResourceTypeNotFound in Dashboard#index when logging in
• BZ - 854278 - After adding certain objects to katello one will see a warning, '' did not meet the current search criteria and is not being shown
• BZ - 854283 - When creating a new organization, the Environment specified at creation time is not being created.
• BZ - 854985 - subscription-manager register for a system fails using the activation key
• BZ - 856303 - "Invalid resource type 'system_groups' " error message when trying to unregister from SAM
• BZ - 856777 - Test case failure: As a Admin I would like to know that my manifest will load as scheduled, even if katello-jobs is not running when I submit the request.
• BZ - 856795 - Test case failure: [SAM] Install - Quick (Default) Fails
• BZ - 857452 - katello-configure fails with katello-jobs change to running failed
• BZ - 859128 - Consumer fails to consume content from a Headpin distributor PYCURL ERROR 52 - "Empty reply from server"
• BZ - 863461 - Headpin Cli automation : Failure to list the org updated with special chars other than ascii chars
• BZ - 865571 - man page for headpin shows katello context
• BZ - 866323 - Storing the user report via cli in a pdf format fails in headpin-cli upstream
• BZ - 866972 - katello-debug needs to take headpin into consideration
• BZ - 866995 - server version is "Unknown" when registered to a katello/cfse/sam server
• BZ - 868290 - Thumbslug needs to verify more certificates.
• BZ - 869380 - add confirmation dialog to "delete manifest" functionality
• BZ - 871622 - Upgrade from 1.0 to 1.2 fails with file conflict
• BZ - 872332 - Username/password from previous katello-configure returns CLI error "error: string indices must be integers"
• BZ - 872334 - existing orgs do not get default value for system_info_keys in database
• BZ - 872335 - deleting an imported manifest should add message to /owner/$owner/imports results
• BZ - 872602 - API: /consumers/{id}/entitlements returns incorrect data and Content-Type header
• BZ - 872687 - create a Role with single-character name fails
• BZ - 873038 - Entering an env name of "Library" when creating an organization does not give clear error message
• BZ - 873443 - RAM value listed should be "memory.memtotal" fact
• BZ - 873803 - subscription filter chooser on systems page blinks when page first loads
• BZ - 873809 - Javascript error when looking at Import History for subscriptions
• BZ - 874182 - Creating a consumer with blank sockets results in missing system
• BZ - 874280 - change of terminology related to subscriptions and distributors
• BZ - 874502 - Upload manifests UI in 'ja' language contains headings overwritten on each other
• BZ - 874510 - Activation Key Page in 'ja' language headings ovewritten in headpin
• BZ - 874583 - Environments do not populate when adding a new user without full admin
• BZ - 874737 - [upgrade] 1.0 to 1.1 upgrades brings UI error on Organizations edit page
• BZ - 874744 - Product labels are not currently required to be unique.
• BZ - 875101 - ISO installer uses 2.7 API, which does not run on RHEL 6
• BZ - 875609 - Could not find ESX/Hyper-V host on SAM WebUI
• BZ - 875876 - Thumbslug prevents client connections for unknown reason
• BZ - 876869 - [ja_JP][SAM Web GUI] Overlapped in Add Permission page and Edit Permission page.
• BZ - 876896 - [ja_JP][SAM Web GUI] Overlapped in Content - Subscriptions page
• BZ - 876911 - [ja_JP][SAM Web GUI] Overlapped in Content - Activation Keys page
• BZ - 877317 - [ALL_LANG][SAM Web GUI] Unlocalized string 'Viewing xx of xx results (xx Total xx)'.
• BZ - 877473 - SAM upgrade fails with uninitialized constant Glue::Foreman
• BZ - 877894 - [ALL_LANG][SAM Web GUI] Some unlocalized messages for creating Users.
• BZ - 878191 - CLI system remove_deletion fails calling candlepin proxy
• BZ - 878341 - [ja_JP][zh_TW][ko_KR][SAM Web GUI] Default environment name 'Library' should not be localized.
• BZ - 878355 - [ru_RU][fr_FR][SAM Web GUI] - Text not fitting in the level properly
• BZ - 878370 - [ALL_LANG][SAM Web GUI] Unlocalized date, tooltips for Release Version and strings for Systems
• BZ - 878377 - [es_ES] - Unlocalized strings in SAM Web GUI pages.
• BZ - 878693 - [RFE] Selecting multiple systems does not give me any action
• BZ - 878750 - [es_ES][it_IT][SAM Web GUI] - Mouse over and Click tool causing overlap with the other contents
• BZ - 879094 - CVE-2012-5561 Katello: /etc/katello/secure/passphrase is world readable
• BZ - 879170 - [fr_FR][SAM Web GUI] - Untranslated strings in SAM Web GUI
• BZ - 879245 - [cli] `system subscriptions --uuid`returns python's "None" as system name
• BZ - 879320 - [cli] system list shows 127.0.0.1 for registered virtual guests
• BZ - 880113 - [ALL LANG][SAM CLI] undefined method `with_indifferent_access' for #<Array:0x7f9a1164f0e8> occurred when --add_subscription or --remove_subscription with blank or invalid ?? value for activation_key update module.
• BZ - 880116 - [ALL LANG][SAM CLI] undefined method `[]' for nil:NilClass occurred when --add_subscription with pool id for activation_key update module.
• BZ - 880710 - subscription-manager problems when organization label is different than name
• BZ - 880848 - Typo: Subscripton/Subscription in the Dashboard
• BZ - 880905 - [fr_FR][it_IT][SAM Web GUI] - New Role can not be created
• BZ - 881616 - [ALL_LANG][SAM Web GUI] Usage Limit value to be set as '-1' when uncheck the 'Unlimited' and Save the Activation Key.
• BZ - 882129 - CVE-2012-5603 CloudForms Katello: lack of authorization in proxies_controller.rb
• BZ - 882957 - HTML id attributes are not unique
• BZ - 885096 - Headpin/SAM headpin mode new foreman command 'architecture' should be removed
• BZ - 886137 - Tracker: remove katello-reset-dbs script
• BZ - 886462 - [cli] ping returns $? == 30 (but all services are OK)
• BZ - 890000 - Can not auto-subscribe against SAM-20121221.n.1 server
• BZ - 892639 - SAM Compose : 7th January puddle -> katello-configure failed
• BZ - 892806 - CVE-2013-0162 rubygem-ruby_parser: incorrect temporary file usage
• BZ - 895277 - CVE-2012-6109 rubygem-rack: parsing Content-Disposition header DoS
• BZ - 895282 - CVE-2013-0183 rubygem-rack: receiving excessively long lines triggers out-of-memory error
• BZ - 895384 - CVE-2013-0184 rubygem-rack: Rack::Auth::AbstractRequest DoS
• BZ - 896550 - Typo during generation of candlepin.conf

CVEs

• CVE-2012-5603
• CVE-2012-5561
• CVE-2013-0162
• CVE-2013-0184
• CVE-2012-6109
• CVE-2013-0183

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Subscription_Asset_Manager/1.2/html/Release_Notes/index.html