Synopsis

Moderate: Red Hat Gluster Storage Web Administration security update

Type/Severity

Security Advisory: Moderate

Topic

Updated packages are now available for Red Hat Gluster Storage 3.4 Web Administration Batch Update 3 on Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Gluster Storage Web Administration includes a fully automated setup based on Ansible and provides deep metrics and insights into active Gluster storage pools by using the Grafana platform. Red Hat Gluster Storage WebAdministration provides a dashboard view which allows an administrator to get a view of overall gluster health in terms of hosts, volumes, bricks, and other components of GlusterFS.

Security Fix(es):

• django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc' (CVE-2018-7536)
  
• django: Catastrophic backtracking in regular expressions via 'truncatechars_html' and 'truncatewords_html' (CVE-2018-7537)
  
• django: Open redirect possibility in CommonMiddleware (CVE-2018-14574)
  

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank the Django project for reporting CVE-2018-7536 and CVE-2018-7537.

Users of Red Hat Gluster Storage Web Administration with Red Hat Gluster Storage are advised to upgrade to this updated package to fix these issues.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Gluster Storage Server for On-premise 3 for RHEL 7 x86_64
• Red Hat Gluster Storage Web Administration (for RHEL Server) 3 x86_64

Fixes

• BZ - 1549777 - CVE-2018-7536 django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc'
• BZ - 1549779 - CVE-2018-7537 django: Catastrophic backtracking in regular expressions via 'truncatechars_html' and 'truncatewords_html'
• BZ - 1609031 - CVE-2018-14574 django: Open redirect possibility in CommonMiddleware
• BZ - 1654338 - tendrl-commons doesn't specify minimal ansible version it requires
• BZ - 1655424 - Need to change graphite db initialization command in tendrl-ansible as per new graphite-web version-1.1.4-1
• BZ - 1655433 - Need to restrict few services port from outside access to web-admin
• BZ - 1658245 - graphite data migration process from graphite-web-0.X.X to graphite-web-1.X.X should done from tendrl-upgrade script
• BZ - 1659678 - Grafana unable to fetch data after updating graphite-web to 1.x.x
• BZ - 1660779 - After migration to graphite-1.1.4 the brick specific dashboards are not visible in grafana

CVEs

• CVE-2018-7536
• CVE-2018-7537
• CVE-2018-14574

References

• https://access.redhat.com/security/updates/classification/#moderate

Red Hat Gluster Storage Server for On-premise 3 for RHEL 7

SRPM
tendrl-commons-1.6.3-15.el7rhgs.src.rpm	SHA-256: fe17ce9b8b695fbb0abb6ad321ed1031c440589c9c40188d4447c276e9b5b068
tendrl-node-agent-1.6.3-15.el7rhgs.src.rpm	SHA-256: 7280f05d23a705110701a9e19b254734d9bc9e888f9343e2d3d0db4af52a9ca6
tendrl-selinux-1.5.4-3.el7rhgs.src.rpm	SHA-256: 05f63efd5348ce46e6afa6a6be9efa597bbb0b6edc7b93b499a9e2fd8812ec15
x86_64
tendrl-collectd-selinux-1.5.4-3.el7rhgs.noarch.rpm	SHA-256: da8c08d2706c2f3085b7e976e6548b1d60e5d27584f23f039b01c94a3a92487c
tendrl-commons-1.6.3-15.el7rhgs.noarch.rpm	SHA-256: b6e5ed585502be1e3a1335fd2527290385682e7f6b55e97e44c84a6abe2d2d4b
tendrl-node-agent-1.6.3-15.el7rhgs.noarch.rpm	SHA-256: 25ac386a6eee0da59fbbfbeb5a9cc1978795b9cb09ba1972901a872b75fa7961
tendrl-selinux-1.5.4-3.el7rhgs.noarch.rpm	SHA-256: ca82bf7964eca26fdbdb55784020f13d47d15034d4744d7fd09ca3f5f9a795ca

Red Hat Gluster Storage Web Administration (for RHEL Server) 3

SRPM
graphite-web-1.1.4-1.el7rhgs.src.rpm	SHA-256: 2f88c6c21a08cf3bd2e302ed477c44b94305ece60f15fe7de11f3d5d9e6c9427
python-cachetools-1.0.3-1.1.el7rhgs.src.rpm	SHA-256: f94c60cc90fecd5847ad2d78cc95813bc453dbf3b6bdb575648b8d57499d4fea
python-carbon-1.1.4-1.el7rhgs.src.rpm	SHA-256: 71fc58ee5b68b50bcc3d65e50241609760c9eb838f87547b8e0c51941b68c876
python-django-1.11.15-4.el7rhgs.src.rpm	SHA-256: c2e0e13be9ba526d5673dd9fbfdbe1ac90bc9eb061076c39a3abb5c83403087a
python-django-tagging-0.4.6-1.el7rhgs.src.rpm	SHA-256: fb77cc379954132c81aa1e2614275b3ec5f549e6eef2343e2f55eacf39c16ac9
python-scandir-1.3-1.el7rhgs.src.rpm	SHA-256: b711534435114c59b1e40b2f783e052699642952651445b2c3d780aac8e89f83
python-whisper-1.1.4-1.el7rhgs.src.rpm	SHA-256: 41096b552322ac60f69d0bc67a7cdd813a802dcc9620d361b9f312bfc9c5eaae
tendrl-ansible-1.6.3-11.el7rhgs.src.rpm	SHA-256: 64a5d68b401aa32f703fdf096b00a5916412ab2b77ee637934edf843f3019366
tendrl-api-1.6.3-10.el7rhgs.src.rpm	SHA-256: 275afb95c8210a942181ea475dc1dd0b7d9ee39dea0ca47e8d87a903b1214816
tendrl-commons-1.6.3-15.el7rhgs.src.rpm	SHA-256: fe17ce9b8b695fbb0abb6ad321ed1031c440589c9c40188d4447c276e9b5b068
tendrl-monitoring-integration-1.6.3-20.el7rhgs.src.rpm	SHA-256: 8fe7eb1dd2275e719e1bd5ad15d118e693408cfb492dbfe255078e11de81e1b0
tendrl-node-agent-1.6.3-15.el7rhgs.src.rpm	SHA-256: 7280f05d23a705110701a9e19b254734d9bc9e888f9343e2d3d0db4af52a9ca6
tendrl-selinux-1.5.4-3.el7rhgs.src.rpm	SHA-256: 05f63efd5348ce46e6afa6a6be9efa597bbb0b6edc7b93b499a9e2fd8812ec15
x86_64
carbon-selinux-1.5.4-3.el7rhgs.noarch.rpm	SHA-256: 71c4ec9dfd7d3e5bb480d965c8032d05a53f1b7d6e441c3ad194524a48787e78
graphite-web-1.1.4-1.el7rhgs.noarch.rpm	SHA-256: f386665b8ec2685c813cbf917ab305ed92b6f712c8c3a36adab4d9d612bb03b2
python-cachetools-1.0.3-1.1.el7rhgs.noarch.rpm	SHA-256: fd77061ead68ee3e6259ce032e6198dcb3d036a55891cbf1258310ffeb5ec3d4
python-carbon-1.1.4-1.el7rhgs.noarch.rpm	SHA-256: d8278d41f2a4dbad1677747db55dad186c255a1bfce07af8d69d6155c057714d
python-django-bash-completion-1.11.15-4.el7rhgs.noarch.rpm	SHA-256: a3a1f5f252cc39f6a656862177b83b7755a563c40719d99d9dc21ab4b28b7ae3
python-django-tagging-0.4.6-1.el7rhgs.noarch.rpm	SHA-256: a948c53096642d70f28cfb9ad8b2c09000bc4628fbb14555dd27da9b63dc7502
python-scandir-1.3-1.el7rhgs.x86_64.rpm	SHA-256: a58c9147baddab09a00eac77bc93123f406981c562176a4eaadd2fbcb9185b72
python-scandir-debuginfo-1.3-1.el7rhgs.x86_64.rpm	SHA-256: e461bcb935df7b39636e25da2e6931051ecf6989d247cd3e1fe0b1ac168dd765
python-whisper-1.1.4-1.el7rhgs.noarch.rpm	SHA-256: 03463d590d9d2009d09ab0e537e30bb4301507af8d6751ade350b1340af97ca8
python2-django-1.11.15-4.el7rhgs.noarch.rpm	SHA-256: 4e67ab11d385611187a3d86adb23e2feb0284a9e46110b4dd5354e402f6e253d
python2-django-doc-1.11.15-4.el7rhgs.noarch.rpm	SHA-256: d00c6df9163eba3c6d989d7e49fe702d21199f803b3e3f12da836d45179fa0b3
tendrl-ansible-1.6.3-11.el7rhgs.noarch.rpm	SHA-256: 303b65c86b8199075931cb0c7c5ccd0b99ca3f0a728612f1573efc7f82f01e62
tendrl-api-1.6.3-10.el7rhgs.noarch.rpm	SHA-256: 0148ae95e8a8e95becb9ff1072317c82e604238428862608b2580a2c745adb4a
tendrl-api-httpd-1.6.3-10.el7rhgs.noarch.rpm	SHA-256: dd5ead76d09642d555cc4a9bf1d0be187a6bd2468696235f4b2865e2b28d8de1
tendrl-commons-1.6.3-15.el7rhgs.noarch.rpm	SHA-256: b6e5ed585502be1e3a1335fd2527290385682e7f6b55e97e44c84a6abe2d2d4b
tendrl-grafana-plugins-1.6.3-20.el7rhgs.noarch.rpm	SHA-256: fee1ca0ae2ced291723c808a91a5e70411283c538491850535e6a8a2272ac231
tendrl-grafana-selinux-1.5.4-3.el7rhgs.noarch.rpm	SHA-256: 62d1a8f172c43fbd4ff60debf7d1eaa8631b002e3ef5bc4467059727b11799aa
tendrl-monitoring-integration-1.6.3-20.el7rhgs.noarch.rpm	SHA-256: 088de4b05955c8ecaae7abd7032518d7ae39493199f09ed48e7cd4a03c5c3c39
tendrl-node-agent-1.6.3-15.el7rhgs.noarch.rpm	SHA-256: 25ac386a6eee0da59fbbfbeb5a9cc1978795b9cb09ba1972901a872b75fa7961
tendrl-selinux-1.5.4-3.el7rhgs.noarch.rpm	SHA-256: ca82bf7964eca26fdbdb55784020f13d47d15034d4744d7fd09ca3f5f9a795ca