Is spacewalk-backend-libs-1.2.13-52 vulnerable to CVE-2012-0059?
Environment
- Red Hat Satellite 5.4
Issue
- Is spacewalk-backend-libs-1.2.13-52 vulnerable to CVE-2012-0059?
- Do we need install the packages provided by errata RHSA-2012:0101?
Resolution
-
Based on the details mentioned in errata RHSA-2012:0101, there is a fix for CVE-2012-0059.
-
To address this CVE, changes were made in RH Satellite code. There were no changes made to the client-side code. These changes were made in the
/usr/share/rhn/server/handlers/xmlrpc/registration.pyfile, which is provided by thespacewalk-backend-xmlrpcpackage.
# rpm -qf /usr/share/rhn/server/handlers/xmlrpc/registration.py
spacewalk-backend-xmlrpc-1.2.13-78.el5sat.noarch
-
Code changes made with this errata are listed in commit 76d0064693107148e4a949fc7ad62d72bb3ec26c
-
All
spacewalk-backend*packages are built using source packagespacewalk-backend-1.2.13-66.el5sat.src.rpm. Changes were only made in thespacewalk-backend-xmlrpcpackage, but allspacewalk-backend*packages were re-built because they all share a single source RPM. Earlier, thespacewalk-backend-libspackage was shipped in the RHN Tools channel, but after thespacewalk-backend-libs-1.2.13-52version, this was moved to the RH Satellite channel. Therefore, no new versions of thespacewalk-backend-libspackage will be released into the RHN Tools channel. -
CVE-2012-0059 is not applicable for the
spacewalk-backend-libs-1.2.13-52.el5satand lower version of packages which are shipped in RHN Tools channel.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments