             AUSCERT External Security Bulletin Redistribution

             Important: Subscription Asset Manager 1.2 update
                             22 February 2013


        AusCERT Security Bulletin Summary

Product:           Subscription Asset Manager
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Existing Account      
                   Overwrite Arbitrary Files       -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0184 CVE-2013-0183 CVE-2013-0162
                   CVE-2012-6496 CVE-2012-6109 CVE-2012-5604
                   CVE-2012-5603 CVE-2012-5561 

Reference:         ESB-2013.0139

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

                   Red Hat Security Advisory

Synopsis:          Important: Subscription Asset Manager 1.2 update
Advisory ID:       RHSA-2013:0544-01
Product:           Red Hat Subscription Asset Manager
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2013-0544.html
Issue date:        2013-02-21
CVE Names:         CVE-2012-5561 CVE-2012-5603 CVE-2012-5604 
                   CVE-2012-6109 CVE-2012-6496 CVE-2013-0162 
                   CVE-2013-0183 CVE-2013-0184 

1. Summary:

Red Hat Subscription Asset Manager 1.2, which fixes several security
issues, multiple bugs, and adds various enhancements, is now available.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Subscription Asset Manager for RHEL 6 Server - noarch, x86_64

3. Description:

Red Hat Subscription Asset Manager acts as a proxy for handling
subscription information and software updates on client machines.

It was discovered that Katello did not properly check user permissions when
handling certain requests. An authenticated remote attacker could use this
flaw to download consumer certificates or change settings of other users'
systems if they knew the target system's UUID. (CVE-2012-5603)

A vulnerability in rubygem-ldap_fluff allowed a remote attacker to bypass
authentication and log into Subscription Asset Manager when a Microsoft
Active Directory server was used as the back-end authentication server.
(CVE-2012-5604)

It was found that the
"/usr/share/katello/script/katello-generate-passphrase" utility, which is
run during the installation and configuration process, set world-readable
permissions on the "/etc/katello/secure/passphrase" file. A local attacker
could use this flaw to obtain the passphrase for Katello, giving them
access to information they would otherwise not have access to.
(CVE-2012-5561)

Note: After installing this update, ensure the
"/etc/katello/secure/passphrase" file is owned by the root user and group
and has mode 0750 permissions. Sites should also consider re-creating the
Katello passphrase, as this issue exposed it to local users.
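Added example, not part of the Red Hat advisory or of Katello: a POSIX sh audit that checks a secrets file against the post-update requirement above (owned by root:root, mode 0750, so no permission bits for "other"). The expected owner and group are parameters so the check can be exercised on a test copy; on a SAM host it would be run against /etc/katello/secure/passphrase with root root.

```shell
#!/bin/sh
# Added example (not from the advisory or Katello): audit a secrets file such
# as /etc/katello/secure/passphrase for the post-update requirement of
# root:root ownership and mode 0750 (nothing readable by "other").

# Return 0 when a symbolic mode string from ls -l (e.g. -rwxr-x---) has no
# read/write/execute bit set for "other". A trailing '+' or '.' (ACL or
# SELinux marker) after the ten mode characters is tolerated.
no_world_bits() {
  case "$1" in
    ???????---*) return 0 ;;
    *)           return 1 ;;
  esac
}

# audit_secret_file FILE OWNER GROUP
# Exit status: 0 = compliant, 1 = one or more findings, 2 = file missing.
# Each finding is printed on its own line.
audit_secret_file() {
  file=$1; want_owner=$2; want_group=$3
  if [ ! -f "$file" ]; then
    echo "$file: missing"
    return 2
  fi
  # ls -ld fields: mode links owner group size ... name
  set -- $(ls -ld "$file")
  mode=$1; owner=$3; group=$4
  rc=0
  if ! no_world_bits "$mode"; then
    echo "$file: world-accessible mode $mode (expected 0750)"
    rc=1
  fi
  if [ "$owner" != "$want_owner" ]; then
    echo "$file: owner is $owner, expected $want_owner"
    rc=1
  fi
  if [ "$group" != "$want_group" ]; then
    echo "$file: group is $group, expected $want_group"
    rc=1
  fi
  return $rc
}

# The real check as run after the update (uncomment on a SAM host):
# audit_secret_file /etc/katello/secure/passphrase root root
```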

Three flaws were found in rubygem-rack. A remote attacker could use these
flaws to perform a denial of service attack against applications using
rubygem-rack. (CVE-2012-6109, CVE-2013-0183, CVE-2013-0184)

A flaw was found in the way rubygem-activerecord dynamic finders extracted
options from method parameters. A remote attacker could possibly use this
flaw to perform SQL injection attacks against applications using the Active
Record dynamic finder methods. (CVE-2012-6496)

It was found that ruby_parser from rubygem-ruby_parser created a temporary
file in an insecure way. A local attacker could use this flaw to perform a
symbolic link attack, overwriting arbitrary files accessible to the
application using ruby_parser. (CVE-2013-0162)

The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat;
CVE-2012-5604 was discovered by Og Maciel of Red Hat; CVE-2012-5561 was
discovered by Aaron Weitekamp of the Red Hat Cloud Quality Engineering
team; and CVE-2013-0162 was discovered by Michael Scherer of the Red Hat
Regional IT team.

These updated Subscription Asset Manager packages include a number of bug
fixes and enhancements. Space precludes documenting all of these changes
in this advisory. Refer to the Red Hat Subscription Asset Manager 1.2
Release Notes for information about these changes:


All users of Red Hat Subscription Asset Manager are advised to upgrade to
these updated packages, which fix these issues and add various

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

5. Bugs fixed (http://bugzilla.redhat.com/):

760564 - UI should show virtual child pools as "children" of the parent.
800145 - Manifest import needs to be smarter about product attribute copying
809823 - katello-configure --deployment=katello is accepted in a SAM only installation.
813291 - [RFE] Username cannot contain characters other than alpha numerals,'_', '-', can not resume after failure
817845 - Better CLI error message  when options are invalid
817946 - API not accessible from browser
818679 - katello-configure --help should show valid options.
818903 - Name of the pdf generated for sam system report command should be modified
819002 - [RFE] Hide password creation and Email fields at user creation time if LDAP auth is enabled in CFSE
819611 - [RFE] SAM 1.0 Have PostgreSQL only listen on instead of and
822942 - [RFE] Add new Application Shell to Subscription Asset Manager
822943 - [RFE] Improved Subscription Viewer
822945 - [RFE] Improved Visibility to Customer Portal
826099 - katello-debug returns unexpected error messages when run on a SAM installation
829474 - Assigning a subscription to a machine in SAM does not update the compliance icon in the System List
832425 - SAM cli headpin Version command returns exitCode as 1 even after successful completion of command
832462 - katello-cli and katello-cli-headpin should know how to handle upgrading to prevent file conflicts over client.conf.
840595 - katello-configure --help optparse.rb:395:in `+': can't convert nil into String (TypeError)
840600 - Post creating new environment in headpin, webui returns row:NotFound error
840603 - Post 'import manifest' subscriptions return row:NotFound
840609 - katello-headpin displays system groups under activation key when headpin will not support system groups
840792 - Activation key delete displays error
840969 - Delete environment with members causes Couldn't find KTEnvironment with
841868 - Systems page always shows lo interface IP on list
843625 - The thin server on sam installations will listen on all ip addresses, should listen on localhost only.
843857 - Katello Webui dashboard does not render the pie chart (graph) in the appropriate location
843861 - Installing the candlepin-cert bootstrap package fails on RHEL5.8+
843904 - During transition between systems in the webui, user will see System Group and Errata elements along with install button and other.
845501 - katello-configure  --deployment=headpin  fails  after katello-headpin-all install on fedora-16
845620 - [RFE] Improve messaging around results of setting the yStream
847024 - Web pages fail to render all elements and colors correctly in IE8 and IE9
847117 - Extend scroll bug on content tab, with > 50 subscriptions only the first 50 will populate.
847598 - katello-configure --deployment failed after katello-all install
850336 - As a user I would like the organization selector at login to provide feedback once I have selected the org I wish to login to.
852508 - User limited by role will receive ResourceTypeNotFound in Dashboard#index when logging in
854278 - After adding certain objects to katello one will see a warning, '' did not meet the current search criteria and is not being shown
854283 - When creating a new organization, the Environment specified at creation time is not being created.
854985 - subscription-manager register for a system fails using the activation key
856303 - "Invalid resource type 'system_groups' " error message when trying to unregister from SAM
856777 - Test case failure: As a Admin I would like to know that my manifest will load as scheduled, even if katello-jobs is not running when I submit the request.
856795 - Test case failure: [SAM] Install - Quick (Default) Fails
857452 - katello-configure fails with katello-jobs change to running failed
859128 - Consumer fails to consume content from a Headpin distributor PYCURL ERROR 52 - "Empty reply from server"
863461 - Headpin Cli automation : Failure to list the org updated with special chars other than ascii chars
865571 - man page for headpin shows katello context
866323 - Storing the user report via cli in a pdf format fails in headpin-cli upstream
866972 - katello-debug needs to take headpin into consideration
866995 - server version is "Unknown" when registered to a katello/cfse/sam server
868290 - Thumbslug needs to verify more certificates.
869380 - add confirmation dialog to "delete manifest" functionality
871622 - Upgrade from 1.0 to 1.2 fails with file conflict
872332 - Username/password from previous katello-configure returns CLI error "error: string indices must be integers"
872334 - existing orgs do not get default value for system_info_keys in database
872335 - deleting an imported manifest should add message to /owner/$owner/imports results
872602 - API: /consumers/{id}/entitlements returns incorrect data and Content-Type header
872687 - create a Role with single-character name fails
873038 - Entering an env name of "Library" when creating an organization does not give clear error message
873443 - RAM value listed should be "memory.memtotal" fact
873803 - subscription filter chooser on systems page blinks when page first loads
873809 - Javascript error when looking at Import History for subscriptions
874182 - Creating a consumer with blank sockets results in missing system
874280 - change of terminology related to subscriptions and distributors
874502 - Upload manifests UI in 'ja' language contains headings overwritten on each other
874510 - Activation Key Page in 'ja' language headings overwritten in headpin
874583 - Environments do not populate when adding a new user without full admin
874737 - [upgrade] 1.0 to 1.1 upgrades brings UI error on Organizations edit page
874744 - Product labels are not currently required to be unique.
875101 - ISO installer uses 2.7 API, which does not run on RHEL 6
875609 - Could not find ESX/Hyper-V host on SAM WebUI
875876 - Thumbslug prevents client connections for unknown reason
876869 - [ja_JP][SAM Web GUI] Overlapped in Add Permission page and Edit Permission page.
876896 - [ja_JP][SAM Web GUI] Overlapped in Content - Subscriptions page
876911 - [ja_JP][SAM Web GUI] Overlapped in Content - Activation Keys page
877317 - [ALL_LANG][SAM Web GUI] Unlocalized string 'Viewing xx of xx results (xx Total xx)'.
877473 - SAM upgrade fails with uninitialized constant Glue::Foreman
877894 - [ALL_LANG][SAM Web GUI] Some unlocalized messages for creating Users.
878191 - CLI system remove_deletion fails calling candlepin proxy
878341 - [ja_JP][zh_TW][ko_KR][SAM Web GUI] Default environment name 'Library' should not be localized.
878355 - [ru_RU][fr_FR][SAM Web GUI] - Text not fitting in the level properly
878370 - [ALL_LANG][SAM Web GUI] Unlocalized date, tooltips for Release Version and strings for Systems
878377 - [es_ES] - Unlocalized strings in SAM Web GUI pages.
878693 - [RFE] Selecting multiple systems does not give me any action
878750 - [es_ES][it_IT][SAM Web GUI] - Mouse over and Click tool causing overlap with the other contents
879094 - CVE-2012-5561 Katello: /etc/katello/secure/passphrase is world readable
879170 - [fr_FR][SAM Web GUI] - Untranslated strings in SAM Web GUI
879245 - [cli] `system subscriptions --uuid`returns python's "None" as system name
879320 - [cli] system list shows for registered virtual guests
880113 - [ALL LANG][SAM CLI] undefined method `with_indifferent_access' for #<Array:0x7f9a1164f0e8> occurred when --add_subscription or  --remove_subscription with blank or invalid ?? value for activation_key update module.
880116 - [ALL LANG][SAM CLI] undefined method `[]' for nil:NilClass occurred when --add_subscription with pool id for activation_key update module.
880710 - subscription-manager problems when organization label is different than name
880848 - Typo: Subscripton/Subscription in the Dashboard
880905 - [fr_FR][it_IT][SAM Web GUI] - New Role can not be created
881616 - [ALL_LANG][SAM Web GUI] Usage Limit value to be set as '-1' when uncheck the 'Unlimited' and Save the Activation Key.
882129 - CVE-2012-5603 CloudForms Katello: lack of authorization in proxies_controller.rb
882136 - CVE-2012-5604 rubygem-ldap_fluff: CloudForms authentication bypass when handling anonymous LDAP bind
882957 - HTML id attributes are not unique
885096 - Headpin/SAM headpin mode new foreman command 'architecture' should be removed
886137 - Tracker: remove katello-reset-dbs script
886462 - [cli] ping returns $? == 30 (but all services are OK)
889649 - CVE-2012-6496 rubygem-activerecord: find_by_* SQL Injection
890000 - Can not auto-subscribe against SAM-20121221.n.1 server
892639 - SAM Compose : 7th January puddle -> katello-configure failed
892806 - CVE-2013-0162 rubygem-ruby_parser: incorrect temporary file usage
895277 - CVE-2012-6109 rubygem-rack: parsing Content-Disposition header DoS
895282 - CVE-2013-0183 rubygem-rack: receiving excessively long lines triggers out-of-memory error
895384 - CVE-2013-0184 rubygem-rack: Rack::Auth::AbstractRequest DoS
896550 - Typo during generation of candlepin.conf

6. Package List:

Red Hat Subscription Asset Manager for RHEL 6 Server:




These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.