Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3408
Satellite 6.7.4 Async Bug Fix Update
1 October 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat Satellite 6
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Root Compromise -- Existing Account
Access Privileged Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-14334
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:4127
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Satellite 6.7.4 Async Bug Fix Update
Advisory ID: RHSA-2020:4127-01
Product: Red Hat Satellite 6
Advisory URL: https://access.redhat.com/errata/RHSA-2020:4127
Issue date: 2020-09-30
CVE Names: CVE-2020-14334
=====================================================================
1. Summary:
Updated Satellite 6.7 packages that fix several bugs are now available for
Red Hat Satellite.
2. Relevant releases/architectures:
Red Hat Satellite 6.7 - noarch
Red Hat Satellite Capsule 6.7 - noarch
3. Description:
Red Hat Satellite is a system management solution that allows organizations
to configure and maintain their systems without the necessity to provide
public Internet access to their servers or other client systems. It
performs provisioning and configuration management of predefined standard
operating environments.
Security Fix(es):
* foreman: unauthorized cache read on RPM-based installations through local
user (CVE-2020-14334)
This update fixes the following bugs:
1305773 - Changing Content View of a Content Host needs to better inform
the user around client needs
1666324 - The Host configuration chart shows 100% even if few hosts are
not in sync or reporting.
1781875 - Red Hat Inventory Uploads does not use proxy
1793416 - Searching for task requires clicking Search twice to get correct
results
1816464 - Decreased performance in GenerateApplicability in 6.6
1822564 - vmrc not working 6.7
1823396 - Hosts are rejected due to mismatch of metadata.json and actual
hosts included in satellite inventory report
1829412 - Unable to search by value of certain Hostgroup parameter
1853466 - RH Cloud -> Insights page does not report error when
rh_cloud_token setting is not set
1854711 - Sync Plan fails with 'uninitialized constant
Actions::Foreman::Exception'
1858307 - CVE-2020-14334 foreman: unauthorized cache read on RPM-based
installations through local user [rhn_satellite_6.7]
1862260 - Default job templates are not locked
1867258 - After upgrading to 6.7 and promoting content, Capsule sync is
extremely slow
Users of Red Hat Satellite are advised to upgrade to these updated
packages, which fix these bugs.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For detailed instructions how to apply this update, refer to:
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.7/html/up
grading_and_updating_red_hat_satellite/updating_satellite_server_capsule_se
rver_and_content_hosts
5. Bugs fixed (https://bugzilla.redhat.com/):
1305773 - Changing Content View of a Content Host needs to better inform the user around client needs
1666324 - The Host configuration chart shows 100% even if few hosts are not in sync or reporting.
1781875 - Red Hat Inventory Uploads does not use proxy
1793416 - Searching for task requires clicking Search twice to get correct results
1816464 - Decreased performance in GenerateApplicability in 6.6
1822564 - vmrc not working 6.7
1823396 - Hosts are rejected due to mismatch of metadata.json and actual hosts included in satellite inventory report
1829412 - Unable to search by value of certain Hostgroup parameter
1853466 - RH Cloud -> Insights page does not report error when rh_cloud_token setting is not set
1854711 - Sync Plan fails with 'uninitialized constant Actions::Foreman::Exception'
1858284 - CVE-2020-14334 foreman: unauthorized cache read on RPM-based installations through local user
1862260 - Default job templates are not locked
1867258 - After upgrading to 6.7 and promoting content, Capsule sync is extremely slow
6. Package List:
Red Hat Satellite Capsule 6.7:
Source:
foreman-1.24.1.28-3.el7sat.src.rpm
foreman-proxy-1.24.1-3.el7sat.src.rpm
pulp-2.21.0.4-1.el7sat.src.rpm
satellite-6.7.4-1.el7sat.src.rpm
noarch:
foreman-debug-1.24.1.28-3.el7sat.noarch.rpm
foreman-proxy-1.24.1-3.el7sat.noarch.rpm
foreman-proxy-journald-1.24.1-3.el7sat.noarch.rpm
pulp-admin-client-2.21.0.4-1.el7sat.noarch.rpm
pulp-maintenance-2.21.0.4-1.el7sat.noarch.rpm
pulp-nodes-child-2.21.0.4-1.el7sat.noarch.rpm
pulp-nodes-common-2.21.0.4-1.el7sat.noarch.rpm
pulp-nodes-parent-2.21.0.4-1.el7sat.noarch.rpm
pulp-selinux-2.21.0.4-1.el7sat.noarch.rpm
pulp-server-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-agent-lib-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-bindings-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-client-lib-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-common-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-oid_validation-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-repoauth-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-streamer-2.21.0.4-1.el7sat.noarch.rpm
satellite-capsule-6.7.4-1.el7sat.noarch.rpm
satellite-common-6.7.4-1.el7sat.noarch.rpm
satellite-debug-tools-6.7.4-1.el7sat.noarch.rpm
Red Hat Satellite 6.7:
Source:
foreman-1.24.1.28-3.el7sat.src.rpm
foreman-proxy-1.24.1-3.el7sat.src.rpm
pulp-2.21.0.4-1.el7sat.src.rpm
satellite-6.7.4-1.el7sat.src.rpm
tfm-rubygem-foreman-tasks-0.17.5.8-1.el7sat.src.rpm
tfm-rubygem-foreman_ansible-4.0.3.8-1.el7sat.src.rpm
tfm-rubygem-foreman_openscap-2.0.2.1-1.el7sat.src.rpm
tfm-rubygem-foreman_rh_cloud-1.0.10-1.el7sat.src.rpm
tfm-rubygem-katello-3.14.0.31-1.el7sat.src.rpm
noarch:
foreman-1.24.1.28-3.el7sat.noarch.rpm
foreman-cli-1.24.1.28-3.el7sat.noarch.rpm
foreman-debug-1.24.1.28-3.el7sat.noarch.rpm
foreman-ec2-1.24.1.28-3.el7sat.noarch.rpm
foreman-gce-1.24.1.28-3.el7sat.noarch.rpm
foreman-journald-1.24.1.28-3.el7sat.noarch.rpm
foreman-libvirt-1.24.1.28-3.el7sat.noarch.rpm
foreman-openstack-1.24.1.28-3.el7sat.noarch.rpm
foreman-ovirt-1.24.1.28-3.el7sat.noarch.rpm
foreman-postgresql-1.24.1.28-3.el7sat.noarch.rpm
foreman-proxy-1.24.1-3.el7sat.noarch.rpm
foreman-proxy-journald-1.24.1-3.el7sat.noarch.rpm
foreman-rackspace-1.24.1.28-3.el7sat.noarch.rpm
foreman-telemetry-1.24.1.28-3.el7sat.noarch.rpm
foreman-vmware-1.24.1.28-3.el7sat.noarch.rpm
pulp-admin-client-2.21.0.4-1.el7sat.noarch.rpm
pulp-maintenance-2.21.0.4-1.el7sat.noarch.rpm
pulp-selinux-2.21.0.4-1.el7sat.noarch.rpm
pulp-server-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-bindings-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-client-lib-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-common-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-oid_validation-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-repoauth-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-streamer-2.21.0.4-1.el7sat.noarch.rpm
satellite-6.7.4-1.el7sat.noarch.rpm
satellite-capsule-6.7.4-1.el7sat.noarch.rpm
satellite-cli-6.7.4-1.el7sat.noarch.rpm
satellite-common-6.7.4-1.el7sat.noarch.rpm
satellite-debug-tools-6.7.4-1.el7sat.noarch.rpm
tfm-rubygem-foreman-tasks-0.17.5.8-1.el7sat.noarch.rpm
tfm-rubygem-foreman_ansible-4.0.3.8-1.el7sat.noarch.rpm
tfm-rubygem-foreman_openscap-2.0.2.1-1.el7sat.noarch.rpm
tfm-rubygem-foreman_rh_cloud-1.0.10-1.el7sat.noarch.rpm
tfm-rubygem-katello-3.14.0.31-1.el7sat.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-14334
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX3SFCNzjgjWX9erEAQj/vw/+MbhzTnUsm6nWumrFzA6TgklXqIs3WPRD
FOylT3DVGa4B4zKBBoICMyjF5Vq1XN1fYhYKc+DYWNd3XKKZBD/tF78qzWz+DHe4
pVwr9eTBaTewzZIJEFQ32uOWBNQKxHqOe029twQCZp53Jv61UFS8pFw1w6vZj4MV
dNKZj/CStfARm6ucsQHRcW8DdNBL02Jr4NGaQV8MLn/qhO6d8S+q3+3WtsYprQqt
A+LrYj0iIl9CZPS5486nHgPUlZ1aoFOSooeO426Eyi901hh8jStt9FiXZIJAkuDH
13icrsdcc+rUhshdzRwB0UpKcBxx+2IWvAtXvoMACgkw9Cf+a3Ogg5BSMUoqJc1l
s/bl8HqyzOO+6fvQvSH4NVfDqu35oUDRAdV3MRL8bAtU31+LFDKZ6ypttz0e4DbM
0YfLTPskPAmIXwNm5e9/S9KV/v6o8CAB7x36J9CRpKyO0dZEtqq9xkb+6Gi9cAj7
EFv3jA3V8/3ToTvjnClHeT88aq2mO1tLu7MRDAZx+JQM5LIpM/nNdBzscBhNpKhb
cIZ/q7QriVm+ncW3RrqL/7PVXY2jm3egqLfE8Ht3c54jqIy8JpxAH6AvrZ8Ayzvm
DXxK3GYo20I1iUUu+8cdsNwASM1OAwKbN+4T2/E59yFrEHQw5lbSI94W1/DA+6fn
XHE6J8DFynQ=
=6gjZ
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX3UjH+NLKJtyKPYoAQi7+A/+OWZCrQprX5eOrork4gBtqtatOEkgNX5i
L6PylItDoo/FewuEkKn6pF1cPvuVxaGSf/ZNhHuRWMY33Ys5SEdbrDQwODW14OiU
teQ+XjkQ3a8d+FBIDu+ocEhq1nScXt5TbNMyK2GStyaxbipBrDi6iRzOlrSoZehs
/jyitA5O+Lz7hUrQff1GzE0qcS7UDPq885yo3B8tBXUSDW8ZejNaBYV+vdJf0Yvx
S/8PUvYDpfJnukZ/RtFaJHtt6exI03pRrQF0zDvEljeym/VGo8NfGbJJ+dCyVKC9
TLsRj7xhuI8zOKmv/ee7AVGdEwPN+2PXGRmHEuuLwxP6ur+BtWlbYEv4bYcZu6eL
t902yPUDwKope+iZPb7tcX0nCoREFk9HA62UxW68tE1z3P9vB8Wt33qdmHUTTUAQ
LRuuhSb0y3Nnfq4/YXAXOdNqbafSICski9v6hGn64f1Q6C8m6coGxAnHcjWrN2f2
cRjQPDErQQ08stxnKKb+jUX7fitsot6n2x5h3pYz6aEctRF760Xm1C6oBySyaoAq
0OedkE5UUzsshn4w+Ba0XbvcOSMmVTf5IEN3h/qKYIU0zNOVYDdqh6Va4aC7JgXt
IHc9IXTGOoSuWS7Np5r7czYS5HQxtw0ghIWh/iwfpRWMQM1Cqis+JW591yzO2Fnp
fOcxsi9dnf4=
=ZtlO
-----END PGP SIGNATURE-----