-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3408
                  Satellite 6.7.4 Async Bug Fix Update
                               1 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Satellite 6
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Root Compromise        -- Existing Account
                   Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14334

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:4127

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Satellite 6.7.4 Async Bug Fix Update
Advisory ID:       RHSA-2020:4127-01
Product:           Red Hat Satellite 6
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4127
Issue date:        2020-09-30
CVE Names:         CVE-2020-14334
=====================================================================

1. Summary:

Updated Satellite 6.7 packages that fix several bugs are now available for
Red Hat Satellite.

2. Relevant releases/architectures:

Red Hat Satellite 6.7 - noarch
Red Hat Satellite Capsule 6.7 - noarch

3. Description:

Red Hat Satellite is a system management solution that allows organizations
to configure and maintain their systems without the necessity to provide
public Internet access to their servers or other client systems. It performs
provisioning and configuration management of predefined standard operating
environments.
Security Fix(es):

* foreman: unauthorized cache read on RPM-based installations through local
user (CVE-2020-14334)

This update fixes the following bugs:

1305773 - Changing Content View of a Content Host needs to better inform the user around client needs
1666324 - The Host configuration chart shows 100% even if few hosts are not in sync or reporting.
1781875 - Red Hat Inventory Uploads does not use proxy
1793416 - Searching for task requires clicking Search twice to get correct results
1816464 - Decreased performance in GenerateApplicability in 6.6
1822564 - vmrc not working 6.7
1823396 - Hosts are rejected due to mismatch of metadata.json and actual hosts included in satellite inventory report
1829412 - Unable to search by value of certain Hostgroup parameter
1853466 - RH Cloud -> Insights page does not report error when rh_cloud_token setting is not set
1854711 - Sync Plan fails with 'uninitialized constant Actions::Foreman::Exception'
1858307 - CVE-2020-14334 foreman: unauthorized cache read on RPM-based installations through local user [rhn_satellite_6.7]
1862260 - Default job templates are not locked
1867258 - After upgrading to 6.7 and promoting content, Capsule sync is extremely slow

Users of Red Hat Satellite are advised to upgrade to these updated packages,
which fix these bugs.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For detailed instructions on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.7/html/upgrading_and_updating_red_hat_satellite/updating_satellite_server_capsule_server_and_content_hosts

5. Bugs fixed (https://bugzilla.redhat.com/):

1305773 - Changing Content View of a Content Host needs to better inform the user around client needs
1666324 - The Host configuration chart shows 100% even if few hosts are not in sync or reporting.
1781875 - Red Hat Inventory Uploads does not use proxy
1793416 - Searching for task requires clicking Search twice to get correct results
1816464 - Decreased performance in GenerateApplicability in 6.6
1822564 - vmrc not working 6.7
1823396 - Hosts are rejected due to mismatch of metadata.json and actual hosts included in satellite inventory report
1829412 - Unable to search by value of certain Hostgroup parameter
1853466 - RH Cloud -> Insights page does not report error when rh_cloud_token setting is not set
1854711 - Sync Plan fails with 'uninitialized constant Actions::Foreman::Exception'
1858284 - CVE-2020-14334 foreman: unauthorized cache read on RPM-based installations through local user
1862260 - Default job templates are not locked
1867258 - After upgrading to 6.7 and promoting content, Capsule sync is extremely slow

6. Package List:

Red Hat Satellite Capsule 6.7:

Source:
foreman-1.24.1.28-3.el7sat.src.rpm
foreman-proxy-1.24.1-3.el7sat.src.rpm
pulp-2.21.0.4-1.el7sat.src.rpm
satellite-6.7.4-1.el7sat.src.rpm

noarch:
foreman-debug-1.24.1.28-3.el7sat.noarch.rpm
foreman-proxy-1.24.1-3.el7sat.noarch.rpm
foreman-proxy-journald-1.24.1-3.el7sat.noarch.rpm
pulp-admin-client-2.21.0.4-1.el7sat.noarch.rpm
pulp-maintenance-2.21.0.4-1.el7sat.noarch.rpm
pulp-nodes-child-2.21.0.4-1.el7sat.noarch.rpm
pulp-nodes-common-2.21.0.4-1.el7sat.noarch.rpm
pulp-nodes-parent-2.21.0.4-1.el7sat.noarch.rpm
pulp-selinux-2.21.0.4-1.el7sat.noarch.rpm
pulp-server-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-agent-lib-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-bindings-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-client-lib-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-common-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-oid_validation-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-repoauth-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-streamer-2.21.0.4-1.el7sat.noarch.rpm
satellite-capsule-6.7.4-1.el7sat.noarch.rpm
satellite-common-6.7.4-1.el7sat.noarch.rpm
satellite-debug-tools-6.7.4-1.el7sat.noarch.rpm

Red Hat Satellite 6.7:

Source:
foreman-1.24.1.28-3.el7sat.src.rpm
foreman-proxy-1.24.1-3.el7sat.src.rpm
pulp-2.21.0.4-1.el7sat.src.rpm
satellite-6.7.4-1.el7sat.src.rpm
tfm-rubygem-foreman-tasks-0.17.5.8-1.el7sat.src.rpm
tfm-rubygem-foreman_ansible-4.0.3.8-1.el7sat.src.rpm
tfm-rubygem-foreman_openscap-2.0.2.1-1.el7sat.src.rpm
tfm-rubygem-foreman_rh_cloud-1.0.10-1.el7sat.src.rpm
tfm-rubygem-katello-3.14.0.31-1.el7sat.src.rpm

noarch:
foreman-1.24.1.28-3.el7sat.noarch.rpm
foreman-cli-1.24.1.28-3.el7sat.noarch.rpm
foreman-debug-1.24.1.28-3.el7sat.noarch.rpm
foreman-ec2-1.24.1.28-3.el7sat.noarch.rpm
foreman-gce-1.24.1.28-3.el7sat.noarch.rpm
foreman-journald-1.24.1.28-3.el7sat.noarch.rpm
foreman-libvirt-1.24.1.28-3.el7sat.noarch.rpm
foreman-openstack-1.24.1.28-3.el7sat.noarch.rpm
foreman-ovirt-1.24.1.28-3.el7sat.noarch.rpm
foreman-postgresql-1.24.1.28-3.el7sat.noarch.rpm
foreman-proxy-1.24.1-3.el7sat.noarch.rpm
foreman-proxy-journald-1.24.1-3.el7sat.noarch.rpm
foreman-rackspace-1.24.1.28-3.el7sat.noarch.rpm
foreman-telemetry-1.24.1.28-3.el7sat.noarch.rpm
foreman-vmware-1.24.1.28-3.el7sat.noarch.rpm
pulp-admin-client-2.21.0.4-1.el7sat.noarch.rpm
pulp-maintenance-2.21.0.4-1.el7sat.noarch.rpm
pulp-selinux-2.21.0.4-1.el7sat.noarch.rpm
pulp-server-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-bindings-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-client-lib-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-common-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-oid_validation-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-repoauth-2.21.0.4-1.el7sat.noarch.rpm
python-pulp-streamer-2.21.0.4-1.el7sat.noarch.rpm
satellite-6.7.4-1.el7sat.noarch.rpm
satellite-capsule-6.7.4-1.el7sat.noarch.rpm
satellite-cli-6.7.4-1.el7sat.noarch.rpm
satellite-common-6.7.4-1.el7sat.noarch.rpm
satellite-debug-tools-6.7.4-1.el7sat.noarch.rpm
tfm-rubygem-foreman-tasks-0.17.5.8-1.el7sat.noarch.rpm
tfm-rubygem-foreman_ansible-4.0.3.8-1.el7sat.noarch.rpm
tfm-rubygem-foreman_openscap-2.0.2.1-1.el7sat.noarch.rpm
tfm-rubygem-foreman_rh_cloud-1.0.10-1.el7sat.noarch.rpm
tfm-rubygem-katello-3.14.0.31-1.el7sat.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14334
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
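The package list in section 6 above gives the fixed name-version-release of each affected package. As an added check that is not part of the Red Hat or AusCERT bulletin, the following Python script compares `rpm -qa` output against those fixed builds using a simplified reimplementation of RPM's version comparison (it ignores epochs and rpm's tilde/caret rules, an assumption noted in the code); the `rpm -qa` sample is constructed, and the FIXED table covers only a subset of the advisory's packages.

```python
import re
# Fixed (version, release) pairs copied from the advisory's package list;
# a subset only, the remaining noarch packages can be added the same way.
FIXED = {
    "foreman": ("1.24.1.28", "3.el7sat"),
    "foreman-proxy": ("1.24.1", "3.el7sat"),
    "satellite": ("6.7.4", "1.el7sat"),
}

def rpmvercmp(a, b):
    """Simplified rpmvercmp: split into digit/alpha runs, compare in order.
    Assumption: epochs and rpm's '~' / '^' rules are not handled here."""
    sa, sb = re.findall(r"[0-9]+|[a-zA-Z]+", a), re.findall(r"[0-9]+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric sorts newer than alpha
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(line):
    """Split 'name-version-release.arch' as printed by 'rpm -qa'."""
    m = re.match(r"^(.+)-([^-]+)-([^-]+)\.([^.]+)$", line.strip())
    return m.groups() if m else None

def check(rpm_qa_output):
    """Map each advisory package found in the output to 'fixed' or 'VULNERABLE'."""
    status = {}
    for line in rpm_qa_output.splitlines():
        parsed = parse_nvra(line)
        if not parsed or parsed[0] not in FIXED:
            continue  # not an RPM line, or not covered by RHSA-2020:4127
        name, ver, rel, _arch = parsed
        fixed_ver, fixed_rel = FIXED[name]
        order = rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)
        status[name] = "fixed" if order >= 0 else "VULNERABLE"
    return status

# Constructed 'rpm -qa' sample: foreman is still on a pre-advisory build.
SAMPLE = """\
foreman-1.24.1.24-1.el7sat.noarch
foreman-proxy-1.24.1-3.el7sat.noarch
satellite-6.7.4-1.el7sat.noarch
bash-4.2.46-34.el7.x86_64
"""
print(check(SAMPLE))  # {'foreman': 'VULNERABLE', 'foreman-proxy': 'fixed', 'satellite': 'fixed'}
```

On a real Satellite or Capsule host, feed it the output of `rpm -qa` instead of SAMPLE; a package reported as fixed still needs its RPM signature verified against the Red Hat key referenced in section 6.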