-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: spacewalk-java security update
Advisory ID:       RHSA-2015:0957-01
Product:           Red Hat Satellite
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0957.html
Issue date:        2015-05-11
CVE Names:         CVE-2014-8162
=====================================================================

1. Summary:

Updated spacewalk packages that fix one security issue are now available
for Red Hat Satellite 5.7.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available from the CVE link in the References
section.

2. Relevant releases/architectures:

Red Hat Satellite 5.7 (RHEL v.6) - noarch

3. Description:

Red Hat Satellite is a system management tool for Linux-based
infrastructures. It allows for provisioning, monitoring, and remote
management of multiple Linux deployments with a single, centralized tool.

It was found that the RPC interface in Satellite would resolve external
entities, allowing an attacker to conduct XML External Entity (XXE) attacks.
A remote attacker could use this flaw to read files accessible to the user
running the Satellite server, and potentially perform other more advanced
XXE attacks. (CVE-2014-8162)

Red Hat would like to thank Travis Emmert for reporting this issue.

All spacewalk users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1187339 - CVE-2014-8162 Satellite5: RPC API XML External Entities file disclosure

6. Package List:

Red Hat Satellite 5.7 (RHEL v.6):

Source:
spacewalk-java-2.3.8-103.el6sat.src.rpm
spacewalk-setup-2.3.0-17.el6sat.src.rpm

noarch:
spacewalk-java-2.3.8-103.el6sat.noarch.rpm
spacewalk-java-config-2.3.8-103.el6sat.noarch.rpm
spacewalk-java-lib-2.3.8-103.el6sat.noarch.rpm
spacewalk-java-oracle-2.3.8-103.el6sat.noarch.rpm
spacewalk-java-postgresql-2.3.8-103.el6sat.noarch.rpm
spacewalk-setup-2.3.0-17.el6sat.noarch.rpm
spacewalk-taskomatic-2.3.8-103.el6sat.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-8162
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVUOnxXlSAg2UNWIIRApmPAKCWVXrdI7FNTNbkp3eHbCOCB+qBFACgojU+
OWYS/d0CkfNzl7/btNbAp9Y=
=5RMi
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
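The class of fix the Description section calls for, as an added Python example that is neither the advisory's text nor Spacewalk's own (Java) code: an XML-RPC front end that refuses any request carrying a DTD before the request reaches the unmarshaller, since XML-RPC never needs a DTD and without one no external entity can be declared or resolved. Both requests below are constructed samples; the method name, session key and the entity's file target are placeholders.

```python
import xml.parsers.expat
import xmlrpc.client

# Constructed sample requests for this example (not taken from the advisory).
SAFE_REQUEST = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>system.listSystems</methodName>
  <params><param><value><string>SESSION-KEY-PLACEHOLDER</string></value></param></params>
</methodCall>"""

# The same call carrying a DTD that declares an external entity (target is a placeholder).
XXE_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER"> ]>
<methodCall>
  <methodName>system.listSystems</methodName>
  <params><param><value><string>&ext;</string></value></param></params>
</methodCall>"""

class DtdNotAllowed(ValueError):
    """The request carried a DOCTYPE or an entity declaration."""

def reject_dtd(xml_bytes: bytes) -> None:
    """Pre-parse with expat purely to detect a DTD. XML-RPC never needs one,
    so refusing any DTD outright is simpler and safer than filtering entities."""
    parser = xml.parsers.expat.ParserCreate()
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed("DOCTYPE in XML-RPC request: %s" % name)
    def on_entity(*decl):
        raise DtdNotAllowed("entity declaration in XML-RPC request")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Belt and braces: never load parameter entities even if a DTD slipped past.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_bytes, True)

def is_acceptable(xml_bytes: bytes) -> bool:
    """True when the request passes the DTD check, False when it is rejected."""
    try:
        reject_dtd(xml_bytes)
    except DtdNotAllowed:
        return False
    return True

def parse_request(xml_bytes: bytes):
    """Unmarshal the XML-RPC call only after the DTD check has passed."""
    reject_dtd(xml_bytes)
    params, method = xmlrpc.client.loads(xml_bytes)
    return method, params
```

The check runs before any value is unmarshalled, so a rejected request never has its entities expanded, and the rejection message gives a defender a clean log line for alerting on DTD-bearing RPC traffic.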