-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: CFME 5.6.1 security, bug fix, and enhancement update
Advisory ID:       RHSA-2016:1634-02
Product:           Red Hat CloudForms
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-1634.html
Issue date:        2016-08-18
Cross references:  RHBA-2016:22329
CVE Names:         CVE-2016-5383
=====================================================================

1. Summary:

An update for cfme is now available for Red Hat CloudForms 4.1.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.6 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* It was found that the CloudForms web UI did not properly filter input in
certain fields. A remote, authenticated attacker could use this flaw to
execute arbitrary code on the system running CloudForms. (CVE-2016-5383)

This issue was discovered by Eric Hayes (Red Hat).

Additional Changes:

This update also fixes several bugs and adds various enhancements.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1240443 - Catalog Item : Changing the provider template after filling all tabs shows error
1255389 - [Scale] - Large render time on Configure -> Configuration -> Access Control administration page with large scale environment
1273404 - Optimize Planning does not show duplicate VMs
1278003 - SmartState analysis fails for users Last Logon on RHEL7 hosts
1284084 - Refresh Relationships on SCVMM Provider throws ERROR if any VM contains 2 DVD drives.
1295523 - Editing catalog item when the template used is removed form provider : undefined method `fulltree_arranged' for nil:NilClass [catalog/tree_select]
1316842 - /System/Process/Event should not be displayed as a valid entry point for Automate Simulation
1335669 - Automate | Assertion with failed substitution should raise error
1337676 - Ceilometer events does not work with openstack mitaka
1338754 - Containers -- Providers -- Tile View - Port number is shown incorrectly
1338957 - [RFE] - Changes to the existing Utilisation Reporting for Red Hat products
1340072 - parent tenant name changes are not reflected via the api
1341665 - Error "Invalid input [cloud_volume/create]" on add new cloud volume
1341666 - UI: 'Perform SmartState Analysis' for Datastore shows wrong flash message(No Datastores were selected for Analysis)
1341667 - Smart State Analysis timed out scans are not displayed as "timed out" in CFME
1341668 - After selecting any container's Relationship from Containers List, the path label will show incorrect path
1341669 - remove delete cloud volume if its not supported
1341670 - Dialog content not fully displayed
1341671 - False flash message displayed when clicked on commit while importing service dialog
1342122 - monitoring button appears after policy button in the containers tab while appears before on all other pages
1342220 - Scale down compute node does not remove nova service from the removed compute node
1342221 - timeline page should not have dashboard and summary view
1342222 - inconsistency on the monitoring button between pages
1343515 - 5.6.0.8 memory usage is ~370MiB higher than 5.5.4.2 when idle
1343720 - Azure Smart State not capturing expected details for Ubuntu VM.
1343721 - missing scroll bar on capacity planning " Reference VM Selection "
1343723 - Remove "Middleware" from the Product features tree in Access control
1344050 - Replication stops if network connection is lost for over 60s
1344327 - Terminate instance term is confusing
1344328 - SSUI - Filters are not working correctly for "Pending" requests
1344329 - Flash message not displayed long enough on widget import/export page
1344330 - [ja_JP] Translation issues on cloud intelligence->reports->edit report menus page
1344331 - [ALL LANG] No fully localized on Clouds -> Providers page.
1346036 - [Bug] Optimize: Utilization by Classification Throws Exception
1346037 - VMware VM Reconfigure Add Disk fails when a new SCSI controller is needed
1346057 - Add container nodes, pods and replicators to Control
1346312 - [RFE] sort flavors by their size
1346443 - [RFE] GCE image not prepared for use on Google Compute Platform
1346909 - Retired instance can be resumed from provider side and it is not powered off.
1346951 - [RFE] "NoMethodError: undefined method `where' for MiqAeMethodService::MiqAeServiceClassification:Class"
1346956 - Tag Control issues on service dialogue imports between appliances
1346968 - Catalog Item : Editing a catalog item after deleting provider shows error
1346991 - [RFE] The OpenShift provider should use the proxy configured in CloudForms
1347018 - When quota source is group display quota exceed message for which the quota is validated for
1347695 - Unexpected error when sorting "instances" column in network manager security groups
1348221 - Apply button enabled after a failed attempt to upload invalid file for importing tags
1348630 - Show cloud Tenant field in cloud image summary page.
1348632 - CFME 4.0 session setting necessary for proper CFME operation in Load Balancer environment is no longer acceptable and causes worker failures
1348636 - [ALL LANG] Unlocalized strings on cloud intelligence->reports->dashboard widgets page.
1348638 - [RFE] - Need default validation for data type on TextBox fields when submitting Dialog (Web UI)
1348645 - [ja_JP] Translation issues on cloud intelligence->reports->import/export page
1348650 - Policy Simulation detail page blank for VM sub lists (i.e. on Provider or Host)
1348651 - Add new Cloud volume fails
1348989 - Start rhevm vm with use_cloud_init flag on first boot
1349060 - [ja_JP] Translation issues on Services -> Workloads -> Templates & Images page
1349061 - [ja_JP] Translation issues on cloud intelligence->chargeback->rates page
1349062 - [Scale] perf_capture_timer message timeout, cycles Generic/Priority Workers
1349063 - [RFE] Set API port to 13000 for SSL enabled Openstack providers
1349410 - Provider name should be included for Chargeback reports for infra and cloud VMs
1349414 - Unexpected error when clicked on upload button in import custom reports
1349417 - Reconfigure instance fails in html error
1349418 - Control/Simulation expand all icon is missing
1349419 - "Expand All" button is broken in container image compliance history
1349421 - memory metric not being rolled up to OSP Availability zones
1349426 - [Ansible Tower] Tower stack cannot be retired
1349427 - Policy profiles actions unclickable
1349482 - Since update cannot obtain tenant inventory data from OpenStack ( NON RH OPENSTACK VERSION! )
1349624 - Error:"no implicit conversion of Symbol into Integer" when clicked on download in VM comparison page
1349625 - Creating provisioning dialog with no type chosen(default used named Choose)
1349626 - Floating IPs have no displayed names in Grid View
1349627 - Hovering on 'Select host to validate against' drop down on Host credential page displays "<Choose>"
1349628 - Sorting select form is turn rounded in Virtual Machines
1349630 - "Adress" typo in sorting options
1349631 - Websockets icon missing in diagnostics
1349636 - Default view settings fails for some pages
1349637 - Remove Hand pointer from edit timeprofile page
1349869 - CFME provisioning on RHEV limited to max 4096GB of memory
1349876 - SSUI : Blank virtual machine row is displayed for service with no VM
1349988 - RBAC:Unexpected error when clicked on VM in "EVM: Recently Discovered VMs" widget of tenant user
1349989 - Services: Setting a Retirement Dates/ Retiring for a service shows error in log
1350448 - Azure request remains Active even after instance is fully provisioned
1350449 - CF does not notice RHEV VMs being suspended
1350592 - Error:Uninitialized constant ApplicationHelper in production.log when clicked on configured system in Red Hat Satellite Provider
1350593 - All Ansible tower provider configured systems are getting listed under satellite provider in accordion
1350594 - Error "uninitialized constant ProviderForemanController.." when downloading summary of inventory group in Ansible tower
1350842 - Warnings about session threshold
1350903 - Service order through API does not auto approve
1350904 - Widget import 'select all' button doesn't work
1350905 - 'Show host events' check box not needed on datastore bottleneck page
1350906 - Suspicious values in Chargeback for Containers
1351176 - Provisioning requests are not been transmitted successfully from the global region to the local region - getting "500 Internal Server Error" message
1351177 - Appliance_console crash
1351178 - RedHat Domain - Change placement methods to avoidA read-only datastores
1351669 - default repo's stored in the appliance are incorrect
1351674 - C&U : Performance metrics collection fails for Azure
1351678 - [Release Candidate] validation skipped on azure when subscription id is populated
1351696 - Unexpected error when clicked on download button in Timelines
1352011 - Cannot specify security_protocol when creating a cloud provider via the API
1352012 - Extra Vars not passed to Ansible Tower when using custom state machines in service catalog
1352014 - [Ansible Tower 3.0] Unsupported media type "application/x-www-form-urlencoded" in request
1352027 - Filters are missing in both cloud and infrastructure providers
1352134 - log: first installation shows git error in evm.log
1353201 - [RFE] Tagging on Ansible Template Jobs
1353228 - Key Pairs: wrong quadicon displayed
1353231 - Automate | Services | Remove ConfigureChildDialog method and state value.
1353233 - ManageIQ Automate domain cleanup
1353234 - Openstack cloud provider not disabled Timelines subbutton when no events available
1353235 - Monitoring button in EC2 cloud provider summary should be disabled
1353237 - Add India, Australia and US Gov regions for Azure
1353239 - Database garbage collection errs with undefined local variable or method `current_db_opts' for #
1353240 - Quota enforcement for user as quota source does not work
1353243 - Service : Azure service catalog request fails with error
1353253 - Configuration database pagination is broken for tables and indexes
1353255 - add instance to trigger miqevents from a button
1353258 - When clicked on reload button it throws an error in log:RoutingError (No route matches [POST] "/miq_capacity/reload")
1353260 - Error"undefined method `length' for nil:NilClass" in download link of template summary page
1353277 - Wrong html markup in SNMP section of an Alert
1353279 - Dashboard widgets menu Minimize/Maximize improper mouseover
1353285 - SCVMM Refresh fails if there is a Recovery Partition or a partition with no drive letter.
1353287 - RubyRep replication in CFME 5.5.3.4 failing in large multi region environment
1353288 - provision_requests call with a request_type "clone_to_vm" fails with undefined method datacenter_name
1353290 - UI Constants need to use delayed translations
1353292 - Tenant Quota widget needs formatting
1353294 - UX: Automate - Configuration button is not present in read-only domains until there is a writeable domain available
1353299 - Clear filter in datastores should lead to All Datastores
1353300 - All datastores add clear link after advanced search open and close
1353302 - Unexpected error encountered during reconfiguration
1353308 - hosts fail to archive upon provider deletion
1353310 - Importing a service dialog should invalidate Service Dialogs tree cache to rebuild it with current dialogs
1353323 - Inventory refresh doesn't work with version 4 of oVirt
1353324 - [ja_JP] Translations are missing in 'Cloud Intel' menu and its sub menu's pages
1353326 - [ja_JP, zh_CN] Many strings on Compute ->Containers -> Overview page are untranslated.
1353587 - New company tags not listed alphabetically
1353646 - In Network Providers are My Filters unclickable
1353647 - Sorting "Total Configured Systems" in Inventory Groups under Ansible Tower Provider fails.
1353651 - Unable to change zone setting of a configuration management provider
1353657 - Inconsistency in NOR values on VM summary page and Right size recommendation page
1353717 - Report listing empty after canceling "Add a new schedule"
1353719 - Azure Hard/Soft Reboot not working.
1353722 - CVE-2016-5383 CloudForms: Lack of field filters on user input
1353974 - Truncate miq_request user_message length.
1354562 - vms deployed in a multi-cluster rhevm environment are tied to the cluster of the template
1355785 - It should be possible to define/modify the relevant hawkular endpoint
1355786 - Incorrect options listed for host related actions while adding a schedule
1355787 - Cloud providers security groups back button redirects me to network manager
1355788 - Unexpected error when Navigating Configuration and clicked on simulate in custom button.
1355789 - Add OpenSCAP failed rules summary
1356133 - Advanced Setting screen only shows the first 24 lines until browser resize
1356251 - User_data is being base64 encoded twice causing init script to fail for Openstack provisioning
1356256 - [RFE] SSUI should be able to set locales separately from Operations UI
1356624 - Relationship links do not work within an OSE project
1356647 - Control Explorer: Error when clicking on Edit assignments for this Alert Profile button
1356659 - Edit report menus list is hiding items, which are not in square
1356703 - CF4.0 to CF4.1 upgrade breaks Networks/Networks UI
1356704 - Errno::ECONNREFUSED: Connection refused when dynamic dialog menus are set to refresh
1356705 - CFME 4.1 appliance fail to perform logrotate for /vmdb/log and postgresql pg_log directory log files
1356973 - Dialogue Input are truncated when submitted
1357519 - Empty Overview Menu
1357520 - Unable to create a new v2_key when the old one is removed
1358037 - Fix gulp ECMDERR on older node, by forcing plato to 1.4
1358303 - Container auto-tagging from labels breaks refresh on labels with empty value
1359075 - Error when clicking on custom buttons item under Automate -> Customization -> Buttons
1359150 - Error when retiring an orchestration stack from list view
1359155 - Summary Screens: Download Summary to PDF toolbar button is missing
1359295 - immediately after upgrade from CFME 4.0 TO cfme 4.1 UI requests to separate VMDB appliance are timing out-
1359785 - Service : Not able to provision more than certain number of VM's for Google Compute Engine
1359937 - Fields observed with interval send changes multiple times if focused multiple times
1359966 - In Control - Policy & PolicyProfile don't automatically expand *all* the nodes
1360330 - Scheduled reports are emailing ever few seconds rather then just 1
1360364 - Worker nice_delta is not set in 5.6.0.13
1360384 - No cross-linking of OpenShift node to OpenStack instance
1360772 - pods are named 'container groups' in the policy explorer right cell
1360901 - "Load error! (parseerror)" in Policy Profiles and Policies explorers
1361189 - UI: Group editor/summary screen throwing an error when user has more than 5000 tags
1361237 - Watermark VMs per Provider header mismatch
1361308 - [Ansible Tower] Unable to add provider - Add button not clickable
1361610 - RubyRep fails to start after 5.5 -> 5.6 migration
1361844 - Relationship links lead to wrong menu in OSE project
1362181 - Policies explorer is recursive, doesn't show policies
1362228 - Broken image for inactive Control Policy
1362271 - Constant lookup wasn't working properly
1362654 - Azure - Discover Azure provider throws errors.
1363808 - UI: When recovering from timeout parameter page is set to zero, and causes an error in rendering the show_list page.
1364061 - Container dashboard does not show 'Aggregated Node Utilization' unless appliance timezone is UTC
1364063 - Container Image SmartState Analysis duplicate tasks and errors
1365907 - Connection to Ceilometer fails in fog/openstack
1366359 - Missing option to configure smartstate temp space
1366360 - CFME appliance console showing ManageIQ branding

6. Package List:

CloudForms Management Engine 5.6:

Source:
cfme-5.6.1.2-1.el7cf.src.rpm
cfme-appliance-5.6.1.2-1.el7cf.src.rpm
cfme-gemset-5.6.1.2-1.el7cf.src.rpm
google-compute-engine-2.0.0-1.el7cf.src.rpm
google-config-2.0.0-1.el7cf.src.rpm

noarch:
google-compute-engine-2.0.0-1.el7cf.noarch.rpm

x86_64:
cfme-5.6.1.2-1.el7cf.x86_64.rpm
cfme-appliance-5.6.1.2-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.6.1.2-1.el7cf.x86_64.rpm
cfme-debuginfo-5.6.1.2-1.el7cf.x86_64.rpm
cfme-gemset-5.6.1.2-1.el7cf.x86_64.rpm
google-config-2.0.0-1.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-5383
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/release-notes/release-notes

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXthL3XlSAg2UNWIIRAkjRAKCdeI4t67GjvxC9AvoPUAMcoV4L6ACgw2p4
VYciMpFRaafl/zcLP33oz5g=
=8FB5
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
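The practical question behind sections 4 and 6 is whether a given appliance already carries the fixed builds. Comparing RPM versions by string or by float is a classic source of false negatives in vulnerability checks (for example 5.6.0.13 versus 5.6.1.2), so the check below is an added example, not Red Hat's code or tooling, that ports rpm's EVR ordering (epoch, then version, then release, each compared with the rpmvercmp segment rules) and applies it to the package names and versions listed in this advisory. The rpm query format in the comment and the sample output are assumptions constructed for the example; the 5.6.0.13 build comes from bug 1360364 above, the google-config build is invented.

```python
"""Added example (not Red Hat's code): decide whether installed CloudForms
packages are older than the builds shipped in RHSA-2016:1634, using rpm's
own EVR ordering instead of a string or float comparison."""
import re

# Fixed builds from section 6 of the advisory. None of them carries an
# epoch, so epoch 0 is assumed for all of them.
FIXED_EVR = {
    "cfme": "0:5.6.1.2-1.el7cf",
    "cfme-appliance": "0:5.6.1.2-1.el7cf",
    "cfme-gemset": "0:5.6.1.2-1.el7cf",
    "google-compute-engine": "0:2.0.0-1.el7cf",
    "google-config": "0:2.0.0-1.el7cf",
}

# Constructed sample of what
#   rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' <names>
# could print on a partially patched appliance (assumed input, not captured
# from a real system; the google-config build is invented).
SAMPLE_RPM_QUERY = """\
cfme (none):5.6.0.13-1.el7cf
cfme-appliance (none):5.6.0.13-1.el7cf
cfme-gemset (none):5.6.1.2-1.el7cf
google-compute-engine (none):2.0.0-1.el7cf
google-config (none):1.9.0-1.el7cf
"""


def _alnum(c):
    return c.isascii() and c.isalnum()


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): 1 if a > b, -1 if a < b, 0 if equal.
    Segments are compared numerically or alphabetically, a numeric segment
    beats an alpha one, '~' sorts before anything (pre-release) and '^'
    sorts after the bare base version (post-release snapshot)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators; '~' and '^' are significant and are kept
        while i < len(a) and not _alnum(a[i]) and a[i] not in "~^":
            i += 1
        while j < len(b) and not _alnum(b[j]) and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        numeric = ca.isdigit()
        pat = r"[0-9]" if numeric else r"[A-Za-z]"
        sa = re.match(pat + "+", a[i:]).group()
        sb = re.match(pat + "*", b[j:]).group()
        i, j = i + len(sa), j + len(sb)
        if sb == "":                 # segment types differ: numeric wins
            return 1 if numeric else -1
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):   # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_evr(evr):
    """'epoch:version-release' -> (epoch, version, release). A missing
    epoch, or rpm's '(none)' spelling of it, is treated as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    if epoch == "(none)":
        epoch = "0"
    version, _, release = rest.partition("-")
    return epoch, version, release


def compare_evr(a, b):
    """Epoch first, then version, then release, each under rpmvercmp."""
    for x, y in zip(split_evr(a), split_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def unpatched_packages(rpm_query_output, fixed=FIXED_EVR):
    """Names of listed packages whose installed EVR is below the fixed EVR.
    Packages the advisory does not mention are ignored."""
    older = []
    for line in rpm_query_output.splitlines():
        if not line.strip():
            continue
        name, installed = line.split(None, 1)
        if name in fixed and compare_evr(installed, fixed[name]) < 0:
            older.append(name)
    return older


if __name__ == "__main__":
    for name in unpatched_packages(SAMPLE_RPM_QUERY):
        print(f"{name}: older than {FIXED_EVR[name]} from RHSA-2016:1634")
```

On a real appliance the input would come from the rpm query named in the comment; the comparison itself is what matters, since "5.6.0.13" sorts above "5.6.1.2" as a plain string and a float conversion fails outright. Verifying the downloaded packages against the Red Hat key linked in section 6 (for example with rpm's `--checksig`) is a separate step that this example does not replace.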