-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: CFME 4.1 bug fixes and enhancement update Advisory ID: RHSA-2016:1996-01 Product: Red Hat CloudForms Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1996.html Issue date: 2016-10-04 Cross references: RHSA-2016:1634 CVE Names: CVE-2016-7040 ===================================================================== 1. Summary: Updated cfme packages that fix bugs and add various enhancements are now available for Red Hat CloudForms 4.1. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: CloudForms Management Engine 5.6 - noarch, x86_64 3. Description: Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components. * An input validation flaw was found in the way CloudForms regular expressions were passed to the expression engine via the JSON API and the web-based UI. A user with the ability to view collections and filter them could use this flaw to execute arbitrary shell commands on the host with the privileges of the CloudForms process. (CVE-2016-7040) This issue was discovered by Tim Wade (Red Hat). Additional Changes: This update fixes bugs and adds various enhancements. Documentation for these changes is available in the Release Notes linked to in the References section. All CFME users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1337552 - Common datastore across multiple vcenter causes inventory confusion for provisions 1337577 - service requests don't show dynamic drop down selections 1343517 - When using external auth and removing a user from all groups the user's groups are not updated and he is still able to log-in to CFME Web-UI 1343717 - Openstack cloud provider - when using Keystone v3 domain for registration we need to ignore the projects that the user doesn't have access to 1343719 - Provisioning from RHEVM 3.6 template loses template boot sequence 1346953 - [RFE] Unable to set number_of_vms in non-generic service catalog items 1346989 - [RFE] Keystone domains support 1346990 - VM refreshes are failing but the message status from each of the EmsRefresh.refresh commands shows 'ok' in error 1347278 - [RFE] - lifecycle button missing from cloud images 1347330 - [ja_JP] Translations are missing in 'Compute'-'Clouds' menu and its sub menus 1347692 - [ja_JP] Translation issues on cloud intelligence->chargeback->assignments page. 1348631 - CPU Right Size recommendations only take into account CPU sockets, not cores per socket 1348637 - [ja_JP] Translation issues observed on cloud intelligence->Reports->reports page. 1348644 - [ja_JP] Translation issues on Services -> Requests page 1348648 - [ja_JP] Translations are missing in Compute-Services menu 1348649 - [ALL LANG] All contents are unlocalized under Control->Log. 1349059 - [ja_JP] Translations are either misplaced or missing on Settings->Configuration->Settings 1349423 - Dynamic Dropdown list of AWS instance Type for AWS GovCloud seems to be returning instance types that are not supported by AWS GovCloud 1351332 - [RFE] [SDN] - No providers tags relations displayed in Tolopogy 1352016 - Missing policy button on some of the Network Manager Relationship pages 1353291 - String interpolations must not be present in toolbar definitions 1354503 - OSP refresh fails with Policy doesn't allow os_compute_api:os-availability-zone:detail to be performed. 1357865 - RHEV VM Reconfigure: Set memory to a size smaller than guaranteed memory fail 1358323 - In Networks menu should all names in plural 1361175 - Error when canceling orchestration stack retirement form 1361176 - [RFE] Chargeback of containers based on tags 1361178 - Cannot Cancel Smart State Analysis of Container that is not completing - 1361693 - Advanced search in workloads expression element "Registry" hides select bar for element type 1362227 - Clicking on Reset button while editing a provider throws error message in UI for firefox browser 1362627 - [RFE] Allow reporting relationship between OpenShift pods and the image they run 1362631 - Maintain uniformity in dropdown values in japanese locale 1362634 - Package/Application icon in CloudForms looks like Apple AppStore logo 1362704 - Stack : Link " ManageIQ/Providers/Cloud Manager/Orchestration Stacks" shows "Page does not exists" 1363753 - SSUI : All languages are not shown in SSUI login dropdown 1363754 - [RFE] 'LDAP Group Look Up' string needs to changed to 'External auth Group Look Up' when auth mode is set to external(httpd) 1363891 - Datastores: " ActionController::RoutingError " when clicking on reload button 1364222 - Accessing the tags method of an MiqAeServiceLan object results in a NoMethodError exception 1364501 - Customer reporting growth of sessions table to an enormous size and postgresql logs don't indicate any auto-vacuum activity is happening 1366358 - SSUI: logo not displayed on login screen 1366596 - Container SSA results are aggregated instead of updated 1366597 - unable to tag datastores via rest api or UI 1366598 - Failed container scanning job does not timeout 1366599 - Image List shows "Unknown image source" for images 1368165 - Start date for report schedule is set to tomorrow 1368167 - Service provisioning messages overlapped in self service ui 1368168 - Editing RHEVM has default API Port 5000 in UI even though no port was set when creaing 1368170 - GCE instance was retired, but was not power off 1369583 - [Configuration management Jobs] - Wrong title of downloaded files 1370196 - LDAP group lookup fails with json UTF conversion errors 1370198 - Cloud tenant and AZ from overcloud show up in undercloud relationships 1370202 - page doesn't exist after session timeout on provider timeline page 1370208 - Unable to authenticate to RHEV provider after migration from cfme-5.4.4.2 (3.2) to cfme-5.6.0.13 (4.1) 1370209 - Request to restore diagnostic functionality critical to support (ie, current appliance settings) removed in the CFME 4.1 1370211 - Azure: undefined method `downcase' 1370216 - Azure provider fails EMS refresh 1370309 - missing rights to show AWS security groups caused null 1370310 - add support for secondary fixed IP addresses for AWS ENI interfaces 1370476 - No html Id's defined for the bootstrap switches in manage quota form 1370478 - "unexpected token at ..." error when validating Tower which returns internal server error 500 1370480 - Incorrect name is used for default Azure provider during discovery 1370481 - Catalog item becomes corrupt after removing template it was using 1370488 - Changing default instance_name in custom button from "Automation" to "Request" 1370568 - METHOD:: does not accept a full path to a method 1370569 - VMware folder support showing more than just folders 1370574 - Errno::ETIMEDOUT: Connection timed out on Azure at gallery.azure.com 1370575 - Region description doesn't change 1370586 - Multi-rate chargeback report can not be queued. 1371174 - After adding generic/orchestration catalog item infinispinner and 502 error(appliance crashed) 1371267 - Unable to get to Topology link in breadcrumb trail on Network Manager entities page 1371268 - [RFE] Add Global filters for RHEV block datastores 1371269 - C&U collection tab can sometimes be blank 1371270 - Cloud network manager availability zones back button redirects me to cloud provider 1371272 - unable to use {nil => ""} with self provisioning when selecting dialog_tenant_name 1371311 - [Ansible Tower] Provider cannot be removed when selected from accordion tree 1371640 - [RFE] Create AWS EC2 appliance 1371666 - [ja_JP, zh_CN] Need to translate the title and tool-tips on Control -> Log page. 1371668 - [ja_JP, zh_CN] Need to translate drop-down config. menu options on Compute -> Containers -> Providers 1371669 - [ja_JP, zh_CN] Need to translate menu options under configuration on Networks -> providers. 1371670 - [ja_JP, zh_CN] Need to translate drop-down options and some strings on Optimize -> Planning page. 1371671 - [ja_JP, zh_CN] Need to translate strings on Automate -> Requests page 1371979 - Error:undefined method `size' for nil:NilClass when clicked on cloud provider after deleting network manager 1371980 - Automation Method Error When Accessing 'host'/'hosts' From a Switch 1371981 - Type Template/VM filter under VMs is useless 1372413 - UI: Inconsistent behavior when adding duplicate provider; infra provider X configuration manager 1372775 - Refresh Configuration Management Provider does not work when selected from the explorer tree 1372801 - Add ability to swap the default threaded puma web server for thin 1374377 - [RFE] Reporting on OpenShift Custom Labels 1374420 - multiple ip address for the same network_port_id for openStack provider 1374423 - Select button options " By Infrastructure providers" and "All VMs" should be renamed 1374450 - Compliance check history isn't shown if compliance policy is unconditional 1374695 - Multi-tenancy - tenant name not renamed in Set group ownership dropdown menu 1374696 - Adding rhevm infrastrcture provider and filling in bad IP bad user/pass error 1374815 - Error on Azure Cloud Discovery: wrong number of arguments 1375205 - SSUI displays "null" for azure resource group or fails if is selected 1375311 - validate_request for cloud does not include support for flavors 1375326 - Providers quick search should have searched string in brackets next to the title like all other pages 1375330 - Azure provisioning missing pre and post methods. 1375343 - Upgrade azure-armrest to 0.2.9. 1376010 - Amazon Image details doesn't open 1376130 - Utilization tree remembers selected node 1376132 - :cold_sweat: Don't include AvailabilityMixin into Object, that's really bad 1376137 - Fix report scheduler timer_types 1376138 - Change column type of cpu_cores_used_cost in reports to currency 1376139 - Fixed port_scan.rb file and related changes 1376140 - Memoize image_path helper in build_tags_tree 1376141 - Add single select false to guest access pair options on EC2 1376143 - Move _('locale_name') to Vmdb::FastGettextHelper 1376144 - ChargebackContainerProject - Filter project by tag 1376146 - Discrepancy in objects count in Containers Overview following Provider overview 1376147 - Re-check Authentication button for Providers in the GTL view 1376150 - Fix the toolbar button tooltip for Providers in GTL view 1376151 - Container Chargeback report: Rate Range by Project 1376153 - Update x1.32xlarge to enhanced and clustered networking. 1376154 - Replace corrupted PNGs 1376155 - cap&u dont puke when _debug 1376157 - SSUI : language : Shopping cart validation message needs to switch language when one is selected 1376158 - Update gettext catalogs from Zanata 1376159 - Use Rails version 5.0.0.1 or higher 1376160 - Relationships filter_by_resource_type scope 1376161 - Azure - Enhanced C&U support 1376162 - Azure cache 1376163 - Move join region logic into a rake task 1376164 - recent version of draper gem 1376165 - Changing default instance_name in custom button from "Automation" to "Request" 1376167 - Reworked building VMware nested datacenter folders in factory girl 1376168 - Fix Caching Issues for MiqDiskCache Module 1376169 - Show provider status color by bearer type authentication on container topology 1376170 - Multi endpoints dialog message 1376171 - Update required ovirt_metrics version 1376172 - BAT Handling in Checkpoint Disks Issues 1376173 - With the updated net-ldap 0.14.0, Net::LDAP:LdapError is no longer used. 1376174 - Make connection_configuration respect the default authentication type 1376175 - ArVirtual - Ownership uses virtual attributes / delegates 1376176 - Modify Azure Runner to use existing EMS 1376177 - Take 2: Speed up "VMs & Instances in My LDAP Group" filter in /vm_or_template/explorer 1376178 - Allow more than one iso datastore per type of EMS 1376513 - Unexpected error when clicked on service request 1376520 - service template provision tasks failing in check provision method 1376528 - [RHV 4.0] Provision VM ends up with "Validating New Vm" endless retries 1376557 - Clicking Automate triggers an error. 1376574 - Azure Enterprise Agreement subscriptions not catching events 1377416 - Unknown Error while refreshing Azure 1377420 - [ja_JP, zh_CN] User login credentials verification fail message is not localized 6. Package List: CloudForms Management Engine 5.6: Source: cfme-5.6.2.1-1.el7cf.src.rpm cfme-appliance-5.6.2.1-1.el7cf.src.rpm cfme-gemset-5.6.2.1-1.el7cf.src.rpm rh-ruby22-rubygem-nokogiri-1.6.8-1.el7cf.src.rpm rh-ruby22-rubygem-pkg-config-1.1.7-1.el7cf.src.rpm rh-ruby22-rubygem-thin-1.7.0-1.el7cf.src.rpm noarch: rh-ruby22-rubygem-pkg-config-1.1.7-1.el7cf.noarch.rpm rh-ruby22-rubygem-pkg-config-doc-1.1.7-1.el7cf.noarch.rpm x86_64: cfme-5.6.2.1-1.el7cf.x86_64.rpm cfme-appliance-5.6.2.1-1.el7cf.x86_64.rpm cfme-appliance-debuginfo-5.6.2.1-1.el7cf.x86_64.rpm cfme-debuginfo-5.6.2.1-1.el7cf.x86_64.rpm cfme-gemset-5.6.2.1-1.el7cf.x86_64.rpm rh-ruby22-rubygem-nokogiri-1.6.8-1.el7cf.x86_64.rpm rh-ruby22-rubygem-nokogiri-debuginfo-1.6.8-1.el7cf.x86_64.rpm rh-ruby22-rubygem-thin-1.7.0-1.el7cf.x86_64.rpm rh-ruby22-rubygem-thin-debuginfo-1.7.0-1.el7cf.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-7040 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFX8+h1XlSAg2UNWIIRAqC2AKCMq63wLKLBDCXsdyPCEBLX4K2c+QCgnP56 9CChz44Y3Wq4W9WuVYHX4Bs= =CHp6 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce