-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Satellite 6 security, bug fix, and enhancement update Advisory ID: RHSA-2018:0273-01 Product: Red Hat Satellite 6 Advisory URL: https://access.redhat.com/errata/RHSA-2018:0273 Issue date: 2018-02-05 CVE Names: CVE-2016-1000111 ===================================================================== 1. Summary: An update is now available for Red Hat Satellite 6.2 for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Satellite 6.2 - noarch, x86_64 Red Hat Satellite Capsule 6.2 - noarch, x86_64 3. Description: Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments. Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too. Security Fix(es): * It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000111) Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue. This update fixes the following bugs: * Upgrades from Satellite 6.2 to Satellite 6.3 were failing due to the use of certificates with custom authorities. These upgrade paths now work. (BZ#1523880, BZ#1527963) * Additional tooling is provided to support data validation when upgrading from Satellite 6.2 to Satellite 6.3. (BZ#1519904) * Several memory usage bugs in goferd and qpid have been resolved. (BZ#1319165, BZ#1318015, BZ#1492355, BZ#1491160, BZ#1440235) * The performance of Puppet reporting and errata applicability has been improved. (BZ#1465146, BZ#1482204) * Upgrading from 6.2.10 to 6.2.11 without correctly stopping services can cause the upgrade to fail on removing qpid data. This case is now handled properly. (BZ#1482539) * The cipher suites for the Puppet server can now be configured by the installation process. (BZ#1491363) * The default cipher suite for the Apache server is now more secure by default. (BZ#1467434) * The Pulp server contained in Satellite has been enhanced to better handle concurrent processing of errata applicability for a single host and syncing Puppet repositories. (BZ#1515195, BZ#1421594) * VDC subscriptions create guest pools which are for a single host only. Administrators were attaching these pools to activation keys which was incorrect. The ability to do this has been disabled. (BZ#1369189) * Satellite was not susceptible to RHSA-2016:1978 but security scanners would incorrectly flag this as an issue. The package from this errata is now delivered in the Satellite channel to avoid these false positives. (BZ#1497337) * OpenScap report parsing resulted in a memory leak. This leak has been fixed. (BZ#1454743) * The validation on the length of names for docker containers and repositories was too restrictive. Names can now be longer. (BZ#1424689) Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 For this update to take effect, Red Hat Satellite must be restarted ("/usr/sbin/rhn-satellite restart"). 5. Bugs fixed (https://bugzilla.redhat.com/): 1319165 - goferd close_wait leak and occasional segfault when qpidd restarted 1357345 - CVE-2016-1000111 Python Twisted: sets environmental variable based on user supplied Proxy request header 1369189 - Cannot attach VDC Guest subscription to an Activation Key. 1421594 - Possible race condition when sync multiple puppet repos at the same time 1424689 - Docker upstream repository name length limit 1440235 - candlepin event listener does not acknowledge every 100th message 1454743 - foreman-proxy memory leak when processing OpenScap report 1465146 - fetching list of applicable errata is slow with if lots of hosts need lots of errata 1482204 - Puppet reports recalculate all statuses (including errata status) 1482539 - Upgrade of Satellite to 6.2.11 error on removal of qpid dat2 directory 1491160 - qdrouterd segfault when processing bursts of goferd requests 1491363 - Puppet vhost should allow setting SSLProtocols and SSLCipherSuite using parameters 1492355 - sporadic deadlock of qdrouterd on bursts of goferd (dis)connection requests 1497337 - RHSA-2016:1978 (python-twisted-web-12.1.0-5.el7_2.x86_64.rpm) is missing from rhel-7-server-satellite-6.2-rpms repo 1515195 - generate errata applicability task occasionally raises duplicatekey error [6.2.z] 1519904 - [RFE] Allow running pre 2.x DB data validation step independently via cpdb 1531609 - undefined method 'value' in 12-check_capsule_tar.rb when running satellite-installer 6. Package List: Red Hat Satellite Capsule 6.2: Source: foreman-1.11.0.86-1.el6sat.src.rpm foreman-installer-1.11.0.18-1.el6sat.src.rpm katello-3.0.0-33.el6sat.src.rpm katello-installer-base-3.0.0.101-1.el6sat.src.rpm pulp-2.8.7.18-1.el6sat.src.rpm pulp-puppet-2.8.7.2-1.el6sat.src.rpm qpid-dispatch-0.4-27.el6sat.src.rpm qpid-proton-0.9-21.el6.src.rpm rubygem-smart_proxy_openscap-0.5.3.9-2.el6sat.src.rpm satellite-6.2.14-4.0.el6sat.src.rpm noarch: foreman-debug-1.11.0.86-1.el6sat.noarch.rpm foreman-installer-1.11.0.18-1.el6sat.noarch.rpm foreman-installer-katello-3.0.0.101-1.el6sat.noarch.rpm katello-capsule-3.0.0-33.el6sat.noarch.rpm katello-debug-3.0.0-33.el6sat.noarch.rpm katello-installer-base-3.0.0.101-1.el6sat.noarch.rpm katello-service-3.0.0-33.el6sat.noarch.rpm pulp-admin-client-2.8.7.18-1.el6sat.noarch.rpm pulp-nodes-child-2.8.7.18-1.el6sat.noarch.rpm pulp-nodes-common-2.8.7.18-1.el6sat.noarch.rpm pulp-nodes-parent-2.8.7.18-1.el6sat.noarch.rpm pulp-puppet-admin-extensions-2.8.7.2-1.el6sat.noarch.rpm pulp-puppet-plugins-2.8.7.2-1.el6sat.noarch.rpm pulp-selinux-2.8.7.18-1.el6sat.noarch.rpm pulp-server-2.8.7.18-1.el6sat.noarch.rpm python-pulp-agent-lib-2.8.7.18-1.el6sat.noarch.rpm python-pulp-bindings-2.8.7.18-1.el6sat.noarch.rpm python-pulp-client-lib-2.8.7.18-1.el6sat.noarch.rpm python-pulp-common-2.8.7.18-1.el6sat.noarch.rpm python-pulp-oid_validation-2.8.7.18-1.el6sat.noarch.rpm python-pulp-puppet-common-2.8.7.2-1.el6sat.noarch.rpm python-pulp-repoauth-2.8.7.18-1.el6sat.noarch.rpm python-pulp-streamer-2.8.7.18-1.el6sat.noarch.rpm rubygem-smart_proxy_openscap-0.5.3.9-2.el6sat.noarch.rpm satellite-capsule-6.2.14-4.0.el6sat.noarch.rpm satellite-debug-tools-6.2.14-4.0.el6sat.noarch.rpm x86_64: libqpid-dispatch-0.4-27.el6sat.x86_64.rpm python-qpid-proton-0.9-21.el6.x86_64.rpm qpid-dispatch-debuginfo-0.4-27.el6sat.x86_64.rpm qpid-dispatch-router-0.4-27.el6sat.x86_64.rpm qpid-dispatch-tools-0.4-27.el6sat.x86_64.rpm qpid-proton-c-0.9-21.el6.x86_64.rpm qpid-proton-debuginfo-0.9-21.el6.x86_64.rpm Red Hat Satellite 6.2: Source: candlepin-0.9.54.26-1.el6.src.rpm foreman-1.11.0.86-1.el6sat.src.rpm foreman-installer-1.11.0.18-1.el6sat.src.rpm katello-3.0.0-33.el6sat.src.rpm katello-installer-base-3.0.0.101-1.el6sat.src.rpm pulp-2.8.7.18-1.el6sat.src.rpm pulp-puppet-2.8.7.2-1.el6sat.src.rpm qpid-dispatch-0.4-27.el6sat.src.rpm qpid-proton-0.9-21.el6.src.rpm rubygem-smart_proxy_openscap-0.5.3.9-2.el6sat.src.rpm satellite-6.2.14-4.0.el6sat.src.rpm tfm-rubygem-foreman_theme_satellite-0.1.47.2-1.el6sat.src.rpm tfm-rubygem-katello-3.0.0.162-1.el6sat.src.rpm noarch: candlepin-0.9.54.26-1.el6.noarch.rpm candlepin-selinux-0.9.54.26-1.el6.noarch.rpm foreman-1.11.0.86-1.el6sat.noarch.rpm foreman-compute-1.11.0.86-1.el6sat.noarch.rpm foreman-debug-1.11.0.86-1.el6sat.noarch.rpm foreman-ec2-1.11.0.86-1.el6sat.noarch.rpm foreman-gce-1.11.0.86-1.el6sat.noarch.rpm foreman-installer-1.11.0.18-1.el6sat.noarch.rpm foreman-installer-katello-3.0.0.101-1.el6sat.noarch.rpm foreman-libvirt-1.11.0.86-1.el6sat.noarch.rpm foreman-openstack-1.11.0.86-1.el6sat.noarch.rpm foreman-ovirt-1.11.0.86-1.el6sat.noarch.rpm foreman-postgresql-1.11.0.86-1.el6sat.noarch.rpm foreman-rackspace-1.11.0.86-1.el6sat.noarch.rpm foreman-vmware-1.11.0.86-1.el6sat.noarch.rpm katello-3.0.0-33.el6sat.noarch.rpm katello-capsule-3.0.0-33.el6sat.noarch.rpm katello-common-3.0.0-33.el6sat.noarch.rpm katello-debug-3.0.0-33.el6sat.noarch.rpm katello-installer-base-3.0.0.101-1.el6sat.noarch.rpm katello-service-3.0.0-33.el6sat.noarch.rpm pulp-admin-client-2.8.7.18-1.el6sat.noarch.rpm pulp-puppet-admin-extensions-2.8.7.2-1.el6sat.noarch.rpm pulp-puppet-plugins-2.8.7.2-1.el6sat.noarch.rpm pulp-puppet-tools-2.8.7.2-1.el6sat.noarch.rpm pulp-selinux-2.8.7.18-1.el6sat.noarch.rpm pulp-server-2.8.7.18-1.el6sat.noarch.rpm python-pulp-agent-lib-2.8.7.18-1.el6sat.noarch.rpm python-pulp-bindings-2.8.7.18-1.el6sat.noarch.rpm python-pulp-client-lib-2.8.7.18-1.el6sat.noarch.rpm python-pulp-common-2.8.7.18-1.el6sat.noarch.rpm python-pulp-oid_validation-2.8.7.18-1.el6sat.noarch.rpm python-pulp-puppet-common-2.8.7.2-1.el6sat.noarch.rpm python-pulp-repoauth-2.8.7.18-1.el6sat.noarch.rpm python-pulp-streamer-2.8.7.18-1.el6sat.noarch.rpm rubygem-smart_proxy_openscap-0.5.3.9-2.el6sat.noarch.rpm satellite-6.2.14-4.0.el6sat.noarch.rpm satellite-capsule-6.2.14-4.0.el6sat.noarch.rpm satellite-cli-6.2.14-4.0.el6sat.noarch.rpm satellite-debug-tools-6.2.14-4.0.el6sat.noarch.rpm tfm-rubygem-foreman_theme_satellite-0.1.47.2-1.el6sat.noarch.rpm tfm-rubygem-katello-3.0.0.162-1.el6sat.noarch.rpm x86_64: libqpid-dispatch-0.4-27.el6sat.x86_64.rpm python-qpid-proton-0.9-21.el6.x86_64.rpm qpid-dispatch-debuginfo-0.4-27.el6sat.x86_64.rpm qpid-dispatch-router-0.4-27.el6sat.x86_64.rpm qpid-dispatch-tools-0.4-27.el6sat.x86_64.rpm qpid-proton-c-0.9-21.el6.x86_64.rpm qpid-proton-debuginfo-0.9-21.el6.x86_64.rpm Red Hat Satellite Capsule 6.2: Source: foreman-1.11.0.86-1.el7sat.src.rpm foreman-installer-1.11.0.18-1.el7sat.src.rpm katello-3.0.0-33.el7sat.src.rpm katello-installer-base-3.0.0.101-1.el7sat.src.rpm pulp-2.8.7.18-1.el7sat.src.rpm pulp-puppet-2.8.7.2-1.el7sat.src.rpm python-twisted-web-12.1.0-5.el7_2.src.rpm qpid-dispatch-0.4-27.el7sat.src.rpm qpid-proton-0.9-21.el7.src.rpm rubygem-smart_proxy_openscap-0.5.3.9-2.el7sat.src.rpm satellite-6.2.14-4.0.el7sat.src.rpm noarch: foreman-debug-1.11.0.86-1.el7sat.noarch.rpm foreman-installer-1.11.0.18-1.el7sat.noarch.rpm foreman-installer-katello-3.0.0.101-1.el7sat.noarch.rpm katello-capsule-3.0.0-33.el7sat.noarch.rpm katello-debug-3.0.0-33.el7sat.noarch.rpm katello-installer-base-3.0.0.101-1.el7sat.noarch.rpm katello-service-3.0.0-33.el7sat.noarch.rpm pulp-admin-client-2.8.7.18-1.el7sat.noarch.rpm pulp-nodes-child-2.8.7.18-1.el7sat.noarch.rpm pulp-nodes-common-2.8.7.18-1.el7sat.noarch.rpm pulp-nodes-parent-2.8.7.18-1.el7sat.noarch.rpm pulp-puppet-admin-extensions-2.8.7.2-1.el7sat.noarch.rpm pulp-puppet-plugins-2.8.7.2-1.el7sat.noarch.rpm pulp-selinux-2.8.7.18-1.el7sat.noarch.rpm pulp-server-2.8.7.18-1.el7sat.noarch.rpm python-pulp-agent-lib-2.8.7.18-1.el7sat.noarch.rpm python-pulp-bindings-2.8.7.18-1.el7sat.noarch.rpm python-pulp-client-lib-2.8.7.18-1.el7sat.noarch.rpm python-pulp-common-2.8.7.18-1.el7sat.noarch.rpm python-pulp-oid_validation-2.8.7.18-1.el7sat.noarch.rpm python-pulp-puppet-common-2.8.7.2-1.el7sat.noarch.rpm python-pulp-repoauth-2.8.7.18-1.el7sat.noarch.rpm python-pulp-streamer-2.8.7.18-1.el7sat.noarch.rpm rubygem-smart_proxy_openscap-0.5.3.9-2.el7sat.noarch.rpm satellite-capsule-6.2.14-4.0.el7sat.noarch.rpm satellite-debug-tools-6.2.14-4.0.el7sat.noarch.rpm x86_64: libqpid-dispatch-0.4-27.el7sat.x86_64.rpm python-qpid-proton-0.9-21.el7.x86_64.rpm python-twisted-web-12.1.0-5.el7_2.x86_64.rpm qpid-dispatch-debuginfo-0.4-27.el7sat.x86_64.rpm qpid-dispatch-router-0.4-27.el7sat.x86_64.rpm qpid-dispatch-tools-0.4-27.el7sat.x86_64.rpm qpid-proton-c-0.9-21.el7.x86_64.rpm qpid-proton-debuginfo-0.9-21.el7.x86_64.rpm Red Hat Satellite 6.2: Source: candlepin-0.9.54.26-1.el7.src.rpm foreman-1.11.0.86-1.el7sat.src.rpm foreman-installer-1.11.0.18-1.el7sat.src.rpm katello-3.0.0-33.el7sat.src.rpm katello-installer-base-3.0.0.101-1.el7sat.src.rpm pulp-2.8.7.18-1.el7sat.src.rpm pulp-puppet-2.8.7.2-1.el7sat.src.rpm python-twisted-web-12.1.0-5.el7_2.src.rpm qpid-dispatch-0.4-27.el7sat.src.rpm qpid-proton-0.9-21.el7.src.rpm rubygem-smart_proxy_openscap-0.5.3.9-2.el7sat.src.rpm satellite-6.2.14-4.0.el7sat.src.rpm tfm-rubygem-foreman_theme_satellite-0.1.47.2-1.el7sat.src.rpm tfm-rubygem-katello-3.0.0.162-1.el7sat.src.rpm noarch: candlepin-0.9.54.26-1.el7.noarch.rpm candlepin-selinux-0.9.54.26-1.el7.noarch.rpm foreman-1.11.0.86-1.el7sat.noarch.rpm foreman-compute-1.11.0.86-1.el7sat.noarch.rpm foreman-debug-1.11.0.86-1.el7sat.noarch.rpm foreman-ec2-1.11.0.86-1.el7sat.noarch.rpm foreman-gce-1.11.0.86-1.el7sat.noarch.rpm foreman-installer-1.11.0.18-1.el7sat.noarch.rpm foreman-installer-katello-3.0.0.101-1.el7sat.noarch.rpm foreman-libvirt-1.11.0.86-1.el7sat.noarch.rpm foreman-openstack-1.11.0.86-1.el7sat.noarch.rpm foreman-ovirt-1.11.0.86-1.el7sat.noarch.rpm foreman-postgresql-1.11.0.86-1.el7sat.noarch.rpm foreman-rackspace-1.11.0.86-1.el7sat.noarch.rpm foreman-vmware-1.11.0.86-1.el7sat.noarch.rpm katello-3.0.0-33.el7sat.noarch.rpm katello-capsule-3.0.0-33.el7sat.noarch.rpm katello-common-3.0.0-33.el7sat.noarch.rpm katello-debug-3.0.0-33.el7sat.noarch.rpm katello-installer-base-3.0.0.101-1.el7sat.noarch.rpm katello-service-3.0.0-33.el7sat.noarch.rpm pulp-admin-client-2.8.7.18-1.el7sat.noarch.rpm pulp-puppet-admin-extensions-2.8.7.2-1.el7sat.noarch.rpm pulp-puppet-plugins-2.8.7.2-1.el7sat.noarch.rpm pulp-puppet-tools-2.8.7.2-1.el7sat.noarch.rpm pulp-selinux-2.8.7.18-1.el7sat.noarch.rpm pulp-server-2.8.7.18-1.el7sat.noarch.rpm python-pulp-agent-lib-2.8.7.18-1.el7sat.noarch.rpm python-pulp-bindings-2.8.7.18-1.el7sat.noarch.rpm python-pulp-client-lib-2.8.7.18-1.el7sat.noarch.rpm python-pulp-common-2.8.7.18-1.el7sat.noarch.rpm python-pulp-oid_validation-2.8.7.18-1.el7sat.noarch.rpm python-pulp-puppet-common-2.8.7.2-1.el7sat.noarch.rpm python-pulp-repoauth-2.8.7.18-1.el7sat.noarch.rpm python-pulp-streamer-2.8.7.18-1.el7sat.noarch.rpm rubygem-smart_proxy_openscap-0.5.3.9-2.el7sat.noarch.rpm satellite-6.2.14-4.0.el7sat.noarch.rpm satellite-capsule-6.2.14-4.0.el7sat.noarch.rpm satellite-cli-6.2.14-4.0.el7sat.noarch.rpm satellite-debug-tools-6.2.14-4.0.el7sat.noarch.rpm tfm-rubygem-foreman_theme_satellite-0.1.47.2-1.el7sat.noarch.rpm tfm-rubygem-katello-3.0.0.162-1.el7sat.noarch.rpm tfm-rubygem-katello_ostree-3.0.0.162-1.el7sat.noarch.rpm x86_64: libqpid-dispatch-0.4-27.el7sat.x86_64.rpm python-qpid-proton-0.9-21.el7.x86_64.rpm python-twisted-web-12.1.0-5.el7_2.x86_64.rpm qpid-dispatch-debuginfo-0.4-27.el7sat.x86_64.rpm qpid-dispatch-router-0.4-27.el7sat.x86_64.rpm qpid-dispatch-tools-0.4-27.el7sat.x86_64.rpm qpid-proton-c-0.9-21.el7.x86_64.rpm qpid-proton-debuginfo-0.9-21.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-1000111 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/cve/CVE-2016-1000111 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFaeGJ4XlSAg2UNWIIRAnr0AKCk792e2ZNqwOW214s/gy+Hm/vQ9QCgmTNC d3mkeAjZi3UNcKmCyhewqsA= =zeqv -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce