-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: web-admin-build security and bug fix update Advisory ID: RHSA-2020:5599-01 Product: Red Hat Gluster Storage Advisory URL: https://access.redhat.com/errata/RHSA-2020:5599 Issue date: 2020-12-17 CVE Names: CVE-2020-13379 ===================================================================== 1. Summary: Updated web-admin-build packages that fixes one bug are now available for Red Hat Gluster Storage 3.5 on Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Gluster 3.5 Web Administration Node Agent on RHEL-7 - noarch Red Hat Gluster 3.5 Web Administration on RHEL-7 - noarch, x86_64 3. Description: Red Hat Gluster Storage is software only scale-out storage solution that provides flexible and affordable unstructured data storage. It unifies data storage and infrastructure, increases performance, and improves availability and manageability to meet enterprise-level storage challenges. Security Fix(es): * grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL (CVE-2020-13379) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. This advisory fixes the following bug: * Previously, tendrl-node-agent service was unable to import the cluster in a VMware environment as tendrl was looking for the serial number of the devices. With the current update, tendrl-node-agent service is able to import the cluster in a VMware environment without failure as the hardware_id and parent_id of the devices are used after proper validation instead of the serial number. (BZ#1809920) Users of web-admin-build with Red Hat Gluster Storage are advised to upgrade to these updated packages. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1809920 - [TestOnly][RHEL 7 only]QE Web Admin on VMWare platform 1843640 - CVE-2020-13379 grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL 6. Package List: Red Hat Gluster 3.5 Web Administration Node Agent on RHEL-7: Source: tendrl-node-agent-1.6.3-20.el7rhgs.src.rpm noarch: tendrl-node-agent-1.6.3-20.el7rhgs.noarch.rpm Red Hat Gluster 3.5 Web Administration on RHEL-7: Source: grafana-5.2.4-3.el7rhgs.src.rpm python-django-1.11.27-1.el7rhgs.src.rpm tendrl-monitoring-integration-1.6.3-23.el7rhgs.src.rpm tendrl-node-agent-1.6.3-20.el7rhgs.src.rpm noarch: python-django-bash-completion-1.11.27-1.el7rhgs.noarch.rpm python2-django-1.11.27-1.el7rhgs.noarch.rpm python2-django-doc-1.11.27-1.el7rhgs.noarch.rpm tendrl-grafana-plugins-1.6.3-23.el7rhgs.noarch.rpm tendrl-monitoring-integration-1.6.3-23.el7rhgs.noarch.rpm tendrl-node-agent-1.6.3-20.el7rhgs.noarch.rpm x86_64: grafana-5.2.4-3.el7rhgs.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-13379 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX9reYtzjgjWX9erEAQiETw/+N33RGgUIN2wB0koFTgWMNfx4P/vLp5jp j7BLy0jc/AlcBNoIx4dLj5emZFKkjoZ+Mbx7VVz25Ban/IGiEZ/gWTo1pJezEhY7 +g6fHv+89Gj9AkI1tvT7UxGWB3lmQbqzV/oQ/2GibqZSvto/BY31Hh+wGC4phDIW TcdpeLP70S7/EvxMx+/ZOJ1fPHl5czbsRca6S3uXKBgadUdB6Fq0qxY2bhk7LTGQ rstLeviW6PNK/hDht6WaWmYAK9Kj/kxW4J0EpC4iKhNKDjinfk5Zc9hRWp++MIW3 c9VIgRcQ32DvnFY+YoIJir8C45FcsYcbBAVKbWPh9vxLSHPeThdJ1wro0rTfbumH DOhIiDg8tkTvHPw2ZRHcbzaZo3cRS2dOKU+yHcEYL3al/PafGxCEbsAmRGekDxry Ei58cRH6ySu8g99uQiycD4Kekz61VS+fOkx0Ct2cFkzARZKY39PNpFz4WMhsNllP XDHm8hf/0QdKmJ87lfzN6lEugy+RayjFfEXt/X9H4/5fhTbd9pvTLivl94aurpGI sGZJKX5ylPaEF9YHSCryVXM5VYDlYZiwUfbZNq30jM8FAKx+W+A5kPRluK78dff3 1nqF7zNm6ebU7FaSacBZutciRScP1eIf9J8d+FF7/Bfe7tdJ18V0xzoDdZpxRa/q pfqxmA/z9+g= =RVjJ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce