Red Hat Security Advisory: CloudForms System Engine 1.1 update Security Advisory secalert@redhat.com Red Hat Security Response Team RHSA-2012:1543 Final 1 1 2012-12-04T19:29:00Z Current version 2012-12-04T19:29:00Z 2012-12-04T19:29:00Z Red Hat rhsa-to-cvrf 1.0.1484 2012-12-04T19:57:02Z Updated CloudForms System Engine packages that fix multiple security issues, several bugs, and add enhancements are now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat CloudForms is an on-premise hybrid cloud Infrastructure-as-a-Service (IaaS) product that lets you create and manage private and public clouds. This update fixes bugs in and adds enhancements to the System Engine packages, and upgrades the system to CloudForms 1.1. This update also fixes the following security issues: It was discovered that Katello did not properly check user permissions when handling certain requests. An authenticated remote attacker could use this flaw to download consumer certificates or change settings of other users' systems if they knew the target system's UUID. (CVE-2012-5603) It was discovered that Pulp logged administrative passwords to a world readable log file. A local attacker could use this flaw to control systems deployed and managed by CloudForms. (CVE-2012-3538) It was discovered that the Pulp configuration file pulp.conf was installed as world readable. A local attacker could use this flaw to view the administrative password, allowing them to control systems deployed and managed by CloudForms. (CVE-2012-4574) It was discovered that grinder used insecure permissions for its cache directory. A local attacker could use this flaw to access or modify files in the cache. (CVE-2012-5605) The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat; CVE-2012-3538 was discovered by James Laska of Red Hat; CVE-2012-4574 was discovered by Kurt Seifried of Red Hat; and CVE-2012-5605 was discovered by James Labocki of Red Hat. After upgrading to these new packages, follow the instructions in the "4.1. Upgrading CloudForms System Engine" section of the CloudForms 1.1 Installation Guide: https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/index.html To view the full list of changes in this update, view the CloudForms Technical Notes: https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Technical_Notes/index.html Users are advised to upgrade to these updated CloudForms System Engine packages, which resolve these issues and add these enhancements. Please see https://www.redhat.com/footer/terms-of-use.html Copyright © 2012 Red Hat, Inc. All rights reserved. Important https://rhn.redhat.com/errata/RHSA-2012-1543.html https://rhn.redhat.com/errata/RHSA-2012-1543.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/index.html https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/index.html https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Technical_Notes/index.html https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Technical_Notes/index.html https://bugzilla.redhat.com/show_bug.cgi?id=746765 https://bugzilla.redhat.com/show_bug.cgi?id=746765 https://bugzilla.redhat.com/show_bug.cgi?id=753128 https://bugzilla.redhat.com/show_bug.cgi?id=753128 https://bugzilla.redhat.com/show_bug.cgi?id=760180 https://bugzilla.redhat.com/show_bug.cgi?id=760180 https://bugzilla.redhat.com/show_bug.cgi?id=766694 https://bugzilla.redhat.com/show_bug.cgi?id=766694 https://bugzilla.redhat.com/show_bug.cgi?id=769559 https://bugzilla.redhat.com/show_bug.cgi?id=769559 https://bugzilla.redhat.com/show_bug.cgi?id=782954 https://bugzilla.redhat.com/show_bug.cgi?id=782954 https://bugzilla.redhat.com/show_bug.cgi?id=786176 https://bugzilla.redhat.com/show_bug.cgi?id=786176 https://bugzilla.redhat.com/show_bug.cgi?id=786226 https://bugzilla.redhat.com/show_bug.cgi?id=786226 https://bugzilla.redhat.com/show_bug.cgi?id=787184 https://bugzilla.redhat.com/show_bug.cgi?id=787184 https://bugzilla.redhat.com/show_bug.cgi?id=787305 https://bugzilla.redhat.com/show_bug.cgi?id=787305 https://bugzilla.redhat.com/show_bug.cgi?id=789139 https://bugzilla.redhat.com/show_bug.cgi?id=789139 https://bugzilla.redhat.com/show_bug.cgi?id=789535 https://bugzilla.redhat.com/show_bug.cgi?id=789535 https://bugzilla.redhat.com/show_bug.cgi?id=790138 https://bugzilla.redhat.com/show_bug.cgi?id=790138 https://bugzilla.redhat.com/show_bug.cgi?id=790342 https://bugzilla.redhat.com/show_bug.cgi?id=790342 https://bugzilla.redhat.com/show_bug.cgi?id=796047 https://bugzilla.redhat.com/show_bug.cgi?id=796047 https://bugzilla.redhat.com/show_bug.cgi?id=796972 https://bugzilla.redhat.com/show_bug.cgi?id=796972 https://bugzilla.redhat.com/show_bug.cgi?id=797299 https://bugzilla.redhat.com/show_bug.cgi?id=797299 https://bugzilla.redhat.com/show_bug.cgi?id=797321 https://bugzilla.redhat.com/show_bug.cgi?id=797321 https://bugzilla.redhat.com/show_bug.cgi?id=797412 https://bugzilla.redhat.com/show_bug.cgi?id=797412 https://bugzilla.redhat.com/show_bug.cgi?id=799538 https://bugzilla.redhat.com/show_bug.cgi?id=799538 https://bugzilla.redhat.com/show_bug.cgi?id=800529 https://bugzilla.redhat.com/show_bug.cgi?id=800529 https://bugzilla.redhat.com/show_bug.cgi?id=801454 https://bugzilla.redhat.com/show_bug.cgi?id=801454 https://bugzilla.redhat.com/show_bug.cgi?id=801580 https://bugzilla.redhat.com/show_bug.cgi?id=801580 https://bugzilla.redhat.com/show_bug.cgi?id=802925 https://bugzilla.redhat.com/show_bug.cgi?id=802925 https://bugzilla.redhat.com/show_bug.cgi?id=803548 https://bugzilla.redhat.com/show_bug.cgi?id=803548 https://bugzilla.redhat.com/show_bug.cgi?id=803702 https://bugzilla.redhat.com/show_bug.cgi?id=803702 https://bugzilla.redhat.com/show_bug.cgi?id=803728 https://bugzilla.redhat.com/show_bug.cgi?id=803728 https://bugzilla.redhat.com/show_bug.cgi?id=803761 https://bugzilla.redhat.com/show_bug.cgi?id=803761 https://bugzilla.redhat.com/show_bug.cgi?id=804127 https://bugzilla.redhat.com/show_bug.cgi?id=804127 https://bugzilla.redhat.com/show_bug.cgi?id=804555 https://bugzilla.redhat.com/show_bug.cgi?id=804555 https://bugzilla.redhat.com/show_bug.cgi?id=804610 https://bugzilla.redhat.com/show_bug.cgi?id=804610 https://bugzilla.redhat.com/show_bug.cgi?id=804685 https://bugzilla.redhat.com/show_bug.cgi?id=804685 https://bugzilla.redhat.com/show_bug.cgi?id=805027 https://bugzilla.redhat.com/show_bug.cgi?id=805027 https://bugzilla.redhat.com/show_bug.cgi?id=805412 https://bugzilla.redhat.com/show_bug.cgi?id=805412 https://bugzilla.redhat.com/show_bug.cgi?id=805627 https://bugzilla.redhat.com/show_bug.cgi?id=805627 https://bugzilla.redhat.com/show_bug.cgi?id=805709 https://bugzilla.redhat.com/show_bug.cgi?id=805709 https://bugzilla.redhat.com/show_bug.cgi?id=805956 https://bugzilla.redhat.com/show_bug.cgi?id=805956 https://bugzilla.redhat.com/show_bug.cgi?id=806076 https://bugzilla.redhat.com/show_bug.cgi?id=806076 https://bugzilla.redhat.com/show_bug.cgi?id=806078 https://bugzilla.redhat.com/show_bug.cgi?id=806078 https://bugzilla.redhat.com/show_bug.cgi?id=806083 https://bugzilla.redhat.com/show_bug.cgi?id=806083 https://bugzilla.redhat.com/show_bug.cgi?id=806353 https://bugzilla.redhat.com/show_bug.cgi?id=806353 https://bugzilla.redhat.com/show_bug.cgi?id=806879 https://bugzilla.redhat.com/show_bug.cgi?id=806879 https://bugzilla.redhat.com/show_bug.cgi?id=806940 https://bugzilla.redhat.com/show_bug.cgi?id=806940 https://bugzilla.redhat.com/show_bug.cgi?id=806969 https://bugzilla.redhat.com/show_bug.cgi?id=806969 https://bugzilla.redhat.com/show_bug.cgi?id=807288 https://bugzilla.redhat.com/show_bug.cgi?id=807288 https://bugzilla.redhat.com/show_bug.cgi?id=807291 https://bugzilla.redhat.com/show_bug.cgi?id=807291 https://bugzilla.redhat.com/show_bug.cgi?id=807468 https://bugzilla.redhat.com/show_bug.cgi?id=807468 https://bugzilla.redhat.com/show_bug.cgi?id=807804 https://bugzilla.redhat.com/show_bug.cgi?id=807804 https://bugzilla.redhat.com/show_bug.cgi?id=808172 https://bugzilla.redhat.com/show_bug.cgi?id=808172 https://bugzilla.redhat.com/show_bug.cgi?id=808437 https://bugzilla.redhat.com/show_bug.cgi?id=808437 https://bugzilla.redhat.com/show_bug.cgi?id=809259 https://bugzilla.redhat.com/show_bug.cgi?id=809259 https://bugzilla.redhat.com/show_bug.cgi?id=810378 https://bugzilla.redhat.com/show_bug.cgi?id=810378 https://bugzilla.redhat.com/show_bug.cgi?id=810945 https://bugzilla.redhat.com/show_bug.cgi?id=810945 https://bugzilla.redhat.com/show_bug.cgi?id=811556 https://bugzilla.redhat.com/show_bug.cgi?id=811556 https://bugzilla.redhat.com/show_bug.cgi?id=811564 https://bugzilla.redhat.com/show_bug.cgi?id=811564 https://bugzilla.redhat.com/show_bug.cgi?id=812417 https://bugzilla.redhat.com/show_bug.cgi?id=812417 https://bugzilla.redhat.com/show_bug.cgi?id=813675 https://bugzilla.redhat.com/show_bug.cgi?id=813675 https://bugzilla.redhat.com/show_bug.cgi?id=815308 https://bugzilla.redhat.com/show_bug.cgi?id=815308 https://bugzilla.redhat.com/show_bug.cgi?id=815802 https://bugzilla.redhat.com/show_bug.cgi?id=815802 https://bugzilla.redhat.com/show_bug.cgi?id=816935 https://bugzilla.redhat.com/show_bug.cgi?id=816935 https://bugzilla.redhat.com/show_bug.cgi?id=817123 https://bugzilla.redhat.com/show_bug.cgi?id=817123 https://bugzilla.redhat.com/show_bug.cgi?id=818204 https://bugzilla.redhat.com/show_bug.cgi?id=818204 https://bugzilla.redhat.com/show_bug.cgi?id=818261 https://bugzilla.redhat.com/show_bug.cgi?id=818261 https://bugzilla.redhat.com/show_bug.cgi?id=818370 https://bugzilla.redhat.com/show_bug.cgi?id=818370 https://bugzilla.redhat.com/show_bug.cgi?id=819593 https://bugzilla.redhat.com/show_bug.cgi?id=819593 https://bugzilla.redhat.com/show_bug.cgi?id=819941 https://bugzilla.redhat.com/show_bug.cgi?id=819941 https://bugzilla.redhat.com/show_bug.cgi?id=820373 https://bugzilla.redhat.com/show_bug.cgi?id=820373 https://bugzilla.redhat.com/show_bug.cgi?id=820385 https://bugzilla.redhat.com/show_bug.cgi?id=820385 https://bugzilla.redhat.com/show_bug.cgi?id=820624 https://bugzilla.redhat.com/show_bug.cgi?id=820624 https://bugzilla.redhat.com/show_bug.cgi?id=820626 https://bugzilla.redhat.com/show_bug.cgi?id=820626 https://bugzilla.redhat.com/show_bug.cgi?id=820630 https://bugzilla.redhat.com/show_bug.cgi?id=820630 https://bugzilla.redhat.com/show_bug.cgi?id=821345 https://bugzilla.redhat.com/show_bug.cgi?id=821345 https://bugzilla.redhat.com/show_bug.cgi?id=821644 https://bugzilla.redhat.com/show_bug.cgi?id=821644 https://bugzilla.redhat.com/show_bug.cgi?id=821929 https://bugzilla.redhat.com/show_bug.cgi?id=821929 https://bugzilla.redhat.com/show_bug.cgi?id=822119 https://bugzilla.redhat.com/show_bug.cgi?id=822119 https://bugzilla.redhat.com/show_bug.cgi?id=822484 https://bugzilla.redhat.com/show_bug.cgi?id=822484 https://bugzilla.redhat.com/show_bug.cgi?id=823688 https://bugzilla.redhat.com/show_bug.cgi?id=823688 https://bugzilla.redhat.com/show_bug.cgi?id=824069 https://bugzilla.redhat.com/show_bug.cgi?id=824069 https://bugzilla.redhat.com/show_bug.cgi?id=824581 https://bugzilla.redhat.com/show_bug.cgi?id=824581 https://bugzilla.redhat.com/show_bug.cgi?id=826581 https://bugzilla.redhat.com/show_bug.cgi?id=826581 https://bugzilla.redhat.com/show_bug.cgi?id=827087 https://bugzilla.redhat.com/show_bug.cgi?id=827087 https://bugzilla.redhat.com/show_bug.cgi?id=827108 https://bugzilla.redhat.com/show_bug.cgi?id=827108 https://bugzilla.redhat.com/show_bug.cgi?id=828447 https://bugzilla.redhat.com/show_bug.cgi?id=828447 https://bugzilla.redhat.com/show_bug.cgi?id=828533 https://bugzilla.redhat.com/show_bug.cgi?id=828533 https://bugzilla.redhat.com/show_bug.cgi?id=829208 https://bugzilla.redhat.com/show_bug.cgi?id=829208 https://bugzilla.redhat.com/show_bug.cgi?id=829437 https://bugzilla.redhat.com/show_bug.cgi?id=829437 https://bugzilla.redhat.com/show_bug.cgi?id=829794 https://bugzilla.redhat.com/show_bug.cgi?id=829794 https://bugzilla.redhat.com/show_bug.cgi?id=830176 https://bugzilla.redhat.com/show_bug.cgi?id=830176 https://bugzilla.redhat.com/show_bug.cgi?id=831664 https://bugzilla.redhat.com/show_bug.cgi?id=831664 https://bugzilla.redhat.com/show_bug.cgi?id=834006 https://bugzilla.redhat.com/show_bug.cgi?id=834006 https://bugzilla.redhat.com/show_bug.cgi?id=834013 https://bugzilla.redhat.com/show_bug.cgi?id=834013 https://bugzilla.redhat.com/show_bug.cgi?id=834242 https://bugzilla.redhat.com/show_bug.cgi?id=834242 https://bugzilla.redhat.com/show_bug.cgi?id=834646 https://bugzilla.redhat.com/show_bug.cgi?id=834646 https://bugzilla.redhat.com/show_bug.cgi?id=834697 https://bugzilla.redhat.com/show_bug.cgi?id=834697 https://bugzilla.redhat.com/show_bug.cgi?id=835586 https://bugzilla.redhat.com/show_bug.cgi?id=835586 https://bugzilla.redhat.com/show_bug.cgi?id=835591 https://bugzilla.redhat.com/show_bug.cgi?id=835591 https://bugzilla.redhat.com/show_bug.cgi?id=835875 https://bugzilla.redhat.com/show_bug.cgi?id=835875 https://bugzilla.redhat.com/show_bug.cgi?id=836339 https://bugzilla.redhat.com/show_bug.cgi?id=836339 https://bugzilla.redhat.com/show_bug.cgi?id=836575 https://bugzilla.redhat.com/show_bug.cgi?id=836575 https://bugzilla.redhat.com/show_bug.cgi?id=837000 https://bugzilla.redhat.com/show_bug.cgi?id=837000 https://bugzilla.redhat.com/show_bug.cgi?id=839005 https://bugzilla.redhat.com/show_bug.cgi?id=839005 https://bugzilla.redhat.com/show_bug.cgi?id=840616 https://bugzilla.redhat.com/show_bug.cgi?id=840616 https://bugzilla.redhat.com/show_bug.cgi?id=840624 https://bugzilla.redhat.com/show_bug.cgi?id=840624 https://bugzilla.redhat.com/show_bug.cgi?id=840625 https://bugzilla.redhat.com/show_bug.cgi?id=840625 https://bugzilla.redhat.com/show_bug.cgi?id=841000 https://bugzilla.redhat.com/show_bug.cgi?id=841000 https://bugzilla.redhat.com/show_bug.cgi?id=841289 https://bugzilla.redhat.com/show_bug.cgi?id=841289 https://bugzilla.redhat.com/show_bug.cgi?id=841300 https://bugzilla.redhat.com/show_bug.cgi?id=841300 https://bugzilla.redhat.com/show_bug.cgi?id=841310 https://bugzilla.redhat.com/show_bug.cgi?id=841310 https://bugzilla.redhat.com/show_bug.cgi?id=841686 https://bugzilla.redhat.com/show_bug.cgi?id=841686 https://bugzilla.redhat.com/show_bug.cgi?id=841691 https://bugzilla.redhat.com/show_bug.cgi?id=841691 https://bugzilla.redhat.com/show_bug.cgi?id=841984 https://bugzilla.redhat.com/show_bug.cgi?id=841984 https://bugzilla.redhat.com/show_bug.cgi?id=841998 https://bugzilla.redhat.com/show_bug.cgi?id=841998 https://bugzilla.redhat.com/show_bug.cgi?id=842003 https://bugzilla.redhat.com/show_bug.cgi?id=842003 https://bugzilla.redhat.com/show_bug.cgi?id=842005 https://bugzilla.redhat.com/show_bug.cgi?id=842005 https://bugzilla.redhat.com/show_bug.cgi?id=842010 https://bugzilla.redhat.com/show_bug.cgi?id=842010 https://bugzilla.redhat.com/show_bug.cgi?id=842252 https://bugzilla.redhat.com/show_bug.cgi?id=842252 https://bugzilla.redhat.com/show_bug.cgi?id=842256 https://bugzilla.redhat.com/show_bug.cgi?id=842256 https://bugzilla.redhat.com/show_bug.cgi?id=842271 https://bugzilla.redhat.com/show_bug.cgi?id=842271 https://bugzilla.redhat.com/show_bug.cgi?id=842569 https://bugzilla.redhat.com/show_bug.cgi?id=842569 https://bugzilla.redhat.com/show_bug.cgi?id=842838 https://bugzilla.redhat.com/show_bug.cgi?id=842838 https://bugzilla.redhat.com/show_bug.cgi?id=842858 https://bugzilla.redhat.com/show_bug.cgi?id=842858 https://bugzilla.redhat.com/show_bug.cgi?id=843059 https://bugzilla.redhat.com/show_bug.cgi?id=843059 https://bugzilla.redhat.com/show_bug.cgi?id=843061 https://bugzilla.redhat.com/show_bug.cgi?id=843061 https://bugzilla.redhat.com/show_bug.cgi?id=843064 https://bugzilla.redhat.com/show_bug.cgi?id=843064 https://bugzilla.redhat.com/show_bug.cgi?id=843161 https://bugzilla.redhat.com/show_bug.cgi?id=843161 https://bugzilla.redhat.com/show_bug.cgi?id=843165 https://bugzilla.redhat.com/show_bug.cgi?id=843165 https://bugzilla.redhat.com/show_bug.cgi?id=843462 https://bugzilla.redhat.com/show_bug.cgi?id=843462 https://bugzilla.redhat.com/show_bug.cgi?id=843529 https://bugzilla.redhat.com/show_bug.cgi?id=843529 https://bugzilla.redhat.com/show_bug.cgi?id=843845 https://bugzilla.redhat.com/show_bug.cgi?id=843845 https://bugzilla.redhat.com/show_bug.cgi?id=844414 https://bugzilla.redhat.com/show_bug.cgi?id=844414 https://bugzilla.redhat.com/show_bug.cgi?id=844417 https://bugzilla.redhat.com/show_bug.cgi?id=844417 https://bugzilla.redhat.com/show_bug.cgi?id=844678 https://bugzilla.redhat.com/show_bug.cgi?id=844678 https://bugzilla.redhat.com/show_bug.cgi?id=844796 https://bugzilla.redhat.com/show_bug.cgi?id=844796 https://bugzilla.redhat.com/show_bug.cgi?id=844806 https://bugzilla.redhat.com/show_bug.cgi?id=844806 https://bugzilla.redhat.com/show_bug.cgi?id=845060 https://bugzilla.redhat.com/show_bug.cgi?id=845060 https://bugzilla.redhat.com/show_bug.cgi?id=845096 https://bugzilla.redhat.com/show_bug.cgi?id=845096 https://bugzilla.redhat.com/show_bug.cgi?id=845198 https://bugzilla.redhat.com/show_bug.cgi?id=845198 https://bugzilla.redhat.com/show_bug.cgi?id=845224 https://bugzilla.redhat.com/show_bug.cgi?id=845224 https://bugzilla.redhat.com/show_bug.cgi?id=845576 https://bugzilla.redhat.com/show_bug.cgi?id=845576 https://bugzilla.redhat.com/show_bug.cgi?id=845580 https://bugzilla.redhat.com/show_bug.cgi?id=845580 https://bugzilla.redhat.com/show_bug.cgi?id=845613 https://bugzilla.redhat.com/show_bug.cgi?id=845613 https://bugzilla.redhat.com/show_bug.cgi?id=845668 https://bugzilla.redhat.com/show_bug.cgi?id=845668 https://bugzilla.redhat.com/show_bug.cgi?id=845995 https://bugzilla.redhat.com/show_bug.cgi?id=845995 https://bugzilla.redhat.com/show_bug.cgi?id=846251 https://bugzilla.redhat.com/show_bug.cgi?id=846251 https://bugzilla.redhat.com/show_bug.cgi?id=846482 https://bugzilla.redhat.com/show_bug.cgi?id=846482 https://bugzilla.redhat.com/show_bug.cgi?id=846719 https://bugzilla.redhat.com/show_bug.cgi?id=846719 https://bugzilla.redhat.com/show_bug.cgi?id=847002 https://bugzilla.redhat.com/show_bug.cgi?id=847002 https://bugzilla.redhat.com/show_bug.cgi?id=847115 https://bugzilla.redhat.com/show_bug.cgi?id=847115 https://bugzilla.redhat.com/show_bug.cgi?id=847858 https://bugzilla.redhat.com/show_bug.cgi?id=847858 https://bugzilla.redhat.com/show_bug.cgi?id=848038 https://bugzilla.redhat.com/show_bug.cgi?id=848038 https://bugzilla.redhat.com/show_bug.cgi?id=849224 https://bugzilla.redhat.com/show_bug.cgi?id=849224 https://bugzilla.redhat.com/show_bug.cgi?id=850342 https://bugzilla.redhat.com/show_bug.cgi?id=850342 https://bugzilla.redhat.com/show_bug.cgi?id=850790 https://bugzilla.redhat.com/show_bug.cgi?id=850790 https://bugzilla.redhat.com/show_bug.cgi?id=851080 https://bugzilla.redhat.com/show_bug.cgi?id=851080 https://bugzilla.redhat.com/show_bug.cgi?id=851142 https://bugzilla.redhat.com/show_bug.cgi?id=851142 https://bugzilla.redhat.com/show_bug.cgi?id=851512 https://bugzilla.redhat.com/show_bug.cgi?id=851512 https://bugzilla.redhat.com/show_bug.cgi?id=852006 https://bugzilla.redhat.com/show_bug.cgi?id=852006 https://bugzilla.redhat.com/show_bug.cgi?id=852119 https://bugzilla.redhat.com/show_bug.cgi?id=852119 https://bugzilla.redhat.com/show_bug.cgi?id=852167 https://bugzilla.redhat.com/show_bug.cgi?id=852167 https://bugzilla.redhat.com/show_bug.cgi?id=852316 https://bugzilla.redhat.com/show_bug.cgi?id=852316 https://bugzilla.redhat.com/show_bug.cgi?id=852388 https://bugzilla.redhat.com/show_bug.cgi?id=852388 https://bugzilla.redhat.com/show_bug.cgi?id=852791 https://bugzilla.redhat.com/show_bug.cgi?id=852791 https://bugzilla.redhat.com/show_bug.cgi?id=852804 https://bugzilla.redhat.com/show_bug.cgi?id=852804 https://bugzilla.redhat.com/show_bug.cgi?id=853056 https://bugzilla.redhat.com/show_bug.cgi?id=853056 https://bugzilla.redhat.com/show_bug.cgi?id=853229 https://bugzilla.redhat.com/show_bug.cgi?id=853229 https://bugzilla.redhat.com/show_bug.cgi?id=853356 https://bugzilla.redhat.com/show_bug.cgi?id=853356 https://bugzilla.redhat.com/show_bug.cgi?id=853445 https://bugzilla.redhat.com/show_bug.cgi?id=853445 https://bugzilla.redhat.com/show_bug.cgi?id=853995 https://bugzilla.redhat.com/show_bug.cgi?id=853995 https://bugzilla.redhat.com/show_bug.cgi?id=854697 https://bugzilla.redhat.com/show_bug.cgi?id=854697 https://bugzilla.redhat.com/show_bug.cgi?id=855184 https://bugzilla.redhat.com/show_bug.cgi?id=855184 https://bugzilla.redhat.com/show_bug.cgi?id=855267 https://bugzilla.redhat.com/show_bug.cgi?id=855267 https://bugzilla.redhat.com/show_bug.cgi?id=855406 https://bugzilla.redhat.com/show_bug.cgi?id=855406 https://bugzilla.redhat.com/show_bug.cgi?id=856220 https://bugzilla.redhat.com/show_bug.cgi?id=856220 https://bugzilla.redhat.com/show_bug.cgi?id=857078 https://bugzilla.redhat.com/show_bug.cgi?id=857078 https://bugzilla.redhat.com/show_bug.cgi?id=857230 https://bugzilla.redhat.com/show_bug.cgi?id=857230 https://bugzilla.redhat.com/show_bug.cgi?id=857274 https://bugzilla.redhat.com/show_bug.cgi?id=857274 https://bugzilla.redhat.com/show_bug.cgi?id=857499 https://bugzilla.redhat.com/show_bug.cgi?id=857499 https://bugzilla.redhat.com/show_bug.cgi?id=857539 https://bugzilla.redhat.com/show_bug.cgi?id=857539 https://bugzilla.redhat.com/show_bug.cgi?id=857550 https://bugzilla.redhat.com/show_bug.cgi?id=857550 https://bugzilla.redhat.com/show_bug.cgi?id=857574 https://bugzilla.redhat.com/show_bug.cgi?id=857574 https://bugzilla.redhat.com/show_bug.cgi?id=857720 https://bugzilla.redhat.com/show_bug.cgi?id=857720 https://bugzilla.redhat.com/show_bug.cgi?id=857727 https://bugzilla.redhat.com/show_bug.cgi?id=857727 https://bugzilla.redhat.com/show_bug.cgi?id=857842 https://bugzilla.redhat.com/show_bug.cgi?id=857842 https://bugzilla.redhat.com/show_bug.cgi?id=858011 https://bugzilla.redhat.com/show_bug.cgi?id=858011 https://bugzilla.redhat.com/show_bug.cgi?id=858013 https://bugzilla.redhat.com/show_bug.cgi?id=858013 https://bugzilla.redhat.com/show_bug.cgi?id=858038 https://bugzilla.redhat.com/show_bug.cgi?id=858038 https://bugzilla.redhat.com/show_bug.cgi?id=858193 https://bugzilla.redhat.com/show_bug.cgi?id=858193 https://bugzilla.redhat.com/show_bug.cgi?id=858277 https://bugzilla.redhat.com/show_bug.cgi?id=858277 https://bugzilla.redhat.com/show_bug.cgi?id=858358 https://bugzilla.redhat.com/show_bug.cgi?id=858358 https://bugzilla.redhat.com/show_bug.cgi?id=858360 https://bugzilla.redhat.com/show_bug.cgi?id=858360 https://bugzilla.redhat.com/show_bug.cgi?id=858363 https://bugzilla.redhat.com/show_bug.cgi?id=858363 https://bugzilla.redhat.com/show_bug.cgi?id=858661 https://bugzilla.redhat.com/show_bug.cgi?id=858661 https://bugzilla.redhat.com/show_bug.cgi?id=858678 https://bugzilla.redhat.com/show_bug.cgi?id=858678 https://bugzilla.redhat.com/show_bug.cgi?id=858682 https://bugzilla.redhat.com/show_bug.cgi?id=858682 https://bugzilla.redhat.com/show_bug.cgi?id=858706 https://bugzilla.redhat.com/show_bug.cgi?id=858706 https://bugzilla.redhat.com/show_bug.cgi?id=858960 https://bugzilla.redhat.com/show_bug.cgi?id=858960 https://bugzilla.redhat.com/show_bug.cgi?id=859329 https://bugzilla.redhat.com/show_bug.cgi?id=859329 https://bugzilla.redhat.com/show_bug.cgi?id=859407 https://bugzilla.redhat.com/show_bug.cgi?id=859407 https://bugzilla.redhat.com/show_bug.cgi?id=859415 https://bugzilla.redhat.com/show_bug.cgi?id=859415 https://bugzilla.redhat.com/show_bug.cgi?id=859442 https://bugzilla.redhat.com/show_bug.cgi?id=859442 https://bugzilla.redhat.com/show_bug.cgi?id=859604 https://bugzilla.redhat.com/show_bug.cgi?id=859604 https://bugzilla.redhat.com/show_bug.cgi?id=859784 https://bugzilla.redhat.com/show_bug.cgi?id=859784 https://bugzilla.redhat.com/show_bug.cgi?id=859963 https://bugzilla.redhat.com/show_bug.cgi?id=859963 https://bugzilla.redhat.com/show_bug.cgi?id=860251 https://bugzilla.redhat.com/show_bug.cgi?id=860251 https://bugzilla.redhat.com/show_bug.cgi?id=860421 https://bugzilla.redhat.com/show_bug.cgi?id=860421 https://bugzilla.redhat.com/show_bug.cgi?id=860702 https://bugzilla.redhat.com/show_bug.cgi?id=860702 https://bugzilla.redhat.com/show_bug.cgi?id=860709 https://bugzilla.redhat.com/show_bug.cgi?id=860709 https://bugzilla.redhat.com/show_bug.cgi?id=862441 https://bugzilla.redhat.com/show_bug.cgi?id=862441 https://bugzilla.redhat.com/show_bug.cgi?id=862997 https://bugzilla.redhat.com/show_bug.cgi?id=862997 https://bugzilla.redhat.com/show_bug.cgi?id=863187 https://bugzilla.redhat.com/show_bug.cgi?id=863187 https://bugzilla.redhat.com/show_bug.cgi?id=863252 https://bugzilla.redhat.com/show_bug.cgi?id=863252 https://bugzilla.redhat.com/show_bug.cgi?id=864216 https://bugzilla.redhat.com/show_bug.cgi?id=864216 https://bugzilla.redhat.com/show_bug.cgi?id=864372 https://bugzilla.redhat.com/show_bug.cgi?id=864372 https://bugzilla.redhat.com/show_bug.cgi?id=864936 https://bugzilla.redhat.com/show_bug.cgi?id=864936 https://bugzilla.redhat.com/show_bug.cgi?id=864999 https://bugzilla.redhat.com/show_bug.cgi?id=864999 https://bugzilla.redhat.com/show_bug.cgi?id=865528 https://bugzilla.redhat.com/show_bug.cgi?id=865528 https://bugzilla.redhat.com/show_bug.cgi?id=865811 https://bugzilla.redhat.com/show_bug.cgi?id=865811 https://bugzilla.redhat.com/show_bug.cgi?id=869575 https://bugzilla.redhat.com/show_bug.cgi?id=869575 https://bugzilla.redhat.com/show_bug.cgi?id=871086 https://bugzilla.redhat.com/show_bug.cgi?id=871086 https://bugzilla.redhat.com/show_bug.cgi?id=872096 https://bugzilla.redhat.com/show_bug.cgi?id=872096 https://bugzilla.redhat.com/show_bug.cgi?id=872305 https://bugzilla.redhat.com/show_bug.cgi?id=872305 https://bugzilla.redhat.com/show_bug.cgi?id=873850 https://bugzilla.redhat.com/show_bug.cgi?id=873850 https://bugzilla.redhat.com/show_bug.cgi?id=874160 https://bugzilla.redhat.com/show_bug.cgi?id=874160 https://bugzilla.redhat.com/show_bug.cgi?id=874185 https://bugzilla.redhat.com/show_bug.cgi?id=874185 https://bugzilla.redhat.com/show_bug.cgi?id=874768 https://bugzilla.redhat.com/show_bug.cgi?id=874768 System Engine for RHEL 6 Server CloudForms Tools for RHEL 6 Server CloudForms Tools for RHEL 5 Server candlepin-0.7.8.1-1.el6cf.src.rpm gofer-0.66.1-2.el5.src.rpm gofer-0.66.1-2.el6cf.src.rpm grinder-0.0.150-1.el6cf.src.rpm katello-1.1.12-22.el6cf.src.rpm katello-agent-1.1.2-1.el5.src.rpm katello-agent-1.1.2-1.el6cf.src.rpm katello-certs-tools-1.1.8-1.el6cf.src.rpm katello-cli-1.1.8-12.el6cf.src.rpm katello-cli-tests-1.1.5-2.el6cf.src.rpm katello-configure-1.1.9-12.el6cf.src.rpm katello-selinux-1.1.1-2.el6cf.src.rpm pulp-1.1.14-1.el6cf.src.rpm quartz-2.1.5-4.el6cf.src.rpm rubygem-apipie-rails-0.0.11-3.el6cf.src.rpm candlepin-0.7.8.1-1.el6cf as a component of System Engine for RHEL 6 Server gofer-0.66.1-2.el6cf as a component of System Engine for RHEL 6 Server grinder-0.0.150-1.el6cf as a component of System Engine for RHEL 6 Server katello-1.1.12-22.el6cf as a component of System Engine for RHEL 6 Server katello-certs-tools-1.1.8-1.el6cf as a component of System Engine for RHEL 6 Server katello-cli-1.1.8-12.el6cf as a component of System Engine for RHEL 6 Server katello-cli-tests-1.1.5-2.el6cf as a component of System Engine for RHEL 6 Server katello-configure-1.1.9-12.el6cf as a component of System Engine for RHEL 6 Server katello-selinux-1.1.1-2.el6cf as a component of System Engine for RHEL 6 Server pulp-1.1.14-1.el6cf as a component of System Engine for RHEL 6 Server quartz-2.1.5-4.el6cf as a component of System Engine for RHEL 6 Server rubygem-apipie-rails-0.0.11-3.el6cf as a component of System Engine for RHEL 6 Server gofer-0.66.1-2.el6cf as a component of CloudForms Tools for RHEL 6 Server katello-agent-1.1.2-1.el6cf as a component of CloudForms Tools for RHEL 6 Server gofer-0.66.1-2.el5 as a component of CloudForms Tools for RHEL 5 Server katello-agent-1.1.2-1.el5 as a component of CloudForms Tools for RHEL 5 Server It was discovered that Pulp logged administrative passwords to a world readable log file. A local attacker could use this flaw to control systems deployed and managed by CloudForms. The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat; CVE-2012-3538 was discovered by James Laska of Red Hat; CVE-2012-4574 was discovered by Kurt Seifried of Red Hat; and CVE-2012-5605 was discovered by James Labocki of Red Hat. 2012-08-27T00:00:00Z 2012-12-04T00:00:00Z CVE-2012-3538 5Server-CloudTools:gofer-0.66.1-2.el5 5Server-CloudTools:katello-agent-1.1.2-1.el5 6Server-CloudTools:gofer-0.66.1-2.el6cf 6Server-CloudTools:katello-agent-1.1.2-1.el6cf 6Server-SystemEngine:candlepin-0.7.8.1-1.el6cf 6Server-SystemEngine:gofer-0.66.1-2.el6cf 6Server-SystemEngine:grinder-0.0.150-1.el6cf 6Server-SystemEngine:katello-1.1.12-22.el6cf 6Server-SystemEngine:katello-certs-tools-1.1.8-1.el6cf 6Server-SystemEngine:katello-cli-1.1.8-12.el6cf 6Server-SystemEngine:katello-cli-tests-1.1.5-2.el6cf 6Server-SystemEngine:katello-configure-1.1.9-12.el6cf 6Server-SystemEngine:katello-selinux-1.1.1-2.el6cf 6Server-SystemEngine:pulp-1.1.14-1.el6cf 6Server-SystemEngine:quartz-2.1.5-4.el6cf 6Server-SystemEngine:rubygem-apipie-rails-0.0.11-3.el6cf Moderate 4.9 AV:L/AC:L/Au:N/C:C/I:N/A:N Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1543.html https://www.redhat.com/security/data/cve/CVE-2012-3538.html CVE-2012-3538 https://bugzilla.redhat.com/show_bug.cgi?id=852199 bz#852199: CVE-2012-3538 pulp: admin password logged in plaintext in world-readable katello/production.log This issue was discovered by James Laska of Red Hat. It was discovered that the Pulp configuration file pulp.conf was installed as world readable. A local attacker could use this flaw to view the administrative password, allowing them to control systems deployed and managed by CloudForms. The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat; CVE-2012-3538 was discovered by James Laska of Red Hat; CVE-2012-4574 was discovered by Kurt Seifried of Red Hat; and CVE-2012-5605 was discovered by James Labocki of Red Hat. 2012-11-02T00:00:00Z 2012-12-04T00:00:00Z CVE-2012-4574 5Server-CloudTools:gofer-0.66.1-2.el5 5Server-CloudTools:katello-agent-1.1.2-1.el5 6Server-CloudTools:gofer-0.66.1-2.el6cf 6Server-CloudTools:katello-agent-1.1.2-1.el6cf 6Server-SystemEngine:candlepin-0.7.8.1-1.el6cf 6Server-SystemEngine:gofer-0.66.1-2.el6cf 6Server-SystemEngine:grinder-0.0.150-1.el6cf 6Server-SystemEngine:katello-1.1.12-22.el6cf 6Server-SystemEngine:katello-certs-tools-1.1.8-1.el6cf 6Server-SystemEngine:katello-cli-1.1.8-12.el6cf 6Server-SystemEngine:katello-cli-tests-1.1.5-2.el6cf 6Server-SystemEngine:katello-configure-1.1.9-12.el6cf 6Server-SystemEngine:katello-selinux-1.1.1-2.el6cf 6Server-SystemEngine:pulp-1.1.14-1.el6cf 6Server-SystemEngine:quartz-2.1.5-4.el6cf 6Server-SystemEngine:rubygem-apipie-rails-0.0.11-3.el6cf Moderate 4.9 AV:L/AC:L/Au:N/C:C/I:N/A:N Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1543.html https://www.redhat.com/security/data/cve/CVE-2012-4574.html CVE-2012-4574 https://bugzilla.redhat.com/show_bug.cgi?id=872487 bz#872487: CVE-2012-4574 pulp /etc/pulp/pulp.conf world readable, contains default admin password This issue was discovered by Kurt Seifried of the Red Hat Security Response Team. It was discovered that Katello did not properly check user permissions when handling certain requests. An authenticated remote attacker could use this flaw to download consumer certificates or change settings of other users' systems if they knew the target system's UUID. The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat; CVE-2012-3538 was discovered by James Laska of Red Hat; CVE-2012-4574 was discovered by Kurt Seifried of Red Hat; and CVE-2012-5605 was discovered by James Labocki of Red Hat. 2012-05-28T00:00:00Z 2012-12-04T00:00:00Z CVE-2012-5603 5Server-CloudTools:gofer-0.66.1-2.el5 5Server-CloudTools:katello-agent-1.1.2-1.el5 6Server-CloudTools:gofer-0.66.1-2.el6cf 6Server-CloudTools:katello-agent-1.1.2-1.el6cf 6Server-SystemEngine:candlepin-0.7.8.1-1.el6cf 6Server-SystemEngine:gofer-0.66.1-2.el6cf 6Server-SystemEngine:grinder-0.0.150-1.el6cf 6Server-SystemEngine:katello-1.1.12-22.el6cf 6Server-SystemEngine:katello-certs-tools-1.1.8-1.el6cf 6Server-SystemEngine:katello-cli-1.1.8-12.el6cf 6Server-SystemEngine:katello-cli-tests-1.1.5-2.el6cf 6Server-SystemEngine:katello-configure-1.1.9-12.el6cf 6Server-SystemEngine:katello-selinux-1.1.1-2.el6cf 6Server-SystemEngine:pulp-1.1.14-1.el6cf 6Server-SystemEngine:quartz-2.1.5-4.el6cf 6Server-SystemEngine:rubygem-apipie-rails-0.0.11-3.el6cf Important 5.5 AV:N/AC:L/Au:S/C:P/I:P/A:N Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1543.html https://www.redhat.com/security/data/cve/CVE-2012-5603.html CVE-2012-5603 https://bugzilla.redhat.com/show_bug.cgi?id=882129 bz#882129: CVE-2012-5603 CloudForms Katello: lack of authorization in proxies_controller.rb This issue was discovered by Lukas Zapletal of Red Hat. It was discovered that grinder used insecure permissions for its cache directory. A local attacker could use this flaw to access or modify files in the cache. The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat; CVE-2012-3538 was discovered by James Laska of Red Hat; CVE-2012-4574 was discovered by Kurt Seifried of Red Hat; and CVE-2012-5605 was discovered by James Labocki of Red Hat. 2012-06-04T00:00:00Z 2012-12-04T00:00:00Z CVE-2012-5605 5Server-CloudTools:gofer-0.66.1-2.el5 5Server-CloudTools:katello-agent-1.1.2-1.el5 6Server-CloudTools:gofer-0.66.1-2.el6cf 6Server-CloudTools:katello-agent-1.1.2-1.el6cf 6Server-SystemEngine:candlepin-0.7.8.1-1.el6cf 6Server-SystemEngine:gofer-0.66.1-2.el6cf 6Server-SystemEngine:grinder-0.0.150-1.el6cf 6Server-SystemEngine:katello-1.1.12-22.el6cf 6Server-SystemEngine:katello-certs-tools-1.1.8-1.el6cf 6Server-SystemEngine:katello-cli-1.1.8-12.el6cf 6Server-SystemEngine:katello-cli-tests-1.1.5-2.el6cf 6Server-SystemEngine:katello-configure-1.1.9-12.el6cf 6Server-SystemEngine:katello-selinux-1.1.1-2.el6cf 6Server-SystemEngine:pulp-1.1.14-1.el6cf 6Server-SystemEngine:quartz-2.1.5-4.el6cf 6Server-SystemEngine:rubygem-apipie-rails-0.0.11-3.el6cf Moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1543.html https://www.redhat.com/security/data/cve/CVE-2012-5605.html CVE-2012-5605 https://bugzilla.redhat.com/show_bug.cgi?id=882138 bz#882138: CVE-2012-5605 CloudForms grinder: /var/lib/pulp/cache/grinder directory is world-writeable This issue was discovered by James Labocki of Red Hat.