[RHSA-2018:3816-01] Important: CloudForms 4.6.6 security, bug fix and enhancement update

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Thu Dec 13 15:16:21 UTC 2018



=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: CloudForms 4.6.6 security, bug fix and enhancement update
Advisory ID:       RHSA-2018:3816-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:3816
Issue date:        2018-12-13
Cross references:  RHSA-2018:3466
CVE Names:         CVE-2018-1053 CVE-2018-1058 CVE-2018-10915 
                   CVE-2018-10925 
=====================================================================

1. Summary:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* postgresql: Certain host connection parameters defeat client-side
security defenses (CVE-2018-10915)

* postgresql: Missing authorization and memory disclosure in INSERT ... ON
CONFLICT DO UPDATE statements (CVE-2018-10925)

* postgresql: pg_upgrade creates file of sensitive metadata under
prevailing umask (CVE-2018-1053)

* postgresql: Uncontrolled search path element in pg_dump and other client
applications (CVE-2018-1058)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank the PostgreSQL project for reporting
CVE-2018-10915, CVE-2018-10925 and CVE-2018-1053. Upstream acknowledges
Andrew Krasichkov as the original reporter of CVE-2018-10915; and Tom Lane
as the original reporter of CVE-2018-1053.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

If the postgresql service is running, it will be automatically restarted
after installing this update. After installing the updated packages, the
httpd daemon will be restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1539619 - CVE-2018-1053 postgresql: pg_upgrade creates file of sensitive metadata under prevailing umask
1547044 - CVE-2018-1058 postgresql: Uncontrolled search path element in pg_dump and other client applications
1609891 - CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
1610547 - [v2v] [RFE] Migrating VM with multiple DPG's fail to get assigned with correct NICs on RHV
1612619 - CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements
1618836 - Changing action order in catalog bundle removes resource
1623562 - [RFE] Don't show allocated IPs in dropdown while assigning floating IPs via CloudForms
1634809 - Button enablement and visibility by tag not working for buttons on Ansible services
1635034 - In the self service portal, reconfigure service shows "No Provisioning Dialog Available"
1635255 - Reports do not run when submitted through a UI which does not have reporting role on.
1635759 - Buttons not sorted in button group on Ansible Service
1635788 - Reverting snapshot fails for OpenStack instances
1638501 - Cannot login with an uppercase letter in username
1639351 - WebSocket push notifications no longer work in SUI
1639353 - [URI::InvalidComponentError]: bad component(expected host component):   Method:[block in method_missing]
1639364 - Cannot change appliance name
1640194 - Service Dialogs are slow
1640258 - Update miqssh utilities.
1640629 - Variables field in provisioning a new service catalog item (Ansible playbook) changes when typing information into it
1640631 - User ID for Service Retirement Task Changes During Retires When First Retirement Fails
1641771 - Copying a custom report from a custom report menu changes source report name
1643042 - [RFE][Providers][RHOS] - Some flavors not visible in Instance Type dropdown when creating instance
1643261 - Unable to retire service via Global region
1643263 - Custom button[Template/Image]: after dialog execution not return to Detail page
1643539 - Validation failed: Description is not unique within region 1  Method:[block in method_missing]
1643959 - Custom Operator Role Can Edit Tags from Datastore Tab but not Through Provider > Datastore
1644410 - syncrou.manageiq-automate : Initialize the Workspace failed
1645198 - Unexpected error encountered when trying to cancel SSA scan task
1645204 - Custom Button: Navigation with relationship table breaks button display on destination.
1646435 - Prevent Service Ordering directly from REST-API
1646561 - The Server Name and Zone Name in the configuration page is blank upon visiting.
1646564 - Bad UI after adding a schedule for report
1646571 - Embedded Ansible: Wrong message in Notifications
1646599 - need to choose date two times in timepicker to take effect
1646604 - Button to start an ansible playbook does not work under self service portal
1646605 - Custom buttons that utilize dialogs with dynamic elements not do not populate from service UI
1646606 - Getting CORS error while creating quotas via javascript
1646613 - Extra buttons on Container Provider page
1646629 - Embedded Ansible needs a retry interval. We are currently setting limit and not interval.
1646646 - Azure refresh fails with [NoMethodError]: undefined method `sku'
1647056 - Memory peak usage of allocated for collected intervals (30 day average) field does not generate within report
1647108 - Infrastructure mapping not available shown incorrectly on Migration Plan
1647188 - unable to edit tags on an infrastructure host
1647489 - [Containers] Cannot Validate Metrics Endpoint for OCP Provider
1648674 - Unable to update Cloud Volume using CFME 5.9 with OSP 14
1648948 - Tags responding to `show` with true and having no classification produce 500-level errors for URL of `/api/tags?expand=resources&attributes=category,categorization`
1648955 - No registered resource provider found for location 'germanycentral' and API version '2014-04-01' for type 'virtualMachines'
1648991 - [RFE] Setting Retirement for a Service in Global Region Does Not get Replicated to Local Region
1649033 - Roles with SUI privileges can't access Services, Orders in SUI in empty appliance
1649380 - Dynamic Dropdown Multiselect: Default element is blank when loaded by another element
1649419 - SUI permissions not showing catalogs and not hiding snapshots menu
1650691 - Setting retirement date for Service via Centralized Administration raises InterRegionApiMethodRelayError
1651291 - [Regression] Static Dialogs are not Populated when Submitting API Requests for Service Catalog
1651347 - Amazon API filter limit breaks targeted refresh for more than 200 items
1651391 - Orchestration catalog items cannot be submitted because of tenant error
1653417 - CFME should not assign flavor id in OSP provider.
1653710 - Internet Explorer (IE) not able to login to CloudForms
1654436 - Remove_from_disk method is leaving VMs in an Orphaned State for VMware Provider
1654463 - Memory utilization by node is incorrect in Provider Overview page
1655081 - Catalog bundle resources not retiring
1655143 - cfme upgrade 5.8 --> 5.9 not working as it requires rh-ruby23-ruby(release) < 2.3.7
1655773 - Service not showing VMs belong to
1656168 - ansible tower items are not listed when part of service bundles
1656169 - retirement of the parent service does not retire child catalog items

6. Package List:

CloudForms Management Engine 5.9:

Source:
cfme-5.9.6.5-3.el7cf.src.rpm
cfme-amazon-smartstate-5.9.6.5-2.el7cf.src.rpm
cfme-appliance-5.9.6.5-1.el7cf.src.rpm
cfme-gemset-5.9.6.5-2.el7cf.src.rpm
dbus-api-service-1.0.1-3.1.el7cf.src.rpm
httpd-configmap-generator-0.2.2-1.2.el7cf.src.rpm
postgresql96-9.6.10-1PGDG.el7at.src.rpm

x86_64:
cfme-5.9.6.5-3.el7cf.x86_64.rpm
cfme-amazon-smartstate-5.9.6.5-2.el7cf.x86_64.rpm
cfme-appliance-5.9.6.5-1.el7cf.x86_64.rpm
cfme-appliance-common-5.9.6.5-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.9.6.5-1.el7cf.x86_64.rpm
cfme-appliance-tools-5.9.6.5-1.el7cf.x86_64.rpm
cfme-debuginfo-5.9.6.5-3.el7cf.x86_64.rpm
cfme-gemset-5.9.6.5-2.el7cf.x86_64.rpm
cfme-gemset-debuginfo-5.9.6.5-2.el7cf.x86_64.rpm
dbus-api-service-1.0.1-3.1.el7cf.x86_64.rpm
httpd-configmap-generator-0.2.2-1.2.el7cf.x86_64.rpm
postgresql96-9.6.10-1PGDG.el7at.x86_64.rpm
postgresql96-contrib-9.6.10-1PGDG.el7at.x86_64.rpm
postgresql96-debuginfo-9.6.10-1PGDG.el7at.x86_64.rpm
postgresql96-devel-9.6.10-1PGDG.el7at.x86_64.rpm
postgresql96-docs-9.6.10-1PGDG.el7at.x86_64.rpm
postgresql96-libs-9.6.10-1PGDG.el7at.x86_64.rpm
postgresql96-plperl-9.6.10-1PGDG.el7at.x86_64.rpm
postgresql96-plpython-9.6.10-1PGDG.el7at.x86_64.rpm
postgresql96-pltcl-9.6.10-1PGDG.el7at.x86_64.rpm
postgresql96-server-9.6.10-1PGDG.el7at.x86_64.rpm
postgresql96-test-9.6.10-1PGDG.el7at.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-1053
https://access.redhat.com/security/cve/CVE-2018-1058
https://access.redhat.com/security/cve/CVE-2018-10915
https://access.redhat.com/security/cve/CVE-2018-10925
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.6/html/release_notes

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.