CentOS ProjectCESA-2016:2592python, subscription security update
2.1 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
3.3 Low
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
0.0004 Low
EPSS
Percentile
12.7%
CentOS Errata and Security Advisory CESA-2016:2592
The subscription-manager packages provide programs and libraries to allow users to manage subscriptions and yum repositories from the Red Hat entitlement platform.
The subscription-manager-migration-data package provides certificates for migrating a system from the legacy Red Hat Network Classic (RHN) to Red Hat Subscription Management (RHSM).
The python-rhsm packages provide a library for communicating with the representational state transfer (REST) interface of a Red Hat Unified Entitlement Platform. The Subscription Management tools use this interface to manage system entitlements, certificates, and access to content.
The following packages have been upgraded to a newer upstream version: subscription-manager (1.17.15), python-rhsm (1.17.9), subscription-manager-migration-data (2.0.31). (BZ#1328553, BZ#1328555, BZ#1328559)
Security Fix(es):
- It was found that subscription-manager set weak permissions on files in /var/lib/rhsm/, causing an information disclosure. A local, unprivileged user could use this flaw to access sensitive data that could potentially be used in a social engineering attack. (CVE-2016-4455)
Red Hat would like to thank Robert Scheck for reporting this issue.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-cr-announce/2016-November/029726.html
https://lists.centos.org/pipermail/centos-cr-announce/2016-November/029933.html
Affected packages:
python-rhsm
python-rhsm-certificates
subscription-manager
subscription-manager-gui
subscription-manager-initial-setup-addon
subscription-manager-plugin-container
subscription-manager-plugin-ostree
Upstream details at:
https://access.redhat.com/errata/RHSA-2016:2592
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| CentOS | 7 | x86_64 | python-rhsm | < 1.17.9-1.el7 | python-rhsm-1.17.9-1.el7.x86_64.rpm |
| CentOS | 7 | x86_64 | python-rhsm-certificates | < 1.17.9-1.el7 | python-rhsm-certificates-1.17.9-1.el7.x86_64.rpm |
| CentOS | 7 | x86_64 | subscription-manager | < 1.17.15-1.el7.centos | subscription-manager-1.17.15-1.el7.centos.x86_64.rpm |
| CentOS | 7 | x86_64 | subscription-manager-gui | < 1.17.15-1.el7.centos | subscription-manager-gui-1.17.15-1.el7.centos.x86_64.rpm |
| CentOS | 7 | x86_64 | subscription-manager-initial-setup-addon | < 1.17.15-1.el7.centos | subscription-manager-initial-setup-addon-1.17.15-1.el7.centos.x86_64.rpm |
| CentOS | 7 | x86_64 | subscription-manager-plugin-container | < 1.17.15-1.el7.centos | subscription-manager-plugin-container-1.17.15-1.el7.centos.x86_64.rpm |
| CentOS | 7 | x86_64 | subscription-manager-plugin-ostree | < 1.17.15-1.el7.centos | subscription-manager-plugin-ostree-1.17.15-1.el7.centos.x86_64.rpm |
Related
2.1 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
3.3 Low
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
0.0004 Low
EPSS
Percentile
12.7%