Red Hat Subscription Asset Manager acts as a proxy for handling
subscription information and software updates on client machines.
It was discovered that Katello did not properly check user permissions when
handling certain requests. An authenticated remote attacker could use this
flaw to download consumer certificates or change settings of other usersโ
systems if they knew the target systemโs UUID. (CVE-2012-5603)
It was found that the
โ/usr/share/katello/script/katello-generate-passphraseโ utility, which is
run during the installation and configuration process, set world-readable
permissions on the โ/etc/katello/secure/passphraseโ file. A local attacker
could use this flaw to obtain the passphrase for Katello, giving them
access to information they would otherwise not have access to.
(CVE-2012-5561)
Note: After installing this update, ensure the
โ/etc/katello/secure/passphraseโ file is owned by the root user and group
and mode 0750 permissions. Sites should also consider re-creating the
Katello passphrase as this issue exposed it to local users.
Three flaws were found in rubygem-rack. A remote attacker could use these
flaws to perform a denial of service attack against applications using
rubygem-rack. (CVE-2012-6109, CVE-2013-0183, CVE-2013-0184)
It was found that ruby_parser from rubygem-ruby_parser created a temporary
file in an insecure way. A local attacker could use this flaw to perform a
symbolic link attack, overwriting arbitrary files accessible to the
application using ruby_parser. (CVE-2013-0162)
The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat;
CVE-2012-5561 was discovered by Aaron Weitekamp of the Red Hat Cloud
Quality Engineering team; and CVE-2013-0162 was discovered by Michael
Scherer of the Red Hat Regional IT team.
These updated Subscription Asset Manager packages include a number of bug
fixes and enhancements. Space precludes documenting all of these changes
in this advisory. Refer to the Red Hat Subscription Asset Manager 1.2
Release Notes for information about these changes:
All users of Red Hat Subscription Asset Manager are advised to upgrade to
these updated packages, which fix these issues and add various
enhancements.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
RedHat | 6 | x86_64 | sigar | <ย 1.6.5-0.12.git58097d9h.el6_3 | sigar-1.6.5-0.12.git58097d9h.el6_3.x86_64.rpm |
RedHat | 6 | src | katello-certs-tools | <ย 1.2.1-1h.el6_3 | katello-certs-tools-1.2.1-1h.el6_3.src.rpm |
RedHat | 6 | noarch | katello-certs-tools | <ย 1.2.1-1h.el6_3 | katello-certs-tools-1.2.1-1h.el6_3.noarch.rpm |
RedHat | 6 | x86_64 | sigar-debuginfo | <ย 1.6.5-0.12.git58097d9h.el6_3 | sigar-debuginfo-1.6.5-0.12.git58097d9h.el6_3.x86_64.rpm |
RedHat | 6 | noarch | lucene3 | <ย 3.6.1-10h.el6_3 | lucene3-3.6.1-10h.el6_3.noarch.rpm |
RedHat | 6 | noarch | rubygem-ruby_parser | <ย 2.0.4-6.el6cf | rubygem-ruby_parser-2.0.4-6.el6cf.noarch.rpm |
RedHat | 6 | x86_64 | sigar-java | <ย 1.6.5-0.12.git58097d9h.el6_3 | sigar-java-1.6.5-0.12.git58097d9h.el6_3.x86_64.rpm |
RedHat | 6 | noarch | rubygem-ldap_fluff | <ย 0.1.3-1.el6_3 | rubygem-ldap_fluff-0.1.3-1.el6_3.noarch.rpm |
RedHat | 6 | noarch | katello-cli-common | <ย 1.2.1-12h.el6_3 | katello-cli-common-1.2.1-12h.el6_3.noarch.rpm |
RedHat | 6 | noarch | quartz | <ย 2.1.5-4.el6_3 | quartz-2.1.5-4.el6_3.noarch.rpm |