Release Notes
Product notes, new features, and known bugs for Red Hat Satellite 6.3.
Abstract
Chapter 1. Introduction
Red Hat Satellite is a system management solution that enables you to deploy, configure, and maintain your systems across physical, virtual, and cloud environments. Satellite provides provisioning, remote management and monitoring of multiple Red Hat Enterprise Linux deployments with a single, centralized tool.
Red Hat Satellite Server synchronizes the content from Red Hat Customer Portal and other sources, and provides functionality including fine-grained life cycle management, user and group role-based access control, integrated subscription management, as well as advanced GUI, CLI, or API access.
Red Hat Satellite Capsule Server mirrors content from Red Hat Satellite Server to facilitate content federation across various geographical locations. Host systems can pull content and configuration from the Capsule Server in their location and not from the central Satellite Server. The Capsule Server also provides localized services such as Puppet Master, DHCP, DNS, or TFTP. Capsule Servers assist you in scaling Red Hat Satellite as the number of managed systems increases in your environment.
1.1. Satellite 6 Component Versions
Red Hat Satellite is a combination of a number of upstream projects. For the full details of the major projects included, and the version of those projects included in each major and minor release of Red Hat Satellite, see Satellite 6 Component Versions.
1.2. Red Hat Satellite and Proxy Server Life Cycle
For an overview of the life cycle phases for Red Hat Network Satellite and Red Hat Satellite and the status of support for these products, see Red Hat Satellite and Proxy Server Life Cycle.
1.3. Red Hat Satellite FAQ
For a list of frequently asked questions about Red Hat Satellite 6, see Red Hat Satellite 6 FAQ.
Chapter 2. Content Delivery Network Repositories
This section describes the repositories required to install Red Hat Satellite 6.3.
You can install Red Hat Satellite 6.3 through the Content Delivery Network (CDN). To do so, configure subscription-manager to use the correct repository for your operating system version and variant.
Run the following command to enable a CDN repository:
# subscription-manager repos --enable=[reponame]
Run the following command to disable a CDN repository:
# subscription-manager repos --disable=[reponame]
The following sections outline the repositories required by Red Hat Satellite 6.3. When one of these repositories is required to install a package, the steps to enable the required repositories are included in the documentation.
2.1. Red Hat Satellite
The following table lists the repositories for Red Hat Satellite Server.
Table 2.1. Red Hat Satellite
| Channel | Repository Name |
|---|---|
| Red Hat Satellite 6.3 (for RHEL 7 Server) (RPMs) | |
| Red Hat Satellite 6.3 - Puppet 4 (for RHEL 7 Server) (RPMs) | |
2.2. Red Hat Satellite Capsule
The following table lists the repositories for Red Hat Satellite Capsule Server.
Table 2.2. Red Hat Satellite Capsule
| Channel | Repository Name |
|---|---|
| Red Hat Satellite Capsule 6.3 (for RHEL 7 Server) (RPMs) | |
| Red Hat Satellite Capsule 6.3 - Puppet 4 (for RHEL 7 Server) (RPMs) | |
2.3. Red Hat Satellite Maintenance
The following table lists the repositories for Red Hat Satellite Maintenance.
Table 2.3. Red Hat Satellite Maintenance
| Channel | Repository Name |
|---|---|
| Red Hat Satellite Maintenance 6 (for RHEL 7 Server) (RPMs) | |
2.4. Red Hat Satellite Tools
The following table lists the repositories for Red Hat Satellite Tools.
Table 2.4. Red Hat Satellite Tools
| Channel | Repository Name |
|---|---|
| Red Hat Satellite Tools 6.3 (for RHEL 5 Server - AUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 5 Server - ELS) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 5 for System Z - ELS) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 6 Desktop) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 6 Server) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 6 Server - EUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 6 Server - AUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 6 Workstation) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 6 for System Z) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 6 for System Z - EUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 6 for IBM Power) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 6 for IBM Power - EUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 6 for Scientific Computing) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 6 for Scientific Computing - EUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 7 Desktop) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 7 Server) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 7 Server - EUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 7 Server - AUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 7 Workstation) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 7 for System Z) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 7 for System Z - EUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 7 for IBM Power) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 7 for IBM Power - EUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 7 for Scientific Computing) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 7 for Scientific Computing - EUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 7 for IBM Power LE) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 7 for IBM Power LE - EUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 (for RHEL 7 Server for ARM) (RPMs) | |
2.5. Red Hat Satellite Tools - Puppet 4
The following table lists the repositories for Red Hat Satellite Tools - Puppet 4.
Table 2.5. Red Hat Satellite Tools - Puppet 4
| Channel | Repository Name |
|---|---|
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 5 Server - AUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 5 Server - ELS) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 6 Desktop) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 6 Server) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 6 Server - EUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 6 Server - AUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 6 Workstation) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 6 for Scientific Computing) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 6 for Scientific Computing - EUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 Desktop) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 Server) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 Server - EUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 Server - AUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 Workstation) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 for Scientific Computing) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 for Scientific Computing - EUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 for IBM Power LE) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 for IBM Power LE - EUS) (RPMs) | |
| Red Hat Satellite Tools 6.3 - Puppet 4 (for RHEL 7 Server for ARM) (RPMs) | |
Chapter 3. Key Changes to the Documentation Set
Several notable changes were made to the Red Hat Satellite documentation set for this release. The following list outlines and explains these changes.
- Errata Management Guide
- The Errata Management Guide is a new title that describes how to set up patching in a Red Hat Satellite environment.
- Hammer CLI Guide
- A full reference to Hammer commands has now been added. For more information, see Reference in the Hammer CLI Guide.
- Host Configuration Guide
- The Host Configuration Guide included in the Red Hat Satellite 6.2 documentation suite has now been renamed Managing Hosts to more closely reflect the content it contains. Content on configuring provisioning environments and managing content previously found in this guide has been moved to the Provisioning Guide and Content Management Guide respectively.
- Installation Guide
- Content on upgrading and updating Red Hat Satellite has been moved to a standalone title Upgrading and Updating Red Hat Satellite.
- Server Administration Guide
- The Server Administration Guide included in the Red Hat Satellite 6.2 documentation suite has now been renamed Administering Red Hat Satellite to more closely reflect the content it contains. Content on managing content previously found in this guide has been moved to the Content Management Guide.
Chapter 4. New Features and Enhancements
This chapter introduces new features in Red Hat Satellite 6.3, and links to further information.
- Ansible Tower Integration
- Satellite 6.3 now supports Ansible Tower Integration. Ansible Tower is a web-based graphical interface for automating management tasks such as cloud provisioning, configuration, and application deployment. Red Hat Satellite, with Ansible Tower, provides a dynamic inventory, and provisioning callbacks. Ansible Tower is able to use Red Hat Satellite as a dynamic inventory source, and both products are able to sync inventory. Systems provisioned by Red Hat Satellite are able to ‘callback’ to Tower, allowing Ansible playbooks to run post provisioning.
- Arbitrary Files in Content Views
- Satellite 6.3 provides the ability for custom products to include repositories for custom file types. This provides a generic method to incorporate arbitrary files in a product. Applications range from distributing SSH keys and source code files to larger files such as virtual machine images and ISO files.
- Bulk Subscription Upgrade Tooling
- Satellite 6.3 subscription management now provides the ability to manage subscriptions against multiple systems. This includes the ability to export subscriptions to a file in CSV format, import from a previously exported CSV file, and bulk-attach subscriptions using the API and CLI.
- Cloning Utility
- Satellite 6.3 provides the ability to restore Red Hat Satellite to a bare metal environment by cloning an existing Red Hat Satellite 6.1 or 6.2 backup, and then upgrading the clone to Red Hat Satellite 6.3.
- Content Synchronization Policies
- Red Hat Satellite Capsules now feature their own user selectable download policy for repositories: On Demand, Background, Immediate, and Inherit from Repository.
- EC2 Support
- Satellite 6.3 now supports running on Amazon Elastic Compute Cloud (Amazon EC2).
- Email Setting Configuration
- Satellite 6.3 introduces user configurable email settings by the API and the Administer settings of the web user interface. Settings include Sendmail/SMTP settings, authentication settings, and how emails are sent by Satellite.
- Future-Dated Subscriptions
- Satellite 6.3 introduces the ability to view and attach future dated subscriptions to systems. The Red Hat Customer Portal now has the facility to view and download manifests containing future dated subscriptions.
- Host Name Control
- Satellite 6.3 features improved hostname creation logic for clients with Discovery, providing the ability to set the fact that is used for the hostname of the system.
- Improved Compute Resource Configuration
- Satellite 6.3 introduces user configurable resource allocation within hypervisor environments.
- LDAP User Organization and Location Assignment
- This release adds to Hammer the ability to change the default location or organization of a user, using the name of the location or organization in addition to the ID.
- Login Page Messages
- This release adds the ability to specify a custom message on the login screen to the Red Hat Satellite Server web user interface.
- Notifications Area
- This release adds a notifications area to the Red Hat Satellite Server web user interface. It displays event notifications to inform administrators of important environment changes, such as the following:
  - Host discovery
  - Host deletion
  - Successful provisioning of a system
  - Imported host with no owner
- OpenSCAP Tailoring Files
- This release adds the ability to upload and use tailoring files to customize existing OpenSCAP policies.
- Organization Administrator Role
- This release adds a new organization administrator role by default. This role can view the configuration of every element of the Satellite structure, logs, and statistics.
- Parameterized Subnets
- This release adds a method to specify parameters for subnets in a similar way as for domains. From the Infrastructure menu, when you create or edit subnets, there is a new Parameters tab.
- Puppet 4 Support
- This release supports hosts with Puppet version 3.8 or later. You can now update hosts to the Puppet 4 agent.
- Red Hat Virtualization 4.0 Support
- This release adds support for Red Hat Virtualization 4.0 as a compute resource back end.
- Rename Utility
- This release includes a tool for renaming a Satellite or Capsule Server.
- SSH Key Provisioning Support
- This release adds support for the deployment of public SSH keys as part of the provisioning process.
- Static IP Configuration in Bootdisks
- This release adds support for static IP configuration to be included in full host bootdisks.
- Template Enhancements
- This release adds two enhancements to provisioning templates. It is now possible to export templates. The template editor now features a Help tab which contains information about the template syntax.
- Tokenized Authentication for Hammer
- This release adds the ability to initiate a token-based authenticated session with Satellite and avoid storing credentials in plain text. You are only prompted once for credentials at the beginning of a session when running Hammer commands.
- UEFI Support
- This release adds support for PXE booting of UEFI systems.
- User Description Field
- This release adds the ability to specify a custom description for individual users in the Red Hat Satellite Server web user interface.
- virt-who Configuration Utility
- This release adds a feature which assists the task of creating and deploying virt-who configuration files. For RHEV3, RHV4 and RHEL-Based hypervisors, this release supports the following virt-who configuration types: rhevm and libvirt.
Chapter 5. Release Information
These release notes highlight technology preview items, recommended practices, known issues, and deprecated functionality to be taken into consideration when deploying this release of Red Hat Satellite 6.
Notes for updates released during the support lifecycle of this Red Hat Satellite 6 release will appear in the advisory text associated with each update.
5.1. Enhancements
This release of Red Hat Satellite 6 features the following enhancements:
BZ#1329051
Previously, users had to synchronize the Atomic Kickstart Tree content manually through a custom repository. With this release, users can synchronize the Atomic Kickstart Tree content from within the Red Hat Content Delivery Network.
5.2. Technology Preview
The items listed in this section are provided as Technology Previews. For further information on the scope of Technology Preview status, and the associated support implications, see https://access.redhat.com/support/offerings/techpreview/.
- Synchronize Templates from Git Repositories
- Satellite 6.3 introduces a plug-in that allows templates to be pushed to, and pulled from, an external Git repository or filesystem. For more information, see Synchronizing Templates with Git.
- Auto-attach Bootdisk for VMWare
- Satellite 6.3 introduces an auto-attach bootdisk for VMWare as a feature. For more information, see Satellite 6.3 Feature Overview: Auto-attach Bootdisk for VMWare [Tech Preview].
- Tracer
- Satellite 6.3 introduces Tracer, an integration with the Tracer tool that monitors running processes and identifies if they need to be restarted due to package updates or similar activities. For more information, see Satellite 6.3 Feature Overview: Tracer [Tech Preview].
BZ#1376191
Previously, provisioning on IBM POWER was not available. With this release, provisioning clients on IBM POWER via BOOTP is available as a Technology Preview feature.
5.3. Release Notes
This section outlines important details about the release, including recommended practices and notable changes to Red Hat Satellite. You must take this information into account to ensure the best possible outcomes for your deployment.
BZ#1432285
Previously, there was an API JSON field named "enabled_override" for the API at "/api/v2/hosts/1/subscriptions/product_content". With this release, the API JSON field name "enabled_override" has been deprecated in favor of "override" to improve consistency.
BZ#1433458
To synchronize container images from a registry with self-signed certificates, you must either configure certificates manually or disable the SSL Verify option.
BZ#1435007
With this release, the roles included in Red Hat Satellite are now read only. If any of these roles were previously customized, an editable version of those roles with the name "Customized XXXX" is created when you upgrade your environment to this version.
BZ#1469599
Because of security fixes introduced in this release, if you clone templates that contain Ruby's `to_proc` shorthand syntax in Satellite 6.2, and then upgrade to Satellite 6.3, you cannot use the template.
As a workaround, write the same code as a full Ruby block, for example, `(1..3).collect(&:to_s)` becomes `(1..3).collect {|num| num.to_s}`.
To find affected code, search the template for `&:`. Replace `…(&:…)` with `…{|i| i.…}`.
Use the following two examples as a guide:
Ruby syntax in 6.2 cloned template:
<% host_param('ssh_authorized_keys').split(',').map(&:strip).each do |ssh_key| -%>
Updated Ruby syntax for Satellite 6.3:
<% host_param('ssh_authorized_keys').split(',').map{ |item| item.strip }.each do |ssh_key| -%>
Ruby syntax in 6.2 cloned template:
nameserver=#{[subnet.dns_primary, subnet.dns_secondary].select(&:present?).join(',')}
Updated Ruby syntax for Satellite 6.3:
nameserver=#{[subnet.dns_primary, subnet.dns_secondary].select{ |item| item.present? }.join(',')}
BZ#1552093
Previously, the templates used "<%= foreman_url %>" to notify Satellite that the build is done. In 6.3, the templates use "<%= foreman_url('built') %>", which explicitly calls the 'built' template.
BZ#1512959
If you plan to manually upgrade from Satellite 6.2 to Satellite 6.3, and if you previously installed the python-pulp-agent-lib package, you must enable the satellite-tools repository to successfully perform the upgrade. This package was moved into the tools repository for Satellite 6.3.
BZ#1560607
Several parameters of the capsule-certs-generate command were changed, and some were added. Those prefixed --capsule were changed to a --foreman-proxy prefix. New parameters prefixed --reset were added to allow commonly-used parameters to be reset to their default values. A --certs-reset parameter was added to reset any custom certificates and use the self-signed CA instead.
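The `&:` search-and-replace described under BZ#1469599 above, as an added Ruby example that is not part of the original release notes or of Satellite itself. The helper names, the `item` block variable and the third sample line are assumptions of this example; anything the one-argument rewrite cannot handle is reported for manual review rather than changed.

```ruby
# Added example (not Satellite code): locate and rewrite the `&:` shorthand
# that cloned 6.2 templates can no longer use after upgrading to 6.3.

# Single-argument shorthand: `(&:name)`, where name may end in ? or !.
SHORTHAND = /\(\s*&:([A-Za-z_]\w*[?!]?)\s*\)/

# Any remaining `&:` (operators such as `&:+`, or `&:` passed after other
# arguments) needs a hand-written block and is only reported.
ANY_TO_PROC = /&:/

# Rewrite `recv.meth(&:name)` to `recv.meth{ |item| item.name }`.
def rewrite_shorthand(template, var: 'item')
  template.gsub(SHORTHAND) { "{ |#{var}| #{var}.#{Regexp.last_match(1)} }" }
end

# Return [line_number, text] pairs for lines that contain `&:`.
def lines_with_to_proc(template)
  template.each_line.with_index(1)
          .select { |line, _no| line.match?(ANY_TO_PROC) }
          .map { |line, no| [no, line.chomp] }
end

# Convert a template and list what is left for manual review.
def convert_template(template)
  converted = rewrite_shorthand(template)
  { before: lines_with_to_proc(template),
    converted: converted,
    manual_review: lines_with_to_proc(converted) }
end

# Constructed sample: the first two lines are the 6.2 examples quoted above,
# the third is a made-up case that the one-argument rewrite must not touch.
SAMPLE_TEMPLATE = <<~'ERB'
  <% host_param('ssh_authorized_keys').split(',').map(&:strip).each do |ssh_key| -%>
  nameserver=#{[subnet.dns_primary, subnet.dns_secondary].select(&:present?).join(',')}
  <%= [1, 2, 3].inject(&:+) %>
ERB

if __FILE__ == $PROGRAM_NAME
  result = convert_template(SAMPLE_TEMPLATE)
  puts result[:converted]
  result[:manual_review].each do |no, text|
    warn "line #{no} needs a manual rewrite: #{text}"
  end
end
```

Run it against an exported copy of each cloned template and review the output before saving it back.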
5.4. Deprecated Functionality
Subscriptions Manager Registration Snippet
In this release, you can no longer use the subscription_manager_registration snippet in a template to enable Satellite Tools repositories. You must configure your repositories to be enabled using an activation key.
Hammer Import Tool
In this release, you can no longer use hammer import functionality. To import hosts, you can use the bootstrap script bootstrap.py. For more information, see Importing Existing Hosts via the Bootstrap Script.
5.5. Known Issues
These known issues exist in Red Hat Satellite 6 at this time.
BZ#1321041
- Known Issue
- Hosts provisioned by Satellite, but not registered, are showing a green icon, indicating they are covered by a subscription. These should show a red icon, indicating they are not covered by a subscription.
BZ#1382090
- Known Issue
- In the Red Hat Subscriptions tab of the user interface, the hyperlinks used in the subscription type "Guests of hypervisor-name" are incorrect and broken. This is due to the hyperlink using the candlepin uuid rather than the host ID.
BZ#1445625
- Known Issue
- On Puppet Forge, some Puppet modules are invalid and cannot sync with Satellite. These invalid Puppet modules cause error messages such as Invalid properties or MissingModulePile. Despite receiving a report of a sync failure, the valid Puppet modules sync from Puppet Forge into Satellite.
BZ#1507848
- Known Issue
- Satellite Installer requires absolute paths. Always provide an absolute path for --certs-tar. For example, /root/new.name-certs.tar. If you run the installer with a relative path, run the installer again with the absolute path and the --scenario parameter to create the last_scenario.yml.
BZ#1518848
- Known Issue
- The command katello-change-hostname creates an error condition when run on Satellite 6.2 during migration and upgrade. This occurs because of a bug in the version of the katello-change-hostname command in the 6.2 release. To avoid this problem, complete the upgrade to Satellite 6.3 before running the katello-change-hostname command.
BZ#1523392
- Known Issue
- Running the ./install_packages command when attempting to set up a disconnected Satellite Server fails and returns NOKEY error.
- Workaround
- For more information, see the KCS Solution at https://access.redhat.com/solutions/3275791
BZ#1538597
- Known Issue
- When using image-based provisioning against VMWare, attempting to add additional storage to the new host returns an error.
BZ#1541002
- Known Issue
- If you try to delete a subnet that is used to provision a machine, instead of receiving a user-friendly error message, you receive a confusing error message:
NoMethodError: undefined method `klass' for nil:NilClass
Did you mean? class
BZ#1541481
- Known Issue
- If you have SELinux enabled, using Kerberos (KRB) keys instead of RSA keys can cause remote execution jobs to fail.
BZ#1541885
For ISO-based disconnected Satellite users
- Known Issue
- The RPM script is missing "--local", which makes it search the internet to install the "oauth" gem. For disconnected Satellites, this is a problem.
- Workaround
- If Puppet 4 is installed, when yum installs packages using the default Puppet 4 repositories, before you run satellite-installer, enter the following command:
/opt/puppetlabs/puppet/bin/gem install --local /usr/share/foreman-installer/gems/oauth-0.5.1.gem
- Workaround
- If you upgrade to Puppet 4, before you enter the --upgrade-puppet command, enter the following commands:
# yum remove -y puppet-server
# yum install puppetserver puppet-agent puppet-agent-oauth
/opt/puppetlabs/puppet/bin/gem install --local /usr/share/foreman-installer/gems/oauth-0.5.1.gem
BZ#1544401
- Known Issue
- Running katello-backup with a relative path for the destination, for example 'katello-backup .', causes an error.
- Workaround
- Run katello-backup with a full path. For example 'katello-backup /backup-destination'.
Chapter 6. Technical Notes
This section contains the summary text for bug fixes and enhancements in Red Hat Satellite errata advisories. The information and procedures in this section are relevant to Red Hat Satellite administrators.
6.1. Red Hat Satellite 6.3.0
This section outlines the errata advisories released for Red Hat Satellite 6.3.0.
6.1.1. RHSA-2018:0336: Important: Satellite 6.3 Release
Information about this advisory is available at https://access.redhat.com/errata/product/250/ver=6.3/rhel---7/x86_64/RHSA-2018:0336.
vulnerability
An integer-overflow flaw was found in V8's Zone class when allocating new memory (Zone::New() and Zone::NewExpand()). An attacker with the ability to manipulate a large zone could crash the application or, potentially, execute arbitrary code with the application privileges.
It was found that ruby will_paginate is vulnerable to an XSS via malformed input that causes pagination to occur on an improper boundary. This could allow an attacker with the ability to pass data to the will_paginate gem to display arbitrary HTML including scripting code within the web interface.
A flaw was found in the provisioning template handling in foreman. An attacker, with permissions to create templates, can cause internal Rails information to be displayed when it is processed, resulting in potentially sensitive information being disclosed.
Pulp makes unsafe use of Bash's $RANDOM to generate an NSS DB password and seed, resulting in insufficient randomness. An attacker could potentially guess the seed used given enough time and compute resources.
It was found that Satellite 6 did not properly enforce access controls on certain resources. An attacker, with access to the API and knowledge of the ID name, can potentially access other resources in other organizations.
A flaw was found in discovery-debug in foreman. An attacker, with permissions to view the debug results, would be able to view the root password associated with that system, potentially allowing them to access it.
It was found that foreman is vulnerable to a stored XSS via a job template with a malformed name. This could allow an attacker with privileges to set the name in a template to display arbitrary HTML including scripting code within the web interface.
It was found that foreman is vulnerable to a stored XSS via an organization or location name. This could allow an attacker with privileges to set the organization or location name to display arbitrary HTML including scripting code within the web interface.
A flaw was found in katello-debug where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
It was found that the hammer_cli command line client disables SSL/TLS certificate verification by default. A man-in-the-middle (MITM) attacker could use this flaw to spoof a valid certificate.
A flaw was found in foreman's logging during the adding or registering of images. An attacker with access to the foreman log file would be able to view passwords for provisioned systems in the log file, allowing them to access those systems.
It was found that foreman in Satellite 6 did not properly enforce access controls on certain resources. An attacker with access to the API and knowledge of the resource name can access resources in other organizations.
It was found that the private CA key was created in a directory that is world-readable for a small amount of time. A local user could possibly use this flaw to gain access to the private key information in the file.
A flaw was found in foreman's handling of template previews. An attacker with permissions to preview host templates can access the template preview for any host if they are able to guess the host name, disclosing potentially sensitive information.
A flaw was found in foreman-debug's logging. An attacker with access to the foreman log file would be able to view passwords, allowing them to access those systems.
6.1.2. RHBA-2018:0337: Satellite 6.3 Libraries
Information about this advisory is available at https://access.redhat.com/errata/RHBA-2018:0337.html.
6.1.3. RHBA-2018:0338: Satellite 6.3 Tools Release
Information about this advisory is available at https://access.redhat.com/errata/RHBA-2018:0338.html.
katello-agent
Under certain conditions, build 19 of the dispatch router can terminate unexpectedly with a segmentation fault. The memory management has been improved to prevent this happening.
You can now manage clients without goferd. This limits the host management functionality only to uploading the package profile after installing, removing, updating packages, and triggering the Satellite tasks such as the applicable errata.
When repeatedly installing and removing a package on the same Content Host, goferd accumulates memory over time. This has been fixed by locally settling down received messages in qpid-proton library.
Reinstalling katello-ca-consumer on a RHEL 7 Content Host did not restart goferd service. Consequently, katello agent did not reconnect to Satellite. This is now fixed.
Restarting the agent on the client forced package applicability calculations which were not necessary. This case has been fixed.
Updating katello-agent did not update dependencies. This is now fixed.
While pushing Errata using the Web UI and katello-agent, goferd terminated with a segmentation fault on some clients. This is now fixed.
Several memory usage bugs in goferd and qpid have been resolved.
When removing katello-ca-consumer RPM, the backup of /etc/rhsm/rhsm.conf was not restored. This is now fixed.
Several memory leaks have been fixed in the qpid dispatch router.
Hypervisor names reported by virt-who are now validated on input.
When qdrouterd was not accessible, the goferd process had a memory leak and goferd terminated unexpectedly. This is now fixed.
After installing 'katello-hosts-tools' and running the Puppet agent, enabled_repos_upload sent output to stdout after all of the 'yum check-update' had output their data. This caused errors for the Puppet agent on the client.
Qpid
During scaling testing of content hosts, qpid consumed huge amounts of memory. This is now fixed.
Previously, Satellite had a hard limit of 64k Content Hosts that can run katello agent. The Qpid Dispatch Router has been improved to remove this limit.
When pausing a Satellite in a VM, any goferd client on a machine registered to a Capsule failed to connect to the Capsule and logged “qd:no-route-to-dest” error. The error persisted after qdrouterd on the Satellite resumed. The qpid dispatch router has been improved to unmap all addresses in a more reliable way.
During scale testing, qdrouterd experienced segmentation faults in libqpid.so. This is now fixed.
qdrouterd on Capsule Server was deadlocked and did not react to commands to kill the process. This is now fixed.
When several goferd client connections tried to use qdrouterd on Satellite to link to qpidd, qdrouterd experienced a segmentation fault. This is now fixed.
During an upgrade, the qpidd user could not access or read the /etc/pki/katello/nssdb/nss_db_password-file file. The qpidd broker attempted to restart, which caused a segmentation fault.
The 'hammer host-collection erratum install' installation failed with a sub-task error. With the latest update to qpid, this is now fixed.