Issued:

2018-02-05

Updated:

2018-02-05

RHSA-2018:0273 - Important: Red Hat Satellite 6 security, bug fix, and enhancement update

Synopsis

Important: Red Hat Satellite 6 security, bug fix, and enhancement update

Type/Severity

Security Advisory Important

Topic

An update is now available for Red Hat Satellite 6.2 for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

[Updated 06 Feb 2018] This advisory has been updated with the correct solution. The packages included in this revised update have not been changed in any way from the packages included in the original advisory.

Description

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too.

Security Fix(es):

• It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-1000111)

Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.

This update fixes the following bugs:

• Upgrades from Satellite 6.2 to Satellite 6.3 were failing due to the use of certificates with custom authorities. These upgrade paths now work. (BZ#1523880, BZ#1527963)

• Additional tooling is provided to support data validation when upgrading from Satellite 6.2 to Satellite 6.3. (BZ#1519904)

• Several memory usage bugs in goferd and qpid have been resolved. (BZ#1319165, BZ#1318015, BZ#1492355, BZ#1491160, BZ#1440235)

• The performance of Puppet reporting and errata applicability has been improved. (BZ#1465146, BZ#1482204)

• Upgrading from 6.2.10 to 6.2.11 without correctly stopping services can cause the upgrade to fail on removing qpid data. This case is now handled properly. (BZ#1482539)

• The cipher suites for the Puppet server can now be configured by the installation process. (BZ#1491363)

• The default cipher suite for the Apache server is now more secure by default. (BZ#1467434)

• The Pulp server contained in Satellite has been enhanced to better handle concurrent processing of errata applicability for a single host and syncing Puppet repositories. (BZ#1515195, BZ#1421594)

• VDC subscriptions create guest pools which are for a single host only. Administrators were attaching these pools to activation keys which was incorrect. The ability to do this has been disabled. (BZ#1369189)

• Satellite was not susceptible to RHSA-2016:1978 but security scanners would incorrectly flag this as an issue. The package from this errata is now delivered in the Satellite channel to avoid these false positives. (BZ#1497337)

• OpenScap report parsing resulted in a memory leak. This leak has been fixed. (BZ#1454743)

• The validation on the length of names for docker containers and repositories was too restrictive. Names can now be longer. (BZ#1424689)

Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update this system to include these fixes, ensure your system has access to the latest Red Hat packages, then execute the following steps.

If you are on a self-registered Satellite, download all packages before stopping Satellite Server:

yum update --downloadonly

Stop Katello services:

katello-service stop

Update all packages:

yum update

Perform the update:

satellite-installer --upgrade

For detailed instructions how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html/installation_guide/updating_satellite_server_capsule_server_and_content_hosts

Affected Products

Updated Packages

• katello-capsule-3.0.0-33.el7sat.noarch.rpm
• katello-installer-base-3.0.0.101-1.el7sat.noarch.rpm
• python-pulp-puppet-common-2.8.7.2-1.el6sat.noarch.rpm
• foreman-installer-katello-3.0.0.101-1.el7sat.noarch.rpm
• satellite-6.2.14-4.0.el6sat.noarch.rpm
• satellite-cli-6.2.14-4.0.el6sat.noarch.rpm
• satellite-debug-tools-6.2.14-4.0.el7sat.noarch.rpm
• rubygem-smart_proxy_openscap-0.5.3.9-2.el7sat.noarch.rpm
• python-pulp-common-2.8.7.18-1.el7sat.noarch.rpm
• qpid-proton-c-0.9-21.el6.x86_64.rpm
• libqpid-dispatch-0.4-27.el6sat.x86_64.rpm
• katello-installer-base-3.0.0.101-1.el6sat.noarch.rpm
• qpid-dispatch-tools-0.4-27.el6sat.x86_64.rpm
• pulp-server-2.8.7.18-1.el7sat.noarch.rpm
• candlepin-0.9.54.26-1.el6.src.rpm
• pulp-nodes-common-2.8.7.18-1.el6sat.noarch.rpm
• katello-common-3.0.0-33.el7sat.noarch.rpm
• python-pulp-agent-lib-2.8.7.18-1.el6sat.noarch.rpm
• foreman-gce-1.11.0.86-1.el7sat.noarch.rpm
• candlepin-0.9.54.26-1.el7.src.rpm
• python-pulp-common-2.8.7.18-1.el6sat.noarch.rpm
• pulp-puppet-2.8.7.2-1.el6sat.src.rpm
• tfm-rubygem-foreman_theme_satellite-0.1.47.2-1.el7sat.src.rpm
• python-twisted-web-12.1.0-5.el7_2.x86_64.rpm
• foreman-installer-1.11.0.18-1.el6sat.noarch.rpm
• katello-3.0.0-33.el6sat.noarch.rpm
• pulp-admin-client-2.8.7.18-1.el6sat.noarch.rpm
• pulp-puppet-plugins-2.8.7.2-1.el7sat.noarch.rpm
• foreman-ovirt-1.11.0.86-1.el6sat.noarch.rpm
• qpid-dispatch-debuginfo-0.4-27.el7sat.x86_64.rpm
• foreman-rackspace-1.11.0.86-1.el6sat.noarch.rpm
• tfm-rubygem-katello-3.0.0.162-1.el7sat.noarch.rpm
• python-pulp-repoauth-2.8.7.18-1.el7sat.noarch.rpm
• python-qpid-proton-0.9-21.el7.x86_64.rpm
• candlepin-0.9.54.26-1.el6.noarch.rpm
• tfm-rubygem-foreman_theme_satellite-0.1.47.2-1.el6sat.src.rpm
• python-pulp-oid_validation-2.8.7.18-1.el7sat.noarch.rpm
• qpid-dispatch-tools-0.4-27.el7sat.x86_64.rpm
• satellite-6.2.14-4.0.el7sat.src.rpm
• foreman-libvirt-1.11.0.86-1.el6sat.noarch.rpm
• katello-installer-base-3.0.0.101-1.el7sat.src.rpm
• katello-3.0.0-33.el7sat.src.rpm
• qpid-proton-debuginfo-0.9-21.el6.x86_64.rpm
• foreman-rackspace-1.11.0.86-1.el7sat.noarch.rpm
• satellite-cli-6.2.14-4.0.el7sat.noarch.rpm
• katello-3.0.0-33.el7sat.noarch.rpm
• foreman-ec2-1.11.0.86-1.el7sat.noarch.rpm
• libqpid-dispatch-0.4-27.el7sat.x86_64.rpm
• pulp-puppet-admin-extensions-2.8.7.2-1.el6sat.noarch.rpm
• candlepin-0.9.54.26-1.el7.noarch.rpm
• pulp-nodes-parent-2.8.7.18-1.el7sat.noarch.rpm
• tfm-rubygem-foreman_theme_satellite-0.1.47.2-1.el6sat.noarch.rpm
• katello-installer-base-3.0.0.101-1.el6sat.src.rpm
• python-twisted-web-12.1.0-5.el7_2.src.rpm
• pulp-selinux-2.8.7.18-1.el7sat.noarch.rpm
• qpid-dispatch-0.4-27.el6sat.src.rpm
• qpid-proton-c-0.9-21.el7.x86_64.rpm
• foreman-postgresql-1.11.0.86-1.el7sat.noarch.rpm
• pulp-nodes-child-2.8.7.18-1.el6sat.noarch.rpm
• satellite-debug-tools-6.2.14-4.0.el6sat.noarch.rpm
• python-pulp-oid_validation-2.8.7.18-1.el6sat.noarch.rpm
• satellite-6.2.14-4.0.el7sat.noarch.rpm
• foreman-1.11.0.86-1.el7sat.noarch.rpm
• foreman-installer-1.11.0.18-1.el7sat.noarch.rpm
• pulp-selinux-2.8.7.18-1.el6sat.noarch.rpm
• katello-debug-3.0.0-33.el7sat.noarch.rpm
• foreman-installer-1.11.0.18-1.el7sat.src.rpm
• qpid-dispatch-router-0.4-27.el7sat.x86_64.rpm
• pulp-2.8.7.18-1.el7sat.src.rpm
• foreman-1.11.0.86-1.el6sat.src.rpm
• foreman-openstack-1.11.0.86-1.el6sat.noarch.rpm
• katello-3.0.0-33.el6sat.src.rpm
• rubygem-smart_proxy_openscap-0.5.3.9-2.el6sat.src.rpm
• rubygem-smart_proxy_openscap-0.5.3.9-2.el7sat.src.rpm
• katello-debug-3.0.0-33.el6sat.noarch.rpm
• foreman-debug-1.11.0.86-1.el6sat.noarch.rpm
• foreman-gce-1.11.0.86-1.el6sat.noarch.rpm
• pulp-puppet-tools-2.8.7.2-1.el6sat.noarch.rpm
• python-pulp-streamer-2.8.7.18-1.el7sat.noarch.rpm
• foreman-ovirt-1.11.0.86-1.el7sat.noarch.rpm
• qpid-dispatch-0.4-27.el7sat.src.rpm
• qpid-proton-debuginfo-0.9-21.el7.x86_64.rpm
• pulp-nodes-child-2.8.7.18-1.el7sat.noarch.rpm
• satellite-capsule-6.2.14-4.0.el6sat.noarch.rpm
• pulp-puppet-tools-2.8.7.2-1.el7sat.noarch.rpm
• foreman-openstack-1.11.0.86-1.el7sat.noarch.rpm
• foreman-1.11.0.86-1.el6sat.noarch.rpm
• foreman-vmware-1.11.0.86-1.el7sat.noarch.rpm
• pulp-nodes-parent-2.8.7.18-1.el6sat.noarch.rpm
• pulp-admin-client-2.8.7.18-1.el7sat.noarch.rpm
• tfm-rubygem-foreman_theme_satellite-0.1.47.2-1.el7sat.noarch.rpm
• pulp-2.8.7.18-1.el6sat.src.rpm
• katello-service-3.0.0-33.el6sat.noarch.rpm
• foreman-compute-1.11.0.86-1.el7sat.noarch.rpm
• satellite-capsule-6.2.14-4.0.el7sat.noarch.rpm
• tfm-rubygem-katello_ostree-3.0.0.162-1.el7sat.noarch.rpm
• foreman-installer-katello-3.0.0.101-1.el6sat.noarch.rpm
• foreman-postgresql-1.11.0.86-1.el6sat.noarch.rpm
• python-pulp-agent-lib-2.8.7.18-1.el7sat.noarch.rpm
• foreman-installer-1.11.0.18-1.el6sat.src.rpm
• foreman-ec2-1.11.0.86-1.el6sat.noarch.rpm
• katello-capsule-3.0.0-33.el6sat.noarch.rpm
• qpid-proton-0.9-21.el6.src.rpm
• foreman-compute-1.11.0.86-1.el6sat.noarch.rpm
• foreman-1.11.0.86-1.el7sat.src.rpm
• python-pulp-client-lib-2.8.7.18-1.el7sat.noarch.rpm
• python-qpid-proton-0.9-21.el6.x86_64.rpm
• python-pulp-client-lib-2.8.7.18-1.el6sat.noarch.rpm
• candlepin-selinux-0.9.54.26-1.el6.noarch.rpm
• qpid-dispatch-router-0.4-27.el6sat.x86_64.rpm
• candlepin-selinux-0.9.54.26-1.el7.noarch.rpm
• pulp-server-2.8.7.18-1.el6sat.noarch.rpm
• satellite-6.2.14-4.0.el6sat.src.rpm
• foreman-vmware-1.11.0.86-1.el6sat.noarch.rpm
• python-pulp-streamer-2.8.7.18-1.el6sat.noarch.rpm
• foreman-debug-1.11.0.86-1.el7sat.noarch.rpm
• katello-service-3.0.0-33.el7sat.noarch.rpm
• foreman-libvirt-1.11.0.86-1.el7sat.noarch.rpm
• pulp-nodes-common-2.8.7.18-1.el7sat.noarch.rpm
• katello-common-3.0.0-33.el6sat.noarch.rpm
• pulp-puppet-2.8.7.2-1.el7sat.src.rpm
• tfm-rubygem-katello-3.0.0.162-1.el6sat.noarch.rpm
• tfm-rubygem-katello-3.0.0.162-1.el7sat.src.rpm
• qpid-proton-0.9-21.el7.src.rpm
• qpid-dispatch-debuginfo-0.4-27.el6sat.x86_64.rpm
• python-pulp-repoauth-2.8.7.18-1.el6sat.noarch.rpm
• python-pulp-puppet-common-2.8.7.2-1.el7sat.noarch.rpm
• tfm-rubygem-katello-3.0.0.162-1.el6sat.src.rpm
• python-pulp-bindings-2.8.7.18-1.el6sat.noarch.rpm
• pulp-puppet-admin-extensions-2.8.7.2-1.el7sat.noarch.rpm
• rubygem-smart_proxy_openscap-0.5.3.9-2.el6sat.noarch.rpm
• python-pulp-bindings-2.8.7.18-1.el7sat.noarch.rpm
• pulp-puppet-plugins-2.8.7.2-1.el6sat.noarch.rpm

Fixes

• This content is not included.BZ - 1319165
• This content is not included.BZ - 1357345
• This content is not included.BZ - 1369189
• This content is not included.BZ - 1421594
• This content is not included.BZ - 1424689
• This content is not included.BZ - 1440235
• This content is not included.BZ - 1454743
• This content is not included.BZ - 1465146
• This content is not included.BZ - 1482204
• This content is not included.BZ - 1482539
• This content is not included.BZ - 1491160
• This content is not included.BZ - 1491363
• This content is not included.BZ - 1492355
• This content is not included.BZ - 1497337
• This content is not included.BZ - 1515195
• This content is not included.BZ - 1519904
• This content is not included.BZ - 1531609

CVEs

• CVE-2016-1000111

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/security/cve/CVE-2016-1000111

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.