Explore top 10 tips to secure your open-source projects now. Read More
×
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Security Fix(es):
* rubygem-sprockets: Path traversal in forbidden_request?() can allow
remote attackers to read arbitrary files (CVE-2018-3760)
* cfme: Improper access control in dRuby allows local users to execute
arbitrary commands as root (CVE-2018-10905)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
Red Hat would like to thank Stephen Gappinger (American Express) for
reporting CVE-2018-10905.
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.
https://access.redhat.com/security/cve/CVE-2018-3760 https://access.redhat.com/security/cve/CVE-2018-10905 https://access.redhat.com/security/updates/classification#important
CloudForms Management Engine 5.8:
Source:
cfme-5.8.5.1-1.el7cf.src.rpm
cfme-appliance-5.8.5.1-1.el7cf.src.rpm
cfme-gemset-5.8.5.1-1.el7cf.src.rpm
rh-postgresql95-postgresql-pglogical-1.2.1-2.el7cf.src.rpm
x86_64:
ansible-tower-server-3.1.8-1.el7at.x86_64.rpm
ansible-tower-setup-3.1.8-1.el7at.x86_64.rpm
cfme-5.8.5.1-1.el7cf.x86_64.rpm
cfme-appliance-5.8.5.1-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.8.5.1-1.el7cf.x86_64.rpm
cfme-debuginfo-5.8.5.1-1.el7cf.x86_64.rpm
cfme-gemset-5.8.5.1-1.el7cf.x86_64.rpm
rh-postgresql95-postgresql-pglogical-1.2.1-2.el7cf.x86_64.rpm
rh-postgresql95-postgresql-pglogical-debuginfo-1.2.1-2.el7cf.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key
An update is now available for CloudForms Management Engine 5.8.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
CloudForms Management Engine 5.8 - x86_64
1586214 - Notification events are out of order
1590761 - active ansible services are not displaying details on selection
1591443 - [Embedded Ansible] Service Details Page has duplicate tabs
1593058 - CVE-2018-3760 rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files
1593353 - Can't edit selected router at the Networks -> Network Routers page
1593678 - Chargeback scheduled report for the current month shows double rates and values as compared to previous one
1593798 - Lifecycle VM Provision and Publish VM to Template Unusable/Slow
1593914 - Storage profiles causing refresh to exceed 30+ minutes
1594008 - Provisioning to RHV 4.1 Max Memory Size Needs to be Adjusted as Necesary
1594028 - reports do not generate with timeout errors in logs
1594326 - Must Refresh UI to see Correct Tags of Datastore of vCenter VMware Provider
1594387 - Unable to download largest chargeback report on production
1595457 - Wrong Platform Attribute for OpenStack Provisioned Instance Showing Windows instead of Linux
1595462 - During metrics collection for a VMWare provider, SOAP exception occurs during queryAvailablePerfMetric for non-existent VM
1595771 - OSPD 13 Undercloud - Infrastructure Provider Credential validation Failed
1596336 - [Regression] GCE provider refresh fails in CFME 5.9
Get the latest Linux and open source security news straight to your inbox.