Alerts This Week
Warning Icon 1 770
Alerts This Week
Warning Icon 1 770

Red Hat CloudForms Moderate Advisory: RHSA-2018:3466-01 - Security Update

red hat
Calendar Grey November 5, 2018
Dist Redhat Esm H88
Ubuntu releases a substantial security patch for OpenStack 18.4.2 focusing on significant vulnerabilities and errors.
An update is now available for CloudForms Management Engine 5.9

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
Security Fix(es):
* rubyzip: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file (CVE-2018-1000544)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.

Topics%20covered

Topics Covered

security advisory software update bug fix moderate update Ruby on Rails arbitrary file write CloudForms

References

https://access.redhat.com/security/cve/CVE-2018-1000544 https://access.redhat.com/security/updates/classification#moderate

Package List

CloudForms Management Engine 5.9:
Source: ansible-tower-3.2.7-1.el7at.src.rpm cfme-5.9.5.3-1.el7cf.src.rpm cfme-amazon-smartstate-5.9.5.3-1.el7cf.src.rpm cfme-appliance-5.9.5.3-1.el7cf.src.rpm cfme-gemset-5.9.5.3-1.el7cf.src.rpm
x86_64: ansible-tower-3.2.7-1.el7at.x86_64.rpm ansible-tower-server-3.2.7-1.el7at.x86_64.rpm ansible-tower-setup-3.2.7-1.el7at.x86_64.rpm ansible-tower-ui-3.2.7-1.el7at.x86_64.rpm ansible-tower-venv-ansible-3.2.7-1.el7at.x86_64.rpm ansible-tower-venv-tower-3.2.7-1.el7at.x86_64.rpm cfme-5.9.5.3-1.el7cf.x86_64.rpm cfme-amazon-smartstate-5.9.5.3-1.el7cf.x86_64.rpm cfme-appliance-5.9.5.3-1.el7cf.x86_64.rpm cfme-appliance-common-5.9.5.3-1.el7cf.x86_64.rpm cfme-appliance-debuginfo-5.9.5.3-1.el7cf.x86_64.rpm cfme-appliance-tools-5.9.5.3-1.el7cf.x86_64.rpm cfme-debuginfo-5.9.5.3-1.el7cf.x86_64.rpm cfme-gemset-5.9.5.3-1.el7cf.x86_64.rpm cfme-gemset-debuginfo-5.9.5.3-1.el7cf.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key


Advisory ID: RHSA-2018:3466-01
Product: Red Hat CloudForms
Advisory URL: https://access.redhat.com/errata/RHSA-2018:3466
Issue date: 2018-11-05
Cross references: RHSA-2018:2561

Topic

An update is now available for CloudForms Management Engine 5.9.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory software update bug fix moderate update Ruby on Rails arbitrary file write CloudForms

Relevant Releases Architectures

CloudForms Management Engine 5.9 - x86_64

Bugs Fixed

1592571 - Service Dialog Editor localization in French Incomplete

1593001 - CVE-2018-1000544 rubyzip: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file

1599349 - API with an invalid zone name kill the appliance

1603026 - Vim Performance States Table Causing Region to Lock up During a Vacuum

1607409 - The remote_ws_url value does not failover if the appliance is stopped, so "api_url" can be incorrect in an Ansible playbook

1607438 - Alerts do not trigger and do not send email notification

1608368 - Ansible Jobs Causing State Machine to Fail due to Inactivity Threshold Exceeding 0

1608770 - custom buttom page empty

1612905 - internal server error when cloud_tenants or flavors subcollection is requested on infra provider

1613333 - Couldn't find EmsFolder with 'id'

1613420 - OpenStack deletion gives problem

1615465 - Using database wildcard `%25` in VM queries causes exception, returns 500 to client

1618800 - Open URL Does Not Work When Using a DIalog with a Button

1618805 - CloudForms tries to collect metrics from OCP despite not being configured for it

1618807 - [RFE] Restore VM ownership and retirement during migration

1618808 - Migrations linking jobs and miq_tasks could take long time when upgrading to 5.9

1619431 - [v2v] Network Missing in Infra Mapping

1619654 - [v2v] Schedule Unschedule Migration does not seem to work correctly

1621441 - Change VMware URI to connect directly to ESXi

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here