RedHat: RHSA-2019-0796:01 Important: CloudForms 4.7.3 security,

    Date: 22 Apr 2019
    Category: Red Hat
    Posted by: LinuxSecurity Advisories
    An update is now available for CloudForms Management Engine 5.10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Important: CloudForms 4.7.3 security, bug fix and enhancement update
    Advisory ID:       RHSA-2019:0796-01
    Product:           Red Hat CloudForms
    Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0796
    Issue date:        2019-04-23
    Cross references:  RHBA-2019:40153
    CVE Names:         CVE-2019-5418 CVE-2019-5419 
    =====================================================================
    
    1. Summary:
    
    An update is now available for CloudForms Management Engine 5.10.
    
    Red Hat Product Security has rated this update as having a security impact
    of Important. A Common Vulnerability Scoring System (CVSS) base score,
    which gives a detailed severity rating, is available for each vulnerability
    from the CVE link(s) in the References section.
    
    2. Relevant releases/architectures:
    
    CloudForms Management Engine 5.10 - x86_64
    
    3. Description:
    
    Red Hat CloudForms Management Engine delivers the insight, control, and
    automation needed to address the challenges of managing virtual
    environments. CloudForms Management Engine is built on Ruby on Rails, a
    model-view-controller (MVC) framework for web application development.
    Action Pack implements the controller and the view components.
    
    Security Fix(es):
    
    * rubygem-actionpack: render file directory traversal in Action View
    (CVE-2019-5418)
    
    * rubygem-actionpack: denial of service vulnerability in Action View
    (CVE-2019-5419)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, and other related information, refer to the CVE page(s) listed in
    the References section.
    
    Additional Changes:
    
    This update fixes various bugs and adds enhancements. Documentation for
    these changes is available from the Release Notes document linked to in the
    References section.
    
    4. Solution:
    
    For details on how to apply this update, which includes the changes
    described in this advisory, refer to:
    
    https://access.redhat.com/articles/11258
    
    If the postgresql service is running, it will be automatically restarted
    after installing this update. After installing the updated packages, the
    httpd daemon will be restarted automatically.
    
    5. Bugs fixed (https://bugzilla.redhat.com/):
    
    1678385 - [v2v][OSP][RHV] Migrating over SSH and VDDK transformation method with names containing spaces such as `rhel 7`, fails to migrate
    1680959 - The displayed elapsed time in the service is wrong
    1686045 - [RFE] Add ability to Download Wrapper Logs from UI
    1686902 - Default worker memory settings in the WebUI are incorrect and do not match the actual configured memory settings
    1688937 - proxy timeout loading list of services post update
    1689159 - CVE-2019-5418 rubygem-actionpack: render file directory traversal in Action View
    1689160 - CVE-2019-5419 rubygem-actionpack: denial of service vulnerability in Action View
    1693714 - [RFE] Add support for including optional flavor and security group fields in CSV file for OSP migration plans
    1693718 - [RFE] TransformationMapping: API for adding mapping item
    1693719 - User and group values of a report are not honored when importing the report
    1693720 - role with all Product Features checked, throws RbacPrivilegeException
    1693721 - C&U: Missing memory utilization graphs for ec2 availability zones
    1693722 - Warn when custom attributes contain spaces in their names - they will not work properly in all of reporting
    1693727 - Text attachment generation fails for custom report
    1693728 - Unable to schedule an NFS or Samba Database Backup in CloudForms 5.10
    1693729 - [RFE]UI changes to "Download Logs" list and "Detect Provider Changes"
    1693730 - Clicking on Network -> Topology Produces Error 500 Internal Server Error
    1693731 - [v2v][RHV][UI] Infrastructure mapping page is broken
    1693740 - [VMware] Publish to template and clone VM operations cannot be performed as UI goes blank
    1693741 - [V2V] [RFE] Ability to filter VMs from VMware folders
    1693743 - [RFE] Vertical menu fixes and other enhancements for v2v UI
    1693745 - [RFE] RHV conversion hosts warning depends on CF tags, should use /api/conversion_hosts instead
    1693746 - [RFE] Add new throttling option to the UI for "Maximum concurrent migrations per provider"
    1693747 - [RFE]v2v - Enhanced Error Reporting in UI from virt-v2v logs
    1693748 - Appliance console shows incorrect region id
    1693749 - Cannot access child services from the My Services summary screens
    1693757 - [RFE] possibility to hide Red Hat CloudForms Engine text in top left Corner of OPs and SUI
    1693817 - Errors when submitting VM action from global region
    1694190 - [v2v][OSP] Migration stuck in refresh inventory state when we migrate via SSH transformation method
    1694798 - [RFE] Provide detailed info regarding why clusters/datastores/networks are missing
    1695626 - Remove the deprecated "Discover Cloud Providers" option from CloudForms UI
    1695627 - Retiring an embedded Ansible service always retires the service resources
    1695628 - [RFE] Metrics for memory usage of AWS instances needs to be collected from CloudWatch new Agent
    1695629 - Deleting a disk from a VM in RHV fails in CFME
    1695631 - [RFE] Unable to Utilize Tenancy With Central Admin
    1695897 - State machine for Vm Retirement is using the old values
    1696362 - Different syntax by Service Request in Master region
    1696419 - [v2v] Edit Migration plan shows VM status incorrect
    1696421 - [v2v] : Migration shows blank page if provider is removed from CFME
    1696422 - [RFE]UI change: Migration Plans screen breadcrumbs
    1696456 - v2v job polling interval and timeout values updated
    1696841 - CloudForms allow user to submit disk size change when snapshots are attached
    1698586 - Dynamic Dialogs no longer function
    
    6. Package List:
    
    CloudForms Management Engine 5.10:
    
    Source:
    ansible-tower-3.4.3-1.el7at.src.rpm
    cfme-5.10.3.3-1.el7cf.src.rpm
    cfme-amazon-smartstate-5.10.3.3-1.el7cf.src.rpm
    cfme-appliance-5.10.3.3-1.el7cf.src.rpm
    cfme-gemset-5.10.3.3-1.el7cf.src.rpm
    
    x86_64:
    ansible-tower-3.4.3-1.el7at.x86_64.rpm
    ansible-tower-server-3.4.3-1.el7at.x86_64.rpm
    ansible-tower-setup-3.4.3-1.el7at.x86_64.rpm
    ansible-tower-ui-3.4.3-1.el7at.x86_64.rpm
    ansible-tower-venv-ansible-3.4.3-1.el7at.x86_64.rpm
    ansible-tower-venv-tower-3.4.3-1.el7at.x86_64.rpm
    cfme-5.10.3.3-1.el7cf.x86_64.rpm
    cfme-amazon-smartstate-5.10.3.3-1.el7cf.x86_64.rpm
    cfme-appliance-5.10.3.3-1.el7cf.x86_64.rpm
    cfme-appliance-common-5.10.3.3-1.el7cf.x86_64.rpm
    cfme-appliance-debuginfo-5.10.3.3-1.el7cf.x86_64.rpm
    cfme-appliance-tools-5.10.3.3-1.el7cf.x86_64.rpm
    cfme-debuginfo-5.10.3.3-1.el7cf.x86_64.rpm
    cfme-gemset-5.10.3.3-1.el7cf.x86_64.rpm
    cfme-gemset-debuginfo-5.10.3.3-1.el7cf.x86_64.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/
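An added check, not part of the Red Hat advisory: a shell script that compares the installed CloudForms and Ansible Tower RPMs against the version-release values in the package list above, so an administrator can confirm the fixed level is actually in place after the update. It assumes a RHEL 7 appliance with rpm and GNU sort available; the package names and fixed versions are those from section 6.

```bash
#!/bin/bash
# Added example, not part of RHSA-2019:0796: report whether the installed
# CloudForms / Ansible Tower RPMs are at or above the versions this advisory
# ships. Package names and version-release strings are taken from section 6.

# NAME VERSION-RELEASE pairs, one per line (from the advisory's x86_64 list).
FIXED='cfme 5.10.3.3-1.el7cf
cfme-appliance 5.10.3.3-1.el7cf
cfme-gemset 5.10.3.3-1.el7cf
ansible-tower 3.4.3-1.el7at'

# version_ge INSTALLED FIXED: succeed when INSTALLED >= FIXED.
# GNU "sort -V" orders the dotted numeric versions used here correctly, but
# it is not rpmvercmp (no epoch, tilde or caret handling): a quick check only.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# check_package NAME FIXED: query rpm, print a verdict, fail if below FIXED.
check_package() {
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null) \
        || { echo "$1: not installed"; return 0; }
    inst=$(printf '%s\n' "$inst" | head -n 1)   # first one if several installed
    if version_ge "$inst" "$2"; then
        echo "$1: $inst OK"
    else
        echo "$1: $inst BELOW FIX LEVEL (need >= $2)"
        return 1
    fi
}

# check_all: run check_package over every FIXED entry; fail if any is low.
check_all() {
    rc=0
    while read -r name fixed; do
        [ -n "$name" ] || continue
        check_package "$name" "$fixed" || rc=1
    done <<EOF
$FIXED
EOF
    return "$rc"
}

if command -v rpm >/dev/null 2>&1; then
    check_all || echo "RESULT: at least one package is below the RHSA-2019:0796 level"
else
    echo "rpm not found: run this on the CloudForms appliance"
fi
```

A package reported as "not installed" is simply absent from that appliance (for example ansible-tower on a host without the embedded Tower), not a finding.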
    
    7. References:
    
    https://access.redhat.com/security/cve/CVE-2019-5418
    https://access.redhat.com/security/cve/CVE-2019-5419
    https://access.redhat.com/security/updates/classification/#important
    https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.7/html/release_notes
    
    8. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2019 Red Hat, Inc.
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce
