Moderate: Red Hat Network Satellite Server security update
| Advisory: | RHSA-2007:0868-2 |
|---|---|
| Type: | Security Advisory |
| Severity: | Moderate |
| Issued on: | 2007-08-29 |
| Last updated on: | 2007-08-29 |
| Affected Products: | Red Hat Network Satellite (v. 5.0 for RHEL 4) |
| CVEs (cve.mitre.org): | CVE-2007-4132 |
Details
Red Hat Network Satellite Server version 5.0.1 is now available. It fixes
a security issue in version 5.0.0.
This update has been rated as having moderate security impact by the Red
Hat Security Response Team.
During an internal code audit, a flaw was found in an unused back-end
XMLRPC handler first added to Red Hat Network Satellite Server 5.0.0. A
remote attacker with valid authentication credentials who was able to
connect to a Satellite Server could use this flaw to execute arbitrary code
on the server as the 'apache' user. (CVE-2007-4132)
Users of Red Hat Network Satellite Server 5.0.0 are advised to upgrade to
5.0.1 which removes the unused, vulnerable handler.
Note: This issue did not affect the hosted version of Red Hat Network or
versions of Red Hat Network Satellite Server prior to 5.0.0.
Solution
Details on how to use Red Hat Network to apply this update are available at
http://www.redhat.com/docs/manuals/satellite/Red_Hat_Network_Satellite-5.0.0/html/Installation_Guide/s1-maintenance-update.html
Updated packages
Red Hat Network Satellite (v. 5.0 for RHEL 4), IA-32:

| Package | File outdated by | MD5 |
|---|---|---|
| rhns-5.0.1-10.noarch.rpm | RHBA-2008:1005 | 9a027fe9d40ac1cc35af2a213f10d099 |
| rhns-app-5.0.1-10.noarch.rpm | RHBA-2008:1005 | bc7aa5f6ac0012a10dbb5df0c0c48c63 |
| rhns-applet-5.0.1-10.noarch.rpm | RHBA-2008:1005 | 5214a2beb09c92ae093e6fe3e13f0adb |
| rhns-config-files-5.0.1-10.noarch.rpm | RHBA-2008:1005 | 640fc6dcb2c14160726a1ab41bc798d9 |
| rhns-config-files-common-5.0.1-10.noarch.rpm | RHBA-2008:1005 | 517d864248a1a0e5868901e3c025e2c0 |
| rhns-config-files-tool-5.0.1-10.noarch.rpm | RHBA-2008:1005 | 3482b8f97ae7ba65b1fba92cd530bd14 |
| rhns-package-push-server-5.0.1-10.noarch.rpm | RHBA-2008:1005 | 7cffc4e22e90969b2a515d69601379bd |
| rhns-satellite-tools-5.0.1-10.noarch.rpm | RHBA-2008:1005 | b421d5c0f136b18cf39df6f93b652c97 |
| rhns-server-5.0.1-10.noarch.rpm | RHBA-2008:1005 | 3b9d36bdcd530d25dabc1ccac36d87de |
| rhns-sql-5.0.1-10.noarch.rpm | RHBA-2008:1005 | d0a40978f7534d4fb81ead1109962685 |
| rhns-xml-export-libs-5.0.1-10.noarch.rpm | RHBA-2008:1005 | 17f3fa0cf68686b63d4b207273a0522a |
| rhns-xmlrpc-5.0.1-10.noarch.rpm | RHBA-2008:1005 | c26234def2cd023d6304b0c8a1b612b4 |
| rhns-xp-5.0.1-10.noarch.rpm | RHBA-2008:1005 | 0cf2aa7b700c885c2fcf64305fb1972e |

(The unlinked packages above are only available from the Red Hat Network)
Bugs fixed (see bugzilla for more information)
253239 - CVE-2007-4132 RHN Satellite xmlrpc flaw
References
http://www.redhat.com/security/updates/classification/#moderate
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package
The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/