Security Advisory Important: Subscription Asset Manager 1.4 security update

Advisory: RHSA-2014:1863-1
Type: Security Advisory
Severity: Important
Issued on: 2014-11-17
Last updated on: 2014-11-17
Affected Products: Red Hat Subscription Asset Manager (v. 1.x for RHEL 6)
CVEs (cve.mitre.org): CVE-2013-1854
CVE-2013-1855
CVE-2013-1857
CVE-2013-4491
CVE-2013-6414
CVE-2013-6415
CVE-2014-0130

Details

Updated Subscription Asset Manager 1.4 packages that fix multiple security
issues are now available.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Red Hat Subscription Asset Manager acts as a proxy for handling
subscription information and software updates on client machines. Red Hat
Subscription Asset Manager is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

A directory traversal flaw was found in the way Ruby on Rails handled
wildcard segments in routes with implicit rendering. A remote attacker
could use this flaw to retrieve arbitrary local files accessible to a Ruby
on Rails application using the aforementioned routes via a specially
crafted request. (CVE-2014-0130)

A flaw was found in the way Ruby on Rails handled hashes in certain
queries. A remote attacker could use this flaw to perform a denial of
service (resource consumption) attack by sending specially crafted queries
that would result in the creation of Ruby symbols, which were never garbage
collected. (CVE-2013-1854)

Two cross-site scripting (XSS) flaws were found in Action Pack. A remote
attacker could use these flaws to conduct XSS attacks against users of an
application using Action Pack. (CVE-2013-1855, CVE-2013-1857)

It was discovered that the internationalization component of Ruby on Rails
could, under certain circumstances, return a fallback HTML string that
contained user input. A remote attacker could possibly use this flaw to
perform a reflective cross-site scripting (XSS) attack by providing a
specially crafted input to an application using the aforementioned
component. (CVE-2013-4491)

A denial of service flaw was found in the header handling component of
Action View. A remote attacker could send strings in specially crafted
headers that would be cached indefinitely, which would result in all
available system memory eventually being consumed. (CVE-2013-6414)

It was found that the number_to_currency Action View helper did not
properly escape the unit parameter. An attacker could use this flaw to
perform a cross-site scripting (XSS) attack on an application that uses
data submitted by a user in the unit parameter. (CVE-2013-6415)

Red Hat would like to thank Ruby on Rails upstream for reporting these
issues. Upstream acknowledges Ben Murphy as the original reporter of
CVE-2013-1854, Charlie Somerville as the original reporter of
CVE-2013-1855, Alan Jenkins as the original reporter of CVE-2013-1857,
Peter McLarnan as the original reporter of CVE-2013-4491, Toby Hsieh as the
original reporter of CVE-2013-6414, and Ankit Gupta as the original
reporter of CVE-2013-6415.

All Subscription Asset Manager users are advised to upgrade to these
updated packages, which contain backported patches to correct these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Updated packages

Red Hat Subscription Asset Manager (v. 1.x for RHEL 6)

SRPMS:
katello-1.4.3.28-1.el6sam_splice.src.rpm     MD5: f27f984fab2c8085540fec177eb60b11
SHA-256: 0279cc775e8af6e73a6b19f72d209a92a6584f7fa10c178f6a8f53c6c110267b
ruby193-rubygem-actionmailer-3.2.17-1.el6sam.src.rpm     MD5: 3c6c2e6235da74ad4e78a935f4966f5c
SHA-256: 31ac7954ada99ebc2959b4617fc9b562a61e2ef853f6937a8550ac491216d5b9
ruby193-rubygem-actionpack-3.2.17-6.el6sam.src.rpm     MD5: ddd67f03764c7104f18e38cff7c4511f
SHA-256: 5f0eda380b073cdcb874834ac9a6a031296f45dddea72236cf1895c127a68ffa
ruby193-rubygem-activemodel-3.2.17-1.el6sam.src.rpm     MD5: 279ef1a0e5a62b59f3fa56fb9dc2cd57
SHA-256: 697d3db637499bc539bdab8110b203b853c3fa8f48a2927edeb75626f1974a52
ruby193-rubygem-activerecord-3.2.17-5.el6sam.src.rpm     MD5: ba85a05658f4e14a02848028503b81f6
SHA-256: 59d6532b099561bbfaea5bb3964947c1c1fc8188a868c810d71d7277a3defec8
ruby193-rubygem-activeresource-3.2.17-1.el6sam.src.rpm     MD5: 5bc103b3b397a899c0c6669272a02780
SHA-256: 4c894a67dc4fd88a1bc20ffa55c0545af075cfac4b53873c2654e6a00e440cbe
ruby193-rubygem-activesupport-3.2.17-2.el6sam.src.rpm     MD5: f872723fb16c7a7e49596c524cb4a3fe
SHA-256: 83bcd2ec4ff54e1117deff7915524ae424b772a62fb60d17453bef89af3d3029
ruby193-rubygem-i18n-0.6.9-1.el6sam.src.rpm     MD5: 71c3fdd0fadea34009cbd4453cdebf0b
SHA-256: c7d638520dc1769b9068346cd9ea938ab548ac39c6820fc442dd73a00114c09c
ruby193-rubygem-mail-2.5.4-1.el6sam.src.rpm     MD5: aacf6fac79d38bec63a753f841592406
SHA-256: c439e08a32778c73fe2b1cfeb3ab589a2dfeabff00ea7b38b4039468159c5d70
ruby193-rubygem-rack-1.4.5-3.el6sam.src.rpm     MD5: b9680a15d33a605a87e34ac1c5a28e13
SHA-256: ec6d7d35710eb9cba6f0db5b6367a6fdee4426272fcf1bbbab558460b7cdcf4f
ruby193-rubygem-rails-3.2.17-1.el6sam.src.rpm     MD5: 13115c0845d2a91e4f39fe9c33f97dfd
SHA-256: af5f65702f430584f685d3556b7b2c566e929f58cf8fe381df37078eaa34a559
ruby193-rubygem-railties-3.2.17-1.el6sam.src.rpm     MD5: e933f50839390f8e99610329e31796a0
SHA-256: 718e57548b3015994a9e172878b59cea4133dbae08a5450df88e47dde238b980
 
x86_64:
katello-common-1.4.3.28-1.el6sam_splice.noarch.rpm     MD5: 30219f4c4bc0729371cb2a33c45eb8f2
SHA-256: 1e6d2d835d5b6daf3001cf8a96c8e041c58ffa94dbdea516603ca3e08ba5d693
katello-glue-candlepin-1.4.3.28-1.el6sam_splice.noarch.rpm     MD5: 2a3217e1b60f55b1125a301d0875ad41
SHA-256: 52b095d6d6d09ae9c3bc1ae6a84a5fbb44d245c70b0defea106003d0e1041dc5
katello-glue-elasticsearch-1.4.3.28-1.el6sam_splice.noarch.rpm     MD5: 145f2cb113334624c69738fbea48a0a3
SHA-256: 59d7c9fc2d66a70931afc9408c2dc679c0b421fe1a23f18ad1fcc5b166abefd7
katello-headpin-1.4.3.28-1.el6sam_splice.noarch.rpm     MD5: 6aca2183d826230ac3214fb2726d99d3
SHA-256: c7069784f20ca906d50447f87e970b8dfd0fe0fcc128a3dd3f0969ef7c1aa418
katello-headpin-all-1.4.3.28-1.el6sam_splice.noarch.rpm     MD5: 5960c65e75e49a3cec5674ac8ce864df
SHA-256: d18a3cf164a6701ea59afaf89f996f8fe7ae3248dfeb7cb88d07646c667ebeaa
ruby193-rubygem-actionmailer-3.2.17-1.el6sam.noarch.rpm     MD5: e93f893b8baac73d644663c41eb0b52d
SHA-256: 693707d67adb5950bf9f7dd45dd286450abb014799a9a2995ffbea38a4f60c62
ruby193-rubygem-actionpack-3.2.17-6.el6sam.noarch.rpm     MD5: 14695782e811646842ff17dbae2cf49a
SHA-256: 8edee2c7549ec2d38fd75dc058b2e783ccf47ecaa022b30b4e397c3600adaa4d
ruby193-rubygem-activemodel-3.2.17-1.el6sam.noarch.rpm     MD5: b6e35a3f4fb8498775db34382f919394
SHA-256: 0b47bb7a239592772ee48c76b931a9b78d1ea9e7b5a090d6d9a4fc2552b442da
ruby193-rubygem-activerecord-3.2.17-5.el6sam.noarch.rpm     MD5: 3176ecfba46a224389ad26dd49ded867
SHA-256: 1f8493fad76c2b0087c65d76d66a827c147971df169175d0a5a9650332af06e4
ruby193-rubygem-activeresource-3.2.17-1.el6sam.noarch.rpm     MD5: 54cd6142e9b0bbccea5cdc8dff7f9346
SHA-256: 61837a7a5613a334baaf9392c1540fb77b232f320e2937f096540ce8ccb8eabe
ruby193-rubygem-activesupport-3.2.17-2.el6sam.noarch.rpm     MD5: 35fa3a422e5ff582767101ba01cddf2a
SHA-256: 510433eb0b934be67ec92a3e38691090078eb5503386f101107dfbf29fff0a7e
ruby193-rubygem-i18n-0.6.9-1.el6sam.noarch.rpm     MD5: 215302c83fc67f4ff1a8908d575952ec
SHA-256: b07e050c19263d47cc05ba81c600948d4d6a2599dec82f46aed1dcafdb3fc5f5
ruby193-rubygem-mail-2.5.4-1.el6sam.noarch.rpm     MD5: 1bada22945d1e5e34047701af671117b
SHA-256: 6bca8d7ac0ac5ee455121202a46911021edd6c9d48a032e6d788713977581752
ruby193-rubygem-rack-1.4.5-3.el6sam.noarch.rpm     MD5: ea2b5e07fa0829e73ed743b8f322ada9
SHA-256: 972c464003c2b9ddae1c26f2aed054e9515124de16bdb57aa818d3bb7d5b4518
ruby193-rubygem-rails-3.2.17-1.el6sam.noarch.rpm     MD5: b939c26f6b2a03d69968b712694f13d8
SHA-256: 93ae0b593afe008d1c7a26cc9a5aa33749e84d191850b550d77d7f7789349004
ruby193-rubygem-railties-3.2.17-1.el6sam.noarch.rpm     MD5: 5ad7fb280a1fd8c18946fb362f109b05
SHA-256: d29765d6deb70ae587c8d41907365d5fae2af2c1bacfe7791aa4e9ee31fd7071
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1036483 - CVE-2013-6414 rubygem-actionpack: Action View DoS
1036910 - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS
1036922 - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS
1095105 - CVE-2014-0130 rubygem-actionpack: directory traversal issue
921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability
921331 - CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css
921335 - CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/