Security Advisory Moderate: spacewalk-java security update

Advisory: RHSA-2015:0957-1
Type: Security Advisory
Severity: Moderate
Issued on: 2015-05-11
Last updated on: 2015-05-11
Affected Products: Red Hat Satellite (v. 5.7 for RHEL 6)
CVEs (cve.mitre.org): CVE-2014-8162

Details

Updated spacewalk packages that fix one security issue are now available
for Red Hat Satellite 5.7.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

Red Hat Satellite is a system management tool for Linux-based
infrastructures. It allows for provisioning, monitoring, and remote
management of multiple Linux deployments with a single, centralized tool.

It was found that the RPC interface in Satellite would resolve external
entities, allowing an attacker to conduct XML External Entity (XXE)
attacks. A remote attacker could use this flaw to read files accessible to
the user running the Satellite server, and potentially perform other more
advanced XXE attacks. (CVE-2014-8162)

Red Hat would like to thank Travis Emmert for reporting this issue.

All spacewalk users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Updated packages

Red Hat Satellite (v. 5.7 for RHEL 6)

SRPMS:
spacewalk-java-2.3.8-103.el6sat.src.rpm
File outdated by:  RHBA-2017:0236
spacewalk-setup-2.3.0-17.el6sat.src.rpm
 
s390x:
spacewalk-java-2.3.8-103.el6sat.noarch.rpm
File outdated by:  RHBA-2017:0236
spacewalk-java-config-2.3.8-103.el6sat.noarch.rpm
File outdated by:  RHBA-2017:0236
spacewalk-java-lib-2.3.8-103.el6sat.noarch.rpm
File outdated by:  RHBA-2017:0236
spacewalk-java-oracle-2.3.8-103.el6sat.noarch.rpm
File outdated by:  RHBA-2017:0236
spacewalk-java-postgresql-2.3.8-103.el6sat.noarch.rpm
File outdated by:  RHBA-2017:0236
spacewalk-setup-2.3.0-17.el6sat.noarch.rpm
spacewalk-taskomatic-2.3.8-103.el6sat.noarch.rpm
File outdated by:  RHBA-2017:0236
 
x86_64:
spacewalk-java-2.3.8-103.el6sat.noarch.rpm
File outdated by:  RHBA-2017:0236
spacewalk-java-config-2.3.8-103.el6sat.noarch.rpm
File outdated by:  RHBA-2017:0236
spacewalk-java-lib-2.3.8-103.el6sat.noarch.rpm
File outdated by:  RHBA-2017:0236
spacewalk-java-oracle-2.3.8-103.el6sat.noarch.rpm
File outdated by:  RHBA-2017:0236
spacewalk-java-postgresql-2.3.8-103.el6sat.noarch.rpm
File outdated by:  RHBA-2017:0236
spacewalk-setup-2.3.0-17.el6sat.noarch.rpm
spacewalk-taskomatic-2.3.8-103.el6sat.noarch.rpm
File outdated by:  RHBA-2017:0236
 
(The unlinked packages above are only available from the Red Hat Network)

References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/