Security Advisory Low: Red Hat Network Proxy spacewalk-backend security and bug fix update

Advisory: RHSA-2012:0102-1
Type: Security Advisory
Severity: Low
Issued on: 2012-02-06
Last updated on: 2012-02-06
Affected Products: Red Hat Network Proxy (v. 5.4 for RHEL 5)
Red Hat Network Proxy (v. 5.4 for RHEL 6)
CVEs (cve.mitre.org): CVE-2012-0059

Details

Updated spacewalk-backend packages that fix one security issue are now
available for Red Hat Network Proxy 5.4.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Red Hat Network (RHN) Proxy provides a mechanism for caching content, such
as package updates from Red Hat or custom content created for an
organization on an internal, centrally-located server.

If a user submitted a system registration XML-RPC call to an RHN Proxy
server (for example, by running "rhnreg_ks") and that call failed, their
RHN user password was included in plain text in the error messages both
stored in the server log and mailed to the server administrator. With this
update, user passwords are excluded from these error messages to avoid the
exposure of authentication credentials. (CVE-2012-0059)

Users of Red Hat Network Proxy are advised to upgrade to these updated
packages, which correct this issue. For this update to take effect,
Red Hat Network Proxy must be restarted. Refer to the Solution section for
details.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Run the following command to restart the Red Hat Network Proxy server:

# rhn-proxy restart

Updated packages

Red Hat Network Proxy (v. 5.4 for RHEL 5)

SRPMS:
spacewalk-backend-1.2.13-66.el5sat.src.rpm     MD5: fe93806e4eb31fcd54787bf31b86c5ee
SHA-256: 9c0a8aee85ec759a4b956abc66d0f097b149f6c5acbfa60e93b2587d7ea45bc9
 
IA-32:
spacewalk-backend-1.2.13-66.el5sat.noarch.rpm     MD5: 3daa36af918f64dfffa338e7a246acd0
SHA-256: ad47752b48f9d769c0dd9030b58988e837467f1e58374b1828270e5306abb641
spacewalk-backend-libs-1.2.13-66.el5sat.noarch.rpm     MD5: 9ef36cb5845b35ea751bbd08353115fb
SHA-256: 7de7a9a8db249cb5152c6e9e19e62d49f0e3a0150e2ba8cd1cb6a8e000ad3e0e
 
s390x:
spacewalk-backend-1.2.13-66.el5sat.noarch.rpm     MD5: 3daa36af918f64dfffa338e7a246acd0
SHA-256: ad47752b48f9d769c0dd9030b58988e837467f1e58374b1828270e5306abb641
spacewalk-backend-libs-1.2.13-66.el5sat.noarch.rpm     MD5: 9ef36cb5845b35ea751bbd08353115fb
SHA-256: 7de7a9a8db249cb5152c6e9e19e62d49f0e3a0150e2ba8cd1cb6a8e000ad3e0e
 
x86_64:
spacewalk-backend-1.2.13-66.el5sat.noarch.rpm     MD5: 3daa36af918f64dfffa338e7a246acd0
SHA-256: ad47752b48f9d769c0dd9030b58988e837467f1e58374b1828270e5306abb641
spacewalk-backend-libs-1.2.13-66.el5sat.noarch.rpm     MD5: 9ef36cb5845b35ea751bbd08353115fb
SHA-256: 7de7a9a8db249cb5152c6e9e19e62d49f0e3a0150e2ba8cd1cb6a8e000ad3e0e
 
Red Hat Network Proxy (v. 5.4 for RHEL 6)

SRPMS:
spacewalk-backend-1.2.13-66.el6sat.src.rpm     MD5: f546f49132edf5d5a9c9e7ef60150d38
SHA-256: 9a79f020c2462bb7029aeebedc70ca57f932f26d97d6bd0afdfbba82e6ee743c
 
s390x:
spacewalk-backend-1.2.13-66.el6sat.noarch.rpm     MD5: 81c00a01d73fddb906079fcf10c49cca
SHA-256: b9f461c78820d758d46aa9454a30f6b07e413183218ea2ea8e333840413e9bd5
spacewalk-backend-libs-1.2.13-66.el6sat.noarch.rpm     MD5: 4004a01d04dd8abe49e5580241692d8e
SHA-256: 4d1ef8849a2269e84dea83a23b11347c73002ad5d3a3524474c15f090e8e6768
 
x86_64:
spacewalk-backend-1.2.13-66.el6sat.noarch.rpm     MD5: 81c00a01d73fddb906079fcf10c49cca
SHA-256: b9f461c78820d758d46aa9454a30f6b07e413183218ea2ea8e333840413e9bd5
spacewalk-backend-libs-1.2.13-66.el6sat.noarch.rpm     MD5: 4004a01d04dd8abe49e5580241692d8e
SHA-256: 4d1ef8849a2269e84dea83a23b11347c73002ad5d3a3524474c15f090e8e6768
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

782819 - CVE-2012-0059 Satellite, Spacewalk: RHN user password disclosure upon failed system registration


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/