Security Advisory Moderate: CloudForms System Engine 1.1.2 update

Advisory: RHSA-2013:0547-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-02-21
Last updated on: 2013-02-21
Affected Products: Red Hat CloudForms
CVEs: CVE-2012-5561, CVE-2012-6116


CloudForms System Engine 1.1.2 is now available.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Red Hat CloudForms is an on-premise hybrid cloud
Infrastructure-as-a-Service (IaaS) product that lets you create and manage
private and public clouds. It provides self-service computing resources to
users in a managed, governed, and secure way. CloudForms System Engine can
be used to configure new systems, subscribe to updates, and maintain
installations in distributed environments.

It was found that the
"/usr/share/katello/script/katello-generate-passphrase" utility, which is
run during the installation and configuration process, set world-readable
permissions on the "/etc/katello/secure/passphrase" file. A local attacker
could use this flaw to obtain the Katello passphrase, giving them access to
information they would otherwise not have access to. (CVE-2012-5561)

Note: After installing this update, ensure the
"/etc/katello/secure/passphrase" file is owned by the root user and group
and has mode 0750 permissions. Correcting the permissions does not undo any
earlier disclosure, so sites should also consider re-creating the Katello
passphrase, as this issue exposed it to local users.

One task the katello-configure utility performs is creating an RPM to be
installed on client machines that need to connect to the Katello server. It
was found that this RPM deployed the PEM file containing the Certificate
Authority (CA) certificate used to trust the Katello server with
world-readable and world-writable permissions (mode 666). A local user on a
client could replace that CA certificate with one they control and use it
to perform a man-in-the-middle attack, allowing them to manage (for
example, install and remove software on) Katello client systems.
(CVE-2012-6116)
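Both flaws are file-permission problems, and the advisory's remediation note is a permission and ownership check. The script below is an added example, not part of the advisory, of Red Hat's tooling or of Katello: it audits a path for permission bits beyond an allowed maximum (and optionally for owner:group), then runs itself against constructed stand-ins for the two files, created with the modes the advisory describes and then fixed as its note prescribes. It assumes GNU or BSD stat and runs unprivileged, so the demonstration checks ownership against the current user; on a real server pass root:root for the passphrase file.

```shell
#!/bin/sh
# Added example; not code from the advisory, Red Hat or the Katello project.
# Audits files for permission bits beyond an allowed maximum, the check a
# post-upgrade script or configuration-management assertion would run against
# /etc/katello/secure/passphrase (advisory: root:root, mode 0750) and the
# client-side CA certificate PEM (must not be writable by anyone but root).

# Octal mode and owner:group of a path (GNU stat, with a BSD/macOS fallback).
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }
file_owner() { stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"; }

# audit_file PATH MAX_MODE [OWNER:GROUP]
# Returns 0 when PATH has no permission bit outside MAX_MODE (octal) and, if
# given, has the expected owner; prints the problem and returns 1 otherwise.
audit_file() {
    local path="$1" max="$2" want_owner="${3:-}" mode owner extra rc=0
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    mode=$(file_mode "$path")
    owner=$(file_owner "$path")
    # Bits present in the actual mode that MAX_MODE does not allow. The
    # leading 0 makes the shell read both strings as octal constants.
    extra=$(( 0$mode & ~0$max ))
    if [ "$extra" -ne 0 ]; then
        printf 'BAD %s: mode %s exceeds %s (disallowed bits %o)\n' \
            "$path" "$mode" "$max" "$extra"
        rc=1
    fi
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
        printf 'BAD %s: owner %s, expected %s\n' "$path" "$owner" "$want_owner"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK  $path ($owner, mode $mode)"
    return "$rc"
}

# Demonstration on constructed stand-ins for the two files (not real Katello
# data), created with the modes the advisory describes and then repaired as
# its note prescribes. The owner check uses the current user because this
# runs unprivileged; on a real server pass root:root for the passphrase.
# Returns 0 when the repaired files pass the audit.
demo() {
    local d me rc
    d=$(mktemp -d)
    me="$(id -un):$(id -gn)"
    printf '%s\n' 'constructed-passphrase-value' > "$d/passphrase"
    chmod 644 "$d/passphrase"                    # CVE-2012-5561: world-readable
    printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$d/katello-server-ca.pem"
    chmod 666 "$d/katello-server-ca.pem"         # CVE-2012-6116: mode 666
    echo "== before remediation"
    audit_file "$d/passphrase" 0750 "$me" || true
    audit_file "$d/katello-server-ca.pem" 0644 || true
    chmod 0750 "$d/passphrase"                   # as the advisory's note says
    chmod 0644 "$d/katello-server-ca.pem"        # readable, writable by owner only
    echo "== after remediation"
    if audit_file "$d/passphrase" 0750 "$me" &&
       audit_file "$d/katello-server-ca.pem" 0644; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$d"
    return "$rc"
}

demo
```

The check compares against a policy you state, not against what the package recorded: for CVE-2012-6116 the bootstrap RPM itself shipped the 666 mode, so `rpm -V` on an unfixed client reports the CA file as matching its package metadata and would not flag it. Re-run the audit after the passphrase is regenerated as well, since a fresh file can inherit a permissive umask.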

The CVE-2012-5561 issue was discovered by Aaron Weitekamp of the Red Hat
Cloud Quality Engineering team, and CVE-2012-6116 was discovered by Dominic
Cleal and James Laska of Red Hat.

This update also fixes the following bugs:

* The CloudForms System Engine command line tool incorrectly parsed
locales, which caused the following error:

"translation missing: de.activerecord.errors.messages.record_invalid"

This update replaces the controller for setting the locale. The translation
error no longer appears. (BZ#896251)

* Certain locales did not properly escape certain UI content for new role
creation. This broke the Save button for some locales. This update corrects
the escape behavior for localized UI content. The Save button now works
for new role creation. (BZ#896252)

* A missing icon stopped users from deleting recent or saved searches. This
update adds the icon, and users can now delete recent or saved searches.
(BZ#896253)

* A performance issue in the Candlepin 0.7.8 component caused subscription
responsiveness to decrease as the number of systems subscribed to
CloudForms System Engine increased. This erratum updates Candlepin to
version 0.7.19, which corrects the performance issue. (BZ#896261)

* CloudForms System Engine would not fetch Extended Update Service (EUS)
entitlements. This blocked the user from seeing and enabling EUS
repositories. This update revises the manifest upload and deletion code,
which also corrects the behavior for fetching entitlements. System Engine
now fetches EUS entitlements. (BZ#896265)

* Issues with menu widths caused the localized UI to not render certain
menu items. This update corrects the style for the System Engine UI. The
Web UI now renders the menu items correctly. (BZ#903702)

Refer to the CloudForms 1.1.2 Release Notes for further information about
this release. The Release Notes will be available shortly from

To upgrade, follow the upgrade instructions in the CloudForms Installation
Guide, section "4.1. Upgrading CloudForms System Engine":

Users of CloudForms System Engine are advised to upgrade to these updated


Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

Updated packages

Red Hat CloudForms

candlepin-0.7.19-3.el6cf.src.rpm     MD5: 30d0d5144ba52e9b51f6ee4c6377ae97
SHA-256: f85b2867644863131251b54eebe453dc63750ccbad2909fb319ed06200052b11
katello-     MD5: 18d27124ed2aabfd0450c89aa83fa188
SHA-256: 9a288c0fd90b85bd9c413764c740fbf4976d22a00398a1ab933d78274ee1a380
katello-cli-1.1.8-14.el6cf.src.rpm     MD5: 486a3e324778f0ec3b68b50d4b93fd5c
SHA-256: bc53421bebaef515dcf7a929413e75fe2b037eb0fc467a66de4cd36e3e96ff84
katello-configure-1.1.9-13.el6cf.src.rpm     MD5: 89a8c996fd5c6f99c9ba9183e1d6bbe2
SHA-256: 49a0fc42a381d2b18cdc72984955adfd0f45e6f605e9977b4d37316bf6126d56
katello-selinux-1.1.1-5.el6cf.src.rpm     MD5: fe778710f529e0057f247fea2e36cd4c
SHA-256: 3086d08b555360f31eec675899e4da5f54cfad9c399c1880714e09734d953b4a
candlepin-0.7.19-3.el6cf.noarch.rpm     MD5: 1b83a1a9365c42bd7057d3ee2f810ea9
SHA-256: 62ec426a6b145689c8d1d97627ce0a8d9c2ac20e60f0ac0de235854a88c4b405
candlepin-devel-0.7.19-3.el6cf.noarch.rpm     MD5: c8f6c466895e423338be5ad8c387ebff
SHA-256: b8bbeab4fbc324bc03c2d6e1d39c0545224f6f20be4c4399e413836b05bfb9be
candlepin-selinux-0.7.19-3.el6cf.noarch.rpm     MD5: ca6057624d352234411b7497e3a1a984
SHA-256: c879c006d2d15a9c6554555f2515d7645697f844a96131349270261dbbcf4031
candlepin-tomcat6-0.7.19-3.el6cf.noarch.rpm     MD5: 8da6b7aacaf41eed5e90c7d73c770bc9
SHA-256: 4c2d220fffe217f6626ac1e263ae2a0ed0aa3faf8a8e1e93abe157c67bab9e69
katello-     MD5: a70446f7ee6eb4103af7ea5166c9f77b
SHA-256: 049357813fb4c318605c0e0997715db011b70c91085cc4483d8accea538b4d15
katello-all-     MD5: 547852d1f84269229ea8a50e17212a54
SHA-256: a213aa655f03436cbc6cbb37dd9aef588ba177a27370fc99f8f8241b616003a2
katello-api-docs-     MD5: ed51d78eeae0b34e0f9e73e26c067078
SHA-256: 8d8e604f04cde624870c63428bf26dfba5f978e23d075240329d894a536cfd6b
katello-cli-1.1.8-14.el6cf.noarch.rpm     MD5: fcf1cb0bde06c8a5092c4898e734a521
SHA-256: ae7c109332be287f581b89eef5ef65b534ab8a3390c366f5955ee2b1e4350a3e
katello-cli-common-1.1.8-14.el6cf.noarch.rpm     MD5: 827cbc0d31968cef482e54dac2431012
SHA-256: e04cafbe5d062da23a9db606150836bc6a24018e0957d5afe348354f9ee0c762
katello-common-     MD5: 0afcd85c013c5b5ff8253fd508ce5acb
SHA-256: ac6696635e14a8c94c0a2ea2485ac755a9336ee78300938c49ca3dcc156e609b
katello-configure-1.1.9-13.el6cf.noarch.rpm     MD5: 6080880a461026b12dfb54f2ee6e5737
SHA-256: 4392f6a3417906a22eb45da0e39ce4474c61663ff06fbac99c9eb2e289d274d6
katello-glue-candlepin-     MD5: 40b0a99857d2639a4bc6248b08df372f
SHA-256: edde1d76e849eb226d102ebafbb8699b13a7587bbb4c973f3303b484ae45c8de
katello-glue-pulp-     MD5: 37bed4ea114cd0fb1cdabb8f83a922dd
SHA-256: 435849d63439b6c0d63bb84f2fa0881ded1233d228f377d13a5f6fbbba51c72c
katello-selinux-1.1.1-5.el6cf.noarch.rpm     MD5: c6f2ded287dba639d3c91f90e4de3fe1
SHA-256: 75d0945851e717dc5359efbeb003ba72f0d2983e790665069f66c77509a43deb
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

807455 - Deleted template still available in promoted environment
879094 - CVE-2012-5561 Katello: /etc/katello/secure/passphrase is world readable
896251 - [de_DE][zh_TW][pt_BR][ru_RU][SAM CLI] user module "translation missing: de.activerecord.errors.messages.record_invalid" errors
896253 - Search -- missing ability to remove saved and/or recent search queries -- missing icon
896261 - SCALE: Subscription of systems gets slower and slower as number of subscribed systems increases
896265 - Unable to enable repos for EUS product
903702 - Localized UI hides menu entries
904128 - Unable to save system template
906207 - CVE-2012-6116 Candlepin: bootstrap RPM deploys CA certificate file with mode 666
907250 - translation missing: pt_BR.time.formats.default (I18n::MissingTranslationData)


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at