Security Advisory Moderate: CloudForms Common 1.1.2 update

Advisory: RHSA-2013:0548-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-02-21
Last updated on: 2013-02-21
Affected Products: Red Hat CloudForms
CVEs (cve.mitre.org): CVE-2012-6109, CVE-2013-0162, CVE-2013-0183, CVE-2013-0184, CVE-2013-0256

Details

CloudForms Common 1.1.2 is now available.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Red Hat CloudForms is an on-premise hybrid cloud
Infrastructure-as-a-Service (IaaS) product that lets you create and manage
private and public clouds. It provides self-service computing resources to
users in a managed, governed, and secure way.

Three flaws were found in rubygem-rack. A remote attacker could use these
flaws to perform a denial of service attack against applications using
rubygem-rack. (CVE-2012-6109, CVE-2013-0183, CVE-2013-0184)
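All three rack issues are resource-exhaustion bugs in request parsing; the bug tracked as CVE-2013-0183 (see the bug list below) is the case of a line that never terminates. The following example is added here and is neither Rack's code nor part of the advisory. It shows the defensive pattern a parser should use for such input: every line is read through IO#gets with a byte limit, so an unterminated line is rejected before it can grow without bound. The small multipart parser, the constant MAX_LINE_BYTES, the LineTooLong error and the sample bodies are all constructed for illustration and cover only the subset of the multipart format needed to make the point.

```ruby
require "stringio"

# Largest single header or delimiter line we are willing to buffer.
# Constructed value; real servers use limits in the low kilobytes.
MAX_LINE_BYTES = 8 * 1024

class LineTooLong < StandardError; end

# Read one newline-terminated line from +io+ without ever holding more than
# +limit+ bytes. IO#gets(limit) returns at most +limit+ bytes; if that many
# bytes arrive without a newline the line is refused instead of being
# accumulated into an ever-growing String (the out-of-memory failure mode).
# Lines of exactly +limit+ bytes are refused too; that is deliberate.
def read_bounded_line(io, limit = MAX_LINE_BYTES)
  chunk = io.gets(limit)
  return nil if chunk.nil? # EOF
  if chunk.bytesize >= limit && !chunk.end_with?("\n")
    raise LineTooLong, "line exceeds #{limit} bytes"
  end
  chunk.chomp
end

# Minimal multipart/form-data parser built on read_bounded_line. Returns an
# Array of parts, each { headers: {lowercased name => value}, body: String }.
# Constructed for illustration: no nested parts, no encodings, no quoting rules.
def parse_multipart(body, boundary, limit = MAX_LINE_BYTES)
  io = StringIO.new(body)
  parts = []
  delimiter = "--#{boundary}"

  # Skip any preamble up to the first delimiter line.
  loop do
    line = read_bounded_line(io, limit)
    return parts if line.nil?
    break if line == delimiter
  end

  loop do
    headers = {}
    # Header block: bounded lines until the blank separator line.
    while (line = read_bounded_line(io, limit)) && !line.empty?
      name, value = line.split(":", 2)
      raise ArgumentError, "malformed header line" if value.nil?
      headers[name.strip.downcase] = value.strip
    end
    return parts if line.nil? # truncated input: no body followed the headers

    body_lines = []
    closing = false
    loop do
      line = read_bounded_line(io, limit)
      if line.nil? || line == "#{delimiter}--"
        closing = true
        break
      end
      break if line == delimiter
      body_lines << line
    end
    parts << { headers: headers, body: body_lines.join("\n") }
    return parts if closing
  end
end

# Convenience predicate: true when +body+ is refused because of an over-long line.
def rejects_long_line?(body, boundary, limit = MAX_LINE_BYTES)
  parse_multipart(body, boundary, limit)
  false
rescue LineTooLong
  true
end
```

The limit is enforced at the read, not after the fact: a client that sends a header of many megabytes never causes more than `limit` bytes to be allocated for it, which is the property the Rack fix restored.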

It was found that documentation created by rubygem-rdoc was vulnerable to
a cross-site scripting (XSS) attack. If such documentation was accessible
over a network, and a remote attacker could trick a user into visiting a
specially-crafted URL, it would lead to arbitrary web script execution in
the context of the user's session. As rubygem-rdoc is used for creating
documentation for Ruby source files (such as classes, modules, and so on),
it is not a common scenario to make such documentation accessible over the
network. (CVE-2013-0256)

It was found that ruby_parser from rubygem-ruby_parser created a temporary
file in an insecure way. A local attacker could use this flaw to perform a
symbolic link attack, overwriting arbitrary files accessible to the
application using ruby_parser. (CVE-2013-0162)
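The flaw class above is the classic temporary-file symlink race: a predictable path in a shared directory, opened for writing without O_EXCL, so a link planted at that path in advance decides where the write lands. The example below is added here for contrast and is not ruby_parser's code or the fix shipped in this update; the function names, the "scratch-<pid>.tmp" naming scheme and the directory argument are constructed. It places the vulnerable pattern beside two hardened forms: an exclusive create when the caller must choose the name, and Tempfile.create, which is the idiomatic Ruby answer.

```ruby
require "tempfile"
require "tmpdir"

# Vulnerable pattern (shown only for contrast, do not use): a guessable name
# in a directory others can write to, opened with plain "w". If that name
# already exists as a symlink, open(2) follows it and the data overwrites
# the link's target. Constructed illustration, not ruby_parser's code.
def predictable_write(dir, data)
  path = File.join(dir, "scratch-#{Process.pid}.tmp")
  File.open(path, "w") { |f| f.write(data) }
  path
end

# Hardened variant 1, for when the caller must pick the name: create with
# O_CREAT|O_EXCL and mode 0600. With O_EXCL, open(2) fails with EEXIST if the
# path exists at all, a symlink included, so nothing planted beforehand can
# redirect the write. Returns [:ok, path] or [:refused, path].
def exclusive_write(dir, data)
  path = File.join(dir, "scratch-#{Process.pid}.tmp")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(data)
  end
  [:ok, path]
rescue Errno::EEXIST
  [:refused, path]
end

# Hardened variant 2 (preferred): Tempfile.create picks an unpredictable name,
# opens it with O_EXCL and mode 0600, yields the open File, and unlinks it
# when the block returns. The block here receives the path for reading back.
def with_scratch_file(data, dir = Dir.tmpdir)
  Tempfile.create("scratch", dir) do |f|
    f.write(data)
    f.flush
    yield f.path
  end
end
```

The difference between the first two functions is a single open flag; the third removes the guessable name entirely, which is why reviewers usually ask for Tempfile (or Dir.mktmpdir for a whole scratch directory) rather than a hand-built path.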

Red Hat would like to thank Eric Hodel of RDoc upstream for reporting
CVE-2013-0256. Upstream acknowledges Evgeny Ermakov as the original
reporter of CVE-2013-0256. The CVE-2013-0162 issue was discovered by
Michael Scherer of the Red Hat Regional IT team.

Refer to the CloudForms 1.1.2 Release Notes for further information about
this release. The Release Notes will be available shortly from
https://access.redhat.com/knowledge/docs/

Users of CloudForms Common are advised to upgrade to these updated
packages.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat CloudForms

SRPMS:
rubygem-activesupport-3.0.10-10.el6cf.src.rpm     MD5: 4462c25310e526a37d0c2aa5628d3c88
SHA-256: eacda6afd4f5eba8c6ca2f51d93962e4a4d49ac16057f86e621a5e2f94aaf2e9
rubygem-delayed_job-2.1.4-3.el6cf.src.rpm     MD5: 881e8b4ec8d363a62890bc730be8af04
SHA-256: f62def9e34e2b991bc3e27a3eeffc41db684fb4c2595c459f1aaefd62b47045f
rubygem-nokogiri-1.5.0-0.9.beta4.el6cf.src.rpm     MD5: 8416df84b2f80ab29d0e335fb38e776b
SHA-256: 772473df95ae86dfdcea19a3d0d31d31d92ef3e49d0c8b9dbcfd0e29d22aeb4b
rubygem-rack-1.3.0-3.el6cf.src.rpm     MD5: 6aa50ec83cb8b9919667c4842e678ad5
SHA-256: 4b49dbf41fb124da920169a20bf20905509cd456baf4060cdd4786ba0e1a1d60
rubygem-rails_warden-0.5.5-2.el6cf.src.rpm     MD5: 90543592c1a5cc2ec98120981e444016
SHA-256: 5e9e5e6328bbcacf5618552654f353461fb2ca75892c47177eec19791a47325d
rubygem-rdoc-3.8-6.el6cf.src.rpm     MD5: 94ed851683417f0069ceb3846e3e7b8d
SHA-256: 66f4a1f17ae0c67b91f183d7ee20f543957f35da38aaa202050c94dd73099b9c
rubygem-rspec-rails-2.6.1-7.el6cf.src.rpm     MD5: 5dc67b67cc89018a344c37388956c65d
SHA-256: 98b27674b10a1a41e951f85d651f3fd19b59202ada8b6eb89c599fa636c1a4d0
rubygem-ruby_parser-2.0.4-6.el6cf.src.rpm     MD5: 704f5a4f03f6eed75a8cd62457eccfd9
SHA-256: d24d4ca2ad44bb41cff5048e98c4f7ca7ce85f69696a2ddf81ea6c6cea9fd26b
rubygem-shoulda-2.11.3-5.el6cf.src.rpm     MD5: 2530c84822a696b886ba8a72427df535
SHA-256: ead558af59900b899d9cf6f37f2fd51d9ace1ab65e7b8cc7e3b6d0db857311e3
 
x86_64:
ruby-nokogiri-1.5.0-0.9.beta4.el6cf.x86_64.rpm     MD5: 68ed222a017a909bfe999bfc2f02f789
SHA-256: 694af7dd76daaaa54eab7845bf749c459630e4c05a949b8ff4eb6d421314df65
rubygem-activesupport-3.0.10-10.el6cf.noarch.rpm     MD5: beecbd690e31ca9c90e66e6094bcb9e6
SHA-256: 8ab09a4e64b8a2527d3e79372d92c772a695275dbb28b22472877904a18575b0
rubygem-delayed_job-2.1.4-3.el6cf.noarch.rpm     MD5: add48be9fbe2bcfff616934f2847f7de
SHA-256: 637f3143211c71e5c693ea00077d3533b494d6fdb2f64589a296cff4465ba2ec
rubygem-delayed_job-doc-2.1.4-3.el6cf.noarch.rpm     MD5: 1259bcc145da127430739bd449ae270d
SHA-256: 2618bc4d7d82d6fa9cb1145057b7a07a6c291d1f2ca8cfaaa448bd2d21550280
rubygem-nokogiri-1.5.0-0.9.beta4.el6cf.x86_64.rpm     MD5: 0d95288f722504d6d9732b4a4a0da8df
SHA-256: 2284596c7bf2ff29369643b60801b576895a969c6cd567ddaa828487eb27eb5c
rubygem-nokogiri-debuginfo-1.5.0-0.9.beta4.el6cf.x86_64.rpm     MD5: b2bd1100f46583c8cbf862dc316e87ba
SHA-256: dfe52ed08ad520d096a5c9bcbc11d6c7f6f9db0b9ab75c2dc59fec23516351eb
rubygem-nokogiri-doc-1.5.0-0.9.beta4.el6cf.noarch.rpm     MD5: 8fe4927d175318a57b01164bd579e7a8
SHA-256: 365f41ee7f5651812d4a32601309759d518df5d43e2eecc513c2d22a9e375473
rubygem-rack-1.3.0-3.el6cf.noarch.rpm     MD5: 1ac52d098f65f52c3c93cf71bfe9c51d
SHA-256: e70cc385af10a19e9aea9e9a23cdaafc508787ffe7358c46632b4a7a6e722db6
rubygem-rails_warden-0.5.5-2.el6cf.noarch.rpm     MD5: 46c22adc025b47785c1763ee9fd42a0b
SHA-256: 8de7b1b4f83ff37d4e9da059458da6cabe345c9eb538c29c1cc01839fd9a094c
rubygem-rails_warden-doc-0.5.5-2.el6cf.noarch.rpm     MD5: 2f73cffd3668127ec6ea7b52d5cb8ed7
SHA-256: eef9585883ce1dc9ccacdb3a984596237bdb8dfce17ef0c4258f055654127abb
rubygem-rdoc-3.8-6.el6cf.noarch.rpm     MD5: e5b679362f45c5bb9727c30bf3ea4958
SHA-256: 821b01aad5bd9034866fcfa8b0eb37b2f66d9f554914a9b15b5c17de6a4b6ac7
rubygem-rdoc-doc-3.8-6.el6cf.noarch.rpm     MD5: 4cd8c2606f88ff3c3bb8a4c79bebcf79
SHA-256: b6c2a724e4bcf42249521ef1269f14cdd28ebeaf7c5c9b71f9a89ddb88c6e139
rubygem-rspec-rails-2.6.1-7.el6cf.noarch.rpm     MD5: f42330716802fb6dc9af09db7a6e8978
SHA-256: 79e77b8afe1ab2566b3df4f38df40caf4e4e45cf1f5f3a8540cb2e1dd49844ba
rubygem-rspec-rails-doc-2.6.1-7.el6cf.noarch.rpm     MD5: 152cd0e24a237f7b076694ae9d822271
SHA-256: 0bb09dc2c9993ff8f9bf6745c38b38eece684754502fd6739b2d11df72a9bab6
rubygem-ruby_parser-2.0.4-6.el6cf.noarch.rpm     MD5: d1a6137ed045e3d6e6864e00b1301132
SHA-256: ad698211882950fa51c4f4e30fc81e54cb4874ed8d4a485db5333ded811e0306
rubygem-ruby_parser-doc-2.0.4-6.el6cf.noarch.rpm     MD5: 15410740b9ed1cb39ae8b7cbb1637be5
SHA-256: 83e4ea05014c2927d3c3130d43c3b5bf960066f4b62b314653ad33fb2287478f
rubygem-shoulda-2.11.3-5.el6cf.noarch.rpm     MD5: caa15356632336930d23e0424f1b1926
SHA-256: 169dd0f67af6a6f8e1f5d1379cf1bc9f9f41f3fdec29a22db6768a67ee7433ed
rubygem-shoulda-doc-2.11.3-5.el6cf.noarch.rpm     MD5: bc48e70525868c163a9d2aa15aa56832
SHA-256: 6e23d94321bc541746e43f41f77a064bed4edc82fd20fd9d898c7ec717fb0a6d
 
(The unlinked packages above are only available from the Red Hat Network)
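Added example, not Red Hat tooling: a parser for the listing format above (file name and MD5 on one line, SHA-256 on the next) and a check of a downloaded file's SHA-256 against the parsed entry. The two entries in LISTING_EXCERPT are copied from the listing; the function names and the sample file written in the usage are constructed. The GPG signature check noted at the end of this advisory remains the authoritative verification; this digest comparison is an extra guard for files obtained out of band.

```ruby
require "digest"
require "tmpdir"

# One entry from the "Updated packages" listing.
Package = Struct.new(:name, :md5, :sha256)

# Constructed excerpt of the listing above (values copied from the advisory).
LISTING_EXCERPT = <<~LISTING
  SRPMS:
  rubygem-rack-1.3.0-3.el6cf.src.rpm     MD5: 6aa50ec83cb8b9919667c4842e678ad5
  SHA-256: 4b49dbf41fb124da920169a20bf20905509cd456baf4060cdd4786ba0e1a1d60

  x86_64:
  rubygem-rack-1.3.0-3.el6cf.noarch.rpm     MD5: 1ac52d098f65f52c3c93cf71bfe9c51d
  SHA-256: e70cc385af10a19e9aea9e9a23cdaafc508787ffe7358c46632b4a7a6e722db6
  (The unlinked packages above are only available from the Red Hat Network)
LISTING

# Parse the two-line-per-package format. Section labels ("SRPMS:", "x86_64:"),
# blank lines and the trailing note match neither pattern and are skipped.
def parse_package_listing(text)
  packages = []
  current = nil
  text.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\A(\S+\.rpm)\s+MD5:\s*([0-9a-f]{32})\z/i))
      current = Package.new(m[1], m[2].downcase, nil)
      packages << current
    elsif (m = line.match(/\ASHA-256:\s*([0-9a-f]{64})\z/i))
      raise ArgumentError, "SHA-256 line without a preceding package line" if current.nil?
      current.sha256 = m[1].downcase
      current = nil
    end
  end
  packages
end

# SHA-256 of a file, read in 1 MiB chunks so a large RPM need not fit in memory.
def file_sha256(path)
  digest = Digest::SHA256.new
  File.open(path, "rb") do |f|
    while (chunk = f.read(1 << 20))
      digest.update(chunk)
    end
  end
  digest.hexdigest
end

# Compare a downloaded file with the listing entry of the same base name.
# Returns :match, :mismatch or :unlisted. Only SHA-256 is consulted; the MD5
# column is legacy and not a meaningful integrity check on its own.
def verify_download(path, packages)
  entry = packages.find { |p| p.name == File.basename(path) }
  return :unlisted if entry.nil?
  file_sha256(path) == entry.sha256 ? :match : :mismatch
end

# Usage (constructed): pkgs = parse_package_listing(LISTING_EXCERPT)
#                      verify_download("/path/to/rubygem-rack-1.3.0-3.el6cf.noarch.rpm", pkgs)
```

A :mismatch on a file fetched from the Red Hat Network is worth treating as a transfer or tampering problem rather than retrying blindly; in either case the signature check with rpm is the step that actually authenticates the package.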

Bugs fixed (see bugzilla for more information)

892806 - CVE-2013-0162 rubygem-ruby_parser: incorrect temporary file usage
895277 - CVE-2012-6109 rubygem-rack: parsing Content-Disposition header DoS
895282 - CVE-2013-0183 rubygem-rack: receiving excessively long lines triggers out-of-memory error
895384 - CVE-2013-0184 rubygem-rack: Rack::Auth::AbstractRequest DoS
907820 - CVE-2013-0256 rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/