Security Advisory Moderate: Subscription Asset Manager 1.2.1 update

Advisory: RHSA-2013:0686-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-03-26
Last updated on: 2013-03-26
Affected Products: Red Hat Subscription Asset Manager (v. 1.x for RHEL 6)
CVEs ( CVE-2012-6116


Red Hat Subscription Asset Manager 1.2.1, which fixes several security
issues, multiple bugs, and adds various enhancements, is now available.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Red Hat Subscription Asset Manager acts as a proxy for handling
subscription information and software updates on client machines.

The latest packages for Subscription Asset Manager include a number of security

When a Subscription Asset Manager instance is created, its configuration
script automatically creates an RPM of the internal subscription service
CA certificate. However, this RPM incorrectly created the CA certificate
with file permissions of 0666. This allowed other users on a client system
to modify the CA certificate used to trust the remote subscription server.
All administrators are advised to update and deploy the subscription
service certificate on all systems which use Subscription Asset Manager
as their subscription service. This procedure is described in:

Manifest signature checking was not implemented for early versions of
Subscription Asset Manager. This meant that a malicious user could edit
a manifest file, insert arbitrary data, and successfully upload the edited
manifest file into the Subscription Asset Manager server. (CVE-2012-6119)

Ruby's documentation generator had a flaw in the way it generated HTML
documentation. When a Ruby application exposed its documentation
on a network (such as a web page), an attacker could use a specially-
crafted URL to open an arbitrary web script or to execute HTML code
within the application's user session. (CVE-2013-0256)

A timing attack flaw was found in the way rubygem-rack and
ruby193-rubygem-rack processed HMAC digests in cookies. This flaw could aid
an attacker using forged digital signatures to bypass authentication
checks. (CVE-2013-0263)

A flaw in rubygem-json allowed remote attacks by creating different types
of malicious objects. For example, it could initiate a denial of service
(DoS) attack through resource consumption by using a JSON document to
create arbitrary Ruby symbols, which were never garbage collected. It
could also be exploited to create internal objects which could allow a SQL
injection attack. (CVE-2013-0269)

A flaw in ActiveRecord in Ruby on Rails allowed remote attackers to
circumvent attribute protections and to insert their own crafted requests
to change protected attribute values. (CVE-2013-0276)

HTML markup was not properly escaped when filling in the username field in
the Notifications form of the Subscription Asset Manager UI. This meant
that HTML code used in the value was then applied in the UI page when the
entry was viewed. This could have allowed malicious HTML code to be
entered. The field value is now validated and any HTML tags are escaped.

These updated packages also include bug fixes and enhancements:

* Previously, no SELinux policy for the subscription service was included
with the Subscription Asset Manager packages. The candlepin-selinux package
is now included with SELinux policies for the subscription server.

* When attempting to use the subscription service's CA certificate to
validate a manifest during import, the comparison failed. The upstream
subscription service which generated the manifest is a different service
than the local subscription service; thus, they have different CA
certificates. This caused importing a manifest to fail with the error
'archive failed signature'. This has been fixed so that the proper
certificate is used for verification. (BZ#918778)

All users of Subscription Asset Manager are recommended to update to the
latest packages.


Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

Updated packages

Red Hat Subscription Asset Manager (v. 1.x for RHEL 6)

File outdated by:  RHBA-2014:1014
    MD5: f821f3e05859a30fb90a2b1156f156bd
SHA-256: e841500ffadb49d4c6e319bb15a7795b1cdc134357e0ae7e07bdd22d04a2a7fa
File outdated by:  RHSA-2014:1863
    MD5: 3eba2dd3c9dd4be13548fd10e4c2a8d8
SHA-256: 3beb8c1288794c9ffa23e5b70946171b43d743ef3875afac0754996af1db94be
File outdated by:  RHSA-2014:1186
    MD5: f21a3045ae3ed9ba3a5a63c538589fc6
SHA-256: a14bce5d439eb7b35401d3aefd5c66a3451546f4586f34744b61d0b991227b85
rubygem-actionpack-3.0.10-12.el6cf.src.rpm     MD5: 1ab7086346c30020a7a7d5c4ba1c4e07
SHA-256: 64c431ed3fb03514fe25a96d770518cbcab5fd33ea2562046c505522508c0a4a
rubygem-delayed_job-2.1.4-3.el6cf.src.rpm     MD5: 881e8b4ec8d363a62890bc730be8af04
SHA-256: f62def9e34e2b991bc3e27a3eeffc41db684fb4c2595c459f1aaefd62b47045f
rubygem-nokogiri-1.5.0-0.9.beta4.el6cf.src.rpm     MD5: 8416df84b2f80ab29d0e335fb38e776b
SHA-256: 772473df95ae86dfdcea19a3d0d31d31d92ef3e49d0c8b9dbcfd0e29d22aeb4b
rubygem-rails_warden-0.5.5-2.el6cf.src.rpm     MD5: 90543592c1a5cc2ec98120981e444016
SHA-256: 5e9e5e6328bbcacf5618552654f353461fb2ca75892c47177eec19791a47325d
rubygem-rdoc-3.8-6.el6cf.src.rpm     MD5: 94ed851683417f0069ceb3846e3e7b8d
SHA-256: 66f4a1f17ae0c67b91f183d7ee20f543957f35da38aaa202050c94dd73099b9c
File outdated by:  RHBA-2014:1014
    MD5: 4a1c313b286fb3407f28f9741e46ad09
SHA-256: ca4765c17caa420493705065a1d20900443372b54102b8396c489396203f2cad
candlepin-devel-0.7.24-1.el6_3.noarch.rpm     MD5: 2d88c6988c2caab19c10be0a1a52a3d5
SHA-256: 73c456736bc66d79e247cbff5ccad39ad5052d54375bc5c749c4ec796bc8c23b
File outdated by:  RHBA-2014:1014
    MD5: 943c63bfb427e6d6574e76298fa35e85
SHA-256: fad6f9edc9a735188c2705518b7864daf8e3a5267dd17b95cd43d6c85062de01
File outdated by:  RHBA-2014:1014
    MD5: 7397d97356f1c465aaf2c7ad0c2118d7
SHA-256: a96d1266495bffd9b5cfb75ce149b4934e29d69873b8649b2a2ff62074353c77
File outdated by:  RHSA-2014:1863
    MD5: 351cc0be5a490f7487d4abd62bd02e53
SHA-256: ad0a5f3ddb51bdb659a034027f024f9a88ed36e7caed28bfb7b1c23c5231412c
File outdated by:  RHSA-2014:1186
    MD5: 1f6cf8a965e76914566f1ad6691b0036
SHA-256: a38861b4004702ab114e9615bbb39e637b1b485aa06d56b56d003a6292214544
File outdated by:  RHSA-2014:1863
    MD5: 9b7ad0d9ff727f9dfd8957482cc67046
SHA-256: c5ed08486d5d0fc849d4bfc88ff3cc23d083cbdb54bd67a7202c28c21e15a84c
File outdated by:  RHSA-2014:1863
    MD5: af27ee017e3099fad66a6b2a1fc843fe
SHA-256: 5dbb602d849fa14c4e80bd0a237e818c356039c7952b0bcafb8eb5d791716c8f
File outdated by:  RHSA-2014:1863
    MD5: 1dc2efc11d4caa70d1482bdc78b85ea9
SHA-256: c43165b07b2fa4b3d145a3ddac8991b85d80ba6af6aa62cf93035e062a8b259b
ruby-nokogiri-1.5.0-0.9.beta4.el6cf.x86_64.rpm     MD5: 68ed222a017a909bfe999bfc2f02f789
SHA-256: 694af7dd76daaaa54eab7845bf749c459630e4c05a949b8ff4eb6d421314df65
rubygem-actionpack-3.0.10-12.el6cf.noarch.rpm     MD5: fa880172aa6a73651e02c16bd5639bda
SHA-256: f7225b67031d6c7865b98a1aa5999434c566cee03402553f9d018a6f6f41968d
rubygem-activemodel-3.0.10-3.el6cf.noarch.rpm     MD5: bcada032afeecc433d148b320bcbbd7a
SHA-256: 41616b9b62d942bd78282738b85a377efa1cac28dba6fdb852aea994ea0d18c1
rubygem-activemodel-doc-3.0.10-3.el6cf.noarch.rpm     MD5: d0ca5b5ba5793d96e6c04c6c39420a72
SHA-256: ebd619e9ee2e786c5776b4e9ba2a6ecc0e70779c5ab3873abd85272a61ef57ec
rubygem-delayed_job-2.1.4-3.el6cf.noarch.rpm     MD5: add48be9fbe2bcfff616934f2847f7de
SHA-256: 637f3143211c71e5c693ea00077d3533b494d6fdb2f64589a296cff4465ba2ec
rubygem-delayed_job-doc-2.1.4-3.el6cf.noarch.rpm     MD5: 1259bcc145da127430739bd449ae270d
SHA-256: 2618bc4d7d82d6fa9cb1145057b7a07a6c291d1f2ca8cfaaa448bd2d21550280
rubygem-json-1.7.3-2.el6_3.x86_64.rpm     MD5: 21a37a8a1eee868726a1ade4cfa5c941
SHA-256: e4ff98c787af308928b8295f3195eec17fa297134d2540f41373585fd1813171
rubygem-json-debuginfo-1.7.3-2.el6_3.x86_64.rpm     MD5: 96c1f94e868f3c30643e3b5063720d9e
SHA-256: 07081cb4d8587b97062968f1295b61bd0055978b04af15aa98bfebee648b04bd
rubygem-nokogiri-1.5.0-0.9.beta4.el6cf.x86_64.rpm     MD5: 0d95288f722504d6d9732b4a4a0da8df
SHA-256: 2284596c7bf2ff29369643b60801b576895a969c6cd567ddaa828487eb27eb5c
rubygem-nokogiri-debuginfo-1.5.0-0.9.beta4.el6cf.x86_64.rpm     MD5: b2bd1100f46583c8cbf862dc316e87ba
SHA-256: dfe52ed08ad520d096a5c9bcbc11d6c7f6f9db0b9ab75c2dc59fec23516351eb
rubygem-nokogiri-doc-1.5.0-0.9.beta4.el6cf.noarch.rpm     MD5: 8fe4927d175318a57b01164bd579e7a8
SHA-256: 365f41ee7f5651812d4a32601309759d518df5d43e2eecc513c2d22a9e375473
rubygem-rack-1.3.0-4.el6cf.noarch.rpm     MD5: 6ce2488b59bec9a65836a1eec40270ed
SHA-256: 9de6ead0063c7936ac3a2a5ab68e24208fa0f25e4713532c5194a969ba38ebd8
rubygem-rails_warden-0.5.5-2.el6cf.noarch.rpm     MD5: 46c22adc025b47785c1763ee9fd42a0b
SHA-256: 8de7b1b4f83ff37d4e9da059458da6cabe345c9eb538c29c1cc01839fd9a094c
rubygem-rails_warden-doc-0.5.5-2.el6cf.noarch.rpm     MD5: 2f73cffd3668127ec6ea7b52d5cb8ed7
SHA-256: eef9585883ce1dc9ccacdb3a984596237bdb8dfce17ef0c4258f055654127abb
rubygem-rdoc-3.8-6.el6cf.noarch.rpm     MD5: e5b679362f45c5bb9727c30bf3ea4958
SHA-256: 821b01aad5bd9034866fcfa8b0eb37b2f66d9f554914a9b15b5c17de6a4b6ac7
rubygem-rdoc-doc-3.8-6.el6cf.noarch.rpm     MD5: 4cd8c2606f88ff3c3bb8a4c79bebcf79
SHA-256: b6c2a724e4bcf42249521ef1269f14cdd28ebeaf7c5c9b71f9a89ddb88c6e139
File outdated by:  RHBA-2014:0901
    MD5: 672eaeb23f8b8ed109834453a4b6410d
SHA-256: 0e460b0983b3c2cf0e58dcf5f9f3a5df708c60697a4b439e322d22f7a79161b9
File outdated by:  RHBA-2014:0901
    MD5: e671c4dc6e7202c1713d9272eac7d3c4
SHA-256: ef7996dc3e3aa029dddb8a96a9be5a0fc5717614142e45aecaf43ae0267c1587
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

906207 - CVE-2012-6116 Candlepin: bootstrap RPM deploys CA certificate file with mode 666
906901 - SAM installation is missing Candlepin SELinux policy
907820 - CVE-2013-0256 rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template
908613 - CVE-2012-6119 Candlepin: Re-enable manifest signature checking
909029 - CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection
909071 - CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions
909528 - CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: circumvention of attr_protected
918778 - Katello-configure overwrites candlepin-upstream-ca.crt, breaking manifest import
918784 - CVE-2013-1823 Katello: Notifications page Username XSS
922190 - Thumbslug can't read cert v3


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at