Red Hat Security Advisory 2016-1083-01 - Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments. Security Fix: An input sanitization flaw was found in the scoped search parameters sort_by and sort_order in the REST API. An authenticated user could use this flaw to perform an SQL injection attack on the Katello back end database.
16c634ffd6be21f4086f926a66feee82da9905f491a151635564f12cd7807517
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: ruby193-rubygem-katello security update
Advisory ID: RHSA-2016:1083-01
Product: Red Hat Satellite 6
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1083
Issue date: 2016-05-16
CVE Names: CVE-2016-3072
=====================================================================
1. Summary:
An update for ruby193-rubygem-katello is now available for Red Hat
Satellite 6.1.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Satellite 6.1 - noarch
3. Description:
Red Hat Satellite is a system management solution that allows
organizations to configure and maintain their systems without the
necessity to provide public Internet access to their servers or
other client systems. It performs provisioning and configuration
management of predefined standard operating environments.
Security Fix(es):
* An input sanitization flaw was found in the scoped search parameters
sort_by and sort_order in the REST API. An authenticated user could use
this flaw to perform an SQL injection attack on the Katello back end
database. (CVE-2016-3072)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running applications using the ruby193 collection must be restarted for
this update to take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1322050 - CVE-2016-3072 Katello: Authenticated sql injection via sort_by and sort_order request parameter
6. Package List:
Red Hat Satellite 6.1:
Source:
ruby193-rubygem-katello-2.2.0.86-1.el6_6sat.src.rpm
noarch:
ruby193-rubygem-katello-2.2.0.86-1.el6_6sat.noarch.rpm
Red Hat Satellite 6.1:
Source:
ruby193-rubygem-katello-2.2.0.86-1.el7sat.src.rpm
noarch:
ruby193-rubygem-katello-2.2.0.86-1.el7sat.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-3072
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXOwjCXlSAg2UNWIIRAgtoAJ4xhEN8aoD+t+tpSwumwh9rFrCDkgCfYIVD
XVqXXWyJt+5iCKpF1nVJVho=
=uvbF
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce