
Red Hat Security Advisory 2016-1634-02

Posted Aug 21, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-1634-02 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Security Fix: It was found that the CloudForms web UI did not properly filter input in certain fields. A remote, authenticated attacker could use this flaw to execute arbitrary code on the system running CloudForms.

tags | advisory, remote, web, arbitrary, ruby
systems | linux, redhat
advisories | CVE-2016-5383
SHA-256 | a0e74ea03e42d3d47a5568a6b9ce34190bfaefa720af6afb68b1c088099fa287

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: CFME 5.6.1 security, bug fix, and enhancement update
Advisory ID: RHSA-2016:1634-02
Product: Red Hat CloudForms
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1634.html
Issue date: 2016-08-18
Cross references: RHBA-2016:22329
CVE Names: CVE-2016-5383
=====================================================================

1. Summary:

An update for cfme is now available for Red Hat CloudForms 4.1.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.6 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* It was found that the CloudForms web UI did not properly filter input in
certain fields. A remote, authenticated attacker could use this flaw to
execute arbitrary code on the system running CloudForms. (CVE-2016-5383)

This issue was discovered by Eric Hayes (Red Hat).

Additional Changes:

This update also fixes several bugs and adds various enhancements.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1240443 - Catalog Item : Changing the provider template after filling all tabs shows error
1255389 - [Scale] - Large render time on Configure -> Configuration -> Access Control administration page with large scale environment
1273404 - Optimize Planning does not show duplicate VMs
1278003 - SmartState analysis fails for users Last Logon on RHEL7 hosts
1284084 - Refresh Relationships on SCVMM Provider throws ERROR if any VM contains 2 DVD drives.
1295523 - Editing catalog item when the template used is removed form provider : undefined method `fulltree_arranged' for nil:NilClass [catalog/tree_select]
1316842 - /System/Process/Event should not be displayed as a valid entry point for Automate Simulation
1335669 - Automate | Assertion with failed substitution should raise error
1337676 - Ceilometer events does not work with openstack mitaka
1338754 - Containers -- Providers -- Tile View - Port number is shown incorrectly
1338957 - [RFE] - Changes to the existing Utilisation Reporting for Red Hat products
1340072 - parent tenant name changes are not reflected via the api
1341665 - Error "Invalid input [cloud_volume/create]" on add new cloud volume
1341666 - UI: 'Perform SmartState Analysis' for Datastore shows wrong flash message(No Datastores were selected for Analysis)
1341667 - Smart State Analysis timed out scans are not displayed as "timed out" in CFME
1341668 - After selecting any container's Relationship from Containers List, the path label will show incorrect path
1341669 - remove delete cloud volume if its not supported
1341670 - Dialog content not fully displayed
1341671 - False flash message displayed when clicked on commit while importing service dialog
1342122 - monitoring button appears after policy button in the containers tab while appears before on all other pages
1342220 - Scale down compute node does not remove nova service from the removed compute node
1342221 - timeline page should not have dashboard and summary view
1342222 - inconsistency on the monitoring button between pages
1343515 - 5.6.0.8 memory usage is ~370MiB higher than 5.5.4.2 when idle
1343720 - Azure Smart State not capturing expected details for Ubuntu VM.
1343721 - missing scroll bar on capacity planning " Reference VM Selection "
1343723 - Remove "Middleware" from the Product features tree in Access control
1344050 - Replication stops if network connection is lost for over 60s
1344327 - Terminate instance term is confusing
1344328 - SSUI - Filters are not working correctly for "Pending" requests
1344329 - Flash message not displayed long enough on widget import/export page
1344330 - [ja_JP] Translation issues on cloud intelligence->reports->edit report menus page
1344331 - [ALL LANG] No fully localized on Clouds -> Providers page.
1346036 - [Bug] Optimize: Utilization by Classification Throws Exception
1346037 - VMware VM Reconfigure Add Disk fails when a new SCSI controller is needed
1346057 - Add container nodes, pods and replicators to Control
1346312 - [RFE] sort flavors by their size
1346443 - [RFE] GCE image not prepared for use on Google Compute Platform
1346909 - Retired instance can be resumed from provider side and it is not powered off.
1346951 - [RFE] "NoMethodError: undefined method `where' for MiqAeMethodService::MiqAeServiceClassification:Class"
1346956 - Tag Control issues on service dialogue imports between appliances
1346968 - Catalog Item : Editing a catalog item after deleting provider shows error
1346991 - [RFE] The OpenShift provider should use the proxy configured in CloudForms
1347018 - When quota source is group display quota exceed message for which the quota is validated for
1347695 - Unexpected error when sorting "instances" column in network manager security groups
1348221 - Apply button enabled after a failed attempt to upload invalid file for importing tags
1348630 - Show cloud Tenant field in cloud image summary page.
1348632 - CFME 4.0 session setting necessary for proper CFME operation in Load Balancer environment is no longer acceptable and causes worker failures
1348636 - [ALL LANG] Unlocalized strings on cloud intelligence->reports->dashboard widgets page.
1348638 - [RFE] - Need default validation for data type on TextBox fields when submitting Dialog (Web UI)
1348645 - [ja_JP] Translation issues on cloud intelligence->reports->import/export page
1348650 - Policy Simulation detail page blank for VM sub lists (i.e. on Provider or Host)
1348651 - Add new Cloud volume fails
1348989 - Start rhevm vm with use_cloud_init flag on first boot
1349060 - [ja_JP] Translation issues on Services -> Workloads -> Templates & Images page
1349061 - [ja_JP] Translation issues on cloud intelligence->chargeback->rates page
1349062 - [Scale] perf_capture_timer message timeout, cycles Generic/Priority Workers
1349063 - [RFE] Set API port to 13000 for SSL enabled Openstack providers
1349410 - Provider name should be included for Chargeback reports for infra and cloud VMs
1349414 - Unexpected error when clicked on upload button in import custom reports
1349417 - Reconfigure instance fails in html error
1349418 - Control/Simulation expand all icon is missing
1349419 - "Expand All" button is broken in container image compliance history
1349421 - memory metric not being rolled up to OSP Availability zones
1349426 - [Ansible Tower] Tower stack cannot be retired
1349427 - Policy profiles actions unclickable
1349482 - Since update cannot obtain tenant inventory data from OpenStack ( NON RH OPENSTACK VERSION! )
1349624 - Error:"no implicit conversion of Symbol into Integer" when clicked on download in VM comparison page
1349625 - Creating provisioning dialog with no type chosen(default used named Choose)
1349626 - Floating IPs have no displayed names in Grid View
1349627 - Hovering on 'Select host to validate against' drop down on Host credential page displays "<Choose&gt"
1349628 - Sorting select form is turn rounded in Virtual Machines
1349630 - "Adress" typo in sorting options
1349631 - Websockets icon missing in diagnostics
1349636 - Default view settings fails for some pages
1349637 - Remove Hand pointer from edit timeprofile page
1349869 - CFME provisioning on RHEV limited to max 4096GB of memory
1349876 - SSUI : Blank virtual machine row is displayed for service with no VM
1349988 - RBAC:Unexpected error when clicked on VM in "EVM: Recently Discovered VMs" widget of tenant user
1349989 - Services: Setting a Retirement Dates/ Retiring for a service shows error in log
1350448 - Azure request remains Active even after instance is fully provisioned
1350449 - CF does not notice RHEV VMs being suspended
1350592 - Error:Uninitialized constant ApplicationHelper in production.log when clicked on configured system in Red Hat Satellite Provider
1350593 - All Ansible tower provider configured systems are getting listed under satellite provider in accordion
1350594 - Error "uninitialized constant ProviderForemanController.." when downloading summary of inventory group in Ansible tower
1350842 - Warnings about session threshold
1350903 - Service order through API does not auto approve
1350904 - Widget import 'select all' button doesn't work
1350905 - 'Show host events' check box not needed on datastore bottleneck page
1350906 - Suspicious values in Chargeback for Containers
1351176 - Provisioning requests are not been transmitted successfully from the global region to the local region - getting "500 Internal Server Error" message
1351177 - Appliance_console crash
1351178 - RedHat Domain - Change placement methods to avoidA read-only datastores
1351669 - default repo's stored in the appliance are incorrect
1351674 - C&U : Performance metrics collection fails for Azure
1351678 - [Release Candidate] validation skipped on azure when subscription id is populated
1351696 - Unexpected error when clicked on download button in Timelines
1352011 - Cannot specify security_protocol when creating a cloud provider via the API
1352012 - Extra Vars not passed to Ansible Tower when using custom state machines in service catalog
1352014 - [Ansible Tower 3.0] Unsupported media type "application/x-www-form-urlencoded" in request
1352027 - Filters are missing in both cloud and infrastructure providers
1352134 - log: first installation shows git error in evm.log
1353201 - [RFE] Tagging on Ansible Template Jobs
1353228 - Key Pairs: wrong quadicon displayed
1353231 - Automate | Services | Remove ConfigureChildDialog method and state value.
1353233 - ManageIQ Automate domain cleanup
1353234 - Openstack cloud provider not disabled Timelines subbutton when no events available
1353235 - Monitoring button in EC2 cloud provider summary should be disabled
1353237 - Add India, Australia and US Gov regions for Azure
1353239 - Database garbage collection errs with undefined local variable or method `current_db_opts' for #<Class:0x00000003615bb8>
1353240 - Quota enforcement for user as quota source does not work
1353243 - Service : Azure service catalog request fails with error
1353253 - Configuration database pagination is broken for tables and indexes
1353255 - add instance to trigger miqevents from a button
1353258 - When clicked on reload button it throws an error in log:RoutingError (No route matches [POST] "/miq_capacity/reload")
1353260 - Error"undefined method `length' for nil:NilClass" in download link of template summary page
1353277 - Wrong html markup in SNMP section of an Alert
1353279 - Dashboard widgets menu Minimize/Maximize improper mouseover
1353285 - SCVMM Refresh fails if there is a Recovery Partition or a partition with no drive letter.
1353287 - RubyRep replication in CFME 5.5.3.4 failing in large multi region environment
1353288 - provision_requests call with a request_type "clone_to_vm" fails with undefined method datacenter_name
1353290 - UI Constants need to use delayed translations
1353292 - Tenant Quota widget needs formatting
1353294 - UX: Automate - Configuration button is not present in read-only domains until there is a writeable domain available
1353299 - Clear filter in datastores should lead to All Datastores
1353300 - All datastores add clear link after advanced search open and close
1353302 - Unexpected error encountered during reconfiguration
1353308 - hosts fail to archive upon provider deletion
1353310 - Importing a service dialog should invalidate Service Dialogs tree cache to rebuild it with current dialogs
1353323 - Inventory refresh doesn't work with version 4 of oVirt
1353324 - [ja_JP] Translations are missing in 'Cloud Intel' menu and its sub menu's pages
1353326 - [ja_JP, zh_CN] Many strings on Compute ->Containers -> Overview page are untranslated.
1353587 - New company tags not listed alphabetically
1353646 - In Network Providers are My Filters unclickable
1353647 - Sorting "Total Configured Systems" in Inventory Groups under Ansible Tower Provider fails.
1353651 - Unable to change zone setting of a configuration management provider
1353657 - Inconsistency in NOR values on VM summary page and Right size recommendation page
1353717 - Report listing empty after canceling "Add a new schedule"
1353719 - Azure Hard/Soft Reboot not working.
1353722 - CVE-2016-5383 CloudForms: Lack of field filters on user input
1353974 - Truncate miq_request user_message length.
1354562 - vms deployed in a multi-cluster rhevm environment are tied to the cluster of the template
1355785 - It should be possible to define/modify the relevant hawkular endpoint
1355786 - Incorrect options listed for host related actions while adding a schedule
1355787 - Cloud providers security groups back button redirects me to network manager
1355788 - Unexpected error when Navigating Configuration and clicked on simulate in custom button.
1355789 - Add OpenSCAP failed rules summary
1356133 - Advanced Setting screen only shows the first 24 lines until browser resize
1356251 - User_data is being base64 encoded twice causing init script to fail for Openstack provisioning
1356256 - [RFE] SSUI should be able to set locales separately from Operations UI
1356624 - Relationship links do not work within an OSE project
1356647 - Control Explorer: Error when clicking on Edit assignments for this Alert Profile button
1356659 - Edit report menus list is hiding items, which are not in square
1356703 - CF4.0 to CF4.1 upgrade breaks Networks/Networks UI
1356704 - Errno::ECONNREFUSED: Connection refused when dynamic dialog menus are set to refresh
1356705 - CFME 4.1 appliance fail to perform logrotate for /vmdb/log and postgresql pg_log directory log files
1356973 - Dialogue Input are truncated when submitted
1357519 - Empty Overview Menu
1357520 - Unable to create a new v2_key when the old one is removed
1358037 - Fix gulp ECMDERR on older node, by forcing plato to 1.4
1358303 - Container auto-tagging from labels breaks refresh on labels with empty value
1359075 - Error when clicking on custom buttons item under Automate -> Customization -> Buttons
1359150 - Error when retiring an orchestration stack from list view
1359155 - Summary Screens: Download Summary to PDF toolbar button is missing
1359295 - immediately after upgrade from CFME 4.0 TO cfme 4.1 UI requests to separate VMDB appliance are timing out-
1359785 - Service : Not able to provision more than certain number of VM's for Google Compute Engine
1359937 - Fields observed with interval send changes multiple times if focused multiple times
1359966 - In Control - Policy & PolicyProfile don't automatically expand *all* the nodes
1360330 - Scheduled reports are emailing ever few seconds rather then just 1
1360364 - Worker nice_delta is not set in 5.6.0.13
1360384 - No cross-linking of OpenShift node to OpenStack instance
1360772 - pods are named 'container groups' in the policy explorer right cell
1360901 - "Load error! (parseerror)" in Policy Profiles and Policies explorers
1361189 - UI: Group editor/summary screen throwing an error when user has more than 5000 tags
1361237 - Watermark VMs per Provider header mismatch
1361308 - [Ansible Tower] Unable to add provider - Add button not clickable
1361610 - RubyRep fails to start after 5.5 -> 5.6 migration
1361844 - Relationship links lead to wrong menu in OSE project
1362181 - Policies explorer is recursive, doesn't show policies
1362228 - Broken image for inactive Control Policy
1362271 - Constant lookup wasn't working properly
1362654 - Azure - Discover Azure provider throws errors.
1363808 - UI: When recovering from timeout parameter page is set to zero, and causes an error in rendering the show_list page.
1364061 - Container dashboard does not show 'Aggregated Node Utilization' unless appliance timezone is UTC
1364063 - Container Image SmartState Analysis duplicate tasks and errors
1365907 - Connection to Ceilometer fails in fog/openstack
1366359 - Missing option to configure smartstate temp space
1366360 - CFME appliance console showing ManageIQ branding

6. Package List:

CloudForms Management Engine 5.6:

Source:
cfme-5.6.1.2-1.el7cf.src.rpm
cfme-appliance-5.6.1.2-1.el7cf.src.rpm
cfme-gemset-5.6.1.2-1.el7cf.src.rpm
google-compute-engine-2.0.0-1.el7cf.src.rpm
google-config-2.0.0-1.el7cf.src.rpm

noarch:
google-compute-engine-2.0.0-1.el7cf.noarch.rpm

x86_64:
cfme-5.6.1.2-1.el7cf.x86_64.rpm
cfme-appliance-5.6.1.2-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.6.1.2-1.el7cf.x86_64.rpm
cfme-debuginfo-5.6.1.2-1.el7cf.x86_64.rpm
cfme-gemset-5.6.1.2-1.el7cf.x86_64.rpm
google-config-2.0.0-1.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
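The package list above is what an administrator uses to confirm that an appliance actually carries the fixed build. The following Ruby script is an added example, not part of the Red Hat advisory or of CloudForms: it compares installed package versions against the x86_64/noarch versions listed in section 6 using RPM's epoch/version/release ordering. It assumes input in the form produced by `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'`; the sample output embedded below is constructed for illustration.

```ruby
# Added example (not from the advisory): report cfme-related packages that are
# older than the builds shipped in RHSA-2016:1634. Fixed versions are copied
# from the advisory's "Package List" section.
FIXED = {
  "cfme"                  => ["5.6.1.2", "1.el7cf"],
  "cfme-appliance"        => ["5.6.1.2", "1.el7cf"],
  "cfme-gemset"           => ["5.6.1.2", "1.el7cf"],
  "google-compute-engine" => ["2.0.0",   "1.el7cf"],
  "google-config"         => ["2.0.0",   "1.el7cf"],
}.freeze

# Compare two RPM version (or release) strings the way rpmvercmp does:
# split into runs of digits and letters, compare numerically where both
# segments are numeric, otherwise lexically; a numeric segment is newer than
# an alphabetic one, and a tilde sorts before everything (pre-releases).
def rpmvercmp(a, b)
  return 0 if a == b
  sa = a.scan(/\d+|[A-Za-z]+|~/)
  sb = b.scan(/\d+|[A-Za-z]+|~/)
  loop do
    x, y = sa.shift, sb.shift
    return 0 if x.nil? && y.nil?
    return -1 if x == "~" && y != "~"
    return 1 if y == "~" && x != "~"
    next if x == "~" && y == "~"
    return -1 if x.nil?   # shorter string is older
    return 1 if y.nil?
    x_num = x.match?(/\A\d/)
    y_num = y.match?(/\A\d/)
    if x_num && y_num
      c = x.to_i <=> y.to_i
      return c unless c.zero?
    elsif x_num
      return 1
    elsif y_num
      return -1
    else
      c = x <=> y
      return c unless c.zero?
    end
  end
end

# Full EVR comparison: epoch first, then version, then release.
# "(none)" from rpm's %{EPOCH} converts to 0 via to_i.
def evr_cmp(e1, v1, r1, e2, v2, r2)
  c = e1.to_i <=> e2.to_i
  return c unless c.zero?
  c = rpmvercmp(v1, v2)
  return c unless c.zero?
  rpmvercmp(r1, r2)
end

# Return "name-version-release" for every listed package that is older than
# the fixed build. Input: one package per line, "NAME EPOCH VERSION RELEASE".
def vulnerable_packages(rpm_qa_output)
  rpm_qa_output.each_line.map do |line|
    name, epoch, ver, rel = line.split
    next unless name && (fixed = FIXED[name])
    next unless evr_cmp(epoch, ver, rel, "0", *fixed) < 0
    "#{name}-#{ver}-#{rel}"
  end.compact
end

# Constructed sample: an appliance where the gemset was updated but the two
# main cfme packages still run 5.6.0.13 (an earlier 5.6 build).
SAMPLE_RPM_QA = <<~RPM
  cfme (none) 5.6.0.13 1.el7cf
  cfme-appliance (none) 5.6.0.13 1.el7cf
  cfme-gemset (none) 5.6.1.2 1.el7cf
  google-config (none) 2.0.0 1.el7cf
  postgresql-server (none) 9.4.5 1.el7
RPM

if __FILE__ == $PROGRAM_NAME
  missing = vulnerable_packages(SAMPLE_RPM_QA)
  if missing.empty?
    puts "All packages from RHSA-2016:1634 are at or above the fixed versions."
  else
    puts "Packages still below the fixed version:"
    missing.each { |p| puts "  #{p}" }
  end
end
```

On a real appliance, pipe the `rpm -qa` query into `vulnerable_packages` instead of the constructed sample; any line it returns means the CVE-2016-5383 fix is not yet installed for that package. Comparing the full epoch/version/release rather than a plain string equality matters because a later errata build (higher release) must also count as fixed.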

7. References:

https://access.redhat.com/security/cve/CVE-2016-5383
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/release-notes/release-notes

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXthL3XlSAg2UNWIIRAkjRAKCdeI4t67GjvxC9AvoPUAMcoV4L6ACgw2p4
VYciMpFRaafl/zcLP33oz5g=
=8FB5
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce