
Red Hat Security Advisory 2019-4201-01

Posted Dec 13, 2019
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2019-4201-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Issues addressed include a denial of service vulnerability.

tags | advisory, web, denial of service, ruby
systems | linux, redhat
advisories | CVE-2019-16892
MD5 | 08e20393122a6da4e8925ddc027a47b1


Red Hat Security Advisory

Synopsis: Moderate: CloudForms 5.0.1 security, bug fix and enhancement update
Advisory ID: RHSA-2019:4201-01
Product: Red Hat CloudForms
Advisory URL: https://access.redhat.com/errata/RHSA-2019:4201
Issue date: 2019-12-12
Cross references: RHBA-2019:40571
CVE Names: CVE-2019-16892

1. Summary:

An update is now available for CloudForms Management Engine 5.11.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.11 - noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* cfme: rubygem-rubyzip denial of service via crafted ZIP file

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
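The fix named above concerns a ZIP file whose deflate stream expands far beyond what its header declares. The following pure-Ruby reader is an added illustration of the defensive pattern, not code from the advisory or from rubyzip: it inflates one entry in small input slices and aborts the moment the output exceeds the declared uncompressed size or a deployment cap. The helper names, the single-entry layout (local header only, no central directory) and the constructed "A"-filled payload are assumptions made for the example.

```ruby
require 'zlib'

# Build a minimal single-entry ZIP (local file header + raw-deflate data).
# The central directory is omitted: the reader below only needs the local
# header, and declared_size lets us construct an entry that lies about its size.
def build_zip_entry(name, payload, declared_size: payload.bytesize)
  d = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  data = d.deflate(payload, Zlib::FINISH)
  d.close
  # sig, version, flags, method=8 (deflate), mtime, mdate, crc32,
  # compressed size, declared uncompressed size, name len, extra len
  header = [0x04034b50, 20, 0, 8, 0, 0, Zlib.crc32(payload),
            data.bytesize, declared_size, name.bytesize, 0].pack('Vv5V3v2')
  header + name + data
end

# Inflate one entry without trusting its header: reject a declared size above
# the cap, and stop as soon as the real output overshoots the declared size.
def safe_extract(zip, max_bytes: 1 << 20)
  sig, _v, _f, method, _t, _d, crc, csize, usize, fnlen, exlen = zip.unpack('Vv5V3v2')
  raise 'not a local file header' unless sig == 0x04034b50
  raise 'unsupported compression method' unless method == 8
  raise "declared size #{usize} exceeds cap #{max_bytes}" if usize > max_bytes
  start = 30 + fnlen + exlen          # fixed 30-byte header, then name + extra
  zs = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = +''
  (start...start + csize).step(64) do |off|
    len = [64, start + csize - off].min
    out << zs.inflate(zip.byteslice(off, len))
    # deflate expands at most ~1032:1, so one 64-byte slice adds at most ~66 KB
    # before this check fires; memory use stays bounded even for a bomb.
    raise "entry inflates past declared size #{usize}" if out.bytesize > usize
  end
  raise 'truncated deflate stream' unless zs.finished?
  raise 'CRC mismatch' unless Zlib.crc32(out) == crc
  out
ensure
  zs&.close
end

if __FILE__ == $PROGRAM_NAME
  honest = build_zip_entry('a.txt', 'A' * 200_000)
  puts "honest entry: #{safe_extract(honest).bytesize} bytes"
  crafted = build_zip_entry('a.txt', 'A' * 200_000, declared_size: 10)
  begin
    safe_extract(crafted)
  rescue RuntimeError => e
    puts "crafted entry rejected: #{e.message}"
  end
end
```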

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document linked to in the
References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:


If the postgresql service is running, it will be automatically restarted
after installing this update. After installing the updated packages, the
httpd daemon will be restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1713400 - [RFE] Cloud Key pair don't have relationships with owner and group that build this key
1730066 - Unable to view AWS keypair list as tenant_administrator
1747179 - [Regression] [ActionView::Template::Error] undefined method `tenant_group?' while setting ownership for key pairs
1767548 - Remove .py extension from calls to virt-v2v-wrapper
1767549 - Run the preflight check of migration task before waiting for a conversion host
1767550 - [RFE] Add ability to remove all snapshots asynchronously
1767645 - [RFE] Hide the Configuration -> Database screen
1767646 - Unassigned buttons of a Service shows when its Catalog Item has custom buttons
1767647 - Unable to access "Automate/Requests" tab for a role without exposing "Service/Requests"
1767648 - Server Error (API) when creating Orchestration Template with duplicate content
1767656 - [Regression] Unable to capture memory metric from Azure instances
1767659 - Chargeback report preview fails
1767660 - Service Requests Requester dropdown not sorted
1767774 - appliance_console_cli returns 0 on failure
1767775 - [RFE] Add AWS Bahrain region to CFME
1767776 - [RFE] - Update Host/Node filter to reflect supported versions of ESX
1767777 - Typo on list of Host/Nodes global filters -- Status / Orphaned
1767783 - [RFE] Dis-allow the addition of ESX hosts directly
1767784 - Unable to receive "generalize" event from Azure after generalizing an instance
1767786 - API should not declare HTTP DELETE verb on pxe_servers collection
1767788 - The UI warning about RSA is deprecated and not true anymore.
1767789 - Passwords stored in variables(extra_vars) are visible in clear text in the Appliance evm.log
1767790 - there are exceptions "rescue in type_cast" in logs in global and remote region appliances
1767791 - Chargeback reports not working
1767796 - Add support for VM conversion host in RHV
1767809 - UI crashes when going to Details of Azure Network Port somehow associated to Load Balancers
1767810 - Traceback when clicking on Overview > Chargeback > Reports
1767811 - [RHV] Last Boot Time is "N/A" for VM if you shutdown guest
1767818 - [Regression] top_output.log only showing ruby and not the process names
1767819 - unable to remove duplicate guest devices due to memory
1767821 - [RFE] Remove list view button on my service sui page if there is no use of it
1767823 - [RFE] Generic Object builder tab cycle missing the add (commit) remove buttons
1767824 - multiple workers start the same retirement when retirement date is reached
1767833 - [UI] Erroneous behavior of spinner and spinner box in advanced search loading
1767834 - Refresh of OpenShift provider in CloudForms happen to panic apiserver
1767835 - Changing groups with a user assigned to multiple groups logs out of appliance
1767836 - Choice in Drop Down that References Category (Tag Control Item) is Incorrect
1767837 - [RFE] Automating the generation of widget content Via RESTAPI
1767880 - evm.log is full of error messages "cannot obtain exclusive access to locked queue"
1767881 - Host creds validation fails if host's ssh key has changed before
1767885 - [RFE] VMware guests are incorrectly marked as linked_clone true, remove attribute
1767886 - [RFE] custom service catalog icons being deleted are not actually deleted
1767895 - [NoMethodError]: undefined method `path' for nil:NilClass Method:[block (2 levels) in <class:LogProxy>] during scheduled NFS backup
1767896 - Lifecycle retirement fails for user that no longer has groups
1767901 - [RFE] automate method to delete a tag from a category
1768456 - Date picker takes a date previous to what is selected in the dialog
1768517 - [RFE] validate infra mappings
1768520 - [v2v] Ordering a migration plan, that contains MIGRATED VM/s, fails with an unclear error message.
1768525 - Remove Automate code for TransformationHost
1768530 - Add conversion host validation for config params
1768576 - Sporadic 404 Error when deleting custom button on generic object class
1768638 - [RFE] Import/export schedules to replicate on other sites
1771298 - CVE-2019-16892 cfme: rubygem-rubyzip denial of service via crafted ZIP file
1771737 - ping endpoint fails with "Error caught: [ActionView::MissingTemplate] Missing template ping/index"
1773666 - [RFE] Custom button: generic class level button deletion not showing a specific flash message
1773667 - Incorrect flash when custom button under generic object class is deleted
1775684 - Need the ability to configure the appliance for SAML using the appliance console CLI.

6. Package List:

CloudForms Management Engine 5.11:




These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.