-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Low: openstack-heat-templates security update Advisory ID: RHSA-2014:0579-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0579.html Issue date: 2014-05-29 CVE Names: CVE-2014-0040 CVE-2014-0041 CVE-2014-0042 ===================================================================== 1. Summary: An updated openstack-heat-templates package that fixes three security issues is now available Red Hat Enterprise Linux OpenStack Platform 4.0. The Red Hat Security Response Team has rated this update as having Low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux OpenStack Platform 4.0 - noarch 3. Description: OpenStack Orchestration (heat) is a template-driven engine used to specify and deploy configurations for Compute, Storage, and OpenStack Networking. It can also be used to automate post-deployment actions, which in turn allows automated provisioning of infrastructure, services, and applications. Orchestration can also be integrated with Telemetry alarms to implement auto-scaling for certain infrastructure resources. The openstack-heat-templates package provides heat example templates and image building elements for the openstack-heat package. It was discovered that certain heat templates used HTTP to insecurely download packages and signing keys via Yum. An attacker could use this flaw to conduct man-in-the-middle attacks to prevent essential security updates from being installed on the system. (CVE-2014-0040) It was found that certain heat templates disabled SSL protection for various Yum repositories (sslverify=false). An attacker could use this flaw to conduct man-in-the-middle attacks to prevent essential security updates from being installed on the system. (CVE-2014-0041) It was discovered that certain heat templates disabled GPG signature checking of packages via Yum (gpgcheck=0). An attacker could use this flaw to conduct man-in-the-middle attacks to install arbitrary packages on the system. (CVE-2014-0042) These issues were discovered by Grant Murphy of the Red Hat Product Security Team. All openstack-heat-templates users are advised to upgrade to this updated package, which corrects these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1059514 - CVE-2014-0040 OpenStack openstack-heat-templates: use of HTTP to download signing keys/code 1059515 - CVE-2014-0041 OpenStack openstack-heat-templates: use of HTTPS url and sslverify=false 1059520 - CVE-2014-0042 OpenStack openstack-heat-templates: setting gpgcheck=0 for signed packages 6. Package List: Red Hat Enterprise Linux OpenStack Platform 4.0: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOS/SRPMS/openstack-heat-templates-0-0.3.20140407git.el6ost.src.rpm noarch: openstack-heat-templates-0-0.3.20140407git.el6ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0040.html https://www.redhat.com/security/data/cve/CVE-2014-0041.html https://www.redhat.com/security/data/cve/CVE-2014-0042.html https://access.redhat.com/security/updates/classification/#low 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTh6TEXlSAg2UNWIIRAksGAKC2niKX/sc3il6xbsd7ScbrZpxIrwCgiO0I S+sPQATQbTSS8Gm6jxXH69M= =m1tU -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce