=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: CFME 5.4.4 bug fixes, and enhancement update
Advisory ID:       RHSA-2015:2620-01
Product:           Red Hat CloudForms
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2620.html
Issue date:        2015-12-16
Cross references:  RHBA-2014:19011
CVE Names:         CVE-2015-7502
=====================================================================

1. Summary:

Updated cfme packages that fix a security issue, several bugs, and add various enhancements are now available for Red Hat CloudForms 3.2.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.4 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

A privilege escalation flaw was discovered in CloudForms, where in certain situations, CloudForms could read encrypted data from the database and then write decrypted data back into the database. If the database was then exported or log files generated, a local attacker might be able to gain access to sensitive information. (CVE-2015-7502)

This update also fixes several bugs. Documentation for these changes is available in the Release Notes linked to in the References section.

All CFME users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/

5. Bugs fixed (https://bugzilla.redhat.com/):

1222659 - RHOS: Fleecing an image throws following error in evm.log file
1265757 - Reconfigure service button gives 404
1268320 - VM provision dialog shows incorrect cpu count for RHEV CFME templates
1268905 - Internal DB Password Configuration breaks when password contains non-alphanum characters
1268983 - No root filesystem found when running SSA on images in OSP with Ceph
1269380 - WEB-UI: "Action not implemented [vm_infra/explorer]" when navigating from MySettings page to Virtual Machines page
1270305 - Request: "'nil' is not an ActiveModel-compatible object" error when on approve request screen
1272484 - UI: Missing partial error when trying to view a Request
1273519 - UI: Reports Menu Editor - Does not display flash message to indicate that folder name already in use
1273535 - Changing the default filter settings and navigating to that page displays blank screen.
1275782 - Cloud Provisioning dialogs do not apply RBAC filtering to resources displayed in dialog fields
1276353 - CFME should not use OpenStack adminURL endpoints for any services
1276411 - [RFE] Provide VHD Image for Microsoft SCVMM support
1277624 - DateTime control returns the wrong date/time if the chosen date/time is in less than 1h
1278062 - Wrong breadcrumb path when navigating between Provider screens using dashboard maintab
1280342 - UI exception when sorting Host's users
1281850 - Dashboards are not displayed if a user only has "view" permission on dashboards
1283019 - CVE-2015-7502 CloudForms: insecure password storage in PostgreSQL database
1285065 - 5.4.4 missing product cert for rhscl

6. Package List:

CloudForms Management Engine 5.4:

Source:
cfme-5.4.4.2-1.el6cf.src.rpm
cfme-gemset-5.4.4.2-1.el6cf.src.rpm

x86_64:
cfme-5.4.4.2-1.el6cf.x86_64.rpm
cfme-appliance-5.4.4.2-1.el6cf.x86_64.rpm
cfme-debuginfo-5.4.4.2-1.el6cf.x86_64.rpm
cfme-gemset-5.4.4.2-1.el6cf.x86_64.rpm
cfme-lib-5.4.4.2-1.el6cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-7502
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_CloudForms/3.2/html/Release_Notes/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
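The flaw class in the Description section (an encrypted column decrypted on a loaded row and the whole row written back, leaving plaintext in the table and in any later export) is illustrated below with a constructed Ruby example. This is added illustration, not CloudForms code: the in-memory hash "database", the AES key, the `v2:` ciphertext marker and all function names are assumptions, not CFME's real storage format.

```ruby
require 'openssl'

# Constructed demo key and ciphertext marker; CFME's real key material and
# storage format are not modelled here.
DEMO_KEY = OpenSSL::Digest::SHA256.digest('constructed-demo-key')
CIPHERTEXT_PREFIX = 'v2:'

def encrypt(plain)
  c = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  c.key = DEMO_KEY
  iv = c.random_iv                      # fresh IV per value, stored in front of the ciphertext
  CIPHERTEXT_PREFIX + [iv + c.update(plain) + c.final].pack('m0')
end

def decrypt(stored)
  raw = stored.delete_prefix(CIPHERTEXT_PREFIX).unpack1('m0')
  c = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  c.key = DEMO_KEY
  c.iv = raw[0, 16]
  c.update(raw[16..-1]) + c.final
end

def encrypted?(value)
  value.start_with?(CIPHERTEXT_PREFIX)
end

# Flawed pattern: the secret column is decrypted "in place" on the loaded row
# and the whole row is written back, so plaintext replaces ciphertext in the table.
def vulnerable_save(db, id)
  row = db[id].dup
  row[:password] = decrypt(row[:password])
  db[id] = row
end

# Hardened pattern: the decrypted value lives only in a local, a new value is
# encrypted before assignment, and the write path refuses to store a secret
# column that is not ciphertext.
def fixed_save(db, id, new_password = nil)
  row = db[id].dup
  plaintext = decrypt(row[:password])  # transient use only, never assigned back
  row[:password] = encrypt(new_password) if new_password
  row[:password] = encrypt(row[:password]) unless encrypted?(row[:password])
  db[id] = row
  plaintext.length                     # caller gets something derived, not the column
end

# Check to run over a database export: which rows hold the secret column in the clear?
def plaintext_secrets(db)
  db.select { |_id, row| !encrypted?(row[:password]) }.keys
end
```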