-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: ruby193-rubygem-katello security update Advisory ID: RHSA-2016:1083-01 Product: Red Hat Satellite 6 Advisory URL: https://access.redhat.com/errata/RHSA-2016:1083 Issue date: 2016-05-16 CVE Names: CVE-2016-3072 ===================================================================== 1. Summary: An update for ruby193-rubygem-katello is now available for Red Hat Satellite 6.1. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Satellite 6.1 - noarch 3. Description: Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments. Security Fix(es): * An input sanitization flaw was found in the scoped search parameters sort_by and sort_order in the REST API. An authenticated user could use this flaw to perform an SQL injection attack on the Katello back end database. (CVE-2016-3072) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running applications using the ruby193 collection must be restarted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1322050 - CVE-2016-3072 Katello: Authenticated sql injection via sort_by and sort_order request parameter 6. Package List: Red Hat Satellite 6.1: Source: ruby193-rubygem-katello-2.2.0.86-1.el6_6sat.src.rpm noarch: ruby193-rubygem-katello-2.2.0.86-1.el6_6sat.noarch.rpm Red Hat Satellite 6.1: Source: ruby193-rubygem-katello-2.2.0.86-1.el7sat.src.rpm noarch: ruby193-rubygem-katello-2.2.0.86-1.el7sat.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-3072 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXOwjCXlSAg2UNWIIRAgtoAJ4xhEN8aoD+t+tpSwumwh9rFrCDkgCfYIVD XVqXXWyJt+5iCKpF1nVJVho= =uvbF -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce