-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: spacewalk-java security and bug fix update Advisory ID: RHSA-2016:1484-01 Product: Red Hat Satellite Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1484.html Issue date: 2016-07-26 CVE Names: CVE-2016-3080 CVE-2016-3097 ===================================================================== 1. Summary: An update for spacewalk-java is now available for Red Hat Satellite 5.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Satellite 5.7 (RHEL v.6) - noarch 3. Description: Red Hat Satellite is a system management tool for Linux-based infrastructures. It allows for provisioning, monitoring, and the remote management of multiple Linux deployments with a single, centralized tool. Security Fix(es): * A stored cross-site scripting (XSS) flaw was found in the way spacewalk-java displayed monitoring probes. An attacker can embed HTML and Javascript in the values for RHNMD User or Filesystem parameters in Satellite, allowing them to inject malicious content into the web page that is then displayed with that probe data. (CVE-2016-3080) * A stored cross-site scripting (XSS) flaw was found in the way spacewalk-java displayed group names. An attacker can embed HTML and Javascript in the values for group names in Satellite, allowing them to inject malicious content into the web page that is then displayed when viewing the snapshot data. (CVE-2016-3097) These issues were discovered by Jan HutaA (Red Hat). 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 For this update to take effect, Red Hat Satellite must be restarted ("/usr/sbin/rhn-satellite restart"). 5. Bugs fixed (https://bugzilla.redhat.com/): 1320942 - CVE-2016-3080 spacewalk-monitoring: XSS issue in monitoring probe 1322710 - XSS when you create group with HTML via SSM or API and checks snapshot with this group join/leave 1322747 - CVE-2016-3097 spacewalk-java: Multiple XSS flaws 6. Package List: Red Hat Satellite 5.7 (RHEL v.6): Source: spacewalk-java-2.3.8-147.el6sat.src.rpm noarch: spacewalk-java-2.3.8-147.el6sat.noarch.rpm spacewalk-java-config-2.3.8-147.el6sat.noarch.rpm spacewalk-java-lib-2.3.8-147.el6sat.noarch.rpm spacewalk-java-oracle-2.3.8-147.el6sat.noarch.rpm spacewalk-java-postgresql-2.3.8-147.el6sat.noarch.rpm spacewalk-taskomatic-2.3.8-147.el6sat.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-3080 https://access.redhat.com/security/cve/CVE-2016-3097 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXlyjlXlSAg2UNWIIRApqsAKCW78XzQ565Q9/lSnGM/5ouXWKpMACeKQMI G0EVlAKbBgmdI0x4boIBCZ8= =lC7I -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce