=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: CloudForms 4.6.5 security, bug fix and enhancement update
Advisory ID:       RHSA-2018:3466-01
Product:           Red Hat CloudForms
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:3466
Issue date:        2018-11-05
Cross references:  RHSA-2018:2561
CVE Names:         CVE-2018-1000544
=====================================================================

1. Summary:

An update is now available for CloudForms Management Engine 5.9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.9 - x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* rubyzip: arbitrary file write vulnerability / arbitrary code execution
using a specially crafted zip file (CVE-2018-1000544)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1592571 - Service Dialog Editor localization in French Incomplete
1593001 - CVE-2018-1000544 rubyzip: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file
1599349 - API with an invalid zone name kill the appliance
1603026 - Vim Performance States Table Causing Region to Lock up During a Vacuum
1607409 - The remote_ws_url value does not failover if the appliance is stopped, so "api_url" can be incorrect in an Ansible playbook
1607438 - Alerts do not trigger and do not send email notification
1608368 - Ansible Jobs Causing State Machine to Fail due to Inactivity Threshold Exceeding 0
1608770 - custom buttom page empty
1612905 - internal server error when cloud_tenants or flavors subcollection is requested on infra provider
1613333 - Couldn't find EmsFolder with 'id'
1613420 - OpenStack deletion gives problem
1615465 - Using database wildcard `%25` in VM queries causes exception, returns 500 to client
1618800 - Open URL Does Not Work When Using a DIalog with a Button
1618805 - CloudForms tries to collect metrics from OCP despite not being configured for it
1618807 - [RFE] Restore VM ownership and retirement during migration
1618808 - Migrations linking jobs and miq_tasks could take long time when upgrading to 5.9
1619431 - [v2v] Network Missing in Infra Mapping
1619654 - [v2v] Schedule Unschedule Migration does not seem to work correctly
1621441 - Change VMware URI to connect directly to ESXi
1621445 - Default Dashboard can't be updated
1621449 - Fix displaying disk type of a VM created from template and passing clone parameter to RHV
1622631 - reports using "group by" on date show a total column per vm instead of showing a total at the end of the report
1622652 - Service Retirement runs twice for direct service children
1623557 - virt-v2v Fails with IMS when Using AD Credentials for VMware Provider
1623559 - [RFE] Add state_machine_phase attribute to transformation state machines
1623560 - Dynamic Text Area and Text Box Elements Load Even Though Load on Init is not Marked
1623561 - displaying -Child Orchestration Stacks- throwing UI error
1623563 - unable to generate chargeback based on metering for vms with traceback in logs
1623565 - Add log messages to Chargeback
1623573 - unable to add disk to vm via rest-api vm reconfiguration on vmware [request backport from existing commit]
1623582 - Change in chargeback report logging output
1625249 - Read Action Forbidden When User Tries to Attach Cloud Volume OpenStack
1625323 - UI breaks when viewing instance details.
1625376 - Wrong timezone when selecting retirement time
1626143 - Storage Domain ignored on provisioning
1626219 - nuage refresh fails - undefined method `[]' ... security_groups
1626474 - Handle service retirement date in service dialog
1628348 - Update to Azure Government endpoint
1628657 - Unable to retry Embedded Ansible method in a state machine
1629089 - [RFE] Add more RAM options size to life cycle dialog
1629090 - [SSUI] Able to create snapshot with memory on powered down VM
1629094 - Make the checkbox column in the column view not click-able
1629121 - When a button is for 'single and list' or 'list' and has a visibility expression, the button does not display in the list view even when all VMs in the list meet the expression
1629124 - giving volume name shouldn't be mandatory in case of Openstack instance provisioning
1629125 - OSP domain user seen objects from other domain tenants
1629126 - [RFE] Add support to oVirt provider to set VM memory and CPU
1629127 - UI Monitor Alerts page is slow to load and when clicking on link it shows blank page with no alerts
1629129 - Cannot add Ansible Tower or refresh already added Ansible Tower
1629897 - Memory threshold set from Workers tab doesn't work
1630938 - Refactor restoring VM attributes during migration
1631557 - Unable to provision VM with "choose automatic option"
1631817 - Not able to access Openstack instance console from selfservice portal
1632769 - Triggered Refresh Still Occurs for Dialog After Changing Type to Static
1634032 - To be able to add and create reports, the edit report role is needed.
1634808 - Password hashes in Automate Log
1635038 - VMware vCloud Provider's vApp Provisioning Dialog Cannot be Submitted
1635764 - Power management via API falling into the wrong zone leading to permanently queued requests
1637035 - Add transformation utils methods
1637185 - [RHV] ISO provisioning fails with undefined SDK method
1637720 - Unable to see chargeback rate under rates accordion
1638684 - VMware vCloud Provider's vApp Service Cannot be Fully Retired
1639300 - Unable to perform chargeback assignments for compute
1639413 - When ordering a service via the API the service dialog is not executed
1639877 - Can't change Server's Zone
1641670 - [regression][Custom Button] Unexpected error encountered in infrastructure and datastore object type when method and dialog both attached
1641810 - undefined method `find_tagged_with' for # [miq_request/show_list]

6. Package List:

CloudForms Management Engine 5.9:

Source:
ansible-tower-3.2.7-1.el7at.src.rpm
cfme-5.9.5.3-1.el7cf.src.rpm
cfme-amazon-smartstate-5.9.5.3-1.el7cf.src.rpm
cfme-appliance-5.9.5.3-1.el7cf.src.rpm
cfme-gemset-5.9.5.3-1.el7cf.src.rpm

x86_64:
ansible-tower-3.2.7-1.el7at.x86_64.rpm
ansible-tower-server-3.2.7-1.el7at.x86_64.rpm
ansible-tower-setup-3.2.7-1.el7at.x86_64.rpm
ansible-tower-ui-3.2.7-1.el7at.x86_64.rpm
ansible-tower-venv-ansible-3.2.7-1.el7at.x86_64.rpm
ansible-tower-venv-tower-3.2.7-1.el7at.x86_64.rpm
cfme-5.9.5.3-1.el7cf.x86_64.rpm
cfme-amazon-smartstate-5.9.5.3-1.el7cf.x86_64.rpm
cfme-appliance-5.9.5.3-1.el7cf.x86_64.rpm
cfme-appliance-common-5.9.5.3-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.9.5.3-1.el7cf.x86_64.rpm
cfme-appliance-tools-5.9.5.3-1.el7cf.x86_64.rpm
cfme-debuginfo-5.9.5.3-1.el7cf.x86_64.rpm
cfme-gemset-5.9.5.3-1.el7cf.x86_64.rpm
cfme-gemset-debuginfo-5.9.5.3-1.el7cf.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-1000544
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.6/html/release_notes

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
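The rubyzip issue in section 3 is an arbitrary file write from a crafted archive, the class of bug where an entry name resolves outside the directory the archive is being unpacked into. As an added illustration, not code from this advisory or from rubyzip, the pure-Ruby check below reads the entry names an archive declares in its central directory and rejects any that would land outside the destination; the archive builder, the destination path /srv/unpack and the sample entries are constructed here for the demonstration.

```ruby
require "zlib"
LOCAL_SIG = "PK\x03\x04".b
CD_SIG    = "PK\x01\x02".b
EOCD_SIG  = "PK\x05\x06".b

# Resolve an entry name under dest_dir; return nil for anything that would
# land outside it: absolute names, ".." segments, or prefix tricks such as
# "../unpack2/x" that only share the leading characters of the base path.
def safe_extract_path(dest_dir, entry_name)
  return nil if entry_name.empty? || entry_name.start_with?("/")
  base = File.expand_path(dest_dir)
  target = File.expand_path(File.join(base, entry_name))
  return nil if target == base
  target.start_with?(base + File::SEPARATOR) ? target : nil
end

# Read entry names from the central directory, the record an extractor uses
# when unpacking. bytes must be a binary string (e.g. from File.binread).
def zip_entry_names(bytes)
  eocd = bytes.rindex(EOCD_SIG) or raise "no end-of-central-directory record"
  count, _cd_size, pos = bytes[eocd + 10, 10].unpack("vVV")
  Array.new(count) do
    raise "bad central directory entry" unless bytes[pos, 4] == CD_SIG
    nlen, elen, clen = bytes[pos + 28, 6].unpack("vvv")
    name = bytes[pos + 46, nlen]
    pos += 46 + nlen + elen + clen
    name
  end
end

# Entry names that must be rejected before extracting into dest_dir.
def unsafe_entries(bytes, dest_dir)
  zip_entry_names(bytes).reject { |n| safe_extract_path(dest_dir, n) }
end

# Build a minimal stored (uncompressed) archive so the check runs offline.
def build_zip(entries)
  local, cd = "".b, "".b
  entries.each do |name, data|
    off = local.bytesize
    common = [0, 0, 0, 0, Zlib.crc32(data), data.bytesize, data.bytesize, name.bytesize, 0]
    local << LOCAL_SIG << [10, *common].pack("vvvvvVVVvv") << name << data
    cd << CD_SIG << [10, 10, *common, 0, 0, 0, 0, off].pack("vvvvvvVVVvvvvvVV") << name
  end
  local + cd + EOCD_SIG + [0, 0, entries.size, entries.size, cd.bytesize, local.bytesize, 0].pack("vvvvVVv")
end

# Constructed sample: one benign entry, one ".." traversal, one absolute name.
SAMPLE_ZIP = build_zip([["docs/readme.txt", "hello\n"],
                        ["../../tmp/escaped.txt", "x\n"], ["/abs/escaped.txt", "y\n"]])
```

Symlink entries and archives whose local-header names differ from the central-directory names are separate concerns this name check does not cover.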