====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Gluster Storage Web Administration security update
Advisory ID:       RHSA-2019:0265-01
Product:           Red Hat Gluster Storage
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0265
Issue date:        2019-02-04
CVE Names:         CVE-2018-7536 CVE-2018-7537 CVE-2018-14574
====================================================================

1. Summary:

Updated packages are now available for Red Hat Gluster Storage 3.4 Web
Administration Batch Update 3 on Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Gluster 3.4 Web Administration Node Agent on RHEL-7 - noarch
Red Hat Gluster 3.4 Web Administration on RHEL-7 - noarch, x86_64

3. Description:

Red Hat Gluster Storage Web Administration includes a fully automated setup
based on Ansible and provides deep metrics and insights into active Gluster
storage pools by using the Grafana platform. Red Hat Gluster Storage Web
Administration provides a dashboard view which allows an administrator to
get a view of overall gluster health in terms of hosts, volumes, bricks, and
other components of GlusterFS.

Security Fix(es):

* django: Catastrophic backtracking in regular expressions via 'urlize' and
  'urlizetrunc' (CVE-2018-7536)

* django: Catastrophic backtracking in regular expressions via
  'truncatechars_html' and 'truncatewords_html' (CVE-2018-7537)

* django: Open redirect possibility in CommonMiddleware (CVE-2018-14574)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.

Red Hat would like to thank the Django project for reporting CVE-2018-7536
and CVE-2018-7537.

Users of Red Hat Gluster Storage Web Administration with Red Hat Gluster
Storage are advised to upgrade to this updated package to fix these issues.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1549777 - CVE-2018-7536 django: Catastrophic backtracking in regular expressions via 'urlize' and 'urlizetrunc'
1549779 - CVE-2018-7537 django: Catastrophic backtracking in regular expressions via 'truncatechars_html' and 'truncatewords_html'
1609031 - CVE-2018-14574 django: Open redirect possibility in CommonMiddleware
1654338 - tendrl-commons doesn't specify minimal ansible version it requires
1655424 - Need to change graphite db initialization command in tendrl-ansible as per new graphite-web version-1.1.4-1
1655433 - Need to restrict few services port from outside access to web-admin
1658245 - graphite data migration process from graphite-web-0.X.X to graphite-web-1.X.X should done from tendrl-upgrade script
1659678 - Grafana unable to fetch data after updating graphite-web to 1.x.x
1660779 - After migration to graphite-1.1.4 the brick specific dashboards are not visible in grafana

6. Package List:

Red Hat Gluster 3.4 Web Administration Node Agent on RHEL-7:

Source:
tendrl-commons-1.6.3-15.el7rhgs.src.rpm
tendrl-node-agent-1.6.3-15.el7rhgs.src.rpm
tendrl-selinux-1.5.4-3.el7rhgs.src.rpm

noarch:
tendrl-collectd-selinux-1.5.4-3.el7rhgs.noarch.rpm
tendrl-commons-1.6.3-15.el7rhgs.noarch.rpm
tendrl-node-agent-1.6.3-15.el7rhgs.noarch.rpm
tendrl-selinux-1.5.4-3.el7rhgs.noarch.rpm

Red Hat Gluster 3.4 Web Administration on RHEL-7:

Source:
graphite-web-1.1.4-1.el7rhgs.src.rpm
python-cachetools-1.0.3-1.1.el7rhgs.src.rpm
python-carbon-1.1.4-1.el7rhgs.src.rpm
python-django-1.11.15-4.el7rhgs.src.rpm
python-django-tagging-0.4.6-1.el7rhgs.src.rpm
python-scandir-1.3-1.el7rhgs.src.rpm
python-whisper-1.1.4-1.el7rhgs.src.rpm
tendrl-ansible-1.6.3-11.el7rhgs.src.rpm
tendrl-api-1.6.3-10.el7rhgs.src.rpm
tendrl-commons-1.6.3-15.el7rhgs.src.rpm
tendrl-monitoring-integration-1.6.3-20.el7rhgs.src.rpm
tendrl-node-agent-1.6.3-15.el7rhgs.src.rpm
tendrl-selinux-1.5.4-3.el7rhgs.src.rpm

noarch:
carbon-selinux-1.5.4-3.el7rhgs.noarch.rpm
graphite-web-1.1.4-1.el7rhgs.noarch.rpm
python-cachetools-1.0.3-1.1.el7rhgs.noarch.rpm
python-carbon-1.1.4-1.el7rhgs.noarch.rpm
python-django-bash-completion-1.11.15-4.el7rhgs.noarch.rpm
python-django-tagging-0.4.6-1.el7rhgs.noarch.rpm
python-whisper-1.1.4-1.el7rhgs.noarch.rpm
python2-django-1.11.15-4.el7rhgs.noarch.rpm
python2-django-doc-1.11.15-4.el7rhgs.noarch.rpm
tendrl-ansible-1.6.3-11.el7rhgs.noarch.rpm
tendrl-api-1.6.3-10.el7rhgs.noarch.rpm
tendrl-api-httpd-1.6.3-10.el7rhgs.noarch.rpm
tendrl-commons-1.6.3-15.el7rhgs.noarch.rpm
tendrl-grafana-plugins-1.6.3-20.el7rhgs.noarch.rpm
tendrl-grafana-selinux-1.5.4-3.el7rhgs.noarch.rpm
tendrl-monitoring-integration-1.6.3-20.el7rhgs.noarch.rpm
tendrl-node-agent-1.6.3-15.el7rhgs.noarch.rpm
tendrl-selinux-1.5.4-3.el7rhgs.noarch.rpm

x86_64:
python-scandir-1.3-1.el7rhgs.x86_64.rpm
python-scandir-debuginfo-1.3-1.el7rhgs.x86_64.rpm

These packages are GPG signed by Red Hat for security.
Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-7536
https://access.redhat.com/security/cve/CVE-2018-7537
https://access.redhat.com/security/cve/CVE-2018-14574
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
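A check an administrator would want after reading the package list: compare what rpm reports for the affected packages against the fixed version-release pairs named in this advisory. This is an added example, not Red Hat's tooling; the rpm output it parses is constructed, and the comparison is a simplified rpmvercmp (epoch assumed 0, no tilde or caret handling).

```python
import re

# Fixed version-release pairs from this advisory's package list (epoch assumed 0).
FIXED = {
    "python2-django": ("1.11.15", "4.el7rhgs"),
    "graphite-web": ("1.1.4", "1.el7rhgs"),
    "tendrl-commons": ("1.6.3", "15.el7rhgs"),
    "tendrl-node-agent": ("1.6.3", "15.el7rhgs"),
    "tendrl-api": ("1.6.3", "10.el7rhgs"),
    "tendrl-monitoring-integration": ("1.6.3", "20.el7rhgs"),
}

def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare digit/alpha runs left to right; numeric
    beats alpha; a longer string wins on a shared prefix. Tilde/caret omitted."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(installed, fixed):
    """Compare (version, release) tuples: version decides unless equal."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])

def audit(rpm_query_output):
    """Map package name -> 'fixed' / 'vulnerable' for each line of
    rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\\n' output; unlisted names skipped."""
    result = {}
    for line in rpm_query_output.strip().splitlines():
        name, version, release = line.split()
        if name in FIXED:
            ok = vr_cmp((version, release), FIXED[name]) >= 0
            result[name] = "fixed" if ok else "vulnerable"
    return result

# Constructed sample of rpm output: Django still on a pre-advisory release.
SAMPLE = """python2-django 1.11.15 3.el7rhgs
graphite-web 1.1.4 1.el7rhgs
tendrl-commons 1.6.3 15.el7rhgs
"""
```

On a real host, replace SAMPLE with the output of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' <package names>` and call audit() on it.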