[RHSA-2016:1083-01] Important: ruby193-rubygem-katello security update

bugzilla at redhat.com bugzilla at redhat.com
Tue May 17 12:04:43 UTC 2016 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: ruby193-rubygem-katello security update
Advisory ID:       RHSA-2016:1083-01
Product:           Red Hat Satellite 6
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1083
Issue date:        2016-05-16
CVE Names:         CVE-2016-3072 
=====================================================================

1. Summary:

An update for ruby193-rubygem-katello is now available for Red Hat
Satellite 6.1.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Satellite 6.1 - noarch

3. Description:

Red Hat Satellite is a system management solution that allows
organizations to configure and maintain their systems without the
necessity to provide public Internet access to their servers or 
other client systems. It performs provisioning and configuration 
management of predefined standard operating environments.

Security Fix(es):

* An input sanitization flaw was found in the scoped search parameters
sort_by and sort_order in the REST API. An authenticated user could use
this flaw to perform an SQL injection attack on the Katello back end
database. (CVE-2016-3072)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running applications using the ruby193 collection must be restarted for
this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1322050 - CVE-2016-3072 Katello: Authenticated sql injection via sort_by and sort_order request parameter

6. Package List:

Red Hat Satellite 6.1:

Source:
ruby193-rubygem-katello-2.2.0.86-1.el6_6sat.src.rpm

noarch:
ruby193-rubygem-katello-2.2.0.86-1.el6_6sat.noarch.rpm

Red Hat Satellite 6.1:

Source:
ruby193-rubygem-katello-2.2.0.86-1.el7sat.src.rpm

noarch:
ruby193-rubygem-katello-2.2.0.86-1.el7sat.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-3072
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXOwjCXlSAg2UNWIIRAgtoAJ4xhEN8aoD+t+tpSwumwh9rFrCDkgCfYIVD
XVqXXWyJt+5iCKpF1nVJVho=
=uvbF
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list