[Spacewalk-list] CVE-2020-1693

Muhammad Mosleh Uddin mmuddin at gmail.com
Sun Mar 15 21:07:22 UTC 2020


Hi.

I need to create a RHEL 8 repo on Spacewalk 2.9.
Could you please direct me or provide info.

On Tue, Mar 3, 2020 at 9:40 AM Michael Mraka <michael.mraka at redhat.com>
wrote:

> Laurence Rosen:
> > Was just alerted to this by our security org.  Are there any plans to patch this?
> > My seniors are looking into replacing spacewalk with something else if not.
> > As I'm not a programmer, I'm not sure how to apply the linked patch.  Does that patch need to be compiled into a new jar?
>
> Hello,
>
> the issue was fixed 3 weeks ago in Spacewalk nightly (and upcoming 2.10).
> There's no plan to fix it in 2.9. You can update it manually by
> downloading redstone-xmlrpc-1.1_20071120-21 from nightly repo.
>
> > ########
> > A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on the Spacewalk server.
> >
> > This is a 9.8 Critical and needs to be fixed as soon as possible.
> >
> > Please view the links below for information and steps for remediation:
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2020-1693
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1693
> >
> > https://zeroauth.ltd/blog/2020/02/18/proof-of-concept-exploit-for-cve-2020-1693-spacewalk/
> >
> > Upstream Fix:
> >
> > https://github.com/spacewalkproject/spacewalk/commit/74e28ec61d916c42061ef4347121650a1c962b0c
>
> Regards,
>
> --
> Michael Mráka
> System Management Engineering, Red Hat
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list



-- 
Muhammad Mosleh Uddin
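The advisory quoted above concerns entity handling in XML-RPC requests to the /rpc/api endpoint. As an added illustration, not code from this thread, from Spacewalk or from the redstone-xmlrpc library, here is a Python parser for XML-RPC request bodies that refuses any DOCTYPE, entity declaration or external entity reference before the document is interpreted, and caps the body size. The method name `example.echo`, the two sample request bodies and the `classify` helper are constructed for the example.

```python
"""Parse XML-RPC <methodCall> bodies with DTD and entity processing disabled.

Added example (not Spacewalk code): the server-side check a defender wants in
front of any XML-RPC endpoint. Rejecting the DOCTYPE outright removes both
internal-entity expansion (denial of service) and external entities (file
disclosure / SSRF) in one place.
"""
from dataclasses import dataclass, field
import xml.parsers.expat as expat

MAX_BODY_BYTES = 1 << 20  # assumed limit; oversized requests are refused early


class UnsafeXML(ValueError):
    """Request body carries a DOCTYPE, entity declaration or external reference."""


@dataclass
class _Node:
    tag: str
    text: str = ""
    children: list["_Node"] = field(default_factory=list)


def parse_xmlrpc_call(body: bytes) -> dict:
    """Return {'method': name, 'params': [...]} or raise UnsafeXML/ValueError."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("request body too large")

    p = expat.ParserCreate()
    # Never read parameter entities, so nothing is fetched out of band.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    # Exceptions raised inside expat handlers propagate out of Parse().
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} is not allowed in RPC requests")

    def reject_entity(*_args):
        raise UnsafeXML("entity declarations are not allowed")

    def reject_external(_context, _base, _sysid, _pubid):
        raise UnsafeXML("external entity references are not allowed")

    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity
    p.ExternalEntityRefHandler = reject_external

    # Build a minimal tree; only the predefined XML entities can appear now.
    root = _Node("")
    stack = [root]

    def start(tag, _attrs):
        node = _Node(tag)
        stack[-1].children.append(node)
        stack.append(node)

    def end(_tag):
        stack.pop()

    def chars(data):
        stack[-1].text += data

    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = chars
    try:
        p.Parse(body, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from None

    if not root.children or root.children[0].tag != "methodCall":
        raise ValueError("root element must be <methodCall>")
    call = root.children[0]
    names = [c.text.strip() for c in call.children if c.tag == "methodName"]
    if len(names) != 1 or not names[0]:
        raise ValueError("exactly one non-empty <methodName> is required")
    params = []
    for params_el in (c for c in call.children if c.tag == "params"):
        for param in (c for c in params_el.children if c.tag == "param"):
            values = [c for c in param.children if c.tag == "value"]
            if len(values) != 1:
                raise ValueError("<param> must hold exactly one <value>")
            params.append(_decode_value(values[0]))
    return {"method": names[0], "params": params}


def _decode_value(node: _Node):
    """Decode the XML-RPC scalar types this example supports."""
    if not node.children:          # bare <value>text</value> is a string
        return node.text
    typed = node.children[0]
    if typed.tag == "string":
        return typed.text
    if typed.tag in ("int", "i4"):
        return int(typed.text.strip())
    if typed.tag == "boolean":
        return typed.text.strip() == "1"
    raise ValueError(f"unsupported value type <{typed.tag}>")


def classify(body: bytes) -> str:
    """Label a request body for logging: accepted / rejected-unsafe / rejected-malformed."""
    try:
        parse_xmlrpc_call(body)
        return "accepted"
    except UnsafeXML:
        return "rejected-unsafe"
    except ValueError:
        return "rejected-malformed"


# Constructed sample bodies (not captured traffic).
GOOD_CALL = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>example.echo</methodName>
  <params>
    <param><value><string>hello</string></value></param>
    <param><value><int>42</int></value></param>
  </params>
</methodCall>
"""

DTD_CALL = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall [ <!ENTITY probe "not-allowed"> ]>
<methodCall><methodName>example.echo</methodName>
<params><param><value>&probe;</value></param></params></methodCall>
"""

if __name__ == "__main__":
    print(parse_xmlrpc_call(GOOD_CALL))
    print(classify(DTD_CALL))
```

Logging the `rejected-unsafe` outcome separately from ordinary parse errors gives a detection signal: legitimate XML-RPC clients never send a DOCTYPE, so any such request on /rpc/api is worth an alert.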