Otkivena je sigurnosna ranjivost programskog paketa Red Hat Network Satellite Server. Udaljeni napadač može iskoristiti spomenuti propust za izvođenje napada uskraćivanja usluge.
Paket:
Red Hat Network Satellite Server 5.x
Operacijski sustavi:
Red Hat Enterprise Linux 6
Kritičnost:
6.4
Problem:
pogreška u programskoj komponenti
Iskorištavanje:
udaljeno
Posljedica:
uskraćivanje usluga (DoS)
Rješenje:
programska zakrpa proizvođača
CVE:
CVE-2012-1145
Izvorni ID preporuke:
RHSA-2012:0436-01
Izvor:
Red Hat
Problem:
Do propusta dolazi uslijed nepravilne autentikacijske i autorizacijske provjere u komponenti spacewalk-backend.
Posljedica:
Posljedica spomenutog problema je popunjavanje prostora u /var particiji, čime se onemogućava preuzimanje novih zakrpa i paketa.
Rješenje:
Svim se korisnicima navedenog programskog paketa, u svrhu zaštite sigurnosti, savjetuje njegova nadogradnja na novije inačice.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Network Satellite spacewalk-backend
security update
Advisory ID: RHSA-2012:0436-01
Product: Red Hat Network Satellite Server
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0436.html
Issue date: 2012-03-29
CVE Names: CVE-2012-1145
=====================================================================
1. Summary:
Updated spacewalk-backend packages that fix one security issue are now
available for Red Hat Network Satellite 5.4 on Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
2. Relevant releases/architectures:
Red Hat Network Satellite Server 5.4 (RHEL v.6) - noarch
3. Description:
Red Hat Network (RHN) Satellite is a systems management tool for
Linux-based infrastructures. It allows for provisioning, monitoring, and
remote management of multiple Linux deployments with a single, centralized
tool.
It was found that a remote attacker could upload packages to an RHN
Satellite server's NULL organization without any authorization or
authentication. (The NULL organization stores packages synced from RHN
Hosted.) Although an attacker cannot put packages into an arbitrary channel
and have client systems download them, they could use the flaw to consume
all the free space in the partition (/var/) used to store synced packages.
With no free space, Satellite would be unable to download updates and new
packages, preventing client systems from obtaining them. (CVE-2012-1145)
All users of Red Hat Network Satellite are advised to upgrade to these
updated packages, which correct this issue. For this update to take effect,
Red Hat Network Satellite must be restarted. Refer to the Solution section
for details.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
Run the following command to restart the Red Hat Network Satellite
server:
# rhn-satellite restart
5. Bugs fixed (http://bugzilla.redhat.com/):
800688 - CVE-2012-1145 satellite: remote package upload without authorization
6. Package List:
Red Hat Network Satellite Server 5.4 (RHEL v.6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHNSAT/SRPMS/spacewalk-backend-1.2.13-66.1.el6sat.src.rpm
noarch:
spacewalk-backend-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-app-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-applet-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-config-files-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-config-files-common-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-config-files-tool-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-iss-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-iss-export-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-libs-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-package-push-server-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-server-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-sql-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-sql-oracle-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-tools-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-upload-server-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-xml-export-libs-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-xmlrpc-1.2.13-66.1.el6sat.noarch.rpm
spacewalk-backend-xp-1.2.13-66.1.el6sat.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-1145.html
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFPdKvjXlSAg2UNWIIRAk3kAJ9C19Srj10DCRSnOhOUWDjTMMAb4ACgpJE+
tN6bDmGBYjo4ifGCu5cyFTk=
=o2Kr
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://www.redhat.com/mailman/listinfo/rhsa-announce
Posljednje sigurnosne preporuke