—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: CloudForms 4.6.3 bug fix and enhancement update
Advisory ID: RHSA-2018:2184-01
Product: Red Hat CloudForms
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2184
Issue date: 2018-07-12
Cross references: RHSA-2018:1328
CVE Names: CVE-2018-10855
=====================================================================
1. Summary:
An update is now available for CloudForms Management Engine 5.9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
CloudForms Management Engine 5.9 – noarch, x86_64
3. Description:
Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.
Security fix(es):
* ansible: Failed tasks do not honour no_log option allowing for secrets to
be disclosed in logs (CVE-2018-10855)
Red Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for reporting
these issues.
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the
References section.
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1536677 – Simultaneous service catalog request do not honour quotas
1553227 – When editing ansible service catalog item the dialog radio button never appears
1553383 – [RFE] Switch default refresh to graph refresh for RHV provider
1553795 – [RFE] Move database maintenance to the application
1563745 – appliance console showing removed option db maintenance
1565845 – Service buttons do not attach $evm.root[‘service’]
1565925 – The value that is selected in the drop down is not passed to the $evm.root
1566570 – If the external network provider is unavailable CFME network provider throws unfriendly exception
1569170 – Help Documentation is only visible to users with super admin role
1571303 – [Regression] Unexpected error while opening GCE details page
1572760 – OSPD 13 Undercloud – Infrastructure Provider Network Manager does not refreshed
1574154 – Refresh Failing for VMware VIM object is too large
1574569 – OSPD 12 Undercloud – Infrastructure Provider refresh failed
1575713 – Unable to access the Help Documentation page due to “Authorization Error”
1576099 – total costs no longer showing in any chargeback report if they are the only columns in the report
1577247 – ansible-tower-setup installs several new non-Red Hat yum repositories
1578121 – [RHV] SSA is not retrieving file information from VM on RHV
1578124 – Incorrect storage type size in openstack cloud reports
1578125 – Cloud Volume creation error does not raise VM provision error
1578126 – VMDB backup is failing perhaps due to uninitialized constant MiqServer::WorkerManagement::Monitor::Dalli
1578388 – RHOSP11 metric collection stuck with error: Fog::Metric::OpenStack::NotFound
1578393 – Improving the error message of provisioning a VM via rest api with wrong vlan value
1578394 – openstack chargeback based on chargeback per vm does not show storage costs by storage types correctly
1578398 – Openshift container retirement
1578400 – Cannot create or edit report secondary (display) filter
1578856 – Compliance check is greyed out under VM summary screen when VM is selected but not when you click on the VM.
1578865 – Error upon successful SAML login when username contains capital letters
1578954 – Submit/Cancel buttons are not displayed on custom button dialogs for some service types
1578957 – Unable to restore database to any ha node in a cluster
1578964 – Create Volume failed: undefined method `my_zone’
1578972 – [QEDevCollab] C&U: discrepancy in rounding of data for Graphs and Table causing automation failures
1578976 – [Regression][Embedded Ansible] Ansible Catalog Item can be created without the Dialog
1578986 – “Choose” should be shown in ‘tag control’ dropdown default value , instead blank is shown.
1578990 – SUI does not show custom button dialog
1578996 – [RHV] When Graph refresh is ON, RHV provider refresh time is longer
1580520 – Adding interface to a router cause Unexpected error
1580535 – Refresh of a second dynamic dialog does not update the hash passed to $evm.object[‘values’] when another dialog is referenced
1581287 – [RHV] VM snapshot removal cause failure in RHV provider refresh
1581307 – When using dynamic multi select dialog elements the first element is always selected even if nil default is specified and it does not show up as selected in UI
1581386 – Dynamic dropdown doesn’t refresh correctly
1583704 – default selection of dropdown list is not displayed properly but still taken into account
1583710 – Unexpected Error when accessing SERVICE -> REQUESTS (undefined method find_tags_by_grouping)
1583777 – VMware vCloud Provider’s vApp Provisioning Reports Error When vApp Powered Off
1583779 – Tagging Ansible: Incorrect tag page opened for playbooks navigated through repository page
1583784 – xClarity: Wrong credentials and last refresh status when execute refresh cycle against a provider with invalid credentials
1583786 – chargeback reports based on vms with tags assigned show no records on generation
1583788 – UI Worker Exceeding Memory Trying to View Hosts for VMware Provider
1583851 – Ansible Job Times out at 300 seconds causing Automate State Machine to Fail
1584186 – CPU Utilization report graph shows dates on x axis in random order
1584296 – VMware vCloud Provider’s Provisioning dialog should be split in three tabs
1584406 – prov.set_vlan() method didn’t set the vnicprofiles identifier
1584687 – refresh_target_for_ems is not running in one of our environments
1584699 – VMware vCloud Provider’s VM should support hardware reconfigure
1585709 – Service dialog targeted element refresh is refreshing targeted items 22 times
1585745 – automation executed on field refresh are called twice in self service dialogs
1585821 – C&U data collection fails for GCE in 5.9
1586213 – Notification events are out of order
1588038 – RHV Snapshots: Reverting to “Active VM” throws “Cannot preview Active VM snapshot” in evm.log
1588042 – vm.hardware.nics[0].lan nil for RHV VMs
1588855 – CVE-2018-10855 ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs
1589837 – unable to export all service dialogs
1590346 – 400 Bad Request: When custom button used from infra provider object type with method and dialog both attached
1590353 – dropdown changed from dynamic to static won’t hold values
1590426 – [Embedded Ansible] Service Details Page has duplicate tabs
1590430 – [RFE] Create a built-in policy to prevent source VM from starting if transformation is complete.
1590846 – [RFE] create database.yml when creating a dedicated database to allow local migrations when upgrading
1591422 – Proxy Error when performing advanced search
1591423 – Physical Infrastructure Compliance Policies don’t have default event
1591425 – reading a dialog element from another dialog dynamic element fails until refreshing the dynamic element that reads the other dialog element
1591427 – Slow performance with displaying catalog order dialog
1591429 – CloudForms not collecting node level data from OpenShift
1591450 – unable to migrate from 5.6 to 5.9 due to to a database validation error
1591484 – Reconfigure service fields empty after deploying service
1591939 – Saved Report “2018-04-09 11:18:31 +03” not found, Schedule may have failed
1592414 – Not able to reconfigure VM
1592504 – [Regression] GCE provider refresh fails in CFME 5.9
1592852 – Grey background of grid view is styled differently in 5.9.2
1592913 – Changing number of UI Workers errors when using French or Japanese localization
1592973 – Domain prefix always included for Service Catalog Entry Points
1593677 – Chargeback scheduled report for the current month shows double rates and values as compared to previous one
1593684 – RHV provider full refresh fail on “undefined method `keys’ for “<some guid>”:String
1593797 – Lifecycle VM Provision and Publish VM to Template Unusable/Slow
1594027 – reports do not generate with timeout errors in logs
1594268 – Drop Down Dialog Does Not Honor the Order of Values as they are Inputted
1594275 – Users can see items which they don’t have permissions/access to under services they own
1594324 – Must Refresh UI to see Correct Tags of Datastore of vCenter VMware Provider
1594386 – Unable to download largest chargeback report on production
1594831 – The specify host values textbox is limited to 50 characters
1594833 – User defined custom attributes are deleted by RHV targeted refresh
1594839 – RHV provider target refresh fail on “undefined method `cluster'”, right after VM removal
1595324 – Cloudforms Automation not executing properly when multiple pods are created or killed in a short timeframe.
1595418 – Provisioning embedded ansible service dialog fails
1595734 – Regression Unable to Edit order of Drop Down List Entries when Editing Service Dialog
1596248 – Creating OpenStack Router with user in a Tenant should list shared external networks
1596249 – Normal user cannot select shared OpenStack network during VM provision
1596314 – Openstack Volume Snapshots are appearing when we try to provision a instance via Lifecycle.
6. Package List:
CloudForms Management Engine 5.9:
Source:
ansible-2.4.5.0-1.el7ae.src.rpm
ansible-tower-3.2.5-1.el7at.src.rpm
cfme-5.9.3.4-1.el7cf.src.rpm
cfme-amazon-smartstate-5.9.3.4-1.el7cf.src.rpm
cfme-appliance-5.9.3.4-1.el7cf.src.rpm
cfme-gemset-5.9.3.4-1.el7cf.src.rpm
httpd-configmap-generator-0.2.2-1.1.el7cf.src.rpm
noarch:
ansible-2.4.5.0-1.el7ae.noarch.rpm
ansible-doc-2.4.5.0-1.el7ae.noarch.rpm
x86_64:
ansible-tower-3.2.5-1.el7at.x86_64.rpm
ansible-tower-server-3.2.5-1.el7at.x86_64.rpm
ansible-tower-setup-3.2.5-1.el7at.x86_64.rpm
ansible-tower-ui-3.2.5-1.el7at.x86_64.rpm
ansible-tower-venv-ansible-3.2.5-1.el7at.x86_64.rpm
ansible-tower-venv-tower-3.2.5-1.el7at.x86_64.rpm
cfme-5.9.3.4-1.el7cf.x86_64.rpm
cfme-amazon-smartstate-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-common-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm
cfme-appliance-tools-5.9.3.4-1.el7cf.x86_64.rpm
cfme-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm
cfme-gemset-5.9.3.4-1.el7cf.x86_64.rpm
cfme-gemset-debuginfo-5.9.3.4-1.el7cf.x86_64.rpm
httpd-configmap-generator-0.2.2-1.1.el7cf.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2018-10855
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQIVAwUBW0dUcdzjgjWX9erEAQgfIxAApzbwJYyGKIwc7OAqP6qbn9lsVASiQTMT
ufQJx33VaZAYtfdt9GbTlkCcIX6QIojQBKt1nTQrq+ZzdhNVLpNvXF5kHMhrAhbE
sYWflpjnIWMOZe00WraCxUeePxNWatIKhhmnen0J4YhWV8k1mbTLL3sgwK5M+kxA
s3sr1pJtjd9E3OCXxSEOSQGD9LDrgaoW297toJx2zcKeI+Tb4TWy+zhBhsdAEfcW
25kwEIQPTCC764Z5M8wkbMxyWhc7ek/dRns6WpUloOdg+NlhsRvmGQl9DWKzmqob
XVMvdV0C8CtqXY4NHFfscvf3CmOZMGIZzhYJ3bW7uLl765eotAcWeTGbtbZE5eiO
1LAKnTWx44esbPre/7bUce7jibxHEhroq7T/hk0jlvgd02/vPJeY6JKSxKcYxiPn
WWEsruMeI/mKI6OuHbMIpB4Sp5pMPinjqKh/lv8uU1TtyyCxhPk34yJxoyGw7Zsc
Y4XH8yatyyoZnPMM4BygJG+EC2m6lHbUxA84SS75RV9CtFIMAbvtavOtC5xRb8rZ
A4ptn2FZTwz5vjxyfXVYpfc+FgEJReCLyMlw6+zvqPzo2xZe9nOz8FdxdcVLpfEf
xL/g/5QN1I3j7TiCww/XzrXnerSEjikQ9YKcamqEIzbv+IRQSBelZIwVZjiBlIVm
2QNuyZNbBj8=
=dJ6P
—–END PGP SIGNATURE—–
—
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce