[RHSA-2015:0830-01] Important: openstack-foreman-installer security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: openstack-foreman-installer security update
Advisory ID: RHSA-2015:0830-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0830.html
Issue date: 2015-04-16
CVE Names: CVE-2015-1842
=====================================================================

1. Summary:

Updated Red Hat Enterprise Linux OpenStack Platform Installer packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

OpenStack Foreman - noarch, x86_64

3. Description:

Red Hat Enterprise OpenStack Platform Installer is a deployment management tool. It provides a web user interface for managing the installation and configuration of remote systems. Deployment of changes is performed using Puppet. Additionally, Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Preboot Execution Environment (PXE), and Trivial File Transfer Protocol (TFTP) services can be provided. Controlling these services also enables provisioning of physical systems that do not yet have an operating system installed.

It was discovered that the puppet manifests, as provided with the openstack-puppet-modules package, would configure the pcsd daemon with a known default password. If this password was not changed and an attacker was able to gain access to pcsd, they could potentially run shell commands as root. (CVE-2015-1842)

Note: This flaw only affects Red Hat Enterprise Linux OpenStack Platform installations deployed using the HA feature set.

For additional information on addressing this flaw see:
https://access.redhat.com/articles/1396123

This issue was discovered by Alessandro Vozza of Red Hat.

The augeas package has been upgraded to version 1.0.0-7, which provides a number of bug fixes over the previous version. (BZ#1198236)

This update also fixes the following bug:

* A problem with cloned constraints for neutron caused RHEL OpenStack Platform deployments to fail. This update corrects the cloned constraints, and deployments are now successful. (BZ#1209628)

All Red Hat Enterprise Linux OpenStack Platform Installer users are advised to upgrade to these updated packages, which correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1198236 - Update augeas to match 6.6 z-stream
1201875 - CVE-2015-1842 openstack-puppet-modules: pacemaker configured with default password
1209628 - rubygem-staypuft: A4 RHOS5 deployment failed with: /usr/sbin/pcs constraint order start neutron-ovs-cleanup then start neutron-netns-cleanup returned 1 instead of one of [0]

6. Package List:

OpenStack Foreman:

Source:
augeas-1.0.0-7.el6_6.1.src.rpm
openstack-foreman-installer-2.0.34-1.el6ost.src.rpm
openstack-puppet-modules-2014.1.2-1.el6ost.src.rpm
rhel-osp-installer-0.4.7-2.el6ost.src.rpm
ruby193-rubygem-staypuft-0.4.15-1.el6ost.src.rpm

noarch:
openstack-foreman-installer-2.0.34-1.el6ost.noarch.rpm
openstack-puppet-modules-2014.1.2-1.el6ost.noarch.rpm
rhel-osp-installer-0.4.7-2.el6ost.noarch.rpm
ruby193-rubygem-staypuft-0.4.15-1.el6ost.noarch.rpm
ruby193-rubygem-staypuft-doc-0.4.15-1.el6ost.noarch.rpm

x86_64:
augeas-1.0.0-7.el6_6.1.x86_64.rpm
augeas-debuginfo-1.0.0-7.el6_6.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-1842
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVMAUBXlSAg2UNWIIRAtpnAJ0RB6jwIPtPWg0bmqovOnAAlDDjWgCeNIIN
KIougE5tJoMkMAIHcTEVBv0=
=VVVn
-----END PGP SIGNATURE-----
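The practical question an operator has after reading an advisory like this one is whether the installed packages are already at the fixed level. The script below is an added example, not part of the advisory or Red Hat's tooling: it takes the fixed name-version-release values from section 6 of the advisory, implements rpm's version comparison (rpmvercmp) in Python, and reports which installed packages are still older than the fix. The sample `rpm -qa`-style package list is constructed for illustration; the `installed_packages()` helper queries a live host with `rpm -q` and is only meaningful on an RPM-based system. Note that a package at the fixed level only means the fixed manifests are present; the advisory's note and linked article still apply to HA deployments where the pcsd password was set by the old manifests.

```python
"""Check installed RPM name-version-release strings against RHSA-2015:0830.

Added example; not Red Hat code. Fixed versions are copied from the
advisory's package list (section 6).
"""
import re
import subprocess

# name -> (version, release) of the fixed packages named in the advisory.
FIXED = {
    "openstack-foreman-installer": ("2.0.34", "1.el6ost"),
    "openstack-puppet-modules": ("2014.1.2", "1.el6ost"),
    "rhel-osp-installer": ("0.4.7", "2.el6ost"),
    "ruby193-rubygem-staypuft": ("0.4.15", "1.el6ost"),
    "ruby193-rubygem-staypuft-doc": ("0.4.15", "1.el6ost"),
    "augeas": ("1.0.0", "7.el6_6.1"),
    "augeas-debuginfo": ("1.0.0", "7.el6_6.1"),
}

# rpmvercmp segments: runs of digits, runs of letters, and the '~' marker;
# every other character ('.', '_', '-') is a separator and is dropped.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Compare two version/release strings like rpm's rpmvercmp().

    Numeric segments compare as integers, alphabetic ones lexically, a numeric
    segment is newer than an alphabetic one, '~' sorts before everything
    (pre-releases), and leftover segments make a string newer. Returns -1/0/1.
    """
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    while ta or tb:
        x = ta[0] if ta else None
        y = tb[0] if tb else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            ta.pop(0)
            tb.pop(0)
            continue
        if x is None or y is None:
            break
        ta.pop(0)
        tb.pop(0)
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if not ta and not tb:
        return 0
    return 1 if ta else -1


def parse_nvr(nvr):
    """Split 'name-version-release[.arch][.rpm]' into (name, version, release)."""
    s = nvr[:-4] if nvr.endswith(".rpm") else nvr
    base, _, tail = s.rpartition(".")
    if tail in ("noarch", "x86_64", "i686", "src"):
        s = base
    name, version, release = s.rsplit("-", 2)
    return name, version, release


def needs_update(nvr):
    """True if older than the advisory's fix, False if at/after it,
    None if the advisory does not cover this package name."""
    name, version, release = parse_nvr(nvr)
    if name not in FIXED:
        return None
    fixed_version, fixed_release = FIXED[name]
    cmp = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return cmp < 0


def audit(nvrs):
    """Map each covered package string to whether it still needs the update."""
    result = {}
    for nvr in nvrs:
        verdict = needs_update(nvr)
        if verdict is not None:
            result[nvr] = verdict
    return result


def installed_packages():
    """Query the local rpm database for the advisory's packages (live host only)."""
    fmt = "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n"
    out = subprocess.run(["rpm", "-q", "--qf", fmt, *FIXED],
                         capture_output=True, text=True).stdout
    # rpm prints "package X is not installed" for absent packages; skip those.
    return [line for line in out.splitlines() if not line.endswith("is not installed")]


# Constructed sample of `rpm -qa` output: two packages behind the fix, two at it,
# one unrelated package that the advisory does not cover.
SAMPLE = [
    "openstack-puppet-modules-2014.1.1-3.el6ost.noarch",
    "openstack-foreman-installer-2.0.34-1.el6ost.noarch",
    "augeas-1.0.0-5.el6_5.1.x86_64",
    "rhel-osp-installer-0.4.7-2.el6ost.noarch",
    "bash-4.1.2-29.el6.x86_64",
]

if __name__ == "__main__":
    for nvr, old in audit(SAMPLE).items():
        print(("NEEDS UPDATE  " if old else "ok            ") + nvr)
```

On a real host replace `SAMPLE` with `installed_packages()`; the comparison logic is the same. The `~` and leading-zero rules matter for release strings such as `7.el6_6.1`, which is why a plain string comparison is not enough.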