
Security vulnerability in the CloudForms software package

  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LRH


Red Hat Security Advisory

Synopsis: Moderate: CloudForms 5.0.1 security, bug fix and enhancement update
Advisory ID: RHSA-2019:4201-01
Product: Red Hat CloudForms
Advisory URL:
Issue date: 2019-12-12
Cross references: RHBA-2019:40571
CVE Names: CVE-2019-16892

1. Summary:

An update is now available for CloudForms Management Engine 5.11.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

CloudForms Management Engine 5.11 – noarch, x86_64

3. Description:

Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments. CloudForms Management Engine is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

Security Fix(es):

* cfme: rubygem-rubyzip denial of service via crafted ZIP file

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
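The rubyzip fix listed above addresses denial of service from a crafted archive; the defensive pattern is to never trust an entry's declared uncompressed size. The following is an added example, not CloudForms or rubyzip code: a pure-Ruby snippet that contrasts a size check that trusts the header field with bounded extraction that counts real output bytes. The header layout is the standard ZIP local file header; the cap, entry struct and helper names are this example's own assumptions.

```ruby
require 'zlib'

# Added example, not CloudForms or rubyzip code: extract one ZIP local-file
# entry while treating the header's uncompressed-size field as untrusted.
# Every name below (SIG, CAP, Entry, the helpers) is this example's own.
SIG = "PK\x03\x04".b        # local file header signature
CAP = 64 * 1024             # hypothetical per-entry output byte cap
class EntryTooLarge < StandardError; end
class SizeMismatch < StandardError; end
Entry = Struct.new(:name, :method, :compressed_size, :declared_size, :data)

# Build a deflate entry; declared_size lets a test spoof the size field,
# which is how a crafted archive defeats checks that trust the header.
def build_entry(name, data, declared_size = data.bytesize)
  z = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  body = z.deflate(data, Zlib::FINISH)
  z.close
  [SIG, 20, 0, 8, 0, 0, Zlib.crc32(data), body.bytesize, declared_size,
   name.bytesize, 0].pack('a4vvvvvVVVvv') + name + body
end

def parse_entry(bytes)
  sig, _ver, _flags, meth, _time, _date, _crc, csize, usize, nlen, xlen =
    bytes.unpack('a4vvvvvVVVvv')
  raise ArgumentError, 'not a local file header' unless sig == SIG
  Entry.new(bytes[30, nlen], meth, csize, usize, bytes[30 + nlen + xlen, csize])
end

# The unsafe pattern: the only size check is the attacker-controlled field.
def naive_size_ok?(entry, cap = CAP)
  entry.declared_size <= cap
end

# The safe pattern: inflate in small input slices, count real output bytes
# as they appear, stop at the cap, and finally require the header to agree.
def inflate_bounded(entry, cap = CAP)
  raise ArgumentError, 'deflate entries only' unless entry.method == 8
  z = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = ''.b
  entry.data.bytes.each_slice(64) do |slice|
    out << z.inflate(slice.pack('C*'))
    raise EntryTooLarge, "#{entry.name}: over #{cap} bytes" if out.bytesize > cap
  end
  raise ArgumentError, 'truncated deflate stream' unless z.finished?
  z.close
  if out.bytesize != entry.declared_size
    raise SizeMismatch, "#{entry.name}: header says #{entry.declared_size}, got #{out.bytesize}"
  end
  out
end
```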

Additional Changes:

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document linked to in the
References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

If the postgresql service is running, it will be automatically restarted
after installing this update. After installing the updated packages, the
httpd daemon will be restarted automatically.

5. Bugs fixed:

1713400 – [RFE] Cloud Key pair don’t have relationships with owner and group that build this key
1730066 – Unable to view AWS keypair list as tenant_administrator
1747179 – [Regression] [ActionView::Template::Error] undefined method `tenant_group?’ while setting ownership for key pairs
1767548 – Remove .py extension from calls to virt-v2v-wrapper
1767549 – Run the preflight check of migration task before waiting for a conversion host
1767550 – [RFE] Add ability to remove all snapshots asynchronously
1767645 – [RFE] Hide the Configuration -> Database screen
1767646 – Unassigned buttons of a Service shows when its Catalog Item has custom buttons
1767647 – Unable to access “Automate/Requests” tab for a role without exposing “Service/Requests”
1767648 – Server Error (API) when creating Orchestration Template with duplicate content
1767656 – [Regression] Unable to capture memory metric from Azure instances
1767659 – Chargeback report preview fails
1767660 – Service Requests Requester dropdown not sorted
1767774 – appliance_console_cli returns 0 on failure
1767775 – [RFE] Add AWS Bahrain region to CFME
1767776 – [RFE] – Update Host/Node filter to reflect supported versions of ESX
1767777 – Typo on list of Host/Nodes global filters — Status / Orphaned
1767783 – [RFE] Dis-allow the addition of ESX hosts directly
1767784 – Unable to receive “generalize” event from Azure after generalizing an instance
1767786 – API should not declare HTTP DELETE verb on pxe_servers collection
1767788 – The UI warning about RSA is deprecated and not true anymore.
1767789 – Passwords stored in variables(extra_vars) are visible in clear text in the Appliance evm.log
1767790 – there are exceptions “rescue in type_cast” in logs in global and remote region appliances
1767791 – Chargeback reports not working
1767796 – Add support for VM conversion host in RHV
1767809 – UI crashes when going to Details of Azure Network Port somehow associated to Load Balancers
1767810 – Traceback when clicking on Overview > Chargeback > Reports
1767811 – [RHV] Last Boot Time is “N/A” for VM if you shutdown guest
1767818 – [Regression] top_output.log only showing ruby and not the process names
1767819 – unable to remove duplicate guest devices due to memory
1767821 – [RFE] Remove list view button on my service sui page if there is no use of it
1767823 – [RFE] Generic Object builder tab cycle missing the add (commit) remove buttons
1767824 – multiple workers start the same retirement when retirement date is reached
1767833 – [UI] Erroneous behavior of spinner and spinner box in advanced search loading
1767834 – Refresh of OpenShift provider in CloudForms happen to panic apiserver
1767835 – Changing groups with a user assigned to multiple groups logs out of appliance
1767836 – Choice in Drop Down that References Category (Tag Control Item) is Incorrect
1767837 – [RFE] Automating the generation of widget content Via RESTAPI
1767880 – evm.log is full of error messages “cannot obtain exclusive access to locked queue”
1767881 – Host creds validation fails if host’s ssh key has changed before
1767885 – [RFE] VMware guests are incorrectly marked as linked_clone true, remove attribute
1767886 – [RFE] custom service catalog icons being deleted are not actually deleted
1767895 – [NoMethodError]: undefined method `path’ for nil:NilClass Method:[block (2 levels) in <class:LogProxy>] during scheduled NFS backup
1767896 – Lifecycle retirement fails for user that no longer has groups
1767901 – [RFE] automate method to delete a tag from a category
1768456 – Date picker takes a date previous to what is selected in the dialog
1768517 – [RFE] validate infra mappings
1768520 – [v2v] Ordering a migration plan, that contains MIGRATED VM/s, fails with an unclear error message.
1768525 – Remove Automate code for TransformationHost
1768530 – Add conversion host validation for config params
1768576 – Sporadic 404 Error when deleting custom button on generic object class
1768638 – [RFE] Import/export schedules to replicate on other sites
1771298 – CVE-2019-16892 cfme: rubygem-rubyzip denial of service via crafted ZIP file
1771737 – ping endpoint fails with “Error caught: [ActionView::MissingTemplate] Missing template ping/index”
1773666 – [RFE] Custom button: generic class level button deletion not showing a specific flash message
1773667 – Incorrect flash when custom button under generic object class is deleted
1775684 – Need the ability to configure the appliance for SAML using the appliance console CLI.

6. Package List:

CloudForms Management Engine 5.11:




These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

7. References:

8. Contact:

The Red Hat security contact is <>. More contact
details at

Copyright 2019 Red Hat, Inc.
RHSA-announce mailing list

Author: Toni Vugdelija
Cert id: NCERT-REF-2019-12-0001-ADV