Bug 1063915

Summary: Apply RHSA-2014-0148 fixes to Spacewalk
Product: [Community] Spacewalk
Reporter: Grant Gainey <ggainey>
Component: Server
Assignee: Grant Gainey <ggainey>
Status: CLOSED CURRENTRELEASE
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: high
Priority: unspecified
Version: 2.1
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Fixed In Version: spacewalk-java-2.1.148-1, spacewalk-web-2.1.55-1, spacewalk-branding-2.1.27-1
Doc Type: Bug Fix
Last Closed: 2014-03-04 12:37:22 UTC
Type: Bug
Bug Blocks: 1069560

Description Grant Gainey 2014-02-11 16:01:36 UTC
Satellite security-errata RHSA-2014-0148 was released on 10-FEB to fix the following Satellite BZs:

882000 CVE-2012-6149 Satellite, Spacewalk: XSS in system.addNote XML-RPC call due improper sanitization of note's subject and content

1022687 CVE-2012-6149 Server: Satellite, Spacewalk (spacewalk-java): XSS in system.addNote XML-RPC call due improper sanitization of note's subject and content

915467 vulnerabilities in satellite server web interface

923464 CVE-2013-1869 Satellite/Spacewalk: header injection flaw

923467 CVE-2013-1871 Satellite/Spacewalk: XSS in EditAddress page

979452 CVE-2013-4415 Red Hat Satellite, Spacewalk: PAGE_SIZE_LABEL_SELECTED cross-site scripting (XSS)

1022683 CVE-2013-4415 Server: Red Hat Satellite, Spacewalk: PAGE_SIZE_LABEL_SELECTED cross-site scripting (XSS)

This BZ tracks applying the pertinent patches to Spacewalk.

Comment 1 Grant Gainey 2014-02-11 16:57:16 UTC
Fixed by the following commits:

1d0f4b4a78ea03d9f2d05fbd52236b1f2ab68e85
041c2dd067f91f22087c9be6bb264d00c9ffdd0b
c41c87a9dc9dac771eb761dd63ada05b2f9104f9
6727a332466ef4339747b35fe5a639afefb8e584
431663ba6b2d1631afc4bca018c31f1661fe1263
cfda69feffd04cb3280ed4c87e420ef446777839
13351dd38339ae3635196894ae73c5dbb9058b99

Comment 2 Grant Gainey 2014-02-11 19:36:21 UTC
Perl-side commit: 
a1447d9a892756af6d90f9c6d7454c9630ca03d6

Comment 3 Matej Kollar 2014-03-04 13:08:40 UTC
Spacewalk 2.1 has been released.
https://fedorahosted.org/spacewalk/wiki/ReleaseNotes21

Comment 4 Matej Kollar 2014-03-04 13:09:10 UTC
Spacewalk 2.1 has been released.
https://fedorahosted.org/spacewalk/wiki/ReleaseNotes21