Bug 2000613

Summary: The login page exposes version of the satellite
Product: Red Hat Satellite
Reporter: Jaroslav Henner <jhenner>
Component: Security
Assignee: Anna Vitova <avitova>
Status: CLOSED ERRATA
QA Contact: Shweta Singh <shwsingh>
Severity: low
Docs Contact:
Priority: unspecified
Version: 6.10.0
CC: egolov, ehelms, ekohlvan, lzap, mhulan, pdragun, sshtein, tbrisker
Target Milestone: 6.12.0
Keywords: Triaged
Target Release: Unused
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: rubygem-foreman_theme_satellite-10.0.0.3-1,foreman-3.2.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-11-16 13:32:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jaroslav Henner 2021-09-02 13:55:26 UTC
Description of problem:
The login page displays the version of the Satellite. That simplifies the search for unpatched, vulnerable systems in the organization by an unauthenticated user.

Version-Release number of selected component (if applicable):
6.10

How reproducible:
Take a look at the login page of the running Satellite.

Steps to Reproduce:
1. Deploy Satellite
2. Go to the login page
3.

Actual results:
Version number on the login page.

Expected results:
Version number on the About page that is available through the top-right corner menu.

Additional info:

Comment 1 Lukas Zapletal 2021-09-03 10:18:02 UTC
We can probably add a setting to hide the version.

Comment 2 Brad Buckingham 2021-09-17 19:38:04 UTC
Ref: Bug 1929827 was created in the past requesting the same thing.  It is a duplicate; however, it was closed.

Comment 3 Jaroslav Henner 2021-11-22 10:00:46 UTC
Please let me note the default should be to hide it because of the so-called "power of defaults".

Comment 4 Lukas Zapletal 2021-11-23 09:34:22 UTC
After a very long discussion, we are going for a patch that will allow users to modify the text on the page. The default version will be something like "This is Satellite $VERSION" as our QA department needs to have the version visible on the login page for some tests. Users will be able to modify this as needed and it will survive upgrades (meaning they will only need to set this once).

Comment 5 Bryan Kearney 2021-12-18 20:05:34 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/33417 has been resolved.

Comment 9 Shweta Singh 2022-08-18 09:10:38 UTC
FailedQA

Tested Version: Satellite 6.12 Snap 4

Incorrect version displayed on the login page: it shows the Foreman version, but it is expected to display the Satellite version to make it backward compatible with previous Satellite versions.

Actual Result: 3.3.0

Expected Result: Satellite 6.12

Comment 10 Shweta Singh 2022-09-06 06:48:29 UTC
FailedQA

Tested Version: Satellite 6.12 Snap 9

The fix is not available in the current snap. It is expected to display the Satellite version to make it backward compatible with previous Satellite versions.

Actual Result: 3.3.0.6

Expected Result: Satellite 6.12

Comment 14 Shweta Singh 2022-09-19 08:52:46 UTC
Verified.

Version Tested: Satellite 6.12 Snap 11.0 
Foreman version: foreman-3.3.0.8-1.el8sat

Verification Steps:
1. Verify that the latest Satellite version is displayed on the login page of the Satellite UI by default.

Result:
"Version 6.12.0" displayed on login page.

Comment 15 Ron Lavi 2022-09-19 10:55:43 UTC
*** Bug 2105949 has been marked as a duplicate of this bug. ***

Comment 19 errata-xmlrpc 2022-11-16 13:32:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.12 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8506