RHN Satellite incorrectly exposed an obsolete XML-RPC API for configuring package group (comps.xml) files for channels. An authenticated user could use this flaw to gain access to arbitrary files accessible to the RHN Satellite server process, and prevent clients from performing certain yum operations.
This issue affects all Satellite 5.x releases (5.0, 5.1, 5.2, and 5.3).
The preliminary embargo date for this issue has been set up to Monday, 9-th of May, 2011.
(In reply to comment #37) The preliminary embargo date for this issue has been moved to earlier date, Monday, 11-th of April, 2011.
This issue has been addressed in following products: Red Hat Network Satellite Server v 5.3 Red Hat Network Satellite Server v 5.4 Via RHSA-2011:0434 https://rhn.redhat.com/errata/RHSA-2011-0434.html
Created spacewalk-backend tracking bugs for this issue Affects: fedora-all [bug 695494]