Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1105369 - (CVE-2014-0007) CVE-2014-0007 foreman-proxy: smart-proxy remote command injection
CVE-2014-0007 foreman-proxy: smart-proxy remote command injection
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
urgent Severity urgent
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1105413 1109016 1111008
Blocks: 1105370
  Show dependency treegraph
Reported: 2014-06-05 21:04 EDT by Kurt Seifried
Modified: 2016-04-26 15:17 EDT (History)
22 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-07-08 19:06:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0770 normal SHIPPED_LIVE Critical: foreman-proxy security update 2014-06-19 13:18:14 EDT

  None (edit)
Description Kurt Seifried 2014-06-05 21:04:02 EDT
Lukas Zap of Red Hat reports:

The smart proxy contains a check in tftp.rb to ensure that a specific web URL 
exists and is valid, this check is vulnerable to a command injection 
Comment 3 Garth Mollett 2014-06-18 22:13:05 EDT
Public via: http://projects.theforeman.org/issues/6086
Comment 4 Murray McAllister 2014-06-18 23:52:10 EDT

This issue was discovered by Lukas Zapletal of Red Hat.
Comment 6 errata-xmlrpc 2014-06-19 09:18:25 EDT
This issue has been addressed in following products:

  OpenStack 4 for RHEL 6
  OpenStack 3 for RHEL 6

Via RHSA-2014:0770 https://rhn.redhat.com/errata/RHSA-2014-0770.html

Note You need to log in before you can comment on or make changes to this bug.