It was reported that when making an SSL connection to an LDAP authentication source in Foreman, the remote server certificate is accepted without any verification against known certificate authorities. This can allow the LDAP connection between Foreman and the LDAP server to be attacked, and a different LDAP server could be contacted to authenticate users to Foreman.

Initial report: https://bugzilla.redhat.com/show_bug.cgi?id=1194393
Upstream bug: http://projects.theforeman.org/issues/9858
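An added example, not code from Foreman or from the linked patch, illustrating the behaviour described in the report above. It uses only Ruby's standard openssl and socket libraries (no LDAP client library, so the LDAP protocol itself is omitted; only the TLS handshake matters here). A local listener presents a self-signed certificate and plays the "different LDAP server"; the client is then run once the way the report describes (VERIFY_NONE, so any certificate is accepted) and three times with VERIFY_PEER, an explicit trust store and a hostname check. All certificate names, the scenario labels and the helper names are constructed for this example; the 2048-bit keys and 1-hour validity are arbitrary choices.

```ruby
require 'openssl'
require 'socket'

# Constructed for this example: a self-signed certificate that stands in for a
# server certificate or a CA certificate. Not a Foreman or LDAP artefact.
def self_signed_cert(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = rand(1 << 32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{common_name}", false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# A TLS listener on 127.0.0.1 that presents +cert+ to every client, completes
# (or fails) the handshake and closes. This plays the "different LDAP server".
def start_tls_server(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  listener = TCPServer.new('127.0.0.1', 0)
  thread = Thread.new do
    loop do
      tcp = begin
        listener.accept
      rescue IOError, SystemCallError
        break # listener closed by run_demo
      end
      begin
        ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
        ssl.sync_close = true
        ssl.accept
        ssl.close
      rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
        tcp.close rescue nil # the client refused our certificate
      end
    end
  end
  [listener.addr[1], listener, thread]
end

# Connect as a client. :accepted means the handshake (and, under VERIFY_PEER,
# the hostname check) succeeded; :rejected means OpenSSL refused the server.
def try_connect(port, verify_mode, trusted_cert = nil, expected_host = 'ldap.example.test')
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_mode
  store = OpenSSL::X509::Store.new      # explicit trust store: empty unless we add to it
  store.add_cert(trusted_cert) if trusted_cert
  ctx.cert_store = store
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  ssl.sync_close = true
  ssl.hostname = expected_host          # SNI
  ssl.connect                           # chain verification happens here under VERIFY_PEER
  # VERIFY_PEER only proves the chain; the name in the certificate must be checked separately.
  ssl.post_connection_check(expected_host) if verify_mode == OpenSSL::SSL::VERIFY_PEER
  ssl.close
  :accepted
rescue OpenSSL::SSL::SSLError
  ssl&.close rescue nil
  :rejected
end

# Four scenarios against one listener presenting a certificate no real CA issued.
def run_demo
  server_key, server_cert = self_signed_cert('ldap.example.test')   # what the rogue server presents
  _unused_key, corp_ca    = self_signed_cert('root-ca.example.test') # what the admin actually trusts
  port, listener, thread  = start_tls_server(server_key, server_cert)
  {
    # The reported behaviour: nothing is verified, so the rogue server is accepted.
    verify_none:            try_connect(port, OpenSSL::SSL::VERIFY_NONE),
    # Fixed client: the certificate does not chain to the trusted CA, handshake refused.
    verify_peer_unknown_ca: try_connect(port, OpenSSL::SSL::VERIFY_PEER, corp_ca),
    # Fixed client talking to a server whose certificate the admin installed as trusted.
    verify_peer_trusted:    try_connect(port, OpenSSL::SSL::VERIFY_PEER, server_cert),
    # Trusted issuer, but the name in the certificate is not the host we meant to reach.
    verify_peer_wrong_name: try_connect(port, OpenSSL::SSL::VERIFY_PEER, server_cert, 'other.example.test'),
  }
ensure
  listener&.close
  thread&.join(2)
end

puts run_demo.inspect if __FILE__ == $PROGRAM_NAME
```

The two things to take from the run: VERIFY_NONE accepts the substituted server outright, which is the attack the report describes, and VERIFY_PEER on its own only proves that the certificate chains to something in the trust store; without the separate hostname check, any certificate that trusted CA has issued would be accepted for the LDAP host. In a real deployment the trust store would be the system CA bundle or the LDAP server's CA file rather than a certificate built in memory.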
Created attachment 1010546 [details] CVE-2015-1816 patch
Created attachment 1010547 [details] CVE-2015-1816 monkey patch for older versions
Pull request: https://github.com/theforeman/foreman/pull/2265
This issue has been addressed in the following products: Red Hat Satellite 6.1 Via RHSA-2015:1591 https://access.redhat.com/errata/RHSA-2015:1591
This issue has been addressed in the following products: Red Hat Satellite 6.1 Via RHSA-2015:1592 https://access.redhat.com/errata/RHSA-2015:1592