Re: [Spacewalk-list] GPG keys for CentOS channels in Spacewalk

2020-03-03 Thread Stefan Bluhm
Hello Chen, 

the field GPG key on the channel setup is information for the package installer 
on the CLIENT. 

It tells the package installer on the client where to find the GPG key for 
these packages. You have to enter it from the client point of view (in the same 
format the client would use it). So no URL. It must be a client local file 
location. 

Best wishes, 

Stefan 


From: "Wenkai Chen"
To: "spacewalk-list"
Sent: Wednesday, 4 March 2020 04:19:56
Subject: [Spacewalk-list] GPG keys for CentOS channels in Spacewalk

HI Spacewalk users,

Sorry just would like to confirm.

When we enter GPG key into a channel on Spacewalk, does it mean that whenever
we do a repo-sync, it does a gpg-check on all the packages downloaded and
synced?

If there is no GPG key entered for a channel in Spacewalk, will there be a
gpg-check?

If clients are registered to this channel on Spacewalk, will there be a
gpg-check?

Thank you.

Chen Wenkai

Infrastructure Security Engineer
[ https://www.linkedin.com/company/ensign-infosecurity/ ] [ https://youtu.be/9J7FkhXpb-4 ] [ https://www.facebook.com/EnsignGlobal ]

E: wenkai_c...@ensigninfosecurity.com
A: 30A Kallang Place, Level 9 Right Wing, Singapore 339213

CONFIDENTIALITY NOTICE: “This email is confidential and may also be privileged. 
If this email has been sent to you in error, please delete it immediately and 
notify us. Please do not copy, distribute or disseminate part or whole of this 
email if you are not the intended recipient or if you have not been authorized 
to do so. We reserve the right, to the extent and under circumstances permitted 
by applicable laws, to monitor, retain, intercept and block email messages to 
and from our systems. Thank you.” 

___ 
Spacewalk-list mailing list 
Spacewalk-list@redhat.com 
https://www.redhat.com/mailman/listinfo/spacewalk-list 
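The reply above makes one point: the GPG key field on a channel is read by the package installer on the client, so it has to be a file location that exists on the client, not a URL. As an added example (not from the thread and not Spacewalk's own code), the Python below audits a client's yum/dnf `.repo` definitions against exactly that rule: it flags repositories where signature checking is off, where no key is configured, or where the key is not a `file://` path on the client. It assumes the client uses ordinary `.repo` files; the `.repo` content, repository ids and hostnames are constructed.

```python
"""Audit a client's yum/dnf .repo definitions for GPG verification settings.

Added example; not Spacewalk's own code. The .repo content, repository ids
and hostnames below are constructed.
"""
import configparser
import os
from urllib.parse import urlparse

# Constructed sample of a client-side .repo file.
SAMPLE_REPO = """\
[centos-7-base]
name=CentOS 7 base (served via Spacewalk)
baseurl=http://spacewalk.example.invalid/XMLRPC/GET-REQ/centos-7-base
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[centos-7-extras]
name=CentOS 7 extras (key given as a URL instead of a local file)
baseurl=http://spacewalk.example.invalid/XMLRPC/GET-REQ/centos-7-extras
gpgcheck=1
gpgkey=http://mirror.example.invalid/RPM-GPG-KEY-CentOS-7

[third-party]
name=Third-party packages with signature checking switched off
baseurl=http://repo.example.invalid/el7
gpgcheck=0
"""


def audit_repo_config(text: str, check_exists: bool = False) -> dict:
    """Return {repo_id: [findings]} for every section of a .repo file.

    A repository gets a finding when the client would install its packages
    unverified (gpgcheck off or no gpgkey) or when the key is not given as a
    file:// path on the client. With check_exists=True the key file must also
    be present on the machine running the audit.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    report = {}
    for repo_id in cfg.sections():
        section = cfg[repo_id]
        findings = []
        if section.get("gpgcheck", "0").strip().lower() not in {"1", "true", "yes"}:
            findings.append("gpgcheck is off: packages are installed unverified")
        keys = section.get("gpgkey", "").split()  # gpgkey may list several locations
        if not keys:
            findings.append("no gpgkey configured")
        for key in keys:
            parsed = urlparse(key)
            if parsed.scheme != "file":
                findings.append(f"gpgkey is not a client-local file: {key}")
            elif check_exists and not os.path.exists(parsed.path):
                findings.append(f"gpgkey file missing on this client: {parsed.path}")
        report[repo_id] = findings
    return report


if __name__ == "__main__":
    for repo_id, findings in audit_repo_config(SAMPLE_REPO).items():
        print(f"{repo_id}: {'OK' if not findings else '; '.join(findings)}")
```

Run it on the real `/etc/yum.repos.d/*.repo` files of a client with `check_exists=True` to catch the case the reply warns about: a key location that the server accepted but that does not exist from the client's point of view.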

[Spacewalk-list] GPG keys for CentOS channels in Spacewalk

2020-03-03 Thread Wenkai Chen
HI Spacewalk users,

Sorry just would like to confirm.

When we enter GPG key into a channel on Spacewalk, does it mean that whenever 
we do a repo-sync, it does a gpg-check on all the packages downloaded and 
synced?

If there is no GPG key entered for a channel in Spacewalk, will there be a 
gpg-check?
If clients are registered to this channel on Spacewalk, will there be a 
gpg-check?

Thank you.


Chen Wenkai
Infrastructure Security Engineer

  E:  wenkai_c...@ensigninfosecurity.com
  A:  30A Kallang Place, Level 9 Right Wing, Singapore 339213


Re: [Spacewalk-list] CVE-2020-1693

2020-03-03 Thread Michael Mraka
Laurence Rosen:
> Was just alerted to this by our security org.  Are there any plans to patch
> this?
> My seniors are looking into replacing spacewalk with something else if not.
> As I'm not a programmer, I'm not sure how to apply the linked patch.  Does
> that patch need to be compiled into a new jar?

Hello,

the issue was fixed 3 weeks ago in Spacewalk nightly (and upcoming 2.10).
There's no plan to fix it in 2.9. You can update it manually by
downloading redstone-xmlrpc-1.1_20071120-21 from the nightly repo.

> 
> A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to
> XML internal entity attacks via the /rpc/api endpoint. An unauthenticated
> remote attacker could use this flaw to retrieve the content of certain
> files and trigger a denial of service, or in certain circumstances, execute
> arbitrary code on the Spacewalk server.
> 
> This is a 9.8 Critical and needs to be fixed as soon as possible.
> 
> Please view the links below for information and steps for remediation:
> 
> https://nvd.nist.gov/vuln/detail/CVE-2020-1693
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1693
> 
> https://zeroauth.ltd/blog/2020/02/18/proof-of-concept-exploit-for-cve-2020-1693-spacewalk/
> 
> Upstream Fix:
> https://github.com/spacewalkproject/spacewalk/commit/74e28ec61d916c42061ef4347121650a1c962b0c

Regards,

--
Michael Mráka
System Management Engineering, Red Hat

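The quoted advisory describes CVE-2020-1693 as an XML entity attack through the XML-RPC endpoint, and the fix Michael points to is an updated redstone-xmlrpc package. As an added example that is neither Spacewalk's nor redstone-xmlrpc's code, the Python below shows the general defensive pattern any XML-RPC receiver can apply regardless of the library underneath: abort parsing the instant a DOCTYPE or entity declaration appears, because an XML-RPC request body never legitimately carries a DTD. The method name and both request bodies are constructed samples; the internal entity in the second one is harmless on purpose, since the point is that the DTD is refused before anything is expanded.

```python
"""Defensive XML-RPC request parsing: refuse any DTD before the body is parsed.

Added example; not Spacewalk or redstone-xmlrpc code. The request bodies
below are constructed samples.
"""
from xml.parsers import expat


class UnsafeXmlError(ValueError):
    """The request carried a DOCTYPE or entity declaration."""


def parse_method_call(body: bytes) -> dict:
    """Parse an XML-RPC <methodCall> body into {"method": str, "params": [str]}.

    XML-RPC never needs a DTD, so a DOCTYPE or an <!ENTITY ...> declaration is
    rejected the moment expat reports it, before any entity can be expanded or
    any external resource resolved.
    """
    result = {"method": None, "params": []}
    buf = []  # character data of the element currently being read

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE '{name}' is not allowed in an XML-RPC request")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration '{name}' is not allowed")

    def start_element(name, attrs):
        buf.clear()

    def char_data(data):
        buf.append(data)

    def end_element(name):
        text = "".join(buf).strip()
        if name == "methodName":
            result["method"] = text
        elif name == "string":
            result["params"].append(text)
        buf.clear()

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(body, True)  # a handler exception propagates out of Parse()

    if result["method"] is None:
        raise UnsafeXmlError("request has no <methodName>")
    return result


def is_rejected(body: bytes) -> bool:
    """True when the body is refused for carrying DTD constructs."""
    try:
        parse_method_call(body)
    except UnsafeXmlError:
        return True
    return False


# Constructed sample requests (not from the thread).
BENIGN_REQUEST = (
    b'<?xml version="1.0"?>'
    b"<methodCall><methodName>auth.login</methodName>"
    b"<params><param><value><string>alice</string></value></param></params>"
    b"</methodCall>"
)
# Harmless internal entity, but any DTD in an XML-RPC body is refused outright.
DTD_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE methodCall [<!ENTITY who "alice">]>'
    b"<methodCall><methodName>auth.login</methodName>"
    b"<params><param><value><string>&who;</string></value></param></params>"
    b"</methodCall>"
)

if __name__ == "__main__":
    print(parse_method_call(BENIGN_REQUEST))
    print("DTD request rejected:", is_rejected(DTD_REQUEST))
```

Rejecting at the DOCTYPE handler rather than scanning the raw bytes for `<!DOCTYPE` matters: the parser has already dealt with encoding and whitespace, so there is no way to smuggle a declaration past a text search. A rejected request is also a useful detection signal for the endpoint's access log, since legitimate API clients never send one.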

Re: [Spacewalk-list] CVE-2020-1693

2020-03-03 Thread Lewis Donofrio
There are 50 people in #spacewalk and 8 people in #spacewalk-devel on
irc.freenode.net; ask your question there and lurk for a few hours and
someone will have an answer for you.
(tinyurl.com/donofrioworkremmina2020 - you can see irc, hexchat is on both
of my desktops)

Re: [Spacewalk-list] CVE-2020-1693

2020-03-03 Thread Elsever Sadigov

We have the same after the last scan, plus cipher vulnerabilities etc.
Is there anyone working on the security side of this product?

--
Best Regards,
Elsevar Sadigov

On 3/3/2020 03:10, Laurence Rosen wrote:

Was just alerted to this by our security org.  Are there any plans to
patch this?
My seniors are looking into replacing spacewalk with something else if
not.
As I'm not a programmer, I'm not sure how to apply the linked patch.
Does that patch need to be compiled into a new jar?

A flaw was found in Spacewalk up to version 2.9 where it was
vulnerable to XML internal entity attacks via the /rpc/api endpoint.
An unauthenticated remote attacker could use this flaw to retrieve the
content of certain files and trigger a denial of service, or in
certain circumstances, execute arbitrary code on the Spacewalk server.

This is a 9.8 Critical and needs to be fixed as soon as possible.

Please view the links below for information and steps for remediation:

https://nvd.nist.gov/vuln/detail/CVE-2020-1693

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1693

https://zeroauth.ltd/blog/2020/02/18/proof-of-concept-exploit-for-cve-2020-1693-spacewalk/

Upstream Fix:
https://github.com/spacewalkproject/spacewalk/commit/74e28ec61d916c42061ef4347121650a1c962b0c

***

This e-mail and any of its attachments may contain Interactions LLC 
proprietary information, which is privileged, confidential, or subject 
to copyright belonging to the Interactions LLC. This e-mail is 
intended solely for the use of the individual or entity to which it is 
addressed. If you are not the intended recipient of this e-mail, you 
are hereby notified that any dissemination, distribution, copying, or 
action taken in relation to the contents of and attachments to this 
e-mail is strictly prohibited and may be unlawful. If you have 
received this e-mail in error, please notify the sender immediately 
and permanently delete the original and any copy of this e-mail and 
any printout. Thank You.


***

--
This email was Malware checked by Security Department
