Re: [Spacewalk-list] CVE-2020-1693
Hi. I need to create a RHEL 8 repo on Spacewalk 2.9. Could you please direct me or provide info?

On Tue, Mar 3, 2020 at 9:40 AM Michael Mraka wrote:
> Laurence Rosen:
> > Was just alerted to this by our security org. Are there any plans to patch
> > this?
> > My seniors are looking into replacing spacewalk with something else if not.
> > As I'm not a programmer, I'm not sure how to apply the linked patch. Does
> > that patch need to be compiled into a new jar?
>
> Hello,
>
> the issue has been fixed 3 weeks ago in Spacewalk nightly (and upcoming 2.10).
> There's no plan to fix it in 2.9. You can update it manually by
> downloading redstone-xmlrpc-1.1_20071120-21 from nightly repo.
>
> > > A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to
> > > XML internal entity attacks via the /rpc/api endpoint. An unauthenticated
> > > remote attacker could use this flaw to retrieve the content of certain
> > > files and trigger a denial of service, or in certain circumstances, execute
> > > arbitrary code on the Spacewalk server.
> > >
> > > This is a 9.8 Critical and needs to be fixed as soon as possible.
> > >
> > > Please view the links below for information and steps for remediation:
> > >
> > > https://nvd.nist.gov/vuln/detail/CVE-2020-1693
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1693
> > >
> > > https://zeroauth.ltd/blog/2020/02/18/proof-of-concept-exploit-for-cve-2020-1693-spacewalk/
> > >
> > > Upstream Fix:
> > > https://github.com/spacewalkproject/spacewalk/commit/74e28ec61d916c42061ef4347121650a1c962b0c
>
> Regards,
>
> --
> Michael Mráka
> System Management Engineering, Red Hat

--
Muhammad Mosleh Uddin

___
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
Re: [Spacewalk-list] CVE-2020-1693
Laurence Rosen:
> Was just alerted to this by our security org. Are there any plans to patch
> this?
> My seniors are looking into replacing spacewalk with something else if not.
> As I'm not a programmer, I'm not sure how to apply the linked patch. Does
> that patch need to be compiled into a new jar?

Hello,

the issue has been fixed 3 weeks ago in Spacewalk nightly (and upcoming 2.10).
There's no plan to fix it in 2.9. You can update it manually by
downloading redstone-xmlrpc-1.1_20071120-21 from nightly repo.

> > A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to
> > XML internal entity attacks via the /rpc/api endpoint. An unauthenticated
> > remote attacker could use this flaw to retrieve the content of certain
> > files and trigger a denial of service, or in certain circumstances, execute
> > arbitrary code on the Spacewalk server.
> >
> > This is a 9.8 Critical and needs to be fixed as soon as possible.
> >
> > Please view the links below for information and steps for remediation:
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2020-1693
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1693
> >
> > https://zeroauth.ltd/blog/2020/02/18/proof-of-concept-exploit-for-cve-2020-1693-spacewalk/
> >
> > Upstream Fix:
> > https://github.com/spacewalkproject/spacewalk/commit/74e28ec61d916c42061ef4347121650a1c962b0c

Regards,

--
Michael Mráka
System Management Engineering, Red Hat
Re: [Spacewalk-list] CVE-2020-1693
There are 50 people in #spacewalk and 8 people in #spacewalk-devel on irc.freenode.net. Ask your question there and lurk for a few hours, and someone will have an answer for you. (tinyurl.com/donofrioworkremmina2020 - you can see irc; hexchat is on both of my desktops)
Re: [Spacewalk-list] CVE-2020-1693
We have the same after the last scan, plus cipher etc. vulnerabilities. Is there anyone who is working on the security side of this product?

--
Best Regards,
Elsevar Sadigov

On 3/3/2020 03:10, Laurence Rosen wrote:
> Was just alerted to this by our security org. Are there any plans to patch this? My seniors are looking into replacing spacewalk with something else if not. As I'm not a programmer, I'm not sure how to apply the linked patch. Does that patch need to be compiled into a new jar?
>
> A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on the Spacewalk server.
>
> This is a 9.8 Critical and needs to be fixed as soon as possible.
>
> Please view the links below for information and steps for remediation:
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-1693
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1693
>
> https://zeroauth.ltd/blog/2020/02/18/proof-of-concept-exploit-for-cve-2020-1693-spacewalk/
>
> Upstream Fix:
> https://github.com/spacewalkproject/spacewalk/commit/74e28ec61d916c42061ef4347121650a1c962b0c
[Spacewalk-list] CVE-2020-1693
Was just alerted to this by our security org. Are there any plans to patch this? My seniors are looking into replacing spacewalk with something else if not. As I'm not a programmer, I'm not sure how to apply the linked patch. Does that patch need to be compiled into a new jar?

A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on the Spacewalk server.

This is a 9.8 Critical and needs to be fixed as soon as possible.

Please view the links below for information and steps for remediation:

https://nvd.nist.gov/vuln/detail/CVE-2020-1693

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1693

https://zeroauth.ltd/blog/2020/02/18/proof-of-concept-exploit-for-cve-2020-1693-spacewalk/

Upstream Fix:
https://github.com/spacewalkproject/spacewalk/commit/74e28ec61d916c42061ef4347121650a1c962b0c
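The bug class described in this post is an XML-RPC endpoint whose parser honours entity declarations in a request body. The following is an added illustration of the defensive parser setting, not code from this thread, from Spacewalk or from the redstone-xmlrpc fix: it parses an XML-RPC methodCall with Python's expat and refuses any DOCTYPE or entity declaration before expat expands anything. The request bodies are constructed samples.

```python
import xml.parsers.expat as expat


class EntityRejected(Exception):
    """Raised when a request body carries a DOCTYPE or entity declaration."""


def parse_methodcall(body: bytes) -> dict:
    """Parse an XML-RPC <methodCall>, refusing DOCTYPE and entity declarations.

    Returns {"method": name, "params": [string values]}. The two reject
    handlers fire before expat expands or resolves any entity, which is the
    setting an endpoint such as /rpc/api should run with.
    """
    parser = expat.ParserCreate()
    state = {"path": [], "method": "", "params": [], "text": ""}

    def reject(*_args):
        raise EntityRejected("DOCTYPE/entity declarations are not allowed")

    def start(name, _attrs):
        state["path"].append(name)
        state["text"] = ""

    def end(name):
        if name == "methodName":
            state["method"] = state["text"].strip()
        elif name == "string" and "param" in state["path"]:
            state["params"].append(state["text"])
        state["path"].pop()
        state["text"] = ""

    parser.StartDoctypeDeclHandler = reject  # any <!DOCTYPE ...> at all
    parser.EntityDeclHandler = reject        # any <!ENTITY ...>, internal or external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = lambda data: state.update(text=state["text"] + data)
    parser.Parse(body, True)
    return {"method": state["method"], "params": state["params"]}


def is_safe_request(body: bytes) -> bool:
    """True if the body parses without any DOCTYPE/entity declaration."""
    try:
        parse_methodcall(body)
        return True
    except (EntityRejected, expat.ExpatError):
        return False


# Constructed sample requests (not captured traffic): a plain call, and one
# declaring a harmless internal entity that the guard still refuses.
SAFE_REQUEST = (b'<?xml version="1.0"?><methodCall><methodName>auth.login</methodName>'
                b'<params><param><value><string>user</string></value></param></params></methodCall>')
ENTITY_REQUEST = (b'<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY x "test">]>'
                  b'<methodCall><methodName>&x;</methodName></methodCall>')

if __name__ == "__main__":
    print(parse_methodcall(SAFE_REQUEST))
    print("entity request accepted:", is_safe_request(ENTITY_REQUEST))
```

Rejecting on the DOCTYPE alone is enough, since an entity cannot be declared without one; the second handler is belt and braces.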