Laurence Rosen:
> Was just alerted to this by our security org. Are there any plans to patch
> this?
> My seniors are looking into replacing spacewalk with something else if not.
> As I'm not a programmer, I'm not sure how to apply the linked patch. Does
> that patch need to be compiled into a new jar?

Hello,
the issue has been fixed 3 weeks ago in Spacewalk nightly (and upcoming 2.10). There's no plan to fix it in 2.9.
You can update it manually by downloading redstone-xmlrpc-1.1_20071120-21 from nightly repo.

> ########
> A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to
> XML internal entity attacks via the /rpc/api endpoint. An unauthenticated
> remote attacker could use this flaw to retrieve the content of certain
> files and trigger a denial of service, or in certain circumstances, execute
> arbitrary code on the Spacewalk server.
>
> This is a 9.8 Critical and needs to be fixed as soon as possible.
>
> Please view the links below for information and steps for remediation:
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-1693
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1693
>
> https://zeroauth.ltd/blog/2020/02/18/proof-of-concept-exploit-for-cve-2020-1693-spacewalk/
>
> Upstream Fix:
> https://github.com/spacewalkproject/spacewalk/commit/74e28ec61d916c42061ef4347121650a1c962b0c

Regards,
--
Michael Mráka
System Management Engineering, Red Hat
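
A way to check whether a Spacewalk 2.9 host already carries the build named in the reply, as an added example that is not part of the original thread or of the Spacewalk project. It assumes that builds of redstone-xmlrpc 1.1_20071120 with a release number below 21 lack the fix; the function names `classify_xmlrpc` and `check_installed` are hypothetical.

```shell
#!/bin/sh
# Added example: classify a redstone-xmlrpc build against the build named in the reply.
FIXED_VERSION="1.1_20071120"   # version string taken from the reply
FIXED_RELEASE=21               # release number taken from the reply

# classify_xmlrpc VERSION-RELEASE -> prints fixed | needs-update | unknown
classify_xmlrpc() {
    vr=$1
    case $vr in
        *-*) ;;                          # must look like VERSION-RELEASE
        *) echo unknown; return 0 ;;
    esac
    version=${vr%-*}                     # text before the last '-'
    release=${vr##*-}                    # text after the last '-', e.g. "21.el7"
    relnum=${release%%.*}                # numeric part before any dist tag
    case $relnum in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$version" != "$FIXED_VERSION" ]; then
        echo unknown                     # other snapshot: the thread says nothing about it
    elif [ "$relnum" -ge "$FIXED_RELEASE" ]; then
        echo fixed
    else
        echo needs-update                # assumption: releases below 21 lack the fix
    fi
}

# check_installed: query the local RPM database and classify the result.
check_installed() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available"; return 2
    fi
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' redstone-xmlrpc 2>/dev/null) || {
        echo "redstone-xmlrpc not installed"; return 2; }
    echo "redstone-xmlrpc $vr: $(classify_xmlrpc "$vr")"
}

# Run the live check only when asked: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```

Tomcat has to be restarted after the package update before the new jar is loaded.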