exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2020-3936-01

Red Hat Security Advisory 2020-3936-01
Posted Sep 30, 2020
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2020-3936-01 - Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. Issues addressed include code execution, cross site scripting, denial of service, and memory leak vulnerabilities.

tags | advisory, denial of service, vulnerability, code execution, xss, memory leak
systems | linux, redhat
advisories | CVE-2015-9251, CVE-2016-10735, CVE-2018-14040, CVE-2018-14042, CVE-2018-20676, CVE-2018-20677, CVE-2019-11358, CVE-2019-8331, CVE-2020-11022, CVE-2020-1722
SHA-256 | fb7b7047d457ad583f093c18959aceb2b9772c606448e0fab65dc5bef723ecbd

Red Hat Security Advisory 2020-3936-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: ipa security, bug fix, and enhancement update
Advisory ID: RHSA-2020:3936-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3936
Issue date: 2020-09-29
CVE Names: CVE-2015-9251 CVE-2016-10735 CVE-2018-14040
CVE-2018-14042 CVE-2018-20676 CVE-2018-20677
CVE-2019-8331 CVE-2019-11358 CVE-2020-1722
CVE-2020-11022
====================================================================
1. Summary:

An update for ipa is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Red Hat Identity Management (IdM) is a centralized authentication, identity
management, and authorization solution for both traditional and cloud-based
enterprise environments.

The following packages have been upgraded to a later upstream version: ipa
(4.6.8). (BZ#1819725)

Security Fix(es):

* js-jquery: Cross-site scripting via cross-domain ajax requests
(CVE-2015-9251)

* bootstrap: XSS in the data-target attribute (CVE-2016-10735)

* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent
attribute (CVE-2018-14040)

* bootstrap: Cross-site Scripting (XSS) in the data-container property of
tooltip. (CVE-2018-14042)

* bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676)

* bootstrap: XSS in the affix configuration target property
(CVE-2018-20677)

* bootstrap: XSS in the tooltip or popover data-template attribute
(CVE-2019-8331)

* js-jquery: prototype pollution in object's prototype leading to denial of
service or remote code execution or property injection (CVE-2019-11358)

* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter
method (CVE-2020-11022)

* ipa: No password length restriction leads to denial of service
(CVE-2020-1722)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.9 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1399546 - CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests
1404770 - ID Views: do not allow custom Views for the masters
1545755 - ipa-replica-prepare should not update pki admin password.
1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip.
1668082 - CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute
1668089 - CVE-2018-20677 bootstrap: XSS in the affix configuration target property
1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute
1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
1701972 - CVE-2019-11358 js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection
1754902 - Running ipa-server-install fails when RHEL 7.7 packages are installed on RHEL 7.6
1755535 - ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
1756568 - ipa-server-certinstall man page does not match built-in help.
1758406 - KRA authentication fails when IPA CA has custom Subject DN
1769791 - Invisible part of notification area in Web UI intercepts clicks of some page elements
1771356 - Default client configuration breaks ssh in FIPS mode.
1780548 - Man page ipa-cacert-manage does not display correctly on RHEL
1782587 - add "systemctl restart sssd" to warning message when adding trust agents to replicas
1788718 - ipa-server-install incorrectly setting slew mode (-x) when setting up ntpd
1788907 - Renewed certs are not picked up by IPA CAs
1793071 - CVE-2020-1722 ipa: No password length restriction leads to denial of service
1795890 - ipa-pkinit-manage enable fails on replica if it doesn't host the CA
1801791 - Compatibility Schema difference in functionality for systems following RHEL 7.5 -> 7.6 upgrade path as opposed to new RHEL 7.6 systems
1817886 - ipa group-add-member: prevent adding IPA objects as external members
1817918 - Secure tomcat AJP connector
1817919 - Enable compat tree to provide information about AD users and groups on trust agents
1817922 - covscan memory leaks report
1817923 - IPA upgrade is failing with error "Failed to get request: bus, object_path and dbus_interface must not be None."
1817927 - host-add --password logs cleartext userpassword to Apache error log
1819725 - Rebase IPA to latest 4.6.x version
1825829 - ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
1829787 - ipa service-del deletes the required principal when specified in lower/upper case
1834385 - Man page syntax issue detected by rpminspect
1842950 - ipa-adtrust-install fails when replica is offline

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
ipa-4.6.8-5.el7.src.rpm

noarch:
ipa-client-common-4.6.8-5.el7.noarch.rpm
ipa-common-4.6.8-5.el7.noarch.rpm
ipa-python-compat-4.6.8-5.el7.noarch.rpm
python2-ipaclient-4.6.8-5.el7.noarch.rpm
python2-ipalib-4.6.8-5.el7.noarch.rpm

x86_64:
ipa-client-4.6.8-5.el7.x86_64.rpm
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
ipa-server-common-4.6.8-5.el7.noarch.rpm
ipa-server-dns-4.6.8-5.el7.noarch.rpm
python2-ipaserver-4.6.8-5.el7.noarch.rpm

x86_64:
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm
ipa-server-4.6.8-5.el7.x86_64.rpm
ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
ipa-4.6.8-5.el7.src.rpm

noarch:
ipa-client-common-4.6.8-5.el7.noarch.rpm
ipa-common-4.6.8-5.el7.noarch.rpm
ipa-python-compat-4.6.8-5.el7.noarch.rpm
python2-ipaclient-4.6.8-5.el7.noarch.rpm
python2-ipalib-4.6.8-5.el7.noarch.rpm

x86_64:
ipa-client-4.6.8-5.el7.x86_64.rpm
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
ipa-server-common-4.6.8-5.el7.noarch.rpm
ipa-server-dns-4.6.8-5.el7.noarch.rpm
python2-ipaserver-4.6.8-5.el7.noarch.rpm

x86_64:
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm
ipa-server-4.6.8-5.el7.x86_64.rpm
ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
ipa-4.6.8-5.el7.src.rpm

noarch:
ipa-client-common-4.6.8-5.el7.noarch.rpm
ipa-common-4.6.8-5.el7.noarch.rpm
ipa-python-compat-4.6.8-5.el7.noarch.rpm
ipa-server-common-4.6.8-5.el7.noarch.rpm
ipa-server-dns-4.6.8-5.el7.noarch.rpm
python2-ipaclient-4.6.8-5.el7.noarch.rpm
python2-ipalib-4.6.8-5.el7.noarch.rpm
python2-ipaserver-4.6.8-5.el7.noarch.rpm

ppc64:
ipa-client-4.6.8-5.el7.ppc64.rpm
ipa-debuginfo-4.6.8-5.el7.ppc64.rpm

ppc64le:
ipa-client-4.6.8-5.el7.ppc64le.rpm
ipa-debuginfo-4.6.8-5.el7.ppc64le.rpm

s390x:
ipa-client-4.6.8-5.el7.s390x.rpm
ipa-debuginfo-4.6.8-5.el7.s390x.rpm

x86_64:
ipa-client-4.6.8-5.el7.x86_64.rpm
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm
ipa-server-4.6.8-5.el7.x86_64.rpm
ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
ipa-4.6.8-5.el7.src.rpm

noarch:
ipa-client-common-4.6.8-5.el7.noarch.rpm
ipa-common-4.6.8-5.el7.noarch.rpm
ipa-python-compat-4.6.8-5.el7.noarch.rpm
ipa-server-common-4.6.8-5.el7.noarch.rpm
ipa-server-dns-4.6.8-5.el7.noarch.rpm
python2-ipaclient-4.6.8-5.el7.noarch.rpm
python2-ipalib-4.6.8-5.el7.noarch.rpm
python2-ipaserver-4.6.8-5.el7.noarch.rpm

x86_64:
ipa-client-4.6.8-5.el7.x86_64.rpm
ipa-debuginfo-4.6.8-5.el7.x86_64.rpm
ipa-server-4.6.8-5.el7.x86_64.rpm
ipa-server-trust-ad-4.6.8-5.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-9251
https://access.redhat.com/security/cve/CVE-2016-10735
https://access.redhat.com/security/cve/CVE-2018-14040
https://access.redhat.com/security/cve/CVE-2018-14042
https://access.redhat.com/security/cve/CVE-2018-20676
https://access.redhat.com/security/cve/CVE-2018-20677
https://access.redhat.com/security/cve/CVE-2019-8331
https://access.redhat.com/security/cve/CVE-2019-11358
https://access.redhat.com/security/cve/CVE-2020-1722
https://access.redhat.com/security/cve/CVE-2020-11022
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX3Of/9zjgjWX9erEAQjmHBAAi+u4CgMbaduuYvMAMbNKqT/0X8Y02udQ
maW4rfZ6udfHWJ21h1VlD/INXHB3sBFC2vpXsgJD7dTkUsZYIx73LrQFkakTzIWc
xSQalxNs+Fjh/ot/JMiKQzQUmZeu/vUYgVB81y+hczg5dys3q1mnu42GWe18sJIc
FCY2R3mBTnFUZoc/3JDHeVRJU8eq51oqRgNaz+Fl+CoFkR81P6mD8wybIIAsBx14
Ykya/awQf+OuBCe5tqfTV1+KS2U4+tqiqapzALt7dhjfA9Jayc9/UvQjGCyrmGvP
+BBBPSqGOS81jpPo0ouM3OtadWrGAWERMwtrR+POUp1rnMxy2kI0EpebnzSOtJy2
xExPZtcTjjgWvIMDdrJJ5DXG6cP5j3GjyvFknmCtCqvXzo90gw73psi6roG+g/a8
UyML+be8jnJK7571X3dz6OCYBExaHqM21ukUEfdvddszhw92J3fxmDm5+picETB9
dZ++VtV1lCBOlKW1SDG/ggk7PeSRGTDL5IkekopO1w89r3QsfqyFudlsNT0dDgk7
8Kzn8YpCWln1Kp0UbVushKRT+KllZRTKzXTBfiEWiYtQiwyL9zj/DrxagXXbiPe7
5mZnk62sAdKya3On4ejgPQ8Nq8oKHzRfaig/CNaNiB00HgZcRdQokPQ9+DRnkdNS
UR3S5ZAZvb8=SWQt
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close