CVE-2013-1871
Cross-site scripting (XSS) vulnerability in account/EditAddress.do in Spacewalk and Red Hat Network (RHN) Satellite 5.6 allows remote attackers to inject arbitrary web script or HTML via the type parameter.
Issued: 2014-02-10
Updated: 2014-02-10
RHSA-2014:0148 - Security Advisory
Synopsis
Moderate: spacewalk-java, spacewalk-web and satellite-branding security update
Type/Severity
Security Advisory: Moderate
Topic
Updated spacewalk-java, spacewalk-web, and satellite-branding packages that
fix multiple security issues are now available for Red Hat Satellite 5.6.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
Description
Red Hat Satellite is a systems management tool for Linux-based
infrastructures. It allows for provisioning, remote management and
monitoring of multiple Linux deployments with a single, centralized tool.

A cross-site scripting (XSS) flaw was found in the way the Red Hat
Satellite web interface performed sanitization of notes for registered
systems. A remote authenticated Red Hat Satellite user could create a
malicious note that, when viewed by a victim, could execute arbitrary web
script with the privileges of the user viewing that note. (CVE-2012-6149)

Multiple cross-site scripting (XSS) flaws were found in the Red Hat
Satellite web interface. A remote attacker could provide a specially
crafted link that, when visited by an authenticated Red Hat Satellite user,
would lead to arbitrary web script execution in the context of the user’s
web interface session. (CVE-2013-1871, CVE-2013-4415)

An HTTP header injection flaw was found in the way the Red Hat Satellite
web interface processed the return URL parameter for all HTTP GET requests.
A remote attacker could use this flaw to conduct cross-site scripting (XSS)
and HTTP response splitting attacks against users visiting the site.
(CVE-2013-1869)

Red Hat would like to thank Ben Ford of Puppet Labs for reporting
CVE-2012-6149, Ryan Giobbi of UPMC for reporting CVE-2013-1869 and
CVE-2013-1871, and Adam Willard and Jose Carlos de Arriba of Foreground
Security for reporting CVE-2013-4415.

Users of Red Hat Satellite 5.6 are advised to upgrade to these updated
packages, which resolve these issues. For this update to take effect, Red
Hat Satellite must be restarted. Refer to the Solution section for details.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Run the following command to restart the Red Hat Satellite server:

# rhn-satellite restart
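
A patch-level check for the packages this advisory updates, as an added example (not Red Hat tooling and not part of the original advisory): it parses `rpm -qa` output and reports advisory packages that are older than the fixed builds listed in this advisory. The simplified, epoch-free version comparison and the sample input are assumptions of the example.

```python
import re

# Fixed version-release per binary package, from this advisory's package list
# (the .el5sat/.el6sat dist tag is stripped before comparing).
FIXED = {}
for _vr, _names in {
    "5.6.0.23-1": "satellite-branding",
    "2.0.3-19": "spacewalk-base spacewalk-base-minimal spacewalk-base-minimal-config "
                "spacewalk-dobby spacewalk-grail spacewalk-html spacewalk-pxt "
                "spacewalk-sniglets",
    "2.0.2-58": "spacewalk-java spacewalk-java-config spacewalk-java-lib "
                "spacewalk-java-oracle spacewalk-java-postgresql spacewalk-taskomatic",
}.items():
    FIXED.update(dict.fromkeys(_names.split(), _vr))
DIST_TAG = re.compile(r"\.el\d+sat$")

def vercmp(a, b):
    """Simplified rpmvercmp: compare digit/letter runs; no epoch, '~' or '^' handling."""
    sa, sb = ([int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]
              for s in (a, b))
    for x, y in zip(sa, sb):
        if type(x) is not type(y):
            return 1 if isinstance(x, int) else -1  # numeric run beats alphabetic run
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def audit(rpm_qa_text):
    """Return {package: installed version-release} for packages older than the fix."""
    stale = {}
    for line in rpm_qa_text.split():
        nvr, _, _arch = line.rpartition(".")
        parts = nvr.rsplit("-", 2)
        if len(parts) != 3 or parts[0] not in FIXED:
            continue
        name, ver, rel = parts
        rel = DIST_TAG.sub("", rel)
        fixed_ver, fixed_rel = FIXED[name].split("-")
        if (vercmp(ver, fixed_ver) or vercmp(rel, fixed_rel)) < 0:
            stale[name] = f"{ver}-{rel}"
    return stale

# Constructed `rpm -qa` output; the older builds (-45, -8) are made-up sample values.
SAMPLE = """spacewalk-java-2.0.2-45.el6sat.noarch
spacewalk-taskomatic-2.0.2-58.el6sat.noarch
spacewalk-html-2.0.3-8.el6sat.noarch
bash-4.1.2-15.el6_4.x86_64"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

The release field is compared numerically, so a build such as 2.0.3-8 is correctly treated as older than 2.0.3-19, which a plain string comparison would get wrong.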
Affected Products
- Red Hat Satellite 5.6 for RHEL 6 x86_64
- Red Hat Satellite 5.6 for RHEL 6 s390x
- Red Hat Satellite 5.6 for RHEL 5 x86_64
- Red Hat Satellite 5.6 for RHEL 5 s390x
- Red Hat Satellite 5 Managed DB 5.6 for RHEL 6 x86_64
- Red Hat Satellite 5 Managed DB 5.6 for RHEL 6 s390x
- Red Hat Satellite 5 Managed DB 5.6 for RHEL 5 x86_64
- Red Hat Satellite 5 Managed DB 5.6 for RHEL 5 s390x
Fixes
- BZ - 882000 - CVE-2012-6149 Satellite, Spacewalk (spacewalk-java): XSS in system.addNote XML-RPC call due improper sanitization of note’s subject and content
- BZ - 923464 - CVE-2013-1869 Satellite/Spacewalk: header injection flaw
- BZ - 923467 - CVE-2013-1871 Satellite/Spacewalk: XSS in EditAddress page
- BZ - 979452 - CVE-2013-4415 Red Hat Satellite, Spacewalk: PAGE_SIZE_LABEL_SELECTED cross-site scripting (XSS)
CVEs
- CVE-2012-6149
- CVE-2013-1869
- CVE-2013-4415
- CVE-2013-1871
Red Hat Satellite 5.6 for RHEL 6
SRPM
satellite-branding-5.6.0.23-1.el6sat.src.rpm
spacewalk-java-2.0.2-58.el6sat.src.rpm
spacewalk-web-2.0.3-19.el6sat.src.rpm
x86_64
satellite-branding-5.6.0.23-1.el6sat.noarch.rpm
spacewalk-base-2.0.3-19.el6sat.noarch.rpm
spacewalk-base-minimal-2.0.3-19.el6sat.noarch.rpm
spacewalk-base-minimal-config-2.0.3-19.el6sat.noarch.rpm
spacewalk-dobby-2.0.3-19.el6sat.noarch.rpm
spacewalk-grail-2.0.3-19.el6sat.noarch.rpm
spacewalk-html-2.0.3-19.el6sat.noarch.rpm
spacewalk-java-2.0.2-58.el6sat.noarch.rpm
spacewalk-java-config-2.0.2-58.el6sat.noarch.rpm
spacewalk-java-lib-2.0.2-58.el6sat.noarch.rpm
spacewalk-java-oracle-2.0.2-58.el6sat.noarch.rpm
spacewalk-java-postgresql-2.0.2-58.el6sat.noarch.rpm
spacewalk-pxt-2.0.3-19.el6sat.noarch.rpm
spacewalk-sniglets-2.0.3-19.el6sat.noarch.rpm
spacewalk-taskomatic-2.0.2-58.el6sat.noarch.rpm
s390x
satellite-branding-5.6.0.23-1.el6sat.noarch.rpm
spacewalk-base-2.0.3-19.el6sat.noarch.rpm
spacewalk-base-minimal-2.0.3-19.el6sat.noarch.rpm
spacewalk-base-minimal-config-2.0.3-19.el6sat.noarch.rpm
spacewalk-dobby-2.0.3-19.el6sat.noarch.rpm
spacewalk-grail-2.0.3-19.el6sat.noarch.rpm
spacewalk-html-2.0.3-19.el6sat.noarch.rpm
spacewalk-java-2.0.2-58.el6sat.noarch.rpm
spacewalk-java-config-2.0.2-58.el6sat.noarch.rpm
spacewalk-java-lib-2.0.2-58.el6sat.noarch.rpm
spacewalk-java-oracle-2.0.2-58.el6sat.noarch.rpm
spacewalk-java-postgresql-2.0.2-58.el6sat.noarch.rpm
spacewalk-pxt-2.0.3-19.el6sat.noarch.rpm
spacewalk-sniglets-2.0.3-19.el6sat.noarch.rpm
spacewalk-taskomatic-2.0.2-58.el6sat.noarch.rpm
Red Hat Satellite 5.6 for RHEL 5
SRPM
satellite-branding-5.6.0.23-1.el5sat.src.rpm
spacewalk-java-2.0.2-58.el5sat.src.rpm
spacewalk-web-2.0.3-19.el5sat.src.rpm
x86_64
satellite-branding-5.6.0.23-1.el5sat.noarch.rpm
spacewalk-base-2.0.3-19.el5sat.noarch.rpm
spacewalk-base-minimal-2.0.3-19.el5sat.noarch.rpm
spacewalk-base-minimal-config-2.0.3-19.el5sat.noarch.rpm
spacewalk-dobby-2.0.3-19.el5sat.noarch.rpm
spacewalk-grail-2.0.3-19.el5sat.noarch.rpm
spacewalk-html-2.0.3-19.el5sat.noarch.rpm
spacewalk-java-2.0.2-58.el5sat.noarch.rpm
spacewalk-java-config-2.0.2-58.el5sat.noarch.rpm
spacewalk-java-lib-2.0.2-58.el5sat.noarch.rpm
spacewalk-java-oracle-2.0.2-58.el5sat.noarch.rpm
spacewalk-java-postgresql-2.0.2-58.el5sat.noarch.rpm
spacewalk-pxt-2.0.3-19.el5sat.noarch.rpm
spacewalk-sniglets-2.0.3-19.el5sat.noarch.rpm
spacewalk-taskomatic-2.0.2-58.el5sat.noarch.rpm
s390x
satellite-branding-5.6.0.23-1.el5sat.noarch.rpm
spacewalk-base-2.0.3-19.el5sat.noarch.rpm
spacewalk-base-minimal-2.0.3-19.el5sat.noarch.rpm
spacewalk-base-minimal-config-2.0.3-19.el5sat.noarch.rpm
spacewalk-dobby-2.0.3-19.el5sat.noarch.rpm
spacewalk-grail-2.0.3-19.el5sat.noarch.rpm
spacewalk-html-2.0.3-19.el5sat.noarch.rpm
spacewalk-java-2.0.2-58.el5sat.noarch.rpm
spacewalk-java-config-2.0.2-58.el5sat.noarch.rpm
spacewalk-java-lib-2.0.2-58.el5sat.noarch.rpm
spacewalk-java-oracle-2.0.2-58.el5sat.noarch.rpm
spacewalk-java-postgresql-2.0.2-58.el5sat.noarch.rpm
spacewalk-pxt-2.0.3-19.el5sat.noarch.rpm
spacewalk-sniglets-2.0.3-19.el5sat.noarch.rpm
spacewalk-taskomatic-2.0.2-58.el5sat.noarch.rpm
Red Hat Satellite 5 Managed DB 5.6 for RHEL 6
SRPM
spacewalk-web-2.0.3-19.el6sat.src.rpm
x86_64
spacewalk-base-minimal-2.0.3-19.el6sat.noarch.rpm
spacewalk-dobby-2.0.3-19.el6sat.noarch.rpm
s390x
spacewalk-base-minimal-2.0.3-19.el6sat.noarch.rpm
spacewalk-dobby-2.0.3-19.el6sat.noarch.rpm
Red Hat Satellite 5 Managed DB 5.6 for RHEL 5
SRPM
spacewalk-web-2.0.3-19.el5sat.src.rpm
x86_64
spacewalk-base-minimal-2.0.3-19.el5sat.noarch.rpm
spacewalk-dobby-2.0.3-19.el5sat.noarch.rpm
s390x
spacewalk-base-minimal-2.0.3-19.el5sat.noarch.rpm
spacewalk-dobby-2.0.3-19.el5sat.noarch.rpm
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.