The foreman-proxy package provides a RESTful API to manage DNS, DHCP, TFTP,
and Puppet settings, and can be used as part of Foreman.

A shell command injection flaw was found in the way foreman-proxy verified
URLs in the TFTP module. A remote attacker could use this flaw to execute
arbitrary shell commands on the system with the privileges of the user
running foreman-proxy. (CVE-2014-0007)

This issue was discovered by Lukas Zapletal of Red Hat.

Note that for Red Hat Enterprise Linux OpenStack Platform 3.0, Foreman was
released as a Technology Preview. More information about Red Hat Technology
Previews is available at
https://access.redhat.com/site/support/offerings/techpreview/

All foreman-proxy users are advised to upgrade to this updated package,
which corrects this issue.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
RedHat | 6 | noarch | ruby193-foreman-proxy | < 1.1.10001-7.el6ost | ruby193-foreman-proxy-1.1.10001-7.el6ost.noarch.rpm |
RedHat | 6 | src | ruby193-foreman-proxy | < 1.1.10001-7.el6ost | ruby193-foreman-proxy-1.1.10001-7.el6ost.src.rpm |
RedHat | 6 | noarch | foreman-proxy | < 1.3.0-5.el6sat | foreman-proxy-1.3.0-5.el6sat.noarch.rpm |
RedHat | 6 | src | foreman-proxy | < 1.3.0-5.el6sat | foreman-proxy-1.3.0-5.el6sat.src.rpm |
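
The flaw class described in this advisory (untrusted URL text reaching a shell command line) is avoided by validating the URL and then passing it to the downloader as a single argv element, with no shell involved. The Ruby code below is an added example, not foreman-proxy's code or the shipped fix; the helper names, the `wget` invocation and the sample URL are assumptions made for illustration.

```ruby
require "uri"
require "open3"
require "rbconfig"

# Anti-pattern (not executed here): interpolating the URL into one string,
# e.g. system("wget -O #{dst} #{src}"), makes Ruby hand the text to /bin/sh.

ALLOWED_SCHEMES = %w[http https ftp].freeze

# Constructed sample: a syntactically valid URL whose path contains
# characters a shell would interpret (';' and '$( )').
SAMPLE = "http://boot.example.com/vmlinuz;$(id)"

# Parse the URL and allow-list scheme and host; raise ArgumentError otherwise.
# Parsing alone does not remove shell metacharacters: SAMPLE passes this check.
def checked_url(src)
  uri = URI.parse(src.to_s)
  ok = ALLOWED_SCHEMES.include?(uri.scheme) && !uri.host.to_s.empty?
  raise ArgumentError, "rejected URL: #{src.inspect}" unless ok
  uri.to_s
rescue URI::InvalidURIError
  raise ArgumentError, "malformed URL: #{src.inspect}"
end

# Build the downloader command as an argv array, one element per argument.
# The wget flags are an assumed invocation for illustration.
# Intended use: system(*fetch_argv(url, dst))  (multi-argument form, no shell)
def fetch_argv(src, dst)
  ["wget", "--timeout=10", "--tries=3", "-nv", "-O", dst.to_s, checked_url(src)]
end

# Run a harmless child (the Ruby interpreter) with the URL as one argv
# element and return [what the child received, exit ok?]. With the
# multi-argument form of Open3/system no shell parses the string.
def passes_verbatim(src)
  child = [RbConfig.ruby, "-e", "print ARGV[0]", "--", checked_url(src)]
  out, status = Open3.capture2(*child)
  [out, status.success?]
end
```

The sample URL passes URI validation unchanged, which is why the argv form, not the validation step, is what keeps the shell from ever seeing the string.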