manzier.pxt in Red Hat Network Satellite Server before 5.1.1 has a hard-coded authentication key, which allows remote attackers to connect to the server and obtain sensitive information about user accounts and entitlements.

Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

![Red Hat Customer Portal](https://access.redhat.com/chrome_themes/nimbus/img/red-hat-customer-portal.svg)

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus
*   Red Hat CodeReady Studio

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2008-08-13

Updated:

2008-08-13

**RHSA-2008:0630 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Low: Red Hat Network Satellite Server security update

**Type/Severity**

Security Advisory: Low

**Topic**

Red Hat Network Satellite Server version 5.1.1 is now available. This  
update includes fixes for a number of security issues in Red Hat Network  
Satellite Server components.  

This update has been rated as having low security impact by the Red Hat  
Security Response Team.

**Description**

During an internal security audit, it was discovered that Red Hat Network  
Satellite Server shipped with an XML-RPC script, manzier.pxt, which had a  
single hard-coded authentication key. A remote attacker who is able to  
connect to the Satellite Server XML-RPC service could use this flaw to  
obtain limited information about Satellite Server users, such as login  
names, associated email addresses, internal user IDs, and partial  
information about entitlements. (CVE-2008-2369)  

This release also corrects several security vulnerabilities in various  
components shipped as part of Red Hat Network Satellite Server 5.1. In a  
typical operating environment, these components are not exposed to users  
of Satellite Server in a vulnerable manner. These security updates will  
reduce risk in unique Satellite Server environments.  

A denial-of-service flaw was fixed in mod\_perl. (CVE-2007-1349)  

Multiple cross-site scripting flaws were fixed in the image map feature in  
the JFreeChart package. (CVE-2007-6306)  

A flaw which could result in weak encryption was fixed in the  
perl-Crypt-CBC package. (CVE-2006-0898)  

Multiple flaws were fixed in the Apache Tomcat package. (CVE-2005-4838,  
CVE-2006-0254, CVE-2007-1355, CVE-2007-1358, CVE-2007-2449, CVE-2007-5461,  
CVE-2008-0128)  

Users of Red Hat Network Satellite Server 5.1 are advised to upgrade to  
5.1.1, which resolves these issues.

**Affected Products**

*   Red Hat Network Satellite 5.1 (for RHEL Mainframe) 5.1 s390x
*   Red Hat Network Satellite 5.1 (for RHEL Mainframe) 5.1 s390
*   Red Hat Network Satellite 5.1 (for RHEL Server) 5.1 x86\_64
*   Red Hat Network Satellite 5.1 (for RHEL Server) 5.1 i386

**Fixes**

*   BZ - 238401 - CVE-2005-4838 tomcat manager example DoS
*   BZ - 240423 - CVE-2007-1349 mod\_perl PerlRun denial of service
*   BZ - 244803 - CVE-2007-1358 tomcat accept-language xss flaw
*   BZ - 244804 - CVE-2007-2449 tomcat examples jsp XSS
*   BZ - 253166 - CVE-2007-1355 tomcat XSS in samples
*   BZ - 333791 - CVE-2007-5461 Absolute path traversal Apache Tomcat WEBDAV
*   BZ - 421081 - CVE-2007-6306 JFreeChart: XSS vulnerabilities in the image map feature
*   BZ - 429821 - CVE-2008-0128 tomcat5 SSO cookie login information disclosure
*   BZ - 430522 - CVE-2006-0898 perl-Crypt-CBC weaker encryption with some ciphers
*   BZ - 430646 - CVE-2006-0254 tomcat examples XSS
*   BZ - 452461 - CVE-2008-2369 RHN Satellite: information disclosure via manzier.pxt RPC script

**CVEs**

*   CVE-2008-2369
*   CVE-2006-0898
*   CVE-2008-0128
*   CVE-2007-1355
*   CVE-2007-6306
*   CVE-2007-5461
*   CVE-2007-2449
*   CVE-2007-1358
*   CVE-2007-1349
*   CVE-2005-4838
*   CVE-2006-0254

**Red Hat Network Satellite 5.1 (for RHEL Mainframe) 5.1**

SRPM

s390x

s390

**Red Hat Network Satellite 5.1 (for RHEL Server) 5.1**

SRPM

x86\_64

i386

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

CVE-2008-2369: Red Hat Customer Portal - Access to 24x7 support and knowledge

Opera 9 drops DNS pins based on failed connections to irrelevant TCP ports, which makes it easier for remote attackers to conduct DNS rebinding attacks, as demonstrated by a port 81 URL in an IMG SRC, when the DNS pin had been established for a session on port 80.

Tag

#nodejs