Quinteros-2, CVE-2024-43191, CVE-2023-46175
ManageIQ Quinteros-2 is now available. This release includes security fixes, which will also be included in the upcoming Radjabov-1 GA release.
Security Issues
High severity
- CVE-2024-43191 - OS Command Injection via Policy Import.
Thanks to @divyesh-0x01 for finding and reporting this issue.
Medium severity
- CVE-2023-46175 - Credentials logged in plaintext for some providers.
Thanks to @sigbjornaib for finding and reporting this issue.
Upgrade Notes
Due to the vaulting of CentOS Stream 8 [1][2], the existing RPM repo files point to a mirrorlist that no longer exists. As such, when doing an RPM upgrade to Quinteros-2, some manual steps need to be done first. Run the following two commands before upgrading; they point the CentOS repo files at the new vault location.
sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-*.repo
sed -i 's/#baseurl=http:\/\/mirror/baseurl=http:\/\/vault/g' /etc/yum.repos.d/CentOS-*.repo
Note that for the upcoming Radjabov release we will be upgrading to CentOS Stream 9, so these changes are a one-time step for upgrading to Quinteros-2.
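As an added example that is not part of these release notes, the script below wraps the two sed edits above in a backup-and-verify step, so each repo file can be checked for leftover active mirrorlist entries before the RPM upgrade is started. The function names and the sample repo file are constructed for this example; it assumes GNU sed (as the commands above do), grep and mktemp.

```shell
#!/bin/sh
# Added example, not part of the ManageIQ release notes.
# Wraps the two sed edits from the upgrade notes with a backup and a
# verification pass so a repo file is not left half-edited before "yum upgrade".

# Rewrite one CentOS repo file: comment out mirrorlist= lines and switch the
# commented-out mirror baseurl to the vault location. Keeps a .bak copy first.
repoint_repo_file() {
    repo="$1"
    cp "$repo" "$repo.bak"
    sed -i 's/mirrorlist=/#mirrorlist=/g' "$repo"
    sed -i 's/#baseurl=http:\/\/mirror/baseurl=http:\/\/vault/g' "$repo"
}

# Return 0 when the file has no active mirrorlist= line and every active
# baseurl= line points at the vault host; return 1 otherwise.
verify_repo_file() {
    repo="$1"
    if grep -q '^mirrorlist=' "$repo"; then
        return 1
    fi
    if grep '^baseurl=' "$repo" | grep -qv 'http://vault'; then
        return 1
    fi
    grep -q '^baseurl=http://vault' "$repo"
}

# Constructed sample repo file in a scratch directory, shaped like a stock
# CentOS Stream 8 BaseOS entry (not copied from any real system).
demo_repo_file() {
    dir=$(mktemp -d)
    cat > "$dir/CentOS-Stream-Demo.repo" <<'EOF'
[baseos]
name=CentOS Stream $releasever - BaseOS
mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=BaseOS&infra=$infra
#baseurl=http://mirror.centos.org/$contentdir/$stream/BaseOS/$basearch/os/
gpgcheck=1
enabled=1
EOF
    echo "$dir/CentOS-Stream-Demo.repo"
}
```

On a real appliance, run repoint_repo_file and then verify_repo_file over each /etc/yum.repos.d/CentOS-*.repo file; a non-zero exit from the verifier means that file still needs attention before upgrading.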
There are a handful of other smaller updates, including some package updates that resolve CVEs in those packages; you can read through them all in the full changelog. Many thanks go to all of the community members for their contributions!