Red Hat Satellite 6.11.5 Critical: RHSA-2023-1151-01 RCE Bug Fix
red hat
March 8, 2023
Updated Satellite 6.11 packages that fixes critical security bugs and several regular bugs are now available for Red Hat Satellite
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Summary
Red Hat Satellite is a system management solution that allows organizations
to configure and maintain their systems without the necessity to provide
public Internet access to their servers or other client systems. It
performs provisioning and configuration management of predefined standard
operating environments.
Security fix(es):
tfm-rubygem-activerecord: activerecord: Possible RCE escalation bug with
Serialized Columns in Active Record (CVE-2022-32224)
This update fixes the following bugs:
2153877 - The "Documentation" button on Satellite 6.11 for "Provisioning
Templates" page is pointing to 404 Page Not Found link
2161929 - Locale change caused by RHEL upgrade results in database index
corruption "get() returned more than one Modulemd -- it returned 2!"
2166747 - unable to install satellite 6.11 on rhel8.8 - ansible-core
version is too new
2166748 - Entitlement certificate is missing content section for a custom
product
2166749 - Sync container images of existing docker type repositories fail
with 404 - Not found
2166750 - Another deadlock issue when syncing repos with high concurrency
2166756 - Inspecting an image with skopeo no longer works on Capsules
2166757 - Content view filter included errata not in the filter date range
2166759 - Content view filter will include module streams of other
repos/arches if the errata contain rpms in different repos/arches.
2166760 - Even in 6.11.1, sync summary email notification shows the
incorrect summary for newly added errata.
2166761 - Content view publish fails when the content view and repository
both have a large name with : Error message: the server returns an error
HTTP status code: 500
2166762 - Insights recommendation sync failing in Satelliite
2170874 - Satellite-clone not working if ansible-core 2.13 is installed
Users of Red Hat Satellite are advised to upgrade to these updated
packages, which fix these bugs.
Topics Covered
References
https://access.redhat.com/security/cve/CVE-2022-32224 https://access.redhat.com/security/updates/classification/#critical
Package List
Red Hat Satellite 6.11 for RHEL 7:
Source:
candlepin-4.1.19-1.el7sat.src.rpm
foreman-3.1.1.26-1.el7sat.src.rpm
rubygem-foreman_maintain-1.0.19-1.el7sat.src.rpm
satellite-6.11.5-1.el7sat.src.rpm
tfm-pulpcore-python-naya-1.1.1-1.1.el7pc.src.rpm
tfm-pulpcore-python-pulp-container-2.9.9-1.el7pc.src.rpm
tfm-pulpcore-python-pulpcore-3.16.15-1.el7pc.src.rpm
tfm-rubygem-actioncable-6.0.6-2.el7sat.src.rpm
tfm-rubygem-actionmailbox-6.0.6-2.el7sat.src.rpm
tfm-rubygem-actionmailer-6.0.6-2.el7sat.src.rpm
tfm-rubygem-actionpack-6.0.6-2.el7sat.src.rpm
tfm-rubygem-actiontext-6.0.6-2.el7sat.src.rpm
tfm-rubygem-actionview-6.0.6-2.el7sat.src.rpm
tfm-rubygem-activejob-6.0.6-2.el7sat.src.rpm
tfm-rubygem-activemodel-6.0.6-2.el7sat.src.rpm
tfm-rubygem-activerecord-6.0.6-2.el7sat.src.rpm
tfm-rubygem-activestorage-6.0.6-2.el7sat.src.rpm
tfm-rubygem-activesupport-6.0.6-1.el7sat.src.rpm
tfm-rubygem-foreman_rh_cloud-5.0.44-1.el7sat.src.rpm
tfm-rubygem-foreman_theme_satellite-9.0.0.12-1.el7sat.src.rpm
tfm-rubygem-katello-4.3.0.52-1.el7sat.src.rpm
tfm-rubygem-rails-6.0.6-2.el7sat.src.rpm
tfm-rubygem-railties-6.0.6-2.el7sat.src.rpm
tfm-rubygem-smart_proxy_container_gateway-1.0.7-1.el7sat.src.rpm
noarch:
candlepin-4.1.19-1.el7sat.noarch.rpm
candlepin-selinux-4.1.19-1.el7sat.noarch.rpm
Read the Full Advisory
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2023:1151-01
Product: Red Hat Satellite 6
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1151
Issue date: 2023-03-07
Topic
Updated Satellite 6.11 packages that fixes critical security bugs andseveralregular bugs are now available for Red Hat Satellite.
Topics Covered
Relevant Releases Architectures
Red Hat Satellite 6.11 for RHEL 7 - noarch
Red Hat Satellite 6.11 for RHEL 8 - noarch
Bugs Fixed
2108997 - CVE-2022-32224 activerecord: Possible RCE escalation bug with Serialized Columns in Active Record
2153877 - The "Documentation" button on Satellite 6.11 for "Provisioning Templates" page is pointing to 404 Page Not Found link
2161929 - Locale change caused by RHEL upgrade results in database index corruption "get() returned more than one Modulemd -- it returned 2!"
2166747 - unable to install satellite 6.11 on rhel8.8 - ansible-core version is too new
2166748 - Entitlement certificate is missing content section for a custom product
2166749 - Sync container images of existing docker type repositories fail with 404 - Not found
2166750 - Another deadlock issue when syncing repos with high concurrency
2166756 - Inspecting an image with skopeo no longer works on Capsules
2166757 - Content view filter included errata not in the filter date range
2166759 - Content view filter will include module streams of other repos/arches if the errata contain rpms in different repos/arches.
2166760 - Even in 6.11.1, sync summary email notification shows the incorrect summary for newly added errata.
2166761 - Content view publish fails when the content view and repository both have a large name with : Error message: the server returns an error HTTP status code: 500
2166762 - Insights recommendation sync failing in Satelliite
2170874 - Satellite-clone not working if ansible-core 2.13 is installed
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!