Alerts This Week
Warning Icon 1 485
Alerts This Week
Warning Icon 1 485

Red Hat Satellite 6.13 RHSA-2023:2097-03 Critical: Security Flaws

red hat
Calendar Grey May 3, 2023
Dist Redhat Esm H88
The launch of Red Hat Satellite 6.13 brings significant improvements along with multiple security patches aimed at optimizing system administration.
An update is now available for Red Hat Satellite 6.13

Solution

For Red Hat Satellite 6.13, see the following documentation for the release. https://docs.redhat.com/en/documentation/red_hat_satellite/6.13

The important instructions on how to upgrade are available below. https://docs.redhat.com/en/documentation/red_hat_satellite/6.13/html/upgrading_and_updating_red_hat_satellite/index

Summary

Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool.
Security Fix(es): * CVE-2022-1471 CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751 CVE-2022-38752 candlepin and puppetserver: various flaws * CVE-2022-22577 tfm-rubygem-actionpack: rubygem-actionpack: Possible cross-site scripting vulnerability in Action Pack * CVE-2022-23514 rubygem-loofah: inefficient regular expression leading to denial of service * CVE-2022-23515 rubygem-loofah: rubygem-loofah: Improper neutralization of data URIs leading to Cross Site Scripting * CVE-2022-23516 rubygem-loofah: Uncontrolled Recursion leading to denial of service * CVE-2022-23517 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Inefficient Regular Expression leading to denial of service * CVE-2022-23518 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Improper neutralization of data URIs leading to Cross site scripting * CVE-2022-23519 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Cross site scripting vulnerability with certain configurations * CVE-2022-23520 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Cross site scripting vulnerability with certain configurations * CVE-2022-27777 tfm-rubygem-actionview: Possible cross-site scripting vulnerability in Action View tag helpers* CVE-2022-31163 rubygem-tzinfo: rubygem-tzinfo: arbitrary code execution * CVE-2022-32224 tfm-rubygem-activerecord: activerecord: Possible RCE escalation bug with Serialized Columns in Active Record * CVE-2022-33980 candlepin: apache-commons-configuration2: Apache Commons Configuration insecure interpolation defaults * CVE-2022-41323 satellite-capsule:el8/python-django: Potential denial-of-service vulnerability in internationalized URLs * CVE-2022-41946 candlepin: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions * CVE-2022-42003 CVE-2022-42004 candlepin: various flaws * CVE-2022-42889 candlepin: apache-commons-text: variable interpolation RCE * CVE-2022-23514 rubygem-loofah: inefficient regular expression leading to denial of service * CVE-2023-23969 python-django: Potential denial-of-service via Accept-Language headers* CVE-2023-24580 python-django: Potential denial-of-service vulnerability in file uploads
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
The items above are not a complete list of changes. This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document.

References

https://access.redhat.com/security/cve/CVE-2022-1471 https://access.redhat.com/security/cve/CVE-2022-22577 https://access.redhat.com/security/cve/CVE-2022-23514 https://access.redhat.com/security/cve/CVE-2022-23515 https://access.redhat.com/security/cve/CVE-2022-23516 https://access.redhat.com/security/cve/CVE-2022-23517 https://access.redhat.com/security/cve/CVE-2022-23518 https://access.redhat.com/security/cve/CVE-2022-23519 https://access.redhat.com/security/cve/CVE-2022-23520 https://access.redhat.com/security/cve/CVE-2022-25857 https://access.redhat.com/security/cve/CVE-2022-27777 https://access.redhat.com/security/cve/CVE-2022-31163 https://access.redhat.com/security/cve/CVE-2022-32224 https://access.redhat.com/security/cve/CVE-2022-33980 https://access.redhat.com/security/cve/CVE-2022-38749 https://access.redhat.com/security/cve/CVE-2022-38750 https://access.redhat.com/security/cve/CVE-2022-38751 https://access.redhat.com/security/cve/CVE-2022-38752 https://access.redhat.com/security/cve/CVE-2022-41323 https://access.redhat.com/security/cve/CVE-2022-41946 https://access.redhat.com/security/cve/CVE-2022-42003 https://access.redhat.com/security/cve/CVE-2022-42004 https://access.redhat.com/security/cve/CVE-2022-42889 Read the Full Advisory

Package List

Red Hat Satellite 6.13 for RHEL 8:
Source: ansible-collection-redhat-satellite-3.9.0-2.el8sat.src.rpm ansible-collection-redhat-satellite_operations-1.3.0-2.el8sat.src.rpm ansible-lint-5.0.8-4.el8pc.src.rpm ansible-runner-2.2.1-3.el8sat.src.rpm ansiblerole-foreman_scap_client-0.2.0-2.el8sat.src.rpm ansiblerole-insights-client-1.7.1-2.el8sat.src.rpm candlepin-4.2.13-1.el8sat.src.rpm cjson-1.7.14-5.el8sat.src.rpm createrepo_c-0.20.1-1.el8pc.src.rpm dynflow-utils-1.6.3-1.el8sat.src.rpm foreman-3.5.1.14-1.el8sat.src.rpm foreman-bootloaders-redhat-202102220000-1.el8sat.src.rpm foreman-discovery-image-4.1.0-10.el8sat.src.rpm foreman-discovery-image-service-1.0.0-4.1.el8sat.src.rpm foreman-installer-3.5.2.1-1.el8sat.src.rpm foreman-obsolete-packages-1.1-1.el8sat.src.rpm foreman-proxy-3.5.1-1.el8sat.src.rpm foreman-selinux-3.5.1-1.el8sat.src.rpm katello-4.7.0-1.el8sat.src.rpm katello-certs-tools-2.9.0-1.el8sat.src.rpm katello-client-bootstrap-1.7.9-1.el8sat.src.rpm katello-selinux-4.0.2-2.el8sat.src.rpm libcomps-0.1.18-4.el8pc.src.rpm libsodium-1.0.17-3.el8sat.src.rpm libsolv-0.7.22-4.el8pc.src.rpm libwebsockets-2.4.2-2.el8.src.rpm mosquitto-2.0.14-1.el8sat.src.rpm postgresql-evr-0.0.2-1.el8sat.src.rpm pulpcore-selinux-1.3.2-1.el8pc.src.rpm

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2023:2097-03
Product: Red Hat Satellite 6
Issue date: 2023-05-03

Topic

An update is now available for Red Hat Satellite 6.13. The release containsanew version of Satellite and important security fixes for variouscomponents.

Relevant Releases Architectures

Red Hat Satellite 6.13 for RHEL 8 - noarch, x86_64

Bugs Fixed

1225819 - [RFE] Ability to sync from closest CDN mirror for Capsule

1266407 - IPA (external users) not able to authenticate using hammer CLI: invalid user / SSO failed

1630294 - [RFE] Remote execution overview dashboard should be more interactive like the Monitor Dashboard

1638226 - [RFE] Show difference in errata between ContentViewVersions

1650468 - [RFE] Allow to export Docker images from content views or as repository as part ISS

1761012 - [RFE] Ability to generate a report for ansible/remote execution task result.

1786358 - [RFE] Ability to make persistent changes in "ansible.cfg" on Satellite Server.

1787456 - [RFE] Candlepin log rotation settings should be user-configurable

1813274 - [RFE] Allow customers to be able to add more columns to 'All Hosts' page in Red Hat Satellite 6 webui.

1826648 - [RFE] new report template to list all the installed packages

1837767 - Errata search filtered with ID does not work in Web UI

1841534 - Provide support for "Privileged User" session when host console is being taken via cockpit from Satellite 6.7 UI

1845489 - Audit page shows "auditable id / Host2" for "Host1" but Host2 does not exist or deleted from the all hosts

1880947 - Satellite fails with "HTTP error (500 - Internal Server Error): PG::UniqueViolation: ERROR: duplicate key value violates unique constraint" while running concurrent registrations

1888667 - "Applied Errata" report template does not consider input "Up to" and "Since" in WebUI, hammer works

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here