Alerts This Week
Warning Icon 1 714
Alerts This Week
Warning Icon 1 714

Red Hat RHUI 4.5.0 Moderate Advisory: Multiple Bug Fixes and Enhancements

red hat
Calendar Grey August 9, 2023
Dist Redhat Esm H88
Standard safety notice for RHUI version 4.5.0 launch containing various corrections and improvements.
An updated version of Red Hat Update Infrastructure (RHUI) is now available

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For detailed instructions on how to apply this update, see: https://docs.redhat.com/en/documentation/red_hat_update_infrastructure/4/html/migrating_red_hat_update_infrastructure/assembly_upgrading-red-hat-update-infrastructure_migrating-red-hat-update-infrastructure

For other information, see the product documentation: https://docs.redhat.com/en/documentation/red_hat_update_infrastructure/4

Summary

Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux (RHEL) instances.
Security Fix(es): * Django: Potential bypass of validation when uploading multiple files using a single form field (CVE-2023-31047)
* sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service) (CVE-2023-30608)
This RHUI update fixes the following bugs:
* Previously, the `rhui-manager` command used the `logname` command to obtain the login name. However, when `rhui-manager` is run using the `rhui-repo-sync` cron job, a login name is not defined. Consequently, emails sent by the cron job contained the error message `logname: no login name`. With this update, `rhui-manager` does not obtain the login name using the `logname` command and the error message is no longer generated.
* Previously, when an invalid repository ID was used with the `rhui-manager` command to synchronize or delete a repository, the command failed with following error: `An unexpected error has occurred during the last operation.` Additionally, a traceback was also logged. With this update, the error message has been improved and failure to run no longer logs a traceback.
This RHUI update introduces the following enhancements:
* With this update, the client configuration RPMs in `rhui-manager` prevent subscription manager from automatically enabling `yum` plugins. As a result, RHUI repository users will no longer see irrelevant messages from subscription manager. (BZ#1957871)
* With this update, you can generate machine-readable files with the status of each RHUI repository. To use this feature, run the following command: `rhui-manager --non-interactive status --repo_json ` (BZ#2079391)
* With this update, the `rhui-manager` CLI command uses a variety of unique exit codes to indicate different types of errors. For example, if you attempt to add a Red Hat repository that has already been added, the command will exit with a status of 245. However, if you attempt to add a Red Hat repository that does not exist in the RHUI entitlement, the command will exit with a status of 246. For a complete list of codes, see the `/usr/lib/python3.6/site-packages/rhui/common/rhui_exit_codes.py` file.

Topics%20covered

Topics Covered

security advisory moderate bug fix Red Hat Update Infrastructure operational enhancement

References

https://access.redhat.com/security/cve/CVE-2023-30608 https://access.redhat.com/security/cve/CVE-2023-31047 https://access.redhat.com/security/updates/classification#moderate

Package List

RHUI 4 for RHEL 8:
Source: python-django-3.2.19-1.0.1.el8ui.src.rpm python-sqlparse-0.4.4-1.0.1.el8ui.src.rpm rhui-installer-4.5.0.1-1.el8ui.src.rpm rhui-tools-4.5.0.5-1.el8ui.src.rpm
noarch: python39-django-3.2.19-1.0.1.el8ui.noarch.rpm python39-sqlparse-0.4.4-1.0.1.el8ui.noarch.rpm rhui-installer-4.5.0.1-1.el8ui.noarch.rpm rhui-tools-4.5.0.5-1.el8ui.noarch.rpm rhui-tools-libs-4.5.0.5-1.el8ui.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key


Advisory ID: RHSA-2023:4591-01
Product: Red Hat Update Infrastructure
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4591
Issue date: 2023-08-09

Topic

An updated version of Red Hat Update Infrastructure (RHUI) is nowavailable. RHUI 4.5 fixes several security and operational bugs and alsoadds several new features.

Topics%20covered

Topics Covered

security advisory moderate bug fix Red Hat Update Infrastructure operational enhancement

Relevant Releases Architectures

RHUI 4 for RHEL 8 - noarch

Bugs Fixed

1957871 - [RFE} Client rpms created in RHUI don't prevent auto-enable of subscription manager plugins

2079391 - Feature request to provide sync/repo status of each repo in a JSON file for automated monitoring

2187903 - CVE-2023-30608 sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service)

2192565 - CVE-2023-31047 python-django: Potential bypass of validation when uploading multiple files using one form field

6. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

RHUI-217 - [RFE] Client rpms created in RHUI don't prevent auto-enable of subscription manager plugins

RHUI-263 - [RFE] Bug 2079391 - Feature request to provide sync/repo status of each repo in a JSON file for automated monitoring

RHUI-356 - "logname: no login name" appears, twice, in e-mails sent by the rhui-repo-sync cron job

RHUI-395 - Change error reporting of rhui-manager to be configurable

RHUI-424 - repo deletion for an un-added repo results in a traceback

RHUI-430 - Installation fails on RHEL 8.9

RHUI-75 - repo sync for an un-added repo results in a traceback

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here