Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat CodeReady Workspaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2023:2101 - Security Advisory
Issued:
2023-05-03
Updated:
2023-05-03

RHSA-2023:2101 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Moderate: RHUI 4.4.0 release - Security Fixes, Bug Fixes, and Enhancements Update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.4 fixes several security and operational bugs, and introduces multiple new features.

Description

Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux (RHEL) instances.

Security Fix(es):

  • Django: Potential denial-of-service vulnerability due to large Accept-Language header values (CVE-2023-23969)
  • Django: Potential denial-of-service vulnerability when uploading multiple files (CVE-2023-24580)
  • Future: Remote attackers can cause denial-of-service using crafted Set-Cookie header from a malicious web server (CVE-2022-40899)

This RHUI update fixes the following bugs:

  • Previously, when the `rhui-services-restart` command was run, it restarted only those `pulpcore-worker` services that were already running and ignored services that were not running. With this update, the `rhui-services-restart` command restarts all `pulpcore-worker` services irrespective of their status.
  • Previously, the `rhui-manager status` command returned an incorrect exit status when there was a problem. With this update, the issue has been fixed and the command now returns the correct exit status. (BZ#2174633)
  • Previously, `rhui-installer` ignored the `--rhua-mount-options` parameter and only used the read-write (`rw`) mount option to set up RHUI remote share. With this update, `rhui-installer` uses the `--rhua-mount-options` parameter. However, `rhui-installer` still uses the read-write (`rw`) option by default. (BZ#2174316)
  • Previously, when you ran `rhui-installer`, it rewrote the `/etc/rhui/rhui-tools.conf` file, resetting all container-related settings. With this update, the command saves the container-related settings from the `/etc/rhui/rhui-tools.conf` file and restores them after the file is rewritten.

This RHUI update introduces the following enhancements:

  • The `rhui-installer` command now supports the `--pulp-workers _COUNT_` argument. RHUI administrators can use this argument to set up a number of Pulp workers. (BZ#2036408)
  • You can now configure CDS nodes to never fetch non-exported content from the RHUA node. To configure the node, rerun the `rhui-installer` command with the `--fetch-missing-symlinks False` argument, and then apply this configuration to all CDS nodes. If you configure your CDS nodes this way, ensure that the content has been exported before RHUI clients start consuming it. (BZ#2084950)
  • Support for containers in RHUI is disabled by default. If you want to use containers, you must manually enable container support by rerunning `rhui-installer` with the `--container-support-enabled True` argument, and then applying this configuration to all CDS nodes.
  • Transport Layer Security (TLS) 1.3 and HTTP Strict Transport Security (HSTS) is now enabled in RHUI. This update improves overall RHUI security and also removes unsafe ciphers from the `nginx` configuration on CDS nodes. (BZ#1887903)
  • You can now remove packages from custom repositories using the text user interface (TUI) as well as the command line. For more information, see the release notes or the product documentation.(BZ#2165444)
  • You can now set up the Alternate Content Source (ACS) configuration in RHUI to quickly synchronize new repositories and content by substituting remote content with matching content that is available locally or geographically closer to your instance of RHUI. For more information, see the release notes or the product documentation. (BZ#2001087)
  • You can now use a custom prefix, or no prefix at all, when naming your RHUI repositories. You can change the prefix by rerunning the `rhui-installer` command with the `--client-repo-prefix <prefix>` argument. To remove the prefix entirely, use two quotation marks ("") as the `<prefix>` parameter. For more information, see the release notes or the product documentation.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Update Infrastructure 4 x86_64

Fixes

  • BZ - 2036408 - Change default pulp workers if RHUA has lower cpu count
  • BZ - 2084950 - RHUIv4 does not function when RHUA is unavailable
  • BZ - 2165444 - [RFE] No way to remove specific packages in custom repositories
  • BZ - 2165866 - CVE-2022-40899 python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious web server
  • BZ - 2166457 - CVE-2023-23969 python-django: Potential denial-of-service via Accept-Language headers
  • BZ - 2169402 - CVE-2023-24580 python-django: Potential denial-of-service vulnerability in file uploads
  • BZ - 2174316 - rhui-installer ignores --rhua-mount-options option in rhui4.
  • BZ - 2174633 - 'rhui-manager status' returns an exist code 0 even if pulp-workers are down
  • RHUI-134 - [RFE] Satellite w/ Pulp 3 ACS: Generate a cert, headers, a base URL, and subpaths for a list of repositories
  • RHUI-148 - Enable remove RPM functionality from custom repo
  • RHUI-199 - Remove unsafe ciphers from default setup of NGinx
  • RHUI-230 - Bug 1887903 - TLS testing tool on CDS certificate
  • RHUI-342 - Make client repo ID prefix optional
  • RHUI-354 - Container support should be "opt-in" and not enabled by default
  • RHUI-362 - rhui-installer --rerun wipes container registry configuration
  • RHUI-368 - Update Django to address CVE-2023-24580 python-django: Potential denial-of-service vulnerability in file uploads
  • RHUI-370 - rhui-installer ignores --rhua-mount-options option in rhui4
  • RHUI-371 - 'rhui-manager status' returns an exist code 0 even if pulp-workers are down
  • RHUI-372 - Allow CDS to be configured without requesting RHUA creating missing symlinks.
  • RHUI-376 - rhui-services-restart doesn't start workers if they're down
  • RHUI-377 - Create a rhui-installer argument to change the number of pulp-workers

CVEs

  • CVE-2022-40899
  • CVE-2023-23969
  • CVE-2023-24580

References

  • https://access.redhat.com/security/updates/classification/#moderate
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Update Infrastructure 4

SRPM
python-django-3.2.18-1.0.1.el8ui.src.rpm SHA-256: a523ae91d53a6c8fde7f0e31e1e685b9152f8e2d7757a2e1baeba90d25f7441f
python-future-0.18.3-1.0.1.el8ui.src.rpm SHA-256: f8608ca6e6edc0dc0365b66e2b8e75bcd21a613381afd23543b45de6359ef9e8
rhui-installer-4.4.0.5-1.el8ui.src.rpm SHA-256: cac8bf536dc3c040f0fd7fbf708e726e2a80bc6add099b3403f54c5cdb2cecdb
rhui-tools-4.4.0.5-1.el8ui.src.rpm SHA-256: ec1ba08d270ee55a2b732bc0138196782b4bd36bb016b0fd352f5abf9a79acb6
x86_64
python39-django-3.2.18-1.0.1.el8ui.noarch.rpm SHA-256: fcde9a22046227ab8417e9121eb9f394e6fa007ac14b85743e4065c12e193a01
python39-future-0.18.3-1.0.1.el8ui.noarch.rpm SHA-256: ab35b3b4f6eb5c98177a12426c32ebf85714aead7c9b7a715778b98e8c844133
rhui-installer-4.4.0.5-1.el8ui.noarch.rpm SHA-256: 2e7b80b6290e0e9b3b89cb4c9127b12b5de4c7c0f6505eb86ffcdb7916b469f9
rhui-tools-4.4.0.5-1.el8ui.noarch.rpm SHA-256: 68ca8ef75a5940f5628bba0f9abf3f94ae29fe146d60aa955109bea76bc9d624
rhui-tools-libs-4.4.0.5-1.el8ui.noarch.rpm SHA-256: f096cd461ef126c8d815716e7e9f8cd382c79a2086f1b73be156ebb0059a5477

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
2023
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Twitter Facebook