- Issued:
- 2023-10-19
- Updated:
- 2023-10-19
RHSA-2023:5931 - Security Advisory
Synopsis
Important: Satellite 6.13.5 Async Security Update
Type/Severity
Security Advisory: Important
Red Hat Lightspeed patch analysis
Identify and remediate systems affected by this advisory.
Topic
Updated Satellite 6.13 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.
Security fix(es):
- Yggdrasil-worker-forwarder (gRPC): Rapid Reset Attack through HTTP/2 enabled web service which leads to DDoS attack (CVE-2023-44487 & CVE-2023-39325)
A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.
- Foreman: OS command injection via ct_command and fcct_command (CVE-2022-3874)
- Foreman: Arbitrary code execution through yaml global parameters (CVE-2023-0462)
- GitPython: Remote code execution and improper input validation vulnerability (CVE-2022-24439 & CVE-2023-40267)
- Ruby-git & tfm-rubygem-git: Code injection vulnerability (CVE-2022-47318 & CVE-2022-46648)
- Python-django: Multiple flaws (CVE-2023-31047 & CVE-2023-36053)
- Puppet-agent (openssl): Multiple flaws (CVE-2022-1292 CVE-2022-2068)
This update fixes the following bugs:
2238346 - Red Hat supported provisioning templates are not recognized by RH icon on the row for a given template
2238348 - when creating a backup on rhel7 and restoring on rhel8, the restore process will fail with permission issues
2238350 - Virtual machine goes in re-provisioning mode while registration host using Global registration template.
2238359 - Capsule redundantly synces *-Export-Library repos
2238361 - Can't update the redhat_repository_url without changing the cdn_configuration to custom_cdn
2238363 - katello-certs-check does not cause the installer to halt execution on failure
2238367 - Satellite Web UI >> Hosts >> All Hosts page loading slow even after power isn't selected from the new option "Manage columns".
2238369 - Content-export incremental with syncable format based does not include productid file into repodata directory
2238371 - SELinux is preventing pulpcore-worker from read access on the key labeled pulpcore_server_t
2239041 - Reclaim space for repository fails with Cannot delete some instances of model 'Artifact' because they are referenced through protected foreign keys: 'ContentArtifact.artifact'."
2238353 - The "hammer export" command using single thread encryption causes a performance bottleneck.
2240781 - Remediation from CRC via Satellite shows "Failed" status even after successful remediation of Insights recommendations.
2241914 - "NoMethodError: undefined method `fact_values'" while trying to perform inventory upload
Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- Red Hat Satellite 6.13 x86_64
- Red Hat Satellite Capsule 6.13 x86_64
- Red Hat Enterprise Linux for x86_64 8 x86_64
Fixes
- BZ - 2081494 - CVE-2022-1292 openssl: c_rehash script allows command injection
- BZ - 2097310 - CVE-2022-2068 openssl: the c_rehash script allows command injection
- BZ - 2140577 - CVE-2022-3874 foreman: OS command injection via ct_command and fcct_command
- BZ - 2151583 - CVE-2022-24439 GitPython: improper user input validation leads into a RCE
- BZ - 2159672 - CVE-2022-47318 ruby-git: code injection vulnerability
- BZ - 2162970 - CVE-2023-0462 Satellite/Foreman: Arbitrary code execution through yaml global parameters
- BZ - 2169385 - CVE-2022-46648 ruby-git: code injection vulnerability
- BZ - 2192565 - CVE-2023-31047 python-django: Potential bypass of validation when uploading multiple files using one form field
- BZ - 2218004 - CVE-2023-36053 python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator
- BZ - 2231474 - CVE-2023-40267 GitPython: Insecure non-multi options in clone and clone_from is not blocked
- BZ - 2238346 - Red Hat supported provisioning templates are not recognized by RH icon on the row for a given template
- BZ - 2238348 - when creating a backup on rhel7 and restoring on rhel8, the restore process will fail with permission issues
- BZ - 2238350 - Virtual machine goes in re-provisioning mode while registration host using Global registration template.
- BZ - 2238353 - The "hammer export" command using single thread encryption causes a performance bottleneck.
- BZ - 2238359 - Capsule redundantly synces *-Export-Library repos
- BZ - 2238361 - Can't update the redhat_repository_url without changing the cdn_configuration to custom_cdn
- BZ - 2238363 - katello-certs-check does not cause the installer to halt execution on failure
- BZ - 2238367 - Satellite Web UI >> Hosts >> All Hosts page loading slow even after power isn't selected from the new option "Manage columns".
- BZ - 2238369 - Content-export incremental with syncable format based does not include productid file into repodata directory
- BZ - 2238371 - SELinux is preventing pulpcore-worker from read access on the key labeled pulpcore_server_t
- BZ - 2239041 - Reclaim space for repository fails with Cannot delete some instances of model 'Artifact' because they are referenced through protected foreign keys: 'ContentArtifact.artifact'."
- BZ - 2240781 - Remediation from CRC via Satellite shows "Failed" status even after successful remediation of Insights recommendations.
- BZ - 2241914 - "NoMethodError: undefined method `fact_values'" while trying to perform inventory upload
- BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
- BZ - 2243296 - CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
CVEs
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Satellite 6.13
| SRPM | |
|---|---|
| foreman-3.5.1.23-1.el8sat.src.rpm | SHA-256: 96085dcf86b81edb832f88e2aa313545965dc7d6a0a595cc1be44b1d33bc4d5a |
| foreman-installer-3.5.2.4-1.el8sat.src.rpm | SHA-256: c6c3236a7322084f8588e922efa21d192ec9ce7e25e3a9fae8ee33be5f470919 |
| pulpcore-selinux-1.3.3-1.el8pc.src.rpm | SHA-256: 1615350542bf357d5b092910bbb3fd0b6f1e326bd860039319405f0e29fbb9a6 |
| puppet-agent-7.26.0-3.el8sat.src.rpm | SHA-256: b74e9a66ede61765c6e831331ea39b231079b654c81e6f3bf7516a246cf6fcca |
| python-django-3.2.21-1.el8pc.src.rpm | SHA-256: 873b7da154f744c5cad8e452678bb8eb3346d7c97325e38d2887d55e3a8a15fc |
| python-gitpython-3.1.32-1.el8pc.src.rpm | SHA-256: 2ba1cea3d5c2fc9ee24643262fdf27d4fc8d734b6dc5283f02508d7072aa056b |
| python-pulpcore-3.21.18-1.el8pc.src.rpm | SHA-256: d0fb49636029b285ccb795ffd444bfcc217d9bf3b461f3174443eefbbcaa6675 |
| rubygem-foreman_maintain-1.2.12-1.el8sat.src.rpm | SHA-256: 8321b2a313796704e926c9703b320eccd8eeb8e51d5d777365b9509ee075c6e1 |
| rubygem-foreman_rh_cloud-7.0.48-1.el8sat.src.rpm | SHA-256: 7f47014e01deca4a314e99d2ec2cfa334002981be70934611a1a4480a40994cc |
| rubygem-foreman_theme_satellite-11.0.0.6-1.el8sat.src.rpm | SHA-256: 59691b0b33b4a639124e2e37373efcea54401b7927a92d73b901d48b346d6db3 |
| rubygem-git-1.18.0-1.el8sat.src.rpm | SHA-256: 819b91cef0d6d90e09bd877fb9ada246e9d81a34c2ee47f7dc2780cf6a94a63f |
| rubygem-katello-4.7.0.33-1.el8sat.src.rpm | SHA-256: 8ac0b43e9b9047f7d050a7f838cfdf0901ae5fadec8f7072c6d4c61847266936 |
| satellite-6.13.5-1.el8sat.src.rpm | SHA-256: 45f6b46307212bf427fceca2311eedc5a52f2be84f4acad244e8f2fdd6d7f6e5 |
| yggdrasil-worker-forwarder-0.0.3-1.el8sat.src.rpm | SHA-256: 45854be1e160d0056c61e509c3463beaf4aafbdef825ea9d10e6699fab906d6e |
| x86_64 | |
| foreman-3.5.1.23-1.el8sat.noarch.rpm | SHA-256: 1dd7653e893a946c496cd6b55424613d91da8bf379d2eb028d211306da8c6e15 |
| foreman-cli-3.5.1.23-1.el8sat.noarch.rpm | SHA-256: 43df8a49db47e709596e49159792b33942f72df2e6398a25212531ea9932740e |
| foreman-debug-3.5.1.23-1.el8sat.noarch.rpm | SHA-256: fc61cf84b452c0851bc07f48a576047e6c842d0380be4e45d178732b784ca543 |
| foreman-dynflow-sidekiq-3.5.1.23-1.el8sat.noarch.rpm | SHA-256: 995f124bd4c6559a1678ad66ebab2181a784de64bf6a78e866fddff614c0655f |
| foreman-ec2-3.5.1.23-1.el8sat.noarch.rpm | SHA-256: 30e505dc20e82fc79e2e76de707e2372aab32bc00bbe224c579cf109fe223ad1 |
| foreman-installer-3.5.2.4-1.el8sat.noarch.rpm | SHA-256: eb79202f8c16fee9202f07a599016f00cc6cf6ceb231347e45b6cdf1cadde590 |
| foreman-installer-katello-3.5.2.4-1.el8sat.noarch.rpm | SHA-256: dfe32d815ef424ceff57ea54723905a6fad4821b5a70c3088179b9b7fe2c3a67 |
| foreman-journald-3.5.1.23-1.el8sat.noarch.rpm | SHA-256: 7a1238cf607e7086ba0e7bce8b2bb0ee8e03da3181ac21cf3229e67a203fdb2d |
| foreman-libvirt-3.5.1.23-1.el8sat.noarch.rpm | SHA-256: a477fe9e8d871cc7e9f42401bbef0eee4ff5c20d2af01e45482232c30cd8ee41 |
| foreman-openstack-3.5.1.23-1.el8sat.noarch.rpm | SHA-256: 99030ed07008dcd3c836ca062810fe25c80d577ebbdc6d540688b1a91a139c15 |
| foreman-ovirt-3.5.1.23-1.el8sat.noarch.rpm | SHA-256: d2c1ec4feb52d7edf1bf91cfe8b38f8f4ffb80b98f99fd3b9a435ada451631ac |
| foreman-postgresql-3.5.1.23-1.el8sat.noarch.rpm | SHA-256: 9e7309bc34843d4122b5f10ab6a84a0d23771b22cd3ab4be51a567cf49ea9567 |
| foreman-service-3.5.1.23-1.el8sat.noarch.rpm | SHA-256: bcf13d98dd1d27de6a4669dcd109578f656afe16eb762e77961b797fda65e030 |
| foreman-telemetry-3.5.1.23-1.el8sat.noarch.rpm | SHA-256: 3a4fb040419bac8e611767e0746718ca68bf27d5f033dab3d8a5b8c3491e1ebe |
| foreman-vmware-3.5.1.23-1.el8sat.noarch.rpm | SHA-256: f8c507db5afcfb0a2d5d024caaa416433d08becbc2ead0c5c02ebd5a1db175fd |
| pulpcore-selinux-1.3.3-1.el8pc.x86_64.rpm | SHA-256: 21f61165122e901a0bd1780500def6aa0fda5cbc6d77fea3793748ca3e2bf5ee |
| puppet-agent-7.26.0-3.el8sat.x86_64.rpm | SHA-256: cc4bf1c0903e4e5c32eb7842fef51b10a8554883e3db5ed5214ec9003b2c400d |
| python39-django-3.2.21-1.el8pc.noarch.rpm | SHA-256: 74cd02c31d8e89ba87a79aafca43d7a6481e92ca17b1578bd8b4a6c9fd1033d2 |
| python39-gitpython-3.1.32-1.el8pc.noarch.rpm | SHA-256: 82d25304ba90d22161411688dd2e7c8e111b02c44174eee2956e7892ca9ceaba |
| python39-pulpcore-3.21.18-1.el8pc.noarch.rpm | SHA-256: 8c95cce5efb360ac56ef093156ec77a3f81a833872f25da5867f08584ae61ee2 |
| rubygem-foreman_maintain-1.2.12-1.el8sat.noarch.rpm | SHA-256: e6e953ce313b1fbe29e3c6634a448ba1f9e33d2bf10df3a0deecd578b00b6d0c |
| rubygem-foreman_rh_cloud-7.0.48-1.el8sat.noarch.rpm | SHA-256: 28ece4b9d0b01d78c833f83ad81def5f4c738012306a270fab8843e5846bdd01 |
| rubygem-foreman_theme_satellite-11.0.0.6-1.el8sat.noarch.rpm | SHA-256: 54e87cfb7a22efabc0ecc94b7332db4192b2f366f6b7694c3e38db40c4aa307e |
| rubygem-git-1.18.0-1.el8sat.noarch.rpm | SHA-256: 0359bc46b15f333b347aa93a709ba1c58c40432789c33cd5892a0db809456322 |
| rubygem-katello-4.7.0.33-1.el8sat.noarch.rpm | SHA-256: 9729109730aa1b889f0b2f5c6f39b185966294ac158c34f3d694e51fdf90bc80 |
| satellite-6.13.5-1.el8sat.noarch.rpm | SHA-256: 18a86057466465cefadadeda28637e8a92e9f8231775a167d16787d6f1f08c73 |
| satellite-cli-6.13.5-1.el8sat.noarch.rpm | SHA-256: 3c80c68417a2c0f166f5cf2dc619ae142d5d9417c1b39ff33d216167f9ac1c20 |
| satellite-common-6.13.5-1.el8sat.noarch.rpm | SHA-256: bcf9e4ea16e567c1990a7baf5eced2adc21bf40658feff14efb9ed2df39b0147 |
| yggdrasil-worker-forwarder-0.0.3-1.el8sat.x86_64.rpm | SHA-256: 083c3b580f7053ddc97446dd7b64f97d6874c5d5e4448bc9c66f98b58f8a5afc |
Red Hat Satellite Capsule 6.13
| SRPM | |
|---|---|
| foreman-3.5.1.23-1.el8sat.src.rpm | SHA-256: 96085dcf86b81edb832f88e2aa313545965dc7d6a0a595cc1be44b1d33bc4d5a |
| foreman-installer-3.5.2.4-1.el8sat.src.rpm | SHA-256: c6c3236a7322084f8588e922efa21d192ec9ce7e25e3a9fae8ee33be5f470919 |
| pulpcore-selinux-1.3.3-1.el8pc.src.rpm | SHA-256: 1615350542bf357d5b092910bbb3fd0b6f1e326bd860039319405f0e29fbb9a6 |
| puppet-agent-7.26.0-3.el8sat.src.rpm | SHA-256: b74e9a66ede61765c6e831331ea39b231079b654c81e6f3bf7516a246cf6fcca |
| python-django-3.2.21-1.el8pc.src.rpm | SHA-256: 873b7da154f744c5cad8e452678bb8eb3346d7c97325e38d2887d55e3a8a15fc |
| python-gitpython-3.1.32-1.el8pc.src.rpm | SHA-256: 2ba1cea3d5c2fc9ee24643262fdf27d4fc8d734b6dc5283f02508d7072aa056b |
| python-pulpcore-3.21.18-1.el8pc.src.rpm | SHA-256: d0fb49636029b285ccb795ffd444bfcc217d9bf3b461f3174443eefbbcaa6675 |
| rubygem-foreman_maintain-1.2.12-1.el8sat.src.rpm | SHA-256: 8321b2a313796704e926c9703b320eccd8eeb8e51d5d777365b9509ee075c6e1 |
| satellite-6.13.5-1.el8sat.src.rpm | SHA-256: 45f6b46307212bf427fceca2311eedc5a52f2be84f4acad244e8f2fdd6d7f6e5 |
| x86_64 | |
| foreman-debug-3.5.1.23-1.el8sat.noarch.rpm | SHA-256: fc61cf84b452c0851bc07f48a576047e6c842d0380be4e45d178732b784ca543 |
| foreman-installer-3.5.2.4-1.el8sat.noarch.rpm | SHA-256: eb79202f8c16fee9202f07a599016f00cc6cf6ceb231347e45b6cdf1cadde590 |
| foreman-installer-katello-3.5.2.4-1.el8sat.noarch.rpm | SHA-256: dfe32d815ef424ceff57ea54723905a6fad4821b5a70c3088179b9b7fe2c3a67 |
| pulpcore-selinux-1.3.3-1.el8pc.x86_64.rpm | SHA-256: 21f61165122e901a0bd1780500def6aa0fda5cbc6d77fea3793748ca3e2bf5ee |
| puppet-agent-7.26.0-3.el8sat.x86_64.rpm | SHA-256: cc4bf1c0903e4e5c32eb7842fef51b10a8554883e3db5ed5214ec9003b2c400d |
| python39-django-3.2.21-1.el8pc.noarch.rpm | SHA-256: 74cd02c31d8e89ba87a79aafca43d7a6481e92ca17b1578bd8b4a6c9fd1033d2 |
| python39-gitpython-3.1.32-1.el8pc.noarch.rpm | SHA-256: 82d25304ba90d22161411688dd2e7c8e111b02c44174eee2956e7892ca9ceaba |
| python39-pulpcore-3.21.18-1.el8pc.noarch.rpm | SHA-256: 8c95cce5efb360ac56ef093156ec77a3f81a833872f25da5867f08584ae61ee2 |
| rubygem-foreman_maintain-1.2.12-1.el8sat.noarch.rpm | SHA-256: e6e953ce313b1fbe29e3c6634a448ba1f9e33d2bf10df3a0deecd578b00b6d0c |
| satellite-capsule-6.13.5-1.el8sat.noarch.rpm | SHA-256: 78e067e40ef0e27b64ec5ded0352eeaaf63a0e8cdbd91f981a48afa6ff04a4cd |
| satellite-common-6.13.5-1.el8sat.noarch.rpm | SHA-256: bcf9e4ea16e567c1990a7baf5eced2adc21bf40658feff14efb9ed2df39b0147 |
Red Hat Enterprise Linux for x86_64 8
| SRPM | |
|---|---|
| foreman-3.5.1.23-1.el8sat.src.rpm | SHA-256: 96085dcf86b81edb832f88e2aa313545965dc7d6a0a595cc1be44b1d33bc4d5a |
| rubygem-foreman_maintain-1.2.12-1.el8sat.src.rpm | SHA-256: 8321b2a313796704e926c9703b320eccd8eeb8e51d5d777365b9509ee075c6e1 |
| satellite-6.13.5-1.el8sat.src.rpm | SHA-256: 45f6b46307212bf427fceca2311eedc5a52f2be84f4acad244e8f2fdd6d7f6e5 |
| x86_64 | |
| foreman-cli-3.5.1.23-1.el8sat.noarch.rpm | SHA-256: 43df8a49db47e709596e49159792b33942f72df2e6398a25212531ea9932740e |
| rubygem-foreman_maintain-1.2.12-1.el8sat.noarch.rpm | SHA-256: e6e953ce313b1fbe29e3c6634a448ba1f9e33d2bf10df3a0deecd578b00b6d0c |
| satellite-cli-6.13.5-1.el8sat.noarch.rpm | SHA-256: 3c80c68417a2c0f166f5cf2dc619ae142d5d9417c1b39ff33d216167f9ac1c20 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
