Issued: 2024-03-27
Updated: 2024-03-27
RHSA-2024:1536 - Security Advisory
Synopsis
Moderate: Satellite 6.14.3 Async Security Update
Type/Severity
Security Advisory: Moderate
Topic
An update is now available for Red Hat Satellite 6.14 for RHEL 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.
Security Fix(es):
- automation-hub: Ansible Automation Hub: insecure galaxy-importer tarfile extraction (CVE-2023-5189)
- python-aiohttp: aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
- python-aiohttp: http request smuggling (CVE-2024-23829)
- python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)
- python-aiohttp: aiohttp: HTTP request modification (CVE-2023-49081)
- python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)
- python-jinja2: jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)
Bug Fix(es):
2266107 - hammer host list does not print parameters even if they are present in the fields list like LCE and CVs.
2266110 - Incremental update of *multiple* CVs with same repo of different content generates wrong katello content
2266139 - Failed incremental CV import shows error: duplicate key value violates unique constraint "rpm_updatecollectionname_name_update_record_id_6ef33bed_uniq"
2266140 - wrong links to provisioning guide in CR help
2266142 - When using the customer data (json) with 13 diff conf files, we can see some weird behavior when updating the hypervisors
2266144 - Promoting a composite content view to environment with registry name as "<%= lifecycle_environment.label %>/<%= repository.name %>" on Red Hat Satellite 6 fails with "'undefined method '#label' for NilClass::Jail (NilClass)'"
2266145 - CertificateCleanupJob fails with foreign key constraint violation on table cp_certificate
2266146 - katello:reimport fails with "TypeError: no implicit conversion of String into Integer" when there are product contents to move
2266147 - Postgresql logs contain PG::UniqueViolation: ERROR: duplicate key value violates unique constraint "katello_available_module_streams_name_stream_context"
2266148 - Adding a CV to a CCV lists CV versions disorderly
2266149 - 'Remove orphans' task fails on DeleteOrphanAlternateContentSources step
2266413 - [RFE] "Add content view" window and "Update version" window should display content view version, description and publishing date
2266113 - [RFE] To make customers aware about satellite versions going EOL by adding warning banner on the Login page or on the Dashboard page.
2266141 - wrong link to scap content documentation
Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For detailed instructions on how to apply this update, refer to:
Affected Products
- Red Hat Satellite 6.14 x86_64
- Red Hat Satellite Capsule 6.14 x86_64
- Red Hat Enterprise Linux for x86_64 8 x86_64
Fixes
- BZ - 2234387 - CVE-2023-5189 Ansible Automation Hub: insecure galaxy-importer tarfile extraction
- BZ - 2241046 - CVE-2023-43665 python-django: Denial-of-service possibility in django.utils.text.Truncator
- BZ - 2249825 - CVE-2023-47627 python-aiohttp: numerous issues in HTTP parser with header parsing
- BZ - 2252235 - CVE-2023-49081 aiohttp: HTTP request modification
- BZ - 2257854 - CVE-2024-22195 jinja2: HTML attribute injection when passing user input as keys to xmlattr filter
- BZ - 2261887 - CVE-2024-23334 aiohttp: follow_symlinks directory traversal vulnerability
- BZ - 2261909 - CVE-2024-23829 python-aiohttp: http request smuggling
- BZ - 2266107 - hammer host list does not print parameters even if they are present in the fields list like LCE and CVs.
- BZ - 2266110 - Incremental update of *multiple* CVs with same repo of different content generates wrong katello content
- BZ - 2266113 - [RFE] To make customers aware about satellite versions going EOL by adding warning banner on the Login page or on the Dashboard page.
- BZ - 2266139 - Failed incremental CV import shows error: duplicate key value violates unique constraint "rpm_updatecollectionname_name_update_record_id_6ef33bed_uniq"
- BZ - 2266140 - wrong links to provisioning guide in CR help
- BZ - 2266141 - wrong link to scap content documentation
- BZ - 2266142 - When using the customer data (json) with 13 diff conf files, we can see some weird behavior when updating the hypervisors
- BZ - 2266144 - Promoting a composite content view to environment with registry name as "<%= lifecycle_environment.label %>/<%= repository.name %>" on Red Hat Satellite 6 fails with "'undefined method '#label' for NilClass::Jail (NilClass)'"
- BZ - 2266145 - CertificateCleanupJob fails with foreign key constraint violation on table cp_certificate
- BZ - 2266146 - katello:reimport fails with "TypeError: no implicit conversion of String into Integer" when there are product contents to move
- BZ - 2266147 - Postgresql logs contain PG::UniqueViolation: ERROR: duplicate key value violates unique constraint "katello_available_module_streams_name_stream_context"
- BZ - 2266148 - Adding a CV to a CCV lists CV versions disorderly
- BZ - 2266149 - 'Remove orphans' task fails on DeleteOrphanAlternateContentSources step
- BZ - 2266413 - [RFE] "Add content view" window and "Update version" window should display content view version, description and publishing date
CVEs
Red Hat Satellite 6.14
SRPM | Checksum |
---|---|
candlepin-4.3.12-1.el8sat.src.rpm | SHA-256: 3db6b29073e09be1fce851c895e42ac39b0f51343e837e1e3b437dc8b9217505 |
python-aiohttp-3.9.2-0.1.el8pc.src.rpm | SHA-256: fe0f59871ee07ec1500379bcd896c78e87f6ee5558203811b4ac55c4de772f7c |
python-ansible-builder-1.2.0-1.el8pc.src.rpm | SHA-256: 07a2ad6d7f02b4d46e77ef9514e480d106418773db51415451f89306268c2394 |
python-async-timeout-4.0.3-0.1.el8pc.src.rpm | SHA-256: b4b0f73263562a2430bc9ce41b6b1489a446a1ff1740f55b0c51679c00cbbe5c |
python-django-3.2.22-1.el8pc.src.rpm | SHA-256: 7f110c87418a2df9c1b38a47ab13b028a98ff64bfad047bd7c33b97b20c9e6ca |
python-flake8-5.0.0-0.1.el8pc.src.rpm | SHA-256: 2a3176eeeae00110da9b5b021138a2c863c3d0d6719a8a70f9447f486f32777b |
python-galaxy-importer-0.4.18-2.el8pc.src.rpm | SHA-256: b73c11da1527866938eaf12e4bf8b6772b66a8980ed6e3da3df7018cb8284dff |
python-jinja2-3.1.3-0.1.el8pc.src.rpm | SHA-256: 4ee69b9f81ff159f7dd7dc66fc19ca7c2de606dccbdde5c10b6eb257f38a7675 |
python-mccabe-0.7.0-0.1.el8pc.src.rpm | SHA-256: 46a61e2639bd8b2d7597db20d85343b111df91cf5d5998049525bb1f402dc420 |
python-pulp-rpm-3.19.12-1.el8pc.src.rpm | SHA-256: 1409a3e967e7117887e3303785c6b9647b0f93c7a4e0153c422203b47238c406 |
python-pulpcore-3.22.22-2.el8pc.src.rpm | SHA-256: 62a1ac47fac394001de7e824ced562860ca9ba0123c5fe1d514f1d47d576b996 |
python-pycodestyle-2.9.1-0.1.el8pc.src.rpm | SHA-256: 27407c67c0120d14f0c1ecab0f79cefa5022dc425e00f69758171e81ae8f9b2d |
python-pyflakes-2.5.0-0.1.el8pc.src.rpm | SHA-256: 4a43dd666385c50d12914645f1bb558d01281608249bf3e2740d77051058281c |
rubygem-foreman_theme_satellite-12.0.0.8-1.el8sat.src.rpm | SHA-256: 7bb8c35f1f7d6bcc4031a80634963088f3ef2f088441779d56ab7037502cd793 |
rubygem-foreman_virt_who_configure-0.5.19-1.el8sat.src.rpm | SHA-256: bffdb1ec7c0e3635265243f8806dbe395348b95f2e185e8de2b7ac848fa9302a |
rubygem-hammer_cli_katello-1.9.1.3-1.el8sat.src.rpm | SHA-256: 607c4a99d5f16d7e2b33c6d0a15dfc3d29c9f18cc822c23674ca79a2d487e62a |
rubygem-katello-4.9.0.23-1.el8sat.src.rpm | SHA-256: 538ae1b8150194e40764092a97b96dcb327cb7cfac920884ac7294a7da0307b2 |
satellite-6.14.3-1.el8sat.src.rpm | SHA-256: 5e2f768d2969bdedd149c4edfb19ccbc587b57427e4dea1fb325737c74bca041 |
satellite-lifecycle-0.0.0.1-1.src.rpm | SHA-256: c10945cf9a257a6fa8ebf9b6dcf4ed752d194ea17a10a82aaabba13f67a18187 |
x86_64 | Checksum |
candlepin-4.3.12-1.el8sat.noarch.rpm | SHA-256: 22fb6fc0b74a5b621799cb4fe0b4bd6cbb3008abfedbccd380e218ebdec505ea |
candlepin-selinux-4.3.12-1.el8sat.noarch.rpm | SHA-256: 10e6f6140f4dd8c7289d9d3a48a91935e996870d4f6301f1ad638e8254d3c72a |
python-aiohttp-debugsource-3.9.2-0.1.el8pc.x86_64.rpm | SHA-256: 78628275d18691c1efeab5e24aa02b4d3d828a6e3d9920c40b74e4f83747d0ba |
python39-aiohttp-3.9.2-0.1.el8pc.x86_64.rpm | SHA-256: 5fed11550bad947f377df6212838036114b7eba4e94f9f2a3a92c9c52e8079a1 |
python39-aiohttp-debuginfo-3.9.2-0.1.el8pc.x86_64.rpm | SHA-256: 370ac67591adba8140dc9352f4820413d440a5278d26c604010ee9575afd6478 |
python39-ansible-builder-1.2.0-1.el8pc.noarch.rpm | SHA-256: 9b274a5480ade1dbe700fa3584c1fb44957412f488a04fb32b4446aed95bc8d0 |
python39-async-timeout-4.0.3-0.1.el8pc.noarch.rpm | SHA-256: c3de87e77141c499ec26f6d2ee318b6334f39bdd7f95d528c5011eb3930f183c |
python39-django-3.2.22-1.el8pc.noarch.rpm | SHA-256: 02eeeb475245e839a5dc29437d06e28fb223eb47fb456d55bf0df9e7efd814a4 |
python39-flake8-5.0.0-0.1.el8pc.noarch.rpm | SHA-256: f8855144e456cf778faa27a787b6b9f35ea4e606f8ea67a0fb1aecc2ce4da363 |
python39-galaxy-importer-0.4.18-2.el8pc.noarch.rpm | SHA-256: 7f01f4690a318b9fcde94b43bfc2dde7f029f5b85605914f9c5b5cefc3f0e518 |
python39-jinja2-3.1.3-0.1.el8pc.noarch.rpm | SHA-256: 309cd9569293df025744dba1120d8ff8ca461b69f3e3c6285a43d083cee3e1b3 |
python39-mccabe-0.7.0-0.1.el8pc.noarch.rpm | SHA-256: 09e179c6e5a5ade9d8976be89c586e13dc748039cfe58546a0908d5a8259105e |
python39-pulp-rpm-3.19.12-1.el8pc.noarch.rpm | SHA-256: 73655faab75991ca35140c746ad136639196074f2fe65fb38d6f2a77f3be2e75 |
python39-pulpcore-3.22.22-2.el8pc.noarch.rpm | SHA-256: 4e88e69c246d9ae581088d64b6fabff63c8f87cb3ce7f5e0c498076eba78c0d5 |
python39-pycodestyle-2.9.1-0.1.el8pc.noarch.rpm | SHA-256: bb821a77a359ae3db5aac7ba1af1ce11d8e25347cee7f268f15168c2d58955c7 |
python39-pyflakes-2.5.0-0.1.el8pc.noarch.rpm | SHA-256: 6372a35dfa46714c65b0afdc815bb4b85a00630ed726599d5fbd0ecd60fab2d5 |
rubygem-foreman_theme_satellite-12.0.0.8-1.el8sat.noarch.rpm | SHA-256: 0c21aefdddce5bdb444bd854f66f72af5d82185a7b9f16fe82d3f62028df6b95 |
rubygem-foreman_virt_who_configure-0.5.19-1.el8sat.noarch.rpm | SHA-256: 2a490d7b31d42b3f2530cfcc7a427206c81fb51827392af35f8a7a4a40dbbd92 |
rubygem-hammer_cli_katello-1.9.1.3-1.el8sat.noarch.rpm | SHA-256: 4b8e3c950fa5f8ebabdacd3d30e3fd278aaa20b16635c22d8184562e61320ebe |
rubygem-katello-4.9.0.23-1.el8sat.noarch.rpm | SHA-256: d597163e1072ce4365eeeaacd22f99edc39a40435fd4f08567120a03056bf913 |
satellite-6.14.3-1.el8sat.noarch.rpm | SHA-256: 4993b924ae189b6bd321067035d277c7cda424afddf2d2d278137fc6a4205b6c |
satellite-cli-6.14.3-1.el8sat.noarch.rpm | SHA-256: 361d7957e9f514b79e701ef2d26f98d0355fa0b95aa4de9e9b531e0414847721 |
satellite-common-6.14.3-1.el8sat.noarch.rpm | SHA-256: efae048a695bebb70067009e5cd96de4a5aa5dc8dc0b9215ae73fedd97c0171c |
satellite-lifecycle-0.0.0.1-1.noarch.rpm | SHA-256: 7bc76ed9455ea3311f4f6dd088c57136eb3b4f31eb84d2857a4a6f2e03b22a26 |
Red Hat Satellite Capsule 6.14
SRPM | Checksum |
---|---|
python-aiohttp-3.9.2-0.1.el8pc.src.rpm | SHA-256: fe0f59871ee07ec1500379bcd896c78e87f6ee5558203811b4ac55c4de772f7c |
python-ansible-builder-1.2.0-1.el8pc.src.rpm | SHA-256: 07a2ad6d7f02b4d46e77ef9514e480d106418773db51415451f89306268c2394 |
python-async-timeout-4.0.3-0.1.el8pc.src.rpm | SHA-256: b4b0f73263562a2430bc9ce41b6b1489a446a1ff1740f55b0c51679c00cbbe5c |
python-django-3.2.22-1.el8pc.src.rpm | SHA-256: 7f110c87418a2df9c1b38a47ab13b028a98ff64bfad047bd7c33b97b20c9e6ca |
python-flake8-5.0.0-0.1.el8pc.src.rpm | SHA-256: 2a3176eeeae00110da9b5b021138a2c863c3d0d6719a8a70f9447f486f32777b |
python-galaxy-importer-0.4.18-2.el8pc.src.rpm | SHA-256: b73c11da1527866938eaf12e4bf8b6772b66a8980ed6e3da3df7018cb8284dff |
python-jinja2-3.1.3-0.1.el8pc.src.rpm | SHA-256: 4ee69b9f81ff159f7dd7dc66fc19ca7c2de606dccbdde5c10b6eb257f38a7675 |
python-mccabe-0.7.0-0.1.el8pc.src.rpm | SHA-256: 46a61e2639bd8b2d7597db20d85343b111df91cf5d5998049525bb1f402dc420 |
python-pulp-rpm-3.19.12-1.el8pc.src.rpm | SHA-256: 1409a3e967e7117887e3303785c6b9647b0f93c7a4e0153c422203b47238c406 |
python-pulpcore-3.22.22-2.el8pc.src.rpm | SHA-256: 62a1ac47fac394001de7e824ced562860ca9ba0123c5fe1d514f1d47d576b996 |
python-pycodestyle-2.9.1-0.1.el8pc.src.rpm | SHA-256: 27407c67c0120d14f0c1ecab0f79cefa5022dc425e00f69758171e81ae8f9b2d |
python-pyflakes-2.5.0-0.1.el8pc.src.rpm | SHA-256: 4a43dd666385c50d12914645f1bb558d01281608249bf3e2740d77051058281c |
satellite-6.14.3-1.el8sat.src.rpm | SHA-256: 5e2f768d2969bdedd149c4edfb19ccbc587b57427e4dea1fb325737c74bca041 |
x86_64 | Checksum |
python-aiohttp-debugsource-3.9.2-0.1.el8pc.x86_64.rpm | SHA-256: 78628275d18691c1efeab5e24aa02b4d3d828a6e3d9920c40b74e4f83747d0ba |
python39-aiohttp-3.9.2-0.1.el8pc.x86_64.rpm | SHA-256: 5fed11550bad947f377df6212838036114b7eba4e94f9f2a3a92c9c52e8079a1 |
python39-aiohttp-debuginfo-3.9.2-0.1.el8pc.x86_64.rpm | SHA-256: 370ac67591adba8140dc9352f4820413d440a5278d26c604010ee9575afd6478 |
python39-ansible-builder-1.2.0-1.el8pc.noarch.rpm | SHA-256: 9b274a5480ade1dbe700fa3584c1fb44957412f488a04fb32b4446aed95bc8d0 |
python39-async-timeout-4.0.3-0.1.el8pc.noarch.rpm | SHA-256: c3de87e77141c499ec26f6d2ee318b6334f39bdd7f95d528c5011eb3930f183c |
python39-django-3.2.22-1.el8pc.noarch.rpm | SHA-256: 02eeeb475245e839a5dc29437d06e28fb223eb47fb456d55bf0df9e7efd814a4 |
python39-flake8-5.0.0-0.1.el8pc.noarch.rpm | SHA-256: f8855144e456cf778faa27a787b6b9f35ea4e606f8ea67a0fb1aecc2ce4da363 |
python39-galaxy-importer-0.4.18-2.el8pc.noarch.rpm | SHA-256: 7f01f4690a318b9fcde94b43bfc2dde7f029f5b85605914f9c5b5cefc3f0e518 |
python39-jinja2-3.1.3-0.1.el8pc.noarch.rpm | SHA-256: 309cd9569293df025744dba1120d8ff8ca461b69f3e3c6285a43d083cee3e1b3 |
python39-mccabe-0.7.0-0.1.el8pc.noarch.rpm | SHA-256: 09e179c6e5a5ade9d8976be89c586e13dc748039cfe58546a0908d5a8259105e |
python39-pulp-rpm-3.19.12-1.el8pc.noarch.rpm | SHA-256: 73655faab75991ca35140c746ad136639196074f2fe65fb38d6f2a77f3be2e75 |
python39-pulpcore-3.22.22-2.el8pc.noarch.rpm | SHA-256: 4e88e69c246d9ae581088d64b6fabff63c8f87cb3ce7f5e0c498076eba78c0d5 |
python39-pycodestyle-2.9.1-0.1.el8pc.noarch.rpm | SHA-256: bb821a77a359ae3db5aac7ba1af1ce11d8e25347cee7f268f15168c2d58955c7 |
python39-pyflakes-2.5.0-0.1.el8pc.noarch.rpm | SHA-256: 6372a35dfa46714c65b0afdc815bb4b85a00630ed726599d5fbd0ecd60fab2d5 |
satellite-capsule-6.14.3-1.el8sat.noarch.rpm | SHA-256: 358f8317fb4f378f43e7a3cfb03414dd7631e5108fe05ec8afc202562b7e1f12 |
satellite-common-6.14.3-1.el8sat.noarch.rpm | SHA-256: efae048a695bebb70067009e5cd96de4a5aa5dc8dc0b9215ae73fedd97c0171c |
Red Hat Enterprise Linux for x86_64 8
SRPM | Checksum |
---|---|
rubygem-hammer_cli_katello-1.9.1.3-1.el8sat.src.rpm | SHA-256: 607c4a99d5f16d7e2b33c6d0a15dfc3d29c9f18cc822c23674ca79a2d487e62a |
satellite-6.14.3-1.el8sat.src.rpm | SHA-256: 5e2f768d2969bdedd149c4edfb19ccbc587b57427e4dea1fb325737c74bca041 |
x86_64 | Checksum |
rubygem-hammer_cli_katello-1.9.1.3-1.el8sat.noarch.rpm | SHA-256: 4b8e3c950fa5f8ebabdacd3d30e3fd278aaa20b16635c22d8184562e61320ebe |
satellite-cli-6.14.3-1.el8sat.noarch.rpm | SHA-256: 361d7957e9f514b79e701ef2d26f98d0355fa0b95aa4de9e9b531e0414847721 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.