Red Hat Product Errata RHSA-2026:14835 - Security Advisory
Issued:
2026-05-07
Updated:
2026-05-07

RHSA-2026:14835 - Security Advisory

Synopsis

Important: Satellite 6.18.5 Async Update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

A new release is now available for Red Hat Satellite 6.18 for RHEL 9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

Red Hat Satellite is a system management solution that allows organizations
to configure and maintain their systems without the necessity to provide
public Internet access to their servers or other client systems. It
performs provisioning and configuration management of predefined standard
operating environments.

Security Fix(es):

  • python3.12-django: Django: SQL Injection via crafted column aliases

(CVE-2026-1287)

  • python3.12-django: Django: SQL Injection via RasterField band index

parameter (CVE-2026-1207)

  • python3.12-django: Django: SQL injection via crafted column aliases in

QuerySet.order_by() (CVE-2026-1312)

  • python3.12-django: Django: Denial of Service via crafted HTML inputs

(CVE-2026-1285)

  • python3.12-django: Django: Denial of Service via crafted request with

duplicate headers (CVE-2025-14550)

  • python3.12-markdown: markdown: Denial of Service via malformed

HTML-like sequences (CVE-2025-69534)

  • python3.12-pyOpenSSL: pyOpenSSL: DTLS cookie callback buffer overflow

(CVE-2026-27459)

  • rubygem-activesupport: Active Support: Denial of Service via large

scientific notation strings (CVE-2026-33176)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For detailed instructions how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.18/html/updating_red_hat_satellite/index

Affected Products

  • Red Hat Satellite 6.18 x86_64
  • Red Hat Satellite Capsule 6.18 x86_64
  • Red Hat Enterprise Linux for x86_64 9 x86_64

Fixes

  • SAT-37836 - Impossible to generate registration command via REST API in isolated networks managed by external capsules
  • SAT-43946 - Satellite manifest consumer profile cert and key found in satellite client rhsm cache
  • SAT-43947 - Ability to change Log Level for IoP core engine through satellite-installer
  • SAT-43948 - Ability to change Log Level for IoP related services through satellite-installer
  • SAT-43949 - The hammer command executes successfully on Satellite 6.17, but it fails on Satellite 6.18.
  • SAT-43950 - BIOS info is not populated in All hosts page and in Host Details tab
  • SAT-43951 - Puppet fact parser can't create OS entry blocking Satellite leapp upgrades
  • SAT-43952 - Revoking registry token does not prevent access to registry
  • SAT-43953 - Revoking registry token does not prevent access to registry
  • SAT-43954 - After update to 6.17 "Login delegation logout URL" fails to redirect to external auth source
  • SAT-43955 - All communication should happen only over https during global registration execution
  • SAT-43956 - Search is cleared when using bottom pagination on All Hosts page
  • SAT-43958 - Non-admin users on Satellite with viewer role, unable to see the hostgroup.
  • SAT-43959 - Find what we can add to foreman-maintain report generate for rh_cloud
  • SAT-43960 - Content > Subscriptions stuck in loading state if organization GET ends with 403
  • SAT-43962 - Proxy password shown in clear text in the Overview page of Virt-who Configuration
  • SAT-43963 - Executing the 'katello::clean_backend_objects' rake task takes a long time to complete
  • SAT-44062 - Use certs for primary identification for hosts on katello registry
  • SAT-44760 - Flatpak registry static index returns 500 after pulpcore 3.85.15 upgrade (set not JSON serializable)
  • SAT-44761 - Concurrent registration fails with "PG::UniqueViolation: ERROR: duplicate key value violates unique constraint \"index_operatingsystems_on_title\"
  • SAT-44762 - [regression] Unable to access Compute Resource in Satellite6

Red Hat Satellite 6.18

SRPM
candlepin-4.6.5-1.el9sat.src.rpm SHA-256: 1e981a08166e62fc074528f70c01b65e794d64114c9009e96599760f4c070fb9
foreman-3.16.0.16-1.el9sat.src.rpm SHA-256: b8e291e85faade03e5bbda6ffbb8c900f4c0c9c0f1eec73247ab02047ec7f699
foreman-installer-3.16.0.8-1.el9sat.src.rpm SHA-256: ca340def8375b3eabb0f0cbb8dbcc9c0672603ad5491d13e01fc8a244d435beb
python3.12-cffi-2.0.0-1.el9pc.src.rpm SHA-256: 1b0092e03a603969ce3d7a5d68869c999e4e0c817522302b0da10bde1b6fa9c2
python3.12-cryptography-46.0.6-1.el9pc.src.rpm SHA-256: 8e36d525a7b2ef2c5be9bbe260af39013b2f529439f6b4b6491d74202b8de775
python3.12-django-4.2.30-1.el9pc.src.rpm SHA-256: 93c305c57518a0b5b072a354564071059095634110c98533be18f125be0396e6
python3.12-markdown-3.8.2-1.el9pc.src.rpm SHA-256: 6e80842c05360eec25fa383649fb8cf648dc1bfb27c62efb06f3b2ad6b63b924
python3.12-pulp-container-2.24.5-2.el9pc.src.rpm SHA-256: 0855ac9d0d58862cd93753471e74fceec5f625e39105f25cabcf65900a224b75
python3.12-pulpcore-3.73.30-1.el9pc.src.rpm SHA-256: 8d2ddde73d05a5d835864745f4d5f3876eadad6e574fe046a0fb1c96e3efe5ab
python3.12-pyOpenSSL-26.0.0-2.el9pc.src.rpm SHA-256: f3a639095bf07b1100e19736d17e5b55de9cca6e91c22b20d08f4d0b00024d0d
rubygem-activesupport-7.0.8.7-2.el9sat.src.rpm SHA-256: c16e5e04d10682363bddea507e852141d100b29ef83fe808b6b8cf817e84d04c
rubygem-foreman_maintain-1.13.8-1.el9sat.src.rpm SHA-256: 0a457cf3f4418e602a5a0720145ab5bd59db4793b4bf28d26ddf81ac37bb7859
rubygem-foreman_rh_cloud-12.2.18-1.el9sat.src.rpm SHA-256: d102fe08cccd0a1255c091e2a3d70e874b6e00adb203005eda9cbee319f7a1b4
rubygem-foreman_virt_who_configure-0.5.29-1.el9sat.src.rpm SHA-256: ac96ae8b8495a7ebe4f7da6401b61db61d7d4b23e4c0435e67f8b8ad0806c2fa
rubygem-katello-4.18.0.12-1.el9sat.src.rpm SHA-256: c213aa2e9de9f76fb28b7416c3d13c8dd7d90851526e4e5034523cc8f805a738
satellite-6.18.5-1.el9sat.src.rpm SHA-256: d7b38a117c18d3bfcb4944a26569e7e193a097fb8682e306602e108605d57222
x86_64
candlepin-4.6.5-1.el9sat.noarch.rpm SHA-256: 28e56d9ce28d75ba986939ed93d571b3ebd88b3dcc5008d0c77728837f00ce54
candlepin-selinux-4.6.5-1.el9sat.noarch.rpm SHA-256: 6486208de90820266fef308aa3a1da4528792bf16535d460217af0aaf5ecd2cb
foreman-3.16.0.16-1.el9sat.noarch.rpm SHA-256: 11f237427f379553115b2e1293c8eaff647916fa7d502d8685a50375e2ec721f
foreman-cli-3.16.0.16-1.el9sat.noarch.rpm SHA-256: a1e61d8562660f51318f7dd9713e7c0c03d6a1dee38880a59e5c782ed2259fb6
foreman-debug-3.16.0.16-1.el9sat.noarch.rpm SHA-256: 12803157a794c9cd4dc65b070bf7a2645f95dab278ad3129ccf42827345b1476
foreman-dynflow-sidekiq-3.16.0.16-1.el9sat.noarch.rpm SHA-256: 9ea054205d2679fc2016088e301c014329bd78aa2a6b09969e3e734341f26b40
foreman-ec2-3.16.0.16-1.el9sat.noarch.rpm SHA-256: 721afba9f2e03cd8356f96c251232bd76067a70649c041f2e7fb6cf7316afa58
foreman-installer-3.16.0.8-1.el9sat.noarch.rpm SHA-256: ba85a8aa118c77550a0257a20c9be686e8f68ec37e0136afba368341cfc11457
foreman-installer-katello-3.16.0.8-1.el9sat.noarch.rpm SHA-256: 6e30f120cd1b29d94b5a664e3b058050fe23fb3528a13d677583d66aaa75c41c
foreman-journald-3.16.0.16-1.el9sat.noarch.rpm SHA-256: a86691d8fb3a54d7053b8c8c835d96ef21730ccd8922b746f896c59565498e2b
foreman-libvirt-3.16.0.16-1.el9sat.noarch.rpm SHA-256: 169afe88815eef1b931d545012b88cd229abae8e48982f1909b76ded02809621
foreman-openstack-3.16.0.16-1.el9sat.noarch.rpm SHA-256: 25a9af97fc1254e83cee79f5149f5c5c8958c38eaf692c3d227c73baac45f210
foreman-pcp-3.16.0.16-1.el9sat.noarch.rpm SHA-256: 4b2a98bee3adeeb631b9c528818c62dee7f9913e7e202d2fd1b2948448ba6ecf
foreman-postgresql-3.16.0.16-1.el9sat.noarch.rpm SHA-256: 7aa60cc16fe570c8a2964b390b37adc082ce872dbf21df39acd32e067d73f91f
foreman-redis-3.16.0.16-1.el9sat.noarch.rpm SHA-256: 006409116e0625d357b7127dac88182ff40aa898ebfba740b57e7dc2fa75dada
foreman-service-3.16.0.16-1.el9sat.noarch.rpm SHA-256: bb164ddc5603ed5d72c277e5f4fc6f6747b5bd100e0c659e0031d6cf95551b28
foreman-telemetry-3.16.0.16-1.el9sat.noarch.rpm SHA-256: 6454b545d11acb6701dedfd98e200849d4097bb4df2889f795080293846a3fe4
foreman-vmware-3.16.0.16-1.el9sat.noarch.rpm SHA-256: 921fca8295e0cd996123a99229b674b3a7f6f5d6b9fe50fc1b03e50a85aee563
python3.12-cffi-2.0.0-1.el9pc.x86_64.rpm SHA-256: 4d790e60bff4d6bdb8a69170f4a340a182e891e00e84ac1274174dba77a9efc3
python3.12-cffi-debuginfo-2.0.0-1.el9pc.x86_64.rpm SHA-256: 92edfd7688350e4e258d3712ce1e808907327ef07831b04ce55b61234e9169ed
python3.12-cffi-debugsource-2.0.0-1.el9pc.x86_64.rpm SHA-256: cdd387d35cfe403175304b4e87cb4bc19fd0409fdc63aaecc50bf535ed8fcc33
python3.12-cryptography-46.0.6-1.el9pc.x86_64.rpm SHA-256: a8ba3e13eecc6f54faadbd794669b93f4f8324033e0bec6d4f47d866ee6526f7
python3.12-django-4.2.30-1.el9pc.noarch.rpm SHA-256: 6d2666e32670e08a7aede1d5d0f3a4ff5734e40607c950aac9fb20366392760b
python3.12-markdown-3.8.2-1.el9pc.noarch.rpm SHA-256: 4c3c8b1467fb46f23b384b918828cb3cf1bc3bd96e3952d2bf4d5cda02055843
python3.12-pulp-container-2.24.5-2.el9pc.noarch.rpm SHA-256: 3e02b9bf042262b52cd4224d73c7f776f661609fac6abbffd379d611ceb12348
python3.12-pulpcore-3.73.30-1.el9pc.noarch.rpm SHA-256: ea789a81c8297cc55b51c4775b0f9afeeffbff44af7d0c27a0268d0352717c0c
python3.12-pyOpenSSL-26.0.0-2.el9pc.noarch.rpm SHA-256: c555d25b45261ba1523c2fb05a0b5e5a4df965cd5251ca31973b21daa649cb83
rubygem-activesupport-7.0.8.7-2.el9sat.noarch.rpm SHA-256: 87c649ce1e8f0bb217b9b7aad15630502e0a8d0956e0d2961156f9afa01f9d3e
rubygem-foreman_maintain-1.13.8-1.el9sat.noarch.rpm SHA-256: 4bd148c8cd65106aa5ba9628e2cfe4378262fb9508e6c37358295c4c81781bf1
rubygem-foreman_rh_cloud-12.2.18-1.el9sat.noarch.rpm SHA-256: a768a20487aee700923805c7d4eb337a8127b07fd4365b1d4a07c0cdaa12eb07
rubygem-foreman_virt_who_configure-0.5.29-1.el9sat.noarch.rpm SHA-256: f2d68f87df5e7f54be3b2e3a444f8d937b96d4ffe27f2743505ed341245e8eba
rubygem-katello-4.18.0.12-1.el9sat.noarch.rpm SHA-256: ca4cff7167a27b7a5b485c1b95d3b2d939aa06ca2793b4f703e866db2d4c9a00
satellite-6.18.5-1.el9sat.noarch.rpm SHA-256: 97b416a69f9aa2f6d2708fa9283aaaebcba28c4786a350853d74bd7c9b2ab125
satellite-cli-6.18.5-1.el9sat.noarch.rpm SHA-256: 7c36b5a5dd468e6242666197b27fbadb42a5c8754e20f7ce9444ec6ffa82b6be
satellite-common-6.18.5-1.el9sat.noarch.rpm SHA-256: 99a60fd470dfab4bf2fb04e4e040f0f943897fe0ae5a58ce80a2a96bea2975b6
satellite-obsolete-packages-6.18.5-1.el9sat.noarch.rpm SHA-256: b2ad2af794d9bd86c49ea1665b1c72dc516722fe5e2038f79b2ad57a3bcd93e9

Red Hat Satellite Capsule 6.18

SRPM
foreman-3.16.0.16-1.el9sat.src.rpm SHA-256: b8e291e85faade03e5bbda6ffbb8c900f4c0c9c0f1eec73247ab02047ec7f699
foreman-installer-3.16.0.8-1.el9sat.src.rpm SHA-256: ca340def8375b3eabb0f0cbb8dbcc9c0672603ad5491d13e01fc8a244d435beb
python3.12-cffi-2.0.0-1.el9pc.src.rpm SHA-256: 1b0092e03a603969ce3d7a5d68869c999e4e0c817522302b0da10bde1b6fa9c2
python3.12-cryptography-46.0.6-1.el9pc.src.rpm SHA-256: 8e36d525a7b2ef2c5be9bbe260af39013b2f529439f6b4b6491d74202b8de775
python3.12-django-4.2.30-1.el9pc.src.rpm SHA-256: 93c305c57518a0b5b072a354564071059095634110c98533be18f125be0396e6
python3.12-markdown-3.8.2-1.el9pc.src.rpm SHA-256: 6e80842c05360eec25fa383649fb8cf648dc1bfb27c62efb06f3b2ad6b63b924
python3.12-pulp-container-2.24.5-2.el9pc.src.rpm SHA-256: 0855ac9d0d58862cd93753471e74fceec5f625e39105f25cabcf65900a224b75
python3.12-pulpcore-3.73.30-1.el9pc.src.rpm SHA-256: 8d2ddde73d05a5d835864745f4d5f3876eadad6e574fe046a0fb1c96e3efe5ab
python3.12-pyOpenSSL-26.0.0-2.el9pc.src.rpm SHA-256: f3a639095bf07b1100e19736d17e5b55de9cca6e91c22b20d08f4d0b00024d0d
rubygem-activesupport-7.0.8.7-2.el9sat.src.rpm SHA-256: c16e5e04d10682363bddea507e852141d100b29ef83fe808b6b8cf817e84d04c
rubygem-foreman_maintain-1.13.8-1.el9sat.src.rpm SHA-256: 0a457cf3f4418e602a5a0720145ab5bd59db4793b4bf28d26ddf81ac37bb7859
satellite-6.18.5-1.el9sat.src.rpm SHA-256: d7b38a117c18d3bfcb4944a26569e7e193a097fb8682e306602e108605d57222
x86_64
foreman-debug-3.16.0.16-1.el9sat.noarch.rpm SHA-256: 12803157a794c9cd4dc65b070bf7a2645f95dab278ad3129ccf42827345b1476
foreman-installer-3.16.0.8-1.el9sat.noarch.rpm SHA-256: ba85a8aa118c77550a0257a20c9be686e8f68ec37e0136afba368341cfc11457
foreman-installer-katello-3.16.0.8-1.el9sat.noarch.rpm SHA-256: 6e30f120cd1b29d94b5a664e3b058050fe23fb3528a13d677583d66aaa75c41c
foreman-pcp-3.16.0.16-1.el9sat.noarch.rpm SHA-256: 4b2a98bee3adeeb631b9c528818c62dee7f9913e7e202d2fd1b2948448ba6ecf
python3.12-cffi-2.0.0-1.el9pc.x86_64.rpm SHA-256: 4d790e60bff4d6bdb8a69170f4a340a182e891e00e84ac1274174dba77a9efc3
python3.12-cffi-debuginfo-2.0.0-1.el9pc.x86_64.rpm SHA-256: 92edfd7688350e4e258d3712ce1e808907327ef07831b04ce55b61234e9169ed
python3.12-cffi-debugsource-2.0.0-1.el9pc.x86_64.rpm SHA-256: cdd387d35cfe403175304b4e87cb4bc19fd0409fdc63aaecc50bf535ed8fcc33
python3.12-cryptography-46.0.6-1.el9pc.x86_64.rpm SHA-256: a8ba3e13eecc6f54faadbd794669b93f4f8324033e0bec6d4f47d866ee6526f7
python3.12-django-4.2.30-1.el9pc.noarch.rpm SHA-256: 6d2666e32670e08a7aede1d5d0f3a4ff5734e40607c950aac9fb20366392760b
python3.12-markdown-3.8.2-1.el9pc.noarch.rpm SHA-256: 4c3c8b1467fb46f23b384b918828cb3cf1bc3bd96e3952d2bf4d5cda02055843
python3.12-pulp-container-2.24.5-2.el9pc.noarch.rpm SHA-256: 3e02b9bf042262b52cd4224d73c7f776f661609fac6abbffd379d611ceb12348
python3.12-pulpcore-3.73.30-1.el9pc.noarch.rpm SHA-256: ea789a81c8297cc55b51c4775b0f9afeeffbff44af7d0c27a0268d0352717c0c
python3.12-pyOpenSSL-26.0.0-2.el9pc.noarch.rpm SHA-256: c555d25b45261ba1523c2fb05a0b5e5a4df965cd5251ca31973b21daa649cb83
rubygem-activesupport-7.0.8.7-2.el9sat.noarch.rpm SHA-256: 87c649ce1e8f0bb217b9b7aad15630502e0a8d0956e0d2961156f9afa01f9d3e
rubygem-foreman_maintain-1.13.8-1.el9sat.noarch.rpm SHA-256: 4bd148c8cd65106aa5ba9628e2cfe4378262fb9508e6c37358295c4c81781bf1
satellite-capsule-6.18.5-1.el9sat.noarch.rpm SHA-256: 33572aea26e015025f9d69ee370ca750c87f55b5296812d510fe8f28b9b30679
satellite-common-6.18.5-1.el9sat.noarch.rpm SHA-256: 99a60fd470dfab4bf2fb04e4e040f0f943897fe0ae5a58ce80a2a96bea2975b6
satellite-obsolete-packages-6.18.5-1.el9sat.noarch.rpm SHA-256: b2ad2af794d9bd86c49ea1665b1c72dc516722fe5e2038f79b2ad57a3bcd93e9

Red Hat Enterprise Linux for x86_64 9

SRPM
foreman-3.16.0.16-1.el9sat.src.rpm SHA-256: b8e291e85faade03e5bbda6ffbb8c900f4c0c9c0f1eec73247ab02047ec7f699
python3.12-cffi-2.0.0-1.el9pc.src.rpm SHA-256: 1b0092e03a603969ce3d7a5d68869c999e4e0c817522302b0da10bde1b6fa9c2
python3.12-cryptography-46.0.6-1.el9pc.src.rpm SHA-256: 8e36d525a7b2ef2c5be9bbe260af39013b2f529439f6b4b6491d74202b8de775
rubygem-foreman_maintain-1.13.8-1.el9sat.src.rpm SHA-256: 0a457cf3f4418e602a5a0720145ab5bd59db4793b4bf28d26ddf81ac37bb7859
satellite-6.18.5-1.el9sat.src.rpm SHA-256: d7b38a117c18d3bfcb4944a26569e7e193a097fb8682e306602e108605d57222
x86_64
foreman-cli-3.16.0.16-1.el9sat.noarch.rpm SHA-256: a1e61d8562660f51318f7dd9713e7c0c03d6a1dee38880a59e5c782ed2259fb6
python3.12-cffi-2.0.0-1.el9pc.x86_64.rpm SHA-256: 4d790e60bff4d6bdb8a69170f4a340a182e891e00e84ac1274174dba77a9efc3
python3.12-cffi-debuginfo-2.0.0-1.el9pc.x86_64.rpm SHA-256: 92edfd7688350e4e258d3712ce1e808907327ef07831b04ce55b61234e9169ed
python3.12-cffi-debugsource-2.0.0-1.el9pc.x86_64.rpm SHA-256: cdd387d35cfe403175304b4e87cb4bc19fd0409fdc63aaecc50bf535ed8fcc33
python3.12-cryptography-46.0.6-1.el9pc.x86_64.rpm SHA-256: a8ba3e13eecc6f54faadbd794669b93f4f8324033e0bec6d4f47d866ee6526f7
rubygem-foreman_maintain-1.13.8-1.el9sat.noarch.rpm SHA-256: 4bd148c8cd65106aa5ba9628e2cfe4378262fb9508e6c37358295c4c81781bf1
satellite-cli-6.18.5-1.el9sat.noarch.rpm SHA-256: 7c36b5a5dd468e6242666197b27fbadb42a5c8754e20f7ce9444ec6ffa82b6be

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.