Issued:: 2026-03-26
Updated:: 2026-03-26

RHSA-2026:5970 - Security Advisory

Overview
Updated Packages

Synopsis

Important: Satellite 6.17.7 Async Update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

A new release is now available for Red Hat Satellite 6.17 for RHEL 9.

Description

Red Hat Satellite is a system management solution that allows organizations
to configure and maintain their systems without the necessity to provide
public Internet access to their servers or other client systems. It
performs provisioning and configuration management of predefined standard
operating environments.

Security Fix(es):

python-django: Django: SQL Injection via crafted column aliases (CVE-2026-1287)
python-django: Django: SQL Injection via RasterField band index parameter (CVE-2026-1207)
python-django: Django: Denial of Service via crafted HTML inputs (CVE-2026-1285)
python-django: Django: SQL injection via crafted column aliases in QuerySet.order_by() (CVE-2026-1312)
python-django: Django: Denial of Service via crafted request with duplicate headers (CVE-2025-14550)
python-brotli: Brotli decompression bomb DoS in scrapy/scrapy (CVE-2025-6176)
rubygem-foreman_kubevirt: foreman_kubevirt: Man-in-the-Middle due to insecure default SSL verification (CVE-2026-1531)
rubygem-fog-kubevirt: fog-kubevirt: Man-in-the-Middle vulnerability due to disabled certificate validation (CVE-2026-1530)
rubygem-rubyipmi: Red Hat Satellite: Remote Code Execution in rubyipmi via malicious BMC username (CVE-2026-0980)
foreman: Foreman: Remote Code Execution via command injection in WebSocket proxy (CVE-2026-1961)
yggdrasil-worker-forwarder: Unexpected session resumption in crypto/tls (CVE-2025-68121)
Katello: Denial of Service and potential information disclosure via SQL injection (CVE-2026-4324)

Bug Fix(es):

High memory usage of postgres processes on scaled Capsule (SAT-42871)
AttributeError: 'NoneType' object has no attribute '_artifacts' when running pulpcore-container-handle-image-metadata in the post-upgrade step for Satellite 6.17 (SAT-42873)
Lifecycle Environment shows 2 Library options (SAT-42881)
Executing foreman-rake command in the satellite, prints warning "W, [2025-08-28T14:25:04.030121 #11656] WARN -- : Scoped order is ignored, it's forced to be batch order." (SAT-42882)
Upgrade to Sat 6.16 does not cleanup Postgresql12 which is reported as security risk/vulnerability by the scanners on Sat 6.17 & 6.18. (SAT-43118)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For detailed instructions how to apply this update, refer to:

https://docs.redhat.com/en/documentation/red_hat_satellite/6.17/html/updating_red_hat_satellite/index

Affected Products

Red Hat Satellite 6.17 x86_64
Red Hat Satellite Capsule 6.17 x86_64
Red Hat Enterprise Linux for x86_64 9 x86_64

Fixes

BZ - 2408762 - CVE-2025-6176 Scrapy: python-scrapy: brotli: Python brotli decompression bomb DoS
BZ - 2429874 - CVE-2026-0980 rubyipmi: Red Hat Satellite: Remote Code Execution in rubyipmi via malicious BMC username
BZ - 2433784 - CVE-2026-1530 fog-kubevirt: fog-kubevirt: Man-in-the-Middle vulnerability due to disabled certificate validation
BZ - 2433786 - CVE-2026-1531 foreman-kubevirt: foreman_kubevirt: Man-in-the-Middle due to insecure default SSL verification
BZ - 2436338 - CVE-2026-1207 Django: Django: SQL Injection via RasterField band index parameter
BZ - 2436339 - CVE-2026-1287 Django: Django: SQL Injection via crafted column aliases
BZ - 2436340 - CVE-2026-1285 Django: Django: Denial of Service via crafted HTML inputs
BZ - 2436341 - CVE-2025-14550 Django: Django: Denial of Service via crafted request with duplicate headers
BZ - 2436342 - CVE-2026-1312 Django: Django: SQL injection via crafted column aliases in QuerySet.order_by()
BZ - 2437036 - CVE-2026-1961 forman: Foreman: Remote Code Execution via command injection in WebSocket proxy
BZ - 2437111 - CVE-2025-68121 crypto/tls: Unexpected session resumption in crypto/tls
BZ - 2448349 - CVE-2026-4324 rubygem-katello: Katello: Denial of Service and potential information disclosure via SQL injection
SAT-42871 - High memory usage of postgres processes on scaled Capsule [rhn_satellite_6.17]
SAT-42873 - AttributeError: 'NoneType' object has no attribute '_artifacts' when running pulpcore-container-handle-image-metadata in the post-upgrade step for Satellite 6.17 [rhn_satellite_6.17]
SAT-42881 - Lifecycle Environment shows 2 Library options [rhn_satellite_6.17]
SAT-42882 - Executing foreman-rake command in the satellite, prints warning "W, [2025-08-28T14:25:04.030121 #11656] WARN -- : Scoped order is ignored, it's forced to be batch order." [rhn_satellite_6.17]

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Satellite 6.17

SRPM
foreman-3.14.0.14-1.el9sat.src.rpm	SHA-256: c9a51d31551a88e937f0dd54d67096e49b30d7321472a25b109d9d4aefeaf070
libcomps-0.1.23-0.3.el9pc.src.rpm	SHA-256: 9764d0ad86061f037c2fe733e6d52f99d312a84b9a5906f658925d3aae96009e
python-brotli-1.2.0-0.1.el9pc.src.rpm	SHA-256: c3c267bddd5b241a90dec131bba8126acdaa06f77aa390b4500c688a8e81791e
python-django-4.2.28-0.1.el9pc.src.rpm	SHA-256: 2b16518feac796595970beef8c748f0ea926a904287716de1f0519743566e1a0
python-pulp-container-2.22.3-1.el9pc.src.rpm	SHA-256: cbc5a8f8c0e5b8f0f4747e70b0753351fe761e64ffe6df61f9ac4a4cefde2509
python-pulp-rpm-3.27.10-2.el9pc.src.rpm	SHA-256: 2e6bc54cd933e3e6c25bdb80a37f2f6192af1a0d54f0012f691f2b438e1f8389
rubygem-fog-kubevirt-1.5.1-1.el9sat.src.rpm	SHA-256: 86d661ac78f15f0ae589837d90949af76782d457d377ec792ba1e422ea9b5237
rubygem-foreman_kubevirt-0.4.3-1.el9sat.src.rpm	SHA-256: f24a41aace4cbbf02db6dd69d21c2deeeb358b72e48a33a2af3979e00072b15b
rubygem-katello-4.16.0.14-1.el9sat.src.rpm	SHA-256: 3c4b82a2071b5555380ba35ec4fb81141caef65c30bd25a0cdd53a58cea6284a
rubygem-rubyipmi-0.13.0-1.el9sat.src.rpm	SHA-256: cba98c5f4c5c672ca59600ce281b24042374e71f2b668549abdb57d1f645b8a7
satellite-6.17.7-1.el9sat.src.rpm	SHA-256: 6ad8b3655dfb4161064d2068ec43d3a1ab4d31d4856c38fea37ebc8ee25a819d
yggdrasil-worker-forwarder-0.0.3-4.el9sat.src.rpm	SHA-256: 50257bfa9cb372f3106ef14fe9a5d2d95601be993f17c03f75d60a5fd31d895c
x86_64
foreman-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: 66c8f9dbb559dce8cd6c9a0b97f7fe5921c578729dd2ffc81f8522af41bdf47f
foreman-cli-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: 359f8ea417116b1c70d7bde0e4479dacc3be3f098ecf04a1c623aa7934af2393
foreman-debug-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: c1243d7f8c96116cee5ca22e5a538271b286e426917ce266117dce0179d767ee
foreman-dynflow-sidekiq-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: cd78b389dc5d21d9aebd742c9d516c148dbd81f171fcfadf4c8a0773d03af807
foreman-ec2-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: 8624d344d7d44ad296a5b2ea6bbc25571e40f9868c9fd92040a8f147166b236d
foreman-journald-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: ed3d50f36f6a1bc9f5f677f86e95eafe52b59c7ee08e14314a846be361fbb2b5
foreman-libvirt-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: 734ee7148bd2d657d70440df19ff155ee169eaaf7e146fb97d06b6fc614db4cc
foreman-openstack-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: 77484672c6ad1dc71a927a3a6d5f7b34317e63d2812edc0257dc7e4a86eeb94a
foreman-ovirt-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: 14d5b7f5645c42087bcee1547022f841dfc1df2cdb9f1ffa3c20f626624aadc9
foreman-pcp-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: 1c87b1fe29fab527dfe2d62aa69320b605b19cee672ef689edde9c63bc3eb6e4
foreman-postgresql-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: 3613d9956da436bba01930b58a0795d9695b1dc01c65d9c99abea8a74520bd8d
foreman-redis-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: 08825689dccb4cbb0b35bd621565bbebbd8941a0d9439a9617e16012736f2e79
foreman-service-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: 773c29703aed53ee532e64d4c6d112fac1be8ff0e790a8a4f41bce51508c1472
foreman-telemetry-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: 51a553be49b247fe85e443587588da546cfb7ce323f58ebb8329be6d728be5b2
foreman-vmware-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: f0446a5e47da5f0a88e5b1efb32c1ea195a006a6a2a28847da50bdaa2ca84f3b
libcomps-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: a5bf98dc6d51ab8da28605a598972e3ca433b06c14213f5704c5c94072ea699a
libcomps-debuginfo-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: 175a40df8c0a9029ce5d22e1e1d4878ed33d5fddbdf9a53d77b0d4bd4c65b9b9
libcomps-debugsource-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: 54ab5807acb38f10de7bab5c21c6fc2848320336d8674c1e31d0e8b93b794ba0
python-brotli-debugsource-1.2.0-0.1.el9pc.x86_64.rpm	SHA-256: b5c3e732820460cbe4a442e8ed0db9000ed63fca861a15139a3ccbacdfd54ad7
python3-libcomps-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: cdeb02a8b51942f3fd8c0d6e0f8a66124056982c955ef15ba9c332df29b4dca7
python3-libcomps-debuginfo-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: eb323aecfacfd89cb52ff338e82da843aa0507500b7718e1900ff1a5c1ab3f07
python3.11-brotli-1.2.0-0.1.el9pc.x86_64.rpm	SHA-256: 94a8a44529a7fa6c05deea2050b4d5da7aac554a097e3b46aae8a2b0bdd3120b
python3.11-brotli-debuginfo-1.2.0-0.1.el9pc.x86_64.rpm	SHA-256: a1307e727ea1779a96e711554f4773ad561e52e121a02b495e3238ce33f4d5ac
python3.11-django-4.2.28-0.1.el9pc.noarch.rpm	SHA-256: 9f004bb1816a87e475a3d89ef8e535dd5619222929a6fd71c60acfb3996c7306
python3.11-libcomps-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: f35e34dd43994a5a9bcbf0f7bec55f5a8737f547d3e492550f00a7e65edd6ff0
python3.11-libcomps-debuginfo-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: 9e60436850e64f6dcfcdf4b27fc3c4c151bc6cf4a58a1e04ad675126164b825a
python3.11-pulp-container-2.22.3-1.el9pc.noarch.rpm	SHA-256: f30fbba3d1440a987ca4f313b0538b22a952957ef03cc94790c75551a2561cee
python3.11-pulp-rpm-3.27.10-2.el9pc.noarch.rpm	SHA-256: 17f53de90b214624abfd0aea4f2f7ac4388dad21eef15ff7ff9b84ba1dd21d25
rubygem-fog-kubevirt-1.5.1-1.el9sat.noarch.rpm	SHA-256: a9dad804e187c86e56ea7271bb4ecb55e6f75142b5d75306cd81fdada5cd2771
rubygem-foreman_kubevirt-0.4.3-1.el9sat.noarch.rpm	SHA-256: 276b5883cc2cfdeb3f5ca134151e042debc97b5fc6da0fe18629d57a5f84f1f3
rubygem-katello-4.16.0.14-1.el9sat.noarch.rpm	SHA-256: 28006f141cecb01ba64ed49db562257bf016c83e69d4289db1c2bfb3d407f96f
rubygem-rubyipmi-0.13.0-1.el9sat.noarch.rpm	SHA-256: 408a2a8c4e209629dd63ceb8b5bdf7a0e8aba4eb24f79267c6031fa9d7219906
satellite-6.17.7-1.el9sat.noarch.rpm	SHA-256: e377d336a4bccf894d2bd4f392a49cf256559e18b4a81b2507d5da6031e8f342
satellite-cli-6.17.7-1.el9sat.noarch.rpm	SHA-256: 64329e54fad1f98170405c43d260da176acf55303e9117e56f630dc2e7a5042b
satellite-common-6.17.7-1.el9sat.noarch.rpm	SHA-256: ae2168b814434c35e05f8890d25da9703e18351524648e8c066da495f9b5b90b
satellite-obsolete-packages-6.17.7-1.el9sat.noarch.rpm	SHA-256: 1dd7c55d621bc8af81fc95263a9231d1abae6387cb639a38d6476bff5a327cc9
yggdrasil-worker-forwarder-0.0.3-4.el9sat.x86_64.rpm	SHA-256: d2dd7a63734e89b99367c50721eff4392126326faa9f7f64aa2523398cd75751

Red Hat Satellite Capsule 6.17

SRPM
foreman-3.14.0.14-1.el9sat.src.rpm	SHA-256: c9a51d31551a88e937f0dd54d67096e49b30d7321472a25b109d9d4aefeaf070
libcomps-0.1.23-0.3.el9pc.src.rpm	SHA-256: 9764d0ad86061f037c2fe733e6d52f99d312a84b9a5906f658925d3aae96009e
python-brotli-1.2.0-0.1.el9pc.src.rpm	SHA-256: c3c267bddd5b241a90dec131bba8126acdaa06f77aa390b4500c688a8e81791e
python-django-4.2.28-0.1.el9pc.src.rpm	SHA-256: 2b16518feac796595970beef8c748f0ea926a904287716de1f0519743566e1a0
python-pulp-container-2.22.3-1.el9pc.src.rpm	SHA-256: cbc5a8f8c0e5b8f0f4747e70b0753351fe761e64ffe6df61f9ac4a4cefde2509
python-pulp-rpm-3.27.10-2.el9pc.src.rpm	SHA-256: 2e6bc54cd933e3e6c25bdb80a37f2f6192af1a0d54f0012f691f2b438e1f8389
rubygem-rubyipmi-0.13.0-1.el9sat.src.rpm	SHA-256: cba98c5f4c5c672ca59600ce281b24042374e71f2b668549abdb57d1f645b8a7
satellite-6.17.7-1.el9sat.src.rpm	SHA-256: 6ad8b3655dfb4161064d2068ec43d3a1ab4d31d4856c38fea37ebc8ee25a819d
x86_64
foreman-debug-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: c1243d7f8c96116cee5ca22e5a538271b286e426917ce266117dce0179d767ee
foreman-pcp-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: 1c87b1fe29fab527dfe2d62aa69320b605b19cee672ef689edde9c63bc3eb6e4
libcomps-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: a5bf98dc6d51ab8da28605a598972e3ca433b06c14213f5704c5c94072ea699a
libcomps-debuginfo-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: 175a40df8c0a9029ce5d22e1e1d4878ed33d5fddbdf9a53d77b0d4bd4c65b9b9
libcomps-debugsource-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: 54ab5807acb38f10de7bab5c21c6fc2848320336d8674c1e31d0e8b93b794ba0
python-brotli-debugsource-1.2.0-0.1.el9pc.x86_64.rpm	SHA-256: b5c3e732820460cbe4a442e8ed0db9000ed63fca861a15139a3ccbacdfd54ad7
python3-libcomps-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: cdeb02a8b51942f3fd8c0d6e0f8a66124056982c955ef15ba9c332df29b4dca7
python3-libcomps-debuginfo-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: eb323aecfacfd89cb52ff338e82da843aa0507500b7718e1900ff1a5c1ab3f07
python3.11-brotli-1.2.0-0.1.el9pc.x86_64.rpm	SHA-256: 94a8a44529a7fa6c05deea2050b4d5da7aac554a097e3b46aae8a2b0bdd3120b
python3.11-brotli-debuginfo-1.2.0-0.1.el9pc.x86_64.rpm	SHA-256: a1307e727ea1779a96e711554f4773ad561e52e121a02b495e3238ce33f4d5ac
python3.11-django-4.2.28-0.1.el9pc.noarch.rpm	SHA-256: 9f004bb1816a87e475a3d89ef8e535dd5619222929a6fd71c60acfb3996c7306
python3.11-libcomps-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: f35e34dd43994a5a9bcbf0f7bec55f5a8737f547d3e492550f00a7e65edd6ff0
python3.11-libcomps-debuginfo-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: 9e60436850e64f6dcfcdf4b27fc3c4c151bc6cf4a58a1e04ad675126164b825a
python3.11-pulp-container-2.22.3-1.el9pc.noarch.rpm	SHA-256: f30fbba3d1440a987ca4f313b0538b22a952957ef03cc94790c75551a2561cee
python3.11-pulp-rpm-3.27.10-2.el9pc.noarch.rpm	SHA-256: 17f53de90b214624abfd0aea4f2f7ac4388dad21eef15ff7ff9b84ba1dd21d25
rubygem-rubyipmi-0.13.0-1.el9sat.noarch.rpm	SHA-256: 408a2a8c4e209629dd63ceb8b5bdf7a0e8aba4eb24f79267c6031fa9d7219906
satellite-capsule-6.17.7-1.el9sat.noarch.rpm	SHA-256: f9a6137903b97e9f333e6b33fd07dfff5f074c6a57b8303f64661e7ee41d121c
satellite-common-6.17.7-1.el9sat.noarch.rpm	SHA-256: ae2168b814434c35e05f8890d25da9703e18351524648e8c066da495f9b5b90b
satellite-obsolete-packages-6.17.7-1.el9sat.noarch.rpm	SHA-256: 1dd7c55d621bc8af81fc95263a9231d1abae6387cb639a38d6476bff5a327cc9

Red Hat Enterprise Linux for x86_64 9

SRPM
foreman-3.14.0.14-1.el9sat.src.rpm	SHA-256: c9a51d31551a88e937f0dd54d67096e49b30d7321472a25b109d9d4aefeaf070
libcomps-0.1.23-0.3.el9pc.src.rpm	SHA-256: 9764d0ad86061f037c2fe733e6d52f99d312a84b9a5906f658925d3aae96009e
satellite-6.17.7-1.el9sat.src.rpm	SHA-256: 6ad8b3655dfb4161064d2068ec43d3a1ab4d31d4856c38fea37ebc8ee25a819d
x86_64
foreman-cli-3.14.0.14-1.el9sat.noarch.rpm	SHA-256: 359f8ea417116b1c70d7bde0e4479dacc3be3f098ecf04a1c623aa7934af2393
libcomps-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: a5bf98dc6d51ab8da28605a598972e3ca433b06c14213f5704c5c94072ea699a
libcomps-debuginfo-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: 175a40df8c0a9029ce5d22e1e1d4878ed33d5fddbdf9a53d77b0d4bd4c65b9b9
libcomps-debugsource-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: 54ab5807acb38f10de7bab5c21c6fc2848320336d8674c1e31d0e8b93b794ba0
python3-libcomps-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: cdeb02a8b51942f3fd8c0d6e0f8a66124056982c955ef15ba9c332df29b4dca7
python3-libcomps-debuginfo-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: eb323aecfacfd89cb52ff338e82da843aa0507500b7718e1900ff1a5c1ab3f07
python3.11-libcomps-debuginfo-0.1.23-0.3.el9pc.x86_64.rpm	SHA-256: 9e60436850e64f6dcfcdf4b27fc3c4c151bc6cf4a58a1e04ad675126164b825a
satellite-cli-6.17.7-1.el9sat.noarch.rpm	SHA-256: 64329e54fad1f98170405c43d260da176acf55303e9117e56f630dc2e7a5042b

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation