Headline
Red Hat Security Advisory 2023-2101-01
Red Hat Security Advisory 2023-2101-01 - Red Hat Update Infrastructure offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux instances. Issues addressed include denial of service and remote shell upload vulnerabilities.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: RHUI 4.4.0 release - Security Fixes, Bug Fixes, and Enhancements Update
Advisory ID: RHSA-2023:2101-01
Product: Red Hat Update Infrastructure
Advisory URL: https://access.redhat.com/errata/RHSA-2023:2101
Issue date: 2023-05-03
CVE Names: CVE-2022-40899 CVE-2023-23969 CVE-2023-24580
=====================================================================
- Summary:
An updated version of Red Hat Update Infrastructure (RHUI) is now
available. RHUI 4.4 fixes several security and operational bugs, and
introduces multiple new features.
- Relevant releases/architectures:
RHUI 4 for RHEL 8 - noarch
- Description:
Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly
redundant framework that enables you to manage repositories and content. It
also enables cloud providers to deliver content and updates to Red Hat
Enterprise Linux (RHEL) instances.
Security Fix(es):
Django: Potential denial-of-service vulnerability due to large
Accept-Language header values (CVE-2023-23969)Django: Potential denial-of-service vulnerability when uploading multiple
files (CVE-2023-24580)Future: Remote attackers can cause denial-of-service using crafted
Set-Cookie header from a malicious web server (CVE-2022-40899)
This RHUI update fixes the following bugs:
Previously, when the
rhui-services-restart
command was run, it
restarted only thosepulpcore-worker
services that were already running
and ignored services that were not running. With this update, the
rhui-services-restart
command restarts allpulpcore-worker
services
irrespective of their status.Previously, the
rhui-manager status
command returned an incorrect exit
status when there was a problem. With this update, the issue has been fixed
and the command now returns the correct exit status. (BZ#2174633)Previously,
rhui-installer
ignored the--rhua-mount-options
parameter
and only used the read-write (rw
) mount option to set up RHUI remote
share. With this update,rhui-installer
uses the--rhua-mount-options
parameter. However,rhui-installer
still uses the read-write (rw
)
option by default. (BZ#2174316)Previously, when you ran
rhui-installer
, it rewrote the
/etc/rhui/rhui-tools.conf
file, resetting all container-related settings.
With this update, the command saves the container-related settings from the
/etc/rhui/rhui-tools.conf
file and restores them after the file is
rewritten.
This RHUI update introduces the following enhancements:
The
rhui-installer
command now supports the--pulp-workers _COUNT_
argument. RHUI administrators can use this argument to set up a number of
Pulp workers. (BZ#2036408)You can now configure CDS nodes to never fetch non-exported content from
the RHUA node. To configure the node, rerun therhui-installer
command
with the--fetch-missing-symlinks False
argument, and then apply this
configuration to all CDS nodes. If you configure your CDS nodes this way,
ensure that the content has been exported before RHUI clients start
consuming it. (BZ#2084950)Support for containers in RHUI is disabled by default. If you want to use
containers, you must manually enable container support by rerunning
rhui-installer
with the--container-support-enabled True
argument, and
then applying this configuration to all CDS nodes.Transport Layer Security (TLS) 1.3 and HTTP Strict Transport Security
(HSTS) is now enabled in RHUI. This update improves overall RHUI security
and also removes unsafe ciphers from thenginx
configuration on CDS
nodes. (BZ#1887903)You can now remove packages from custom repositories using the text user
interface (TUI) as well as the command line. For more information, see the
release notes or the product documentation.(BZ#2165444)You can now set up the Alternate Content Source (ACS) configuration in
RHUI to quickly synchronize new repositories and content by substituting
remote content with matching content that is available locally or
geographically closer to your instance of RHUI. For more information, see
the release notes or the product documentation. (BZ#2001087)You can now use a custom prefix, or no prefix at all, when naming your
RHUI repositories. You can change the prefix by rerunning the
rhui-installer
command with the--client-repo-prefix <prefix>
argument.
To remove the prefix entirely, use two quotation marks (“”) as the
<prefix>
parameter. For more information, see the release notes or the
product documentation.
- Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2036408 - Change default pulp workers if RHUA has lower cpu count
2084950 - RHUIv4 does not function when RHUA is unavailable
2165444 - [RFE] No way to remove specific packages in custom repositories
2165866 - CVE-2022-40899 python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious web server
2166457 - CVE-2023-23969 python-django: Potential denial-of-service via Accept-Language headers
2169402 - CVE-2023-24580 python-django: Potential denial-of-service vulnerability in file uploads
2174316 - rhui-installer ignores --rhua-mount-options option in rhui4.
2174633 - ‘rhui-manager status’ returns an exist code 0 even if pulp-workers are down
- JIRA issues fixed (https://issues.jboss.org/):
RHUI-134 - [RFE] Satellite w/ Pulp 3 ACS: Generate a cert, headers, a base URL, and subpaths for a list of repositories
RHUI-148 - Enable remove RPM functionality from custom repo
RHUI-199 - Remove unsafe ciphers from default setup of NGinx
RHUI-230 - Bug 1887903 - TLS testing tool on CDS certificate
RHUI-342 - Make client repo ID prefix optional
RHUI-354 - Container support should be “opt-in” and not enabled by default
RHUI-362 - rhui-installer --rerun wipes container registry configuration
RHUI-368 - Update Django to address CVE-2023-24580 python-django: Potential denial-of-service vulnerability in file uploads
RHUI-370 - rhui-installer ignores --rhua-mount-options option in rhui4
RHUI-371 - ‘rhui-manager status’ returns an exist code 0 even if pulp-workers are down
RHUI-372 - Allow CDS to be configured without requesting RHUA creating missing symlinks.
RHUI-376 - rhui-services-restart doesn’t start workers if they’re down
RHUI-377 - Create a rhui-installer argument to change the number of pulp-workers
- Package List:
RHUI 4 for RHEL 8:
Source:
python-django-3.2.18-1.0.1.el8ui.src.rpm
python-future-0.18.3-1.0.1.el8ui.src.rpm
rhui-installer-4.4.0.5-1.el8ui.src.rpm
rhui-tools-4.4.0.5-1.el8ui.src.rpm
noarch:
python39-django-3.2.18-1.0.1.el8ui.noarch.rpm
python39-future-0.18.3-1.0.1.el8ui.noarch.rpm
rhui-installer-4.4.0.5-1.el8ui.noarch.rpm
rhui-tools-4.4.0.5-1.el8ui.noarch.rpm
rhui-tools-libs-4.4.0.5-1.el8ui.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-40899
https://access.redhat.com/security/cve/CVE-2023-23969
https://access.redhat.com/security/cve/CVE-2023-24580
https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZFKfqNzjgjWX9erEAQic5w/7BLmNq2O/sL5buYUMSGyq0FOVpHNs4Gme
GUhezPB1yPgskJojImfLXaw1z/fAQ0vHlVbqtbxm2RjjycKPccbhf2OMWyeqk6nl
NpWbvUTvnORjxq+8ytPw/BOErmaXP/pkEnMQ9MYYhjX0mnZpa27Hqg5ZaGYrZKR2
z3ubR/O9IasaeB852DtLbZYMGtKSG/dOQCqFUbowox6nhw1iaDlpty4Rx1gNM691
4nANykTsg6SFZKm3Q9Ie6di5UjaKZ3p0Y2ibNMAlSuDSqC3P1CkBxjmjjTYn8+JH
FRhRuUFBnuexFuZu5eMsJAw3GjwkvLfg0h4vmtBiL6YJxIhLNNcXuD3RtDjvt3Le
J1iln27dJzrW0uhHHDP403q2XjVTyZoXOUfPWuVRQdq3QU4Jw92OWHOZXxOAhxoi
st3SlHV0AtE25dtibzWgdtuLm5KQeOeROa3HxgCOCpIGK1PNUx4jHOdSCNQcGVue
HNbFvJCneh8lh//kZVaQjymGReG4UcIotXFRvdWtbRSnFkkhXCEOteUHP+4RwtFd
xFxXN3qO38cjAttCjkdMXYewsbmGyeu25x31fzYvi0UOvolJZ4TcCr82fwvcz9gE
FxD9+zFcLv56pSVk+KxFC1wu9+vT2Sx1mg3t4rB9iY62kS1vkxpOnkIPdlTFYik+
ayeXSCdH7a0=
=wa8K
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Red Hat Security Advisory 2023-4692-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Issues addressed include cross site request forgery, denial of service, and remote shell upload vulnerabilities.
An update is now available for Red Hat Ansible Automation Platform 2.4 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24580: A memory exhaustion flaw was found in the python-django package. This issue occurs when passing certain inputs, leading to a system crash and denial of service. * CVE-2023-36053: A regular expression denial of service vulnerability has been found in Django. Email and URL validators are vulnerable to this flaw when processing a very large number o...
Debian Linux Security Advisory 5465-1 - Seokchan Yoon discovered that missing sanitising in the email and URL validators of Django, a Python web development framework, could result in denial of service.
Red Hat Security Advisory 2023-2097-03 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, deserialization, improper neutralization, information leakage, and remote shell upload vulnerabilities.
Red Hat Security Advisory 2023-2097-03 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, deserialization, improper neutralization, information leakage, and remote shell upload vulnerabilities.
An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.4 fixes several security and operational bugs, and introduces multiple new features.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40899: An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. * CVE-2023-23969: A flaw was found in python-django. The parsed values of the Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial of service vector via excessive memory usage if large header values are sent. * CVE-2023-24580: A memory exhaustion flaw was found in the python-django package....
An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.4 fixes several security and operational bugs, and introduces multiple new features.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40899: An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. * CVE-2023-23969: A flaw was found in python-django. The parsed values of the Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial of service vector via excessive memory usage if large header values are sent. * CVE-2023-24580: A memory exhaustion flaw was found in the python-django package....
An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.4 fixes several security and operational bugs, and introduces multiple new features.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40899: An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. * CVE-2023-23969: A flaw was found in python-django. The parsed values of the Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial of service vector via excessive memory usage if large header values are sent. * CVE-2023-24580: A memory exhaustion flaw was found in the python-django package....
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
Ubuntu Security Notice 5868-1 - Jakob Ackermann discovered that Django incorrectly handled certain file uploads. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
Ubuntu Security Notice 5837-2 - USN-5837-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 16.04 ESM. Nick Pope discovered that Django incorrectly handled certain Accept-Language headers. A remote attacker could possibly use this issue to cause Django to consume memory, leading to a denial of service.
Ubuntu Security Notice 5837-1 - Nick Pope discovered that Django incorrectly handled certain Accept-Language headers. A remote attacker could possibly use this issue to cause Django to consume memory, leading to a denial of service.
Ubuntu Security Notice 5833-1 - Sebastian Chnelik discovered that python-future incorrectly handled certain HTTP header field. An attacker could possibly use this issue to cause a denial of service.
An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.