Red Hat Security Advisory 2023-4591-01

Red Hat Security Advisory 2023-4591-01 - Red Hat Update Infrastructure offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux instances. Issues addressed include bypass and denial of service vulnerabilities.

Packet Storm

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: RHUI 4.5.0 release - Security, Bug Fixes, and Enhancements
Advisory ID: RHSA-2023:4591-01
Product: Red Hat Update Infrastructure
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4591
Issue date: 2023-08-09
CVE Names: CVE-2023-30608 CVE-2023-31047
=====================================================================

  1. Summary:

An updated version of Red Hat Update Infrastructure (RHUI) is now
available. RHUI 4.5 fixes several security and operational bugs and also
adds several new features.

  2. Relevant releases/architectures:

RHUI 4 for RHEL 8 - noarch

  3. Description:

Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly
redundant framework that enables you to manage repositories and content. It
also enables cloud providers to deliver content and updates to Red Hat
Enterprise Linux (RHEL) instances.

Security Fix(es):

  • Django: Potential bypass of validation when uploading multiple files
    using a single form field (CVE-2023-31047)

  • sqlparse: Parser contains a regular expression that is vulnerable to
    ReDOS (Regular Expression Denial of Service) (CVE-2023-30608)
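
The Django flaw above comes down to how a form field reads a multi-file POST: Django's MultiValueDict returns only the last value for a key on plain lookup or get(), so FileField.clean() validated the last file while the view went on to save every file from getlist(). The following is an added illustration, not Django's or RHUI's code: MultiValueDict here is a reduced model of django.utils.datastructures.MultiValueDict, validate_upload is a hypothetical per-file policy, and the uploads are constructed samples.

```python
"""Model of CVE-2023-31047: with several files posted under one form field,
only the last one reached validation.  Added example; the classes and
functions below are stand-ins, not Django code."""
from dataclasses import dataclass
from pathlib import PurePosixPath

ALLOWED_SUFFIXES = {".png", ".jpg", ".pdf"}   # hypothetical site policy
MAX_BYTES = 1_000_000


@dataclass(frozen=True)
class Upload:
    """Stand-in for an UploadedFile: just a name and its bytes."""
    name: str
    content: bytes


class MultiValueDict(dict):
    """Reduced model of django.utils.datastructures.MultiValueDict: every key
    holds a list, and plain lookup returns only the LAST value posted."""

    def __getitem__(self, key):
        return dict.__getitem__(self, key)[-1]

    def get(self, key, default=None):
        return self[key] if key in self else default

    def getlist(self, key):
        return list(dict.get(self, key, []))


def validate_upload(upload):
    """Per-file policy check (hypothetical); returns an error string or None."""
    suffix = PurePosixPath(upload.name).suffix.lower()
    if suffix not in ALLOWED_SUFFIXES:
        return f"{upload.name}: file type {suffix or '(none)'} not allowed"
    if len(upload.content) > MAX_BYTES:
        return f"{upload.name}: larger than {MAX_BYTES} bytes"
    return None


def clean_vulnerable(files, field="attachments"):
    """Pre-3.2.19 pattern: the field's clean() ran on files.get(field), i.e.
    the last file only, while the view saved everything in getlist(field)."""
    error = validate_upload(files.get(field))
    if error:
        raise ValueError(error)
    return files.getlist(field)          # unvalidated files ride along


def clean_fixed(files, field="attachments"):
    """What the post-fix documentation's MultipleFileField does: run the
    single-file clean over every posted file and refuse the set on any error."""
    uploads = files.getlist(field)
    errors = [err for err in map(validate_upload, uploads) if err]
    if errors:
        raise ValueError("; ".join(errors))
    return uploads


def build_request_files(uploads, field="attachments"):
    """Constructed equivalent of request.FILES for a multipart POST that sent
    several files under one field name, in the order the browser sent them."""
    return MultiValueDict({field: list(uploads)})


def rejects(clean, files):
    """True when `clean` refuses the posted set."""
    try:
        clean(files)
    except ValueError:
        return True
    return False


# Constructed sample: the dangerous file first, an innocuous one last.
SAMPLE = [Upload("payload.exe", b"MZ\x90\x00"), Upload("photo.png", b"\x89PNG\r\n")]

if __name__ == "__main__":
    posted = build_request_files(SAMPLE)
    print("vulnerable accepts:", [u.name for u in clean_vulnerable(posted)])
    print("fixed rejects:", rejects(clean_fixed, posted))
```

Note that the vulnerable path only lets the bad file through when it is not the last one in the request; an attacker controls that order, which is why the advisory calls it a bypass rather than a missing check.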

This RHUI update fixes the following bugs:

  • Previously, the rhui-manager command used the logname command to
    obtain the login name. However, when rhui-manager is run using the
    rhui-repo-sync cron job, a login name is not defined. Consequently,
    emails sent by the cron job contained the error message
    "logname: no login name". With this update, rhui-manager does not
    obtain the login name using the logname command and the error message
    is no longer generated.

  • Previously, when an invalid repository ID was used with the
    rhui-manager command to synchronize or delete a repository, the command
    failed with the following error:
    An unexpected error has occurred during the last operation.
    Additionally, a traceback was logged. With this update, the error
    message has been improved and the failure no longer logs a traceback.

This RHUI update introduces the following enhancements:

  • With this update, the client configuration RPMs in rhui-manager prevent
    subscription manager from automatically enabling yum plugins. As a
    result, RHUI repository users will no longer see irrelevant messages from
    subscription manager. (BZ#1957871)

  • With this update, you can generate machine-readable files with the status
    of each RHUI repository. To use this feature, run the following command:
    rhui-manager --non-interactive status --repo_json <output file>
    (BZ#2079391)

  • With this update, the rhui-manager CLI command uses a variety of unique
    exit codes to indicate different types of errors. For example, if you
    attempt to add a Red Hat repository that has already been added, the
    command will exit with a status of 245. However, if you attempt to add a
    Red Hat repository that does not exist in the RHUI entitlement, the command
    will exit with a status of 246. For a complete list of codes, see the
    /usr/lib/python3.6/site-packages/rhui/common/rhui_exit_codes.py file.

  4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For detailed instructions on how to apply this update, see:
https://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/4/html/migrating_red_hat_update_infrastructure/assembly_upgrading-red-hat-update-infrastructure_migrating-red-hat-update-infrastructure

For other information, see the product documentation:
https://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/4

  5. Bugs fixed (https://bugzilla.redhat.com/):

1957871 - [RFE] Client rpms created in RHUI don’t prevent auto-enable of subscription manager plugins
2079391 - Feature request to provide sync/repo status of each repo in a JSON file for automated monitoring
2187903 - CVE-2023-30608 sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service)
2192565 - CVE-2023-31047 python-django: Potential bypass of validation when uploading multiple files using one form field

  6. JIRA issues fixed (https://issues.redhat.com/):

RHUI-217 - [RFE] Client rpms created in RHUI don’t prevent auto-enable of subscription manager plugins
RHUI-263 - [RFE] Bug 2079391 - Feature request to provide sync/repo status of each repo in a JSON file for automated monitoring
RHUI-356 - “logname: no login name” appears, twice, in e-mails sent by the rhui-repo-sync cron job
RHUI-395 - Change error reporting of rhui-manager to be configurable
RHUI-424 - repo deletion for an un-added repo results in a traceback
RHUI-430 - Installation fails on RHEL 8.9
RHUI-75 - repo sync for an un-added repo results in a traceback

  7. Package List:

RHUI 4 for RHEL 8:

Source:
python-django-3.2.19-1.0.1.el8ui.src.rpm
python-sqlparse-0.4.4-1.0.1.el8ui.src.rpm
rhui-installer-4.5.0.1-1.el8ui.src.rpm
rhui-tools-4.5.0.5-1.el8ui.src.rpm

noarch:
python39-django-3.2.19-1.0.1.el8ui.noarch.rpm
python39-sqlparse-0.4.4-1.0.1.el8ui.noarch.rpm
rhui-installer-4.5.0.1-1.el8ui.noarch.rpm
rhui-tools-4.5.0.5-1.el8ui.noarch.rpm
rhui-tools-libs-4.5.0.5-1.el8ui.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
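
Before the packages above are applied, a practitioner checks that each RPM is both intact and signed by the expected Red Hat key, not merely by some key in the RPM database. The script below is an added example, not part of the advisory or of rpm: parse_checksig() reads the output format of `rpm --checksig` as printed by rpm 4.14 and later (the rpm on RHEL 8), and parse_pgpsig() reads the `%{SIGPGP:pgpsig}` header tag. SAMPLE_CHECKSIG and SAMPLE_PGPSIG are constructed strings in those formats, not captured output; the key ID in SAMPLE_PGPSIG is a placeholder, and the real one must be taken from the key page linked above.

```python
"""Signature gate for the RHSA-2023:4591 packages.  Added example; the
sample outputs are constructed, and verify_packages() only runs where rpm
is installed."""
import re
import shutil
import subprocess

# noarch packages from the Package List above
PACKAGES = [
    "python39-django-3.2.19-1.0.1.el8ui.noarch.rpm",
    "python39-sqlparse-0.4.4-1.0.1.el8ui.noarch.rpm",
    "rhui-installer-4.5.0.1-1.el8ui.noarch.rpm",
    "rhui-tools-4.5.0.5-1.el8ui.noarch.rpm",
    "rhui-tools-libs-4.5.0.5-1.el8ui.noarch.rpm",
]

# rpm >= 4.14 prints "<file>: digests signatures OK" on success.  Failed
# components are printed in upper case ("digests SIGNATURES NOT OK"), and an
# unsigned package prints just "digests OK".  Only the exact success string
# passes, so unsigned and broken packages are both rejected.
_CHECKSIG_LINE = re.compile(r"^(?P<path>.+?):\s+(?P<verdict>.*\S)\s*$")
_KEY_ID = re.compile(r"Key ID ([0-9a-f]{16})", re.IGNORECASE)

# Constructed sample output (not a real run) covering the three verdicts.
SAMPLE_CHECKSIG = """\
python39-django-3.2.19-1.0.1.el8ui.noarch.rpm: digests signatures OK
python39-sqlparse-0.4.4-1.0.1.el8ui.noarch.rpm: digests SIGNATURES NOT OK
rhui-tools-4.5.0.5-1.el8ui.noarch.rpm: digests OK
"""
# Constructed %{SIGPGP:pgpsig} value; the key ID is a placeholder.
SAMPLE_PGPSIG = "RSA/SHA256, Wed 09 Aug 2023 12:00:00 PM UTC, Key ID 0123456789abcdef"


def parse_checksig(output):
    """Map each file named in `rpm --checksig` output to True only when both
    digests and signatures verified."""
    verdicts = {}
    for line in output.splitlines():
        m = _CHECKSIG_LINE.match(line)
        if m:
            verdicts[m.group("path")] = m.group("verdict") == "digests signatures OK"
    return verdicts


def parse_pgpsig(text):
    """Lower-case 16-hex-digit signing key ID from a %{SIGPGP:pgpsig} value,
    or None when the package carries no PGP signature ("(none)")."""
    m = _KEY_ID.search(text)
    return m.group(1).lower() if m else None


def rejected(verdicts):
    """Sorted list of files that must not be installed."""
    return sorted(path for path, ok in verdicts.items() if not ok)


def verify_packages(paths, expected_key_id):
    """Run rpm for real and return the files that failed either the
    integrity/signature check or the signing-key check."""
    if shutil.which("rpm") is None:
        raise RuntimeError("rpm not available; run this on the RHUI host")
    out = subprocess.run(["rpm", "--checksig", *paths], capture_output=True, text=True)
    bad = set(rejected(parse_checksig(out.stdout)))
    for path in paths:
        sig = subprocess.run(["rpm", "-qp", "--qf", "%{SIGPGP:pgpsig}", path],
                             capture_output=True, text=True).stdout
        if parse_pgpsig(sig) != expected_key_id.lower():
            bad.add(path)
    return sorted(bad)


if __name__ == "__main__":
    print("would reject:", rejected(parse_checksig(SAMPLE_CHECKSIG)))
    print("sample key id:", parse_pgpsig(SAMPLE_PGPSIG))
```

The second check matters because `rpm --checksig` reports OK for any key already imported into the RPM database; pinning the expected key ID is what ties the packages to Red Hat's published key rather than to whatever a previous administrator imported.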

  8. References:

https://access.redhat.com/security/cve/CVE-2023-30608
https://access.redhat.com/security/cve/CVE-2023-31047
https://access.redhat.com/security/updates/classification/#moderate

  9. Contact:

The Red Hat security contact is secalert@redhat.com. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

RHSA-announce mailing list
rhsa-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

Red Hat Security Advisory 2023-5931-01

Red Hat Security Advisory 2023-5931-01 - Updated Satellite 6.13 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include code execution and denial of service vulnerabilities.

RHSA-2023:4591: Red Hat Security Advisory: RHUI 4.5.0 release - Security, Bug Fixes, and Enhancements

An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.5 fixes several security and operational bugs and also adds several new features. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2023-30608: A flaw was found in sqlparse. The SQL parser contains a regular expression vulnerable to a Regular Expression Denial of Service (ReDoS). The vulnerability may lead to a denial of service (DoS).
* CVE-2023-31047: A bypass of validation flaw was found in python-django. When uploading multiple files using one form field, an attacker could upload multiple files without validation due to the server only validating the last file uploaded.

Debian Security Advisory 5465-1

Debian Linux Security Advisory 5465-1 - Seokchan Yoon discovered that missing sanitising in the email and URL validators of Django, a Python web development framework, could result in denial of service.

CVE-2023-32686: Kiwi TCMS 12.3

Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded. The upload validation checks were not robust enough which left the possibility of an attacker to circumvent them and upload a potentially dangerous file. Exploiting this flaw, a combination of files could be uploaded so that they work together to circumvent the existing Content-Security-Policy and allow execution of arbitrary JavaScript in the browser. This issue has been patched in version 12.3.

Ubuntu Security Notice USN-6054-2

Ubuntu Security Notice 6054-2 - USN-6054-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Moataz Al-Sharida and nawaik discovered that Django incorrectly handled uploading multiple files using one form field. A remote attacker could possibly use this issue to bypass certain validations.

Ubuntu Security Notice USN-6064-1

Ubuntu Security Notice 6064-1 - It was discovered that SQL parse incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service.

GHSA-r3xc-prgr-mg9p: Django bypasses validation when using one form field to upload multiple files

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.

CVE-2023-31047: Django security releases issued: 4.2.1, 4.1.9, and 3.2.19

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.

Ubuntu Security Notice USN-6054-1

Ubuntu Security Notice 6054-1 - Moataz Al-Sharida and nawaik discovered that Django incorrectly handled uploading multiple files using one form field. A remote attacker could possibly use this issue to bypass certain validations.

GHSA-rrm6-wvj7-cwh2: sqlparse contains a regular expression that is vulnerable to Regular Expression Denial of Service

Impact: The SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service; see https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS). The vulnerability may lead to Denial of Service (DoS). Patches: This issue has been fixed in sqlparse 0.4.4. Workarounds: None. References: This issue was discovered and reported by GHSL team member @erik-krogh (Erik Krogh Kristensen, https://github.com/erik-krogh). Commit that introduced the vulnerability: e75e35869473832a1eb67772b1adfee2db11b85a

CVE-2023-30608: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service)

sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issue has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.
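
ReDoS in a parser is normally confirmed empirically: feed the suspect pattern inputs that grow by a few characters and watch whether match time grows linearly or explodes. The probe below is an added example, not sqlparse's code or Red Hat's. NESTED is a textbook nested-quantifier pattern used as a stand-in for the one fixed in 0.4.4, not sqlparse's actual regex, and the inputs are constructed (a run of "a" ended by a character that makes the match fail, which is what forces the backtracking). Since both the advisory and the GHSA give no workaround other than upgrading, sqlparse_is_fixed() is the check that matters on a host.

```python
"""ReDoS probe of the kind used to triage CVE-2023-30608.  Added example;
NESTED is a stand-in pattern, not the sqlparse regex."""
import re
import time
from importlib import metadata

NESTED = r"^(a+)+$"   # exponential: 2**(n-1) ways to split n a's before giving up
LINEAR = r"^a+$"      # same language, fails after one pass


def adversarial(n):
    """Constructed worst-case input for the patterns above."""
    return "a" * n + "!"


def time_match(rx, text, repeats=3):
    """Best-of-N wall-clock seconds for one fullmatch attempt (min filters noise)."""
    best = float("inf")
    for _ in range(repeats):
        t0 = time.perf_counter()
        rx.fullmatch(text)
        best = min(best, time.perf_counter() - t0)
    return best


def probe(pattern, make_input=adversarial, sizes=(12, 14, 16, 18, 20)):
    """Timings [(n, seconds)] for inputs of growing length n."""
    rx = re.compile(pattern)
    return [(n, time_match(rx, make_input(n))) for n in sizes]


def is_catastrophic(pattern, make_input=adversarial, sizes=(12, 14, 16, 18, 20),
                    floor=0.01, growth=2.0):
    """True when the largest input already costs more than `floor` seconds AND
    the cost more than doubled over the last size step.  A linear pattern stays
    in the microsecond range, so the floor alone clears it; an exponential one
    roughly quadruples every two extra characters."""
    timings = probe(pattern, make_input, sizes)
    prev, last = timings[-2][1], timings[-1][1]
    return last > floor and last > growth * prev


def version_tuple(text):
    """'0.4.4' -> (0, 4, 4); a non-numeric tail such as 'rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def sqlparse_is_fixed(required=(0, 4, 4)):
    """None if sqlparse is not installed, else whether it is >= 0.4.4."""
    try:
        installed = metadata.version("sqlparse")
    except metadata.PackageNotFoundError:
        return None
    return version_tuple(installed) >= required


if __name__ == "__main__":
    for name, pat in (("nested", NESTED), ("linear", LINEAR)):
        print(name, [f"n={n}:{t * 1e3:.2f}ms" for n, t in probe(pat)])
        print(name, "catastrophic" if is_catastrophic(pat) else "fine")
    print("sqlparse >= 0.4.4:", sqlparse_is_fixed())
```

Keep the sizes small: at n=20 the nested pattern already needs about half a million backtracking paths, and each extra character doubles that, so a probe that runs to n=30 will appear to hang, which is the denial of service the advisory describes.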
