RHSA-2023:3387: Red Hat Security Advisory: Satellite 6.13.1 Async Security Update
Updated Satellite 6.13 packages that fix important security bugs and several regular bugs are now available for Red Hat Satellite.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-0119: A stored Cross-site scripting vulnerability was found in foreman. The Comment section in the Hosts tab has incorrect filtering of user input data. As a result of the attack, an attacker with an existing account on the system can steal another user’s session, make requests on behalf of the user, and obtain user credentials.
Issued:
2023-05-31
Updated:
2023-05-31
RHSA-2023:3387 - Security Advisory
Synopsis
Moderate: Satellite 6.13.1 Async Security Update
Type/Severity
Security Advisory: Moderate
Topic
Updated Satellite 6.13 packages that fix important security bugs and several regular bugs are now available for Red Hat Satellite.
Description
Red Hat Satellite is a system management solution that allows organizations
to configure and maintain their systems without the necessity to provide
public Internet access to their servers or other client systems. It
performs provisioning and configuration management of predefined standard
operating environments.
Security fix(es):
foreman: Stored cross-site scripting in host tab (CVE-2023-0119)
This update fixes the following bugs:
2190469 - CVE-2023-0119 foreman: Stored cross-site scripting in host tab [rhn_satellite_6.13]
2190460 - Navigating to Capsules page on Satellite WebUI displays error “Pulp plugin missing for synchronizable content types: . Repositories containing these content types will not be synced.” for few seconds
2190470 - Host Detail button landed to old Host UI page
2190472 - wrong metadata if uploaded rpm have different name than name in rpm
2190473 - Getting “NoMethodError undefined method `get_status’ for nil:NilClass” when publishing content view
2190509 - Incremental update of the content view takes long time to complete
2190512 - Error importing repositories with GPG key
2190513 - Satellite showing errata from module streams not installed on client as upgradable/installable when content is imported (not synced)
2191657 - Importing Red Hat Repository Import on Disconnected Red Hat Satellite taking huge time around 5 hours
2191659 - Misleading job status in the new host UI when running jobs in bulk
2196242 - Upgrade to Satellite 6.13 fails on db:seed step with error GraphQL::InvalidNameError: Names must match /^[_a-zA-Z][_a-zA-Z0-9]*$/ but ‘RHEL OpenStack Platform’ does not
2208642 - Support satellite-clone with Ansible running on Python 3.11 in RHEL 8.8
Users of Red Hat Satellite are advised to upgrade to these updated
packages, which fix these bugs.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
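One way to confirm the update landed on a Satellite or Capsule host, as an added example that is not part of Red Hat's advisory: it compares installed builds against the fixed builds named in this advisory's package list. The `rpmvercmp` here is a simplified reimplementation of rpm's ordering (assumes no epoch and no `~` or `^` in versions), and the sample `rpm` output is constructed.

```python
import re

# Fixed builds, copied from this advisory's package list: name -> (version, release).
FIXED = {
    "foreman": ("3.5.1.17", "1.el8sat"),
    "rubygem-katello": ("4.7.0.25", "1.el8sat"),
    "rubygem-dynflow": ("1.6.11", "1.el8sat"),
    "rubygem-foreman_remote_execution": ("8.3.0", "1.el8sat"),
    "rubygem-smart_proxy_ansible": ("3.5.4", "1.el8sat"),
    "python39-pulp-rpm": ("3.18.14", "1.el8pc"),
    "satellite": ("6.13.1", "1.el8sat"),
}

def rpmvercmp(a, b):
    """Segment-wise compare in the style of rpm (simplified: no ~ or ^ handling)."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def audit(rpm_output):
    """Return {package: status} for lines of 'name version release'."""
    result = {}
    for line in rpm_output.strip().splitlines():
        name, version, release = line.split()
        if name not in FIXED:
            continue  # package is not touched by this advisory
        fixed_version, fixed_release = FIXED[name]
        order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
        result[name] = "patched" if order >= 0 else "needs update"
    return result

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'
SAMPLE = """
foreman 3.5.1.14 1.el8sat
rubygem-katello 4.7.0.25 1.el8sat
satellite 6.13.0 2.el8sat
rubygem-dynflow 1.6.11 1.el8sat
bash 4.4.20 4.el8_6
"""

if __name__ == "__main__":
    for pkg, status in audit(SAMPLE).items():
        print(f"{pkg}: {status}")
```

A `foreman` build older than 3.5.1.17-1.el8sat still carries the stored XSS in the host comment field (CVE-2023-0119), so that package is the one to check first.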
Affected Products
- Red Hat Satellite 6.13 x86_64
- Red Hat Enterprise Linux for x86_64 8 x86_64
Fixes
- BZ - 2159104 - CVE-2023-0119 Foreman: Stored cross-site scripting in host tab
- BZ - 2190460 - Navigating to Capsules page on Satellite WebUI displays error “Pulp plugin missing for synchronizable content types: . Repositories containing these content types will not be synced.” for few seconds
- BZ - 2190464 - job invocation shows wrong info after remote execution job (regression from 6.11)
- BZ - 2190470 - Host Detail button landed to old Host UI page
- BZ - 2190472 - wrong metadata if uploaded rpm have different name than name in rpm
- BZ - 2190473 - Getting “NoMethodError undefined method `get_status’ for nil:NilClass” when publishing content view
- BZ - 2190509 - Incremental update of the content view takes long time to complete
- BZ - 2190512 - Error importing repositories with GPG key
- BZ - 2190513 - Satellite showing errata from module streams not installed on client as upgradable/installable when content is imported (not synced)
- BZ - 2191657 - Importing Red Hat Repository Import on Disconnected Red Hat Satellite taking huge time around 5 hours
- BZ - 2191659 - Misleading job status in the new host UI when running jobs in bulk
- BZ - 2196242 - Upgrade to Satellite 6.13 fails on db:seed step with error GraphQL::InvalidNameError: Names must match /^[_a-zA-Z][_a-zA-Z0-9]*$/ but ‘RHEL OpenStack Platform’ does not
- BZ - 2208642 - Support satellite-clone with Ansible running on Python 3.11 in RHEL 8.8
Red Hat Satellite 6.13
SRPM
foreman-3.5.1.17-1.el8sat.src.rpm
python-pulp-rpm-3.18.14-1.el8pc.src.rpm
rubygem-dynflow-1.6.11-1.el8sat.src.rpm
rubygem-foreman_remote_execution-8.3.0-1.el8sat.src.rpm
rubygem-katello-4.7.0.25-1.el8sat.src.rpm
rubygem-smart_proxy_ansible-3.5.4-1.el8sat.src.rpm
satellite-6.13.1-1.el8sat.src.rpm
x86_64
foreman-3.5.1.17-1.el8sat.noarch.rpm
foreman-cli-3.5.1.17-1.el8sat.noarch.rpm
foreman-debug-3.5.1.17-1.el8sat.noarch.rpm
foreman-dynflow-sidekiq-3.5.1.17-1.el8sat.noarch.rpm
foreman-ec2-3.5.1.17-1.el8sat.noarch.rpm
foreman-journald-3.5.1.17-1.el8sat.noarch.rpm
foreman-libvirt-3.5.1.17-1.el8sat.noarch.rpm
foreman-openstack-3.5.1.17-1.el8sat.noarch.rpm
foreman-ovirt-3.5.1.17-1.el8sat.noarch.rpm
foreman-postgresql-3.5.1.17-1.el8sat.noarch.rpm
foreman-service-3.5.1.17-1.el8sat.noarch.rpm
foreman-telemetry-3.5.1.17-1.el8sat.noarch.rpm
foreman-vmware-3.5.1.17-1.el8sat.noarch.rpm
python39-pulp-rpm-3.18.14-1.el8pc.noarch.rpm
rubygem-dynflow-1.6.11-1.el8sat.noarch.rpm
rubygem-foreman_remote_execution-8.3.0-1.el8sat.noarch.rpm
rubygem-foreman_remote_execution-cockpit-8.3.0-1.el8sat.noarch.rpm
rubygem-katello-4.7.0.25-1.el8sat.noarch.rpm
rubygem-smart_proxy_ansible-3.5.4-1.el8sat.noarch.rpm
satellite-6.13.1-1.el8sat.noarch.rpm
satellite-cli-6.13.1-1.el8sat.noarch.rpm
satellite-common-6.13.1-1.el8sat.noarch.rpm
Red Hat Satellite Capsule 6.13
SRPM
foreman-3.5.1.17-1.el8sat.src.rpm
python-pulp-rpm-3.18.14-1.el8pc.src.rpm
rubygem-dynflow-1.6.11-1.el8sat.src.rpm
rubygem-smart_proxy_ansible-3.5.4-1.el8sat.src.rpm
satellite-6.13.1-1.el8sat.src.rpm
x86_64
Red Hat Enterprise Linux for x86_64 8
SRPM
foreman-3.5.1.17-1.el8sat.src.rpm
satellite-6.13.1-1.el8sat.src.rpm
satellite-clone-3.3.0-2.el8sat.src.rpm
x86_64
foreman-cli-3.5.1.17-1.el8sat.noarch.rpm
satellite-cli-6.13.1-1.el8sat.noarch.rpm
satellite-clone-3.3.0-2.el8sat.noarch.rpm
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.