Headline
RHSA-2022:8532: Red Hat Security Advisory: Satellite 6.9.10 Async Security Update
Updated Satellite 6.9 packages that fix several bugs are now available for Red Hat Satellite.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-24790: puma-5.6.4: http request smuggling vulnerabilities
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2022-11-17
Updated:
2022-11-17
RHSA-2022:8532 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: Satellite 6.9.10 Async Security Update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
Updated Satellite 6.9 packages that fix several bugs are now available for Red Hat Satellite.
Description
Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.
Security Fix(es):
- tfm-rubygem-puma: http request smuggling vulnerabilities (CVE-2022-24790)
This update fixes the following bugs:
- 2038995: When executing the content migration (pre-upgrade process), there is a PG query created by pulp that will be sitting forever
- 2074099: The errata migration continues to fail with “pymongo.errors.DocumentTooLarge: BSON document too large” error even after upgrading to Satellite 6.9.8
- 2081560: ForeignKeyViolation Error with docker_meta_tags
- 2091438: Use of content.count() in app/models/repository.py seems to hit an error
- 2093829: ‘foreman-maintain content migration-stats’ command stucks and consume all memory
- 2098221: Pulp 3 migration stats timing is too low for very large deployments
- 2141348: It appears that the egg is downloaded every time
Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.
Affected Products
- Red Hat Satellite 6.9 x86_64
- Red Hat Satellite Capsule 6.9 x86_64
Fixes
- BZ - 2038995 - When executing the content migration (pre-upgrade process), there is a PG query created by pulp that will be sitting forever
- BZ - 2071616 - CVE-2022-24790 puma-5.6.4: http request smuggling vulnerabilities
- BZ - 2074099 - The errata migration continues to fail with “pymongo.errors.DocumentTooLarge: BSON document too large” error even after upgrading to Satellite 6.9.8
- BZ - 2081560 - ForeignKeyViolation Error with docker_meta_tags
- BZ - 2091438 - Use of content.count() in app/models/repository.py seems to hit an error
- BZ - 2093829 - ‘foreman-maintain content migration-stats’ command stucks and consume all memory
- BZ - 2098221 - Pulp 3 migration stats timing is too low for very large deployments
- BZ - 2141348 - It appears that the egg is downloaded every time
Red Hat Satellite 6.9
SRPM
python-pulp_2to3_migration-0.11.13-1.el7pc.src.rpm
SHA-256: 9ce535cc7b1546e7b4e6f1ddd4ac8e980e84fe135f7d091c38842bc3f18a52c1
satellite-6.9.10-1.el7sat.src.rpm
SHA-256: 29359c192d42a76bdb585641523d39a9d568639987fabaf8ad3b00510d571cc3
tfm-rubygem-foreman_rh_cloud-3.0.33-1.el7sat.src.rpm
SHA-256: 83cdd2ffe49872cffba1120e3696f271bc31d31332a37ab75a2a6a37e300d392
tfm-rubygem-katello-3.18.1.55-1.el7sat.src.rpm
SHA-256: f4683743c5afa0628146b3ef5bafc3d053712bb5cc60eb44954d97798de9a8ca
tfm-rubygem-puma-4.3.12-1.el7sat.src.rpm
SHA-256: e76f3c8f841ae13ca6da4d078859b8d0952cbf2b9e3e36d2a15a8bd492814f2c
x86_64
python3-pulp-2to3-migration-0.11.13-1.el7pc.noarch.rpm
SHA-256: 039fc3cc16ea94c33136934d0038187046fe005100a09a9d5e9b594a8b3d4138
satellite-6.9.10-1.el7sat.noarch.rpm
SHA-256: 9c5faf26a1501e74eb821ce5666f4d4fa8ab3784d7cb2ea655c44d0101b7ce19
satellite-cli-6.9.10-1.el7sat.noarch.rpm
SHA-256: 8443d7627f033588401bf907d54cd5c22d616fec5522807fccc7d276dff7a94d
satellite-common-6.9.10-1.el7sat.noarch.rpm
SHA-256: 60e2738293179ed76e19a9ead8cf12de0e21477400b9cc1e0b6544f76dbdedbe
satellite-debug-tools-6.9.10-1.el7sat.noarch.rpm
SHA-256: 6890c8b3768214a14fb3b7149d44de92c3e42b17d407ae68ba06dfa2a732efd6
tfm-rubygem-foreman_rh_cloud-3.0.33-1.el7sat.noarch.rpm
SHA-256: 5482be5ec32e61b40a82277cc026c17d98bbb0a00d03198f0e9f0e486a924958
tfm-rubygem-katello-3.18.1.55-1.el7sat.noarch.rpm
SHA-256: 2df88ee0bdbd8cd48c794fe6024c2b84fe9fc7169090c128ff9dfd3e3b01c60f
tfm-rubygem-puma-4.3.12-1.el7sat.x86_64.rpm
SHA-256: caed91e3c2ccccac7b0259c6ae53814329cb02b8bf534085c73eaab313a08483
tfm-rubygem-puma-debuginfo-4.3.12-1.el7sat.x86_64.rpm
SHA-256: 3d05853c5aa89c910e07d45560d87feeb281327e7d42a5652653823ec4396856
Red Hat Satellite Capsule 6.9
SRPM
satellite-6.9.10-1.el7sat.src.rpm
SHA-256: 29359c192d42a76bdb585641523d39a9d568639987fabaf8ad3b00510d571cc3
x86_64
satellite-capsule-6.9.10-1.el7sat.noarch.rpm
SHA-256: e32d9eae49acd87f545ca3510d1d7775806b6b47a238528e1e2b19b6ef438329
satellite-common-6.9.10-1.el7sat.noarch.rpm
SHA-256: 60e2738293179ed76e19a9ead8cf12de0e21477400b9cc1e0b6544f76dbdedbe
satellite-debug-tools-6.9.10-1.el7sat.noarch.rpm
SHA-256: 6890c8b3768214a14fb3b7149d44de92c3e42b17d407ae68ba06dfa2a732efd6
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Ubuntu Security Notice 6682-1 - ZeddYu Lu discovered that Puma incorrectly handled parsing certain headers. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. This issue only affected Ubuntu 20.04 LTS. It was discovered that Puma incorrectly handled parsing certain headers. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. This issue only affected Ubuntu 20.04 LTS.
Red Hat Security Advisory 2023-1486-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include HTTP request smuggling, code execution, and denial of service vulnerabilities.
Red Hat Security Advisory 2022-8532-01 - Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments. Issues addressed include a HTTP request smuggling vulnerability.
Gentoo Linux Security Advisory 202208-28 - Multiple vulnerabilities have been discovered in Puma, the worst of which could result in denial of service. Versions less than 5.6.4 are affected.
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.