Security
Headlines
HeadlinesLatestCVEs

Headline

RHSA-2023:4591: Red Hat Security Advisory: RHUI 4.5.0 release - Security, Bug Fixes, and Enhancements

An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.5 fixes several security and operational bugs and also adds several new features.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-30608: A flaw was found in sqlparse. The SQL parser contains a regular expression vulnerable to a Regular Expression Denial of Service (ReDoS). The vulnerability may lead to a denial of service (DoS).
  • CVE-2023-31047: A bypass of validation flaw was found in python-django. When uploading multiple files using one form field, an attacker could upload multiple files without validation due to the server only validating the last file uploaded.
Red Hat Security Data
#sql#vulnerability#web#mac#linux#red_hat#dos#nodejs#js#kubernetes#aws#rpm

Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat CodeReady Workspaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Quarkus

Integration and Automation

All Products

Issued:

2023-08-09

Updated:

2023-08-09

RHSA-2023:4591 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Moderate: RHUI 4.5.0 release - Security, Bug Fixes, and Enhancements

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.5 fixes several security and operational bugs and also adds several new features.

Description

Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux (RHEL) instances.

Security Fix(es):

  • Django: Potential bypass of validation when uploading multiple files using a single form field (CVE-2023-31047)
  • sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service) (CVE-2023-30608)

This RHUI update fixes the following bugs:

  • Previously, the `rhui-manager` command used the `logname` command to obtain the login name. However, when `rhui-manager` is run using the `rhui-repo-sync` cron job, a login name is not defined. Consequently, emails sent by the cron job contained the error message `logname: no login name`. With this update, `rhui-manager` does not obtain the login name using the `logname` command and the error message is no longer generated.
  • Previously, when an invalid repository ID was used with the `rhui-manager` command to synchronize or delete a repository, the command failed with following error:

`An unexpected error has occurred during the last operation.`
Additionally, a traceback was also logged.
With this update, the error message has been improved and failure to run no longer logs a traceback.

This RHUI update introduces the following enhancements:

  • With this update, the client configuration RPMs in `rhui-manager` prevent subscription manager from automatically enabling `yum` plugins. As a result, RHUI repository users will no longer see irrelevant messages from subscription manager. (BZ#1957871)
  • With this update, you can generate machine-readable files with the status of each RHUI repository. To use this feature, run the following command:

`rhui-manager --non-interactive status --repo_json <output file>`
(BZ#2079391)

  • With this update, the `rhui-manager` CLI command uses a variety of unique exit codes to indicate different types of errors. For example, if you attempt to add a Red Hat repository that has already been added, the command will exit with a status of 245. However, if you attempt to add a Red Hat repository that does not exist in the RHUI entitlement, the command will exit with a status of 246. For a complete list of codes, see the `/usr/lib/python3.6/site-packages/rhui/common/rhui_exit_codes.py` file.

Affected Products

  • Red Hat Update Infrastructure 4 x86_64

Fixes

  • BZ - 1957871 - [RFE} Client rpms created in RHUI don’t prevent auto-enable of subscription manager plugins
  • BZ - 2079391 - Feature request to provide sync/repo status of each repo in a JSON file for automated monitoring
  • BZ - 2187903 - CVE-2023-30608 sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service)
  • BZ - 2192565 - CVE-2023-31047 python-django: Potential bypass of validation when uploading multiple files using one form field
  • RHUI-217 - [RFE] Client rpms created in RHUI don’t prevent auto-enable of subscription manager plugins
  • RHUI-263 - [RFE] Bug 2079391 - Feature request to provide sync/repo status of each repo in a JSON file for automated monitoring
  • RHUI-356 - “logname: no login name” appears, twice, in e-mails sent by the rhui-repo-sync cron job
  • RHUI-395 - Change error reporting of rhui-manager to be configurable
  • RHUI-424 - repo deletion for an un-added repo results in a traceback
  • RHUI-75 - repo sync for an un-added repo results in a traceback
  • RHUI-430 - Installation fails on RHEL 8.9

Red Hat Update Infrastructure 4

SRPM

python-django-3.2.19-1.0.1.el8ui.src.rpm

SHA-256: ba79e2dbecce056295b67151047bc240633b0e34d910db454ef23b955c20a35d

python-sqlparse-0.4.4-1.0.1.el8ui.src.rpm

SHA-256: 7556563b06379b18838c45768ca6929b067229139251754fe2367f6c920ae890

rhui-installer-4.5.0.1-1.el8ui.src.rpm

SHA-256: 7f5cddf8a344cbded353b2cc41c043074a6c31a5ec1faab1f855f07012b29e07

rhui-tools-4.5.0.5-1.el8ui.src.rpm

SHA-256: 7ca5ddfbb65cd9cbbff949dad7fcc685beca97f6e4484a26915fa9566ec8710f

x86_64

python39-django-3.2.19-1.0.1.el8ui.noarch.rpm

SHA-256: 0f47a09c5c143fd6aca1624724762ddddba43aa2cad2a73113912915841c4507

python39-sqlparse-0.4.4-1.0.1.el8ui.noarch.rpm

SHA-256: e8f958c9fab6fa858cebd318d9b22042dd99eb9c7676e55a74e465fb2c1c60ab

rhui-installer-4.5.0.1-1.el8ui.noarch.rpm

SHA-256: 1cebb10c7abc7fe48c77b921fb409aca0645ea6187b88c2c72ca19643ec67b85

rhui-tools-4.5.0.5-1.el8ui.noarch.rpm

SHA-256: a6b3bdff481aa047dc770e8c7d6dd6409884efe1575d4d983bf5c5ef33ff5b4f

rhui-tools-libs-4.5.0.5-1.el8ui.noarch.rpm

SHA-256: b63de417479fc957aebae15effdc4ed60fa8478ae4752021370459a4af4be82a

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Red Hat Security Advisory 2023-5931-01

Red Hat Security Advisory 2023-5931-01 - Updated Satellite 6.13 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include code execution and denial of service vulnerabilities.

Red Hat Security Advisory 2023-4591-01

Red Hat Security Advisory 2023-4591-01 - Red Hat Update Infrastructure offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux instances. Issues addressed include bypass and denial of service vulnerabilities.

Debian Security Advisory 5465-1

Debian Linux Security Advisory 5465-1 - Seokchan Yoon discovered that missing sanitising in the email and URL validators of Django, a Python web development framework, could result in denial of service.

CVE-2023-32686: Kiwi TCMS 12.3

Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded. The upload validation checks were not robust enough which left the possibility of an attacker to circumvent them and upload a potentially dangerous file. Exploiting this flaw, a combination of files could be uploaded so that they work together to circumvent the existing Content-Security-Policy and allow execution of arbitrary JavaScript in the browser. This issue has been patched in version 12.3.

Ubuntu Security Notice USN-6054-2

Ubuntu Security Notice 6054-2 - USN-6054-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Moataz Al-Sharida and nawaik discovered that Django incorrectly handled uploading multiple files using one form field. A remote attacker could possibly use this issue to bypass certain validations.

Ubuntu Security Notice USN-6064-1

Ubuntu Security Notice 6064-1 - It was discovered that SQL parse incorrectly handled certain regular expression. An attacker could possibly use this issue to cause a denial of service.

GHSA-r3xc-prgr-mg9p: Django bypasses validation when using one form field to upload multiple files

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.

CVE-2023-31047: Django security releases issued: 4.2.1, 4.1.9, and 3.2.19

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.

Ubuntu Security Notice USN-6054-1

Ubuntu Security Notice 6054-1 - Moataz Al-Sharida and nawaik discovered that Django incorrectly handled uploading multiple files using one form field. A remote attacker could possibly use this issue to bypass certain validations.

GHSA-rrm6-wvj7-cwh2: sqlparse contains a regular expression that is vulnerable to Regular Expression Denial of Service

### Impact The SQL parser contains a regular expression that is vulnerable to [ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) (Regular Expression Denial of Service). The vulnerability may lead to Denial of Service (DoS). ### Patches This issues has been fixed in sqlparse 0.4.4. ### Workarounds None. ### References This issue was discovered and reported by GHSL team member [@erik-krogh (Erik Krogh Kristensen)](https://github.com/erik-krogh). - Commit that introduced the vulnerability: e75e35869473832a1eb67772b1adfee2db11b85a

CVE-2023-30608: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service)

sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.