
RLSA-2023:6818

Security Mirrored from RHSA-2023:6818
Issued at: 2023-11-11
Updated at: 2023-11-11

Synopsis

Important: Satellite 6.14 security and bug fix update



Description

Rocky Enterprise Software Foundation Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* GitPython: Insecure non-multi options in clone and clone_from is not blocked (CVE-2023-40267)

* kubeclient: kubeconfig parsing error can lead to MITM attacks (CVE-2022-0759)

* foreman: OS command injection via ct_command and fcct_command (CVE-2022-3874)

* ruby-git: code injection vulnerability (CVE-2022-46648)

* ruby-git: code injection vulnerability (CVE-2022-47318)

* Foreman: Arbitrary code execution through templates (CVE-2023-0118)

* rubygem-activerecord: SQL Injection (CVE-2023-22794)

* openssl: c_rehash script allows command injection (CVE-2022-1292)

* openssl: the c_rehash script allows command injection (CVE-2022-2068)

* Pulp: Tokens stored in plaintext (CVE-2022-3644)

* satellite: Blind SSRF via Referer header (CVE-2022-4130)

* python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious web server (CVE-2022-40899)

* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

* rubygem-activerecord: Denial of Service (CVE-2022-44566)

* rubygem-rack: denial of service in Content-Disposition parsing (CVE-2022-44570)

* rubygem-rack: denial of service in Content-Disposition parsing (CVE-2022-44571)

* rubygem-rack: denial of service in Content-Disposition parsing (CVE-2022-44572)

* Foreman: Stored cross-site scripting in host tab (CVE-2023-0119)

* puppet: Puppet Server ReDoS (CVE-2023-1894)

* rubygem-actionpack: Denial of Service in Action Dispatch (CVE-2023-22792)

* rubygem-actionpack: Denial of Service in Action Dispatch (CVE-2023-22795)

* rubygem-activesupport: Regular Expression Denial of Service (CVE-2023-22796)

* rubygem-globalid: ReDoS vulnerability (CVE-2023-22799)

* rubygem-rack: Denial of service in Multipart MIME parsing (CVE-2023-27530)

* rubygem-rack: denial of service in header parsing (CVE-2023-27539)

* golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)

* sqlparse: Parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service) (CVE-2023-30608)

* python-django: Potential bypass of validation when uploading multiple files using one form field (CVE-2023-31047)

* python-requests: Unintended leak of Proxy-Authorization header (CVE-2023-32681)

* python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator (CVE-2023-36053)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.



Affected products

Rocky Linux 8 x86_64

Fixes

1265120 1726504 1735722 1813953 1859112 1872414 1885552 1904201 1922972 1925532 1944710 1947095 1949960 1950836 1955046 1967030 1972308 1980277 1992283 1995783 2000215 2002202 2009069 2013759 2043089 2044537 2053421 2055790 2058404 2060613 2069324 2069666 2073535 2077081 2077633 2080386 2081494 2081777 2082001 2088559 2090620 2094301 2096942 2097310 2103424 2105676 2106473 2116369 2117760 2122872 2123306 2124658 2125366 2127134 2129432 2130173 2130871 2131990 2134436 2135215 2135498 2135722 2138172 2140577 2140636 2143051 2143290 2145254 2152951 2154917 2156522 2158510 2158526 2158702 2158780 2159104 2159105 2159291 2159672 2159839 2161209 2161274 2161993 2164359 2164400 2164714 2164719 2164722 2164730 2164736 2164785 2164789 2164799 2164800 2165107 2165866 2165906 2166404 2166435 2166466 2166640 2167097 2167146 2167371 2167396 2168414 2169322 2169385 2169682 2169847 2170125 2170127 2170485 2170535 2170917 2171180 2172355 2172564 2173159 2173199 2173535 2173671 2173692 2173757 2174367 2174912 2176214 2176368 2176477 2176870 2178133 2178176 2178307 2178645 2178734 2178775 2179574 2179649 2179721 2179725 2180490 2180760 2180865 2180954 2181226 2181254 2181602 2182353 2183172 2183357 2184278 2186713 2186765 2187599 2187613 2187903 2187967 2188504 2188721 2192565 2192583 2192841 2193088 2193451 2196076 2196085 2196436 2196540 2196775 2203093 2203183 2207782 2208161 2208535 2209037 2209469 2209938 2210284 2210297 2211210 2211394 2211437 2211484 2211502 2211711 2211966 2212148 2212523 2212630 2212740 2212756 2212812 2212996 2213088 2213128 2213190 2213246 2213281 2213486 2213515 2213579 2213582 2213768 2213777 2213804 2214261 2214272 2214274 2214290 2214578 2215081 2215093 2215238 2215294 2215426 2215954 2215986 2216194 2216461 2216564 2216757 2216907 2217942 2218004 2218307 2218625 2218878 2218930 2218932 2219648 2220965 2220969 2220978 2221291 2221407 2221621 2221983 2222167 2222444 2222446 2222447 2222705 2222839 2222890 2222907 2222979 2223048 2223050 2223618 2223707 2223891 2223996 2224031 2224113 2224334 2224494 2224498 2225090 2225141 2225333 2225383 2225402 2225406 2225409 2226950 2227028 2227093 2227271 2227338 2228287 2229788 2229897 2230584 2230934 2231363 2231474 2232370 2232775 2234444 2235231 2236685 2239115 2242803 2243296 2245056 2245930

CVEs

CVE-2022-0759 CVE-2022-1292 CVE-2022-2068 CVE-2022-3644 CVE-2022-3874 CVE-2022-40899 CVE-2022-4130 CVE-2022-41717 CVE-2022-44566 CVE-2022-44570 CVE-2022-44571 CVE-2022-44572 CVE-2022-46648 CVE-2022-47318 CVE-2023-0118 CVE-2023-0119 CVE-2023-1894 CVE-2023-22792 CVE-2023-22794 CVE-2023-22795 CVE-2023-22796 CVE-2023-22799 CVE-2023-27530 CVE-2023-27539 CVE-2023-29406 CVE-2023-30608 CVE-2023-31047 CVE-2023-32681 CVE-2023-36053 CVE-2023-39325 CVE-2023-40267 CVE-2023-44487

Affected packages

Rocky Linux 8 x86_64 - PowerTools

libdb-cxx-0:5.3.28-42.el8_4.x86_64.rpm
libdb-cxx-debuginfo-0:5.3.28-42.el8_4.x86_64.rpm
libdb-sql-debuginfo-0:5.3.28-42.el8_4.x86_64.rpm
libdb-sql-devel-debuginfo-0:5.3.28-42.el8_4.x86_64.rpm

Rocky Linux 8 x86_64 - BaseOS

libdb-debuginfo-0:5.3.28-42.el8_4.x86_64.rpm
libdb-debugsource-0:5.3.28-42.el8_4.x86_64.rpm
libdb-utils-debuginfo-0:5.3.28-42.el8_4.x86_64.rpm
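The practical question an administrator has for an advisory like this one is whether an installed build is older than the build listed above. The following is an added example, not part of the advisory or of Rocky Linux's tooling: it re-implements RPM's version comparison (the rpmvercmp algorithm, including the "~" and "^" separators) in pure Python and compares a constructed sample of installed NEVRAs against the packages listed in this advisory. It assumes, as these advisory pages do, that the NEVRAs under "Affected packages" are the fixed builds; the installed-package sample is constructed for illustration and is not data from any real host.

```python
"""Compare installed RPM NEVRAs against the fixed builds listed in RLSA-2023:6818.

Added example, not advisory or project code. Implements rpmvercmp in pure
Python so the check runs without librpm; the installed sample below is
constructed, not taken from a real host.
"""
import string

# NEVRAs copied from the "Affected packages" section of this advisory.
ADVISORY_PACKAGES = [
    "libdb-cxx-0:5.3.28-42.el8_4.x86_64.rpm",
    "libdb-cxx-debuginfo-0:5.3.28-42.el8_4.x86_64.rpm",
    "libdb-sql-debuginfo-0:5.3.28-42.el8_4.x86_64.rpm",
    "libdb-sql-devel-debuginfo-0:5.3.28-42.el8_4.x86_64.rpm",
    "libdb-debuginfo-0:5.3.28-42.el8_4.x86_64.rpm",
    "libdb-debugsource-0:5.3.28-42.el8_4.x86_64.rpm",
    "libdb-utils-debuginfo-0:5.3.28-42.el8_4.x86_64.rpm",
]

# Constructed sample of what `rpm -qa` might print on a hypothetical host.
INSTALLED_SAMPLE = [
    "libdb-cxx-5.3.28-39.el8.x86_64",                # older release: still affected
    "libdb-utils-debuginfo-5.3.28-42.el8_4.x86_64",  # same build: fixed
    "libdb-debugsource-5.3.28-42.el8_5.x86_64",      # hypothetical newer build: fixed
    "bash-4.4.20-4.el8_6.x86_64",                    # not covered by this advisory
]

DIGITS = set(string.digits)
ALPHA = set(string.ascii_letters)


def parse_nevra(nevra):
    """Split 'name-[epoch:]version-release.arch[.rpm]' into its fields."""
    if nevra.endswith(".rpm"):
        nevra = nevra[:-4]
    rest, arch = nevra.rsplit(".", 1)
    rest, release = rest.rsplit("-", 1)
    name, ev = rest.rsplit("-", 1)
    epoch, version = ev.split(":", 1) if ":" in ev else ("0", ev)
    return name, int(epoch), version, release, arch


def rpmvercmp(a, b):
    """RPM's segment-wise version comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separator characters; '~' and '^' are significant and kept.
        while i < len(a) and a[i] not in DIGITS | ALPHA and a[i] not in "~^":
            i += 1
        while j < len(b) and b[j] not in DIGITS | ALPHA and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":            # tilde sorts before everything
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":            # caret: like tilde, but base version is lower
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Grab one completely numeric or completely alphabetic segment from each side.
        isnum = ca in DIGITS
        charset = DIGITS if isnum else ALPHA
        si, sj = i, j
        while i < len(a) and a[i] in charset:
            i += 1
        while j < len(b) and b[j] in charset:
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                          # type mismatch: numeric always wins
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):      # more digits means a bigger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1           # whoever has characters left wins


def compare_evr(x, y):
    """Compare (epoch, version, release) tuples the way rpm does."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def affected_packages(installed, advisory=ADVISORY_PACKAGES):
    """Return installed NEVRAs whose build is older than the advisory's fixed build."""
    fixed = {}
    for pkg in advisory:
        name, epoch, ver, rel, arch = parse_nevra(pkg)
        fixed[(name, arch)] = (epoch, ver, rel)
    result = []
    for pkg in installed:
        name, epoch, ver, rel, arch = parse_nevra(pkg)
        target = fixed.get((name, arch))
        if target is not None and compare_evr((epoch, ver, rel), target) < 0:
            result.append(pkg)
    return result


if __name__ == "__main__":
    for pkg in affected_packages(INSTALLED_SAMPLE):
        print("still affected:", pkg)
```

On a real Rocky Linux 8 host the installed list would come from `rpm -qa --qf '%{NAME}-%{EPOCHNUM}:%{VERSION}-%{RELEASE}.%{ARCH}\n'` (EPOCHNUM prints 0 when a package has no epoch), read into the `installed` argument instead of the constructed sample. The comparison deliberately matches on name and architecture, so a package that is not listed in the advisory is never reported, and an installed build newer than the listed one is treated as fixed.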