The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1536.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff




====================================================================
Red Hat Security Advisory

Synopsis:           Moderate: Satellite 6.14.3 Async Security Update
Advisory ID:        RHSA-2024:1536-03
Product:            Red Hat Satellite 6
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1536
Issue date:         2024-03-27
Revision:           03
CVE Names:          CVE-2023-5189
====================================================================

Summary: 

An update is now available for Red Hat Satellite 6.14 for RHEL 8.

Red Hat Product Security has rated this update as having a security impact
of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.




Description:

Red Hat Satellite is a system management solution that allows organizations
to configure and maintain their systems without the necessity to provide
public Internet access to their servers or other client systems. It
performs provisioning and configuration management of predefined standard
operating environments.
Security Fix(es):

* automation-hub: Ansible Automation Hub: insecure galaxy-importer tarfile extraction (CVE-2023-5189)
* python-aiohttp: aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
* python-aiohttp: http request smuggling (CVE-2024-23829)
* python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)
* python-aiohttp: aiohttp: HTTP request modification (CVE-2023-49081)
* python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)
* python-jinja2: jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

Bug Fix(es):
2266107 - hammer host list does not print parameters even if they are present in the fields list like LCE and CVs.
2266110 - Incremental update of *multiple* CVs with same repo of different content generates wrong katello content
2266139 - Failed incremental CV import shows error: duplicate key value violates unique constraint \"rpm_updatecollectionname_name_update_record_id_6ef33bed_uniq\"
2266140 - wrong links to provisioning guide in CR help
2266142 - When using the customer data (json) with 13 diff conf files, we can see some weird behavior when updating the hypervisors
2266144 - Promoting a composite content view to environment with registry name as \"<%= lifecycle_environment.label %>/<%= repository.name %>\" on Red Hat Satellite 6 fails with \"'undefined method '#label' for NilClass::Jail (NilClass)'\"
2266145 - CertificateCleanupJob fails with foreign key constraint violation on table cp_certificate
2266146 - katello:reimport fails with \"TypeError: no implicit conversion of String into Integer\" when there are product contents to move
2266147 - Postgresql logs contain PG::UniqueViolation: ERROR: duplicate key value violates unique constraint \"katello_available_module_streams_name_stream_context\"
2266148 - Adding a CV to a CCV lists CV versions disorderly
2266149 - 'Remove orphans' task fails on DeleteOrphanAlternateContentSources step
2266413 - [RFE] \"Add content view\" window and \"Update version\" window should display content view version, description and publishing date 
2266113 - [RFE] To make customers aware about satellite versions going EOL by adding warning banner on the Login page or on the Dashboard page.
2266141 - wrong link to scap content documentation 
Users of Red Hat Satellite are advised to upgrade to these updated
packages, which fix these bugs.


Solution:

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html/upgrading_and_updating_red_hat_satellite/index



CVEs:

CVE-2023-5189

References:

https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html/upgrading_and_updating_red_hat_satellite/index
https://bugzilla.redhat.com/show_bug.cgi?id=2234387
https://bugzilla.redhat.com/show_bug.cgi?id=2241046
https://bugzilla.redhat.com/show_bug.cgi?id=2249825
https://bugzilla.redhat.com/show_bug.cgi?id=2252235
https://bugzilla.redhat.com/show_bug.cgi?id=2257854
https://bugzilla.redhat.com/show_bug.cgi?id=2261887
https://bugzilla.redhat.com/show_bug.cgi?id=2261909
https://bugzilla.redhat.com/show_bug.cgi?id=2266107
https://bugzilla.redhat.com/show_bug.cgi?id=2266110
https://bugzilla.redhat.com/show_bug.cgi?id=2266113
https://bugzilla.redhat.com/show_bug.cgi?id=2266139
https://bugzilla.redhat.com/show_bug.cgi?id=2266140
https://bugzilla.redhat.com/show_bug.cgi?id=2266141
https://bugzilla.redhat.com/show_bug.cgi?id=2266142
https://bugzilla.redhat.com/show_bug.cgi?id=2266144
https://bugzilla.redhat.com/show_bug.cgi?id=2266145
https://bugzilla.redhat.com/show_bug.cgi?id=2266146
https://bugzilla.redhat.com/show_bug.cgi?id=2266147
https://bugzilla.redhat.com/show_bug.cgi?id=2266148
https://bugzilla.redhat.com/show_bug.cgi?id=2266149
https://bugzilla.redhat.com/show_bug.cgi?id=2266413