Lucene search

K
redhatRedHatRHSA-2023:2097
HistoryMay 03, 2023 - 1:09 p.m.

(RHSA-2023:2097) Important: Satellite 6.13 Release

2023-05-0313:09:51
access.redhat.com
116
red hat satellite
linux-based infrastructure
cve-2022-1471
puppetserver
cve-2022-23514
cve-2022-23515
cve-2022-32224
cve-2022-33980
cve-2022-41323
cve-2022-42003
cve-2023-23969
cve-2023-24580
security fixes
enhancements
documentation.

0.972 High

EPSS

Percentile

99.8%

Red Hat Satellite is a systems management tool for Linux-based
infrastructure. It allows for provisioning, remote management, and
monitoring of multiple Linux deployments with a single centralized tool.

Security Fix(es):

  • CVE-2022-1471 CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751 CVE-2022-38752 candlepin and puppetserver: various flaws
  • CVE-2022-22577 tfm-rubygem-actionpack: rubygem-actionpack: Possible cross-site scripting vulnerability in Action Pack
  • CVE-2022-23514 rubygem-loofah: inefficient regular expression leading to denial of service
  • CVE-2022-23515 rubygem-loofah: rubygem-loofah: Improper neutralization of data URIs leading to Cross Site Scripting
  • CVE-2022-23516 rubygem-loofah: Uncontrolled Recursion leading to denial of service
  • CVE-2022-23517 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Inefficient Regular Expression leading to denial of service
  • CVE-2022-23518 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Improper neutralization of data URIs leading to Cross site scripting
  • CVE-2022-23519 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Cross site scripting vulnerability with certain configurations
  • CVE-2022-23520 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Cross site scripting vulnerability with certain configurations
  • CVE-2022-27777 tfm-rubygem-actionview: Possible cross-site scripting vulnerability in Action View tag helpers
  • CVE-2022-31163 rubygem-tzinfo: rubygem-tzinfo: arbitrary code execution
  • CVE-2022-32224 tfm-rubygem-activerecord: activerecord: Possible RCE escalation bug with Serialized Columns in Active Record
  • CVE-2022-33980 candlepin: apache-commons-configuration2: Apache Commons Configuration insecure interpolation defaults
  • CVE-2022-41323 satellite-capsule:el8/python-django: Potential denial-of-service vulnerability in internationalized URLs
  • CVE-2022-41946 candlepin: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions
  • CVE-2022-42003 CVE-2022-42004 candlepin: various flaws
  • CVE-2022-42889 candlepin: apache-commons-text: variable interpolation RCE
  • CVE-2022-23514 rubygem-loofah: inefficient regular expression leading to denial of service
  • CVE-2023-23969 python-django: Potential denial-of-service via Accept-Language headers
  • CVE-2023-24580 python-django: Potential denial-of-service vulnerability in file uploads

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

The items above are not a complete list of changes. This update also fixes
several bugs and adds various enhancements. Documentation for these changes
is available from the Release Notes document.