Red Hat: RHSA-2023:4591
History: Aug 09, 2023 - 2:15 p.m.

(RHSA-2023:4591) Moderate: RHUI 4.5.0 release - Security, Bug Fixes, and Enhancements

CWE-1333
access.redhat.com
red hat update infrastructure
highly scalable
highly redundant
content management
cloud providers
security fixes
bug fixes
django
sqlparse
rhui manager
repository synchronization
enhancement
subscription manager
unique exit codes
machine-readable files

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.004
Percentile: 73.7%

Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux (RHEL) instances.

Security Fix(es):

  • Django: Potential bypass of validation when uploading multiple files using a single form field (CVE-2023-31047)

  • sqlparse: Parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service) (CVE-2023-30608)

This RHUI update fixes the following bugs:

  • Previously, the rhui-manager command used the logname command to obtain the login name. However, when rhui-manager is run by the rhui-repo-sync cron job, no login name is defined. Consequently, emails sent by the cron job contained the error message "logname: no login name". With this update, rhui-manager no longer obtains the login name using the logname command, and the error message is no longer generated.

  • Previously, when an invalid repository ID was used with the rhui-manager command to synchronize or delete a repository, the command failed with the following error:
    An unexpected error has occurred during the last operation.
    Additionally, a traceback was logged.
    With this update, the error message has been improved and the failure no longer logs a traceback.
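The logname fix above describes the symptom (logname(1) has no login session to read when invoked from cron) but not the replacement lookup. The following is an added example, not RHUI code, of a login-name resolution that does not depend on a controlling terminal: environment first, then the passwd entry for the real uid, then a synthetic fallback. The fallback order and the uidNNN placeholder are this example's own choices.

```python
"""Resolve the invoking user's name without depending on a login session.

Added example, not RHUI code: the advisory says rhui-manager stopped calling
logname(1) but not what it uses instead; the chain below is one reasonable
replacement (assumption). logname(1) answers from the login session record,
which a cron job does not have, hence "logname: no login name".
"""
import os
import pwd
import subprocess


def login_name_via_logname() -> tuple:
    """The old approach: shell out to logname(1). Returns (returncode, stdout, stderr)."""
    try:
        proc = subprocess.run(["logname"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return (127, "", "logname: command not found")
    return (proc.returncode, proc.stdout.strip(), proc.stderr.strip())


def resolve_login_name(env=None, uid=None) -> str:
    """Return a usable account name in any context, including cron.

    Order: LOGNAME/USER from the environment (cron sets LOGNAME to the job owner),
    then the passwd entry for the real uid, then a synthetic uidNNN string so the
    caller never gets an empty name or an exception.
    """
    env = os.environ if env is None else env
    uid = os.getuid() if uid is None else uid
    for var in ("LOGNAME", "USER"):
        name = env.get(var)
        if name:
            return name
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid with no passwd entry (e.g. inside a minimal container)
        return f"uid{uid}"


if __name__ == "__main__":
    rc, out, err = login_name_via_logname()
    print(f"logname(1): rc={rc} stdout={out!r} stderr={err!r}")
    print("resolved:", resolve_login_name())
```

Run it from an interactive shell and then from a cron entry or `setsid` to see the logname(1) call fail while `resolve_login_name()` still returns a name.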

This RHUI update introduces the following enhancements:

  • With this update, the client configuration RPMs in rhui-manager prevent subscription manager from automatically enabling yum plugins. As a result, RHUI repository users will no longer see irrelevant messages from subscription manager. (BZ#1957871)

  • With this update, you can generate machine-readable files with the status of each RHUI repository. To use this feature, run the following command:
    rhui-manager --non-interactive status --repo_json <output file>
    (BZ#2079391)

  • With this update, the rhui-manager CLI command uses a variety of unique exit codes to indicate different types of errors. For example, if you attempt to add a Red Hat repository that has already been added, the command will exit with a status of 245. However, if you attempt to add a Red Hat repository that does not exist in the RHUI entitlement, the command will exit with a status of 246. For a complete list of codes, see the /usr/lib/python3.6/site-packages/rhui/common/rhui_exit_codes.py file.

Affected configurations

Vulners node
  redhat  python-django-0    Range  3.2.21-1.el8pc
  OR
  redhat  python-django-0    Range  3.2.19-1.0.1.el8ui
  OR
  redhat  python-sqlparse-0  Range  0.4.4-1.el8pc
  OR
  redhat  python-sqlparse-0  Range  0.4.4-1.0.1.el8ui

Vendor  Product            Version  CPE
redhat  python-django-0    *        cpe:2.3:a:redhat:python-django-0:*:*:*:*:*:*:*:*
redhat  python-sqlparse-0  *        cpe:2.3:a:redhat:python-sqlparse-0:*:*:*:*:*:*:*:*
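The affected-configuration list gives the fixed build for each package but leaves the "am I affected?" comparison to the reader. The following added example (not Red Hat or Vulners code) implements RPM's version-comparison algorithm (rpmvercmp, including the '~' pre-release rule) and checks installed EVRs against the fixed builds listed above. It assumes the trailing "-0" on the product names is epoch 0 and that a "Range" entry means every lower build of the same dist tag (el8pc or el8ui) is affected; the sample rpm output is constructed.

```python
"""Offline check of installed RPM EVRs against the fixed builds in this advisory.

Added example; not Red Hat or Vulners code. Package names and fixed EVRs come
from the advisory's affected-configuration list; the trailing "-0" on the
product names is read as epoch 0 and "Range" as "everything below this build
is affected" (assumptions). Implements the rpmvercmp segment comparison.
"""

FIXED_EVRS = {
    "python-django": ["0:3.2.21-1.el8pc", "0:3.2.19-1.0.1.el8ui"],
    "python-sqlparse": ["0:0.4.4-1.el8pc", "0:0.4.4-1.0.1.el8ui"],
}


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp(): segment-wise, numeric beats alpha."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is neither alphanumeric nor '~'.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' sorts before everything, including the end of the string (1.0~rc1 < 1.0).
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i += 1
                j += 1
                continue
            return -1 if ta else 1
        if i >= len(a) or j >= len(b):
            break
        # Take a run of digits or a run of letters from a, then the same type from b.
        isnum = a[i].isdigit()
        sa = i
        while i < len(a) and (a[i].isdigit() if isnum else a[i].isalpha()):
            i += 1
        sb = j
        while j < len(b) and (b[j].isdigit() if isnum else b[j].isalpha()):
            j += 1
        seg_a, seg_b = a[sa:i], b[sb:j]
        if not seg_b:  # different segment types: a numeric segment wins
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    # One side ran out: whichever still has characters left wins.
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release' (epoch optional) into (int, str, str)."""
    epoch, rest = "0", evr
    if ":" in rest:
        epoch, rest = rest.split(":", 1)
    version, release = rest.rsplit("-", 1)
    return int(epoch), version, release


def evrcmp(x: str, y: str) -> int:
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


def dist_tag(release: str) -> str:
    return release.rsplit(".", 1)[-1]


def check_package(name: str, installed_evr: str) -> str:
    """'affected', 'fixed', 'unknown-build' (no fixed build for this dist tag) or 'not-in-advisory'."""
    fixes = FIXED_EVRS.get(name)
    if fixes is None:
        return "not-in-advisory"
    tag = dist_tag(parse_evr(installed_evr)[2])
    matching = [f for f in fixes if dist_tag(parse_evr(f)[2]) == tag]
    if not matching:
        return "unknown-build"
    return "affected" if evrcmp(installed_evr, matching[0]) < 0 else "fixed"


# Constructed sample in the shape of:
#   rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' python-django python-sqlparse
# rpm prints "(none)" for an unset epoch, which the audit normalises to 0.
SAMPLE_RPM_OUTPUT = """\
python-django (none):3.2.19-1.el8pc
python-sqlparse 0:0.4.4-1.0.1.el8ui
"""


def audit(rpm_output: str = SAMPLE_RPM_OUTPUT) -> dict:
    results = {}
    for line in rpm_output.splitlines():
        if not line.strip():
            continue
        name, evr = line.split()
        results[name] = check_package(name, evr.replace("(none):", "0:"))
    return results


if __name__ == "__main__":
    for pkg, verdict in audit().items():
        print(f"{pkg}: {verdict}")
```

Feed it real `rpm -q` output from a RHUI node instead of the constructed sample; the dist-tag match matters because the el8pc and el8ui builds of python-django are fixed at different upstream versions.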
