Rocky Linux Product Errata RLSA-2023:2097
Published: May 05, 2023 - 3:39 p.m. (2023-05-05 15:39:58)

Satellite 6.13 Release

Source: Rocky Linux Product Errata, errata.rockylinux.org
Tags: libdb, rocky linux 8, candlepin, puppetserver, cve-2022-1471, cve-2022-25857, cve-2022-38749, cve-2022-22577, cve-2022-23514, cve-2022-23515, cve-2022-23516, cve-2022-23517, cve-2022-23518, cve-2022-23519, cve-2022-27777, cve-2022-31163, cve-2022-32224, cve-2022-33980, cve-2022-41323, cve-2022-41946, cve-2022-42003, cve-2022-42004, cve-2022-42889, cve-2023-23969, cve-2023-24580, security fix, release update

EPSS: 0.971 (High), percentile 99.8%

An update is available for libdb. This update affects Rocky Linux 8.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.

Rocky Enterprise Software Foundation Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool.

Security Fix(es):

  • CVE-2022-1471 CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751 CVE-2022-38752 candlepin and puppetserver: various flaws
  • CVE-2022-22577 tfm-rubygem-actionpack: rubygem-actionpack: Possible cross-site scripting vulnerability in Action Pack
  • CVE-2022-23514 rubygem-loofah: inefficient regular expression leading to denial of service
  • CVE-2022-23515 rubygem-loofah: rubygem-loofah: Improper neutralization of data URIs leading to Cross Site Scripting
  • CVE-2022-23516 rubygem-loofah: Uncontrolled Recursion leading to denial of service
  • CVE-2022-23517 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Inefficient Regular Expression leading to denial of service
  • CVE-2022-23518 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Improper neutralization of data URIs leading to Cross site scripting
  • CVE-2022-23519 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Cross site scripting vulnerability with certain configurations
  • CVE-2022-23520 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Cross site scripting vulnerability with certain configurations
  • CVE-2022-27777 tfm-rubygem-actionview: Possible cross-site scripting vulnerability in Action View tag helpers
  • CVE-2022-31163 rubygem-tzinfo: rubygem-tzinfo: arbitrary code execution
  • CVE-2022-32224 tfm-rubygem-activerecord: activerecord: Possible RCE escalation bug with Serialized Columns in Active Record
  • CVE-2022-33980 candlepin: apache-commons-configuration2: Apache Commons Configuration insecure interpolation defaults
  • CVE-2022-41323 satellite-capsule:el8/python-django: Potential denial-of-service vulnerability in internationalized URLs
  • CVE-2022-41946 candlepin: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions
  • CVE-2022-42003 CVE-2022-42004 candlepin: various flaws
  • CVE-2022-42889 candlepin: apache-commons-text: variable interpolation RCE
  • CVE-2023-23969 python-django: Potential denial-of-service via Accept-Language headers
  • CVE-2023-24580 python-django: Potential denial-of-service vulnerability in file uploads

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

The items above are not a complete list of changes. This update also fixes
several bugs and adds various enhancements. Documentation for these changes
is available from the Release Notes document.