Red Hat Satellite is a systems management tool for Linux-based
infrastructure. It allows for provisioning, remote management, and
monitoring of multiple Linux deployments with a single centralized tool.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* GitPython: Insecure non-multi options in clone and clone_from is not blocked (CVE-2023-40267)

* kubeclient: kubeconfig parsing error can lead to MITM attacks (CVE-2022-0759)

* foreman: OS command injection via ct_command and fcct_command (CVE-2022-3874)

* ruby-git: code injection vulnerability (CVE-2022-46648)

* ruby-git: code injection vulnerability (CVE-2022-47318)

* Foreman: Arbitrary code execution through templates (CVE-2023-0118)

* rubygem-activerecord: SQL Injection (CVE-2023-22794)

* openssl: c_rehash script allows command injection (CVE-2022-1292)

* openssl: the c_rehash script allows command injection (CVE-2022-2068)

* Pulp:Tokens stored in plaintext (CVE-2022-3644)

* satellite: Blind SSRF via Referer header (CVE-2022-4130)

* python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious web server (CVE-2022-40899)

* golang: net/https: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

* rubygem-activerecord: Denial of Service (CVE-2022-44566)

* rubygem-rack: denial of service in Content-Disposition parsing (CVE-2022-44570)

* rubygem-rack: denial of service in Content-Disposition parsing (CVE-2022-44571)

* rubygem-rack: denial of service in Content-Disposition parsing (CVE-2022-44572)

* Foreman: Stored cross-site scripting in host tab (CVE-2023-0119)

* puppet: Puppet Server ReDoS (CVE-2023-1894)

* rubygem-actionpack: Denial of Service in Action Dispatch (CVE-2023-22792)

* rubygem-actionpack: Denial of Service in Action Dispatch (CVE-2023-22795)

* rubygem-activesupport: Regular Expression Denial of Service (CVE-2023-22796)

* rubygem-globalid: ReDoS vulnerability (CVE-2023-22799)

* rubygem-rack: Denial of service in Multipart MIME parsing (CVE-2023-27530)

* rubygem-rack: denial of service in header parsing (CVE-2023-27539)

* golang: net/https: insufficient sanitization of Host header (CVE-2023-29406)

* sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service) (CVE-2023-30608)

* python-django: Potential bypass of validation when uploading multiple files using one form field (CVE-2023-31047)

* python-requests: Unintended leak of Proxy-Authorization header (CVE-2023-32681)

* python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator (CVE-2023-36053)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.Read More