RedHat: RHSA-2023-4591:01 Moderate: RHUI 4.5.0 release - Security,
Summary
Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly
redundant framework that enables you to manage repositories and content. It
also enables cloud providers to deliver content and updates to Red Hat
Enterprise Linux (RHEL) instances.
Security Fix(es):
* Django: Potential bypass of validation when uploading multiple files
using a single form field (CVE-2023-31047)
* sqlparse: Parser contains a regular expression that is vulnerable to
ReDOS (Regular Expression Denial of Service) (CVE-2023-30608)
This RHUI update fixes the following bugs:
* Previously, the `rhui-manager` command used the `logname` command to
obtain the login name. However, when `rhui-manager` is run using the
`rhui-repo-sync` cron job, a login name is not defined. Consequently,
emails sent by the cron job contained the error message `logname: no login
name`. With this update, `rhui-manager` does not obtain the login name
using the `logname` command and the error message is no longer generated.
* Previously, when an invalid repository ID was used with the
`rhui-manager` command to synchronize or delete a repository, the command
failed with the following error:
`An unexpected error has occurred during the last operation.`
A traceback was also logged.
With this update, the error message has been improved and failure to run no
longer logs a traceback.
This RHUI update introduces the following enhancements:
* With this update, the client configuration RPMs in `rhui-manager` prevent
subscription manager from automatically enabling `yum` plugins. As a
result, RHUI repository users will no longer see irrelevant messages from
subscription manager. (BZ#1957871)
* With this update, you can generate machine-readable files with the status
of each RHUI repository. To use this feature, run the following command:
`rhui-manager --non-interactive status --repo_json`
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For detailed instructions on how to apply this update, see:
https://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/4/html/migrating_red_hat_update_infrastructure/assembly_upgrading-red-hat-update-infrastructure_migrating-red-hat-update-infrastructure
For other information, see the product documentation:
https://access.redhat.com/documentation/en-us/red_hat_update_infrastructure/4
References
https://access.redhat.com/security/cve/CVE-2023-30608
https://access.redhat.com/security/cve/CVE-2023-31047
https://access.redhat.com/security/updates/classification/#moderate
Package List
RHUI 4 for RHEL 8:
Source:
python-django-3.2.19-1.0.1.el8ui.src.rpm
python-sqlparse-0.4.4-1.0.1.el8ui.src.rpm
rhui-installer-4.5.0.1-1.el8ui.src.rpm
rhui-tools-4.5.0.5-1.el8ui.src.rpm
noarch:
python39-django-3.2.19-1.0.1.el8ui.noarch.rpm
python39-sqlparse-0.4.4-1.0.1.el8ui.noarch.rpm
rhui-installer-4.5.0.1-1.el8ui.noarch.rpm
rhui-tools-4.5.0.5-1.el8ui.noarch.rpm
rhui-tools-libs-4.5.0.5-1.el8ui.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
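The Package List above gives the fixed NEVRA of each RPM. The following is an added example, not part of the advisory or of RHUI itself, showing how an administrator can decide whether a host is still exposed: it compares installed package versions (fed from `rpm -qa` output; the sample below is constructed, not captured from a real system) against the fixed versions listed here, using a re-implementation of rpm's version comparison (tilde ordering supported, caret ordering omitted). All function names are this example's own.

```python
"""Check installed RHUI 4 (RHEL 8) packages against the fixed versions in RHSA-2023:4591."""
import re
from typing import Dict, List, Tuple

# Fixed noarch packages exactly as listed in the advisory's Package List.
FIXED_RPMS = [
    "python39-django-3.2.19-1.0.1.el8ui.noarch.rpm",
    "python39-sqlparse-0.4.4-1.0.1.el8ui.noarch.rpm",
    "rhui-installer-4.5.0.1-1.el8ui.noarch.rpm",
    "rhui-tools-4.5.0.5-1.el8ui.noarch.rpm",
    "rhui-tools-libs-4.5.0.5-1.el8ui.noarch.rpm",
]

# Constructed sample of
#   rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'
# on a hypothetical host: django is one release behind, rhui-installer is not installed.
SAMPLE_RPM_QA = """\
python39-django (none) 3.2.18 1.0.1.el8ui noarch
python39-sqlparse (none) 0.4.4 1.0.1.el8ui noarch
rhui-tools (none) 4.5.0.5 1.el8ui noarch
rhui-tools-libs (none) 4.5.0.5 1.el8ui noarch
bash (none) 4.4.20 4.el8_6 x86_64
"""

EVR = Tuple[int, str, str]  # (epoch, version, release)
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version/release strings the way rpm does ('^' not handled).
    Returns 1 if a is newer, -1 if a is older, 0 if equal."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            # A tilde sorts before anything else, including end of string.
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1  # a numeric segment is newer than an alphabetic one
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    a_is_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_is_longer else sb[len(sa):]
    if rest[0] == "~":
        return -1 if a_is_longer else 1  # "1.0~rc1" is older than "1.0"
    return 1 if a_is_longer else -1     # otherwise more segments means newer


def evr_cmp(a: EVR, b: EVR) -> int:
    """Order by epoch, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    c = rpmvercmp(a[1], b[1])
    return c if c else rpmvercmp(a[2], b[2])


def parse_rpm_filename(filename: str) -> Tuple[str, str, EVR]:
    """'name-version-release.arch.rpm' -> (name, arch, (0, version, release)).
    File names carry no epoch, so it is taken as 0."""
    stem = filename[:-4] if filename.endswith(".rpm") else filename
    nvr, arch = stem.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, arch, (0, version, release)


def parse_rpm_qa(output: str) -> Dict[str, Tuple[str, EVR]]:
    """Parse the five-column rpm -qa format constructed above into name -> (arch, EVR)."""
    installed: Dict[str, Tuple[str, EVR]] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        name, epoch, version, release, arch = line.split()
        installed[name] = (arch, (0 if epoch == "(none)" else int(epoch), version, release))
    return installed


def check_advisory(rpm_qa_output: str, fixed_rpms: List[str] = FIXED_RPMS) -> Dict[str, str]:
    """Return 'patched', 'vulnerable' or 'not installed' for each package the advisory fixes."""
    installed = parse_rpm_qa(rpm_qa_output)
    result: Dict[str, str] = {}
    for fn in fixed_rpms:
        name, _arch, fixed_evr = parse_rpm_filename(fn)
        if name not in installed:
            result[name] = "not installed"
            continue
        _arch, have = installed[name]
        result[name] = "patched" if evr_cmp(have, fixed_evr) >= 0 else "vulnerable"
    return result


if __name__ == "__main__":
    for pkg, state in check_advisory(SAMPLE_RPM_QA).items():
        print(f"{pkg:20s} {state}")
```

On a real host, pipe the output of the `rpm -qa --qf` command shown in the comment into `check_advisory`; any package reported `vulnerable` is below the fixed release in the list above, and `not installed` entries can be ignored for hosts that do not carry that component.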
Topic
An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.5 fixes several security and operational bugs and also adds several new features.
Relevant Releases/Architectures
RHUI 4 for RHEL 8 - noarch
Bugs Fixed
1957871 - [RFE] Client rpms created in RHUI don't prevent auto-enable of subscription manager plugins
2079391 - Feature request to provide sync/repo status of each repo in a JSON file for automated monitoring
2187903 - CVE-2023-30608 sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service)
2192565 - CVE-2023-31047 python-django: Potential bypass of validation when uploading multiple files using one form field
JIRA issues fixed (https://issues.redhat.com/):
RHUI-217 - [RFE] Client rpms created in RHUI don't prevent auto-enable of subscription manager plugins
RHUI-263 - [RFE] Bug 2079391 - Feature request to provide sync/repo status of each repo in a JSON file for automated monitoring
RHUI-356 - "logname: no login name" appears, twice, in e-mails sent by the rhui-repo-sync cron job
RHUI-395 - Change error reporting of rhui-manager to be configurable
RHUI-424 - repo deletion for an un-added repo results in a traceback
RHUI-430 - Installation fails on RHEL 8.9
RHUI-75 - repo sync for an un-added repo results in a traceback