-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: RHUI 4.4.0 release - Security Fixes, Bug Fixes, and Enhancements Update Advisory ID: RHSA-2023:2101-01 Product: Red Hat Update Infrastructure Advisory URL: https://access.redhat.com/errata/RHSA-2023:2101 Issue date: 2023-05-03 CVE Names: CVE-2022-40899 CVE-2023-23969 CVE-2023-24580 ===================================================================== 1. Summary: An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.4 fixes several security and operational bugs, and introduces multiple new features. 2. Relevant releases/architectures: RHUI 4 for RHEL 8 - noarch 3. Description: Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux (RHEL) instances. Security Fix(es): * Django: Potential denial-of-service vulnerability due to large Accept-Language header values (CVE-2023-23969) * Django: Potential denial-of-service vulnerability when uploading multiple files (CVE-2023-24580) * Future: Remote attackers can cause denial-of-service using crafted Set-Cookie header from a malicious web server (CVE-2022-40899) This RHUI update fixes the following bugs: * Previously, when the `rhui-services-restart` command was run, it restarted only those `pulpcore-worker` services that were already running and ignored services that were not running. With this update, the `rhui-services-restart` command restarts all `pulpcore-worker` services irrespective of their status. * Previously, the `rhui-manager status` command returned an incorrect exit status when there was a problem. With this update, the issue has been fixed and the command now returns the correct exit status. (BZ#2174633) * Previously, `rhui-installer` ignored the `--rhua-mount-options` parameter and only used the read-write (`rw`) mount option to set up RHUI remote share. With this update, `rhui-installer` uses the `--rhua-mount-options` parameter. However, `rhui-installer` still uses the read-write (`rw`) option by default. (BZ#2174316) * Previously, when you ran `rhui-installer`, it rewrote the `/etc/rhui/rhui-tools.conf` file, resetting all container-related settings. With this update, the command saves the container-related settings from the `/etc/rhui/rhui-tools.conf` file and restores them after the file is rewritten. This RHUI update introduces the following enhancements: * The `rhui-installer` command now supports the `--pulp-workers _COUNT_` argument. RHUI administrators can use this argument to set up a number of Pulp workers. (BZ#2036408) * You can now configure CDS nodes to never fetch non-exported content from the RHUA node. To configure the node, rerun the `rhui-installer` command with the `--fetch-missing-symlinks False` argument, and then apply this configuration to all CDS nodes. If you configure your CDS nodes this way, ensure that the content has been exported before RHUI clients start consuming it. (BZ#2084950) * Support for containers in RHUI is disabled by default. If you want to use containers, you must manually enable container support by rerunning `rhui-installer` with the `--container-support-enabled True` argument, and then applying this configuration to all CDS nodes. * Transport Layer Security (TLS) 1.3 and HTTP Strict Transport Security (HSTS) is now enabled in RHUI. This update improves overall RHUI security and also removes unsafe ciphers from the `nginx` configuration on CDS nodes. (BZ#1887903) * You can now remove packages from custom repositories using the text user interface (TUI) as well as the command line. For more information, see the release notes or the product documentation.(BZ#2165444) * You can now set up the Alternate Content Source (ACS) configuration in RHUI to quickly synchronize new repositories and content by substituting remote content with matching content that is available locally or geographically closer to your instance of RHUI. For more information, see the release notes or the product documentation. (BZ#2001087) * You can now use a custom prefix, or no prefix at all, when naming your RHUI repositories. You can change the prefix by rerunning the `rhui-installer` command with the `--client-repo-prefix ` argument. To remove the prefix entirely, use two quotation marks ("") as the `` parameter. For more information, see the release notes or the product documentation. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2036408 - Change default pulp workers if RHUA has lower cpu count 2084950 - RHUIv4 does not function when RHUA is unavailable 2165444 - [RFE] No way to remove specific packages in custom repositories 2165866 - CVE-2022-40899 python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious web server 2166457 - CVE-2023-23969 python-django: Potential denial-of-service via Accept-Language headers 2169402 - CVE-2023-24580 python-django: Potential denial-of-service vulnerability in file uploads 2174316 - rhui-installer ignores --rhua-mount-options option in rhui4. 2174633 - 'rhui-manager status' returns an exist code 0 even if pulp-workers are down 6. JIRA issues fixed (https://issues.jboss.org/): RHUI-134 - [RFE] Satellite w/ Pulp 3 ACS: Generate a cert, headers, a base URL, and subpaths for a list of repositories RHUI-148 - Enable remove RPM functionality from custom repo RHUI-199 - Remove unsafe ciphers from default setup of NGinx RHUI-230 - Bug 1887903 - TLS testing tool on CDS certificate RHUI-342 - Make client repo ID prefix optional RHUI-354 - Container support should be "opt-in" and not enabled by default RHUI-362 - rhui-installer --rerun wipes container registry configuration RHUI-368 - Update Django to address CVE-2023-24580 python-django: Potential denial-of-service vulnerability in file uploads RHUI-370 - rhui-installer ignores --rhua-mount-options option in rhui4 RHUI-371 - 'rhui-manager status' returns an exist code 0 even if pulp-workers are down RHUI-372 - Allow CDS to be configured without requesting RHUA creating missing symlinks. RHUI-376 - rhui-services-restart doesn't start workers if they're down RHUI-377 - Create a rhui-installer argument to change the number of pulp-workers 7. Package List: RHUI 4 for RHEL 8: Source: python-django-3.2.18-1.0.1.el8ui.src.rpm python-future-0.18.3-1.0.1.el8ui.src.rpm rhui-installer-4.4.0.5-1.el8ui.src.rpm rhui-tools-4.4.0.5-1.el8ui.src.rpm noarch: python39-django-3.2.18-1.0.1.el8ui.noarch.rpm python39-future-0.18.3-1.0.1.el8ui.noarch.rpm rhui-installer-4.4.0.5-1.el8ui.noarch.rpm rhui-tools-4.4.0.5-1.el8ui.noarch.rpm rhui-tools-libs-4.4.0.5-1.el8ui.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2022-40899 https://access.redhat.com/security/cve/CVE-2023-23969 https://access.redhat.com/security/cve/CVE-2023-24580 https://access.redhat.com/security/updates/classification/#moderate 9. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZFKfqNzjgjWX9erEAQic5w/7BLmNq2O/sL5buYUMSGyq0FOVpHNs4Gme GUhezPB1yPgskJojImfLXaw1z/fAQ0vHlVbqtbxm2RjjycKPccbhf2OMWyeqk6nl NpWbvUTvnORjxq+8ytPw/BOErmaXP/pkEnMQ9MYYhjX0mnZpa27Hqg5ZaGYrZKR2 z3ubR/O9IasaeB852DtLbZYMGtKSG/dOQCqFUbowox6nhw1iaDlpty4Rx1gNM691 4nANykTsg6SFZKm3Q9Ie6di5UjaKZ3p0Y2ibNMAlSuDSqC3P1CkBxjmjjTYn8+JH FRhRuUFBnuexFuZu5eMsJAw3GjwkvLfg0h4vmtBiL6YJxIhLNNcXuD3RtDjvt3Le J1iln27dJzrW0uhHHDP403q2XjVTyZoXOUfPWuVRQdq3QU4Jw92OWHOZXxOAhxoi st3SlHV0AtE25dtibzWgdtuLm5KQeOeROa3HxgCOCpIGK1PNUx4jHOdSCNQcGVue HNbFvJCneh8lh//kZVaQjymGReG4UcIotXFRvdWtbRSnFkkhXCEOteUHP+4RwtFd xFxXN3qO38cjAttCjkdMXYewsbmGyeu25x31fzYvi0UOvolJZ4TcCr82fwvcz9gE FxD9+zFcLv56pSVk+KxFC1wu9+vT2Sx1mg3t4rB9iY62kS1vkxpOnkIPdlTFYik+ ayeXSCdH7a0= =wa8K -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce