rhsa-2023_2101
Vulnerability from csaf_redhat
Published
2023-05-03 14:58
Modified
2024-11-06 02:50
Summary
Red Hat Security Advisory: RHUI 4.4.0 release - Security Fixes, Bug Fixes, and Enhancements Update
Notes
Topic
An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.4 fixes several security and operational bugs, and introduces multiple new features.
Details
Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux (RHEL) instances.
Security Fix(es):
* Django: Potential denial-of-service vulnerability due to large Accept-Language header values (CVE-2023-23969)
* Django: Potential denial-of-service vulnerability when uploading multiple files (CVE-2023-24580)
* Future: Remote attackers can cause denial-of-service using crafted Set-Cookie header from a malicious web server (CVE-2022-40899)
This RHUI update fixes the following bugs:
* Previously, when the `rhui-services-restart` command was run, it restarted only those `pulpcore-worker` services that were already running and ignored services that were not running. With this update, the `rhui-services-restart` command restarts all `pulpcore-worker` services irrespective of their status.
* Previously, the `rhui-manager status` command returned an incorrect exit status when there was a problem. With this update, the issue has been fixed and the command now returns the correct exit status. (BZ#2174633)
* Previously, `rhui-installer` ignored the `--rhua-mount-options` parameter and only used the read-write (`rw`) mount option to set up RHUI remote share. With this update, `rhui-installer` uses the `--rhua-mount-options` parameter. However, `rhui-installer` still uses the read-write (`rw`) option by default. (BZ#2174316)
* Previously, when you ran `rhui-installer`, it rewrote the `/etc/rhui/rhui-tools.conf` file, resetting all container-related settings. With this update, the command saves the container-related settings from the `/etc/rhui/rhui-tools.conf` file and restores them after the file is rewritten.
This RHUI update introduces the following enhancements:
* The `rhui-installer` command now supports the `--pulp-workers _COUNT_` argument. RHUI administrators can use this argument to set up a number of Pulp workers. (BZ#2036408)
* You can now configure CDS nodes to never fetch non-exported content from the RHUA node. To configure the node, rerun the `rhui-installer` command with the `--fetch-missing-symlinks False` argument, and then apply this configuration to all CDS nodes. If you configure your CDS nodes this way, ensure that the content has been exported before RHUI clients start consuming it. (BZ#2084950)
* Support for containers in RHUI is disabled by default. If you want to use containers, you must manually enable container support by rerunning `rhui-installer` with the `--container-support-enabled True` argument, and then applying this configuration to all CDS nodes.
* Transport Layer Security (TLS) 1.3 and HTTP Strict Transport Security (HSTS) is now enabled in RHUI. This update improves overall RHUI security and also removes unsafe ciphers from the `nginx` configuration on CDS nodes. (BZ#1887903)
* You can now remove packages from custom repositories using the text user interface (TUI) as well as the command line. For more information, see the release notes or the product documentation.(BZ#2165444)
* You can now set up the Alternate Content Source (ACS) configuration in RHUI to quickly synchronize new repositories and content by substituting remote content with matching content that is available locally or geographically closer to your instance of RHUI. For more information, see the release notes or the product documentation. (BZ#2001087)
* You can now use a custom prefix, or no prefix at all, when naming your RHUI repositories. You can change the prefix by rerunning the `rhui-installer` command with the `--client-repo-prefix <prefix>` argument. To remove the prefix entirely, use two quotation marks ("") as the `<prefix>` parameter. For more information, see the release notes or the product documentation.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.4 fixes several security and operational bugs, and introduces multiple new features.", "title": "Topic" }, { "category": "general", "text": "Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux (RHEL) instances.\n\nSecurity Fix(es):\n* Django: Potential denial-of-service vulnerability due to large Accept-Language header values (CVE-2023-23969)\n\n* Django: Potential denial-of-service vulnerability when uploading multiple files (CVE-2023-24580)\n\n* Future: Remote attackers can cause denial-of-service using crafted Set-Cookie header from a malicious web server (CVE-2022-40899)\n\nThis RHUI update fixes the following bugs:\n\n* Previously, when the `rhui-services-restart` command was run, it restarted only those `pulpcore-worker` services that were already running and ignored services that were not running. With this update, the `rhui-services-restart` command restarts all `pulpcore-worker` services irrespective of their status.\n\n* Previously, the `rhui-manager status` command returned an incorrect exit status when there was a problem. With this update, the issue has been fixed and the command now returns the correct exit status. (BZ#2174633)\n\n* Previously, `rhui-installer` ignored the `--rhua-mount-options` parameter and only used the read-write (`rw`) mount option to set up RHUI remote share. With this update, `rhui-installer` uses the `--rhua-mount-options` parameter. However, `rhui-installer` still uses the read-write (`rw`) option by default. (BZ#2174316)\n\n* Previously, when you ran `rhui-installer`, it rewrote the `/etc/rhui/rhui-tools.conf` file, resetting all container-related settings. With this update, the command saves the container-related settings from the `/etc/rhui/rhui-tools.conf` file and restores them after the file is rewritten.\n\nThis RHUI update introduces the following enhancements:\n\n* The `rhui-installer` command now supports the `--pulp-workers _COUNT_` argument. RHUI administrators can use this argument to set up a number of Pulp workers. (BZ#2036408)\n\n* You can now configure CDS nodes to never fetch non-exported content from the RHUA node. To configure the node, rerun the `rhui-installer` command with the `--fetch-missing-symlinks False` argument, and then apply this configuration to all CDS nodes. If you configure your CDS nodes this way, ensure that the content has been exported before RHUI clients start consuming it. (BZ#2084950)\n\n* Support for containers in RHUI is disabled by default. If you want to use containers, you must manually enable container support by rerunning `rhui-installer` with the `--container-support-enabled True` argument, and then applying this configuration to all CDS nodes.\n\n* Transport Layer Security (TLS) 1.3 and HTTP Strict Transport Security (HSTS) is now enabled in RHUI. This update improves overall RHUI security and also removes unsafe ciphers from the `nginx` configuration on CDS nodes. (BZ#1887903)\n\n* You can now remove packages from custom repositories using the text user interface (TUI) as well as the command line. For more information, see the release notes or the product documentation.(BZ#2165444)\n\n* You can now set up the Alternate Content Source (ACS) configuration in RHUI to quickly synchronize new repositories and content by substituting remote content with matching content that is available locally or geographically closer to your instance of RHUI. For more information, see the release notes or the product documentation. (BZ#2001087)\n\n* You can now use a custom prefix, or no prefix at all, when naming your RHUI repositories. You can change the prefix by rerunning the `rhui-installer` command with the `--client-repo-prefix \u003cprefix\u003e` argument. To remove the prefix entirely, use two quotation marks (\"\") as the `\u003cprefix\u003e` parameter. For more information, see the release notes or the product documentation.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:2101", "url": "https://access.redhat.com/errata/RHSA-2023:2101" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2036408", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2036408" }, { "category": "external", "summary": "2084950", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2084950" }, { "category": "external", "summary": "2165444", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2165444" }, { "category": "external", "summary": "2165866", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2165866" }, { "category": "external", "summary": "2166457", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166457" }, { "category": "external", "summary": "2169402", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169402" }, { "category": "external", "summary": "2174316", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174316" }, { "category": "external", "summary": "2174633", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174633" }, { "category": "external", "summary": "RHUI-134", "url": "https://issues.redhat.com/browse/RHUI-134" }, { "category": "external", "summary": "RHUI-148", "url": "https://issues.redhat.com/browse/RHUI-148" }, { "category": "external", "summary": "RHUI-199", "url": "https://issues.redhat.com/browse/RHUI-199" }, { "category": "external", "summary": "RHUI-230", "url": "https://issues.redhat.com/browse/RHUI-230" }, { "category": "external", "summary": "RHUI-342", "url": "https://issues.redhat.com/browse/RHUI-342" }, { "category": "external", "summary": "RHUI-354", "url": "https://issues.redhat.com/browse/RHUI-354" }, { "category": "external", "summary": "RHUI-362", "url": "https://issues.redhat.com/browse/RHUI-362" }, { "category": "external", "summary": "RHUI-368", "url": "https://issues.redhat.com/browse/RHUI-368" }, { "category": "external", "summary": "RHUI-370", "url": "https://issues.redhat.com/browse/RHUI-370" }, { "category": "external", "summary": "RHUI-371", "url": "https://issues.redhat.com/browse/RHUI-371" }, { "category": "external", "summary": "RHUI-372", "url": "https://issues.redhat.com/browse/RHUI-372" }, { "category": "external", "summary": "RHUI-376", "url": "https://issues.redhat.com/browse/RHUI-376" }, { "category": "external", "summary": "RHUI-377", "url": "https://issues.redhat.com/browse/RHUI-377" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2101.json" } ], "title": "Red Hat Security Advisory: RHUI 4.4.0 release - Security Fixes, Bug Fixes, and Enhancements Update", "tracking": { "current_release_date": "2024-11-06T02:50:23+00:00", "generator": { "date": "2024-11-06T02:50:23+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2023:2101", "initial_release_date": "2023-05-03T14:58:45+00:00", "revision_history": [ { "date": "2023-05-03T14:58:45+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-05-03T14:58:45+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T02:50:23+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHUI 4 for RHEL 8", "product": { "name": "RHUI 4 for RHEL 8", "product_id": "8Base-RHUI-4", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhui:4::el8" } } } ], "category": "product_family", "name": "Red Hat Update Infrastructure" }, { "branches": [ { "category": "product_version", "name": "python-future-0:0.18.3-1.0.1.el8ui.src", "product": { "name": "python-future-0:0.18.3-1.0.1.el8ui.src", "product_id": "python-future-0:0.18.3-1.0.1.el8ui.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-future@0.18.3-1.0.1.el8ui?arch=src" } } }, { "category": "product_version", "name": "rhui-installer-0:4.4.0.5-1.el8ui.src", "product": { "name": "rhui-installer-0:4.4.0.5-1.el8ui.src", "product_id": "rhui-installer-0:4.4.0.5-1.el8ui.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhui-installer@4.4.0.5-1.el8ui?arch=src" } } }, { "category": "product_version", "name": "rhui-tools-0:4.4.0.5-1.el8ui.src", "product": { "name": "rhui-tools-0:4.4.0.5-1.el8ui.src", "product_id": "rhui-tools-0:4.4.0.5-1.el8ui.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhui-tools@4.4.0.5-1.el8ui?arch=src" } } }, { "category": "product_version", "name": "python-django-0:3.2.18-1.0.1.el8ui.src", "product": { "name": "python-django-0:3.2.18-1.0.1.el8ui.src", "product_id": "python-django-0:3.2.18-1.0.1.el8ui.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django@3.2.18-1.0.1.el8ui?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "python39-future-0:0.18.3-1.0.1.el8ui.noarch", "product": { "name": "python39-future-0:0.18.3-1.0.1.el8ui.noarch", "product_id": "python39-future-0:0.18.3-1.0.1.el8ui.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python39-future@0.18.3-1.0.1.el8ui?arch=noarch" } } }, { "category": "product_version", "name": "rhui-installer-0:4.4.0.5-1.el8ui.noarch", "product": { "name": "rhui-installer-0:4.4.0.5-1.el8ui.noarch", "product_id": "rhui-installer-0:4.4.0.5-1.el8ui.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhui-installer@4.4.0.5-1.el8ui?arch=noarch" } } }, { "category": "product_version", "name": "rhui-tools-0:4.4.0.5-1.el8ui.noarch", "product": { "name": "rhui-tools-0:4.4.0.5-1.el8ui.noarch", "product_id": "rhui-tools-0:4.4.0.5-1.el8ui.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhui-tools@4.4.0.5-1.el8ui?arch=noarch" } } }, { "category": "product_version", "name": "rhui-tools-libs-0:4.4.0.5-1.el8ui.noarch", "product": { "name": "rhui-tools-libs-0:4.4.0.5-1.el8ui.noarch", "product_id": "rhui-tools-libs-0:4.4.0.5-1.el8ui.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhui-tools-libs@4.4.0.5-1.el8ui?arch=noarch" } } }, { "category": "product_version", "name": "python39-django-0:3.2.18-1.0.1.el8ui.noarch", "product": { "name": "python39-django-0:3.2.18-1.0.1.el8ui.noarch", "product_id": "python39-django-0:3.2.18-1.0.1.el8ui.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python39-django@3.2.18-1.0.1.el8ui?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python-django-0:3.2.18-1.0.1.el8ui.src as a component of RHUI 4 for RHEL 8", "product_id": "8Base-RHUI-4:python-django-0:3.2.18-1.0.1.el8ui.src" }, "product_reference": "python-django-0:3.2.18-1.0.1.el8ui.src", "relates_to_product_reference": "8Base-RHUI-4" }, { "category": "default_component_of", "full_product_name": { "name": "python-future-0:0.18.3-1.0.1.el8ui.src as a component of RHUI 4 for RHEL 8", "product_id": "8Base-RHUI-4:python-future-0:0.18.3-1.0.1.el8ui.src" }, "product_reference": "python-future-0:0.18.3-1.0.1.el8ui.src", "relates_to_product_reference": "8Base-RHUI-4" }, { "category": "default_component_of", "full_product_name": { "name": "python39-django-0:3.2.18-1.0.1.el8ui.noarch as a component of RHUI 4 for RHEL 8", "product_id": "8Base-RHUI-4:python39-django-0:3.2.18-1.0.1.el8ui.noarch" }, "product_reference": "python39-django-0:3.2.18-1.0.1.el8ui.noarch", "relates_to_product_reference": "8Base-RHUI-4" }, { "category": "default_component_of", "full_product_name": { "name": "python39-future-0:0.18.3-1.0.1.el8ui.noarch as a component of RHUI 4 for RHEL 8", "product_id": "8Base-RHUI-4:python39-future-0:0.18.3-1.0.1.el8ui.noarch" }, "product_reference": "python39-future-0:0.18.3-1.0.1.el8ui.noarch", "relates_to_product_reference": "8Base-RHUI-4" }, { "category": "default_component_of", "full_product_name": { "name": "rhui-installer-0:4.4.0.5-1.el8ui.noarch as a component of RHUI 4 for RHEL 8", "product_id": "8Base-RHUI-4:rhui-installer-0:4.4.0.5-1.el8ui.noarch" }, "product_reference": "rhui-installer-0:4.4.0.5-1.el8ui.noarch", "relates_to_product_reference": "8Base-RHUI-4" }, { "category": "default_component_of", "full_product_name": { "name": "rhui-installer-0:4.4.0.5-1.el8ui.src as a component of RHUI 4 for RHEL 8", "product_id": "8Base-RHUI-4:rhui-installer-0:4.4.0.5-1.el8ui.src" }, "product_reference": "rhui-installer-0:4.4.0.5-1.el8ui.src", "relates_to_product_reference": "8Base-RHUI-4" }, { "category": "default_component_of", "full_product_name": { "name": "rhui-tools-0:4.4.0.5-1.el8ui.noarch as a component of RHUI 4 for RHEL 8", "product_id": "8Base-RHUI-4:rhui-tools-0:4.4.0.5-1.el8ui.noarch" }, "product_reference": "rhui-tools-0:4.4.0.5-1.el8ui.noarch", "relates_to_product_reference": "8Base-RHUI-4" }, { "category": "default_component_of", "full_product_name": { "name": "rhui-tools-0:4.4.0.5-1.el8ui.src as a component of RHUI 4 for RHEL 8", "product_id": "8Base-RHUI-4:rhui-tools-0:4.4.0.5-1.el8ui.src" }, "product_reference": "rhui-tools-0:4.4.0.5-1.el8ui.src", "relates_to_product_reference": "8Base-RHUI-4" }, { "category": "default_component_of", "full_product_name": { "name": "rhui-tools-libs-0:4.4.0.5-1.el8ui.noarch as a component of RHUI 4 for RHEL 8", "product_id": "8Base-RHUI-4:rhui-tools-libs-0:4.4.0.5-1.el8ui.noarch" }, "product_reference": "rhui-tools-libs-0:4.4.0.5-1.el8ui.noarch", "relates_to_product_reference": "8Base-RHUI-4" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-40899", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-12-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHUI-4:python-django-0:3.2.18-1.0.1.el8ui.src", "8Base-RHUI-4:python39-django-0:3.2.18-1.0.1.el8ui.noarch", "8Base-RHUI-4:rhui-installer-0:4.4.0.5-1.el8ui.noarch", "8Base-RHUI-4:rhui-installer-0:4.4.0.5-1.el8ui.src", "8Base-RHUI-4:rhui-tools-0:4.4.0.5-1.el8ui.noarch", "8Base-RHUI-4:rhui-tools-0:4.4.0.5-1.el8ui.src", "8Base-RHUI-4:rhui-tools-libs-0:4.4.0.5-1.el8ui.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2165866" } ], "notes": [ { "category": "description", "text": "A denial of service flaw was found in Python Charmers Future. This flaw allows an attacker to send a specially crafted Set-Cookie header in an HTTP request, resulting in a loss of system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious web server", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHUI-4:python-future-0:0.18.3-1.0.1.el8ui.src", "8Base-RHUI-4:python39-future-0:0.18.3-1.0.1.el8ui.noarch" ], "known_not_affected": [ "8Base-RHUI-4:python-django-0:3.2.18-1.0.1.el8ui.src", "8Base-RHUI-4:python39-django-0:3.2.18-1.0.1.el8ui.noarch", "8Base-RHUI-4:rhui-installer-0:4.4.0.5-1.el8ui.noarch", "8Base-RHUI-4:rhui-installer-0:4.4.0.5-1.el8ui.src", "8Base-RHUI-4:rhui-tools-0:4.4.0.5-1.el8ui.noarch", "8Base-RHUI-4:rhui-tools-0:4.4.0.5-1.el8ui.src", "8Base-RHUI-4:rhui-tools-libs-0:4.4.0.5-1.el8ui.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40899" }, { "category": "external", "summary": "RHBZ#2165866", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2165866" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40899", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40899" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40899", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40899" } ], "release_date": "2022-12-21T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-05-03T14:58:45+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHUI-4:python-future-0:0.18.3-1.0.1.el8ui.src", "8Base-RHUI-4:python39-future-0:0.18.3-1.0.1.el8ui.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:2101" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHUI-4:python-future-0:0.18.3-1.0.1.el8ui.src", "8Base-RHUI-4:python39-future-0:0.18.3-1.0.1.el8ui.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious web server" }, { "cve": "CVE-2023-23969", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-02-01T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHUI-4:python-future-0:0.18.3-1.0.1.el8ui.src", "8Base-RHUI-4:python39-future-0:0.18.3-1.0.1.el8ui.noarch", "8Base-RHUI-4:rhui-installer-0:4.4.0.5-1.el8ui.noarch", "8Base-RHUI-4:rhui-installer-0:4.4.0.5-1.el8ui.src", "8Base-RHUI-4:rhui-tools-0:4.4.0.5-1.el8ui.noarch", "8Base-RHUI-4:rhui-tools-0:4.4.0.5-1.el8ui.src", "8Base-RHUI-4:rhui-tools-libs-0:4.4.0.5-1.el8ui.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2166457" } ], "notes": [ { "category": "description", "text": "A flaw was found in python-django. The parsed values of the Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial of service vector via excessive memory usage if large header values are sent.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-django: Potential denial-of-service via Accept-Language headers", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHUI-4:python-django-0:3.2.18-1.0.1.el8ui.src", "8Base-RHUI-4:python39-django-0:3.2.18-1.0.1.el8ui.noarch" ], "known_not_affected": [ "8Base-RHUI-4:python-future-0:0.18.3-1.0.1.el8ui.src", "8Base-RHUI-4:python39-future-0:0.18.3-1.0.1.el8ui.noarch", "8Base-RHUI-4:rhui-installer-0:4.4.0.5-1.el8ui.noarch", "8Base-RHUI-4:rhui-installer-0:4.4.0.5-1.el8ui.src", "8Base-RHUI-4:rhui-tools-0:4.4.0.5-1.el8ui.noarch", "8Base-RHUI-4:rhui-tools-0:4.4.0.5-1.el8ui.src", "8Base-RHUI-4:rhui-tools-libs-0:4.4.0.5-1.el8ui.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-23969" }, { "category": "external", "summary": "RHBZ#2166457", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166457" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-23969", "url": "https://www.cve.org/CVERecord?id=CVE-2023-23969" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-23969", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23969" }, { "category": "external", "summary": "https://github.com/django/django/commit/4452642f193533e288a52c02efb5bbc766a68f95", "url": "https://github.com/django/django/commit/4452642f193533e288a52c02efb5bbc766a68f95" }, { "category": "external", "summary": "https://github.com/django/django/commit/8a7b22d4a623bcd95190d2f5a958472fb41e576d", "url": "https://github.com/django/django/commit/8a7b22d4a623bcd95190d2f5a958472fb41e576d" }, { "category": "external", "summary": "https://github.com/django/django/commit/8c660fb59239828583f17cdede3b64f208b8752c", "url": "https://github.com/django/django/commit/8c660fb59239828583f17cdede3b64f208b8752c" }, { "category": "external", "summary": "https://github.com/django/django/commit/9d7bd5a56b1ce0576e8e07a8001373576d277942", "url": "https://github.com/django/django/commit/9d7bd5a56b1ce0576e8e07a8001373576d277942" }, { "category": "external", "summary": "https://github.com/django/django/commit/c7e0151fdf33e1b11d488b6f67b94fdf3a30614a", "url": "https://github.com/django/django/commit/c7e0151fdf33e1b11d488b6f67b94fdf3a30614a" }, { "category": "external", "summary": "https://www.djangoproject.com/weblog/2023/feb/01/security-releases/", "url": "https://www.djangoproject.com/weblog/2023/feb/01/security-releases/" } ], "release_date": "2023-02-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-05-03T14:58:45+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHUI-4:python-django-0:3.2.18-1.0.1.el8ui.src", "8Base-RHUI-4:python39-django-0:3.2.18-1.0.1.el8ui.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:2101" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHUI-4:python-django-0:3.2.18-1.0.1.el8ui.src", "8Base-RHUI-4:python39-django-0:3.2.18-1.0.1.el8ui.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-django: Potential denial-of-service via Accept-Language headers" }, { "cve": "CVE-2023-24580", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-02-07T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-RHUI-4:python-future-0:0.18.3-1.0.1.el8ui.src", "8Base-RHUI-4:python39-future-0:0.18.3-1.0.1.el8ui.noarch", "8Base-RHUI-4:rhui-installer-0:4.4.0.5-1.el8ui.noarch", "8Base-RHUI-4:rhui-installer-0:4.4.0.5-1.el8ui.src", "8Base-RHUI-4:rhui-tools-0:4.4.0.5-1.el8ui.noarch", "8Base-RHUI-4:rhui-tools-0:4.4.0.5-1.el8ui.src", "8Base-RHUI-4:rhui-tools-libs-0:4.4.0.5-1.el8ui.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2169402" } ], "notes": [ { "category": "description", "text": "A memory exhaustion flaw was found in the python-django package. This issue occurs when passing certain inputs, leading to a system crash and denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-django: Potential denial-of-service vulnerability in file uploads", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHUI-4:python-django-0:3.2.18-1.0.1.el8ui.src", "8Base-RHUI-4:python39-django-0:3.2.18-1.0.1.el8ui.noarch" ], "known_not_affected": [ "8Base-RHUI-4:python-future-0:0.18.3-1.0.1.el8ui.src", "8Base-RHUI-4:python39-future-0:0.18.3-1.0.1.el8ui.noarch", "8Base-RHUI-4:rhui-installer-0:4.4.0.5-1.el8ui.noarch", "8Base-RHUI-4:rhui-installer-0:4.4.0.5-1.el8ui.src", "8Base-RHUI-4:rhui-tools-0:4.4.0.5-1.el8ui.noarch", "8Base-RHUI-4:rhui-tools-0:4.4.0.5-1.el8ui.src", "8Base-RHUI-4:rhui-tools-libs-0:4.4.0.5-1.el8ui.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-24580" }, { "category": "external", "summary": "RHBZ#2169402", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169402" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-24580", "url": "https://www.cve.org/CVERecord?id=CVE-2023-24580" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24580", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24580" }, { "category": "external", "summary": "https://www.djangoproject.com/weblog/2023/feb/14/security-releases/", "url": "https://www.djangoproject.com/weblog/2023/feb/14/security-releases/" } ], "release_date": "2023-02-14T09:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-05-03T14:58:45+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHUI-4:python-django-0:3.2.18-1.0.1.el8ui.src", "8Base-RHUI-4:python39-django-0:3.2.18-1.0.1.el8ui.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:2101" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHUI-4:python-django-0:3.2.18-1.0.1.el8ui.src", "8Base-RHUI-4:python39-django-0:3.2.18-1.0.1.el8ui.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-django: Potential denial-of-service vulnerability in file uploads" } ] }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.