Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant
framework that enables you to manage repositories and content. It also enables
cloud providers to deliver content and updates to Red Hat Enterprise Linux
(RHEL) instances.
Security Fix(es):
python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator (CVE-2023-36053)
python-aiohttp: HTTP request smuggling via llhttp HTTP request parser (CVE-2023-37276)
python-django: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri()
(CVE-2023-41164)
python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)
python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)
aiohttp: HTTP request modification (CVE-2023-49081)
python-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)
jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)
aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
python-ecdsa: vulnerable to the Minerva attack (CVE-2024-23342)
python-aiohttp: http request smuggling (CVE-2024-23829)
Django: denial-of-service in intcomma
template filter (CVE-2024-24680)
python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words() (CVE-2024-27351)
aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)
This RHUI update fixes the following bugs:
This RHUI update introduces the following enhancements:
A native Ansible module is now used to update the packages on the RHUA server when the RHUI installer is run for the first time or rerun at any time. This update can be prevented by using the --ignore-newer-rhel-packages flag on the rhui-installer command line.
PulpCore has been updated to version 3.39.