The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7851.json

Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Satellite 6.14.1 Async Security Update
Advisory ID: RHSA-2023:7851-03
Product: Red Hat Satellite 6
Advisory URL: https://access.redhat.com/errata/RHSA-2023:7851
Issue date: 2023-12-14
Revision: 03
CVE Names: CVE-2023-4886
====================================================================

Summary:

Updated Satellite 6.14 packages that fixes Important security bugs and several
regular bugs are now available for Red Hat Satellite.

Description:

Red Hat Satellite is a system management solution that allows organizations
to configure and maintain their systems without the necessity to provide
public Internet access to their servers or other client systems. It
performs provisioning and configuration management of predefined standard
operating environments.

Security fix(es):

* rubygem-actionpack: actionpack: Possible XSS via User Supplied Values to redirect_to [rhn_satellite_6.14] (CVE-2023-28362)

* foreman: World readable file containing secrets [rhn_satellite_6.14] (CVE-2023-4886)

* python-urllib3: urllib3: Request body not stripped after redirect from 303 status changes request method to GET [rhn_satellite_6-default] (CVE-2023-45803 )

* python-gitpython: GitPython: Blind local file inclusion [rhn_satellite_6-default] (CVE-2023-41040)

This update fixes the following bugs:

2250342 - REX job finished with exit code 0 but the script failed on client side due to no space.
2250343 - Selinux denials are reported after following \"Chapter 13. Managing Custom File Type Content\" chapter step by step
2250344 - Long running postgres threads during content-export
2250345 - Upgrade django-import-export package to at least 3.1.0
2250349 - After upstream repo switched to zst compression, Satellite 6.12.5.1 unable to sync
2250350 - Slow generate applicability for Hosts with multiple modulestreams installed
2250352 - Recalculate button for Errata is not available on Satellite 6.13/ Satellite 6.14 if no errata is present
2250351 - Actions::ForemanLeapp::PreupgradeJob fails with null value in column \"preupgrade_report_id\" violates not-null constraint when run with non-admin user
2251799 - REX Template for 'convert2rhel analyze' command
2254085 - Getting '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] ERROR while trying to upgrade Satellite 6.13 to 6.14
2254080 - satellite-convert2rhel-toolkit rpm v1.0.0 in 6.14.z

Users of Red Hat Satellite are advised to upgrade to these updated
packages, which fix these bugs.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-4886

References:

https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html/upgrading_red_hat_satellite_to_6.14/index
https://bugzilla.redhat.com/show_bug.cgi?id=2217785
https://bugzilla.redhat.com/show_bug.cgi?id=2230135
https://bugzilla.redhat.com/show_bug.cgi?id=2246840
https://bugzilla.redhat.com/show_bug.cgi?id=2247040
https://bugzilla.redhat.com/show_bug.cgi?id=2250342
https://bugzilla.redhat.com/show_bug.cgi?id=2250343
https://bugzilla.redhat.com/show_bug.cgi?id=2250344
https://bugzilla.redhat.com/show_bug.cgi?id=2250345
https://bugzilla.redhat.com/show_bug.cgi?id=2250349
https://bugzilla.redhat.com/show_bug.cgi?id=2250350
https://bugzilla.redhat.com/show_bug.cgi?id=2250351
https://bugzilla.redhat.com/show_bug.cgi?id=2250352
https://bugzilla.redhat.com/show_bug.cgi?id=2251799
https://bugzilla.redhat.com/show_bug.cgi?id=2254080
https://bugzilla.redhat.com/show_bug.cgi?id=2254085