Issued: 2025-02-12
Updated: 2025-02-12

RHSA-2025:1335 - Important: RHUI 4.11 security, bugfix, and enhancement update


Synopsis

Important: RHUI 4.11 security, bugfix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.11 updates Pulp to a newer upstream version, fixes several issues, and adds an enhancement.

Description

Red Hat Update Infrastructure (RHUI) provides a highly scalable and redundant framework for managing repositories and content. It also allows cloud providers to deliver content and updates to Red Hat Enterprise Linux (RHEL) instances.

Security Fixes:

  • Cryptography: NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override (CVE-2024-26130)

  • Gunicorn: HTTP Request Smuggling due to improper validation of Transfer-Encoding headers (CVE-2024-1135)

  • Aiohttp: XSS on index pages for static file handling (CVE-2024-27306)

  • Aiohttp: DoS when trying to parse malformed POST requests (CVE-2024-30251)

  • Sqlparse: parsing heavily nested list leads to denial of service (CVE-2024-4340)

  • Jinja2: accepts keys containing non-attribute characters (CVE-2024-34064)

  • Django: Potential denial-of-service in django.utils.translation.get_supported_language_variant() (CVE-2024-39614)

  • Django: Memory exhaustion in django.utils.numberformat.floatformat() (CVE-2024-41989)

  • Django: Potential SQL injection in QuerySet.values() and values_list() (CVE-2024-42005)

  • Django: Potential denial-of-service vulnerability in django.utils.html.urlize() (CVE-2024-41990)

  • Django: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget (CVE-2024-41991)

  • Grpcio: client communicating with a HTTP/2 proxy can poison the HPACK table between the proxy and the backend (CVE-2024-7246)

  • Requests: subsequent requests to the same host ignore cert verification (CVE-2024-35195)

For detailed information on other changes in this release, see the Red Hat Update Infrastructure Release Notes linked from the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For detailed instructions on how to apply this update, see: https://docs.redhat.com/en/documentation/red_hat_update_infrastructure/4/html/migrating_red_hat_update_infrastructure/assembly_upgrading-red-hat-update-infrastructure_migrating-red-hat-update-infrastructure

For other information, see the product documentation: https://docs.redhat.com/en/documentation/red_hat_update_infrastructure/4

Affected Products

Product: Red Hat Update Infrastructure
Version: 4
Arch: x86_64

Updated Packages

  • python3.11-cryptography-debuginfo-42.0.8-1.el8ui.x86_64.rpm
  • rhui-tools-4.11.0.4-1.el8ui.noarch.rpm
  • python-rhsm-1.19.2-7.0.1.el8ui.src.rpm
  • python3.11-pyrsistent-0.18.1-6.el8ui.x86_64.rpm
  • python3.11-solv-0.7.28-1.el8ui.x86_64.rpm
  • python-pyrsistent-debugsource-0.18.1-6.el8ui.x86_64.rpm
  • python-uritemplate-4.1.1-6.el8ui.src.rpm
  • libcomps-0.1.21-1.el8ui.x86_64.rpm
  • python-pyOpenSSL-24.1.0-1.el8ui.src.rpm
  • python-psycopg_c-debugsource-3.2.3-1.el8ui.x86_64.rpm
  • python-pulp-container-2.20.3-1.el8ui.src.rpm
  • python-json-stream-rs-tokenizer-0.4.25-4.el8ui.src.rpm
  • python-brotli-debugsource-1.0.9-6.el8ui.x86_64.rpm
  • python-uuid6-2023.5.2-5.el8ui.src.rpm
  • python-psycopg-3.2.3-1.el8ui.src.rpm
  • python-attrs-21.4.0-6.el8ui.src.rpm
  • python-pulpcore-3.49.22-1.el8ui.src.rpm
  • python3.11-charset-normalizer-2.1.1-5.el8ui.noarch.rpm
  • python3.11-django-readonly-field-1.1.2-4.el8ui.noarch.rpm
  • python3.11-dynaconf-3.1.12-4.el8ui.noarch.rpm
  • python3.11-rhsm-1.19.2-7.0.1.el8ui.x86_64.rpm
  • python3.11-tablib-3.3.0-5.el8ui.noarch.rpm
  • python3.11-django-4.2.15-1.el8ui.noarch.rpm
  • python-tablib-3.3.0-5.el8ui.src.rpm
  • python3.11-createrepo_c-1.1.3-1.0.1.el8ui.x86_64.rpm
  • python3.11-pycares-4.1.2-6.el8ui.x86_64.rpm
  • python3.11-urllib3-2.2.3-1.el8ui.noarch.rpm
  • rhui-cds-plugin-mirror-2.0.0-1.el8ui.noarch.rpm
  • python3.11-psycopg_c-3.2.3-1.el8ui.x86_64.rpm
  • rhui-cds-plugin-mirror-2.0.0-1.el8ui.src.rpm
  • python-django-lifecycle-1.0.0-4.el8ui.src.rpm
  • python3-createrepo_c-debuginfo-1.1.3-1.0.1.el8ui.x86_64.rpm
  • python3.11-pyrsistent-debuginfo-0.18.1-6.el8ui.x86_64.rpm
  • m2crypto-0.40.1-1.0.2.el8ui.src.rpm
  • python-pyparsing-3.1.1-4.el8ui.src.rpm
  • python3.11-yarl-1.8.2-5.el8ui.x86_64.rpm
  • python-pycares-debugsource-4.1.2-6.el8ui.x86_64.rpm
  • python-pyyaml-5.4.1-8.0.1.el8ui.src.rpm
  • createrepo_c-libs-debuginfo-1.1.3-1.0.1.el8ui.x86_64.rpm
  • python-pyrsistent-0.18.1-6.el8ui.src.rpm
  • python3.11-defusedxml-0.7.1-7.el8ui.noarch.rpm
  • python3.11-frozenlist-debuginfo-1.3.3-5.el8ui.x86_64.rpm
  • python3.11-createrepo_c-debuginfo-1.1.3-1.0.1.el8ui.x86_64.rpm
  • python3.11-markuppy-1.14-7.el8ui.noarch.rpm
  • rhui-cds-plugin-authorizer-2.0.0-1.el8ui.noarch.rpm
  • python-requests-2.32.3-2.el8ui.src.rpm
  • python-rhsm-debugsource-1.19.2-7.0.1.el8ui.x86_64.rpm
  • python3.11-wrapt-1.14.1-5.el8ui.x86_64.rpm
  • python-redis-4.3.4-5.el8ui.src.rpm
  • python3.11-drf-access-policy-1.3.0-4.el8ui.noarch.rpm
  • python-jq-1.6.0-4.el8ui.src.rpm
  • python3.11-aiodns-3.0.0-7.el8ui.noarch.rpm
  • python-protobuf-4.21.6-5.el8ui.src.rpm
  • python3-pulp-container-client-2.21.0-1.el8ui.noarch.rpm
  • python3.11-xlrd-2.0.1-9.el8ui.noarch.rpm
  • rhui-cds-plugin-authorizer-2.0.0-1.el8ui.src.rpm
  • python3.11-pulp-glue-0.29.2-2.el8ui.noarch.rpm
  • python-aiohttp-3.9.4-1.el8ui.src.rpm
  • python3.11-django-guid-3.3.0-5.el8ui.noarch.rpm
  • python3.11-uuid6-2023.5.2-5.el8ui.noarch.rpm
  • python3.11-uritemplate-4.1.1-6.el8ui.noarch.rpm
  • python3.11-m2crypto-debuginfo-0.40.1-1.0.2.el8ui.x86_64.rpm
  • python-frozenlist-debugsource-1.3.3-5.el8ui.x86_64.rpm
  • ansible-collection-community-crypto-2.21.1-1.el8ui.src.rpm
  • python-productmd-1.33-7.el8ui.src.rpm
  • python3.11-protobuf-4.21.6-5.el8ui.noarch.rpm
  • python-async-timeout-4.0.2-6.el8ui.src.rpm
  • python-types-cryptography-3.3.23.2-5.el8ui.src.rpm
  • python-markuppy-1.14-7.el8ui.src.rpm
  • python3.11-typing-extensions-4.7.1-5.el8ui.noarch.rpm
  • python3.11-wrapt-debuginfo-1.14.1-5.el8ui.x86_64.rpm
  • python-gnupg-0.5.0-5.el8ui.src.rpm
  • python3.11-deprecated-1.2.13-5.el8ui.noarch.rpm
  • python-iniparse-0.4-40.0.1.el8ui.src.rpm
  • python3.11-pyparsing-3.1.1-4.el8ui.noarch.rpm
  • python-dateutil-2.8.2-7.el8ui.src.rpm
  • python3.11-asyncio-throttle-1.0.2-7.el8ui.noarch.rpm
  • libcomps-debugsource-0.1.21-1.el8ui.x86_64.rpm
  • python-pulpcore-client-3.49.19-1.0.2.el8ui.src.rpm
  • python3.11-asgiref-3.6.0-5.el8ui.noarch.rpm
  • python3.11-gunicorn-22.0.0-1.0.1.el8ui.noarch.rpm
  • python3.11-iniparse-0.4-40.0.1.el8ui.noarch.rpm
  • python3-pulp-rpm-client-3.25.4-1.0.1.el8ui.noarch.rpm
  • python3.11-pycares-debuginfo-4.1.2-6.el8ui.x86_64.rpm
  • python3.11-pytz-2022.2.1-6.el8ui.noarch.rpm
  • python-pyjwkest-1.4.2-9.el8ui.src.rpm
  • python3.11-odfpy-1.4.1-10.el8ui.noarch.rpm
  • python-brotli-1.0.9-6.el8ui.src.rpm
  • python3.11-packaging-21.3-6.el8ui.noarch.rpm
  • python3.11-markupsafe-2.1.2-5.el8ui.x86_64.rpm
  • python3.11-et-xmlfile-1.1.0-6.el8ui.noarch.rpm
  • python3.11-psycopg_c-debuginfo-3.2.3-1.el8ui.x86_64.rpm
  • python3.11-importlib-metadata-6.0.1-5.el8ui.noarch.rpm
  • python3-libcomps-0.1.21-1.el8ui.x86_64.rpm
  • python-pulp-rpm-3.26.1-1.el8ui.src.rpm
  • ansible-collection-community-crypto-2.21.1-1.el8ui.noarch.rpm
  • python3.11-certifi-2022.12.7-5.0.1.el8ui.noarch.rpm
  • python-cryptography-debugsource-42.0.8-1.el8ui.x86_64.rpm
  • python3.11-drf-spectacular-0.26.5-5.el8ui.noarch.rpm
  • python3.11-libcomps-debuginfo-0.1.21-1.el8ui.x86_64.rpm
  • python3.11-zipp-3.4.0-8.el8ui.noarch.rpm
  • rhui-cds-plugin-authorizer-cert-2.0.0-1.el8ui.src.rpm
  • python3-pyyaml-5.4.1-8.0.1.el8ui.x86_64.rpm
  • python3.11-pyjwkest-1.4.2-9.el8ui.noarch.rpm
  • python-charset-normalizer-2.1.1-5.el8ui.src.rpm
  • python-pytz-2022.2.1-6.el8ui.src.rpm
  • python-inflection-0.5.1-7.el8ui.src.rpm
  • python-urllib3-2.2.3-1.el8ui.src.rpm
  • python3.11-pygtrie-2.5.0-5.el8ui.noarch.rpm
  • python-pycryptodomex-3.20.0-1.el8ui.src.rpm
  • python-pulp-rpm-client-3.25.4-1.0.1.el8ui.src.rpm
  • python3.11-multidict-debuginfo-6.0.4-5.el8ui.x86_64.rpm
  • python3.11-django-filter-23.2-4.el8ui.noarch.rpm
  • python-deprecated-1.2.13-5.el8ui.src.rpm
  • python3.11-brotli-debuginfo-1.0.9-6.el8ui.x86_64.rpm
  • python-pycryptodomex-debugsource-3.20.0-1.el8ui.x86_64.rpm
  • python3.11-jq-1.6.0-4.el8ui.x86_64.rpm
  • python3.11-productmd-1.33-7.el8ui.noarch.rpm
  • python3.11-whitenoise-6.0.0-5.el8ui.noarch.rpm
  • python3.11-json_stream_rs_tokenizer-0.4.25-4.el8ui.x86_64.rpm
  • python3.11-redis-4.3.4-5.el8ui.noarch.rpm
  • python3.11-libcomps-0.1.21-1.el8ui.x86_64.rpm
  • python3.11-gnupg-0.5.0-5.el8ui.noarch.rpm
  • python-aiosignal-1.3.1-5.el8ui.src.rpm
  • python3.11-solv-debuginfo-0.7.28-1.el8ui.x86_64.rpm
  • python-yarl-debugsource-1.8.2-5.el8ui.x86_64.rpm
  • python3-m2crypto-0.40.1-1.0.2.el8ui.x86_64.rpm
  • python3.11-pulpcore-3.49.22-1.el8ui.noarch.rpm
  • python-asgiref-3.6.0-5.el8ui.src.rpm
  • python-backoff-2.2.1-5.el8ui.src.rpm
  • python-whitenoise-6.0.0-5.el8ui.src.rpm
  • python-typing-extensions-4.7.1-5.el8ui.src.rpm
  • python-grpcio-debugsource-1.65.4-1.el8ui.x86_64.rpm
  • python3.11-djangorestframework-3.14.0-4.el8ui.noarch.rpm
  • python-aiofiles-22.1.0-5.el8ui.src.rpm
  • python-dynaconf-3.1.12-4.el8ui.src.rpm
  • python-url-normalize-1.4.3-8.el8ui.src.rpm
  • python3.11-yarl-debuginfo-1.8.2-5.el8ui.x86_64.rpm
  • python3.11-django-import-export-3.1.0-4.el8ui.noarch.rpm
  • python3.11-pycryptodomex-debuginfo-3.20.0-1.el8ui.x86_64.rpm
  • python3.11-googleapis-common-protos-1.59.1-5.el8ui.noarch.rpm
  • rhui-cds-plugin-fetcher-2.0.0-1.el8ui.src.rpm
  • python3.11-diff-match-patch-20200713-7.el8ui.noarch.rpm
  • python3.11-pulp-container-2.20.3-1.el8ui.noarch.rpm
  • python-diff-match-patch-20200713-7.el8ui.src.rpm
  • python3.11-pycryptodomex-3.20.0-1.el8ui.x86_64.rpm
  • python-ecdsa-0.18.0-5.el8ui.src.rpm
  • python3.11-click-8.1.3-5.el8ui.noarch.rpm
  • python-cryptography-42.0.8-1.el8ui.src.rpm
  • python-et-xmlfile-1.1.0-6.el8ui.src.rpm
  • python-pygtrie-2.5.0-5.el8ui.src.rpm
  • python-openpyxl-3.1.0-5.el8ui.src.rpm
  • rhui-tools-4.11.0.4-1.el8ui.src.rpm
  • python-django-guid-3.3.0-5.el8ui.src.rpm
  • python3.11-jsonschema-4.10.3-4.el8ui.noarch.rpm
  • python-wrapt-1.14.1-5.el8ui.src.rpm
  • python-aiohttp-debugsource-3.9.4-1.el8ui.x86_64.rpm
  • python3.11-grpcio-debuginfo-1.65.4-1.el8ui.x86_64.rpm
  • python-markupsafe-debugsource-2.1.2-5.el8ui.x86_64.rpm
  • python-jsonschema-4.10.3-4.el8ui.src.rpm
  • python3.11-psycopg-3.2.3-1.el8ui.noarch.rpm
  • python3.11-drf-nested-routers-0.93.4-6.el8ui.noarch.rpm
  • python-sqlparse-0.5.0-1.el8ui.src.rpm
  • python-importlib-metadata-6.0.1-5.el8ui.src.rpm
  • python3-m2crypto-debuginfo-0.40.1-1.0.2.el8ui.x86_64.rpm
  • python-xlwt-1.3.0-7.el8ui.src.rpm
  • python-certifi-2022.12.7-5.0.1.el8ui.src.rpm
  • python3.11-jinja2-3.1.4-1.el8ui.noarch.rpm
  • rhui-cds-plugin-fetcher-2.0.0-1.el8ui.noarch.rpm
  • python-django-import-export-3.1.0-4.el8ui.src.rpm
  • python-pycparser-2.21-6.el8ui.src.rpm
  • python3.11-multidict-6.0.4-5.el8ui.x86_64.rpm
  • python-odfpy-1.4.1-10.el8ui.src.rpm
  • python-django-filter-23.2-4.el8ui.src.rpm
  • python3.11-inflection-0.5.1-7.el8ui.noarch.rpm
  • python3.11-ecdsa-0.18.0-5.el8ui.noarch.rpm
  • python-gunicorn-22.0.0-1.0.1.el8ui.src.rpm
  • python-asyncio-throttle-1.0.2-7.el8ui.src.rpm
  • python3.11-url-normalize-1.4.3-8.el8ui.noarch.rpm
  • python3.11-aiosignal-1.3.1-5.el8ui.noarch.rpm
  • python3.11-pulp-rpm-3.26.1-1.el8ui.noarch.rpm
  • python3.11-pycparser-2.21-6.el8ui.noarch.rpm
  • python-multidict-6.0.4-5.el8ui.src.rpm
  • python-solv-debugsource-0.7.28-1.el8ui.x86_64.rpm
  • rhui-installer-4.11.0.2-1.el8ui.noarch.rpm
  • python-jinja2-3.1.4-1.el8ui.src.rpm
  • m2crypto-debugsource-0.40.1-1.0.2.el8ui.x86_64.rpm
  • python3.11-future-0.18.3-5.el8ui.noarch.rpm
  • python3.11-xlwt-1.3.0-7.el8ui.noarch.rpm
  • libcomps-0.1.21-1.el8ui.src.rpm
  • python3.11-pyOpenSSL-24.1.0-1.el8ui.noarch.rpm
  • python3.11-m2crypto-0.40.1-1.0.2.el8ui.x86_64.rpm
  • python-drf-spectacular-0.26.5-5.el8ui.src.rpm
  • python-pulp-container-client-2.21.0-1.el8ui.src.rpm
  • python-wrapt-debugsource-1.14.1-5.el8ui.x86_64.rpm
  • python-xlrd-2.0.1-9.el8ui.src.rpm
  • python3.11-sqlparse-0.5.0-1.el8ui.noarch.rpm
  • python-urlman-2.0.1-5.el8ui.src.rpm
  • python-psycopg_c-3.2.3-1.el8ui.src.rpm
  • python-pycares-4.1.2-6.el8ui.src.rpm
  • python-aiohttp-xmlrpc-1.5.0-6.el8ui.src.rpm
  • python3.11-openpyxl-3.1.0-5.el8ui.noarch.rpm
  • python3.11-types-cryptography-3.3.23.2-5.el8ui.noarch.rpm
  • rhui-cds-plugin-authorizer-cert-2.0.0-1.el8ui.noarch.rpm
  • createrepo_c-debuginfo-1.1.3-1.0.1.el8ui.x86_64.rpm
  • python-future-0.18.3-5.el8ui.src.rpm
  • libcomps-debuginfo-0.1.21-1.el8ui.x86_64.rpm
  • python3.11-async-timeout-4.0.2-6.el8ui.noarch.rpm
  • createrepo_c-debugsource-1.1.3-1.0.1.el8ui.x86_64.rpm
  • python-packaging-21.3-6.el8ui.src.rpm
  • python-defusedxml-0.7.1-7.el8ui.src.rpm
  • python3.11-brotli-1.0.9-6.el8ui.x86_64.rpm
  • rhui-tools-libs-4.11.0.4-1.el8ui.noarch.rpm
  • python3-libcomps-debuginfo-0.1.21-1.el8ui.x86_64.rpm
  • python3.11-requests-2.32.3-2.el8ui.noarch.rpm
  • python-frozenlist-1.3.3-5.el8ui.src.rpm
  • python3.11-markupsafe-debuginfo-2.1.2-5.el8ui.x86_64.rpm
  • python-pyjwt-2.5.0-5.el8ui.src.rpm
  • python3.11-aiofiles-22.1.0-5.el8ui.noarch.rpm
  • python-aiodns-3.0.0-7.el8ui.src.rpm
  • python-grpcio-1.65.4-1.el8ui.src.rpm
  • python-zipp-3.4.0-8.el8ui.src.rpm
  • python3.11-aiohttp-debuginfo-3.9.4-1.el8ui.x86_64.rpm
  • python3.11-backoff-2.2.1-5.el8ui.noarch.rpm
  • python3.11-django-lifecycle-1.0.0-4.el8ui.noarch.rpm
  • python-googleapis-common-protos-1.59.1-5.el8ui.src.rpm
  • python3-certifi-2022.12.7-5.0.1.el8ui.noarch.rpm
  • python-djangorestframework-queryfields-1.0.0-8.el8ui.src.rpm
  • python3-createrepo_c-1.1.3-1.0.1.el8ui.x86_64.rpm
  • python-drf-access-policy-1.3.0-4.el8ui.src.rpm
  • python3.11-djangorestframework-queryfields-1.0.0-8.el8ui.noarch.rpm
  • python3.11-urlman-2.0.1-5.el8ui.noarch.rpm
  • python3.11-grpcio-1.65.4-1.el8ui.x86_64.rpm
  • python3.11-aiohttp-3.9.4-1.el8ui.x86_64.rpm
  • python3.11-rhsm-debuginfo-1.19.2-7.0.1.el8ui.x86_64.rpm
  • python3.11-cryptography-42.0.8-1.el8ui.x86_64.rpm
  • python-click-8.1.3-5.el8ui.src.rpm
  • python3.11-attrs-21.4.0-6.el8ui.noarch.rpm
  • createrepo_c-1.1.3-1.0.1.el8ui.src.rpm
  • python3-pulpcore-client-3.49.19-1.0.2.el8ui.noarch.rpm
  • python-django-4.2.15-1.el8ui.src.rpm
  • python-drf-nested-routers-0.93.4-6.el8ui.src.rpm
  • python-markupsafe-2.1.2-5.el8ui.src.rpm
  • python3.11-frozenlist-1.3.3-5.el8ui.x86_64.rpm
  • python-django-readonly-field-1.1.2-4.el8ui.src.rpm
  • rhui-installer-4.11.0.2-1.el8ui.src.rpm
  • python-pulp-glue-0.29.2-2.el8ui.src.rpm
  • python3.11-pyjwt-2.5.0-5.el8ui.noarch.rpm
  • m2crypto-debuginfo-0.40.1-1.0.2.el8ui.x86_64.rpm
  • python-multidict-debugsource-6.0.4-5.el8ui.x86_64.rpm
  • python3.11-aiohttp-xmlrpc-1.5.0-6.el8ui.noarch.rpm
  • python-djangorestframework-3.14.0-4.el8ui.src.rpm
  • python-yarl-1.8.2-5.el8ui.src.rpm
  • python3.11-dateutil-2.8.2-7.el8ui.noarch.rpm
  • createrepo_c-libs-1.1.3-1.0.1.el8ui.x86_64.rpm

References