Important: Satellite 6.13 Release

Synopsis

Important: Satellite 6.13 Release

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat Satellite 6.13. The release contains a
new version of Satellite and important security fixes for various components.

Description

Red Hat Satellite is a systems management tool for Linux-based
infrastructure. It allows for provisioning, remote management, and
monitoring of multiple Linux deployments with a single centralized tool.

Security Fix(es):

  • CVE-2022-1471 CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751 CVE-2022-38752 candlepin and puppetserver: various flaws
  • CVE-2022-22577 tfm-rubygem-actionpack: rubygem-actionpack: Possible cross-site scripting vulnerability in Action Pack
  • CVE-2022-23514 rubygem-loofah: inefficient regular expression leading to denial of service
  • CVE-2022-23515 rubygem-loofah: rubygem-loofah: Improper neutralization of data URIs leading to Cross Site Scripting
  • CVE-2022-23516 rubygem-loofah: Uncontrolled Recursion leading to denial of service
  • CVE-2022-23517 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Inefficient Regular Expression leading to denial of service
  • CVE-2022-23518 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Improper neutralization of data URIs leading to Cross site scripting
  • CVE-2022-23519 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Cross site scripting vulnerability with certain configurations
  • CVE-2022-23520 tfm-rubygem-rails-html-sanitizer: rubygem-rails-html-sanitizer: Cross site scripting vulnerability with certain configurations
  • CVE-2022-27777 tfm-rubygem-actionview: Possible cross-site scripting vulnerability in Action View tag helpers
  • CVE-2022-31163 rubygem-tzinfo: rubygem-tzinfo: arbitrary code execution
  • CVE-2022-32224 tfm-rubygem-activerecord: activerecord: Possible RCE escalation bug with Serialized Columns in Active Record
  • CVE-2022-33980 candlepin: apache-commons-configuration2: Apache Commons Configuration insecure interpolation defaults
  • CVE-2022-41323 satellite-capsule:el8/python-django: Potential denial-of-service vulnerability in internationalized URLs
  • CVE-2022-41946 candlepin: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions
  • CVE-2022-42003 CVE-2022-42004 candlepin: various flaws
  • CVE-2022-42889 candlepin: apache-commons-text: variable interpolation RCE
  • CVE-2023-23969 python-django: Potential denial-of-service via Accept-Language headers
  • CVE-2023-24580 python-django: Potential denial-of-service vulnerability in file uploads

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

The items above are not a complete list of changes. This update also fixes
several bugs and adds various enhancements. Documentation for these changes
is available from the Release Notes document.

Solution

For Red Hat Satellite 6.13, see the following documentation for the release.
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.13

The important instructions on how to upgrade are available below.
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.13/html/upgrading_and_updating_red_hat_satellite

Affected Products

  • Red Hat Satellite 6.13 x86_64
  • Red Hat Satellite Capsule 6.13 x86_64
  • Red Hat Enterprise Linux for x86_64 8 x86_64

Fixes

  • BZ - 1225819 - [RFE] Ability to sync from closest CDN mirror for Capsule
  • BZ - 1266407 - IPA (external users) not able to authenticate using hammer CLI: invalid user / SSO failed
  • BZ - 1630294 - [RFE] Remote execution overview dashboard should be more interactive like the Monitor Dashboard
  • BZ - 1638226 - [RFE] Show difference in errata between ContentViewVersions
  • BZ - 1650468 - [RFE] Allow to export Docker images from content views or as repository as part ISS
  • BZ - 1761012 - [RFE] Ability to generate a report for ansible/remote execution task result.
  • BZ - 1786358 - [RFE] Ability to make persistent changes in "ansible.cfg" on Satellite Server.
  • BZ - 1787456 - [RFE] Candlepin log rotation settings should be user-configurable
  • BZ - 1813274 - [RFE] Allow customers to be able to add more columns to 'All Hosts' page in Red Hat Satellite 6 webui.
  • BZ - 1826648 - [RFE] new report template to list all the installed packages
  • BZ - 1837767 - Errata search filtered with ID does not work in Web UI
  • BZ - 1841534 - Provide support for "Privileged User" session when host console is being taken via cockpit from Satellite 6.7 UI
  • BZ - 1845489 - Audit page shows "auditable id / Host2" for "Host1" but Host2 does not exist or deleted from the all hosts
  • BZ - 1880947 - Satellite fails with "HTTP error (500 - Internal Server Error): PG::UniqueViolation: ERROR: duplicate key value violates unique constraint" while running concurrent registrations
  • BZ - 1888667 - "Applied Errata" report template does not consider input "Up to" and "Since" in WebUI, hammer works
  • BZ - 1895976 - Hammer Allows Invalid Release Version to be Set on Activation Key
  • BZ - 1920810 - Error message related to Trend in production log
  • BZ - 1931027 - Entitlement certificate is missing content section for a custom product
  • BZ - 1931533 - Update foreman-bootloaders-redhat to 202102220000 to add efinet module to Grub2 modules
  • BZ - 1950468 - root_pass setting does not enforce minimum length of 8 characters as the host and hostgroups forms do
  • BZ - 1952529 - Package and Errata actions on content hosts selected using the "select all hosts" option fails.
  • BZ - 1956210 - Health check should use hostname -f
  • BZ - 1956985 - [RFE] Capsule Last Sync date and status should not be based on task data.
  • BZ - 1963266 - [RFE]: Provide Capsule Load Balancer as an option for Global Registration Feature
  • BZ - 1964037 - wrong generation of /etc/tomcat/cert-users.properties
  • BZ - 1965871 - Change /var/log/candlepin directory owner/group to candlepin with 750 permission
  • BZ - 1978683 - [global registration] - puppet configuration are not inherited to host from host-group while global registration
  • BZ - 1978995 - [RFE] The satellite-installer should display the mismatched FQDN additionally rather than just showing the commands to verify the output
  • BZ - 1990790 - [RFE] add possibility to resize bookmarks dropdown menu
  • BZ - 1990875 - Update the foreman-discovery-image to inject the latest e1000e NIC drivers for I219-LM network cards
  • BZ - 1995097 - Tuning profile 'default' requires at least 8 GB of memory and 1 CPU cores
  • BZ - 1995470 - Activation key can be deleted, but still shows up in hostgroup configuration
  • BZ - 1997186 - [regression] data.yml is referring to old sync plain id which does not exist in katello_sync_plans
  • BZ - 1997199 - Can't create bookmarks under Lifecycle Environments
  • BZ - 2026151 - Can't sync private Azure registry to Satellite
  • BZ - 2029402 - [RFE] Add functionality in Hammer to Add/Delete a single Ansible role to Hostgroup without defining every role.
  • BZ - 2032040 - Enhance foreman-rake katello:correct_repositories to handle Katello::Errors::CandlepinError: Unable to find content with the ID "xxxxxxxxxxx".
  • BZ - 2043600 - consumer certificate is generated with validity after 19th Jan 2038 which is causing 2038 bug on 32bit systems
  • BZ - 2050234 - pulp_streamer runs out of file descriptors when upstream server is unavailable
  • BZ - 2052904 - [RFE] Prevent the deletion of content credentials when they are in use in Satellite 6.x
  • BZ - 2056402 - [RFE] New hosts page doesn't show global and host parameters
  • BZ - 2057314 - RHEL 9 as Guest OS is not available on Satellite 6.11
  • BZ - 2060099 - [RFE] ouia-ID for tile cards in the new host details page
  • BZ - 2062526 - Another deadlock issue when syncing repos with high concurrency
  • BZ - 2063999 - No profiles are shown for any module streams
  • BZ - 2066323 - [RFE] Satellite should use the newer asynchronous endpoint to export manifests
  • BZ - 2069438 - [RFE] new host ui details, tracer tab, page reload required after change
  • BZ - 2073847 - Restarting postgres just before task finish causes discrepancy between foreman and dynflow task status - forever
  • BZ - 2077363 - Fail to sync kickstart repositories with same sub repositories concurrently
  • BZ - 2080296 - CVE-2022-27777 tfm-rubygem-actionview: Possible cross-site scripting vulnerability in Action View tag helpers
  • BZ - 2080302 - CVE-2022-22577 rubygem-actionpack: Possible cross-site scripting vulnerability in Action Pack
  • BZ - 2088156 - Broken Link in the Realms section of Satellite
  • BZ - 2088529 - ForemanCustomScript in Host provisioned on Azure CR fails with `command not found`
  • BZ - 2094912 - Unable to search the hosts based on the query "ansible_role", if the roles are inherited from the hostgroup.
  • BZ - 2098079 - [RFE] Add an ability to search by Insights status
  • BZ - 2101708 - when host is deleted on hypervisor while ansible job is running, hosts gets deleted on hypervisor level
  • BZ - 2102078 - podman run returns Error: unexpected end of JSON input on image pulled from satellite
  • BZ - 2103936 - Execution of satellite-installer raises multiple "warning: URI.escape is obsolete" messages in Red Hat Satellite 6.11
  • BZ - 2104247 - [RFE] version non-specific flag to enable puppet on Red Hat Satellite.
  • BZ - 2105067 - CVE-2022-33980 apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults
  • BZ - 2105441 - RHEL 9 provisioned host goes into emergency mode after initial reboot
  • BZ - 2106475 - [RFE] Enhance puppet agent deployment for external puppetserver
  • BZ - 2106753 - [RFE] Allow user to choose between Graphical and Text mode anaconda installer during system build via Satellite 6
  • BZ - 2107011 - [RFE] Keep notifications from RSS feed in Notifications drawer in Satellite webui for a longer period of time
  • BZ - 2107758 - [RFE] Upgrade to Redis 6
  • BZ - 2108997 - CVE-2022-32224 activerecord: Possible RCE escalation bug with Serialized Columns in Active Record
  • BZ - 2109634 - Add module profile information to modulemd endpoints
  • BZ - 2110551 - CVE-2022-31163 rubygem-tzinfo: arbitrary code execution
  • BZ - 2111159 - Refreshing Alternate Content Source complains about invalid remote URL
  • BZ - 2115970 - Sync container images of existing docker type repositories fail with 404 - Not found
  • BZ - 2116375 - Even in 6.11.1, sync summary email notification shows the incorrect summary for newly added errata.
  • BZ - 2118651 - pull-provider rex jobs hang if host is not configured correctly
  • BZ - 2119053 - [RFE] X509 Certification Authorities" and "Optional HTTP headers as JSON (ERB allowed)" fields need to be included via Hammer CLI for "hammer webhook create" and "hammer webhook update" sub-options
  • BZ - 2119155 - With every edit of an existing webhook, the value in password field disappears in Satellite 6.10/6.11/6.12
  • BZ - 2119911 - VMware Image based Provisioning fails with error- : Could not find virtual machine network interface matching <IP>
  • BZ - 2120640 - New host details Insights tab doesn't work with breadcrumb switcher
  • BZ - 2121210 - [RFE] Add call-to-action empty states
  • BZ - 2121288 - Still getting API request timeout when indexing contents.
  • BZ - 2122617 - Kerberos authentication fails for POST, PUT and DELETE api calls
  • BZ - 2123593 - Satellite should be able to process (and publish) compressed comps.xml / groups metadata
  • BZ - 2123696 - The Value of "Allowed bootdisk types" shows up as subnetfull_host where as it is set as subnet,full_host in Satellite 6.12
  • BZ - 2123835 - System build based on "PXELess Discovery" will always fail if the "Installation token lifetime" has been disabled in Satellite 6.12
  • BZ - 2123932 - Unable to "Remove" a repository directly if the repo is part of a CV as well as CCV in Satellite 6.12
  • BZ - 2124419 - Jobs pushed in MQTT queue is not delivered if yggdrasild was not running and communicating with the right broker before the jobs were pushed
  • BZ - 2124520 - Changing the Capsule parameter post the curl command generated in Global Registration template failed with error "There was an error while generating the command, see the logs for more information."
  • BZ - 2125424 - Mismatched files between stage 1 and stage 2 kernel images during kickstart provisioning
  • BZ - 2125444 - Syncable exports across partitions causes ' Invalid cross-device link' error
  • BZ - 2126200 - CV version details repository tab links to library_instance_inverse version and lets you use it like a regular library repo
  • BZ - 2126349 - Missing cron job for ACS refresh in /etc/cron.d/katello
  • BZ - 2126372 - Refreshing ACS with --name instead of --id fails with "Error: Found more than one alternate_content_source."
  • BZ - 2126695 - Wrong Ansible documentation links
  • BZ - 2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
  • BZ - 2126905 - Packages tab - Add dropdown to select upgrade version
  • BZ - 2127180 - random failure of Inventory Sync
  • BZ - 2127470 - Content view publish fails when the content view and repository both have a large name with : Error message: the server returns an error HTTP status code: 500
  • BZ - 2127998 - RHEL 9 appstream and baseos kickstart repositories not showing as recommended repositories
  • BZ - 2128038 - [RFE] Add Templates tab in the new UI, under (Hosts > All Hosts > Host )
  • BZ - 2128256 - Insights recommendation sync failing in Satellite
  • BZ - 2128864 - Repo Deletion with no feed url causes a `ArgumentError`
  • BZ - 2128894 - [RFE] Need syncable yum-format repository imports
  • BZ - 2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
  • BZ - 2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
  • BZ - 2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match
  • BZ - 2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
  • BZ - 2129950 - ISE when creating a CV with org_id specified as array
  • BZ - 2130596 - insights-client --register --verbose throwing error UnicodeEncodeError: 'ascii' codec can't encode character '\ufffd' in position 94: ordinal not in range(128)
  • BZ - 2130698 - New Host UI: Toggle group is hidden when host has no installable errata
  • BZ - 2131312 - Satellite 6.9\6.10\6.11 suddenly cannot enable or sync satellite-tools repo for rhel 8 but the same works for rhel 7
  • BZ - 2131369 - Updating subscription attributes of a host, such as CV and LCE fails with "Katello::Resources::Candlepin::Consumer: 400 Bad Request" and "Cannot construct instance of `org.candlepin.dto.api.v1.GuestIdDTO`" error
  • BZ - 2131839 - re-enabling sync plans [FAIL] Could not update the sync plan: ERF28-1357 [ForemanTasks::RecurringLogicCancelledException]: Cannot update a cancelled Recurring Logic.
  • BZ - 2132452 - Missing ouia-id for content view
  • BZ - 2133343 - Content view filter will include module streams of other repos/arches if the errata contain rpms in different repos/arches.
  • BZ - 2133615 - Content view filter included errata not in the filter date range
  • BZ - 2134283 - SSH key passphrase is not working if password was set previously
  • BZ - 2134682 - Getting "undefined method `schema_version' for nil:NilClass" while syncing from quay.io
  • BZ - 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
  • BZ - 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
  • BZ - 2135418 - rubygem-foreman_hooks scriptlet issues an error message
  • BZ - 2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE
  • BZ - 2136130 - CVE-2022-41323 python-django: Potential denial-of-service vulnerability in internationalized URLs
  • BZ - 2137318 - hammer content-view purge only deletes up to "Entries per page" versions
  • BZ - 2137350 - hammer repository types command is missing options
  • BZ - 2137539 - mosquitto service is missing in `satellite-maintain service status -b` output
  • BZ - 2138887 - [RFE] Add content export to FAM
  • BZ - 2139209 - Don't use the term 'Subscription Watch' anymore
  • BZ - 2139418 - MQTT ReX mode makes it too easy to DDOS Satellite
  • BZ - 2139441 - Improve empty state design when a host has applicable errata but no installable errata
  • BZ - 2139545 - Registration error: PG::UniqueViolation: ERROR: duplicate key value violates unique constraint "katello_available_module_streams_name_stream_context"
  • BZ - 2140628 - Preupgrade and upgrade jobs should not mention RHEL 7
  • BZ - 2140807 - Show include all RPM without errata and the 3 other checkboxes for rpm and module stream filters outside table so they don't get hidden by empty state.
  • BZ - 2141136 - Orphaned ACSs should be cleaned from smart proxies
  • BZ - 2141187 - Searchbar disappears when trying to select a bookmark as user without bookmark permissions
  • BZ - 2141455 - New host details - Move Details tab out of experimental labs
  • BZ - 2141719 - While selecting "Enable debugging output" option, Satellite generates ahv virt-who configuration with "internal_debug=true" which is not recognized by virt-who
  • BZ - 2141810 - When working with CCV, include and exclude filters, eventually the number of packages in the CCV will not be as expected, causing problems to the customer
  • BZ - 2142514 - Satellite-clone not working if ansible-core 2.13 is installed
  • BZ - 2142555 - import puppet classes permission filter does not work
  • BZ - 2143451 - Satellite upgrades should not require enabling the next versions Satellite repository, and should rely only on the Maintenance repository
  • BZ - 2143497 - Can't perform incremental content exports in syncable format
  • BZ - 2143515 - ERROR -- /parallel-executor-core: no manager for Dynflow::Director::Event for event: #<Actions::ProxyAction::ProxyActionStopped
  • BZ - 2143695 - 0077_move_remote_url_credentials.py fails on Remotes that have @ in path, not netloc
  • BZ - 2144044 - Error "no certificate or crl found" when using a http proxy as "Default Http Proxy" for content syncing or manifest operations in Satellite 6.12
  • BZ - 2147579 - Unable to promote content view due to "NoMethodError: undefined method `get_status' for nil:NilClass"
  • BZ - 2148433 - kickstart_networking_setup template does not configure network
  • BZ - 2148813 - Inspecting an image with skopeo no longer works on Capsules
  • BZ - 2149030 - iPXE template for hosts are getting generated with two "ks=" kernel command line parameters in Satellite 6.11 and above
  • BZ - 2149543 - Incorrect spelling of Effective User on remote execution setting page.
  • BZ - 2149730 - new host details - Repository sets pagination ignores filters
  • BZ - 2149893 - Some custom repositories are failing to synchronize with error "This field may not be blank" after upgrading to Red Hat Satellite 6.11
  • BZ - 2149896 - satellite-change-hostname command fails with "ERROR: Unrecognised option '--disable-system-checks'"
  • BZ - 2149990 - 'Via customized remote execution' is broken on the new host detail page
  • BZ - 2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
  • BZ - 2150261 - ansible_roles page points to old URL for ansible guide
  • BZ - 2150311 - Hammer simplified ACS creation shouldn't allow user to enter product names
  • BZ - 2150380 - Puppet tab on a Host page on NewUI showing 'Something went wrong'
  • BZ - 2151333 - Mirror complete sync policy no longer allowed with ignored content types in the repo.
  • BZ - 2151487 - Missing Foreman google packages
  • BZ - 2151564 - Content view in French/Italian language doesn't show
  • BZ - 2151827 - Satellite defaults to old hosts details screen if navigated from dashboard
  • BZ - 2151838 - Module streams subtab in new host details UI is missing on RHEL 8.7 hosts
  • BZ - 2151856 - Access to /etc/resolv.conf file is denied by selinux for Puma Webserver when it's a symlink or systemd-resolved is explicitly being used
  • BZ - 2151935 - UX on change content source page is ambiguous
  • BZ - 2152609 - REX task running during logrotate to foreman-proxy goes to suspended state forever
  • BZ - 2153234 - CVE-2022-23514 rubygem-loofah: inefficient regular expression leading to denial of service
  • BZ - 2153241 - CVE-2022-23516 rubygem-loofah: Uncontrolled Recursion leading to denial of service
  • BZ - 2153262 - CVE-2022-23515 rubygem-loofah: Improper neutralization of data URIs leading to Cross Site Scripting
  • BZ - 2153273 - Subscription can't be blank, A Pool and its Subscription cannot belong to different organizations
  • BZ - 2153399 - CVE-2022-41946 postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions
  • BZ - 2153423 - job remains in pending state even when host detail reports exception
  • BZ - 2153701 - CVE-2022-23518 rubygem-rails-html-sanitizer: Improper neutralization of data URIs leading to Cross site scripting
  • BZ - 2153720 - CVE-2022-23517 rubygem-rails-html-sanitizer: Inefficient Regular Expression leading to denial of service
  • BZ - 2153744 - CVE-2022-23519 rubygem-rails-html-sanitizer: Cross site scripting vulnerability with certain configurations
  • BZ - 2153751 - CVE-2022-23520 rubygem-rails-html-sanitizer: Cross site scripting vulnerability with certain configurations
  • BZ - 2154184 - Disabling "Capsule batch tasks" makes all Ansible role jobs to fail - forever
  • BZ - 2154397 - Missing upgrade scenarios for 6.13 and 6.13.z in foreman-maintain
  • BZ - 2154512 - Katello API activation_key/:id/product_content does not expose per_page
  • BZ - 2154734 - Getting 'null value in column \"image_manifest_id\" violates not-null constraint' when syncing openstack container repos
  • BZ - 2155221 - Columns are overlapping while adding columns through "Manage columns" tab in "All Hosts"
  • BZ - 2155392 - Host config report page raises "undefined method `[]' for nil:NilClass" error
  • BZ - 2155527 - unable to install satellite 6.11 on rhel8.8 - ansible-core version is too new
  • BZ - 2155911 - Audit ouia-ids for ACS UI
  • BZ - 2156294 - Info button in Create templates -> Template opens a prompt showing info, but it is persists even after change of tabs on the "i" button
  • BZ - 2156295 - Info button in Create Host -> OpenSCAP capsule opens a prompt showing info, but it is persists even after change of tabs on the "i" button
  • BZ - 2156941 - Satellite operations doesn't install in an execution environment
  • BZ - 2157627 - health check uses the wrong certificate bundle to talk to Foreman
  • BZ - 2157869 - Satellite is not able to pick settings which transitioned from a non-default to default value
  • BZ - 2158508 - Permission denied on Ansible part of host page when usergroup of user have administrator role
  • BZ - 2158519 - Legacy rex form is missing options for future or recurring execution
  • BZ - 2158565 - Job invocation page shows inconsistency when clicking on Run job button.
  • BZ - 2158614 - deleting of products after a content export sometimes ends up in a candlepin error
  • BZ - 2158738 - time to pickup kills long running pull jobs, timeout to kill doesn't work in the same scenario
  • BZ - 2159776 - Unable to change download_policy to on_demand if the Red Hat Repository has any checksum_type set in Satellite
  • BZ - 2159963 - ForeignKeyViolation on ACS create when invalid --ssl-* argument is provided
  • BZ - 2159967 - Add some validation for name in Simplified ACS creation via hammer
  • BZ - 2159974 - Unable to disable SCA for an organization without manifest using API
  • BZ - 2160008 - (Regression of 2033940) Error: AttributeError: 'NoneType' object has no attribute 'cast' thrown while listing repository versions
  • BZ - 2160056 - mod_expires is not loaded
  • BZ - 2160112 - Add validations for Simplified ACS update via hammer
  • BZ - 2160264 - delete orphans task does not remove pulp3 remotes from capsules when removing repositories
  • BZ - 2160297 - Satellite 6.12 upgrade fails with error ERF73-0602 [Foreman::PermissionMissingException]: some permissions were not found: ["view_puppetclasses", "view_environments", :view_environments, :view_puppetclasses] (Foreman::PermissionMissingException)
  • BZ - 2160497 - Calling hammer concurrently raises 500 ISE error on apidoc / apipie
  • BZ - 2160508 - Upgrade to 6.13 fails due to satellite-common unsatisfied dependencies
  • BZ - 2160524 - rubygem-foreman_google cannot be installed during upgrade
  • BZ - 2160528 - foreman-installer and foreman-installer-katello have failing post scriptlets
  • BZ - 2160705 - The new kickstart_rhsm snippet is not considered RH supported
  • BZ - 2160752 - Bulk select/deselect does not work properly on paginated ACS page
  • BZ - 2161304 - foreman-discovery-image is not working for pxe-less discovery provisioning.
  • BZ - 2161776 - Subscriptions page - 'Import a Manifest' button displays when a blank manifest is imported
  • BZ - 2162129 - Add validations for RHUI ACS create and update
  • BZ - 2162130 - hammer acs show does not show any SSL related fields
  • BZ - 2162678 - content_export_* modules can time out as an export takes longer than 5 minutes
  • BZ - 2162736 - Can't search facts using CLI
  • BZ - 2163425 - GCE is not enabled by default on satellite
  • BZ - 2163456 - (ActiveModel::UnknownAttributeError): unknown attribute 'project' for ForemanGoogle::GCE.
  • BZ - 2163457 - Remove orphan fails
  • BZ - 2163577 - Manage Columns button appears even when there are no hosts
  • BZ - 2163582 - Change Content Source LCE dropdown shows multiple Library entries
  • BZ - 2163788 - Host Details page doesn't have static UUIDs for the tabs and generate new UUID every time on page load
  • BZ - 2164026 - Link from Content Hosts should navigate to Host's Content pane/tab
  • BZ - 2164080 - Upgrade will fail during check-tftp-storage check with "no implicit conversion of nil into String"
  • BZ - 2164330 - new wait task introduced by rh_cloud 6.0.44 is not recognized by maintain as OK to interrupt
  • BZ - 2164413 - backup restore unable to cope with backups created via "-t" option
  • BZ - 2164757 - Require rubygem(foreman_google) for Satellite installer
  • BZ - 2164989 - GCE - Restrict images to RHEL only
  • BZ - 2165482 - foreman::cli::ssh is present in downstream
  • BZ - 2165848 - virt-who-config update failed for "Could not create the Virt Who configuration"
  • BZ - 2165952 - Warning: Setting puppet_<variable> has no definition, please define it before using
  • BZ - 2166244 - assets are not compressed during delivery anymore
  • BZ - 2166293 - Expose new REX pull transport tunables in the installer
  • BZ - 2166303 - Edit and Submit is not possible from All Hosts in Satellite 6.13
  • BZ - 2166374 - --puppet-server-puppetserver-telemetry installer option should be disabled by default
  • BZ - 2166424 - The documentation link within Config Management page in Satellite WebUI redirects to upstream documentation
  • BZ - 2166457 - CVE-2023-23969 python-django: Potential denial-of-service via Accept-Language headers
  • BZ - 2166964 - API endpoint /api/compute_resources/:id/available_networks fails with ISE for GCE CR
  • BZ - 2166966 - Candlepin 4.2.13 changes [:content][:id] to ['contentId']
  • BZ - 2167685 - [BUG] Manifest re-import fails with error "Unexpected exception occured while executing transactional block" in Satellite 6.13
  • BZ - 2168041 - [Nutanix] Remove the duplicate option 'update_interval' for virt-who config
  • BZ - 2168096 - Host details from OpenSCAP compliance reports points to Old Hosts UI page
  • BZ - 2168168 - Installable errata from Content View setting must be set to True
  • BZ - 2168254 - Editing virt-who configuration fails with error undefined method `update_attributes' for #<ForemanVirtWhoConfigure::Config:0x00007fd5d25bfb58> Did you mean? update_attribute audited_attributes
  • BZ - 2168258 - saving alternative content source is possible, even if IP instead of fqdn is specified and red warning is present
  • BZ - 2168330 - refreshing the manifest sends invalid DISTRIBUTION_VERSION fact to the upstream candlepin
  • BZ - 2168494 - Loading preupgrade report on job detail doesn't work
  • BZ - 2168679 - Clicking on 'Variables' within 'Ansible' in 'Content Hosts' page fails with 'Received status code 500' when 'theforeman.foreman_scap_client' role is assigned to the host
  • BZ - 2168967 - New kickstart_kernel_options snippet breaks UEFI (Grub2) PXE provisioning when boot_mode is static
  • BZ - 2169299 - rubygem-openscap (and thus foreman_openscap) can't be installed on CentOS Stream 8
  • BZ - 2169402 - CVE-2023-24580 python-django: Potential denial-of-service vulnerability in file uploads
  • BZ - 2169633 - Legacy Hosts UI loaded when you navigate from the Host Console button
  • BZ - 2169858 - [Bug] - Unable to fix inhibitors from Satellite WebUI after running preupgrade check with leapp.
  • BZ - 2169866 - Exporting the Library environment incrementally fails with error "Incremental export can only be requested when there is a previous export or start_versions= has been specified."
  • BZ - 2170034 - Support Satellite Ansible Collection running on Python 3.11
  • BZ - 2171399 - 404 on /images/jquery-ui/ui-bg_glass_75_dadada_1x400.png when searching in content hosts
  • BZ - 2172141 - Redundant parentheses around search query after rerun
  • BZ - 2172540 - "Restoring postgresql global objects" step is buggy and not required
  • BZ - 2172939 - Link from host collections and Errata page should go to new host details page
  • BZ - 2173570 - Installer fails in upgrade with "No Puppet module parser is installed and no cache of the file /usr/share/foreman-installer/modules/foreman/manifests/compute/gce.pp is available"
  • BZ - 2173756 - Importing incremental content not recreating metadata properly
  • BZ - 2174734 - Puppet environment not configured for Puppet agent during host Registration
  • BZ - 2174910 - Need to update Recommended Repositories page with Satellite 6.13 repos
  • BZ - 2175226 - Cannot force delete repositories that are included in export content view versions
  • BZ - 2180417 - foreman-maintain upgrade list-versions lists 6.14 along with 6.13.z
  • BZ - 2184018 - Submitting host edit causes wrong UI redirect