The following advisory data is extracted from: https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_1335.json

Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================
                   Red Hat Security Advisory

Synopsis:      Important: RHUI 4.11 security, bugfix, and enhancement update
Advisory ID:   RHSA-2025:1335-03
Product:       Red Hat Update Infrastructure
Advisory URL:  https://access.redhat.com/errata/RHSA-2025:1335
Issue date:    2025-02-12
Revision:      03
CVE Names:     CVE-2024-1135
====================================================================

Summary:

An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.11 updates Pulp to a newer upstream version, fixes several issues, and adds an enhancement.

Description:

Red Hat Update Infrastructure (RHUI) provides a highly scalable and redundant framework for managing repositories and content. It also allows cloud providers to deliver content and updates to Red Hat Enterprise Linux (RHEL) instances.
Security Fixes:

* Cryptography: NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override (CVE-2024-26130)
* Gunicorn: HTTP Request Smuggling due to improper validation of Transfer-Encoding headers (CVE-2024-1135)
* Aiohttp: aiohttp: XSS on index pages for static file handling (CVE-2024-27306)
* Aiohttp: aiohttp: DoS when trying to parse malformed POST requests (CVE-2024-30251)
* Sqlparse: sqlparse: parsing heavily nested list leads to denial of service (CVE-2024-4340)
* Jinja2: jinja2: accepts keys containing non-attribute characters (CVE-2024-34064)
* Django: Potential denial-of-service in django.utils.translation.get_supported_language_variant() (CVE-2024-39614)
* Django: Memory exhaustion in django.utils.numberformat.floatformat() (CVE-2024-41989)
* Django: Potential SQL injection in QuerySet.values() and values_list() (CVE-2024-42005)
* Django: Potential denial-of-service vulnerability in django.utils.html.urlize() (CVE-2024-41990)
* Django: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget (CVE-2024-41991)
* Grpcio: client communicating with a HTTP/2 proxy can poison the HPACK table between the proxy and the backend (CVE-2024-7246)
* Requests: subsequent requests to the same host ignore cert verification (CVE-2024-35195)

For detailed information on other changes in this release, see the Red Hat Update Infrastructure Release Notes linked from the References section.
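One defensive check for the CVE-2024-1135 class of bug named in the Security Fixes above, as an added example that is not code from Gunicorn, Pulp or this advisory: a strict request-framing validator in the spirit of RFC 7230 section 3.3.3 that rejects ambiguous Transfer-Encoding / Content-Length combinations instead of silently choosing one framing, which is what lets a front-end proxy and a back-end server disagree about where a request ends. The `Framing` type, `check_framing` and the sample header lists are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Framing:
    ok: bool
    mode: str                  # "chunked", "content-length", "none" or "reject"
    length: Optional[int] = None
    reason: str = ""


_DIGITS = re.compile(r"^[0-9]+$")   # RFC 7230: 1*DIGIT, no sign, no whitespace


def check_framing(headers: List[Tuple[str, str]]) -> Framing:
    """Decide how a request body is framed, or reject the request.

    `headers` is the raw list of (name, value) pairs as received, so
    repeated fields stay visible.  Rules follow RFC 7230 section 3.3.3:
    Transfer-Encoding takes precedence over Content-Length, but a server
    that does not want to be a smuggling target rejects every ambiguous
    case outright instead of guessing which header the proxy honoured.
    """
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v for n, v in headers if n.lower() == "content-length"]

    if te and cl:
        return Framing(False, "reject", reason="both Transfer-Encoding and Content-Length present")

    if te:
        # Repeated TE fields form one comma-separated list of codings.
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:
            # Conservative choice: the only transfer-coding accepted on a
            # request is a single, final "chunked"; anything else is rejected.
            return Framing(False, "reject", reason="unsupported or ambiguous Transfer-Encoding: %r" % codings)
        return Framing(True, "chunked")

    if cl:
        # Repeated Content-Length fields are tolerated only if identical.
        values = {v.strip() for raw in cl for v in raw.split(",")}
        if len(values) != 1:
            return Framing(False, "reject", reason="conflicting Content-Length values")
        value = values.pop()
        if not _DIGITS.match(value):
            return Framing(False, "reject", reason="malformed Content-Length: %r" % value)
        return Framing(True, "content-length", length=int(value))

    return Framing(True, "none", length=0)
```

A rejected `Framing` should map to a 400 response and a closed connection, since the remaining bytes on that connection can no longer be trusted to belong to the next request.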
Solution:

https://docs.redhat.com/en/documentation/red_hat_update_infrastructure/4/html/migrating_red_hat_update_infrastructure/assembly_upgrading-red-hat-update-infrastructure_migrating-red-hat-update-infrastructure
https://docs.redhat.com/en/documentation/red_hat_update_infrastructure/4

CVEs:

CVE-2024-1135

References:

https://access.redhat.com/security/updates/classification/#important
https://docs.redhat.com/en/documentation/red_hat_update_infrastructure/4/html/release_notes/index
https://bugzilla.redhat.com/show_bug.cgi?id=2269617
https://bugzilla.redhat.com/show_bug.cgi?id=2275280
https://bugzilla.redhat.com/show_bug.cgi?id=2275989
https://bugzilla.redhat.com/show_bug.cgi?id=2278038
https://bugzilla.redhat.com/show_bug.cgi?id=2278710
https://bugzilla.redhat.com/show_bug.cgi?id=2279476
https://bugzilla.redhat.com/show_bug.cgi?id=2282114
https://bugzilla.redhat.com/show_bug.cgi?id=2295938
https://bugzilla.redhat.com/show_bug.cgi?id=2302433
https://bugzilla.redhat.com/show_bug.cgi?id=2302434
https://bugzilla.redhat.com/show_bug.cgi?id=2302435
https://bugzilla.redhat.com/show_bug.cgi?id=2302436
https://issues.redhat.com/browse/RHUI-429
https://issues.redhat.com/browse/RHUI-577
https://issues.redhat.com/browse/RHUI-617