An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.11 updates Pulp to a newer upstream version, fixes several issues, and adds an enhancement.
Red Hat Update Infrastructure (RHUI) provides a highly scalable and redundant framework for managing repositories and content. It also allows cloud providers to deliver content and updates to Red Hat Enterprise Linux (RHEL) instances.
Security Fixes:
* Cryptography: NULL pointer dereference in pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override (CVE-2024-26130)
* Gunicorn: HTTP request smuggling due to improper validation of Transfer-Encoding headers (CVE-2024-1135)
* Aiohttp: XSS on index pages for static file handling (CVE-2024-27306)
* Aiohttp: DoS when parsing malformed POST requests (CVE-2024-30251)
* Sqlparse: parsing a heavily nested list leads to denial of service (CVE-2024-4340)
* Django: potential denial of service in django.utils.translation.get_supported_language_variant() (CVE-2024-39614)
* Django: memory exhaustion in django.utils.numberformat.floatformat() (CVE-2024-41989)
* Django: potential SQL injection in QuerySet.values() and values_list() (CVE-2024-42005)
* Django: potential denial of service in django.utils.html.urlize() (CVE-2024-41990)
* Django: potential denial of service in django.utils.html.urlize() and AdminURLFieldWidget (CVE-2024-41991)
* Grpcio: a client communicating with an HTTP/2 proxy can poison the HPACK table between the proxy and the backend (CVE-2024-7246)
* Requests: subsequent requests to the same host ignore certificate verification (CVE-2024-35195)
For detailed information on other changes in this release, see the Red Hat Update Infrastructure Release Notes linked from the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
CVE-2024-1135: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') (CWE-444)
CVE-2024-4340: Uncontrolled Recursion (CWE-674)
CVE-2024-7246: Expected Behavior Violation (CWE-440)
CVE-2024-26130: NULL Pointer Dereference (CWE-476)
CVE-2024-27306: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)
CVE-2024-30251: Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835)
CVE-2024-34064: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
CVE-2024-35195: Always-Incorrect Control Flow Implementation (CWE-670)
CVE-2024-39614: Improper Validation of Specified Type of Input (CWE-1287)
CVE-2024-41989: Uncontrolled Resource Consumption (CWE-400)
CVE-2024-41990: Improper Handling of Length Parameter Inconsistency (CWE-130)
CVE-2024-41991: Uncontrolled Resource Consumption (CWE-400)
CVE-2024-42005: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)