OVAL

RLSA-2023:6818 --- libdb-utils-debuginfo

ID: oval:org.secpod.oval:def:4501503
Date: (C)2023-11-17   (M)2024-05-09
Class: PATCH
Family: unix




Rocky Enterprise Software Foundation Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool.

Security Fix:

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work
* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack
* GitPython: Insecure non-multi options in clone and clone_from is not blocked
* kubeclient: kubeconfig parsing error can lead to MITM attacks
* foreman: OS command injection via ct_command and fcct_command
* ruby-git: code injection vulnerability
* ruby-git: code injection vulnerability
* Foreman: Arbitrary code execution through templates
* rubygem-activerecord: SQL Injection
* openssl: c_rehash script allows command injection
* openssl: the c_rehash script allows command injection
* Pulp: Tokens stored in plaintext
* satellite: Blind SSRF via Referer header
* python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious web server
* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
* rubygem-activerecord: Denial of Service
* rubygem-rack: denial of service in Content-Disposition parsing
* rubygem-rack: denial of service in Content-Disposition parsing
* rubygem-rack: denial of service in Content-Disposition parsing
* Foreman: Stored cross-site scripting in host tab
* puppet: Puppet Server ReDoS
* rubygem-actionpack: Denial of Service in Action Dispatch
* rubygem-actionpack: Denial of Service in Action Dispatch
* rubygem-activesupport: Regular Expression Denial of Service
* rubygem-globalid: ReDoS vulnerability
* rubygem-rack: Denial of service in Multipart MIME parsing
* rubygem-rack: denial of service in header parsing
* golang: net/http: insufficient sanitization of Host header
* sqlparse: Parser contains a regular expression that is vulnerable to ReDOS
* python-django: Potential bypass of validation when uploading multiple files using one form field
* python-requests: Unintended leak of Proxy-Authorization header
* python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator

For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.

Additional Changes: This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

Platform:
Rocky Linux 8
Product:
libdb-utils-debuginfo
libdb-sql-debuginfo
libdb-debugsource
libdb-cxx
libdb-sql-devel-debuginfo
libdb-debuginfo
Reference:
RLSA-2023:6818
CVE-2022-0759
CVE-2022-1292
CVE-2022-2068
CVE-2022-3644
CVE-2022-3874
CVE-2022-40899
CVE-2022-4130
CVE-2022-41717
CVE-2022-44566
CVE-2022-44570
CVE-2022-44571
CVE-2022-44572
CVE-2022-46648
CVE-2022-47318
CVE-2023-0118
CVE-2023-0119
CVE-2023-1894
CVE-2023-22792
CVE-2023-22794
CVE-2023-22795
CVE-2023-22796
CVE-2023-22799
CVE-2023-27530
CVE-2023-27539
CVE-2023-29406
CVE-2023-30608
CVE-2023-31047
CVE-2023-32681
CVE-2023-36053
CVE-2023-39325
CVE-2023-40267
CVE-2023-44487

© SecPod Technologies