Red Hat Satellite 6.15.4 addresses multiple security vulnerabilities across components used by the product. CVE-2024-1135 is an HTTP request smuggling vulnerability in python-gunicorn caused by improper validation of Transfer-Encoding headers. CVE-2024-24790 involves unexpected behavior in golang's net/netip Is methods for IPv4-mapped IPv6 addresses. CVE-2024-26130 is a NULL pointer dereference in python-cryptography's pkcs12.serialize_key_and_certificates function when called with mismatched certificates and keys combined with an hmac_hash override. CVE-2024-41991 is a potential denial-of-service vulnerability in python-django's urlize() function and AdminURLFieldWidget. Red Hat has released updated packages fixing these issues and recommends users upgrade accordingly.

The vulnerabilities fixed in this update have a moderate security impact. They include HTTP request smuggling, which can affect HTTP request handling; unexpected behavior in IP address handling functions; a NULL pointer dereference that could cause application crashes; and a potential denial-of-service condition in Django components. No known active exploitation has been reported. These issues could affect the stability and security of Red Hat Satellite systems if left unpatched.

Red Hat has released official updates for Red Hat Satellite 6.15.4 that address these vulnerabilities. Users are advised to apply these updates promptly. Before updating, ensure all previously released errata relevant to the system are applied. Detailed update instructions are available in the Red Hat Satellite documentation. No additional mitigation steps are indicated beyond applying the official patches.