Threats Tagged 'cve-2025-69534'

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments. Security Fix(es): * python-pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image (CVE-2026-25990) * candlepin: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects (CVE-2026-27727) * python-markdown: denial of service via malformed HTML-like sequences (CVE-2025-69534) * python-pyOpenSSL: DTLS cookie callback buffer overflow (CVE-2026-27459) * rubygem-activesupport: Active Support: Denial of Service via large scientific notation strings (CVE-2026-33176) Bug Fix(es): * Satellite manifest consumer profile cert and key found in satellite client rhsm cache (SAT-43920) * All communication should happen only over https during global registration execution (SAT-43921) * Impossible to generate registration command via REST API in isolated networks managed by external capsules (SAT-43922) * Errata applicability and Refresh applicability tasks for RHEL 7 hosts runs dnf command. (SAT-43923) * BIOS info is not populated in All hosts page and in Host Details tab (SAT-43925) * Executing the 'katello::clean_backend_objects' rake task takes a long time to complete (SAT-43926) * Puppet fact parser can't create OS entry blocking Satellite leapp upgrades (SAT-43928) * No repositories available through subscriptions on a cloud-instance host after registering it to Red Hat Satellite using global registration method (SAT-43929) * Proxy password shown in clear text in the Overview page of Virt-who Configuration (SAT-43931) * Non-admin users on Satellite with viewer role, unable to see the hostgroup. (SAT-44039)

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments. Security Fix(es): * python-pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image (CVE-2026-25990) * candlepin: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects (CVE-2026-27727) * python-markdown: denial of service via malformed HTML-like sequences (CVE-2025-69534) * python-pyOpenSSL: DTLS cookie callback buffer overflow (CVE-2026-27459) * rubygem-activesupport: Active Support: Denial of Service via large scientific notation strings (CVE-2026-33176) Bug Fix(es): * Satellite manifest consumer profile cert and key found in satellite client rhsm cache (SAT-43030) * All communication should happen only over https during global registration execution (SAT-44031) * Impossible to generate registration command via REST API in isolated networks managed by external capsules (SAT-44032) * Executing the 'katello::clean_backend_objects' rake task takes a long time to complete (SAT-44033) * Puppet fact parser can't create OS entry blocking Satellite leapp upgrades (SAT-44035) * No repositories available through subscriptions on a cloud-instance host after registering it to Red Hat Satellite using global registration method (SAT-44036) * Proxy password shown in clear text in the Overview page of Virt-who Configuration (SAT-43834) * Non-admin users on Satellite with viewer role, unable to see the hostgroup. (SAT-44034)

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments. Security Fix(es): * python3.12-django: Django: SQL Injection via crafted column aliases (CVE-2026-1287) * python3.12-django: Django: SQL Injection via RasterField band index parameter (CVE-2026-1207) * python3.12-django: Django: SQL injection via crafted column aliases in QuerySet.order_by() (CVE-2026-1312) * python3.12-django: Django: Denial of Service via crafted HTML inputs (CVE-2026-1285) * python3.12-django: Django: Denial of Service via crafted request with duplicate headers (CVE-2025-14550) * python3.12-markdown: markdown: Denial of Service via malformed HTML-like sequences (CVE-2025-69534) * python3.12-pyOpenSSL: pyOpenSSL: DTLS cookie callback buffer overflow (CVE-2026-27459) * rubygem-activesupport: Active Support: Denial of Service via large scientific notation strings (CVE-2026-33176)

A denial of service vulnerability (CVE-2025-69534) exists in the python-markdown package used in Red Hat Enterprise Linux 10.0 Extended Update Support. The issue is triggered by malformed HTML-like sequences processed by python-markdown. Red Hat has issued an important security advisory with updated packages to address this vulnerability.

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Security Fix(es): * automation-controller: Account hijacking and unauthorized access via unverified email linking (CVE-2026-6266) * automation-controller: DTLS cookie callback buffer overflow (CVE-2026-27459) * automation-controller: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation) (CVE-2026-32597) * automation-controller: denial of service via malformed HTML-like sequences (CVE-2025-69534) * automation-gateway: Account hijacking and unauthorized access via unverified email linking (CVE-2026-6266) * automation-gateway-proxy: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) * automation-platform-ui: Rollup: Remote Code Execution via Path Traversal Vulnerability (CVE-2026-27606) * automation-platform-ui: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996) * python3.12-django-ansible-base: Account hijacking and unauthorized access via unverified email linking (CVE-2026-6266) * python3.12-markdown: denial of service via malformed HTML-like sequences (CVE-2025-69534) * python3.12-jwcrypto: JWCrypto: Memory exhaustion via crafted compressed JWE tokens (CVE-2026-39373) * python3.12-pyasn1: pyasn1 Vulnerable to Denial of Service via Unbounded Recursion (CVE-2026-30922) * python3.12-pyasn1: pyasn1: Denial of Service due to memory exhaustion from malformed RELATIVE-OID (CVE-2026-23490) * python3.12-pyOpenSSL: DTLS cookie callback buffer overflow (CVE-2026-27459) * receptor: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. For details about this release, refer to the release notes listed in the References section.

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Security Fix(es): * automation-controller: Account hijacking and unauthorized access via unverified email linking (CVE-2026-6266) * automation-controller: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation) (CVE-2026-32597) * automation-controller: denial of service via malformed HTML-like sequences (CVE-2025-69534) * automation-controller: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves (CVE-2026-26007) * automation-gateway: Account hijacking and unauthorized access via unverified email linking (CVE-2026-6266) * automation-gateway: Rollup: Remote Code Execution via Path Traversal Vulnerability (CVE-2026-27606) * automation-gateway: SVGO: Denial of Service via XML entity expansion (CVE-2026-29074) * automation-gateway: ReDoS via $data reference (CVE-2025-69873) * automation-gateway-proxy: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) * python3.12-django-ansible-base: Account hijacking and unauthorized access via unverified email linking (CVE-2026-6266) * python3.12-markdown: denial of service via malformed HTML-like sequences (CVE-2025-69534) * python3.12-jwcrypto: JWCrypto: Memory exhaustion via crafted compressed JWE tokens (CVE-2026-39373) * python3.12-pyasn1: pyasn1 Vulnerable to Denial of Service via Unbounded Recursion (CVE-2026-30922) * python3.12-pyasn1: pyasn1: Denial of Service due to memory exhaustion from malformed RELATIVE-OID (CVE-2026-23490) * python3.12-pyOpenSSL: DTLS cookie callback buffer overflow (CVE-2026-27459) * receptor: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. For details about this release, refer to the release notes listed in the References section.

Quay 3.17.2

Network flows collector and monitoring solution.

See the release notes (link in the references section) for a description of the fixes and enhancements in this particular release.

Release of RHOAI 3.3.3 provides these changes: