RHSA-2023:4466 – Security Advisory: Red Hat fix for CVE-2022-40899 (3rd Aug 2023)

Preface: future 0.18.2 – Easy, safe support for Python 2/3 compatibility. "future" is the missing compatibility layer between Python 2 and Python 3. It allows you to use a single, clean Python 3.x-compatible codebase to support both Python 2 and Python 3 with minimal overhead.

Background: Red Hat Satellite 6 is the evolution of Red Hat’s life cycle management platform. It provides the capabilities that administrators have come to expect in a tool focused on managing systems and content for a global enterprise.

Red Hat Satellite 6 is based upon several open source projects.

  • future is the missing compatibility layer between Python 2 and Python 3. It allows you to use a single, clean Python 3.x-compatible codebase to support both Python 2 and Python 3 with minimal overhead.
  • Foreman contains rubygem-safemode.

Vulnerability details:

  • An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via a crafted Set-Cookie header from a malicious web server (CVE-2022-40899)
  • foreman: Arbitrary code execution through templates (CVE-2023-0118)

Ref: To send cookies to the server in the request header, you need to add the "Cookie: name=value" HTTP header to the request. To send multiple cookies in one Cookie header, you must separate them with semicolons. Servers store cookies in the client browser by returning "Set-Cookie: name=value" HTTP headers in the response.
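The cookie flow just described, as an added example that is not part of the advisory or of the future project's code: a client serialises its cookies into one Cookie request header, and parses the Set-Cookie response header the server returns. Because the Set-Cookie header is untrusted server input (the vector named for CVE-2022-40899), the parser below checks the header length against an assumed limit (MAX_HEADER_LEN, chosen for this example) and uses only linear-time string splitting, so a crafted header cannot make parsing unbounded. The sample headers are constructed for the example.

```python
# Added example (not the advisory's or the future project's code): a small,
# bounded parser for the Cookie / Set-Cookie headers described above.
# MAX_HEADER_LEN is an assumed limit chosen for this example.

MAX_HEADER_LEN = 4096  # assumed upper bound; a real client picks its own


def build_cookie_header(cookies):
    """Serialise a mapping into a single 'Cookie:' request header value.

    Multiple cookies are joined with '; ' as the text above describes.
    """
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


def parse_cookie_header(header_value):
    """Parse a 'Cookie:' request header value into a dict (name -> value)."""
    cookies = {}
    for pair in header_value.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def parse_set_cookie(header_value):
    """Parse one 'Set-Cookie:' response header into (name, value, attributes).

    The header comes from the server, so it is checked for length first and
    then split with plain string operations only (no backtracking regular
    expressions), keeping parsing time proportional to the header length.
    Returns None when the header is rejected as oversized or malformed.
    """
    if len(header_value) > MAX_HEADER_LEN:
        return None  # oversized header from the server: refuse to parse it
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        return None  # no name=value pair: malformed
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        # flag attributes such as HttpOnly carry no value; store them as True
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


# Constructed sample headers (not captured from any real server)
SAMPLE_SET_COOKIE = "session=abc123; Path=/; HttpOnly; Max-Age=3600"
SAMPLE_COOKIE = "session=abc123; theme=dark"

if __name__ == "__main__":
    print(parse_set_cookie(SAMPLE_SET_COOKIE))
    print(parse_cookie_header(SAMPLE_COOKIE))
    print(build_cookie_header({"session": "abc123", "theme": "dark"}))
    # an oversized header is rejected before any parsing work is done
    print(parse_set_cookie("x=" + "y" * (MAX_HEADER_LEN + 1)))
```

The length check is the practitioner's point: a client that talks to arbitrary servers should bound what it hands to any header parser, library or otherwise, before parsing starts, since the parser cannot be trusted to stay cheap on every input.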

Official details: Please refer to the link – https://access.redhat.com/errata/RHSA-2023:4466
