We released a security patch for Uyuni 2023.04 that provides fixes for CVE-2023-22644:
* Fix session information leak (bsc#1210107)
* Fix credentials and other secrets disclosure when debug log is enabled (bsc#1210154)
* Remove web session swap secrets output in logs (bsc#1210086)
* Do not output cobbler xmlrpc token in debug logs (bsc#1210162)
* Do not output URL parameters for tiny urls (bsc#1210101)
* Do not log SSL certificate / key file content (bsc#1210094)
In addition, this patch provides the new GPG keys for Debian 12 and SUSE Package Hub.
You can apply the patch on the Uyuni Server by following the instructions at: https://www.uyuni-project.org/pages/patches.html
If you are still on 2023.03 or earlier, update first to 2023.04 normally (make sure you read the release notes, as special steps may be required if you are not on 2023.04 already), and then apply the patch as explained above.
Happy hacking and have a lot of fun!
--
Marina Latini (she/her/hers)
Software Release Engineer
SUSE Software Solutions Germany GmbH
Frankenstraße 146
90461 Nürnberg, Germany
Managing Directors: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman (HRB 36809, AG Nürnberg)
#ThePowerOfMany #DareToBeDifferent #HaveALotOfFun