SUSE Security Update: Security update for SUSE Manager Server 3.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:2292-1
Rating:             moderate
References:         #1141663 #1150657 #1153578 #1155794 #1159184 
                    #1159202 #1162391 #1166284 #1167556 #1167871 
                    #1168227 #1169109 #1169865 #1170331 #1171169 
                    #1172462 #1172831 #1173073 #1173946 #1174167 
                    #1174700 #1174768 #1174965 
Cross-References:   CVE-2020-11022
Affected Products:
                    SUSE Manager Server 3.2
                    SUSE Manager Proxy 3.2
______________________________________________________________________________

   An update that solves one vulnerability and has 22 fixes is
   now available.

Description:


   This update fixes the following issues:

   bind-formula:

   - Remove wrong default for bind options preventing correct upload
     of bind options using XMLRPC (bsc#1150657)

   branch-network-formula:

   - Make branch formula to assign home directory to ftp and tftp users
     (bsc#1162391)

   py26-compat-salt:

   - Do not make py26-compat-salt to require python-tornado on SLE15 (all SPs)
   - Backport saltutil state module to 2016.11 codebase (bsc#1167556)
   - Add new custom SUSE capability for saltutil state module

   python-susemanager-retail:

   - Allow bind options to be stored to and edited by retail_yaml
     (bsc#1150657)

   release-notes-susemanager:

   - Update to 3.2.15
   - Bugs mentioned bsc#1150657, bsc#1162391, bsc#1167556, bsc#1174965,
     bsc#1170331, bsc#1159184, bsc#1168227, bsc#1172831, bsc#1173073,
     bsc#1167871, bsc#1169109, bsc#1159202, bsc#1168227, bsc#1153578,
     bsc#1141663, bsc#1174768, bsc#1173946, bsc#1174167, bsc#1169865,
     bsc#1155794

   spacewalk-backend:

   - Fix issues importing RPM packages with long RPM headers (bsc#1174965)
   - Do not make mgr-inter-sync to crash if there are non-ASCII characters on
     an exception message (bsc#1170331)
   - Validate cached package entries on ISS slave (bsc#1159184)

   spacewalk-client-tools:

   - Do not crash 'mgr-update-status' because 'long' type is not defined in
     Python 3

   spacewalk-java:

   - Skip upgrades when the target has not the same amount of products as the
     installed set (bsc#1168227)
   - Upgrade jQuery and adapt the code - CVE-2020-11022 (bsc#1172831)
   - Prevent deadlock on suseusernotification (bsc#1173073)
   - Avoid multiple base channels when onboarding minions (bsc#1167871)
   - Hide message about changed Update Tag change (bsc#1169109)
   - Refresh pillar after channel change
   - Use 'changes' field if 'pchanges' field doesn't exist (bsc#1159202)
   - Skip migration targets when they do not have the same amount of products
     as the installed set (bsc#1168227)

   spacewalk-utils:

   - Add FQDN resolver for spacewalk-manage-channel-lifecycle (bsc#1153578)
   - Fixes SSL hostname matching (bsc#1141663)

   spacewalk-web:

   - Fix saving of formulas (bsc#1174768)
   - Upgrade jQuery and adapt the code - CVE-2020-11022 (bsc#1172831)

   susemanager:

   - Use python2-uyuni-common-libs and python3-uyuni-common-libs for
     bootstrap repositories (bsc#1173946)
   - Add 'python-singledispatch' to SLE12 (all SPs) and RES7 bootstrap repos.
     (bsc#1174700)
   - Add SLE 15 LTSS Product ID to SLE15 bootstrap repositories, as it is
     required to get python3-M2crypto (bsc#1174167)
   - Require python3-tornado only for SLE15/SLE15SP1 (bsc#1169865)
   - Use python3-M2Crypto for all SLE15 versions and openSUSE Leap 15.1
     bootstrap repositories
   - Add dbus-1-glib to SLE12SP5 x86_64 to allow onboarding of AWS Cloud
     SLE12SP5 clients (they do not have it by default anymore)

   susemanager-frontend-libs:

   - Upgrade jquery to 3.5.1 - CVE-2020-11022 (bsc#1172831)

   susemanager-schema:

   - Prevent a deadlock error involving delete_server and update_needed_cache
     (bsc#1173073)

   susemanager-sls:

   - Avoid traceback error due lazy loading which_bin (bsc#1155794)
   - Using new module path for which_bin to get rid of DeprecationWarning

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service: spacewalk-service stop
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Upgrade the database schema: spacewalk-schema-upgrade
   5. Start the Spacewalk service: spacewalk-service start


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-2292=1

   - SUSE Manager Proxy 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2020-2292=1



Package List:

   - SUSE Manager Server 3.2 (ppc64le s390x x86_64):

      release-notes-susemanager-3.2.15-6.61.1
      susemanager-3.2.24-3.43.1
      susemanager-tools-3.2.24-3.43.1

   - SUSE Manager Server 3.2 (noarch):

      bind-formula-0.1.1584363976.36bce64-3.6.1
      branch-network-formula-0.1.1584363976.36bce64-3.9.1
      py26-compat-salt-2016.11.10-6.38.1
      python-susemanager-retail-1.0.1584363976.36bce64-2.12.1
      python2-spacewalk-client-tools-2.8.22.8-3.15.1
      spacewalk-backend-2.8.57.23-3.51.1
      spacewalk-backend-app-2.8.57.23-3.51.1
      spacewalk-backend-applet-2.8.57.23-3.51.1
      spacewalk-backend-config-files-2.8.57.23-3.51.1
      spacewalk-backend-config-files-common-2.8.57.23-3.51.1
      spacewalk-backend-config-files-tool-2.8.57.23-3.51.1
      spacewalk-backend-iss-2.8.57.23-3.51.1
      spacewalk-backend-iss-export-2.8.57.23-3.51.1
      spacewalk-backend-libs-2.8.57.23-3.51.1
      spacewalk-backend-package-push-server-2.8.57.23-3.51.1
      spacewalk-backend-server-2.8.57.23-3.51.1
      spacewalk-backend-sql-2.8.57.23-3.51.1
      spacewalk-backend-sql-oracle-2.8.57.23-3.51.1
      spacewalk-backend-sql-postgresql-2.8.57.23-3.51.1
      spacewalk-backend-tools-2.8.57.23-3.51.1
      spacewalk-backend-xml-export-libs-2.8.57.23-3.51.1
      spacewalk-backend-xmlrpc-2.8.57.23-3.51.1
      spacewalk-base-2.8.7.24-3.48.1
      spacewalk-base-minimal-2.8.7.24-3.48.1
      spacewalk-base-minimal-config-2.8.7.24-3.48.1
      spacewalk-client-tools-2.8.22.8-3.15.1
      spacewalk-html-2.8.7.24-3.48.1
      spacewalk-java-2.8.78.29-3.50.1
      spacewalk-java-config-2.8.78.29-3.50.1
      spacewalk-java-lib-2.8.78.29-3.50.1
      spacewalk-java-oracle-2.8.78.29-3.50.1
      spacewalk-java-postgresql-2.8.78.29-3.50.1
      spacewalk-taskomatic-2.8.78.29-3.50.1
      spacewalk-utils-2.8.18.7-3.15.1
      susemanager-frontend-libs-3.2.5-3.13.1
      susemanager-retail-tools-1.0.1584363976.36bce64-2.12.1
      susemanager-schema-3.2.24-3.40.1
      susemanager-sls-3.2.31-3.47.1
      susemanager-web-libs-2.8.7.24-3.48.1

   - SUSE Manager Proxy 3.2 (noarch):

      python2-spacewalk-check-2.8.22.8-3.15.1
      python2-spacewalk-client-setup-2.8.22.8-3.15.1
      python2-spacewalk-client-tools-2.8.22.8-3.15.1
      python2-zypp-plugin-spacewalk-1.0.7-3.13.1
      spacewalk-backend-2.8.57.23-3.51.1
      spacewalk-backend-libs-2.8.57.23-3.51.1
      spacewalk-base-minimal-2.8.7.24-3.48.1
      spacewalk-base-minimal-config-2.8.7.24-3.48.1
      spacewalk-check-2.8.22.8-3.15.1
      spacewalk-client-setup-2.8.22.8-3.15.1
      spacewalk-client-tools-2.8.22.8-3.15.1
      spacewalk-proxy-installer-2.8.6.8-3.18.1
      susemanager-web-libs-2.8.7.24-3.48.1
      zypp-plugin-spacewalk-1.0.7-3.13.1

   - SUSE Manager Proxy 3.2 (x86_64):

      release-notes-susemanager-proxy-3.2.15-0.16.47.1
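
   An added example, not part of the SUSE advisory: a post-patch check that
   compares installed package versions against fixed versions copied from the
   Package List above. The sample rpm output is constructed, the function names
   are hypothetical, and the comparison is a simplified rpmvercmp that ignores
   epochs, '~' and '^'.

```python
import re

# Fixed version-release strings copied from this advisory's Package List (subset).
FIXED = {
    "spacewalk-java": "2.8.78.29-3.50.1",
    "spacewalk-backend": "2.8.57.23-3.51.1",
    "susemanager-frontend-libs": "3.2.5-3.13.1",
    "susemanager-schema": "3.2.24-3.40.1",
}

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """\
spacewalk-java 2.8.78.28-3.47.1
spacewalk-backend 2.8.57.23-3.51.1
susemanager-frontend-libs 3.2.5-3.13.1
"""

def vercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1. Segments are runs of digits or letters."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # 13 > 9, unlike a string compare
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)

def audit(rpm_output):
    """Map each tracked package to 'ok', 'needs update' or 'not installed'."""
    installed = dict(line.split() for line in rpm_output.strip().splitlines())
    report = {}
    for name, fixed in FIXED.items():
        have = installed.get(name)
        if have is None:
            report[name] = "not installed"
        else:
            report[name] = "needs update" if evr_cmp(have, fixed) < 0 else "ok"
    return report

if __name__ == "__main__":
    for pkg, status in audit(SAMPLE).items():
        print(f"{pkg}: {status}")
```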


References:

   https://www.suse.com/security/cve/CVE-2020-11022.html
   https://bugzilla.suse.com/1141663
   https://bugzilla.suse.com/1150657
   https://bugzilla.suse.com/1153578
   https://bugzilla.suse.com/1155794
   https://bugzilla.suse.com/1159184
   https://bugzilla.suse.com/1159202
   https://bugzilla.suse.com/1162391
   https://bugzilla.suse.com/1166284
   https://bugzilla.suse.com/1167556
   https://bugzilla.suse.com/1167871
   https://bugzilla.suse.com/1168227
   https://bugzilla.suse.com/1169109
   https://bugzilla.suse.com/1169865
   https://bugzilla.suse.com/1170331
   https://bugzilla.suse.com/1171169
   https://bugzilla.suse.com/1172462
   https://bugzilla.suse.com/1172831
   https://bugzilla.suse.com/1173073
   https://bugzilla.suse.com/1173946
   https://bugzilla.suse.com/1174167
   https://bugzilla.suse.com/1174700
   https://bugzilla.suse.com/1174768
   https://bugzilla.suse.com/1174965

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates

SUSE: 2020:2292-1 moderate: SUSE Manager Server 3.2

August 21, 2020

