SUSE Security Update: Security update for SUSE Manager Server 4.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3235-1
Rating:             moderate
References:         #1144447 #1167907 #1169664 #1173199 #1175843 
                    #1175876 #1176159 #1176307 #1176413 #1176603 
                    #1176629 #1176765 #1177092 #1177235 #1177396 
                    #1177478 #1177524 #1177730 #1177790 #1177892 
                    #1178060 #1178145 #1178204 #1178319 #1178361 
                    #1178362 
Cross-References:   CVE-2020-15168 CVE-2020-16846 CVE-2020-17490
                    CVE-2020-25592
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.1
                    SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1
______________________________________________________________________________

   An update that solves four vulnerabilities and has 22 fixes
   is now available.

Description:


   This update fixes the following issues:

   bind-formula:

   - Temporarily disable dnssec-validation as hotfix for bsc#1177790

   grafana-formula:

   - Use variable for product name
   - Add HA/SAP dashboards
   - Add support for system groups in Client Systems dashboard

   image-sync-formula:

   - Do not use .gz suffix for default initrd symlink
   - Keep the old symlink "initrd.gz" for compatibility

   prometheus-exporters-formula:

   - Fix empty directory values initialization
   - Add systemd collector as default for node_exporters since otherwise some
     SAP/HA grafana dashboards will be empty
   - Disable reverse proxy by default

   prometheus-formula:

   - Disable Alertmanager clustering (bsc#1178145)
   - Use variable for product name

   pxe-formula:

   - Change default to "initrd" without .gz suffix

   py26-compat-salt:

   - Properly validate eauth credentials and tokens on SSH calls made by Salt
     API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592,
     CVE-2020-17490, CVE-2020-16846)

   python-susemanager-retail:

   - Use name "initrd" without .gz suffix

   salt-netapi-client:

   - Version 0.18.0. See:
     https://github.com/SUSE/salt-netapi-client/releases/tag/v0.18.0

   saltboot-formula:

   - Allow setting terminal kernel parameters in saltboot formula

   spacecmd:

   - Python3 fixes for errata in spacecmd (bsc#1169664)
   - Added support for i18n of user-facing strings
   - Python3 fix for sorted usage (bsc#1167907)

   spacewalk-admin:

   - Show info message when applying schema upgrade

   spacewalk-backend:

   - Prevent IntegrityError during mgr-inter-sync execution (bsc#1177235)

   spacewalk-branding:

   - Enable switching between multiple webUI themes

   spacewalk-client-tools:

   - Remove RH references in Python/Ruby localization and use the product
     name instead

   spacewalk-java:

   - Use correct eauth module and credentials for Salt SSH calls (bsc#1178319)
   - Remove expiration date from ics files (bsc#1177892)
   - Execute Salt SSH actions in parallel (bsc#1173199)
   - Enable switching between multiple webUI themes
   - Fix action chain resuming when patches updating salt-minion don't cause
     service to be restarted (bsc#1144447)
   - Renaming autoinstall distro didn't change the name of the Cobbler distro
     (bsc#1175876)
   - Fix the links for downloading the binaries in the package details UI
     (bsc#1176603)
   - Allow nightly ISS sync to also cover custom channels
   - Fix: reinspecting a container image (bsc#1177092)
   - Add power management xmlrpc api
   - Remove hostname from /var/lib/salt/.ssh/known_hosts when deleting system
     (bsc#1176159)
   - Log exception trace on fatal Taskomatic startup error
   - Fix max password length check at user creation (bsc#1176765)
   - Notify about missing libvirt or hypervisor on virtual host
   - Redesign maintenance schedule systems table to use paginated data from
     server
   - Fix SP migration after dry run for cloned channels (bsc#1176307)
   - Filter not available optional channels out

   spacewalk-search:

   - Change default maximum memory to 512 MB, preventing OutOfMemoryError

   spacewalk-web:

   - Enable switching between multiple webUI themes
   - Only refresh the virtual storage list when pool events are received
   - Drop node-fetch to fix CVE-2020-15168
   - Notify about missing libvirt or hypervisor on virtual host
   - Redesign maintenance schedule systems table to use paginated data from
     server

   susemanager:

   - Create bootstrap repo should not flush by default (bsc#1175843)
   - Improve detection of base channels for products (bsc#1177478)
   - Add LTSS PIDs for SLE12SP1, SLE12SP2, SLE12SP3 and SLE12SP4 to the
     bootstrap definitions as some packages from LTSS are required
     (bsc#1177524)
   - Fix logrotate config
   - Add missing packages to ubuntu20.04 bootstrap data (bsc#1176629)

   susemanager-build-keys:

   - Replace "SuSE" user-facing references with "SUSE"

   susemanager-doc-indexes:

   - Documented zypper autorefresh feature in Upgrade Guide
   - Update SP Migration chapter in Client Configuration Guide
   - In Client Configuration and Upgrade Guide, add link to valid autoyast
     upgrade settings
   - Move client upgrade related sections from Reference and Upgrade Guide to
     Client Configuration Guide
   - Updated Requirements chapter in Installation Guide.
   - Edits OpenSCAP section in Admin Guide (bsc#1176413)
   - Updated Terminology section in Salt Guide
   - Added on-demand images content to Install Guide
   - Adds webUI locale choice to Ref & Admin Guides
   - Adds new System Types section to Client Cfg
   - Updates supported client matrix in Install Guide
   - Add note about log file to Upgrade Guide
   - Removes outdated content from Activation Keys section (bsc#1177396)
   - Adds note about PAM Auth during migration (bsc#1177730)
   - Fixed broken table in admin guide

   susemanager-docs_en:

   - Documented zypper autorefresh feature in Upgrade Guide
   - Update SP Migration chapter in Client Configuration Guide
   - In Client Configuration and Upgrade Guide, add link to valid autoyast
     upgrade settings
   - Move client upgrade related sections from Reference and Upgrade Guide to
     Client Configuration Guide
   - Updated Requirements chapter in Installation Guide.
   - Edits OpenSCAP section in Admin Guide (bsc#1176413)
   - Updated Terminology section in Salt Guide
   - Added on-demand images content to Install Guide
   - Adds webUI locale choice to Ref & Admin Guides
   - Adds new System Types section to Client Cfg
   - Updates supported client matrix in Install Guide
   - Add note about log file to Upgrade Guide
   - Removes outdated content from Activation Keys section (bsc#1177396)
   - Adds note about PAM Auth during migration (bsc#1177730)
   - Fixed broken table in admin guide

   susemanager-schema:

   - Add web_theme user preferences column (bsc#1178204)
   - Execute Salt SSH actions in parallel (bsc#1173199)
   - Show info message when applying schema upgrade

   susemanager-sls:

   - Fix action chain resuming when patches updating salt-minion don't cause
     service to be restarted (bsc#1144447)
   - Make grub2 autoinstall kernel path relative to the boot partition root
     (bsc#1175876)
   - Move channel token information from sources.list to auth.conf on Debian
     10 and Ubuntu 18 and newer
   - Add support for activation keys on server configuration Salt modules
   - Ensure the yum/dnf plugins are enabled
   - Remove hostname from /var/lib/salt/.ssh/known_hosts when deleting system
     (bsc#1176159)
   - Fix grub2 autoinstall kernel path (bsc#1178060)

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service: spacewalk-service stop
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Upgrade the database schema: spacewalk-schema-upgrade
   5. Start the Spacewalk service: spacewalk-service start


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2020-3235=1

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.1-2020-3235=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x x86_64):

      spacewalk-branding-4.1.11-3.9.6
      susemanager-4.1.21-3.11.6
      susemanager-tools-4.1.21-3.11.6

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):

      bind-formula-0.1.1603299886.60e4bcf-3.3.2
      grafana-formula-0.3.0-3.3.2
      image-sync-formula-0.1.1602150122.f08af0a-3.6.2
      prometheus-exporters-formula-0.8.0-3.16.2
      prometheus-formula-0.3.0-3.3.1
      pxe-formula-0.1.1602490840.4f32148-3.3.2
      py26-compat-salt-2016.11.10-6.3.3
      python3-spacewalk-client-tools-4.1.7-4.6.4
      python3-susemanager-retail-1.0.1602150122.f08af0a-3.3.2
      salt-netapi-client-0.18.0-15.7.5
      saltboot-formula-0.1.1602150122.f08af0a-3.6.2
      spacecmd-4.1.8-4.9.2
      spacewalk-admin-4.1.7-3.6.3
      spacewalk-backend-4.1.16-4.11.5
      spacewalk-backend-app-4.1.16-4.11.5
      spacewalk-backend-applet-4.1.16-4.11.5
      spacewalk-backend-config-files-4.1.16-4.11.5
      spacewalk-backend-config-files-common-4.1.16-4.11.5
      spacewalk-backend-config-files-tool-4.1.16-4.11.5
      spacewalk-backend-iss-4.1.16-4.11.5
      spacewalk-backend-iss-export-4.1.16-4.11.5
      spacewalk-backend-package-push-server-4.1.16-4.11.5
      spacewalk-backend-server-4.1.16-4.11.5
      spacewalk-backend-sql-4.1.16-4.11.5
      spacewalk-backend-sql-postgresql-4.1.16-4.11.5
      spacewalk-backend-tools-4.1.16-4.11.5
      spacewalk-backend-xml-export-libs-4.1.16-4.11.5
      spacewalk-backend-xmlrpc-4.1.16-4.11.5
      spacewalk-base-4.1.19-3.9.5
      spacewalk-base-minimal-4.1.19-3.9.5
      spacewalk-base-minimal-config-4.1.19-3.9.5
      spacewalk-client-tools-4.1.7-4.6.4
      spacewalk-html-4.1.19-3.9.5
      spacewalk-java-4.1.22-3.16.4
      spacewalk-java-config-4.1.22-3.16.4
      spacewalk-java-lib-4.1.22-3.16.4
      spacewalk-java-postgresql-4.1.22-3.16.4
      spacewalk-search-4.1.3-3.3.7
      spacewalk-taskomatic-4.1.22-3.16.4
      susemanager-build-keys-15.2.2-3.6.3
      susemanager-build-keys-web-15.2.2-3.6.3
      susemanager-doc-indexes-4.1-11.17.1
      susemanager-docs_en-4.1-11.17.1
      susemanager-docs_en-pdf-4.1-11.17.1
      susemanager-retail-tools-1.0.1602150122.f08af0a-3.3.2
      susemanager-schema-4.1.15-3.11.2
      susemanager-sls-4.1.17-3.13.6
      susemanager-web-libs-4.1.19-3.9.5
      uyuni-config-modules-4.1.17-3.13.6

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (noarch):

      mgr-daemon-4.1.3-2.6.3
      python3-spacewalk-check-4.1.7-4.6.4
      python3-spacewalk-client-setup-4.1.7-4.6.4
      python3-spacewalk-client-tools-4.1.7-4.6.4
      spacecmd-4.1.8-4.9.2
      spacewalk-backend-4.1.16-4.11.5
      spacewalk-base-minimal-4.1.19-3.9.5
      spacewalk-base-minimal-config-4.1.19-3.9.5
      spacewalk-check-4.1.7-4.6.4
      spacewalk-client-setup-4.1.7-4.6.4
      spacewalk-client-tools-4.1.7-4.6.4
      susemanager-build-keys-15.2.2-3.6.3
      susemanager-build-keys-web-15.2.2-3.6.3


References:

   https://www.suse.com/security/cve/CVE-2020-15168.html
   https://www.suse.com/security/cve/CVE-2020-16846.html
   https://www.suse.com/security/cve/CVE-2020-17490.html
   https://www.suse.com/security/cve/CVE-2020-25592.html
   https://bugzilla.suse.com/1144447
   https://bugzilla.suse.com/1167907
   https://bugzilla.suse.com/1169664
   https://bugzilla.suse.com/1173199
   https://bugzilla.suse.com/1175843
   https://bugzilla.suse.com/1175876
   https://bugzilla.suse.com/1176159
   https://bugzilla.suse.com/1176307
   https://bugzilla.suse.com/1176413
   https://bugzilla.suse.com/1176603
   https://bugzilla.suse.com/1176629
   https://bugzilla.suse.com/1176765
   https://bugzilla.suse.com/1177092
   https://bugzilla.suse.com/1177235
   https://bugzilla.suse.com/1177396
   https://bugzilla.suse.com/1177478
   https://bugzilla.suse.com/1177524
   https://bugzilla.suse.com/1177730
   https://bugzilla.suse.com/1177790
   https://bugzilla.suse.com/1177892
   https://bugzilla.suse.com/1178060
   https://bugzilla.suse.com/1178145
   https://bugzilla.suse.com/1178204
   https://bugzilla.suse.com/1178319
   https://bugzilla.suse.com/1178361
   https://bugzilla.suse.com/1178362