SUSE Security Update: Security update for SUSE Manager Server 4.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3466-1
Rating:             moderate
References:         #1144447 #1172079 #1173199 #1175739 #1175876 
                    #1175987 #1176074 #1176172 #1177336 #1177435 
                    #1177790 #1178060 #1178145 #1178195 
Cross-References:   CVE-2018-10936 CVE-2020-13692
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________

   An update that solves two vulnerabilities and has 12 fixes
   is now available.

Description:


   This update fixes the following issues:

   bind-formula:

   - Temporarily disable dnssec-validation as hotfix for bsc#1177790
   - Update to version 0.1.1603299886.60e4bcf

   grafana-formula:

   - Use variable for product name
   - Add support for system groups in Client Systems dashboard

   postgresql-jdbc:

   - Address CVE-2020-13692 (bsc#1172079)
   - Add patch:
   - Major changes since 9.4-1200:
     * License changed to BSD-2-Clause and BSD-3-Clause and Apache-2.0
     * Support PostgreSQL 9.5, 9.6, 10 11 and 12 added
     * Support for PostgreSQL versions below 8.2 was dropped
     * Support for JDK8, JDK9, JDK10, JDK11 and JDK12
     * Support for JDK 1.4 and 1.5 was dropped
     * Support for JDBC 4.2 added
     * Add maxResultBuffer property
     * Add caller push of binary data
     * Read only transactions
     * pkcs12 key functionality
     * New "escapeSyntaxCallMode" connection property
     * Connection property to limit server error detail in exception
       exceptions
     * CancelQuery() to PGConnection public interface
     * Support for large update counts (JDBC 4.2)
     * Add Binary Support for Oid.NUMERIC and Oid.NUMERIC_ARRAY
     * Expose parameter status messages (GUC_REPORT) to the user
     * Log ignoring rollback when no transaction in progress
     * Map inet type to InetAddress
     * Change ISGENERATED to ISGENERATEDCOLUMN as per spec
     * Support temporary replication slots in ReplicationCreateSlotBuilder
     * Return function (PostgreSQL 11) columns in
       PgDatabaseMetaData#getFunctionColumns
     * Return information on create replication slot, now the snapshot_name
       is exported to allow a consistent snapshot in some uses cases
     * `ssl=true` implies `sslmode=verify-full`, that is it requires valid
       server certificate
     * Support for `sslmode=allow/prefer/require`
     * Added server hostname verification for non-default SSL factories in
       `sslmode=verify-full` (CVE-2018-10936)
     * PreparedStatement.setNull(int parameterIndex, int t, String typeName)
       no longer ignores the typeName argument if it is not setNull
     * Reduce the severity of the error log messages when an exception is
       re-thrown. The error will be thrown to caller to be dealt with so no
       need to log at this verbosity by pgjdbc
     * Deprecate Fastpath API PR 903
     * Support parenthesis in {oj ...} JDBC escape syntax
     * socksProxyHost is ignored in case it contains empty string
     * Support SCRAM-SHA-256 for PostgreSQL 10 in the JDBC 4.2 version (Java
       8+) using the Ongres SCRAM library
     * Make SELECT INTO and CREATE TABLE AS return row counts to the client
       in their command tags
     * Support Subject Alternative Names for SSL connections
     * Support isAutoIncrement metadata for PostgreSQL 10 IDENTITY column
     * Support for primitive arrays PR 887 3e0491a
     * Implement support for get/setNetworkTimeout() in connections
     * Make GSS JAAS login optional, add an option "jaasLogin"
     * Improve behaviour of ResultSet.getObject(int, Class)
     * Parse CommandComplete message using a regular expression, allows
       complete catch of server returned commands for INSERT, UPDATE, DELETE,
       SELECT, FETCH, MOVE,COPY and future commands.
     * Use 'time with timezone' and 'timestamp with timezone' as is and
       ignore the user provided Calendars, 'time' and 'timestamp' work as
       earlier except "00:00:00" now maps to 1970-01-01 and "24:00:00" uses
       the system provided Calendar ignoring the user-provided one
     * Change behaviour of multihost connection. The new behaviour is to try
       all secondaries first before trying the master
     * Drop support for the (insecure) crypt authentication method
     * slave and preferSlave values for the targetServerType connection
       property have been deprecated in favour of secondary and
       preferSecondary respectively
     * Statements with non-zero fetchSize no longer require server-side named
       handle. This might cause issues when using old PostgreSQL versions
       (pre-8.4)+fetchSize+interleaved ResultSet processing combo
     * Better logic for returning keyword detection. Previously, pgjdbc could
       be defeated by column names that contain returning, so pgjdbc failed
       to "return generated keys" as it considered statement as already
       having returning keyword
     * Use server-prepared statements for batch inserts when
       prepareThreshold>0. This enables batch to use server-prepared from the
       first executeBatch() execution (previously it waited for
       prepareThreshold executeBatch() calls)
     * Replication protocol API was added: replication API documentation
     * java.util.logging is now used for logging: logging documentation
     * Add support for PreparedStatement.setCharacterStream(int, Reader)
     * Ensure executeBatch() can be used with pgbouncer. Previously pgjdbc
       could use server-prepared statements for batch execution even with
       prepareThreshold=0
     * Error position is displayed when SQL has unterminated literals,
       comments, etc
     * Strict handling of accepted values in getBoolean and
       setObject(BOOLEAN), now it follows PostgreSQL accepted values, only 1
       and 0 for numeric types are acepted (previusly !=0 was true)
     * Deprecated PGPoolingDataSource, instead of this class you should use a
       fully featured connection pool like HikariCP, vibur-dbcp,
       commons-dbcp, c3p0, etc
     * 'current transaction is aborted' exception includes the original
       exception via caused-by chain
     * Better support for RETURNGENERATEDKEYS, statements with RETURNING
       clause
     * Avoid user-visible prepared-statement errors if client uses
       DEALLOCATE/DISCARD statements (invalidate cache when those statements
       detected)
     * Avoid user-visible prepared-statement errors if client changes
       searchpath (invalidate cache when set searchpath detected)
     * Support comments when replacing {fn ...} JDBC syntax
     * Support for Types.REF_CURSOR
     * Performance optimization for timestamps (~TimeZone.getDefault
       optimization)
     * Ability to customize socket factory (e.g. for unix domain sockets)
     * Ignore empty sub-queries in composite queries
     * Add equality support to PSQLState
     * Improved composite/array type support and type naming changes.
   - Update to version 42.2.10
     *
   https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.10

   - Update to version 42.2.9
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.9
   - Update to version 42.2.8
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.8
   - Update to version 42.2.7
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.7
   - Update to version 42.2.6
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.6
   - Update to version 42.2.5
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.5
   - Update to version 42.2.4
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.4
   - Update to version 42.2.3
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.3
   - Update to version 42.2.2
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.2
   - Update to version 42.2.1
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.1
   - Update to version 42.2.0
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.0
   - Update to version 42.1.4
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.1.4
   - Update to version 42.1.3
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.1.3
   - Update to version 42.1.2
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.1.2
   - Update to version 42.1.1
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.1.1
   - Update to version 42.1.0
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.1.1
   - Update to version 42.2.0
     * https://jdbc.postgresql.org/documentation/changelog.html#version_42.1.0
   - Update to version 9.4.1211
     *
   https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1211

   - Update to version 9.4.1210
     *
   https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1210

   - Update to version 9.4.1209
     *
   https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1209

   - Update to version 9.4.1208
     *
   https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1208

   - Update to version 9.4.1207
     *
   https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1207

   - Update to version 9.4.1206
     *
   https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1206

   - Update to version 9.4.1205
     *
   https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1204

   - Update to version 9.4.1204
     *
   https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1204

   - Update to version 9.4.1203
     *
   https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1203

   - Update to version 9.4.1202
     *
   https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1202

   - Update to version 9.4.1201
     *
   https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1201


   prometheus-exporters-formula:

   - Fix empty directory values initialization
   - Disable reverse proxy on default

   prometheus-formula:

   - Update to version 0.2.3
   - Disable Alertmanager clustering (bsc#1178145)
   - Update to version 0.2.2
   - Use variable for product name

   salt-netapi-client:

   - Version 0.18.0 See:
     https://github.com/SUSE/salt-netapi-client/releases/tag/v0.18.0

   spacewalk-admin:

   - Use the license macro to mark the LICENSE in the package so that when
     installing without docs, it does install the LICENSE file
   - Prevent javax.net.ssl.SSLHandshakeException after upgrading from SUSE
     Manager 3.2 (bsc#1177435)

   spacewalk-backend:

   - ISS: Differentiate packages with same nevra but different checksum in
     the same channel (bsc#1178195)
   - Fix unique machine_id detection (bsc#1176074)

   spacewalk-java:

   - Revert: Sync state modules when starting action chain execution
     (bsc#1177336)
   - Sync state modules when starting action chain execution (bsc#1177336)
   - Fix repo url of AppStream in generated RHEL/Centos 8 kickstart file
     (bsc#1175739)
   - Log token verify errors and check for expired tokens
   - Execute Salt SSH actions in parallel (bsc#1173199)
   - Take pool and volume from Salt virt.vm_info for files and blocks disks
     (bsc#1175987)
   - Fix action chain resuming when patches updating salt-minion don't cause
     service to be restarted (bsc#1144447)
   - Renaming autoinstall distro didn't change the name of the Cobbler distro
     (bsc#1175876)

   spacewalk-web:

   - Fix link to documentation in Admin -> Manager Configuration ->
     Monitoring (bsc#1176172)
   - Don't allow selecting spice for Xen PV and PVH guests

   susemanager:

   - Add --force to mgr-create-bootstrap-repo to enforce generation even when
     some products are not synchronized

   susemanager-schema:

   - Execute Salt SSH actions in parallel (bsc#1173199)

   susemanager-sls:

   - Revert: Sync state modules when starting action chain execution
     (bsc#1177336)
   - Sync state modules when starting action chain execution (bsc#1177336)
   - Fix grub2 autoinstall kernel path (bsc#1178060)
   - Move channel token information from sources.list to auth.conf on Debian
     10 and Ubuntu 18 and newer
   - Fix action chain resuming when patches updating salt-minion don't cause
     service to be restarted (bsc#1144447)
   - Make grub2 autoinstall kernel path relative to the boot partition root
     (bsc#1175876)

   How to apply this update: 1. Log in as root user to the SUSE Manager
   server. 2. Stop the Spacewalk service: spacewalk-service stop 3. Apply the
   patch using either zypper patch or YaST Online Update. 4. Upgrade the
   database schema: spacewalk-schema-upgrade 5. Start the Spacewalk service:
   spacewalk-service start


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-3466=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64):

      susemanager-4.0.32-3.46.1
      susemanager-tools-4.0.32-3.46.1

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):

      bind-formula-0.1.1603299886.60e4bcf-3.11.1
      grafana-formula-0.2.2-4.13.1
      postgresql-jdbc-42.2.10-3.3.1
      prometheus-exporters-formula-0.7.5-3.16.1
      prometheus-formula-0.2.3-4.16.1
      python3-spacewalk-backend-libs-4.0.35-3.38.1
      salt-netapi-client-0.18.0-4.12.1
      spacewalk-admin-4.0.12-3.15.1
      spacewalk-backend-4.0.35-3.38.1
      spacewalk-backend-app-4.0.35-3.38.1
      spacewalk-backend-applet-4.0.35-3.38.1
      spacewalk-backend-config-files-4.0.35-3.38.1
      spacewalk-backend-config-files-common-4.0.35-3.38.1
      spacewalk-backend-config-files-tool-4.0.35-3.38.1
      spacewalk-backend-iss-4.0.35-3.38.1
      spacewalk-backend-iss-export-4.0.35-3.38.1
      spacewalk-backend-package-push-server-4.0.35-3.38.1
      spacewalk-backend-server-4.0.35-3.38.1
      spacewalk-backend-sql-4.0.35-3.38.1
      spacewalk-backend-sql-postgresql-4.0.35-3.38.1
      spacewalk-backend-tools-4.0.35-3.38.1
      spacewalk-backend-xml-export-libs-4.0.35-3.38.1
      spacewalk-backend-xmlrpc-4.0.35-3.38.1
      spacewalk-base-4.0.25-3.36.1
      spacewalk-base-minimal-4.0.25-3.36.1
      spacewalk-base-minimal-config-4.0.25-3.36.1
      spacewalk-html-4.0.25-3.36.1
      spacewalk-java-4.0.40-3.48.2
      spacewalk-java-config-4.0.40-3.48.2
      spacewalk-java-lib-4.0.40-3.48.2
      spacewalk-java-postgresql-4.0.40-3.48.2
      spacewalk-taskomatic-4.0.40-3.48.2
      susemanager-schema-4.0.23-3.32.1
      susemanager-sls-4.0.31-3.37.1
      susemanager-web-libs-4.0.25-3.36.1


References:

   https://www.suse.com/security/cve/CVE-2018-10936.html
   https://www.suse.com/security/cve/CVE-2020-13692.html
   https://bugzilla.suse.com/1144447
   https://bugzilla.suse.com/1172079
   https://bugzilla.suse.com/1173199
   https://bugzilla.suse.com/1175739
   https://bugzilla.suse.com/1175876
   https://bugzilla.suse.com/1175987
   https://bugzilla.suse.com/1176074
   https://bugzilla.suse.com/1176172
   https://bugzilla.suse.com/1177336
   https://bugzilla.suse.com/1177435
   https://bugzilla.suse.com/1177790
   https://bugzilla.suse.com/1178060
   https://bugzilla.suse.com/1178145
   https://bugzilla.suse.com/1178195