SUSE: 2020:3466-1 moderate: SUSE Manager Server 4.0
Summary
This update fixes the following issues:

bind-formula:
- Temporarily disable dnssec-validation as hotfix for bsc#1177790
- Update to version 0.1.1603299886.60e4bcf

grafana-formula:
- Use variable for product name
- Add support for system groups in Client Systems dashboard

postgresql-jdbc:
- Address CVE-2020-13692 (bsc#1172079)
- Add patch:
- Major changes since 9.4-1200:
  * License changed to BSD-2-Clause and BSD-3-Clause and Apache-2.0
  * Support for PostgreSQL 9.5, 9.6, 10, 11 and 12 added
  * Support for PostgreSQL versions below 8.2 was dropped
  * Support for JDK8, JDK9, JDK10, JDK11 and JDK12
  * Support for JDK 1.4 and 1.5 was dropped
  * Support for JDBC 4.2 added
  * Add maxResultBuffer property
  * Add caller push of binary data
  * Read only transactions
  * pkcs12 key functionality
  * New "escapeSyntaxCallMode" connection property
  * Connection property to limit server error detail in exception exceptions
  * CancelQuery() added to the PGConnection public interface
  * Support for large update counts (JDBC 4.2)
  * Add binary support for Oid.NUMERIC and Oid.NUMERIC_ARRAY
  * Expose parameter status messages (GUC_REPORT) to the user
  * Log ignoring rollback when no transaction is in progress
  * Map inet type to InetAddress
  * Change IS_GENERATED to IS_GENERATEDCOLUMN as per spec
  * Support temporary replication slots in ReplicationCreateSlotBuilder
  * Return function (PostgreSQL 11) columns in PgDatabaseMetaData#getFunctionColumns
  * Return information on create replication slot; the snapshot_name is now exported to allow a consistent snapshot in some use cases
  * `ssl=true` implies `sslmode=verify-full`, that is, it requires a valid server certificate
  * Support for `sslmode=allow/prefer/require`
  * Added server hostname verification for non-default SSL factories in `sslmode=verify-full` (CVE-2018-10936)
  * PreparedStatement.setNull(int parameterIndex, int t, String typeName) no longer ignores the typeName argument if it is not setNull
  * Reduce the severity of the error log messages when an exception is re-thrown. The error will be thrown to the caller to be dealt with, so there is no need for pgjdbc to log at this verbosity
  * Deprecate Fastpath API (PR 903)
  * Support parentheses in {oj ...} JDBC escape syntax
  * socksProxyHost is ignored in case it contains an empty string
  * Support SCRAM-SHA-256 for PostgreSQL 10 in the JDBC 4.2 version (Java 8+) using the Ongres SCRAM library
  * Make SELECT INTO and CREATE TABLE AS return row counts to the client in their command tags
  * Support Subject Alternative Names for SSL connections
  * Support isAutoIncrement metadata for PostgreSQL 10 IDENTITY columns
  * Support for primitive arrays (PR 887, 3e0491a)
  * Implement support for get/setNetworkTimeout() in connections
  * Make GSS JAAS login optional; add an option "jaasLogin"
  * Improve behaviour of ResultSet.getObject(int, Class)
  * Parse the CommandComplete message using a regular expression, which allows a complete catch of server-returned commands for INSERT, UPDATE, DELETE, SELECT, FETCH, MOVE, COPY and future commands
  * Use 'time with timezone' and 'timestamp with timezone' as is and ignore the user-provided Calendars; 'time' and 'timestamp' work as before, except that "00:00:00" now maps to 1970-01-01 and "24:00:00" uses the system-provided Calendar, ignoring the user-provided one
  * Change behaviour of multihost connections. The new behaviour is to try all secondaries first before trying the master
  * Drop support for the (insecure) crypt authentication method
  * The slave and preferSlave values for the targetServerType connection property have been deprecated in favour of secondary and preferSecondary respectively
  * Statements with a non-zero fetchSize no longer require a server-side named handle. This might cause issues when combining old PostgreSQL versions (pre-8.4), fetchSize and interleaved ResultSet processing
  * Better logic for returning keyword detection. Previously, pgjdbc could be defeated by column names that contain "returning", so pgjdbc failed to "return generated keys" because it considered the statement as already having a returning keyword
  * Use server-prepared statements for batch inserts when prepareThreshold>0. This enables a batch to use server-prepared statements from the first executeBatch() execution (previously it waited for prepareThreshold executeBatch() calls)
  * Replication protocol API was added: see the replication API documentation
  * java.util.logging is now used for logging: see the logging documentation
  * Add support for PreparedStatement.setCharacterStream(int, Reader)
  * Ensure executeBatch() can be used with pgbouncer. Previously pgjdbc could use server-prepared statements for batch execution even with prepareThreshold=0
  * Error position is displayed when SQL has unterminated literals, comments, etc.
  * Strict handling of accepted values in getBoolean and setObject(BOOLEAN); it now follows the PostgreSQL accepted values, and only 1 and 0 are accepted for numeric types (previously !=0 was true)
  * Deprecated PGPoolingDataSource; instead of this class you should use a fully featured connection pool like HikariCP, vibur-dbcp, commons-dbcp, c3p0, etc.
  * The 'current transaction is aborted' exception includes the original exception via the caused-by chain
  * Better support for RETURN_GENERATED_KEYS and statements with a RETURNING clause
  * Avoid user-visible prepared-statement errors if the client uses DEALLOCATE/DISCARD statements (invalidate the cache when those statements are detected)
  * Avoid user-visible prepared-statement errors if the client changes search_path (invalidate the cache when "set search_path" is detected)
  * Support comments when replacing {fn ...} JDBC syntax
  * Support for Types.REF_CURSOR
  * Performance optimization for timestamps (~TimeZone.getDefault optimization)
  * Ability to customize the socket factory (e.g. for unix domain sockets)
  * Ignore empty sub-queries in composite queries
  * Add equality support to PSQLState
  * Improved composite/array type support and type naming changes
- Update to version 42.2.10
- Update to version 42.2.9
- Update to version 42.2.8
- Update to version 42.2.7
- Update to version 42.2.6
- Update to version 42.2.5
- Update to version 42.2.4
- Update to version 42.2.3
- Update to version 42.2.2
- Update to version 42.2.1
- Update to version 42.2.0
- Update to version 42.1.4
- Update to version 42.1.3
- Update to version 42.1.2
- Update to version 42.1.1
- Update to version 42.1.0
- Update to version 42.2.0
- Update to version 9.4.1211
- Update to version 9.4.1210
- Update to version 9.4.1209
- Update to version 9.4.1208
- Update to version 9.4.1207
- Update to version 9.4.1206
- Update to version 9.4.1205
- Update to version 9.4.1204
- Update to version 9.4.1203
- Update to version 9.4.1202
- Update to version 9.4.1201

prometheus-exporters-formula:
- Fix empty directory values initialization
- Disable reverse proxy on default

prometheus-formula:
- Update to version 0.2.3
- Disable Alertmanager clustering (bsc#1178145)
- Update to version 0.2.2
- Use variable for product name

salt-netapi-client:
- Version 0.18.0. See: https://github.com/SUSE/salt-netapi-client/releases/tag/v0.18.0

spacewalk-admin:
- Use the license macro to mark the LICENSE in the package so that the LICENSE file is still installed when installing without docs
- Prevent javax.net.ssl.SSLHandshakeException after upgrading from SUSE Manager 3.2 (bsc#1177435)

spacewalk-backend:
- ISS: Differentiate packages with the same nevra but different checksums in the same channel (bsc#1178195)
- Fix unique machine_id detection (bsc#1176074)

spacewalk-java:
- Revert: Sync state modules when starting action chain execution (bsc#1177336)
- Sync state modules when starting action chain execution (bsc#1177336)
- Fix repo url of AppStream in generated RHEL/CentOS 8 kickstart file (bsc#1175739)
- Log token verify errors and check for expired tokens
- Execute Salt SSH actions in parallel (bsc#1173199)
- Take pool and volume from Salt virt.vm_info for file and block disks (bsc#1175987)
- Fix action chain resuming when patches updating salt-minion don't cause the service to be restarted (bsc#1144447)
- Renaming an autoinstall distro didn't change the name of the Cobbler distro (bsc#1175876)

spacewalk-web:
- Fix link to documentation in Admin -> Manager Configuration -> Monitoring (bsc#1176172)
- Don't allow selecting spice for Xen PV and PVH guests

susemanager:
- Add --force to mgr-create-bootstrap-repo to enforce generation even when some products are not synchronized

susemanager-schema:
- Execute Salt SSH actions in parallel (bsc#1173199)

susemanager-sls:
- Revert: Sync state modules when starting action chain execution (bsc#1177336)
- Sync state modules when starting action chain execution (bsc#1177336)
- Fix grub2 autoinstall kernel path (bsc#1178060)
- Move channel token information from sources.list to auth.conf on Debian 10 and Ubuntu 18 and newer
- Fix action chain resuming when patches updating salt-minion don't cause the service to be restarted (bsc#1144447)
- Make grub2 autoinstall kernel path relative to the boot partition root (bsc#1175876)

How to apply this update:
1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: spacewalk-service stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Upgrade the database schema: spacewalk-schema-upgrade
5. Start the Spacewalk service: spacewalk-service start

Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.0:
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-3466=1

Package List:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64):
  susemanager-4.0.32-3.46.1
  susemanager-tools-4.0.32-3.46.1
- SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):
  bind-formula-0.1.1603299886.60e4bcf-3.11.1
  grafana-formula-0.2.2-4.13.1
  postgresql-jdbc-42.2.10-3.3.1
  prometheus-exporters-formula-0.7.5-3.16.1
  prometheus-formula-0.2.3-4.16.1
  python3-spacewalk-backend-libs-4.0.35-3.38.1
  salt-netapi-client-0.18.0-4.12.1
  spacewalk-admin-4.0.12-3.15.1
  spacewalk-backend-4.0.35-3.38.1
  spacewalk-backend-app-4.0.35-3.38.1
  spacewalk-backend-applet-4.0.35-3.38.1
  spacewalk-backend-config-files-4.0.35-3.38.1
  spacewalk-backend-config-files-common-4.0.35-3.38.1
  spacewalk-backend-config-files-tool-4.0.35-3.38.1
  spacewalk-backend-iss-4.0.35-3.38.1
  spacewalk-backend-iss-export-4.0.35-3.38.1
  spacewalk-backend-package-push-server-4.0.35-3.38.1
  spacewalk-backend-server-4.0.35-3.38.1
  spacewalk-backend-sql-4.0.35-3.38.1
  spacewalk-backend-sql-postgresql-4.0.35-3.38.1
  spacewalk-backend-tools-4.0.35-3.38.1
  spacewalk-backend-xml-export-libs-4.0.35-3.38.1
  spacewalk-backend-xmlrpc-4.0.35-3.38.1
  spacewalk-base-4.0.25-3.36.1
  spacewalk-base-minimal-4.0.25-3.36.1
  spacewalk-base-minimal-config-4.0.25-3.36.1
  spacewalk-html-4.0.25-3.36.1
  spacewalk-java-4.0.40-3.48.2
  spacewalk-java-config-4.0.40-3.48.2
  spacewalk-java-lib-4.0.40-3.48.2
  spacewalk-java-postgresql-4.0.40-3.48.2
  spacewalk-taskomatic-4.0.40-3.48.2
  susemanager-schema-4.0.23-3.32.1
  susemanager-sls-4.0.31-3.37.1
  susemanager-web-libs-4.0.25-3.36.1
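After applying the patch, a practitioner usually wants to confirm that the installed packages actually reached the versions in the package list above. The following added example (not part of the SUSE advisory or of any SUSE tool) does that comparison offline: it splits name-version-release strings, compares version and release with a simplified rpm-style segment comparison, and reports advisory packages that are installed but still older than the fixed build. The advisory subset and the "installed" list are constructed for the example; on a real server the installed list would come from `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`.

```python
import re
from itertools import zip_longest

# Constructed subset of this advisory's Package List (name-version-release).
ADVISORY_PACKAGES = [
    "susemanager-4.0.32-3.46.1",
    "postgresql-jdbc-42.2.10-3.3.1",
    "spacewalk-java-4.0.40-3.48.2",
    "susemanager-schema-4.0.23-3.32.1",
]

def split_nvr(nvr):
    """Split 'name-version-release' into (name, version, release).
    The last two dash-separated fields are version and release; the name may contain dashes."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def _segments(label):
    # rpm compares a label as alternating runs of digits and letters; other characters only separate them
    return re.findall(r"\d+|[A-Za-z]+", label)

def compare_labels(a, b):
    """Simplified rpmvercmp (no tilde/caret handling): -1, 0 or 1 for a<b, a==b, a>b.
    Numeric segments compare as integers (so 10 > 9), alpha segments lexically,
    a numeric segment beats an alpha one, and the label with segments left over wins."""
    for sa, sb in zip_longest(_segments(a), _segments(b)):
        if sa is None:
            return -1
        if sb is None:
            return 1
        if sa.isdigit() and sb.isdigit():
            if int(sa) != int(sb):
                return 1 if int(sa) > int(sb) else -1
        elif sa.isdigit() != sb.isdigit():
            return 1 if sa.isdigit() else -1
        elif sa != sb:
            return 1 if sa > sb else -1
    return 0

def compare_nvr(a, b):
    """Compare two NVR strings of the same package: version first, then release."""
    _, va, ra = split_nvr(a)
    _, vb, rb = split_nvr(b)
    return compare_labels(va, vb) or compare_labels(ra, rb)

def missing_updates(installed, advisory=ADVISORY_PACKAGES):
    """Return names of advisory packages that are installed but older than the fixed build.
    Packages from the advisory that are not installed at all are not reported."""
    have = {split_nvr(p)[0]: p for p in installed}
    return [split_nvr(f)[0] for f in advisory
            if split_nvr(f)[0] in have and compare_nvr(have[split_nvr(f)[0]], f) < 0]

# Constructed sample of an "installed" list: susemanager is still one version behind.
INSTALLED_SAMPLE = [
    "susemanager-4.0.31-3.40.1",
    "postgresql-jdbc-42.2.10-3.3.1",
    "spacewalk-java-4.0.40-3.48.2",
    "bind-formula-0.1.1603299886.60e4bcf-3.11.1",
]
```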
References
#1144447 #1172079 #1173199 #1175739 #1175876
#1175987 #1176074 #1176172 #1177336 #1177435
#1177790 #1178060 #1178145 #1178195
Cross-References: CVE-2018-10936, CVE-2020-13692
Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Server 4.0
https://www.suse.com/security/cve/CVE-2018-10936.html
https://www.suse.com/security/cve/CVE-2020-13692.html
https://bugzilla.suse.com/1144447
https://bugzilla.suse.com/1172079
https://bugzilla.suse.com/1173199
https://bugzilla.suse.com/1175739
https://bugzilla.suse.com/1175876
https://bugzilla.suse.com/1175987
https://bugzilla.suse.com/1176074
https://bugzilla.suse.com/1176172
https://bugzilla.suse.com/1177336
https://bugzilla.suse.com/1177435
https://bugzilla.suse.com/1177790
https://bugzilla.suse.com/1178060
https://bugzilla.suse.com/1178145
https://bugzilla.suse.com/1178195