SUSE: 2021:3561-1 moderate: SUSE Manager Server 4.2
Summary
This update fixes the following issues:

cobbler:
- Fixed modify_setting test to complete successfully

hub-xmlrpc-api:
- Use rpm systemd macro to restart service in place of systemctl

patterns-suse-manager:
- Virtualization-host-formula was renamed to virtualization-formulas

py26-compat-salt:
- Exclude the full path of a download URL to prevent injection of malicious code (bsc#1190265, CVE-2021-21996)

py26-compat-tornado:
- Added compatibility to Enterprise Linux 8

py27-compat-salt:
- Fix the regression of docker_container state module
- Support querying for JSON data in external sql pillar
- Exclude the full path of a download URL to prevent injection of malicious code (bsc#1190265, CVE-2021-21996)
- Fix wrong relative paths resolution with Jinja renderer when importing subdirectories

spacecmd:
- Version 4.2.13-1
  * Update translation strings
  * configchannel_updatefile handles directory properly (bsc#1190512)
  * Add schedule_archivecompleted to mass archive actions (bsc#1181223)
  * Remove whoami from the list of unauthenticated commands (bsc#1188977)

spacewalk-admin:
- Version 4.2.9-1
  * Fix setup with rhn-config-satellite (bsc#1190300)
  * Allow admins to modify only spacewalk config files with rhn-config-satellite.pl (bsc#1190040) (CVE-2021-40348)

spacewalk-backend:
- Version 4.2.17-1
  * Update translation strings
  * handle download of metadata filenames with checksums (bsc#1188315)
  * Sanitize cached filename for custom SSL certs used by reposync (bsc#1190751)

spacewalk-certs-tools:
- Version 4.2.13-1
  * add GPG keys using apt-key on debian machines (bsc#1187998)

spacewalk-client-tools:
- Version 4.2.14-1
  * Update translation strings

spacewalk-java:
- Version 4.2.30-1
  * Fix datetime format parsing with moment (bsc#1191348)
- Version 4.2.29-1
  * Update translation strings
  * fix logging of the spark framework and map requests to media.1 directory in the download controller (bsc#1189933)
  * Add 'Last build date' column to CLM project list (jsc#PM-2644) (jsc#SUMA-61)
  * Improve exception handling and logging for mgr-libmod calls
  * Add checksums to repository metadata filenames (bsc#1188315)
  * Fix ISE in product migration if base product is missing (bsc#1190151)
  * use TLSv1.3 if it is a supported Protocol
  * Adapt auto errata update to respect maintenance windows
  * Adapt auto errata update to skip during CLM build (bsc#1189609)
  * add CentOS 7/8 aarch64
  * add Oracle Linux 7/8 aarch64
  * add Rocky Linux 8 aarch64
  * add AlmaLinux 8 aarch64
  * add Amazon Linux 2 aarch64
  * Add new endpoints to saltkeys API: acceptedList, pendingList, rejectedList, deniedList, accept and reject
  * fix ISE in SSM when scheduling patches on multiple systems (bsc#1190396, bsc#1190275)
  * Add 'Flush cache' option to Ansible playbook execution (bsc#1190405)
  * Update kernel live patch version on minion startup (bsc#1190276)
  * Allow getting all completed actions via XMLRPC without display limit (bsc#1181223)
  * Support syncing patches with advisory status 'pending' (bsc#1190455)
  * Add XMLRPC API to force refreshing pillar data (bsc#1190123)
  * Add missing string on XCCDF scan results (bsc#1190164)
  * Ignore duplicates in 'pkg.installed' result when applying patches (bsc#1187572)
  * Improved timezone support
  * implement package locking for salt minions

spacewalk-utils:
- Version 4.2.14-1
  * When renaming: don't regenerate CA, allow using third-party certificate and trigger pillar refresh (bsc#1190123)

spacewalk-web:
- Version 4.2.23-1
  * Fix datetime format parsing with moment (bsc#1191348)
- Version 4.2.22-1
  * Add 'Last build date' column to CLM project list (jsc#PM-2644) (jsc#SUMA-61)
  * Fix 'Type' input in CLM source edit form (bsc#1190820)
  * Add 'Flush cache' checkbox to Ansible playbook execution page (bsc#1190405)
  * Fix the VM creation and editing submit button action (bsc#1190602)
  * Improved timezone support
  * Enhance the default base channel help message (bsc#1171520)

subscription-matcher:
- Version 0.27
  * update subscription rules for new SKUs (bsc#1189818)

supportutils-plugin-susemanager:
- Version 4.2.3-1
  * detect broken symlinks in tomcat, taskomatic and search daemon

susemanager:
- Version 4.2.25-1
  * Add python-mako, python-gnupg and gnupg1 to the Debian 9 bootstrap repository so bootstrapping without any enabled repositories is possible (bsc#1191898)
  * Fix syntax error on migration script (bsc#1191551)
  * Add aarch64 bootstrap repositories for CentOS 7/8, Oracle Linux 7/8, Rocky Linux 8, AlmaLinux 8, Amazon Linux 2 and openSUSE Leap 15.3
  * Add the gnupg package for ubuntu which is then needed by apt-key (bsc#1187998)
  * Add SLE 15 SAP Product ID to SLE15 bootstrap repositories, as it is required to get python3-M2Crypto (bsc#1189422)

susemanager-doc-indexes:
- Added aarch64 support for selection of clients in the Installation Guide and Client Configuration Guide
- Documented Amazon Web Services permissions for Virtual Host Manager in the Virtual Host Manager and Amazon Web Service chapters in the Client Configuration Guide
- Fixed unpublished patches note in the server update chapter of the Upgrade Guide
- Updated Proxy installation screenshots to reflect SUSE Manager 4.2 version in the Installation Guide
- Updated migration instructions to help avoid migration from Proxy 4.0 to 4.1 if 4.2 is already available to the Upgrade Guide
- Fixed mgr-cfg-* issues in appendix of the Reference Guide. Run the commands on the client (bsc#1190166)
- Removed Portus and CaaSP references from the image management chapter of the Administration Guide
- Documented package lock as a supported feature for some Salt clients in the Client Configuration Guide.

susemanager-docs_en:
- Added aarch64 support for selection of clients in the Installation Guide and Client Configuration Guide
- Documented Amazon Web Services permissions for Virtual Host Manager in the Virtual Host Manager and Amazon Web Service chapters in the Client Configuration Guide
- Fixed unpublished patches note in the server update chapter of the Upgrade Guide
- Updated Proxy installation screenshots to reflect SUSE Manager 4.2 version in the Installation Guide
- Updated migration instructions to help avoid migration from Proxy 4.0 to 4.1 if 4.2 is already available to the Upgrade Guide
- Fixed mgr-cfg-* issues in appendix of the Reference Guide. Run the commands on the client (bsc#1190166)
- Removed Portus and CaaSP references from the image management chapter of the Administration Guide
- Documented package lock as a supported feature for some Salt clients in the Client Configuration Guide.

susemanager-schema:
- Version 4.2.18-1
  * create unique index on package details action id (bsc#1190396, bsc#1190275)
  * Add 'flush_cache' flag to Ansible playbook execution action (bsc#1190405)
  * Support syncing patches with advisory status 'pending' (bsc#1190455)
  * allow Ansible Control Node entitlement for aarch64, ppc64le and s390x (bsc#1189799)
  * implement package locking for salt minions

susemanager-sls:
- Version 4.2.18-1
  * Fix cpuinfo grain and virt_utils state python2 compatibility (bsc#1191139, bsc#1191123)
  * deploy certificate on SLE Micro 5.1
  * Realign pkgset cookie path for Salt Bundle changes
  * Fix pkgset beacon to work with salt-minion 2016.11.10 (bsc#1189260)
  * Fix virt grain python2 compatibility
  * Fix mgrcompat state module to work with Salt 3003 and 3004
  * Add 'flush_cache' flag to 'ansible.playbooks' call (bsc#1190405)
  * Update kernel live patch version on minion startup (bsc#1190276)
  * don't use libvirt API to get its version for the virt features grain
  * implement package locking for salt minions

susemanager-sync-data:
- Version 4.2.9-1
  * add CentOS 7/8 aarch64
  * add Oracle Linux 7/8 aarch64
  * add Rocky Linux 8 aarch64
  * add AlmaLinux 8 aarch64
  * add Amazon Linux 2 aarch64

How to apply this update:
1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-service start`

Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2:
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2021-3561=1

Package List:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64):
  hub-xmlrpc-api-0.7-3.3.3
  hub-xmlrpc-api-debuginfo-0.7-3.3.3
  inter-server-sync-0.0.5-8.6.3
  inter-server-sync-debuginfo-0.0.5-8.6.3
  patterns-suma_retail-4.2-4.3.1
  patterns-suma_server-4.2-4.3.1
  py26-compat-tornado-4.2.1-3.3.1
  py26-compat-tornado-debuginfo-4.2.1-3.3.1
  py26-compat-tornado-debugsource-4.2.1-3.3.1
  susemanager-4.2.25-3.13.1
  susemanager-tools-4.2.25-3.13.1
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):
  cobbler-3.1.2-5.11.1
  py26-compat-salt-2016.11.10-11.28.9.1
  py27-compat-salt-3000.3-7.7.11.1
  python3-spacewalk-certs-tools-4.2.13-3.9.2
  python3-spacewalk-client-tools-4.2.14-4.9.3
  spacecmd-4.2.13-4.9.1
  spacewalk-admin-4.2.9-3.6.2
  spacewalk-backend-4.2.17-4.9.3
  spacewalk-backend-app-4.2.17-4.9.3
  spacewalk-backend-applet-4.2.17-4.9.3
  spacewalk-backend-config-files-4.2.17-4.9.3
  spacewalk-backend-config-files-common-4.2.17-4.9.3
  spacewalk-backend-config-files-tool-4.2.17-4.9.3
  spacewalk-backend-iss-4.2.17-4.9.3
  spacewalk-backend-iss-export-4.2.17-4.9.3
  spacewalk-backend-package-push-server-4.2.17-4.9.3
  spacewalk-backend-server-4.2.17-4.9.3
  spacewalk-backend-sql-4.2.17-4.9.3
  spacewalk-backend-sql-postgresql-4.2.17-4.9.3
  spacewalk-backend-tools-4.2.17-4.9.3
  spacewalk-backend-xml-export-libs-4.2.17-4.9.3
  spacewalk-backend-xmlrpc-4.2.17-4.9.3
  spacewalk-base-4.2.23-3.9.3
  spacewalk-base-minimal-4.2.23-3.9.3
  spacewalk-base-minimal-config-4.2.23-3.9.3
  spacewalk-certs-tools-4.2.13-3.9.2
  spacewalk-client-tools-4.2.14-4.9.3
  spacewalk-html-4.2.23-3.9.3
  spacewalk-java-4.2.30-3.14.4
  spacewalk-java-config-4.2.30-3.14.4
  spacewalk-java-lib-4.2.30-3.14.4
  spacewalk-java-postgresql-4.2.30-3.14.4
  spacewalk-taskomatic-4.2.30-3.14.4
  spacewalk-utils-4.2.14-3.9.3
  spacewalk-utils-extras-4.2.14-3.9.3
  subscription-matcher-0.27-6.3.1
  supportutils-plugin-susemanager-4.2.3-3.3.2
  susemanager-doc-indexes-4.2-12.11.3
  susemanager-docs_en-4.2-12.11.1
  susemanager-docs_en-pdf-4.2-12.11.1
  susemanager-schema-4.2.18-3.9.3
  susemanager-sls-4.2.18-3.11.1
  susemanager-sync-data-4.2.9-3.9.1
  susemanager-web-libs-4.2.23-3.9.3
  uyuni-config-modules-4.2.18-3.11.1
  virtualization-formulas-0.6.1-8.3.1
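A post-update verification script, added here as an example and not part of the SUSE advisory: it reads `rpm -qa` output and reports which of the packages fixed by 2021:3561-1 are still installed below the version in the Package List, using a simplified rpm version comparison. The FIXED table is a subset of the advisory's noarch package list; the sample rpm output and its old spacewalk-admin build are constructed for illustration, and tilde/caret semantics of the real rpmvercmp are omitted.

```python
r"""Post-update check for SUSE Manager Server 4.2 update 2021:3561-1: given
`rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output, report fixed packages
still installed below the fixed version."""
import re

# NAME -> VERSION-RELEASE as listed in the advisory's Package List (noarch set).
FIXED = {
    "py26-compat-salt": "2016.11.10-11.28.9.1",
    "py27-compat-salt": "3000.3-7.7.11.1",
    "spacewalk-admin": "4.2.9-3.6.2",
    "spacewalk-backend": "4.2.17-4.9.3",
    "spacecmd": "4.2.13-4.9.1",
}

# Constructed sample of rpm -qa output; spacewalk-admin is still an old build.
SAMPLE_RPM_QA = """\
spacewalk-admin 4.2.8-3.3.1
py27-compat-salt 3000.3-7.7.11.1
spacecmd 4.2.13-4.9.1
spacewalk-backend 4.2.17-4.10.1
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: numeric segments compare as integers, alpha
    segments lexically, numeric beats alpha; tilde/caret handling omitted."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments wins

def evr_cmp(a: str, b: str) -> int:
    """Compare VERSION-RELEASE strings: version first, then release."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)

def unpatched(rpm_qa_output: str) -> dict:
    """Return {name: installed VERSION-RELEASE} for FIXED packages below the fix."""
    installed = dict(line.split() for line in rpm_qa_output.splitlines() if line.strip())
    return {n: installed[n] for n, fix in FIXED.items()
            if n in installed and evr_cmp(installed[n], fix) < 0}
```

Packages that are not installed at all are not reported, since an absent package cannot carry the vulnerable code.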
References
#1171520 #1181223 #1187572 #1187998 #1188315
#1188977 #1189260 #1189422 #1189609 #1189799
#1189818 #1189933 #1190040 #1190123 #1190151
#1190164 #1190166 #1190265 #1190275 #1190276
#1190300 #1190396 #1190405 #1190455 #1190512
#1190602 #1190751 #1190820 #1191123 #1191139
#1191348 #1191551 #1191898 PM-2644 SUMA-61
Cross-References: CVE-2021-21996 CVE-2021-40348
CVSS scores:
CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CVE-2021-40348 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2
https://www.suse.com/security/cve/CVE-2021-21996.html
https://www.suse.com/security/cve/CVE-2021-40348.html
https://bugzilla.suse.com/1171520
https://bugzilla.suse.com/1181223
https://bugzilla.suse.com/1187572
https://bugzilla.suse.com/1187998
https://bugzilla.suse.com/1188315
https://bugzilla.suse.com/1188977
https://bugzilla.suse.com/1189260
https://bugzilla.suse.com/1189422
https://bugzilla.suse.com/1189609
https://bugzilla.suse.com/1189799
https://bugzilla.suse.com/1189818
https://bugzilla.suse.com/1189933
https://bugzilla.suse.com/1190040
https://bugzilla.suse.com/1190123
https://bugzilla.suse.com/1190151
https://bugzilla.suse.com/1190164
https://bugzilla.suse.com/1190166
https://bugzilla.suse.com/1190265
https://bugzilla.suse.com/1190275
https://bugzilla.suse.com/1190276
https://bugzilla.suse.com/1190300
https://bugzilla.suse.com/1190396
https://bugzilla.suse.com/1190405
https://bugzilla.suse.com/1190455
https://bugzilla.suse.com/1190512
https://bugzilla.suse.com/1190602
https://bugzilla.suse.com/1190751
https://bugzilla.suse.com/1190820
https://bugzilla.suse.com/1191123
https://bugzilla.suse.com/1191139
https://bugzilla.suse.com/1191348
https://bugzilla.suse.com/1191551
https://bugzilla.suse.com/1191898