SUSE Security Update: Security update for SUSE Manager Server 4.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:0225-1
Rating:             moderate
References:         #1173103 #1173143 #1184617 #1187708 #1188505 
                    #1188900 #1190114 #1190446 #1191192 #1191222 
                    #1191285 #1191313 #1191340 #1191377 #1191412 
                    #1191442 #1191656 #1191702 #1191899 #1192487 
                    #1192514 #1192736 #1193008 #1193585 #1193612 
                    #1193694 #1193832 #1194990 
Cross-References:   CVE-2020-25638
CVSS scores:
                    CVE-2020-25638 (NVD) : 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-25638 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.1
______________________________________________________________________________

   An update that solves one vulnerability and has 27 fixes is
   now available.

Description:

   This update fixes the following issues:

   hibernate5:

   - Fix potential SQL injection CVE-2020-25638 (bsc#1193832)

   mgr-libmod:

   - Version 4.1.10-1
     * require python macros for building

   mgr-osad:

   - Version 4.1.6-1
     * require python macros for building

   prometheus-formula:

   - Version 0.3.5
     * Add support for new Uyuni SD in Prometheus >= 2.31

   py27-compat-salt:

   - Fix `tmpfiles.d` configuration for salt to not use legacy paths
     (bsc#1173103)
   - Remove wrong `_parse_cpe_name` from grains.core
   - Fix file.find tracebacks with non utf8 file names (bsc#1190114)
   - Fix ip6_interface grain to not leak secondary IPv4 aliases (bsc#1191412)
   - Added Python2 build possibility for RHEL8
   - Do not consider skipped targets as failed for ansible.playbooks state
     (bsc#1190446)
   - Fix traceback.*_exc() calls
   - Fix the regression of docker_container state module (bsc#1191285)

   spacecmd:

   - Version 4.1.16-1
     * require python macros for building

   spacewalk-admin:

   - Version 4.1.11-1
     * add service to update configfile and introduce a backup scc user

   spacewalk-backend:

   - Version 4.1.30-1
     * Add headers to update proxy auth token in listChannels (bsc#1193585)
     * require python macros for building
     * Fix the IS_SUSE variable in spacewalk-debug
     * exchange zypp-plugin dependency to use the python3 version
       (bsc#1192514)
     * Minor spec update.
     * Added RHN config parameter httpd_config_dir.

   spacewalk-certs-tools:

   - Version 4.1.20-1
     * Make bootstrap script to use bash when called with a different
       interpreter (bsc#1191656)

   spacewalk-client-tools:

   - Version 4.1.11-1
     * require python macros for building

   spacewalk-java:

   - Version 4.1.43-1
     * Fix stack overflow when building a CLM project from modular sources
       (bsc#1194990)
     * Avoid using RPM tags when filtering modular packages in CLM
       (bsc#1192487)
     * fix XML syntax in cobbler snippets (bsc#1193694)
     * Fix stripping module metadata when cloning channels in CLM
       (bsc#1193008)
     * Fix system information forwarding to SCC (bsc#1188900)
     * forward registration data to SUSE Customer Center
     * Run Prometheus JMX exporter as Java agent (bsc#1184617)
     * Fix calling wrong XMLRPC bootstrap method (bsc#1192736)
     * Fix package update action with shared channels (bsc#1191313)
     * fix issue with empty action chains getting deleted too early
       (bsc#1191377)
     * switch to best repo auth item for contentsources (bsc#1191442)
     * Set product name and version in the User-Agent header when connecting
       to SCC
     * update last boot time of SSH Minions after bootstrapping (bsc#1191899)
     * Mark SSH minion actions when they're picked up (bsc#1188505)
     * Add compressed flag to image pillars when kiwi image is compressed
       (bsc#1191702)
     * mgr-sync refresh logs when a vendor channel is expired and shows how
       to remove it (bsc#1191222)
   - Readable error when "mgr-sync add channel" is called with a non-existing
     label (bsc#1173143)

   spacewalk-reports:

   - Version 4.1.5-1
     * Fixes query for system-history report to prevent more than one row
       returned by a subquery with rhnxccdftestresult.identifier (bsc#1191192)

   spacewalk-setup:

   - Version 4.1.10-1
     * Increase "max_event_size" value for the Salt master (bsc#1191340)
     * Leave Cobbler bootloader directory at the default (bsc#1187708)
     * Don't delete cobbler.conf contents.
     * Fixed FileNotFoundError on cobbler setup.
     * cobbler20-setup was removed
     * spacewalk-setup-cobbler was reimplemented in Python
     * Config files for Cobbler don't get edited in place anymore, thus the
       original ones are saved with a ".backup" suffix

   spacewalk-utils:

   - Version 4.1.19-1
     * require python macros for building

   spacewalk-web:

   - Version 4.1.31-1
     * Update Web UI version to 4.1.13

   suseRegisterInfo:

   - Version 4.1.4-1
     * require python macros for building

   susemanager:

   - Version 4.1.32-1
     * add additional default config values for forwarding registrations to
       SCC

   susemanager-doc-indexes:

   - In the Troubleshooting section of the Client Configuration Guide, SUSE
     Linux Enterprise Server 11 clients also require previous SSL versions
     installed on the server

   susemanager-docs_en:

   - In the Troubleshooting section of the Client Configuration Guide, SUSE
     Linux Enterprise Server 11 clients also require previous SSL versions
     installed on the server

   susemanager-schema:

   - Version 4.1.24-1
     * Fix rhnChannelNewestPackageView in case there are duplicates
       (bsc#1193612)
     * DB schema to support forwarding data to SCC

   susemanager-sls:

   - Version 4.1.32-1
     * Run Prometheus JMX exporter as Java agent (bsc#1184617)
     * Fix problem installing/removing packages using action chains in
       transactional systems
     * Don't create skeleton /srv/salt/top.sls
     * Add missing compressed_hash value from Kiwi inspect (bsc#1191702)

   uyuni-common-libs:

   - Version 4.1.10-1
     * Read modularity data from DISTTAG tag as fallback (bsc#1192487)
     * require python macros for building

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service: `spacewalk-service stop`
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service: `spacewalk-service start`


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2022-225=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x x86_64):

      python3-uyuni-common-libs-4.1.10-3.15.1
      susemanager-4.1.32-3.42.2
      susemanager-tools-4.1.32-3.42.2

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):

      hibernate5-5.3.7-3.6.1
      mgr-libmod-4.1.10-3.25.2
      mgr-osa-dispatcher-4.1.6-2.12.2
      prometheus-formula-0.3.5-3.15.1
      py27-compat-salt-3000.3-6.18.1
      python3-mgr-osa-common-4.1.6-2.12.2
      python3-mgr-osa-dispatcher-4.1.6-2.12.2
      python3-spacewalk-certs-tools-4.1.20-3.25.2
      python3-spacewalk-client-tools-4.1.11-4.18.2
      python3-suseRegisterInfo-4.1.4-4.6.2
      spacecmd-4.1.16-4.33.2
      spacewalk-admin-4.1.11-3.18.2
      spacewalk-backend-4.1.30-4.47.2
      spacewalk-backend-app-4.1.30-4.47.2
      spacewalk-backend-applet-4.1.30-4.47.2
      spacewalk-backend-config-files-4.1.30-4.47.2
      spacewalk-backend-config-files-common-4.1.30-4.47.2
      spacewalk-backend-config-files-tool-4.1.30-4.47.2
      spacewalk-backend-iss-4.1.30-4.47.2
      spacewalk-backend-iss-export-4.1.30-4.47.2
      spacewalk-backend-package-push-server-4.1.30-4.47.2
      spacewalk-backend-server-4.1.30-4.47.2
      spacewalk-backend-sql-4.1.30-4.47.2
      spacewalk-backend-sql-postgresql-4.1.30-4.47.2
      spacewalk-backend-tools-4.1.30-4.47.2
      spacewalk-backend-xml-export-libs-4.1.30-4.47.2
      spacewalk-backend-xmlrpc-4.1.30-4.47.2
      spacewalk-base-4.1.31-3.39.1
      spacewalk-base-minimal-4.1.31-3.39.1
      spacewalk-base-minimal-config-4.1.31-3.39.1
      spacewalk-certs-tools-4.1.20-3.25.2
      spacewalk-client-tools-4.1.11-4.18.2
      spacewalk-html-4.1.31-3.39.1
      spacewalk-java-4.1.43-3.63.1
      spacewalk-java-config-4.1.43-3.63.1
      spacewalk-java-lib-4.1.43-3.63.1
      spacewalk-java-postgresql-4.1.43-3.63.1
      spacewalk-reports-4.1.5-3.9.1
      spacewalk-setup-4.1.10-3.15.2
      spacewalk-taskomatic-4.1.43-3.63.1
      spacewalk-utils-4.1.19-3.27.2
      spacewalk-utils-extras-4.1.19-3.27.2
      suseRegisterInfo-4.1.4-4.6.2
      susemanager-doc-indexes-4.1-11.49.2
      susemanager-docs_en-4.1-11.49.1
      susemanager-docs_en-pdf-4.1-11.49.1
      susemanager-schema-4.1.24-3.39.2
      susemanager-sls-4.1.32-3.54.1
      susemanager-web-libs-4.1.31-3.39.1
      uyuni-config-modules-4.1.32-3.54.1
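
   A post-update check for the procedure and Package List above, added here as
   an example and not part of the SUSE advisory: it compares installed
   "name version-release" pairs with the fixed versions from the Package List.
   The function names, the chosen subset of packages and the sample input are
   assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare installed packages with fixed versions from the
# Package List of SUSE-SU-2022:0225-1 (subset chosen for illustration).
FIXED='hibernate5 5.3.7-3.6.1
spacewalk-java 4.1.43-3.63.1
spacewalk-backend 4.1.30-4.47.2
susemanager-schema 4.1.24-3.39.2'

# Constructed sample input (not from a real host): hibernate5 still at an
# older, made-up release and susemanager-schema absent.
SAMPLE='hibernate5 5.3.7-3.3.1
spacewalk-java 4.1.43-3.63.1
spacewalk-backend 4.1.30-4.47.2'

# ver_ge A B: succeed when version-release A >= B.
# Assumption: GNU `sort -V` is an adequate stand-in for rpm's comparison here
# (no epochs or "~" pre-release markers appear in these versions).
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_fixed: read "name version-release" lines on stdin and print one
# status line per package in FIXED; return 1 if any is missing or older.
check_fixed() {
    installed=$(cat)
    rc=0
    while read -r name want; do
        have=$(printf '%s\n' "$installed" |
            awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "MISSING $name (fixed in $want)"; rc=1
        elif ver_ge "$have" "$want"; then
            echo "OK $name $have"
        else
            echo "OUTDATED $name $have < $want"; rc=1
        fi
    done <<EOF
$FIXED
EOF
    return "$rc"
}

# Demo on the constructed sample; on a server, pipe in the output of
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' hibernate5 spacewalk-java ...
printf '%s\n' "$SAMPLE" | check_fixed || echo "update not fully applied"
```

   A non-zero return from check_fixed means at least one listed package is
   missing or older than the version shipped with this update.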


References:

   https://www.suse.com/security/cve/CVE-2020-25638.html
   https://bugzilla.suse.com/1173103
   https://bugzilla.suse.com/1173143
   https://bugzilla.suse.com/1184617
   https://bugzilla.suse.com/1187708
   https://bugzilla.suse.com/1188505
   https://bugzilla.suse.com/1188900
   https://bugzilla.suse.com/1190114
   https://bugzilla.suse.com/1190446
   https://bugzilla.suse.com/1191192
   https://bugzilla.suse.com/1191222
   https://bugzilla.suse.com/1191285
   https://bugzilla.suse.com/1191313
   https://bugzilla.suse.com/1191340
   https://bugzilla.suse.com/1191377
   https://bugzilla.suse.com/1191412
   https://bugzilla.suse.com/1191442
   https://bugzilla.suse.com/1191656
   https://bugzilla.suse.com/1191702
   https://bugzilla.suse.com/1191899
   https://bugzilla.suse.com/1192487
   https://bugzilla.suse.com/1192514
   https://bugzilla.suse.com/1192736
   https://bugzilla.suse.com/1193008
   https://bugzilla.suse.com/1193585
   https://bugzilla.suse.com/1193612
   https://bugzilla.suse.com/1193694
   https://bugzilla.suse.com/1193832
   https://bugzilla.suse.com/1194990