SUSE Security Update: Security update for SUSE Manager Server 4.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:0225-1
Rating:             moderate
References:         #1173103 #1173143 #1184617 #1187708 #1188505 
                    #1188900 #1190114 #1190446 #1191192 #1191222 
                    #1191285 #1191313 #1191340 #1191377 #1191412 
                    #1191442 #1191656 #1191702 #1191899 #1192487 
                    #1192514 #1192736 #1193008 #1193585 #1193612 
                    #1193694 #1193832 #1194990 
Cross-References:   CVE-2020-25638
CVSS scores:
                    CVE-2020-25638 (NVD) : 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-25638 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.1
______________________________________________________________________________

   An update that solves one vulnerability and has 27 fixes is
   now available.

Description:

   This update fixes the following issues:

   hibernate5:

   - Fix potential SQL injection CVE-2020-25638 (bsc#1193832)

   mgr-libmod:

   - Version 4.1.10-1
     * require python macros for building

   mgr-osad:

   - Version 4.1.6-1
     * require python macros for building

   prometheus-formula:

   - Version 0.3.5
     * Add support for new Uyuni SD in Prometheus >= 2.31

   py27-compat-salt:

   - Fix `tmpfiles.d` configuration for salt to not use legacy paths
     (bsc#1173103)
   - Remove wrong `_parse_cpe_name` from grains.core
   - Fix file.find tracebacks with non utf8 file names (bsc#1190114)
   - Fix ip6_interface grain to not leak secondary IPv4 aliases (bsc#1191412)
   - Added Python2 build possibility for RHEL8
   - Do not consider skipped targets as failed for ansible.playbooks state
     (bsc#1190446)
   - Fix traceback.*_exc() calls
   - Fix the regression of docker_container state module (bsc#1191285)

   spacecmd:

   - Version 4.1.16-1
     * require python macros for building

   spacewalk-admin:

   - Version 4.1.11-1
     * add service to update configfile and introduce a backup scc user

   spacewalk-backend:

   - Version 4.1.30-1
     * Add headers to update proxy auth token in listChannels (bsc#1193585)
     * require python macros for building
     * Fix the IS_SUSE variable in spacewalk-debug
     * Switch the zypp-plugin dependency to the python3 version
       (bsc#1192514)
     * Minor spec update.
     * Added RHN config parameter httpd_config_dir.

   spacewalk-certs-tools:

   - Version 4.1.20-1
     * Make the bootstrap script use bash when called with a different
       interpreter (bsc#1191656)

   spacewalk-client-tools:

   - Version 4.1.11-1
     * require python macros for building

   spacewalk-java:

   - Version 4.1.43-1
     * Fix stack overflow when building a CLM project from modular sources
       (bsc#1194990)
     * Avoid using RPM tags when filtering modular packages in CLM
       (bsc#1192487)
     * fix XML syntax in cobbler snippets (bsc#1193694)
     * Fix stripping module metadata when cloning channels in CLM
       (bsc#1193008)
     * Fix system information forwarding to SCC (bsc#1188900)
     * forward registration data to SUSE Customer Center
     * Run Prometheus JMX exporter as Java agent (bsc#1184617)
     * Fix calling wrong XMLRPC bootstrap method (bsc#1192736)
     * Fix package update action with shared channels (bsc#1191313)
     * fix issue with empty action chains getting deleted too early
       (bsc#1191377)
     * switch to best repo auth item for contentsources (bsc#1191442)
     * Set product name and version in the User-Agent header when connecting
       to SCC
     * update last boot time of SSH Minions after bootstrapping (bsc#1191899)
     * Mark SSH minion actions when they're picked up (bsc#1188505)
     * Add compressed flag to image pillars when kiwi image is compressed
       (bsc#1191702)
     * mgr-sync refresh logs a message when a vendor channel has expired and
       shows how to remove it (bsc#1191222)
   - Readable error when "mgr-sync add channel" is called with a non-existing
     label (bsc#1173143)

   spacewalk-reports:

   - Version 4.1.5-1
     * Fix the system-history report query so that the subquery on
       rhnxccdftestresult.identifier cannot return more than one row
       (bsc#1191192)

   spacewalk-setup:

   - Version 4.1.10-1
     * Increase "max_event_size" value for the Salt master (bsc#1191340)
     * Leave Cobbler bootloader directory at the default (bsc#1187708)
     * Don't delete cobbler.conf contents.
     * Fixed FileNotFoundError on cobbler setup.
     * cobbler20-setup was removed
     * spacewalk-setup-cobbler was reimplemented in Python
     * Config files for Cobbler are no longer edited in place; the original
       files are saved with a ".backup" suffix

   spacewalk-utils:

   - Version 4.1.19-1
     * require python macros for building

   spacewalk-web:

   - Version 4.1.31-1
     * Update Web UI version to 4.1.13

   suseRegisterInfo:

   - Version 4.1.4-1
     * require python macros for building

   susemanager:

   - Version 4.1.32-1
     * add additional default config values for forwarding registrations to
       SCC

   susemanager-doc-indexes:

   - Troubleshooting section of the Client Configuration Guide: document that
     SUSE Linux Enterprise Server 11 clients also require the previous SSL
     versions to be installed on the server

   susemanager-docs_en:

   - Troubleshooting section of the Client Configuration Guide: document that
     SUSE Linux Enterprise Server 11 clients also require the previous SSL
     versions to be installed on the server

   susemanager-schema:

   - Version 4.1.24-1
     * Fix rhnChannelNewestPackageView in case there are duplicates
       (bsc#1193612)
     * DB schema to support forwarding data to SCC

   susemanager-sls:

   - Version 4.1.32-1
     * Run Prometheus JMX exporter as Java agent (bsc#1184617)
     * Fix problem installing/removing packages using action chains in
       transactional systems
     * Don't create skeleton /srv/salt/top.sls
     * Add missing compressed_hash value from Kiwi inspect (bsc#1191702)

   uyuni-common-libs:

   - Version 4.1.10-1
     * Read modularity data from DISTTAG tag as fallback (bsc#1192487)
     * require python macros for building

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service: `spacewalk-service stop`
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service: `spacewalk-service start`


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2022-225=1
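   The following script is an added example and is not part of the SUSE
   advisory or of SUSE Manager itself. It wraps the four steps above
   (stop the Spacewalk service, apply the patch, start it again) and then
   audits that the fixed builds are really installed, which is the check a
   practitioner wants after a patch that closes a SQL injection in the ORM
   layer. The package names and version-release strings are taken from the
   advisory's package list; the helper names (version_ge, status, audit,
   apply_update) and the FIXED_PACKAGES subset are this example's own.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): apply SUSE-SU-2022:0225-1 on a
# SUSE Manager 4.1 server and confirm that the patched builds are installed.

PATCH_ID="SUSE-SLE-Module-SUSE-Manager-Server-4.1-2022-225=1"

# Constructed subset of the advisory's package list: "name version-release".
# hibernate5 is the package carrying the CVE-2020-25638 fix.
FIXED_PACKAGES="hibernate5 5.3.7-3.6.1
spacewalk-java 4.1.43-3.63.1
spacewalk-backend 4.1.30-4.47.2
susemanager-schema 4.1.24-3.39.2"

# version_ge A B: true when A sorts at or after B in version order.
# GNU sort -V compares the numeric fields of "version-release" strings
# numerically, so 3.10.1 correctly ranks above 3.6.1.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# status INSTALLED FIXED: prints "fixed" when INSTALLED >= FIXED, else "vulnerable".
status() {
    if version_ge "$1" "$2"; then echo fixed; else echo vulnerable; fi
}

# installed_vr NAME: "version-release" of an installed RPM, empty if not installed.
installed_vr() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null
}

# audit: report each package in FIXED_PACKAGES; return 1 if any is behind.
# The while loop runs in a subshell because of the pipe, so "exit 1" there
# only ends the loop and becomes the pipeline's exit status.
audit() {
    rc=0
    printf '%s\n' "$FIXED_PACKAGES" | while read -r name fixed; do
        cur="$(installed_vr "$name")"
        if [ -z "$cur" ]; then
            echo "$name: not installed (skipped)"
        elif [ "$(status "$cur" "$fixed")" = fixed ]; then
            echo "$name: $cur >= $fixed: ok"
        else
            echo "$name: $cur < $fixed: patch not applied" >&2
            exit 1
        fi
    done || rc=1
    return $rc
}

# apply_update: the advisory's procedure, run as root on the server.
apply_update() {
    spacewalk-service stop
    zypper --non-interactive install -t patch "$PATCH_ID"
    spacewalk-service start
}

# Usage (as root): sh patch-0225.sh apply && sh patch-0225.sh audit
case "${1:-}" in
    apply) apply_update ;;
    audit) audit ;;
esac
```

   Run the audit again after a reboot or a later maintenance window: a
   downgrade by a stale mirror or a manually pinned hibernate5 package would
   show up as "patch not applied" even though zypper reported success
   earlier.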



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x x86_64):

      python3-uyuni-common-libs-4.1.10-3.15.1
      susemanager-4.1.32-3.42.2
      susemanager-tools-4.1.32-3.42.2

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):

      hibernate5-5.3.7-3.6.1
      mgr-libmod-4.1.10-3.25.2
      mgr-osa-dispatcher-4.1.6-2.12.2
      prometheus-formula-0.3.5-3.15.1
      py27-compat-salt-3000.3-6.18.1
      python3-mgr-osa-common-4.1.6-2.12.2
      python3-mgr-osa-dispatcher-4.1.6-2.12.2
      python3-spacewalk-certs-tools-4.1.20-3.25.2
      python3-spacewalk-client-tools-4.1.11-4.18.2
      python3-suseRegisterInfo-4.1.4-4.6.2
      spacecmd-4.1.16-4.33.2
      spacewalk-admin-4.1.11-3.18.2
      spacewalk-backend-4.1.30-4.47.2
      spacewalk-backend-app-4.1.30-4.47.2
      spacewalk-backend-applet-4.1.30-4.47.2
      spacewalk-backend-config-files-4.1.30-4.47.2
      spacewalk-backend-config-files-common-4.1.30-4.47.2
      spacewalk-backend-config-files-tool-4.1.30-4.47.2
      spacewalk-backend-iss-4.1.30-4.47.2
      spacewalk-backend-iss-export-4.1.30-4.47.2
      spacewalk-backend-package-push-server-4.1.30-4.47.2
      spacewalk-backend-server-4.1.30-4.47.2
      spacewalk-backend-sql-4.1.30-4.47.2
      spacewalk-backend-sql-postgresql-4.1.30-4.47.2
      spacewalk-backend-tools-4.1.30-4.47.2
      spacewalk-backend-xml-export-libs-4.1.30-4.47.2
      spacewalk-backend-xmlrpc-4.1.30-4.47.2
      spacewalk-base-4.1.31-3.39.1
      spacewalk-base-minimal-4.1.31-3.39.1
      spacewalk-base-minimal-config-4.1.31-3.39.1
      spacewalk-certs-tools-4.1.20-3.25.2
      spacewalk-client-tools-4.1.11-4.18.2
      spacewalk-html-4.1.31-3.39.1
      spacewalk-java-4.1.43-3.63.1
      spacewalk-java-config-4.1.43-3.63.1
      spacewalk-java-lib-4.1.43-3.63.1
      spacewalk-java-postgresql-4.1.43-3.63.1
      spacewalk-reports-4.1.5-3.9.1
      spacewalk-setup-4.1.10-3.15.2
      spacewalk-taskomatic-4.1.43-3.63.1
      spacewalk-utils-4.1.19-3.27.2
      spacewalk-utils-extras-4.1.19-3.27.2
      suseRegisterInfo-4.1.4-4.6.2
      susemanager-doc-indexes-4.1-11.49.2
      susemanager-docs_en-4.1-11.49.1
      susemanager-docs_en-pdf-4.1-11.49.1
      susemanager-schema-4.1.24-3.39.2
      susemanager-sls-4.1.32-3.54.1
      susemanager-web-libs-4.1.31-3.39.1
      uyuni-config-modules-4.1.32-3.54.1


References:

   https://www.suse.com/security/cve/CVE-2020-25638.html
   https://bugzilla.suse.com/1173103
   https://bugzilla.suse.com/1173143
   https://bugzilla.suse.com/1184617
   https://bugzilla.suse.com/1187708
   https://bugzilla.suse.com/1188505
   https://bugzilla.suse.com/1188900
   https://bugzilla.suse.com/1190114
   https://bugzilla.suse.com/1190446
   https://bugzilla.suse.com/1191192
   https://bugzilla.suse.com/1191222
   https://bugzilla.suse.com/1191285
   https://bugzilla.suse.com/1191313
   https://bugzilla.suse.com/1191340
   https://bugzilla.suse.com/1191377
   https://bugzilla.suse.com/1191412
   https://bugzilla.suse.com/1191442
   https://bugzilla.suse.com/1191656
   https://bugzilla.suse.com/1191702
   https://bugzilla.suse.com/1191899
   https://bugzilla.suse.com/1192487
   https://bugzilla.suse.com/1192514
   https://bugzilla.suse.com/1192736
   https://bugzilla.suse.com/1193008
   https://bugzilla.suse.com/1193585
   https://bugzilla.suse.com/1193612
   https://bugzilla.suse.com/1193694
   https://bugzilla.suse.com/1193832
   https://bugzilla.suse.com/1194990

SUSE: 2022:0225-1 moderate: SUSE Manager Server 4.1

January 28, 2022