SUSE Security Update: Security update for SUSE Manager Server 4.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:0593-1
Rating:             moderate
References:         #1097531 #1173103 #1189561 #1190781 #1191192 
                    #1191285 #1191857 #1192321 #1192368 #1192440 
                    #1192487 #1192510 #1192514 #1192550 #1192566 
                    #1192699 #1192776 #1193008 #1193292 #1193565 
                    #1193585 #1193612 #1193694 #1193832 #1194044 
                    #1194397 #1194862 #1194905 #1194990 #1195171 
                    
Cross-References:   CVE-2020-25638
CVSS scores:
                    CVE-2020-25638 (NVD) : 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-25638 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.2
                    SUSE Manager Server 4.2
______________________________________________________________________________

   An update that solves one vulnerability and has 29 fixes is
   now available.

Description:

   This update fixes the following issues:

   c3p0:

   - Build with log4j mapper

   dhcpd-formula:

   - Update to version 0.1.1641480250.d5bd14c
     * make routers option optional

   hibernate5:

   - Fix potential SQL injection CVE-2020-25638 (bsc#1193832)

   mgr-libmod:

   - Version 4.2.7-1
     * require python macros for building

   mgr-osad:

   - Version 4.2.7-1
     * Do not build python 2 package for SLE15SP4 and higher
     * require python macros for building

   mgr-push:

   - Version 4.2.4-1
     * Do not build python 2 package for SLE15SP4 and higher

   py27-compat-salt:

   - Fix inspector module export function (bsc#1097531)
   - Fix possible traceback on ip6_interface grain (bsc#1193565)
   - Don't check for cached pillar errors on state.apply (bsc#1190781)
   - Simplify the "transactional_update" module so it no longer uses the SSH
     wrapper and allows more flexible execution
   - Add a "--no-return-event" option to salt-call to prevent sending the
     return event back to the master.
   - Make "state.highstate" act on the concurrent flag.
   - Fix the regression with invalid syntax in test_parse_cpe_name_v23.
   - Fix tmpfiles.d configuration for salt to not use legacy paths
     (bsc#1173103)
   - Fix the regression of docker_container state module (bsc#1191285)

   rhnlib:

   - Version 4.2.5-1
     * do not build python 2 package for SLE15

   salt-netapi-client:

   - Hotfix (bsc#1192550):
   - Version 0.19.0
     * See: https://github.com/SUSE/salt-netapi-client/releases/tag/v0.19.0

   saltboot-formula:

   - Update to version 0.1.1637232240.87d79ed
     * Prevent python failure under some circumstances when filesystem was
       not set (bsc#1192440)
     * Add missing boot_images option in SLE11 saltboot version

   spacecmd:

   - Version 4.2.15-1
     * require python macros for building

   spacewalk-backend:

   - Version 4.2.19-1
     * Retrieve and store copyright information about patches
     * SLES PAYG client support on cloud
     * Add headers to update proxy auth token in listChannels (bsc#1193585)
     * require python macros for building
     * exchange zypp-plugin dependency to use the python3 version
       (bsc#1192514)

   spacewalk-branding:

   - Version 4.2.12-1
     * Fix header search autofocus

   spacewalk-client-tools:

   - Version 4.2.16-1
     * do not build python 2 package for SLE15
     * require python macros for building

   spacewalk-config:

   - Version 4.2.5-1
     * add migration for changed rhn.conf values

   spacewalk-java:

   - Version 4.2.32-1
     * Pass only selected servers to taskomatic for cancellation (bsc#1194044)
     * Added rights field to generated updateinfo.xml to handle copyright
     * provide static configuration key name for SSHMinionActionExecutor
       parallel threads
     * Add support for custom SSH port for SSH minions
     * add ubuntu errata data and install handling
     * Fix stack overflow when building a CLM project from modular sources
       (bsc#1194990)
     * SLES PAYG client support on cloud
     * Change order of 'Relevant' and 'All' in patches menu
     * Handle multiple Kiwi bundles (bsc#1194905)
     * Install product by default after a channel is subscribed
     * Improve token validation logs
     * fix possible race condition in job handling (bsc#1192510)
     * Migrate the displaying of the date/time to rhn:formatDate
     * Add additional matchers to package (nevra) filter
     * Add greater equals matcher to package (nevra) filter
     * fix XML syntax in cobbler snippets (bsc#1193694)
     * Add new endpoints to packages API: schedulePackageLockChange,
       listPackagesLockStatus
     * Avoid using RPM tags when filtering modular packages in CLM
       (bsc#1192487)
     * Fix stripping module metadata when cloning channels in CLM
       (bsc#1193008)
     * UI and API call for changing proxy
     * require postgresql14 on SLE15 SP4
     * Update proxy path on minion connection
     * fix actionchain stuck in pending/picked up (bsc#1189561)
     * fix parsing error by making SCAP Profile description attribute
       optional (bsc#1192321)
     * Show salt ssh error message in failed action details

   spacewalk-reports:

   - Version 4.2.7-1
     * Fix the query for the system-history report so that the subquery on
       rhnxccdftestresult.identifier cannot return more than one row
       (bsc#1191192)

   spacewalk-search:

   - Version 4.2.6-1
     * Rename jakarta to apache on SPEC

   spacewalk-setup:

   - Version 4.2.10-1
     * During upgrade, set the tomcat connector connectionTimeout to 900000 if
       the previous value is the old default (20000)

   spacewalk-utils:

   - Version 4.2.15-1
     * require python macros for building

   spacewalk-web:

   - Version 4.2.25-1
     * Add support for custom SSH port for SSH minions
     * SLES PAYG client support on cloud
     * Migrate the displaying of the date/time to rhn:formatDate, get rid of
       the legacy fmt:formatDate glue
     * Fix header search autofocus
     * Fix virtual systems list request error (bsc#1194397)
     * UI for changing proxy
     * Fix legacy timepicker passing wrong time to the backend if server and
       user time differ (bsc#1192699)
     * Fix legacy timepicker passing wrong time to the backend if selected
       date is in summer time (bsc#1192776)

   suseRegisterInfo:

   - Version 4.2.5-1
     * require python macros for building
     * Do not build python 2 package for SLE15 and higher

   susemanager:

   - Version 4.2.27-1
     * mgr-setup: do not concatenate www and apache groups (bsc#1195171)
     * fix pg-migrate to check version of postgresql??-server (bsc#1192368)
     * remove obsoleted sysv init script (bsc#1191857)

   susemanager-doc-indexes:

   - Added instructions for Pay-as-you-go to the Installation Guide
   - In the Client Configuration Guide, documented finding channel names for
     registering older SUSE Linux Enterprise clients
   - Documented moving Salt clients between proxies in the Client
     Configuration Guide
   - Added grub.cfg for GRUB 2 in the Upgrade chapter of the Client
   - In the Troubleshooting section of the Client Configuration Guide,
     documented that SUSE Linux Enterprise Server 11 clients require previous
     SSL versions installed on the server
   - In the Retail Guide, adjust branch server version numbers (bsc#1193292)

   susemanager-docs_en:

   - Added instructions for Pay-as-you-go to the Installation Guide
   - In the Client Configuration Guide, documented finding channel names for
     registering older SUSE Linux Enterprise clients
   - Documented moving Salt clients between proxies in the Client
     Configuration Guide
   - Added grub.cfg for GRUB 2 in the Upgrade chapter of the Client
   - In the Troubleshooting section of the Client Configuration Guide,
     documented that SUSE Linux Enterprise Server 11 clients require previous
     SSL versions installed on the server
   - In the Retail Guide, adjust branch server version numbers (bsc#1193292)

   susemanager-schema:

   - Version 4.2.20-1
     * Added rights column to rhnerrata to handle copyright information
     * Add support for custom SSH port for SSH minions
     * add ubuntu errata data and install handling
     * SLES PAYG client support on cloud
     * Replace not existing Asia/Beijing timezone with Asia/Shanghai
       (bsc#1194862)
     * Continue with index migration when the expected indexes do not exist
       (bsc#1192566)
     * Fix changing of existing proxy path
     * Add pillars to Apply States action
     * Fix rhnChannelNewestPackageView in case there are duplicates
       (bsc#1193612)

   susemanager-sls:

   - Version 4.2.20-1
     * Handle multiple Kiwi bundles (bsc#1194905)
     * enforce correct minion configuration similar to bootstrapping
       (bsc#1192510)
     * Add state for changing proxy
     * Update proxy path on minion connection
     * Fix problem installing/removing packages using action chains in
       transactional systems

   uyuni-common-libs:

   - Version 4.2.6-1
     * Read modularity data from DISTTAG tag as fallback (bsc#1192487)
     * require python macros for building

   uyuni-config-formula:

   - Version 0.2
     * support to manage activation keys

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service: `spacewalk-service stop`
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service: `spacewalk-service start`


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-593=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64):

      inter-server-sync-0.0.7-150300.8.9.1
      inter-server-sync-debuginfo-0.0.7-150300.8.9.1
      python3-uyuni-common-libs-4.2.6-150300.3.6.1
      spacewalk-branding-4.2.12-150300.3.6.1
      susemanager-4.2.27-150300.3.19.1
      susemanager-tools-4.2.27-150300.3.19.1

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):

      c3p0-0.9.5.2-150300.4.3.1
      dhcpd-formula-0.1.1641480250.d5bd14c-150300.3.3.1
      hibernate5-5.3.7-150300.5.3.1
      mgr-libmod-4.2.7-150300.3.6.1
      mgr-osa-dispatcher-4.2.7-150300.2.6.1
      mgr-push-4.2.4-150300.2.6.1
      py27-compat-salt-3000.3-150300.7.7.17.1
      python3-mgr-osa-common-4.2.7-150300.2.6.1
      python3-mgr-osa-dispatcher-4.2.7-150300.2.6.1
      python3-mgr-push-4.2.4-150300.2.6.1
      python3-rhnlib-4.2.5-150300.4.6.1
      python3-spacewalk-client-tools-4.2.16-150300.4.15.1
      python3-suseRegisterInfo-4.2.5-150300.4.6.1
      salt-netapi-client-0.19.0-150300.3.3.1
      saltboot-formula-0.1.1637232240.87d79ed-150300.3.6.1
      spacecmd-4.2.15-150300.4.15.1
      spacewalk-backend-4.2.19-150300.4.15.1
      spacewalk-backend-app-4.2.19-150300.4.15.1
      spacewalk-backend-applet-4.2.19-150300.4.15.1
      spacewalk-backend-config-files-4.2.19-150300.4.15.1
      spacewalk-backend-config-files-common-4.2.19-150300.4.15.1
      spacewalk-backend-config-files-tool-4.2.19-150300.4.15.1
      spacewalk-backend-iss-4.2.19-150300.4.15.1
      spacewalk-backend-iss-export-4.2.19-150300.4.15.1
      spacewalk-backend-package-push-server-4.2.19-150300.4.15.1
      spacewalk-backend-server-4.2.19-150300.4.15.1
      spacewalk-backend-sql-4.2.19-150300.4.15.1
      spacewalk-backend-sql-postgresql-4.2.19-150300.4.15.1
      spacewalk-backend-tools-4.2.19-150300.4.15.1
      spacewalk-backend-xml-export-libs-4.2.19-150300.4.15.1
      spacewalk-backend-xmlrpc-4.2.19-150300.4.15.1
      spacewalk-base-4.2.25-150300.3.15.2
      spacewalk-base-minimal-4.2.25-150300.3.15.2
      spacewalk-base-minimal-config-4.2.25-150300.3.15.2
      spacewalk-client-tools-4.2.16-150300.4.15.1
      spacewalk-config-4.2.5-150300.3.3.1
      spacewalk-html-4.2.25-150300.3.15.2
      spacewalk-java-4.2.32-150300.3.20.1
      spacewalk-java-config-4.2.32-150300.3.20.1
      spacewalk-java-lib-4.2.32-150300.3.20.1
      spacewalk-java-postgresql-4.2.32-150300.3.20.1
      spacewalk-reports-4.2.7-150300.3.9.1
      spacewalk-search-4.2.6-150300.3.6.1
      spacewalk-setup-4.2.10-150300.3.12.1
      spacewalk-taskomatic-4.2.32-150300.3.20.1
      spacewalk-utils-4.2.15-150300.3.12.1
      spacewalk-utils-extras-4.2.15-150300.3.12.1
      suseRegisterInfo-4.2.5-150300.4.6.1
      susemanager-doc-indexes-4.2-150300.12.19.1
      susemanager-docs_en-4.2-150300.12.19.1
      susemanager-docs_en-pdf-4.2-150300.12.19.1
      susemanager-schema-4.2.20-150300.3.15.1
      susemanager-sls-4.2.20-150300.3.17.1
      susemanager-web-libs-4.2.25-150300.3.15.2
      uyuni-config-formula-0.2-150300.3.3.1
      uyuni-config-modules-4.2.20-150300.3.17.1
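   A way to confirm, after the patch has been applied, that the installed
   packages have reached the fixed versions in the list above. This is an
   added example, not part of the SUSE advisory or of SUSE's own tooling:
   the installed-package lines are constructed to look like
   `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output, the fixed
   versions are a subset copied from the Package List, and the comparison is
   a simplified rpmvercmp (no tilde or caret handling, no epoch).

```python
"""Report packages still below the fixed versions of SUSE-SU-2022:0593-1.

Added example (not SUSE tooling). Feed real data on stdin:
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' | python3 check_patch.py
Without stdin input it runs against the constructed sample below.
"""
import re
import sys

# Subset of the advisory's Package List (fixed name-version-release strings).
FIXED_PACKAGES = """
hibernate5-5.3.7-150300.5.3.1
spacewalk-java-4.2.32-150300.3.20.1
susemanager-schema-4.2.20-150300.3.15.1
c3p0-0.9.5.2-150300.4.3.1
"""

# Constructed sample of what `rpm -qa` might print on a partially patched host.
SAMPLE_INSTALLED = """
hibernate5-5.3.7-150300.5.1.1
spacewalk-java-4.2.32-150300.3.20.1
susemanager-schema-4.2.18-150300.3.12.1
spacewalk-reports-4.2.7-150300.3.9.1
"""


def split_nvr(line):
    """Split 'name-version-release' at the last two hyphens (names may contain '-')."""
    name, version, release = line.strip().rsplit("-", 2)
    return name, version, release


def _segments(s):
    """Tokenise a version string into numeric and alphabetic runs, as rpmvercmp does."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]


def rpm_vercmp(a, b):
    """Return -1, 0 or 1 comparing a to b with (simplified) rpmvercmp rules:
    segments are compared pairwise, numeric beats alphabetic, and when one
    string runs out of segments the longer one is newer."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):      # numeric segment is newer than alpha
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1   # both alphabetic: plain string order
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def check(installed_text, fixed_text):
    """Map each fixed package name to 'ok', 'outdated' or 'not installed'."""
    fixed = {}
    for line in fixed_text.splitlines():
        if line.strip():
            n, v, r = split_nvr(line)
            fixed[n] = (v, r)
    result = {n: "not installed" for n in fixed}
    for line in installed_text.splitlines():
        if not line.strip():
            continue
        n, v, r = split_nvr(line)
        if n not in fixed:
            continue                # package not covered by this advisory
        fv, fr = fixed[n]
        # version decides first; only on equal versions does release matter
        cmp = rpm_vercmp(v, fv) or rpm_vercmp(r, fr)
        result[n] = "ok" if cmp >= 0 else "outdated"
    return result


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSTALLED
    for name, state in sorted(check(data, FIXED_PACKAGES).items()):
        print(f"{state:14} {name}")
```

   Packages not named in the advisory are skipped, so a clean run prints only
   "ok" lines; any "outdated" entry means the corresponding fix (for
   hibernate5, the CVE-2020-25638 fix) is not yet in place on that host.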


References:

   https://www.suse.com/security/cve/CVE-2020-25638.html
   https://bugzilla.suse.com/1097531
   https://bugzilla.suse.com/1173103
   https://bugzilla.suse.com/1189561
   https://bugzilla.suse.com/1190781
   https://bugzilla.suse.com/1191192
   https://bugzilla.suse.com/1191285
   https://bugzilla.suse.com/1191857
   https://bugzilla.suse.com/1192321
   https://bugzilla.suse.com/1192368
   https://bugzilla.suse.com/1192440
   https://bugzilla.suse.com/1192487
   https://bugzilla.suse.com/1192510
   https://bugzilla.suse.com/1192514
   https://bugzilla.suse.com/1192550
   https://bugzilla.suse.com/1192566
   https://bugzilla.suse.com/1192699
   https://bugzilla.suse.com/1192776
   https://bugzilla.suse.com/1193008
   https://bugzilla.suse.com/1193292
   https://bugzilla.suse.com/1193565
   https://bugzilla.suse.com/1193585
   https://bugzilla.suse.com/1193612
   https://bugzilla.suse.com/1193694
   https://bugzilla.suse.com/1193832
   https://bugzilla.suse.com/1194044
   https://bugzilla.suse.com/1194397
   https://bugzilla.suse.com/1194862
   https://bugzilla.suse.com/1194905
   https://bugzilla.suse.com/1194990
   https://bugzilla.suse.com/1195171