SUSE Security Update: Security update for SUSE Manager Server 4.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:0798-1
Rating:             moderate
References:         #1097531 #1133198 #1190781 #1191360 #1192510 
                    #1192566 #1192822 #1193565 #1194044 #1194363 
                    #1194464 #1195043 #1195282 
Cross-References:   CVE-2018-20433 CVE-2019-5427
CVSS scores:
                    CVE-2018-20433 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2018-20433 (SUSE): 4.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
                    CVE-2019-5427 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-5427 (SUSE): 5.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.1
                    SUSE Manager Server 4.1
______________________________________________________________________________

   An update that solves two vulnerabilities and has 11 fixes
   is now available.

Description:

   This update fixes the following issues:

   c3p0:

   - Update to version c3p0 0.9.5.5 and mchange-commons-java 0.2.19
     * Address CVE-2018-20433
     * Address CVE-2019-5427 - XML-config parsing related attacks
       (bsc#1133198)
     * Properly implement the JDBC 4.1 abort method
   - Build with log4j mapper
   - Enhanced for RHEL8

   dhcpd-formula:

   - Update to version 0.1.1641480250.d5bd14c
     * make routers option optional
   - Add arm64 support
   - Update to version 0.1.1615805990.f15c8d9

   hub-xmlrpc-api:

   - Updated to build on Enterprise Linux 8.

   py26-compat-msgpack-python:

   - Adapted to build on OBS for Enterprise Linux.

   py27-compat-salt:

   - Fix inspector module export function (bsc#1097531)
   - Fix possible traceback on ip6_interface grain (bsc#1193565)
   - Don't check for cached pillar errors on state.apply (bsc#1190781)
   - Simplify "transactional_update" module to not use SSH wrapper and allow
     more flexible execution
   - Add "--no-return-event" option to salt-call to prevent sending return
     event back to master.
   - Make "state.highstate" act on the concurrent flag.
   - Fix the regression with invalid syntax in test_parse_cpe_name_v23.

   spacecmd:

   - Version 4.1.17-1
     * Fix interactive mode for "system_applyerrata" and "errata_apply"
       (bsc#1194363)

   spacewalk-java:

   - Version 4.1.44-1
     * allow SCC to display the last check-in time for registered systems
     * Suggest Product Migration when patch for CVE is in a successor Product
       (bsc#1191360)
     * Add store info to Equals and hash methods to fix CVE audit process
       (bsc#1195282)
     * fix ClassCastException during action processing (bsc#1195043)
     * Fix disappearing metadata key files after channel change (bsc#1192822)
     * Pass only selected servers to taskomatic for cancelation (bsc#1194044)

   spacewalk-web:

   - Version 4.1.32-1
     * Suggest Product Migration when patch for CVE is in a successor Product
       (bsc#1191360)

   susemanager:

   - Version 4.1.33-1
     * set default for registration batch size

   susemanager-doc-indexes:

   - Added a warning about the origin of the salt-minion package in the
     Register on the Command Line (Salt) section of the Client Configuration
     Guide
   - In the Client Configuration Guide, explain how you find channel names to
     register older SUSE Linux Enterprise clients.
   - Added grub.cfg for GRUB 2 in the Upgrade chapter of the Client
     Configuration Guide

   susemanager-docs_en:

   - Added a warning about the origin of the salt-minion package in the
     Register on the Command Line (Salt) section of the Client Configuration
     Guide
   - In the Client Configuration Guide, explain how you find channel names to
     register older SUSE Linux Enterprise clients.
   - Added grub.cfg for GRUB 2 in the Upgrade chapter of the Client
     Configuration Guide

   susemanager-schema:

   - Version 4.1.25-1
     * Continue with index migration when the expected indexes do not exist
       (bsc#1192566)

   susemanager-sls:

   - Version 4.1.34-1
     * Improve `pkgset` beacon with using `salt.cache` to notify about the
       changes made while the minion was stopped.
     * Align the code of pkgset beacon to prevent warnings (bsc#1194464)
   - Version 4.1.33-1
     * Fix errors on calling sed -E ... by force_restart_minion with action
       chains
     * Postgres exporter package was renamed
     * fix deprecation warnings
     * enforce correct minion configuration similar to bootstrapping
       (bsc#1192510)

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service: `spacewalk-service stop`
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service: `spacewalk-service start`


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2022-798=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x x86_64):

      hub-xmlrpc-api-0.7-3.9.2
      py26-compat-msgpack-python-0.4.6-3.6.2
      py26-compat-msgpack-python-debuginfo-0.4.6-3.6.2
      py26-compat-msgpack-python-debugsource-0.4.6-3.6.2
      susemanager-4.1.33-3.45.2
      susemanager-tools-4.1.33-3.45.2

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):

      c3p0-0.9.5.5-3.3.2
      dhcpd-formula-0.1.1641480250.d5bd14c-3.3.2
      py27-compat-salt-3000.3-6.21.2
      spacecmd-4.1.17-4.36.2
      spacewalk-base-4.1.32-3.42.2
      spacewalk-base-minimal-4.1.32-3.42.2
      spacewalk-base-minimal-config-4.1.32-3.42.2
      spacewalk-html-4.1.32-3.42.2
      spacewalk-java-4.1.44-3.66.2
      spacewalk-java-config-4.1.44-3.66.2
      spacewalk-java-lib-4.1.44-3.66.2
      spacewalk-java-postgresql-4.1.44-3.66.2
      spacewalk-taskomatic-4.1.44-3.66.2
      susemanager-doc-indexes-4.1-11.52.2
      susemanager-docs_en-4.1-11.52.2
      susemanager-docs_en-pdf-4.1-11.52.2
      susemanager-schema-4.1.25-3.42.2
      susemanager-sls-4.1.34-3.59.2
      susemanager-web-libs-4.1.32-3.42.2
      uyuni-config-modules-4.1.34-3.59.2


References:

   https://www.suse.com/security/cve/CVE-2018-20433.html
   https://www.suse.com/security/cve/CVE-2019-5427.html
   https://bugzilla.suse.com/1097531
   https://bugzilla.suse.com/1133198
   https://bugzilla.suse.com/1190781
   https://bugzilla.suse.com/1191360
   https://bugzilla.suse.com/1192510
   https://bugzilla.suse.com/1192566
   https://bugzilla.suse.com/1192822
   https://bugzilla.suse.com/1193565
   https://bugzilla.suse.com/1194044
   https://bugzilla.suse.com/1194363
   https://bugzilla.suse.com/1194464
   https://bugzilla.suse.com/1195043
   https://bugzilla.suse.com/1195282