   SUSE Security Update: Security update for SUSE Manager Server 4.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:0798-1
Rating:             moderate
References:         #1097531 #1133198 #1190781 #1191360 #1192510 #1192566
                    #1192822 #1193565 #1194044 #1194363 #1194464 #1195043
                    #1195282
Cross-References:   CVE-2018-20433 CVE-2019-5427
CVSS scores:
                    CVE-2018-20433 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2018-20433 (SUSE): 4.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
                    CVE-2019-5427 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-5427 (SUSE): 5.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.1
                    SUSE Manager Server 4.1
______________________________________________________________________________

   An update that solves two vulnerabilities and has 11 fixes is now available.

Description:

   This update fixes the following issues:

   c3p0:

   - Update to version c3p0 0.9.5.5 and mchange-commons-java 0.2.19
     * Address CVE-2018-20433
     * Address CVE-2019-5427 - XML-config parsing related attacks (bsc#1133198)
     * Properly implement the JDBC 4.1 abort method
   - Build with log4j mapper
   - Enhanced for RHEL8

   dhcpd-formula:

   - Update to version 0.1.1641480250.d5bd14c
     * make routers option optional
   - Add arm64 support
   - Update to version 0.1.1615805990.f15c8d9

   hub-xmlrpc-api:

   - Updated to build on Enterprise Linux 8.

   py26-compat-msgpack-python:

   - Adapted to build on OBS for Enterprise Linux.

   py27-compat-salt:

   - Fix inspector module export function (bsc#1097531)
   - Fix possible traceback on ip6_interface grain (bsc#1193565)
   - Don't check for cached pillar errors on state.apply (bsc#1190781)
   - Simplify "transactional_update" module to not use SSH wrapper and allow
     more flexible execution
   - Add "--no-return-event" option to salt-call to prevent sending return
     event back to master.
   - Make "state.highstate" act on the concurrent flag.
   - Fix the regression with invalid syntax in test_parse_cpe_name_v23.

   spacecmd:

   - Version 4.1.17-1
     * Fix interactive mode for "system_applyerrata" and "errata_apply"
       (bsc#1194363)

   spacewalk-java:

   - Version 4.1.44-1
     * allow SCC to display the last check-in time for registered systems
     * Suggest Product Migration when patch for CVE is in a successor Product
       (bsc#1191360)
     * Add store info to Equals and hash methods to fix CVE audit process
       (bsc#1195282)
     * fix ClassCastException during action processing (bsc#1195043)
     * Fix disappearing metadata key files after channel change (bsc#1192822)
     * Pass only selected servers to taskomatic for cancelation (bsc#1194044)

   spacewalk-web:

   - Version 4.1.32-1
     * Suggest Product Migration when patch for CVE is in a successor Product
       (bsc#1191360)

   susemanager:

   - Version 4.1.33-1
     * set default for registration batch size

   susemanager-doc-indexes:

   - Added a warning about the origin of the salt-minion package in the
     Register on the Command Line (Salt) section of the Client Configuration
     Guide
   - In the Client Configuration Guide, explain how you find channel names to
     register older SUSE Linux Enterprise clients.
   - Added grub.cfg for GRUB 2 in the Upgrade chapter of the Client
     Configuration Guide

   susemanager-docs_en:

   - Added a warning about the origin of the salt-minion package in the
     Register on the Command Line (Salt) section of the Client Configuration
     Guide
   - In the Client Configuration Guide, explain how you find channel names to
     register older SUSE Linux Enterprise clients.
   - Added grub.cfg for GRUB 2 in the Upgrade chapter of the Client
     Configuration Guide

   susemanager-schema:

   - Version 4.1.25-1
     * Continue with index migration when the expected indexes do not exist
       (bsc#1192566)

   susemanager-sls:

   - Version 4.1.34-1
     * Improve `pkgset` beacon with using `salt.cache` to notify about the
       changes made while the minion was stopped.
     * Align the code of pkgset beacon to prevent warnings (bsc#1194464)
   - Version 4.1.33-1
     * Fix errors on calling sed -E ... by force_restart_minion with action
       chains
     * Postgres exporter package was renamed
     * fix deprecation warnings
     * enforce correct minion configuration similar to bootstrapping
       (bsc#1192510)

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service:
      `spacewalk-service stop`
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service:
      `spacewalk-service start`


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2022-798=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x x86_64):

      hub-xmlrpc-api-0.7-3.9.2
      py26-compat-msgpack-python-0.4.6-3.6.2
      py26-compat-msgpack-python-debuginfo-0.4.6-3.6.2
      py26-compat-msgpack-python-debugsource-0.4.6-3.6.2
      susemanager-4.1.33-3.45.2
      susemanager-tools-4.1.33-3.45.2

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):

      c3p0-0.9.5.5-3.3.2
      dhcpd-formula-0.1.1641480250.d5bd14c-3.3.2
      py27-compat-salt-3000.3-6.21.2
      spacecmd-4.1.17-4.36.2
      spacewalk-base-4.1.32-3.42.2
      spacewalk-base-minimal-4.1.32-3.42.2
      spacewalk-base-minimal-config-4.1.32-3.42.2
      spacewalk-html-4.1.32-3.42.2
      spacewalk-java-4.1.44-3.66.2
      spacewalk-java-config-4.1.44-3.66.2
      spacewalk-java-lib-4.1.44-3.66.2
      spacewalk-java-postgresql-4.1.44-3.66.2
      spacewalk-taskomatic-4.1.44-3.66.2
      susemanager-doc-indexes-4.1-11.52.2
      susemanager-docs_en-4.1-11.52.2
      susemanager-docs_en-pdf-4.1-11.52.2
      susemanager-schema-4.1.25-3.42.2
      susemanager-sls-4.1.34-3.59.2
      susemanager-web-libs-4.1.32-3.42.2
      uyuni-config-modules-4.1.34-3.59.2


References:

   https://www.suse.com/security/cve/CVE-2018-20433.html
   https://www.suse.com/security/cve/CVE-2019-5427.html
   https://bugzilla.suse.com/1097531
   https://bugzilla.suse.com/1133198
   https://bugzilla.suse.com/1190781
   https://bugzilla.suse.com/1191360
   https://bugzilla.suse.com/1192510
   https://bugzilla.suse.com/1192566
   https://bugzilla.suse.com/1192822
   https://bugzilla.suse.com/1193565
   https://bugzilla.suse.com/1194044
   https://bugzilla.suse.com/1194363
   https://bugzilla.suse.com/1194464
   https://bugzilla.suse.com/1195043
   https://bugzilla.suse.com/1195282
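   The "How to apply this update" steps above, as a script that also verifies the
   result. This is an added example, not part of the SUSE advisory: it stops
   Spacewalk, installs the patch ID from the Patch Instructions section, starts
   Spacewalk again, and then checks that the installed version-release of the
   packages carrying the fixes (c3p0 for the two CVEs, plus a subset of the
   other changed server packages) is at least the one in the advisory's package
   list. The names APPLY_UPDATE, expected_vr, vercmp, is_patched and
   check_report are chosen for this example; the system-changing commands run
   only when APPLY_UPDATE=1 is set, so the check functions can be exercised on
   any host. The version comparison is deliberately simpler than rpm's
   rpmvercmp and covers only the kind of version strings this advisory lists;
   the zypper exit codes 102 and 103 treated as success are the documented
   "reboot needed" and "restart needed" informational codes.

```shell
#!/bin/bash
# Added example, not part of the SUSE advisory: apply SUSE-SU-2022:0798-1 in the
# order the advisory prescribes (stop Spacewalk, zypper patch, start Spacewalk)
# and verify afterwards that the fixed packages are at the patched versions.
# Package names and version-release strings are copied from the advisory's
# noarch package list. Nothing below changes the system unless APPLY_UPDATE=1.

PATCH_ID='SUSE-SLE-Module-SUSE-Manager-Server-4.1-2022-798'

# Fixed version-release per package (subset of the advisory's package list,
# assumption: extend the case statement if more packages should be checked).
expected_vr() {
  case "$1" in
    c3p0)               echo '0.9.5.5-3.3.2' ;;
    py27-compat-salt)   echo '3000.3-6.21.2' ;;
    spacewalk-java)     echo '4.1.44-3.66.2' ;;
    susemanager-schema) echo '4.1.25-3.42.2' ;;
    susemanager-sls)    echo '4.1.34-3.59.2' ;;
    *) return 1 ;;   # package is not part of this advisory
  esac
}

# Compare two version-release strings component by component ('.' and '-' are
# separators) and print -1, 0 or 1. Numeric components compare as integers,
# anything else as strings. Simpler than rpmvercmp, but enough for these versions.
vercmp() {
  local -a a b
  local i A B
  IFS='.-' read -r -a a <<<"$1"
  IFS='.-' read -r -a b <<<"$2"
  for ((i = 0; i < ${#a[@]} || i < ${#b[@]}; i++)); do
    A=${a[i]:-0}; B=${b[i]:-0}           # missing trailing components count as 0
    if [[ $A =~ ^[0-9]+$ && $B =~ ^[0-9]+$ ]]; then
      if ((10#$A > 10#$B)); then printf '%s\n' 1; return; fi
      if ((10#$A < 10#$B)); then printf '%s\n' -1; return; fi
    else
      if [[ $A > $B ]]; then printf '%s\n' 1; return; fi
      if [[ $A < $B ]]; then printf '%s\n' -1; return; fi
    fi
  done
  printf '%s\n' 0
}

# is_patched NAME INSTALLED_VR: 0 if INSTALLED_VR is at least the fixed
# version-release, 1 if it is older, 2 if NAME is not covered by this advisory.
is_patched() {
  local want
  want=$(expected_vr "$1") || return 2
  [ "$(vercmp "$2" "$want")" -ge 0 ]
}

# Read "name version-release" lines (the format produced by
# rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' ...) from stdin, print one status
# line per package and return 1 if any covered package is still unpatched.
check_report() {
  local rc=0 status name vr
  while read -r name vr; do
    [ -n "$name" ] || continue
    status=0; is_patched "$name" "$vr" || status=$?
    case $status in
      0) printf 'OK        %-20s %s\n' "$name" "$vr" ;;
      2) printf 'SKIP      %-20s %s (not part of %s)\n' "$name" "$vr" "$PATCH_ID" ;;
      *) printf 'UNPATCHED %-20s %s (need >= %s)\n' "$name" "$vr" "$(expected_vr "$name")"
         rc=1 ;;
    esac
  done
  return "$rc"
}

# Steps 1-4 of the advisory, gated so the functions above can be sourced safely.
if [ "${APPLY_UPDATE:-0}" = 1 ]; then
  spacewalk-service stop                                   # step 2
  rc=0; zypper --non-interactive in -t patch "${PATCH_ID}=1" || rc=$?   # step 3
  case $rc in
    0|102|103) ;;   # 102/103: installed, but zypper advises a reboot/restart
    *) echo "zypper exited with $rc; starting Spacewalk without the update" >&2
       spacewalk-service start; exit "$rc" ;;
  esac
  spacewalk-service start                                  # step 4
  rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' \
      c3p0 py27-compat-salt spacewalk-java susemanager-schema susemanager-sls \
    | check_report
fi
```

   Run it as root with `APPLY_UPDATE=1 ./apply-0798.sh`; without the variable
   it only defines the functions, so `source apply-0798.sh` followed by
   `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' c3p0 | check_report` is a
   quick way to confirm on an already-updated server that the c3p0 build fixing
   CVE-2018-20433 and CVE-2019-5427 is the one installed.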