SUSE Security Update: Security update for SUSE Manager Server 4.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:1397-1
Rating:             moderate
References:         #1133198 #1173527 #1186336 #1191360 #1191597 
                    #1192150 #1192822 #1193448 #1194363 #1194447 
                    #1194464 #1194909 #1195043 #1195145 #1195271 
                    #1195282 #1195294 #1195666 #1195712 #1195750 
                    #1195757 #1195762 #1195765 #1195772 #1195920 
                    #1196067 #1196094 #1196407 #1196455 #1196693 
                    #1196704 #1196977 #1197007 
Cross-References:   CVE-2018-20433 CVE-2019-5427
CVSS scores:
                    CVE-2018-20433 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2018-20433 (SUSE): 4.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
                    CVE-2019-5427 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-5427 (SUSE): 5.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.2
                    SUSE Manager Server 4.2
______________________________________________________________________________

   An update that solves two vulnerabilities and has 31 fixes
   is now available.

Description:

   This update fixes the following issues:

   c3p0:

   - Update to version c3p0 0.9.5.5 and mchange-commons-java 0.2.19
     * Address CVE-2018-20433
     * Address CVE-2019-5427 - XML-config parsing related attacks
       (bsc#1133198)
     * Properly implement the JDBC 4.1 abort method

   grafana-formula:

   - Version 0.7.0
     * Add SLES 15 SP4 and openSUSE Leap 15.4 to supported versions

   hub-xmlrpc-api:

   - Updated to build on Enterprise Linux 8.

   inter-server-sync:

   - Version 0.1.0
     * Allow export and import of configuration channels
     * Clean lookup cache after processing a channel (bsc#1195750)
     * Improve the lookup method used for generating the foreign key export
   - Adapted for build on Enterprise Linux 8.

   mgr-osad:

   - Version 4.2.8-1
     * Fix the condition for preventing building python 2 subpackage for SLE15

   mgr-push:

   - Version 4.2.5-1
     * Fix the condition for preventing building python 2 subpackage for SLE15

   patterns-suse-manager:

   - golang-github-wrouesnel-postgres_exporter was renamed to
     prometheus-postgres_exporter

   prometheus-exporters-formula:

   - Version 1.2.0
     * Postgres exporter package was renamed for RedHat
   - Version 1.1.0
     * Postgres exporter package was renamed for SLES/openSUSE

   py26-compat-msgpack-python:

   - Adapted to build on OBS for Enterprise Linux.

   rhnlib:

   - Version 4.2.6-1
     * Fix the condition for preventing building python 2 subpackage for SLE15

   saltboot-formula:

   - Update to version 0.1.1645440615.7f1328c
     * skip device lookup for correctly provided devices
     * improve image url modifications - preparation for ftp/http changes
   - Skip device lookup if correct path to device is already provided
     (bsc#1195757)
   - Improve image url modifications

   smdba:

   - Version 1.7.10
     * adapt pgtune using new defaults for new postgres versions
     * support special configuration for SSD storage
     * make argument "--backup-dir" symlink aware
   - Version 1.7.9
   - Allow different standard configuration file location for other OSes

   spacecmd:

   - Version 4.2.16-1
     * implement system.bootstrap (bsc#1194909)
     * Fix interactive mode for "system_applyerrata" and "errata_apply"
       (bsc#1194363)

   spacewalk-admin:

   - Version 4.2.10-1
     * wait after copying the CA to give systemd time to finish automation

   spacewalk-backend:

   - Version 4.2.20-1
     * Fix reposync update notice formatting and date parsing (bsc#1194447)
     * implement more decompression algorithms for reposync (bsc#1196704)
     * enable check for client certificates in reposync
     * remove auto inherit of host entitlements for virtual guests

   spacewalk-branding:

   - Version 4.2.13-1
     * Fix modal footer misalignment

   spacewalk-certs-tools:

   - Version 4.2.15-1
     * Add dynamic version for bootstrap script header (bsc#1186336)

   spacewalk-client-tools:

   - Version 4.2.18-1
     * Fix the condition for preventing building python 2 subpackage for SLE15
   - Version 4.2.17-1
     * Update translation strings

   spacewalk-config:

   - Version 4.2.6-1
     * Upgrade build tooling, and corresponding cache configuration

   spacewalk-java:

   - Version 4.2.34-1
     * Added new XML-RPC method: configchannel.syncSaltFilesOnDisk
     * update last checkin only if job is successful (bsc#1197007)
     * Fix NPE when accessing cancelled action via system history
       (bsc#1195762)
     * CVE Audit: Show patch as available in the currently installed product
       even if successor patch affects additional packages (bsc#1196455)
     * send notifications for new or changed ubuntu errata (bsc#1196977)
     * change directory owner and permissions only when needed
     * Fixed broken help link for system overview
     * Provide link to Sync page when the unsynced patches message shows up
       (bsc#1196094)
     * fix class cast exception during action chains (bsc#1195772)
     * Finding empty profiles by mac address must be case insensitive
       (bsc#1196407)
     * prepare to use new postgresql-jdbc driver with stringprep and saslprep
       support (bsc#1196693)
     * allow SCC to display the last check-in time for registered systems
     * generate the system ssh key when bootstrapping a salt-ssh client
       (bsc#1194909)
     * Provide link for CVEs
     * Fix lock/unlock scheduling on page Software Packages Lock (bsc#1195271)
     * When adding a product, check if the new vendor channels conflict with
       any of the existing custom channels (bsc#1193448)
     * Fix disappearing metadata key files after channel change (bsc#1192822)
     * Suggest Product Migration when patch for CVE is in a successor Product
       (bsc#1191360)
     * Add store info to Equals and hash methods to fix CVE audit process
       (bsc#1195282)
     * Fix virtualization list rendering for foreign systems (bsc#1195712)
     * FIX errors when an image profile / store is deleted during build /
       inspect action (bsc#1191597, bsc#1192150)
     * Remove verbose token log (bsc#1195666)
     * fix ClassCastException during action processing (bsc#1195043)

   spacewalk-web:

   - Version 4.2.26-1
     * Provide link to Sync page when the unsynced patches message shows up
       (bsc#1196094)
     * Provide a search box on section name for Formulas content
     * Add expand/collapse all button for formula sections
     * Improved large data support in channel selection
     * Provide link for CVEs
     * Improved error handling in the product setup page
     * Suggest Product Migration when patch for CVE is in a successor Product
       (bsc#1191360)
     * susemanager-web-libs is now packaged as a part of spacewalk-html

   subscription-matcher:

   - Version 0.29
     * Migration to log4j 2
   - Version 0.28
     * Support both antlr3-java and antlr3-runtime as dependencies
     * Make it obvious that log4j12 is used

   supportutils-plugin-susemanager:

   - Version 4.2.4-1
     * Get version of bootstrap scripts for supportconfig (bsc#1186336)

   suseRegisterInfo:

   - Version 4.2.6-1
     * Fix the condition for preventing building python 2 subpackage for SLE15

   susemanager:

   - Version 4.2.28-1
     * set default for registration batch size

   susemanager-doc-indexes:

   - Renamed golang-github-wrouesnel-postgres_exporter to
     prometheus-postgres_exporter in the Administration Guide
   - Clarified in Client Configuration Guide and Retail Guide that mandatory
     channels are automatically checked, as are recommended channels as long
     as they are not deactivated (bsc#1173527)
   - In Custom Channels chapter of the Administration Guide, provide
     information about creating metadata (bsc#1195294)
   - In the Client Configuration Guide, mark Yomi as unsupported on SUSE
     Linux Enterprise Server 11 and 12
   - Documented GPG encrypted Salt Pillars in the Salt book
   - In Client Configuration Guide, fixed channel configuration and
     registration of Expanded Support clients
   - Clarified channel label name in Registering Clients with RHUI section of
     the Client Configuration Guide (bsc#1196067)
   - In Troubleshooting Synchronization chapter in the Administration Guide
     added instructions for GPG removal
   - In Client Configuration Guide, integrated SUSE Linux Enterprise Micro
     Client documentation next to SUSE Linux Enterprise Client documentation
     and other related documentation improvements (bsc#1195145)
   - Added a warning about the origin of the salt-minion package in the
     Register on the Command Line (Salt) section of the Client Configuration
     Guide
   - Add troubleshooting section about avoiding package conflicts with custom
     channels

   susemanager-docs_en:

   - Renamed golang-github-wrouesnel-postgres_exporter to
     prometheus-postgres_exporter in the Administration Guide
   - Clarified in Client Configuration Guide and Retail Guide that mandatory
     channels are automatically checked, as are recommended channels as long
     as they are not deactivated (bsc#1173527)
   - In Custom Channels chapter of the Administration Guide, provide
     information about creating metadata (bsc#1195294)
   - In the Client Configuration Guide, mark Yomi as unsupported on SUSE
     Linux Enterprise Server 11 and 12
   - Documented GPG encrypted Salt Pillars in the Salt book
   - In Client Configuration Guide, fixed channel configuration and
     registration of Expanded Support clients
   - Clarified channel label name in Registering Clients with RHUI section of
     the Client Configuration Guide (bsc#1196067)
   - In Troubleshooting Synchronization chapter in the Administration Guide
     added instructions for GPG removal
   - In Client Configuration Guide, integrated SUSE Linux Enterprise Micro
     Client documentation next to SUSE Linux Enterprise Client documentation
     and other related documentation improvements (bsc#1195145)
   - Added a warning about the origin of the salt-minion package in the
     Register on the Command Line (Salt) section of the Client Configuration
     Guide
   - Add troubleshooting section about avoiding package conflicts with custom
     channels

   susemanager-schema:

   - Version 4.2.21-1
     * fix check on allowVendorChange
     * fix advisory status migration (bsc#1195765)
     * FIX error when an image profile / store is deleted during build /
       inspect action (bsc#1191597, bsc#1192150)

   susemanager-sls:

   - Version 4.2.21-1
     * Improve `pkgset` beacon by using `salt.cache` to notify about the
       changes made while the minion was stopped
     * Align the code of pkgset beacon to prevent warnings (bsc#1194464)
     * Fix how the return code is returned in mgrutil runner (bsc#1194909)
     * Fix errors on calling sed -E ... by force_restart_minion with action
       chains
     * Avoid using lscpu -J option in grains (bsc#1195920)
     * Postgres exporter package was renamed
     * fix deprecation warnings

   virtualization-formulas:

   - Update to version 0.6.2
     * Ensure qemu-ksm is installed on host

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service: `spacewalk-service stop`
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service: `spacewalk-service start`


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-1397=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64):

      hub-xmlrpc-api-0.7-150300.3.6.1
      inter-server-sync-0.1.0-150300.8.12.1
      inter-server-sync-debuginfo-0.1.0-150300.8.12.1
      patterns-suma_retail-4.2-150300.4.9.1
      patterns-suma_server-4.2-150300.4.9.1
      py26-compat-msgpack-python-0.4.6-150300.4.3.1
      py26-compat-msgpack-python-debuginfo-0.4.6-150300.4.3.1
      py26-compat-msgpack-python-debugsource-0.4.6-150300.4.3.1
      smdba-1.7.10-0.150300.3.3.1
      spacewalk-branding-4.2.13-150300.3.9.1
      susemanager-4.2.28-150300.3.22.1
      susemanager-tools-4.2.28-150300.3.22.1

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):

      c3p0-0.9.5.5-150300.4.6.1
      grafana-formula-0.7.0-150300.3.6.1
      mgr-osa-dispatcher-4.2.8-150300.2.9.1
      mgr-push-4.2.5-150300.2.9.1
      prometheus-exporters-formula-1.2.0-150300.3.9.1
      python3-mgr-osa-common-4.2.8-150300.2.9.1
      python3-mgr-osa-dispatcher-4.2.8-150300.2.9.1
      python3-mgr-push-4.2.5-150300.2.9.1
      python3-rhnlib-4.2.6-150300.4.9.1
      python3-spacewalk-certs-tools-4.2.15-150300.3.15.1
      python3-spacewalk-client-tools-4.2.18-150300.4.18.1
      python3-suseRegisterInfo-4.2.6-150300.4.9.1
      saltboot-formula-0.1.1645440615.7f1328c-150300.3.9.1
      spacecmd-4.2.16-150300.4.18.1
      spacewalk-admin-4.2.10-150300.3.9.1
      spacewalk-backend-4.2.20-150300.4.18.1
      spacewalk-backend-app-4.2.20-150300.4.18.1
      spacewalk-backend-applet-4.2.20-150300.4.18.1
      spacewalk-backend-config-files-4.2.20-150300.4.18.1
      spacewalk-backend-config-files-common-4.2.20-150300.4.18.1
      spacewalk-backend-config-files-tool-4.2.20-150300.4.18.1
      spacewalk-backend-iss-4.2.20-150300.4.18.1
      spacewalk-backend-iss-export-4.2.20-150300.4.18.1
      spacewalk-backend-package-push-server-4.2.20-150300.4.18.1
      spacewalk-backend-server-4.2.20-150300.4.18.1
      spacewalk-backend-sql-4.2.20-150300.4.18.1
      spacewalk-backend-sql-postgresql-4.2.20-150300.4.18.1
      spacewalk-backend-tools-4.2.20-150300.4.18.1
      spacewalk-backend-xml-export-libs-4.2.20-150300.4.18.1
      spacewalk-backend-xmlrpc-4.2.20-150300.4.18.1
      spacewalk-base-4.2.26-150300.3.18.2
      spacewalk-base-minimal-4.2.26-150300.3.18.2
      spacewalk-base-minimal-config-4.2.26-150300.3.18.2
      spacewalk-certs-tools-4.2.15-150300.3.15.1
      spacewalk-client-tools-4.2.18-150300.4.18.1
      spacewalk-config-4.2.6-150300.3.6.1
      spacewalk-html-4.2.26-150300.3.18.2
      spacewalk-java-4.2.34-150300.3.26.2
      spacewalk-java-config-4.2.34-150300.3.26.2
      spacewalk-java-lib-4.2.34-150300.3.26.2
      spacewalk-java-postgresql-4.2.34-150300.3.26.2
      spacewalk-taskomatic-4.2.34-150300.3.26.2
      subscription-matcher-0.29-150300.6.6.1
      supportutils-plugin-susemanager-4.2.4-150300.3.6.1
      suseRegisterInfo-4.2.6-150300.4.9.1
      susemanager-doc-indexes-4.2-150300.12.22.1
      susemanager-docs_en-4.2-150300.12.22.1
      susemanager-docs_en-pdf-4.2-150300.12.22.1
      susemanager-schema-4.2.21-150300.3.18.1
      susemanager-sls-4.2.21-150300.3.20.1
      uyuni-config-modules-4.2.21-150300.3.20.1
      virtualization-formulas-0.6.2-150300.8.6.1
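   Added example, not part of this advisory: a Python check that compares an
   `rpm -qa`-style inventory against the fixed builds from the Package List
   above, so that after the steps in "How to apply this update" an operator
   can confirm nothing is left below the fixed version. It implements rpm's
   version ordering (numeric segments beat alphabetic ones, `~` marks a
   pre-release) rather than plain string comparison. The INSTALLED inventory
   text and the `rpmvercmp`, `vr_cmp` and `unpatched` helpers are constructed
   here; only the fixed package builds are taken from the advisory.

```python
import re
# Fixed builds copied from this advisory's Package List (noarch section).
FIXED = {"c3p0": "0.9.5.5-150300.4.6.1",
         "spacewalk-java": "4.2.34-150300.3.26.2",
         "susemanager-schema": "4.2.21-150300.3.18.1"}
# Constructed sample inventory, shaped like the output of
# `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`; not from a real system.
INSTALLED = """\
c3p0 0.9.5.4-150300.4.3.1
spacewalk-java 4.2.34-150300.3.26.2
susemanager-schema 4.2.20-150300.3.15.1
unrelated-pkg 1.0-1.1
"""
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")  # rpm treats other characters as separators

def rpmvercmp(a, b):
    """Order two version (or release) strings as rpm does; returns -1, 0 or 1.
    Numeric segments beat alphabetic ones; '~' (pre-release) sorts before everything."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        x = sa.pop(0) if sa else None
        y = sb.pop(0) if sb else None
        if x == "~" or y == "~":          # 1.0~rc1 < 1.0, even at end of string
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x is None or y is None:        # longer string wins once a prefix matches
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():  # numeric segment is newer than alphabetic
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return 0

def vr_cmp(a, b):
    """Compare 'version-release' strings: version first, release breaks ties."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unpatched(inventory, fixed=FIXED):
    """Map each advisory package still below its fixed build to what is installed."""
    found = {}
    for line in inventory.splitlines():
        name, vr = line.split()
        if name in fixed and vr_cmp(vr, fixed[name]) < 0:
            found[name] = vr
    return found
```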


References:

   https://www.suse.com/security/cve/CVE-2018-20433.html
   https://www.suse.com/security/cve/CVE-2019-5427.html
   https://bugzilla.suse.com/1133198
   https://bugzilla.suse.com/1173527
   https://bugzilla.suse.com/1186336
   https://bugzilla.suse.com/1191360
   https://bugzilla.suse.com/1191597
   https://bugzilla.suse.com/1192150
   https://bugzilla.suse.com/1192822
   https://bugzilla.suse.com/1193448
   https://bugzilla.suse.com/1194363
   https://bugzilla.suse.com/1194447
   https://bugzilla.suse.com/1194464
   https://bugzilla.suse.com/1194909
   https://bugzilla.suse.com/1195043
   https://bugzilla.suse.com/1195145
   https://bugzilla.suse.com/1195271
   https://bugzilla.suse.com/1195282
   https://bugzilla.suse.com/1195294
   https://bugzilla.suse.com/1195666
   https://bugzilla.suse.com/1195712
   https://bugzilla.suse.com/1195750
   https://bugzilla.suse.com/1195757
   https://bugzilla.suse.com/1195762
   https://bugzilla.suse.com/1195765
   https://bugzilla.suse.com/1195772
   https://bugzilla.suse.com/1195920
   https://bugzilla.suse.com/1196067
   https://bugzilla.suse.com/1196094
   https://bugzilla.suse.com/1196407
   https://bugzilla.suse.com/1196455
   https://bugzilla.suse.com/1196693
   https://bugzilla.suse.com/1196704
   https://bugzilla.suse.com/1196977
   https://bugzilla.suse.com/1197007