SUSE: 2022:2568-1 important: SUSE Manager Server 4.2
Summary
This update fixes the following issues:

apache-commons-csv:
- Fix the URL for the package
- Declare the LICENSE file as license and not doc

apache-commons-math3:
- Fix the URL for the package
- Declare the LICENSE file as license and not doc

drools:
- Declare the LICENSE file as license and not doc

jakarta-commons-validator:
- Declare the LICENSE file as license and not doc

jose4j:
- Declare the LICENSE file as license and not doc

kie-api:
- Declare the LICENSE file as license and not doc

mvel2:
- Declare the LICENSE file as license and not doc

optaplanner:
- Declare the LICENSE file as license and not doc

py27-compat-salt:
- Remove redundant overrides causing confusing DEBUG logging (bsc#1189501)

python-susemanager-retail:
- Update to version 1.0.1653987003.92d4870
  * Fix messages and logging in retail_create_delta (bsc#1199727)

smdba:
- Declare the LICENSE file as license and not doc
- Make EL egginfo removal more generic

spacecmd:
- Version 4.2.18-1
  * on full system update call schedulePackageUpdate API (bsc#1197507)

spacewalk-admin:
- Version 4.2.11-1
  * clarify schema upgrade check message (bsc#1198999)

spacewalk-backend:
- Version 4.2.23-1
  * Fix traceback on calling spacewalk-repo-sync --show-packages (bsc#1193238)
  * Fix virt_notify SQL syntax error (bsc#1199528)
  * store create-bootstrap logs in spacewalk-debug

spacewalk-branding:
- Version 4.2.14-1
  * Stylesheets and relevant assets are now provided by spacewalk-web

spacewalk-certs-tools:
- Version 4.2.17-1
  * use RES bootstrap repo as a fallback for Red Hat downstream OS (bsc#1200087)

spacewalk-client-tools:
- Version 4.2.19-1
  * Update translation strings

spacewalk-java:
- Version 4.2.40-1
  * Fix conflict when system is assigned to multiple instances of the same formula (bsc#1194394)
- Version 4.2.39-1
  * Keep the websocket connections alive with ping/pong frames (bsc#1199874)
  * Fix missing remote command history events for big output (bsc#1199656)
  * Improve CLM channel cloning performance (bsc#1199523)
  * fix api log message references the wrong user (bsc#1179962)
  * Show patch as installed in CVE Audit even if successor patch affects additional packages (bsc#1199646)
  * fix download of packages with caret sign in the version due to missing url decode
  * Prefer the Salt Bundle with Cobbler snippets configuration (minion_script and redhat_register_using_salt) (bsc#1198646)
  * During re-activation, recalculate grains if contact method has been changed (bsc#1199677)
  * Hide authentication data in PAYG UI (bsc#1199679)
  * autoinstallation: missing whitespace after install URL (bsc#1199888)
  * Improved handling of error messages during bootstrapping
  * skip forwarding data to scc if no credentials are available
  * Change system details lock tab name to lock/unlock (bsc#1193032)
  * Added a notification to inform the administrators about the product end-of-life
  * Set profile tag as non-mandatory in XCCDF result (bsc#1194262)
  * provisioning through proxy should use proxy for self_update (bsc#1199036)
  * Allow removing duplicated packages names in the same Salt action (bsc#1198686)
  * fix NoSuchElementException when pkg install date is missing
  * Improve API documentation
  * Fix outdated documentation and release notes links
  * Fix error message in Kubernetes VHM creation dialog
  * Add createAppStreamFilters() XMLRPC function
  * Correct concurrency error on payg taskomatic task for updating certificates (#17783)
  * Fix ACL rules for config diff download for SLS files (bsc#1198914)
  * fix package selection for ubuntu errata install (bsc#1199049)
  * fix invalid link to action schedule
  * add schedulePackageUpdate() XMLRPC function (bsc#1197507)
  * update server needed cache after adding Ubuntu Errata (bsc#1196977)
  * check if file exists before sending it to xsendfile (bsc#1198191)
  * Display usertime instead of server time for clm issue date filter (bsc#1198429)
  * Redesign the auto errata task to schedule combined actions (bsc#1197429)
  * Fix send login(s) and send password actions to avoid user enumeration (bsc#1199629) (CVE-2022-31248)

spacewalk-search:
- Version 4.2.7-1
  * Update development configuration file

spacewalk-setup:
- Version 4.2.11-1
  * spacewalk-setup-cobbler assumes /etc/apache2/conf.d now as a default instead of /etc/httpd/conf.d (bsc#1198356)

spacewalk-utils:
- Version 4.2.17-1
  * spacewalk-hostname-rename now correctly replaces the hostname for the mgr-sync configuration file (bsc#1198356)
  * spacewalk-hostname-rename now utilizes the "--apache2-conf-dir" flag for spacewalk-setup-cobbler (bsc#1198356)

spacewalk-web:
- Version 4.2.28-1
  * Stylesheets and relevant assets are now provided by spacewalk-web
  * Remove nodejs-packaging as a build requirement
  * Hide authentication data in PAYG UI (bsc#1199679)
  * Improved handling of error messages during bootstrapping
  * Added support for end of life notifications
  * Improved test integration for dropdowns
  * Upgrade moment to 2.29.2
  * Fix outdated documentation and release notes links
  * Fix mimetype in kubeconfig validation request (bsc#1199019)

subscription-matcher:
- Declare the LICENSE file as license and not doc

susemanager:
- Version 4.2.35-1
  * Add missing python3-gnupg to Debian10 bootstrap repo (bsc#1201842)
- Version 4.2.34-1
  * mgr-sync: Raise a proper exception when duplicated lines exist in a config file (bsc#1182742)
  * add SLED 12 SP3 bootstrap repo definition (bsc#1199438)
- Version 4.2.33-1
  * Fix issue with bootstrap repo definitions for RHEL/RES8 variants (bsc#1200863)

susemanager-doc-indexes:
- Fixed the 'fast' switch ('-f') of the database migration script in the Installation and Upgrade Guides
- Updated the Virtualization chapter in the Client Configuration Guide
- Added information about registering RHEL clients on Azure in the Import Entitlements and Certificates section of the Client Configuration Guide (bsc#1198944)
- In the Client Configuration Guide, package locking is now supported for Ubuntu and Debian
- Fixed VisibleIf documentation in the Formula section of the Salt Guide
- Added note about importing CA certificates in the Installation and Upgrade Guide (bsc#1198358)
- Documented how to define monitored targets using the file-based service discovery provided in the Prometheus formula of the Salt Guide
- Add note about OpenSCAP security profile support in OpenSCAP section of the Administration Guide
- Fixed spacewalk-remove-channel command in Delete Channels section of the Administration Guide (bsc#1199596)
- Large deployments guide now includes a mention of the proxy (bsc#1199577)
- Enhanced the Product Migration chapter of the Client Configuration Guide with a SUSE Linux Enterprise example

susemanager-docs_en:
- Fixed the 'fast' switch ('-f') of the database migration script in the Installation and Upgrade Guides
- Updated the Virtualization chapter in the Client Configuration Guide
- Added information about registering RHEL clients on Azure in the Import Entitlements and Certificates section of the Client Configuration Guide (bsc#1198944)
- In the Client Configuration Guide, package locking is now supported for Ubuntu and Debian
- Fixed VisibleIf documentation in the Formula section of the Salt Guide
- Added note about importing CA certificates in the Installation and Upgrade Guide (bsc#1198358)
- Documented how to define monitored targets using the file-based service discovery provided in the Prometheus formula of the Salt Guide
- Add note about OpenSCAP security profile support in OpenSCAP section of the Administration Guide
- Fixed spacewalk-remove-channel command in Delete Channels section of the Administration Guide (bsc#1199596)
- Large deployments guide now includes a mention of the proxy (bsc#1199577)
- Enhanced the Product Migration chapter of the Client Configuration Guide with a SUSE Linux Enterprise example

susemanager-schema:
- Version 4.2.23-1
  * Add schema directory for susemanager-schema-4.2.22

susemanager-sls:
- Version 4.2.26-1
  * Fix bootstrap issue with Debian 9 because of missing python3-contextvars (bsc#1201782)
- Version 4.2.25-1
  * use RES bootstrap repo as a fallback for Red Hat downstream OS (bsc#1200087)
  * Add support to packages.pkgremove to deal with duplicated pkg names (bsc#1198686)
  * do not install products and gpg keys when performing distupgrade dry-run (bsc#1199466)
  * Fix deprecated warning when getting pillar data (bsc#1192850)
  * remove unknown repository flags on EL
  * add packages.pkgupdate state (bsc#1197507)
- Version 4.2.24-1
  * Manage the correct minion config file when venv-salt-minion is installed (bsc#1200703)
  * Fix bootstrapping for Ubuntu 18.04 with classic Salt package (bsc#1200707)

susemanager-sync-data:
- Version 4.2.13-1
  * change release status of Debian 11 to released

virtual-host-gatherer:
- Declare the LICENSE file as license and not doc

woodstox:
- Declare the LICENSE file as license and not doc

xmlpull-api:
- Declare the LICENSE file as license and not doc

How to apply this update:
1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-service start`

Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2:
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-2568=1

Package List:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64):
  smdba-1.7.10-0.150300.3.9.2
  spacewalk-branding-4.2.14-150300.3.12.3
  susemanager-4.2.35-150300.3.36.1
  susemanager-tools-4.2.35-150300.3.36.1
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):
  apache-commons-csv-1.2-150300.3.3.2
  apache-commons-math3-3.2-150300.3.3.2
  drools-7.17.0-150300.4.3.2
  jakarta-commons-validator-1.1.4-21.150300.21.3.3
  jose4j-0.5.1-150300.3.3.2
  kie-api-7.17.0-150300.4.3.2
  mvel2-2.2.6.Final-150300.3.3.2
  optaplanner-7.17.0-150300.4.3.2
  py27-compat-salt-3000.3-150300.7.7.20.2
  python3-spacewalk-certs-tools-4.2.17-150300.3.21.2
  python3-spacewalk-client-tools-4.2.19-150300.4.21.3
  python3-susemanager-retail-1.0.1653987003.92d4870-150300.3.3.2
  spacecmd-4.2.18-150300.4.24.3
  spacewalk-admin-4.2.11-150300.3.12.3
  spacewalk-backend-4.2.23-150300.4.26.3
  spacewalk-backend-app-4.2.23-150300.4.26.3
  spacewalk-backend-applet-4.2.23-150300.4.26.3
  spacewalk-backend-config-files-4.2.23-150300.4.26.3
  spacewalk-backend-config-files-common-4.2.23-150300.4.26.3
  spacewalk-backend-config-files-tool-4.2.23-150300.4.26.3
  spacewalk-backend-iss-4.2.23-150300.4.26.3
  spacewalk-backend-iss-export-4.2.23-150300.4.26.3
  spacewalk-backend-package-push-server-4.2.23-150300.4.26.3
  spacewalk-backend-server-4.2.23-150300.4.26.3
  spacewalk-backend-sql-4.2.23-150300.4.26.3
  spacewalk-backend-sql-postgresql-4.2.23-150300.4.26.3
  spacewalk-backend-tools-4.2.23-150300.4.26.3
  spacewalk-backend-xml-export-libs-4.2.23-150300.4.26.3
  spacewalk-backend-xmlrpc-4.2.23-150300.4.26.3
  spacewalk-base-4.2.28-150300.3.24.3
  spacewalk-base-minimal-4.2.28-150300.3.24.3
  spacewalk-base-minimal-config-4.2.28-150300.3.24.3
  spacewalk-certs-tools-4.2.17-150300.3.21.2
  spacewalk-client-tools-4.2.19-150300.4.21.3
  spacewalk-html-4.2.28-150300.3.24.3
  spacewalk-java-4.2.40-150300.3.40.2
  spacewalk-java-config-4.2.40-150300.3.40.2
  spacewalk-java-lib-4.2.40-150300.3.40.2
  spacewalk-java-postgresql-4.2.40-150300.3.40.2
  spacewalk-search-4.2.7-150300.3.9.2
  spacewalk-setup-4.2.11-150300.3.15.2
  spacewalk-taskomatic-4.2.40-150300.3.40.2
  spacewalk-utils-4.2.17-150300.3.18.3
  spacewalk-utils-extras-4.2.17-150300.3.18.3
  subscription-matcher-0.29-150300.6.9.2
  susemanager-doc-indexes-4.2-150300.12.30.3
  susemanager-docs_en-4.2-150300.12.30.2
  susemanager-docs_en-pdf-4.2-150300.12.30.2
  susemanager-retail-tools-1.0.1653987003.92d4870-150300.3.3.2
  susemanager-schema-4.2.23-150300.3.24.3
  susemanager-sls-4.2.26-150300.3.30.1
  susemanager-sync-data-4.2.13-150300.3.21.2
  uyuni-config-modules-4.2.26-150300.3.30.1
  virtual-host-gatherer-1.0.23-150300.3.6.2
  virtual-host-gatherer-Kubernetes-1.0.23-150300.3.6.2
  virtual-host-gatherer-Nutanix-1.0.23-150300.3.6.2
  virtual-host-gatherer-VMware-1.0.23-150300.3.6.2
  virtual-host-gatherer-libcloud-1.0.23-150300.3.6.2
  woodstox-4.4.2-150300.3.3.2
  xmlpull-api-1.1.3.1-150300.3.3.2
References
#1179962 #1182742 #1189501 #1192850 #1193032
#1193238 #1194262 #1194394 #1196977 #1197429
#1197507 #1198191 #1198356 #1198358 #1198429
#1198646 #1198686 #1198914 #1198944 #1198999
#1199019 #1199036 #1199049 #1199438 #1199466
#1199523 #1199528 #1199577 #1199596 #1199629
#1199646 #1199656 #1199677 #1199679 #1199727
#1199874 #1199888 #1200087 #1200703 #1200707
#1200863 #1201782 #1201842
Cross-References: CVE-2022-31248
CVSS scores:
CVE-2022-31248 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2022-31248 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2
SUSE Manager Server 4.2
https://www.suse.com/security/cve/CVE-2022-31248.html
https://bugzilla.suse.com/1179962
https://bugzilla.suse.com/1182742
https://bugzilla.suse.com/1189501
https://bugzilla.suse.com/1192850
https://bugzilla.suse.com/1193032
https://bugzilla.suse.com/1193238
https://bugzilla.suse.com/1194262
https://bugzilla.suse.com/1194394
https://bugzilla.suse.com/1196977
https://bugzilla.suse.com/1197429
https://bugzilla.suse.com/1197507
https://bugzilla.suse.com/1198191
https://bugzilla.suse.com/1198356
https://bugzilla.suse.com/1198358
https://bugzilla.suse.com/1198429
https://bugzilla.suse.com/1198646
https://bugzilla.suse.com/1198686
https://bugzilla.suse.com/1198914
https://bugzilla.suse.com/1198944
https://bugzilla.suse.com/1198999
https://bugzilla.suse.com/1199019
https://bugzilla.suse.com/1199036
https://bugzilla.suse.com/1199049
https://bugzilla.suse.com/1199438
https://bugzilla.suse.com/1199466
https://bugzilla.suse.com/1199523
https://bugzilla.suse.com/1199528
https://bugzilla.suse.com/1199577
https://bugzilla.suse.com/1199596
https://bugzilla.suse.com/1199629
https://bugzilla.suse.com/1199646
https://bugzilla.suse.com/1199656
https://bugzilla.suse.com/1199677
https://bugzilla.suse.com/1199679
https://bugzilla.suse.com/1199727
https://bugzilla.suse.com/1199874
https://bugzilla.suse.com/1199888
https://bugzilla.suse.com/1200087
https://bugzilla.suse.com/1200703
https://bugzilla.suse.com/1200707
https://bugzilla.suse.com/1200863
https://bugzilla.suse.com/1201782
https://bugzilla.suse.com/1201842