SUSE: 2022:3314-1 critical: SUSE Manager Server 4.2
Summary
This update fixes the following issues: drools: - CVE-2021-41411: XML External Entity injection in KieModuleModelImpl.java. (bsc#1200629) httpcomponents-asyncclient: - Provide maven metadata needed by other packages to build image-sync-formula: - Update to version 0.1.1661440526.b08d95b * Add option to sort boot images by version (bsc#1196729) inter-server-sync: - Version 0.2.3 * Compress exported sql data #16631 * Add gzip dependency to decompress data file during import process patterns-suse-manager: - Strictly require OpenJDK 11 (bsc#1202142) py27-compat-salt: - Add support for gpgautoimport in zypperpkg module - Fix salt.states.file.managed() for follow_symlinks=True and test=True (bsc#1199372) - Add support for name, pkgs and diff_attr parameters to upgrade function for zypper and yum (bsc#1198489) - Unify logic on using multiple requisites and add onfail_all (bsc#1198738) - Normalize package names once with pkg.installed/removed using yum (bsc#1195895) salt-netapi-client: - Declare the LICENSE file as license and not doc - Adapted for Enterprise Linux 9. - Version 0.20.0 * See: https://github.com/SUSE/salt-netapi-client/releases/tag/v0.20.0 saltboot-formula: - Update to version 0.1.1661440526.b08d95b * Fallback to local boot if the configured image is not synced * improve image url modifications - preparation for ftp/http changes spacecmd: - Version 4.2.19-1 * Process date values in spacecmd api calls (bsc#1198903) * Show correct help on calling kickstart_importjson with no arguments * Fix tracebacks on spacecmd kickstart_export (bsc#1200591) spacewalk-admin: - Version 4.2.12-1 * Add --help option to mgr-monitoring-ctl spacewalk-backend: - Version 4.2.24-1 * Make reposync use the configured http proxy with mirrorlist (bsc#1198168) * Revert proxy listChannels token caching pr#4548 * cleanup leftovers from removing unused xmlrpc endpoint spacewalk-certs-tools: - Version 4.2.18-1 * traditional stack bootstrap: install product packages (bsc#1201142) spacewalk-client-tools: - Version 4.2.20-1 * Update translation strings spacewalk-java: - Version 4.2.41-1 * Fixed date format on scheduler related messages (bsc#1195455) * Support inherited values for kernel options from Cobbler API (bsc#1199913) * Add channel availability check for product migration (bsc#1200296) * Check if system has all formulas correctly assigned (bsc#1201607) * Remove group formula assignments and data on group delete (bsc#1201606) * Fix sync for external repositories (bsc#1201753) * fix state.apply result parsing in test mode (bsc#1201913) * Reduce the length of image channel URL (bsc#1201220) * Calculate dependencies between cloned channels of vendor channels (bsc#1201626) * fix symlinks pointing to ongres-stringprep * Modify parameter type when communicating with the search server (bsc#1187028) * Fix initial profile and build host on Image Build page (bsc#1199659) * Fix the confirm message on the refresh action by adding a link to pending actions on it (bsc#1172705) * require new salt-netapi-client version * Clean grub2 reinstall entry in autoyast snippet (bsc#1199950) spacewalk-search: - Version 4.2.8-1 * Add methods to handle session id as String spacewalk-web: - Version 4.2.29-1 * CVE-2021-43138: Obtain privileges via the `mapValues()` method. (bsc#1200480) * CVE-2021-42740: Command injection in the shell-quote package. (bsc#1203287) * CVE-2022-31129: Denial-of-Service moment: inefficient parsing algorithm (bsc#1203288) * Fix table header layout for unselectable tables * Fix initial profile and build host on Image Build page (bsc#1199659) subscription-matcher: - Added Guava maximum version requirement. susemanager: - Version 4.2.37-1 * mark new dependencies for python-py optional in bootstrap repo to fix generation for older service packs (bsc#1203449) - Version 4.2.36-1 * add missing packages on SLES 15 * remove server-migrator.sh from SUSE Manager installations (bsc#1202728) * mgr-create-bootstrap-repo: flush directory also when called for a specific label (bsc#1200573) * add missing packages on SLES 12 SP5 bootstrap repo (bsc#1201918) * remove python-tornado from bootstrap repo, since no longer required for salt version >= 3000 * add openSUSE 15.4 product (bsc#1201527) * add clients tool product to generate bootstrap repo on openSUSE 15.x (bsc#1201189) susemanager-doc-indexes: - Documented mandatory channels in the Disconnected Setup chapter of the Administration Guide (bsc#1202464) - Documented how to onboard Ubuntu clients with the Salt bundle as a regular user - Documented how to onboard Debian clients with the Salt bundle or plain Salt as a regular user - Fixed the names of updates channels for Leap - Fixed errors in OpenSCAP chapter of Administration Guide - Added exact command to create the bootstrap repo for Salt bundle and about how to disable salt-thin - Removed CentOS 8 from the list of supported client systems - Extend the notes about using noexec option for /tmp and /var/tmp (bsc#1201210) - Reverted single snippet change for two separate books - Added extend Salt Bundle functionality with Python packages using pip - Add missing part of the description to enable optional support of the Salt Bundle with Salt SSH - Added exact command to create the bootstrap repo for salt bundle and about how to disable salt-thin - Salt Configuration Modules are no longer Technology Preview in Salt Guide. - Fixed Ubuntu 18 Client registration in Client Configuration Guide (bsc#1201224) - Added ports 1232 and 1233 in the Ports section of the Installation and Upgrade Guide; required for Salt SSH Push (bsc#1200532) - In the Custom Channel section of the Administration Guide add a note about synchronizing repositories regularly. - Removed SUSE Linux Enterprise 11 from the list of supported client systems susemanager-docs_en: - Documented mandatory channels in the Disconnected Setup chapter of the Administration Guide (bsc#1202464) - Documented how to onboard Ubuntu clients with the Salt bundle as a regular user - Documented how to onboard Debian clients with the Salt bundle or plain Salt as a regular user - Fixed the names of updates channels for Leap - Fixed errors in OpenSCAP chapter of Administration Guide - Added exact command to create the bootstrap repo for Salt bundle and about how to disable salt-thin - Removed CentOS 8 from the list of supported client systems - Extend the notes about using noexec option for /tmp and /var/tmp (bsc#1201210) - Reverted single snippet change for two separate books - Added extend Salt Bundle functionality with Python packages using pip - Add missing part of the description to enable optional support of the Salt Bundle with Salt SSH - Added exact command to create the bootstrap repo for salt bundle and about how to disable salt-thin - Salt Configuration Modules are no longer Technology Preview in Salt Guide. - Fixed Ubuntu 18 Client registration in Client Configuration Guide (bsc#1201224) - Added ports 1232 and 1233 in the Ports section of the Installation and Upgrade Guide; required for Salt SSH Push (bsc#1200532) - In the Custom Channel section of the Administration Guide add a note about synchronizing repositories regularly. - Removed SUSE Linux Enterprise 11 from the list of supported client systems susemanager-schema: - Version 4.2.24-1 * Fix migration of image actions (bsc#1202272) susemanager-sls: - Version 4.2.27-1 * Copy grains file with util.mgr_switch_to_venv_minion state apply * Remove the message 'rpm: command not found' on using Salt SSH with Debian based systems which has no Salt Bundle * Prevent possible tracebacks on calling module.run from mgrcompat by setting proper globals with using LazyLoader * Fix deploy of SLE Micro CA Certificate (bsc#1200276) uyuni-common-libs: - Version 4.2.7-1 * Do not allow creating path if nonexistent user or group in fileutils. How to apply this update: 1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk service: `spacewalk-service stop` 3. Apply the patch using either zypper patch or YaST Online Update. 4. Start the Spacewalk service: `spacewalk-service start` Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SUSE Manager Server 4.2: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-3314=1 Package List: - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64): inter-server-sync-0.2.3-150300.8.22.2 inter-server-sync-debuginfo-0.2.3-150300.8.22.2 patterns-suma_retail-4.2-150300.4.12.2 patterns-suma_server-4.2-150300.4.12.2 python3-uyuni-common-libs-4.2.7-150300.3.9.2 susemanager-4.2.37-150300.3.41.1 susemanager-tools-4.2.37-150300.3.41.1 - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch): drools-7.17.0-150300.4.6.2 httpcomponents-asyncclient-4.1.4-150300.3.3.2 image-sync-formula-0.1.1661440526.b08d95b-150300.3.3.2 py27-compat-salt-3000.3-150300.7.7.23.2 python3-spacewalk-certs-tools-4.2.18-150300.3.24.3 python3-spacewalk-client-tools-4.2.20-150300.4.24.3 salt-netapi-client-0.20.0-150300.3.9.4 saltboot-formula-0.1.1661440526.b08d95b-150300.3.12.2 spacecmd-4.2.19-150300.4.27.2 spacewalk-admin-4.2.12-150300.3.15.3 spacewalk-backend-4.2.24-150300.4.29.5 spacewalk-backend-app-4.2.24-150300.4.29.5 spacewalk-backend-applet-4.2.24-150300.4.29.5 spacewalk-backend-config-files-4.2.24-150300.4.29.5 spacewalk-backend-config-files-common-4.2.24-150300.4.29.5 spacewalk-backend-config-files-tool-4.2.24-150300.4.29.5 spacewalk-backend-iss-4.2.24-150300.4.29.5 spacewalk-backend-iss-export-4.2.24-150300.4.29.5 spacewalk-backend-package-push-server-4.2.24-150300.4.29.5 spacewalk-backend-server-4.2.24-150300.4.29.5 spacewalk-backend-sql-4.2.24-150300.4.29.5 spacewalk-backend-sql-postgresql-4.2.24-150300.4.29.5 spacewalk-backend-tools-4.2.24-150300.4.29.5 spacewalk-backend-xml-export-libs-4.2.24-150300.4.29.5 spacewalk-backend-xmlrpc-4.2.24-150300.4.29.5 spacewalk-base-4.2.29-150300.3.27.3 spacewalk-base-minimal-4.2.29-150300.3.27.3 spacewalk-base-minimal-config-4.2.29-150300.3.27.3 spacewalk-certs-tools-4.2.18-150300.3.24.3 spacewalk-client-tools-4.2.20-150300.4.24.3 spacewalk-html-4.2.29-150300.3.27.3 spacewalk-java-4.2.41-150300.3.43.5 spacewalk-java-config-4.2.41-150300.3.43.5 spacewalk-java-lib-4.2.41-150300.3.43.5 spacewalk-java-postgresql-4.2.41-150300.3.43.5 spacewalk-search-4.2.8-150300.3.12.2 spacewalk-taskomatic-4.2.41-150300.3.43.5 subscription-matcher-0.29-150300.6.12.2 susemanager-doc-indexes-4.2-150300.12.33.4 susemanager-docs_en-4.2-150300.12.33.2 susemanager-docs_en-pdf-4.2-150300.12.33.2 susemanager-schema-4.2.24-150300.3.27.3 susemanager-sls-4.2.27-150300.3.33.4 uyuni-config-modules-4.2.27-150300.3.33.4
References
#1172705 #1187028 #1195455 #1195895 #1196729
#1198168 #1198489 #1198738 #1198903 #1199372
#1199659 #1199913 #1199950 #1200276 #1200296
#1200480 #1200532 #1200573 #1200591 #1200629
#1201142 #1201189 #1201210 #1201220 #1201224
#1201527 #1201606 #1201607 #1201626 #1201753
#1201913 #1201918 #1202142 #1202272 #1202464
#1202728 #1203287 #1203288 #1203449
Cross- CVE-2021-41411 CVE-2021-42740 CVE-2021-43138
CVE-2022-31129
CVSS scores:
CVE-2021-41411 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-41411 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-42740 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-42740 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-43138 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-43138 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-31129 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-31129 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2
SUSE Manager Server 4.2
https://www.suse.com/security/cve/CVE-2021-41411.html
https://www.suse.com/security/cve/CVE-2021-42740.html
https://www.suse.com/security/cve/CVE-2021-43138.html
https://www.suse.com/security/cve/CVE-2022-31129.html
https://bugzilla.suse.com/1172705
https://bugzilla.suse.com/1187028
https://bugzilla.suse.com/1195455
https://bugzilla.suse.com/1195895
https://bugzilla.suse.com/1196729
https://bugzilla.suse.com/1198168
https://bugzilla.suse.com/1198489
https://bugzilla.suse.com/1198738
https://bugzilla.suse.com/1198903
https://bugzilla.suse.com/1199372
https://bugzilla.suse.com/1199659
https://bugzilla.suse.com/1199913
https://bugzilla.suse.com/1199950
https://bugzilla.suse.com/1200276
https://bugzilla.suse.com/1200296
https://bugzilla.suse.com/1200480
https://bugzilla.suse.com/1200532
https://bugzilla.suse.com/1200573
https://bugzilla.suse.com/1200591
https://bugzilla.suse.com/1200629
https://bugzilla.suse.com/1201142
https://bugzilla.suse.com/1201189
https://bugzilla.suse.com/1201210
https://bugzilla.suse.com/1201220
https://bugzilla.suse.com/1201224
https://bugzilla.suse.com/1201527
https://bugzilla.suse.com/1201606
https://bugzilla.suse.com/1201607
https://bugzilla.suse.com/1201626
https://bugzilla.suse.com/1201753
https://bugzilla.suse.com/1201913
https://bugzilla.suse.com/1201918
https://bugzilla.suse.com/1202142
https://bugzilla.suse.com/1202272
https://bugzilla.suse.com/1202464
https://bugzilla.suse.com/1202728
https://bugzilla.suse.com/1203287
https://bugzilla.suse.com/1203288
https://bugzilla.suse.com/1203449