SUSE Security Update: Security update for SUSE Manager Proxy 4.3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:3750-1
Rating:             moderate
References:         #1198168 #1198903 #1200480 #1201589 #1201788 
                    #1203287 #1203288 #1203585 
Cross-References:   CVE-2021-42740 CVE-2021-43138 CVE-2022-31129
                   
CVSS scores:
                    CVE-2021-42740 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-42740 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-43138 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-43138 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2022-31129 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-31129 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3
                    SUSE Manager Proxy 4.3
______________________________________________________________________________

   An update that solves three vulnerabilities and has 5 fixes
   is now available.

Description:


   This update fixes the following issues:

   mgr-daemon:

   - Version 4.3.6-1
     * Update translation strings

   spacecmd:

   - Version 4.3.15-1
     * Process date values in spacecmd api calls (bsc#1198903)

   spacewalk-backend:

   - Version 4.3.16-1
     * Prevent mixing credentials for proxy and repository server while using
       basic authentication and avoid hiding errors i.e. timeouts while
       having proxy settings issues with extra logging in verbose mode
       (bsc#1201788)
     * Fix the condition of hiding the token from URL on logging
     * export armored GPG key to salt filesystem as well
     * Upgrade Cobbler requirement to 3.3.3 or later
     * Make reposync use the configured http proxy with mirrorlist
       (bsc#1198168)

   spacewalk-certs-tools:

   - Version 4.3.15-1
     * fix mgr-ssl-cert-setup for root CAs which do not set
       authorityKeyIdentifier (bsc#1203585)

   spacewalk-client-tools:

   - Version 4.3.12-1
     * Update translation strings

   spacewalk-web:

   - Version 4.3.24-1
     * Upgrade moment-timezone
     * CVE-2021-43138: Obtain privileges via the `mapValues()` method.
       (bsc#1200480)
     * CVE-2021-42740: Command injection in the shell-quote package.
       (bsc#1203287)
     * CVE-2022-31129: Denial-of-Service moment: inefficient parsing
       algorithm (bsc#1203288)
     * Fix table header layout for unselectable tables

   susemanager-build-keys:

   - Add release and auxiliary GPG keys for RedHat
   - Add keys for Rocky Linux 9
     * RPM-GPG-KEY-redhat-release
     * RPM-GPG-KEY-redhat-auxiliary
     * RPM-GPG-KEY-Rocky-9

   susemanager-tftpsync-recv:

   - Version 4.3.7-1
     * Add missing IPv6 default configuration (bsc#1201589)
     * fix problems with parallel running processes

   uyuni-common-libs:

   - Version 4.3.6-1
     * Do not allow creating path if nonexistent user or group in fileutils.

   How to apply this update:

   1. Log in as root user to the SUSE Manager proxy. 2. Stop the proxy
   service: spacewalk-proxy stop 3. Apply the patch using either zypper patch
   or YaST Online Update. 4. Start the Spacewalk service: spacewalk-proxy
   start


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2022-3750=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (x86_64):

      python3-uyuni-common-libs-4.3.6-150400.3.6.4

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (noarch):

      mgr-daemon-4.3.6-150400.3.6.4
      python3-spacewalk-certs-tools-4.3.15-150400.3.6.2
      python3-spacewalk-check-4.3.12-150400.3.6.6
      python3-spacewalk-client-setup-4.3.12-150400.3.6.6
      python3-spacewalk-client-tools-4.3.12-150400.3.6.6
      spacecmd-4.3.15-150400.3.6.4
      spacewalk-backend-4.3.16-150400.3.6.8
      spacewalk-base-minimal-4.3.24-150400.3.6.4
      spacewalk-base-minimal-config-4.3.24-150400.3.6.4
      spacewalk-certs-tools-4.3.15-150400.3.6.2
      spacewalk-check-4.3.12-150400.3.6.6
      spacewalk-client-setup-4.3.12-150400.3.6.6
      spacewalk-client-tools-4.3.12-150400.3.6.6
      susemanager-build-keys-15.4.3-150400.3.6.1
      susemanager-build-keys-web-15.4.3-150400.3.6.1
      susemanager-tftpsync-recv-4.3.7-150400.3.3.3


References:

   https://www.suse.com/security/cve/CVE-2021-42740.html
   https://www.suse.com/security/cve/CVE-2021-43138.html
   https://www.suse.com/security/cve/CVE-2022-31129.html
   https://bugzilla.suse.com/1198168
   https://bugzilla.suse.com/1198903
   https://bugzilla.suse.com/1200480
   https://bugzilla.suse.com/1201589
   https://bugzilla.suse.com/1201788
   https://bugzilla.suse.com/1203287
   https://bugzilla.suse.com/1203288
   https://bugzilla.suse.com/1203585

SUSE: 2022:3750-1 moderate: SUSE Manager Proxy 4.3

October 26, 2022
An update that solves three vulnerabilities and has 5 fixes is now available

Summary

This update fixes the following issues: mgr-daemon: - Version 4.3.6-1 * Update translation strings spacecmd: - Version 4.3.15-1 * Process date values in spacecmd api calls (bsc#1198903) spacewalk-backend: - Version 4.3.16-1 * Prevent mixing credentials for proxy and repository server while using basic authentication and avoid hiding errors i.e. timeouts while having proxy settings issues with extra logging in verbose mode (bsc#1201788) * Fix the condition of hiding the token from URL on logging * export armored GPG key to salt filesystem as well * Upgrade Cobbler requirement to 3.3.3 or later * Make reposync use the configured http proxy with mirrorlist (bsc#1198168) spacewalk-certs-tools: - Version 4.3.15-1 * fix mgr-ssl-cert-setup for root CAs which do not set authorityKeyIdentifier (bsc#1203585) spacewalk-client-tools: - Version 4.3.12-1 * Update translation strings spacewalk-web: - Version 4.3.24-1 * Upgrade moment-timezone * CVE-2021-43138: Obtain privileges via the `mapValues()` method. (bsc#1200480) * CVE-2021-42740: Command injection in the shell-quote package. (bsc#1203287) * CVE-2022-31129: Denial-of-Service moment: inefficient parsing algorithm (bsc#1203288) * Fix table header layout for unselectable tables susemanager-build-keys: - Add release and auxiliary GPG keys for RedHat - Add keys for Rocky Linux 9 * RPM-GPG-KEY-redhat-release * RPM-GPG-KEY-redhat-auxiliary * RPM-GPG-KEY-Rocky-9 susemanager-tftpsync-recv: - Version 4.3.7-1 * Add missing IPv6 default configuration (bsc#1201589) * fix problems with parallel running processes uyuni-common-libs: - Version 4.3.6-1 * Do not allow creating path if nonexistent user or group in fileutils. How to apply this update: 1. Log in as root user to the SUSE Manager proxy. 2. Stop the proxy service: spacewalk-proxy stop 3. Apply the patch using either zypper patch or YaST Online Update. 4. Start the Spacewalk service: spacewalk-proxy start Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2022-3750=1 Package List: - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (x86_64): python3-uyuni-common-libs-4.3.6-150400.3.6.4 - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (noarch): mgr-daemon-4.3.6-150400.3.6.4 python3-spacewalk-certs-tools-4.3.15-150400.3.6.2 python3-spacewalk-check-4.3.12-150400.3.6.6 python3-spacewalk-client-setup-4.3.12-150400.3.6.6 python3-spacewalk-client-tools-4.3.12-150400.3.6.6 spacecmd-4.3.15-150400.3.6.4 spacewalk-backend-4.3.16-150400.3.6.8 spacewalk-base-minimal-4.3.24-150400.3.6.4 spacewalk-base-minimal-config-4.3.24-150400.3.6.4 spacewalk-certs-tools-4.3.15-150400.3.6.2 spacewalk-check-4.3.12-150400.3.6.6 spacewalk-client-setup-4.3.12-150400.3.6.6 spacewalk-client-tools-4.3.12-150400.3.6.6 susemanager-build-keys-15.4.3-150400.3.6.1 susemanager-build-keys-web-15.4.3-150400.3.6.1 susemanager-tftpsync-recv-4.3.7-150400.3.3.3

References

#1198168 #1198903 #1200480 #1201589 #1201788

#1203287 #1203288 #1203585

Cross- CVE-2021-42740 CVE-2021-43138 CVE-2022-31129

CVSS scores:

CVE-2021-42740 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2021-42740 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2021-43138 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-43138 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-31129 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-31129 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3

SUSE Manager Proxy 4.3

https://www.suse.com/security/cve/CVE-2021-42740.html

https://www.suse.com/security/cve/CVE-2021-43138.html

https://www.suse.com/security/cve/CVE-2022-31129.html

https://bugzilla.suse.com/1198168

https://bugzilla.suse.com/1198903

https://bugzilla.suse.com/1200480

https://bugzilla.suse.com/1201589

https://bugzilla.suse.com/1201788

https://bugzilla.suse.com/1203287

https://bugzilla.suse.com/1203288

https://bugzilla.suse.com/1203585

Severity
Announcement ID: SUSE-SU-2022:3750-1
Rating: moderate

Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved