SUSE Security Update: Security update for SUSE Manager Server 4.3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:3750-1
Rating:             moderate
References:         #1191857 #1195624 #1196729 #1197027 #1198168 
                    #1198903 #1199726 #1200480 #1200573 #1200629 
                    #1201210 #1201220 #1201260 #1201589 #1201626 
                    #1201753 #1201788 #1201913 #1201918 #1202271 
                    #1202272 #1202367 #1202455 #1202464 #1202602 
                    #1202728 #1202729 #1202805 #1202899 #1203026 
                    #1203049 #1203056 #1203169 #1203287 #1203288 
                    #1203385 #1203406 #1203422 #1203449 #1203478 
                    #1203484 #1203564 #1203585 #1203611 #1204208 
                    SUMA-112 
Cross-References:   CVE-2021-41411 CVE-2021-42740 CVE-2021-43138
                    CVE-2022-0860 CVE-2022-31129
CVSS scores:
                    CVE-2021-41411 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-41411 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-42740 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-42740 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-43138 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-43138 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2022-0860 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2022-0860 (SUSE): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
                    CVE-2022-31129 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-31129 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.3
                    SUSE Manager Proxy 4.3
                    SUSE Manager Server 4.3
______________________________________________________________________________

   An update that solves 5 vulnerabilities, contains one
   feature and has 40 fixes is now available.

Description:


   This update fixes the following issues:

   cobbler:

   - Consider case of "next_server" being a hostname during migration of
     Cobbler collections.
   - Fix problem with "proxy_url_ext" setting being None type.
   - Fix settings migration schema to work while upgrading on existing
     running Uyuni and SUSE Manager servers running with old Cobbler settings
     (bsc#1203478)
   - Generate boot menus even if there are no profiles or systems (local boot
     only)
   - Avoid crashing when running buildiso under certain conditions.
   - Fix issue that a custom kernel with the extension ".kernel" is not
     accepted by "cobbler distro add"
   - Fix issue with "get_item_resolved_value" that prevented it from
     returning in cases where a complex object would have been returned
   - Fix issue where the logs would have been spammed with "grab_tree"
     messages that are meant for debugging
   - Buildiso - Fix DNS append line generation
   - Change apache2 conf dir for SUSE distros to allow integration with Uyuni
     and SUSE Manager
   - Avoid permissions errors during cobbler sync
   - Update to version 3.3.3
   - Add UEFI capabilities to "cobbler buildiso" (jsc#SUMA-112)
   - Relevant changes on this release:
     * New:
       * Uyuni Proxies can now be set with the schema validation.
       * Cobbler should now build on AlmaLinux.
       * The initrd is not required anymore as it is an optional file.
       * XML-RPC: Added dump_vars endpoint. This is intended to replace
         get_blended_data as of 3.4.0.
       * XML-RPC: Added get_item_resolved_value & set_item_resolved_value
         endpoints.
     * Breaking Changes:
       * The field virt_file_size is now a float and the related settings as
         well.
     * Changes:
       * The error messages for duplicated objects now contain the name of
         the duplicated object.
     * Bugfixes:
       * Dictionaries had the wrong value set for <>.
       * There were some cases in which the autoinstallation manager was
         handed the wrong object and then crashed.
       * The inheritance of the owners field was fixed.
       * Serial Console options should not contain a bogus -1 value anymore.
       * HTTP API should not throw permission errors anymore.
       * During build the log was not visible due to a custom logger without
         output.
       * cobbler mkloaders now also copies dependencies of menu.c32.
       * We now generate the grub configuration for the architectures
         correctly again.
       * virt_file_size now is a float at all times.
       * Cobbler should restart successfully now if you have attached an
         image to a system.
       * If you have a system named default the bootloader was not removed
         properly before.
       * cobbler buildiso: The isolinux.cfg was not properly formatted.
       * There were harmless templating errors in the log related to
         redhat_management_type. The parts depending on this were removed.
       * The DNS managers were non-functional before because of a call to a
         non-existent function.
       * cobbler buildiso failed with --tmpdirs that don't end in buildiso.
       * cobbler buildiso had outdated docs and help messages for some
         parameters.
       * cobbler import: It was impossible to import Rocky Linux 8.5
         successfully.
       * Cobbler created duplicated settings files before.
       * cobbler sync was broken by refactoring to shell=False before.
   - CVE-2022-0860: Improper Authorization in Cobbler. (bsc#1197027)
   - Version 3.3.0 fixed jsc#SUMA-112
   - Update to version 3.3.2
       * cobbler sync no longer has to be executed after enable_ipxe is
         flipped
       * Auth: Support for Global Secure Catalog via LDAP provider
       * Reposync now deletes old metadata to prevent metadata merge conflicts
       * The automigration of the settings is now not enabled by default.
       * We removed ppc from RedHat EL 7 as it is not supported
       * Network interface is not subscriptable errors were fixed
       * The stacktraces related to the package and file pre & post triggers
         should no longer appear
       * You should be able to add multiple initrds if needed again
       * Debian: Fix regex for SHIM_FILE which now provides a working
         reasonable default

   drools:

   - CVE-2021-41411: XML External Entity injection in KieModuleModelImpl.java
     (bsc#1200629)

   image-sync-formula:

   - Update to version 0.1.1661440542.6cbe0da
     * Sort boot images by version instead of name-version (bsc#1196729)
     * Do not send events if syncing fails

   inter-server-sync:

     * Compress exported sql data and decompress during import
     * Add gzip dependency to decompress data file during import process

   locale-formula:

   - Update to version 0.3
     * Remove .map.gz from kb_map dictionary (bsc#1203406)

   python-urlgrabber:

   - Avoid crashing when setting URLGRABBER_DEBUG=1 environment variable

   reprepro:

   - Update from version 5.3.0 to version 5.4.0
     * Add shunit2 based tests
     * Support multiple versions
     * Add the commands move, movesrc, movematched, movefilter
     * Add Limit and Archive option
     * Fix manpage to document the behaviour when reprepro is linked against
       liblzma
     * Mark 'dumpcontents' command as deprecated

   saltboot-formula:

   - Update to version 0.1.1661440542.6cbe0da
     * Fallback to local boot if the configured image is not synced
     * Support salt bundle

   spacecmd:

   - Version 4.3.15-1
     * Process date values in spacecmd api calls (bsc#1198903)

   spacewalk-admin:

   - Version 4.3.10-1
     * Ensure "cobbler mkloaders" is executed after restarting services
     * Add --help option to mgr-monitoring-ctl
     * reportdb access: force new report_db_sslrootcert if previous default
       is set

   spacewalk-backend:

   - Version 4.3.16-1
     * Prevent mixing credentials for proxy and repository server while using
       basic authentication, and avoid hiding errors (e.g. timeouts) caused by
       proxy settings issues by adding extra logging in verbose mode
       (bsc#1201788)
     * Fix the condition of hiding the token from URL on logging
     * export armored GPG key to salt filesystem as well
     * Upgrade Cobbler requirement to 3.3.3 or later
     * Make reposync use the configured http proxy with mirrorlist
       (bsc#1198168)

   spacewalk-certs-tools:

   - Version 4.3.15-1
     * fix mgr-ssl-cert-setup for root CAs which do not set
       authorityKeyIdentifier (bsc#1203585)

   spacewalk-client-tools:

   - Version 4.3.12-1
     * Update translation strings

   spacewalk-java:

   - version 4.3.38-1
     * delay hardware refresh action to avoid missing channels (bsc#1204208)
   - Version 4.3.37-1
     * Fix get_item_resolved_value call
   - Version 4.3.36-1
     * Fix prerequisite action serialization (bsc#1202899, bsc#1203484)
     * Fix hardware update where there is no DNS FQDN changes (bsc#1203611)
     * Fix UI crash when filtering on systems list (bsc#1203169)
     * Filter out successors that have no repositories on SP migration
       (bsc#1202367)
     * Reduced the usage of deprecated Hibernate API
     * Use mgrnet.dns_fqdns module to improve FQDN detection (bsc#1199726)
     * Support Pay-as-you-go new CA location for SUSE Linux Enterprise Server
       15 SP4 and higher (bsc#1202729)
     * Fixed pagination for completed/failed systems in action details
     * Add support in rhn.conf for smtp port, auth, ssl/tls config
     * Calculate dependencies between cloned channels of vendor channels
       (bsc#1201626)
     * Fix sync for external repositories (bsc#1201753)
     * Detect the clients running on Amazon EC2 (bsc#1195624)
     * Adjust cobbler requirement to version 3.3.3
     * Support inherited values for kernel options from Cobbler API
     * Fix virtFileSize type after cobbler upgrade
     * Redefine available power_management.types for cobbler >= 3.3.1
     * fix state.apply result parsing in test mode (bsc#1201913)
     * require tomcat native interface to prevent misleading warning in
       tomcat startup log (bsc#1202455)
     * Reduce the length of image channel URL (bsc#1201220)
     * Fixed formula deselection in systemgroup (bsc#1202271)
     * Added a new configuration property to allow custom channels to be
       synced together with vendor channels.
     * add onlyRelevant argument to addErrataUpdate API
     * Fix Taskomatic tasks remaining in progress

   spacewalk-search:

   - Version 4.3.7-1
     * update dependencies after package rename

   spacewalk-setup:

   - version 4.3.12
     * Fix detected issues to perform migration of Cobbler settings and
       collections.

   - Version 4.3.11-1
     * Trigger migration of Cobbler settings and collections if necessary
       during package installation (bsc#1203478)
     * Execute "cobbler mkloaders" when setting up cobbler
     * Adjust next_server cobbler settings for cobbler >= 3.3.1
     * fix prototype mismatch in idn_to_ascii (bsc#1203385)

   spacewalk-utils:

   - Version 4.3.14-1
     * Make spacewalk-hostname-rename work with the settings.yaml cobbler
       config file (bsc#1203564)
     * spacewalk-common-channels now syncs the channels automatically
       on creation, if the new configuration property named
       'unify_custom_channel_management' is enabled

   spacewalk-web:

   - Version 4.3.24-1
     * Upgrade moment-timezone
     * CVE-2021-43138: Obtain privileges via the `mapValues()` method of the
       async npm package. (bsc#1200480)
     * CVE-2021-42740: Command injection in the shell-quote package.
       (bsc#1203287)
     * CVE-2022-31129: Denial of service in moment due to an inefficient
       parsing algorithm (bsc#1203288)
     * Fix table header layout for unselectable tables

   subscription-matcher:

   - Added Guava maximum version requirement

   susemanager:

   - Version 4.3.19-1
     * mark new dependencies for python-py optional in bootstrap repo to fix
       generation for older service packs (bsc#1203449)
     * add bootstrap repository definition for OES2023 (bsc#1202602)
     * add missing packages on SUSE Linux Enterprise Server 15
     * remove server-migrator.sh from SUSE Manager installations (bsc#1202728)
     * create bootstrap repository data for Ubuntu 22.04 Vendor Channels
     * remove obsoleted sysv init script (bsc#1191857)
     * mgr-create-bootstrap-repo: flush directory also when called for a
       specific label (bsc#1200573)
     * pg-migrate-x-to-y.sh: improve output (bsc#1201260)
     * remove python-tornado from bootstrap repo, since no longer required
       for salt version >= 3000
     * add missing packages on SUSE Linux Enterprise Server 12 SP5 bootstrap
       repo (bsc#1201918)
     * revert "bootstrap repo: set optional packages"

   susemanager-build-keys:

   - Add release and auxiliary GPG keys for RedHat
   - Add keys for Rocky Linux 9
     * RPM-GPG-KEY-redhat-release
     * RPM-GPG-KEY-redhat-auxiliary
     * RPM-GPG-KEY-Rocky-9

   susemanager-docs_en:

   - Removed Debian 9 references due to end of life and added missing Debian
     11 info
   - Fixed description of default notification settings (bsc#1203422)
   - Added missing Debian 11 references
   - Documented helm deployment of the proxy on k3s and MetalLB in
     Installation and Upgrade Guide
   - Added secure mail communication settings in Administration Guide
   - Fixed path to state and pillar files
   - Documented how pxeboot works with Secure Boot enabled in Client
     Configuration Guide
   - Add repository via proxy issues troubleshooting page
   - Change import GPG key description
   - Added SLE Micro 5.2 and 5.3 as technology preview clients in the Client
     Configuration Guide, and the IBM Z architecture for 5.1, 5.2, and 5.3
   - Added command to remove the obsolete Python module on SUSE Manager
     Server 4.1 in the Installation and Upgrade Guide (bsc#1203026)
   - Mention CA certificate directory in the proxy setup description in the
     Installation and Upgrade Guide (bsc#1202805)
   - Documented mandatory channels in the Disconnected Setup chapter of the
     Administration Guide (bsc#1202464)
   - Documented how to onboard Ubuntu clients with the Salt bundle as a
     regular user
   - Documented how to onboard Debian clients with the Salt bundle or plain
     Salt as a regular user
   - Fixed the names of updates channels for Leap
   - Fixed errors in OpenSCAP chapter of Administration Guide
   - Removed CentOS 8 from the list of supported client systems
   - Extend the notes about using noexec option for /tmp and /var/tmp
     (bsc#1201210)
   - Added Extend Salt Bundle functionality with Python packages using pip
   - Salt Configuration Modules are no longer Technology Preview in the Salt
     Guide

   susemanager-schema:

   - Version 4.3.14-1
     * Add subtypes for Amazon EC2 virtual instances (bsc#1195624)
     * Fix migration of image actions (bsc#1202272)
     * improve schema compatibility with Amazon RDS

   susemanager-sls:

   - Version 4.3.25-1
     * Fix mgrnet availability check
     * Remove dependence on Kiwi libraries
     * disable always the bootstrap repository also when
       "mgr_disable_local_repos" is set to False
     * Use mgrnet.dns_fqdns module to improve FQDN detection (bsc#1199726)
     * fix syntax error - remove trailing colon (bsc#1203049)
     * Add mgrnet salt module with an mgrnet.dns_fqdns function that returns
       all possible FQDNs from DNS (bsc#1199726)
     * Copy grains file with util.mgr_switch_to_venv_minion state apply
       (bsc#1203056)
     * Remove the message 'rpm: command not found' when using Salt SSH with
       Debian based systems which have no Salt Bundle

   susemanager-sync-data:

   - Version 4.3.9-1
     * add oes2023 (bsc#1202602)
     * add Ubuntu 22.04 amd64

   susemanager-tftpsync:

   - Version 4.3.2-1
     * Adjust sync_post_tftpd_proxies module to cobbler >= 3.3.1

   uyuni-common-libs:

   - Version 4.3.6-1
     * Do not allow creating path if nonexistent user or group in fileutils.

   uyuni-reportdb-schema:

   - Version 4.3.6-1
     * improve schema compatibility with Amazon RDS

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service: `spacewalk-service stop`
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service: `spacewalk-service start`


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.3:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2022-3750=1

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2022-3750=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (ppc64le s390x x86_64):

      inter-server-sync-0.2.3-150400.3.6.1
      inter-server-sync-debuginfo-0.2.3-150400.3.6.1
      python3-magic-5.32-150000.7.16.1
      python3-uyuni-common-libs-4.3.6-150400.3.6.4
      reprepro-5.4.0-150400.3.6.1
      reprepro-debuginfo-5.4.0-150400.3.6.1
      reprepro-debugsource-5.4.0-150400.3.6.1
      susemanager-4.3.19-150400.3.6.4
      susemanager-tftpsync-4.3.2-150400.3.3.4
      susemanager-tools-4.3.19-150400.3.6.4

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (noarch):

      cobbler-3.3.3-150400.5.7.1
      drools-7.17.0-150400.3.6.1
      image-sync-formula-0.1.1661440542.6cbe0da-150400.3.6.1
      locale-formula-0.3-150400.3.3.1
      python3-schema-0.6.7-150400.10.3.1
      python3-spacewalk-certs-tools-4.3.15-150400.3.6.2
      python3-spacewalk-client-tools-4.3.12-150400.3.6.6
      python3-urlgrabber-4.1.0-150400.3.6.1
      saltboot-formula-0.1.1661440542.6cbe0da-150400.3.3.1
      spacecmd-4.3.15-150400.3.6.4
      spacewalk-admin-4.3.10-150400.3.3.2
      spacewalk-backend-4.3.16-150400.3.6.8
      spacewalk-backend-app-4.3.16-150400.3.6.8
      spacewalk-backend-applet-4.3.16-150400.3.6.8
      spacewalk-backend-config-files-4.3.16-150400.3.6.8
      spacewalk-backend-config-files-common-4.3.16-150400.3.6.8
      spacewalk-backend-config-files-tool-4.3.16-150400.3.6.8
      spacewalk-backend-iss-4.3.16-150400.3.6.8
      spacewalk-backend-iss-export-4.3.16-150400.3.6.8
      spacewalk-backend-package-push-server-4.3.16-150400.3.6.8
      spacewalk-backend-server-4.3.16-150400.3.6.8
      spacewalk-backend-sql-4.3.16-150400.3.6.8
      spacewalk-backend-sql-postgresql-4.3.16-150400.3.6.8
      spacewalk-backend-tools-4.3.16-150400.3.6.8
      spacewalk-backend-xml-export-libs-4.3.16-150400.3.6.8
      spacewalk-backend-xmlrpc-4.3.16-150400.3.6.8
      spacewalk-base-4.3.24-150400.3.6.4
      spacewalk-base-minimal-4.3.24-150400.3.6.4
      spacewalk-base-minimal-config-4.3.24-150400.3.6.4
      spacewalk-certs-tools-4.3.15-150400.3.6.2
      spacewalk-client-tools-4.3.12-150400.3.6.6
      spacewalk-html-4.3.24-150400.3.6.4
      spacewalk-java-4.3.38-150400.3.8.3
      spacewalk-java-config-4.3.38-150400.3.8.3
      spacewalk-java-lib-4.3.38-150400.3.8.3
      spacewalk-java-postgresql-4.3.38-150400.3.8.3
      spacewalk-search-4.3.7-150400.3.6.2
      spacewalk-setup-4.3.12-150400.3.8.1
      spacewalk-taskomatic-4.3.38-150400.3.8.3
      spacewalk-utils-4.3.14-150400.3.6.3
      spacewalk-utils-extras-4.3.14-150400.3.6.3
      subscription-matcher-0.29-150400.3.7.1
      susemanager-build-keys-15.4.3-150400.3.6.1
      susemanager-build-keys-web-15.4.3-150400.3.6.1
      susemanager-docs_en-4.3-150400.9.6.1
      susemanager-docs_en-pdf-4.3-150400.9.6.1
      susemanager-schema-4.3.14-150400.3.6.5
      susemanager-schema-utility-4.3.14-150400.3.6.5
      susemanager-sls-4.3.25-150400.3.6.4
      susemanager-sync-data-4.3.9-150400.3.3.1
      uyuni-config-modules-4.3.25-150400.3.6.4
      uyuni-reportdb-schema-4.3.6-150400.3.3.6

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (noarch):

      mgr-daemon-4.3.6-150400.3.6.4
      python3-spacewalk-certs-tools-4.3.15-150400.3.6.2
      python3-spacewalk-check-4.3.12-150400.3.6.6
      python3-spacewalk-client-setup-4.3.12-150400.3.6.6
      python3-spacewalk-client-tools-4.3.12-150400.3.6.6
      spacecmd-4.3.15-150400.3.6.4
      spacewalk-backend-4.3.16-150400.3.6.8
      spacewalk-base-minimal-4.3.24-150400.3.6.4
      spacewalk-base-minimal-config-4.3.24-150400.3.6.4
      spacewalk-certs-tools-4.3.15-150400.3.6.2
      spacewalk-check-4.3.12-150400.3.6.6
      spacewalk-client-setup-4.3.12-150400.3.6.6
      spacewalk-client-tools-4.3.12-150400.3.6.6
      susemanager-build-keys-15.4.3-150400.3.6.1
      susemanager-build-keys-web-15.4.3-150400.3.6.1
      susemanager-tftpsync-recv-4.3.7-150400.3.3.3

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (x86_64):

      python3-uyuni-common-libs-4.3.6-150400.3.6.4

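   The package list above is the ground truth for whether a server is patched:
   `zypper patch` does the comparison for you on the box, but when auditing an
   inventory exported from many servers (rpm -qa output, or the report
   database) you need the same version logic off-box. The following is an added
   example, not SUSE or Uyuni tooling, that re-implements rpm's version
   comparison (rpmvercmp: numeric segments as integers, alpha segments
   lexically, numeric beats alpha, '~' sorts before everything and '^' after
   the end of a string) and reports which advisory packages are installed at an
   older build. ADVISORY_PACKAGES is a subset copied from the list above;
   SAMPLE_INSTALLED is a constructed, made-up inventory for demonstration.

```python
"""Report advisory packages that are installed at a build older than the fix."""
import re
import shutil
import subprocess
from typing import Dict, List, Tuple

# Subset of the advisory's package list (noarch, SUSE Manager Server 4.3).
ADVISORY_PACKAGES = """
cobbler-3.3.3-150400.5.7.1
drools-7.17.0-150400.3.6.1
spacewalk-base-4.3.24-150400.3.6.4
spacewalk-java-4.3.38-150400.3.8.3
python3-uyuni-common-libs-4.3.6-150400.3.6.4
"""

# Constructed sample of an unpatched host's inventory; these installed builds
# are invented for the example and are not real SUSE package versions.
SAMPLE_INSTALLED = {
    "cobbler": "3.3.0-150400.3.3.1",          # older version than the fix
    "drools": "7.17.0-150400.3.3.1",          # same version, older release
    "spacewalk-base": "4.3.25-150400.1.1",    # newer than the fix
    "spacewalk-java": "4.3.38-150400.3.8.3",  # exactly the fixed build
}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~|\^")   # separators ('.', '-', '+') are dropped


def rpmvercmp(a: str, b: str) -> int:
    """1 if a is newer than b, -1 if older, 0 if equal (rpm's rpmvercmp rules)."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":            # tilde sorts before anything, even end of string
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x == "^" or y == "^":            # caret: after end of string, before any segment
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            continue
        if x is None:                       # shorter string is older
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():                   # numeric segment beats alpha segment
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    return 0


def evr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release.
    Epoch is omitted because the advisory's package list carries none."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_advisory(text: str) -> Dict[str, str]:
    """'name-version-release' lines -> {name: 'version-release'}."""
    fixed = {}
    for line in text.split():
        name, version, release = line.rsplit("-", 2)
        fixed[name] = f"{version}-{release}"
    return fixed


def missing_updates(installed: Dict[str, str], advisory_text: str) -> List[Tuple[str, str, str]]:
    """(name, installed, fixed) for each advisory package installed at an older
    build. Advisory packages the host does not have are not reported."""
    fixed = parse_advisory(advisory_text)
    return [(name, installed[name], fixed[name])
            for name in fixed
            if name in installed and evr_cmp(installed[name], fixed[name]) < 0]


def installed_packages() -> Dict[str, str]:
    """Query rpm on a real host; fall back to the constructed sample elsewhere."""
    if shutil.which("rpm") is None:
        return SAMPLE_INSTALLED
    out = subprocess.run(["rpm", "-qa", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n"],
                         check=True, capture_output=True, text=True).stdout
    return dict(line.split(" ", 1) for line in out.splitlines() if line)


if __name__ == "__main__":
    for name, have, want in missing_updates(installed_packages(), ADVISORY_PACKAGES):
        print(f"{name}: installed {have}, fixed in {want}")
```

   With the sample inventory the report names cobbler and drools only: the
   drools case shows why release strings matter (same upstream version, older
   SUSE build), and spacewalk-base is not flagged because a later build than
   the advisory's already satisfies it.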

References:

   https://www.suse.com/security/cve/CVE-2021-41411.html
   https://www.suse.com/security/cve/CVE-2021-42740.html
   https://www.suse.com/security/cve/CVE-2021-43138.html
   https://www.suse.com/security/cve/CVE-2022-0860.html
   https://www.suse.com/security/cve/CVE-2022-31129.html
   https://bugzilla.suse.com/1191857
   https://bugzilla.suse.com/1195624
   https://bugzilla.suse.com/1196729
   https://bugzilla.suse.com/1197027
   https://bugzilla.suse.com/1198168
   https://bugzilla.suse.com/1198903
   https://bugzilla.suse.com/1199726
   https://bugzilla.suse.com/1200480
   https://bugzilla.suse.com/1200573
   https://bugzilla.suse.com/1200629
   https://bugzilla.suse.com/1201210
   https://bugzilla.suse.com/1201220
   https://bugzilla.suse.com/1201260
   https://bugzilla.suse.com/1201589
   https://bugzilla.suse.com/1201626
   https://bugzilla.suse.com/1201753
   https://bugzilla.suse.com/1201788
   https://bugzilla.suse.com/1201913
   https://bugzilla.suse.com/1201918
   https://bugzilla.suse.com/1202271
   https://bugzilla.suse.com/1202272
   https://bugzilla.suse.com/1202367
   https://bugzilla.suse.com/1202455
   https://bugzilla.suse.com/1202464
   https://bugzilla.suse.com/1202602
   https://bugzilla.suse.com/1202728
   https://bugzilla.suse.com/1202729
   https://bugzilla.suse.com/1202805
   https://bugzilla.suse.com/1202899
   https://bugzilla.suse.com/1203026
   https://bugzilla.suse.com/1203049
   https://bugzilla.suse.com/1203056
   https://bugzilla.suse.com/1203169
   https://bugzilla.suse.com/1203287
   https://bugzilla.suse.com/1203288
   https://bugzilla.suse.com/1203385
   https://bugzilla.suse.com/1203406
   https://bugzilla.suse.com/1203422
   https://bugzilla.suse.com/1203449
   https://bugzilla.suse.com/1203478
   https://bugzilla.suse.com/1203484
   https://bugzilla.suse.com/1203564
   https://bugzilla.suse.com/1203585
   https://bugzilla.suse.com/1203611
   https://bugzilla.suse.com/1204208

SUSE: 2022:3750-1 moderate: SUSE Manager Server 4.3

October 26, 2022
An update that solves 5 vulnerabilities, contains one feature and has 40 fixes is now available
to remove the obsolete Python module on SUSE Manager Server 4.1 in the Installation and Upgrade Guide (bsc#1203026) - Mention CA certificate directory in the proxy setup description in the Installation and Upgrade Guide (bsc#1202805) - Documented mandatory channels in the Disconnected Setup chapter of the Administration Guide (bsc#1202464) - Documented how to onboard Ubuntu clients with the Salt bundle as a regular user - Documented how to onboard Debian clients with the Salt bundle or plain Salt as a regular user - Fixed the names of updates channels for Leap - Fixed errors in OpenSCAP chapter of Administration Guide - Removed CentOS 8 from the list of supported client systems - Extend the notes about using noexec option for /tmp and /var/tmp (bsc#1201210) - Added Extend Salt Bundle functionality with Python packages using pip - Salt Configuration Modules are no longer Technology Preview in the Salt Guide susemanager-schema: - Version 4.3.14-1 * Add subtypes for Amazon EC2 virtual instances (bsc#1195624) * Fix migration of image actions (bsc#1202272) * improve schema compatibility with Amazon RDS susemanager-sls: - Version 4.3.25-1 * Fix mgrnet availability check * Remove dependence on Kiwi libraries * disable always the bootstrap repository also when "mgr_disable_local_repos" is set to False * Use mgrnet.dns_fqdns module to improve FQDN detection (bsc#1199726) * fix syntax error - remove trailing colon (bsc#1203049) * Add mgrnet salt module with mgrnet.dns_fqnd function implementation allowing to get all possible FQDNs from DNS (bsc#1199726) * Copy grains file with util.mgr_switch_to_venv_minion state apply (bsc#1203056) * Remove the message 'rpm: command not found' on using Salt SSH with Debian based systems which has no Salt Bundle susemanager-sync-data: - Version 4.3.9-1 * add oes2023 (bsc#1202602) * add Ubuntu 22.04 amd64 susemanager-tftpsync: - Version 4.3.2-1 * Adjust sync_post_tftpd_proxies module to cobbler >= 3.3.1 uyuni-common-libs: - Version 4.3.6-1 * 
Do not allow creating path if nonexistent user or group in fileutils. uyuni-reportdb-schema: - Version 4.3.6-1 * improve schema compatibility with Amazon RDS How to apply this update: 1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk service: `spacewalk-service stop` 3. Apply the patch using either zypper patch or YaST Online Update. 4. Start the Spacewalk service: `spacewalk-service start` Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SUSE Manager Server 4.3: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2022-3750=1 - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2022-3750=1 Package List: - SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (ppc64le s390x x86_64): inter-server-sync-0.2.3-150400.3.6.1 inter-server-sync-debuginfo-0.2.3-150400.3.6.1 python3-magic-5.32-150000.7.16.1 python3-uyuni-common-libs-4.3.6-150400.3.6.4 reprepro-5.4.0-150400.3.6.1 reprepro-debuginfo-5.4.0-150400.3.6.1 reprepro-debugsource-5.4.0-150400.3.6.1 susemanager-4.3.19-150400.3.6.4 susemanager-tftpsync-4.3.2-150400.3.3.4 susemanager-tools-4.3.19-150400.3.6.4 - SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (noarch): cobbler-3.3.3-150400.5.7.1 drools-7.17.0-150400.3.6.1 image-sync-formula-0.1.1661440542.6cbe0da-150400.3.6.1 locale-formula-0.3-150400.3.3.1 python3-schema-0.6.7-150400.10.3.1 python3-spacewalk-certs-tools-4.3.15-150400.3.6.2 python3-spacewalk-client-tools-4.3.12-150400.3.6.6 python3-urlgrabber-4.1.0-150400.3.6.1 saltboot-formula-0.1.1661440542.6cbe0da-150400.3.3.1 spacecmd-4.3.15-150400.3.6.4 spacewalk-admin-4.3.10-150400.3.3.2 spacewalk-backend-4.3.16-150400.3.6.8 spacewalk-backend-app-4.3.16-150400.3.6.8 spacewalk-backend-applet-4.3.16-150400.3.6.8 
spacewalk-backend-config-files-4.3.16-150400.3.6.8 spacewalk-backend-config-files-common-4.3.16-150400.3.6.8 spacewalk-backend-config-files-tool-4.3.16-150400.3.6.8 spacewalk-backend-iss-4.3.16-150400.3.6.8 spacewalk-backend-iss-export-4.3.16-150400.3.6.8 spacewalk-backend-package-push-server-4.3.16-150400.3.6.8 spacewalk-backend-server-4.3.16-150400.3.6.8 spacewalk-backend-sql-4.3.16-150400.3.6.8 spacewalk-backend-sql-postgresql-4.3.16-150400.3.6.8 spacewalk-backend-tools-4.3.16-150400.3.6.8 spacewalk-backend-xml-export-libs-4.3.16-150400.3.6.8 spacewalk-backend-xmlrpc-4.3.16-150400.3.6.8 spacewalk-base-4.3.24-150400.3.6.4 spacewalk-base-minimal-4.3.24-150400.3.6.4 spacewalk-base-minimal-config-4.3.24-150400.3.6.4 spacewalk-certs-tools-4.3.15-150400.3.6.2 spacewalk-client-tools-4.3.12-150400.3.6.6 spacewalk-html-4.3.24-150400.3.6.4 spacewalk-java-4.3.38-150400.3.8.3 spacewalk-java-config-4.3.38-150400.3.8.3 spacewalk-java-lib-4.3.38-150400.3.8.3 spacewalk-java-postgresql-4.3.38-150400.3.8.3 spacewalk-search-4.3.7-150400.3.6.2 spacewalk-setup-4.3.12-150400.3.8.1 spacewalk-taskomatic-4.3.38-150400.3.8.3 spacewalk-utils-4.3.14-150400.3.6.3 spacewalk-utils-extras-4.3.14-150400.3.6.3 subscription-matcher-0.29-150400.3.7.1 susemanager-build-keys-15.4.3-150400.3.6.1 susemanager-build-keys-web-15.4.3-150400.3.6.1 susemanager-docs_en-4.3-150400.9.6.1 susemanager-docs_en-pdf-4.3-150400.9.6.1 susemanager-schema-4.3.14-150400.3.6.5 susemanager-schema-utility-4.3.14-150400.3.6.5 susemanager-sls-4.3.25-150400.3.6.4 susemanager-sync-data-4.3.9-150400.3.3.1 uyuni-config-modules-4.3.25-150400.3.6.4 uyuni-reportdb-schema-4.3.6-150400.3.3.6 - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (noarch): mgr-daemon-4.3.6-150400.3.6.4 python3-spacewalk-certs-tools-4.3.15-150400.3.6.2 python3-spacewalk-check-4.3.12-150400.3.6.6 python3-spacewalk-client-setup-4.3.12-150400.3.6.6 python3-spacewalk-client-tools-4.3.12-150400.3.6.6 spacecmd-4.3.15-150400.3.6.4 
spacewalk-backend-4.3.16-150400.3.6.8 spacewalk-base-minimal-4.3.24-150400.3.6.4 spacewalk-base-minimal-config-4.3.24-150400.3.6.4 spacewalk-certs-tools-4.3.15-150400.3.6.2 spacewalk-check-4.3.12-150400.3.6.6 spacewalk-client-setup-4.3.12-150400.3.6.6 spacewalk-client-tools-4.3.12-150400.3.6.6 susemanager-build-keys-15.4.3-150400.3.6.1 susemanager-build-keys-web-15.4.3-150400.3.6.1 susemanager-tftpsync-recv-4.3.7-150400.3.3.3 - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (x86_64): python3-uyuni-common-libs-4.3.6-150400.3.6.4
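After step 4 of the procedure above, the practical question is whether every package named in the Package List actually reached the advisory's build. The script below is an added example written for this page, not SUSE tooling: it parses advisory-style "name-version-release" entries, compares them against `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output using a simplified rpm version comparison (numeric segments compared as integers, alpha segments lexically, numeric beats alpha, longer wins; no epoch, tilde or caret handling, which none of the listed packages need), and reports what is still at an older build. The package excerpt is taken from the list above; the `rpm -qa` sample is constructed to show one patched, one outdated and one not-installed package.

```python
"""Check installed RPM builds against the package list of SUSE-SU-2022:3750-1.

Added illustration for this advisory page; not part of SUSE Manager or zypper.
"""
import re
from typing import Dict, List, Tuple

# Excerpt of the advisory's Package List (SUSE Manager Server 4.3).
ADVISORY_PACKAGES = """
spacewalk-java-4.3.38-150400.3.8.3
spacewalk-html-4.3.24-150400.3.6.4
spacewalk-base-4.3.24-150400.3.6.4
cobbler-3.3.3-150400.5.7.1
python3-uyuni-common-libs-4.3.6-150400.3.6.4
"""

# Constructed sample of:  rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# spacewalk-html is still at a pre-patch build; python3-uyuni-common-libs is absent.
SAMPLE_RPM_QA = """
spacewalk-java 4.3.38-150400.3.8.3
spacewalk-html 4.3.22-150400.3.3.1
spacewalk-base 4.3.24-150400.3.6.4
cobbler 3.3.3-150400.5.7.1
"""

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: 1 if a is newer, -1 if older, 0 if equal.
    Segments are maximal digit or alpha runs; separators are ignored."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # strips leading zeros, e.g. 007 == 7
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment is newer than alpha
        elif x != y:
            return 1 if x > y else -1        # alpha segments compare as strings
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1   # remaining segments win
    return 0


def evr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, release as tie-breaker."""
    av, ar = a.split("-", 1)
    bv, br = b.split("-", 1)
    return rpmvercmp(av, bv) or rpmvercmp(ar, br)


def parse_advisory(text: str) -> Dict[str, str]:
    """'name-version-release' -> {name: 'version-release'}.  Splitting on the
    last two hyphens is safe because RPM forbids '-' in version and release."""
    required = {}
    for token in text.split():
        name, version, release = token.rsplit("-", 2)
        required[name] = f"{version}-{release}"
    return required


def parse_installed(text: str) -> Dict[str, str]:
    """Parse 'NAME VERSION-RELEASE' lines as produced by the rpm query above."""
    installed = {}
    for line in text.strip().splitlines():
        name, version_release = line.split()
        installed[name] = version_release
    return installed


def check(required: Dict[str, str], installed: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (name, required, installed, status) rows; status is
    'ok', 'outdated' or 'not installed'."""
    rows = []
    for name, want in sorted(required.items()):
        have = installed.get(name)
        if have is None:
            status = "not installed"   # zypper patch only updates installed packages
        elif evr_cmp(have, want) >= 0:
            status = "ok"
        else:
            status = "outdated"
        rows.append((name, want, have or "-", status))
    return rows


def outdated(required: Dict[str, str], installed: Dict[str, str]) -> List[str]:
    """Names of installed packages still below the advisory's build."""
    return [name for name, _, _, status in check(required, installed) if status == "outdated"]


if __name__ == "__main__":
    req = parse_advisory(ADVISORY_PACKAGES)
    inst = parse_installed(SAMPLE_RPM_QA)
    for row in check(req, inst):
        print("%-28s required %-24s installed %-24s %s" % row)
    print("still outdated:", outdated(req, inst))
```

On a real server, replace `SAMPLE_RPM_QA` with the output of the rpm query shown in the comment and `ADVISORY_PACKAGES` with the full list for your product; a package reported as "not installed" is not a finding on its own, since the patch only updates packages already present, but any "outdated" row means the Spacewalk services were restarted on unpatched code and the update must be re-applied.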

References:

  https://www.suse.com/security/cve/CVE-2021-41411.html
  https://www.suse.com/security/cve/CVE-2021-42740.html
  https://www.suse.com/security/cve/CVE-2021-43138.html
  https://www.suse.com/security/cve/CVE-2022-0860.html
  https://www.suse.com/security/cve/CVE-2022-31129.html
  https://bugzilla.suse.com/1191857
  https://bugzilla.suse.com/1195624
  https://bugzilla.suse.com/1196729
  https://bugzilla.suse.com/1197027
  https://bugzilla.suse.com/1198168
  https://bugzilla.suse.com/1198903
  https://bugzilla.suse.com/1199726
  https://bugzilla.suse.com/1200480
  https://bugzilla.suse.com/1200573
  https://bugzilla.suse.com/1200629
  https://bugzilla.suse.com/1201210
  https://bugzilla.suse.com/1201220
  https://bugzilla.suse.com/1201260
  https://bugzilla.suse.com/1201589
  https://bugzilla.suse.com/1201626
  https://bugzilla.suse.com/1201753
  https://bugzilla.suse.com/1201788
  https://bugzilla.suse.com/1201913
  https://bugzilla.suse.com/1201918
  https://bugzilla.suse.com/1202271
  https://bugzilla.suse.com/1202272
  https://bugzilla.suse.com/1202367
  https://bugzilla.suse.com/1202455
  https://bugzilla.suse.com/1202464
  https://bugzilla.suse.com/1202602
  https://bugzilla.suse.com/1202728
  https://bugzilla.suse.com/1202729
  https://bugzilla.suse.com/1202805
  https://bugzilla.suse.com/1202899
  https://bugzilla.suse.com/1203026
  https://bugzilla.suse.com/1203049
  https://bugzilla.suse.com/1203056
  https://bugzilla.suse.com/1203169
  https://bugzilla.suse.com/1203287
  https://bugzilla.suse.com/1203288
  https://bugzilla.suse.com/1203385
  https://bugzilla.suse.com/1203406
  https://bugzilla.suse.com/1203422
  https://bugzilla.suse.com/1203449
  https://bugzilla.suse.com/1203478
  https://bugzilla.suse.com/1203484
  https://bugzilla.suse.com/1203564
  https://bugzilla.suse.com/1203585
  https://bugzilla.suse.com/1203611
  https://bugzilla.suse.com/1204208
