SUSE: 2022:3878-1 critical: SUSE Manager Server 4.2
Summary
This update fixes the following issues:

hub-xmlrpc-api:

- Use golang(API) = 1.18 for building on SUSE (bsc#1203599)
  This source fails to build with the current go1.19 on SUSE and we need to use go1.18 instead.

inter-server-sync:

- Version 0.2.4
  * Improve memory usage and log information #17193
  * Conditional insert check for FK reference exists (bsc#1202785)
  * Correct navigation path for table rhnerratafilechannel (bsc#1202785)

locale-formula:

- Update to version 0.3
  * Remove .map.gz from kb_map dictionary (bsc#1203406)

py27-compat-salt:

- Fix state.apply in test mode with file state module on user/group checking (bsc#1202167)
- Make zypperpkg to retry if RPM lock is temporarily unavailable (bsc#1200596)

python-urlgrabber:

- Fix wrong logic on find_proxy method causing proxy not being used (bsc#1201788)

spacecmd:

- Version 4.2.20-1
  * Remove "Undefined return code" from debug messages (bsc#1203283)

spacewalk-backend:

- Version 4.2.25-1
  * Enhance passwords cleanup and add extra files in spacewalk-debug (bsc#1201059)
  * Prevent mixing credentials for proxy and repository server while using basic authentication and avoid hiding errors i.e. timeouts while having proxy settings issues with extra logging in verbose mode (bsc#1201788)

spacewalk-client-tools:

- Version 4.2.21-1
  * Update translation strings

spacewalk-java:

- Version 4.2.43-1
  * CVE-2022-31255: Fix directory path traversal vulnerability (bsc#1204543)
  * CVE-2022-43754: Fix reflected cross site scripting vulnerability (bsc#1204741)
  * CVE-2022-43753: Fix arbitrary file disclosure vulnerability (bsc#1204716)
- Version 4.2.42-1
  * Properly pass allow vendor change to salt state (bsc#1204203)
  * add ongres requirements to spec file (bsc#1203898)
  * Refresh pillar data (bsc#1197724)
  * Fix hardware update where there is no DNS FQDN changes (bsc#1203611)
  * Use mgrnet.dns_fqdns module to improve FQDN detection (bsc#1199726)
  * Support Pay-as-you-go new CA location for SLES15SP4 and higher (bsc#1202729)
  * Detect the clients running on Amazon EC2 (bsc#1195624)

spacewalk-utils:

- Version 4.2.18-1
  * Make spacewalk-hostname-rename working with settings.yaml cobbler config file (bsc#1203564)

spacewalk-web:

- Version 4.2.30-1
  * Upgrade moment-timezone

susemanager:

- Version 4.2.38-1
  * add venv-salt-minion to bootstrap repo (bsc#1204146)

susemanager-doc-indexes:

- Documented that only SUSE clients are supported as monitoring servers in the Administration Guide
- Fixed description of default notification settings (bsc#1203422)
- Added missing Debian 11 references
- Removed references to Debian 9, as it is EoL, and therefore unsupported by SUSE Manager
- Document Helm deployment of the proxy on k3s and MetalLB in Installation and Upgrade Guide
- Added secure mail communication settings in Administration Guide
- Fixed the incorrect path to state and pillar files in Salt Guide
- Documented how pxeboot works with Secure Boot enabled in Client Configuration Guide
- Added SLE Micro 5.2 and 5.3 as available as a technology preview in the Client Configuration Guide, and the IBM Z architecture for 5.1, 5.2, and 5.3

susemanager-docs_en:

- Documented that only SUSE clients are supported as monitoring servers in the Administration Guide
- Fixed description of default notification settings (bsc#1203422)
- Added missing Debian 11 references
- Removed references to Debian 9, as it is EoL, and therefore unsupported by SUSE Manager
- Document Helm deployment of the proxy on k3s and MetalLB in Installation and Upgrade Guide
- Added secure mail communication settings in Administration Guide
- Fixed the incorrect path to state and pillar files in Salt Guide
- Documented how pxeboot works with Secure Boot enabled in Client Configuration Guide
- Added SLE Micro 5.2 and 5.3 as available as a technology preview in the Client Configuration Guide, and the IBM Z architecture for 5.1, 5.2, and 5.3

susemanager-schema:

- Version 4.2.25-1
  * Add subtypes for Amazon EC2 virtual instances (bsc#1195624)

susemanager-sls:

- Version 4.2.28-1
  * Fix mgrnet availability check
  * Remove dependence on Kiwi libraries
  * Use mgrnet.dns_fqdns module to improve FQDN detection (bsc#1199726)
  * Add mgrnet salt module with mgrnet.dns_fqnd function implementation allowing to get all possible FQDNs from DNS (bsc#1199726)

How to apply this update:

1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-service start`

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.2:
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-3878=1

Package List:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64):
  hub-xmlrpc-api-0.7-150300.3.9.2
  inter-server-sync-0.2.4-150300.8.25.2
  inter-server-sync-debuginfo-0.2.4-150300.8.25.2
  susemanager-4.2.38-150300.3.44.3
  susemanager-tools-4.2.38-150300.3.44.3

- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):
  locale-formula-0.3-150300.3.3.2
  py27-compat-salt-3000.3-150300.7.7.26.2
  python3-spacewalk-client-tools-4.2.21-150300.4.27.3
  python3-urlgrabber-3.10.2.1py2_3-150300.3.3.2
  spacecmd-4.2.20-150300.4.30.2
  spacewalk-backend-4.2.25-150300.4.32.4
  spacewalk-backend-app-4.2.25-150300.4.32.4
  spacewalk-backend-applet-4.2.25-150300.4.32.4
  spacewalk-backend-config-files-4.2.25-150300.4.32.4
  spacewalk-backend-config-files-common-4.2.25-150300.4.32.4
  spacewalk-backend-config-files-tool-4.2.25-150300.4.32.4
  spacewalk-backend-iss-4.2.25-150300.4.32.4
  spacewalk-backend-iss-export-4.2.25-150300.4.32.4
  spacewalk-backend-package-push-server-4.2.25-150300.4.32.4
  spacewalk-backend-server-4.2.25-150300.4.32.4
  spacewalk-backend-sql-4.2.25-150300.4.32.4
  spacewalk-backend-sql-postgresql-4.2.25-150300.4.32.4
  spacewalk-backend-tools-4.2.25-150300.4.32.4
  spacewalk-backend-xml-export-libs-4.2.25-150300.4.32.4
  spacewalk-backend-xmlrpc-4.2.25-150300.4.32.4
  spacewalk-base-4.2.30-150300.3.30.3
  spacewalk-base-minimal-4.2.30-150300.3.30.3
  spacewalk-base-minimal-config-4.2.30-150300.3.30.3
  spacewalk-client-tools-4.2.21-150300.4.27.3
  spacewalk-html-4.2.30-150300.3.30.3
  spacewalk-java-4.2.43-150300.3.48.2
  spacewalk-java-config-4.2.43-150300.3.48.2
  spacewalk-java-lib-4.2.43-150300.3.48.2
  spacewalk-java-postgresql-4.2.43-150300.3.48.2
  spacewalk-taskomatic-4.2.43-150300.3.48.2
  spacewalk-utils-4.2.18-150300.3.21.2
  spacewalk-utils-extras-4.2.18-150300.3.21.2
  susemanager-doc-indexes-4.2-150300.12.36.3
  susemanager-docs_en-4.2-150300.12.36.2
  susemanager-docs_en-pdf-4.2-150300.12.36.2
  susemanager-schema-4.2.25-150300.3.30.3
  susemanager-sls-4.2.28-150300.3.36.2
  uyuni-config-modules-4.2.28-150300.3.36.2
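
After step 4 of the update procedure, the installed versions can be checked against the package list above. The script below is an added example, not part of the SUSE advisory: the function names, the choice of four packages and the sample input are assumptions made for illustration, while the fixed versions are copied from the package list.

```sh
#!/bin/sh
# Added example: compare installed package versions with this advisory's
# fixed versions. FIXED is a subset copied from the package list above.
FIXED='spacewalk-java 4.2.43-150300.3.48.2
spacewalk-java-lib 4.2.43-150300.3.48.2
spacewalk-taskomatic 4.2.43-150300.3.48.2
spacewalk-backend 4.2.25-150300.4.32.4'

# Constructed sample of `rpm -q` output for a half-patched server; the
# 150300.3.45.1 release string is invented for illustration.
SAMPLE='spacewalk-java 4.2.42-150300.3.45.1
spacewalk-java-lib 4.2.42-150300.3.45.1
spacewalk-backend 4.2.25-150300.4.32.4'

# ver_ge A B: true when A >= B. GNU `sort -V` approximates RPM version
# ordering; that is an assumption that holds for these dotted numeric strings.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# audit_packages: reads "name version-release" lines on stdin and prints one
# verdict per FIXED entry. Returns 1 if any package is outdated or missing.
audit_packages() {
    installed=$(cat)
    rc=0
    while read -r name want; do
        have=$(printf '%s\n' "$installed" |
               awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "MISSING  $name (fixed in $want)"; rc=1
        elif ver_ge "$have" "$want"; then
            echo "OK       $name $have"
        else
            echo "OUTDATED $name $have (fixed in $want)"; rc=1
        fi
    done <<EOF
$FIXED
EOF
    return "$rc"
}

# On a real server, feed it:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' spacewalk-java ... | audit_packages
printf '%s\n' "$SAMPLE" | audit_packages || echo "update not fully applied"
```

A non-zero return from `audit_packages` means at least one listed package is below the version shipped by this update, or is not installed.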
References
#1195624 #1197724 #1199726 #1200596 #1201059
#1201788 #1202167 #1202729 #1202785 #1203283
#1203406 #1203422 #1203564 #1203599 #1203611
#1203898 #1204146 #1204203 #1204543 #1204716
#1204741
Cross-References: CVE-2022-31255 CVE-2022-43753 CVE-2022-43754
CVSS scores:
CVE-2022-43753 (SUSE): 5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CVE-2022-43754 (SUSE): 3 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N
Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2
SUSE Manager Server 4.2
https://www.suse.com/security/cve/CVE-2022-31255.html
https://www.suse.com/security/cve/CVE-2022-43753.html
https://www.suse.com/security/cve/CVE-2022-43754.html
https://bugzilla.suse.com/1195624
https://bugzilla.suse.com/1197724
https://bugzilla.suse.com/1199726
https://bugzilla.suse.com/1200596
https://bugzilla.suse.com/1201059
https://bugzilla.suse.com/1201788
https://bugzilla.suse.com/1202167
https://bugzilla.suse.com/1202729
https://bugzilla.suse.com/1202785
https://bugzilla.suse.com/1203283
https://bugzilla.suse.com/1203406
https://bugzilla.suse.com/1203422
https://bugzilla.suse.com/1203564
https://bugzilla.suse.com/1203599
https://bugzilla.suse.com/1203611
https://bugzilla.suse.com/1203898
https://bugzilla.suse.com/1204146
https://bugzilla.suse.com/1204203
https://bugzilla.suse.com/1204543
https://bugzilla.suse.com/1204716
https://bugzilla.suse.com/1204741