# Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

Announcement ID: SUSE-SU-2024:0485-1  
Rating: important  
References:

  * bsc#1170848
  * bsc#1210911
  * bsc#1211254
  * bsc#1211560
  * bsc#1211912
  * bsc#1213079
  * bsc#1213507
  * bsc#1213738
  * bsc#1213981
  * bsc#1214077
  * bsc#1214791
  * bsc#1215166
  * bsc#1215514
  * bsc#1215769
  * bsc#1215810
  * bsc#1215813
  * bsc#1215982
  * bsc#1216114
  * bsc#1216394
  * bsc#1216437
  * bsc#1216550
  * bsc#1216609
  * bsc#1216657
  * bsc#1216753
  * bsc#1216781
  * bsc#1216988
  * bsc#1217069
  * bsc#1217209
  * bsc#1217588
  * bsc#1217784
  * bsc#1217869
  * bsc#1218019
  * bsc#1218074
  * bsc#1218075
  * bsc#1218089
  * bsc#1218094
  * bsc#1218146
  * bsc#1218490
  * bsc#1218615
  * bsc#1218669
  * bsc#1218837
  * bsc#1218849
  * bsc#1219151
  * bsc#1219449
  * bsc#1219577
  * bsc#1219850
  * jsc#MSQA-719

  
Cross-References:

  * CVE-2023-31582
  * CVE-2023-32189

  
CVSS scores:

  * CVE-2023-31582 ( SUSE ):  3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
  * CVE-2023-31582 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

  
Affected Products:

  * SUSE Manager Proxy 4.3
  * SUSE Manager Proxy 4.3 Module 4.3
  * SUSE Manager Retail Branch Server 4.3
  * SUSE Manager Server 4.3
  * SUSE Manager Server 4.3 Module 4.3

  
  
An update that solves two vulnerabilities, contains one feature and has 44
security fixes can now be installed.

## Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3

### Description:

This update fixes the following issues:

mgr-daemon:

  * Version 4.3.8-1
  * Update translation strings

patterns-suse-manager:

  * Add liberate-formula to the required packages for the server to get it
    installed by default

spacecmd:

  * Version 4.3.26-1
  * Update translation strings

spacewalk-backend:

  * Version 4.3.27-1
  * Fix issue in "spacewalk-repo-sync" when RPM packages contain files with
    size greater than 4GB (bsc#1219151)
  * Version 4.3.26-1
  * Fix decompressing and renaming bzip2 comps files in reposync
  * Update query to the new credentials structure
  * Remove normalize_orphan_vendor_packages and move it to taskomatic
    (bsc#1216781)
  * Skip syncing packages with incorrect metadata (bsc#1213738)
  * Update translation strings

spacewalk-certs-tools:

  * Version 4.3.22-1
  * Skip deploying the CA into the Salt directory on proxies (bsc#1219850)
  * Version 4.3.21-1
  * Deploy the CA certificate also into the Salt filesystem (bsc#1219577)
  * Version 4.3.20-1
  * Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615)
  * Include reboot info beacon in the bootstrap script for transactional systems
    (bsc#1217588)

spacewalk-client-tools:

  * Version 4.3.18-1
  * Update translation strings

spacewalk-web:

  * Version 4.3.37-1
  * Fix the use of page size preference in systems and packages lists
    (bsc#1217209)
  * Fix issue displaying Ansible playbook name (bsc#1216657)
  * Add support for `PaygNotCompliantWarning` notification
  * Bump web.version to 4.3.11

susemanager-build-keys:

  * Version 15.4.10
  * Add new AlmaLinux 8 GPG Key (bsc#1218849)
  * Refresh extended Uyuni GPG public key

How to apply this update:

  1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
  2. Stop the proxy service: `spacewalk-proxy stop`
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: `spacewalk-proxy start`

## Security update for SUSE Manager Server 4.3

### Description:

This update fixes the following issues:

cobbler:

  * Build the appendline correctly for RHEL-family <= 9 (bsc#1216437)
  * Notify to "systemd" when cobblerd startup is finished (bsc#1215982)
  * Enable ppc64(le) buildiso support (bsc#1214077)

grafana-formula:

  * Version 0.10.0
  * Replace legacy message queue metrics with Salt queue metrics
  * Grafana formula should not be supported in a Proxy/Retail

inter-server-sync:

  * Version 0.3.2-1
  * Fix conflict in rhndistchannelmap (bsc#1216114)

jose4j:

  * CVE-2023-31582: Insecure Password-Based Encryption Iteration Count
    (bsc#1216609)

liberate-formula:

  * Version 0.1.0
  * Provide liberate-formula, a formula for converting a system to SUSE Liberty
    Linux

patterns-suse-manager:

  * Add liberate-formula to the required packages for the server to get it
    installed by default

prometheus-formula:

  * Version 0.8.0
  * Fix federation endpoint
  * Add remote write configuration
  * Add group filtering for service discovery relabeling configuration
  * Version 0.7.1
  * Fix PrometheusNotIngestingSamples false positive alerts (bsc#1216550)

prometheus-postgres_exporter:

  * Do not build debug if RHEL >= 8
  * Do not strip if SUSE Linux Enterprise 15 SP3
  * Build at least with Go >= 1.18 on RHEL
  * Build with Go >= 1.20 elsewhere

saltboot-formula:

  * Update to version 0.1.1701196218.b6b8ca1
  * Remove f-formatting to be compatible with Python < 3.6
  * Update packaging not to package salt directories
  * Update to version 0.1.1692188980.9aa0455

spacecmd:

  * Version 4.3.26-1
  * Update translation strings

spacewalk-backend:

  * Version 4.3.27-1
  * Fix issue in "spacewalk-repo-sync" when RPM packages contain files with
    size greater than 4GB (bsc#1219151)
  * Version 4.3.26-1
  * Fix decompressing and renaming bzip2 comps files in reposync
  * Update query to the new credentials structure
  * Remove normalize_orphan_vendor_packages and move it to taskomatic
    (bsc#1216781)
  * Skip syncing packages with incorrect metadata (bsc#1213738)
  * Update translation strings

spacewalk-certs-tools:

  * Version 4.3.22-1
  * Skip deploying the CA into the Salt directory on proxies (bsc#1219850)
  * Version 4.3.21-1
  * Deploy the CA certificate also into the Salt filesystem (bsc#1219577)
  * Version 4.3.20-1
  * Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615)
  * Include reboot info beacon in the bootstrap script for transactional systems
    (bsc#1217588)

spacewalk-client-tools:

  * Version 4.3.18-1
  * Update translation strings

spacewalk-java:

  * Version 4.3.71-1
  * Generate server SSH key also when bootstrapping regular Minions
    (bsc#1219449)
  * Version 4.3.70-1
  * Fix the use of page size preference in systems and packages lists
    (bsc#1217209)
  * Fix issue with disabling token check not working (bsc#1218669)
  * Enforce snakeyaml version requirement (bsc#1215166)
  * Improve the performance of paginated queries when syncing the reporting
    database (bsc#1211912, bsc#1213079)
  * Do not require entitlement for Pay-as-you-go SUSE Linux Enterprise Server
    for SAP (bsc#1217069)
  * Use the base product file to show the correct SUSE Manager product in the
    subscription matching results page
  * Do not require entitlements if SUSE Manager is Pay-as-you-go
  * Exclude SUSE Manager from subscription matching if it's Pay-as-you-go
  * Refactor Credentials to a proper class hierarchy
  * Fix unit test about duplicated packages
  * Prevent installation of packages with same name in a single action
    (bsc#1214791)
  * When canceling an action which has prerequisites, return hints to get the
    first action id which can be canceled (bsc#1216988)
  * Fix exception when removing a Debian package (bsc#1216781)
  * Fix XSS in taskomatic XML RPC handler (bsc#1210911)
  * Improve logging for Product Migration (bsc#1218490)
  * Add only 1 IP for Cloud RMT Host in /etc/hosts
  * Change org for orphan vendor packages that an admin can delete (bsc#1216781)
  * Expose the monitoring data for the Salt queue handling the Salt results
  * Provide total number of CPUs for SUSE Linux Enterprise Micro systems to
    subscription matcher when it is not used as hypervisor to match vCore
    subscriptions correctly (bsc#1218074)
  * Try to download compressed Ubuntu USN database
  * Add user information to system organization transfer message (bsc#1216753)
  * CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions
    (bsc#1170848)
  * Add notification in daily email in addition to in SUSE Manager home page
    when SUSE Manager Pay-as-you-go is not compliant
  * Fix apidoc link from #top to $call.name (bsc#1213507)
  * Add config option to disable remote commands from web UI (bsc#1217869)
  * Address high rating Sonar issues
  * Refactor SUSE Customer Center registration flow
  * Avoid blocking Taskomatic thread when waiting for queued action
    (bsc#1211560)
  * Fix modify kickstart profile when using "Always newest tree" option
    (bsc#1215813)
  * Configure reboot method for SUSE Linux Enterprise Micro when applying
    bootstrap state (bsc#1213981)
  * Handle not existing known_host file in permission check
  * Fix handling of proxy ssh public keys
  * Include reboot required indication for non-SUSE distros

spacewalk-setup:

  * Version 4.3.19-1
  * Update query to the new credentials structure
  * Fix setting SUSE Customer Center password during setup

spacewalk-utils:

  * Version 4.3.19-1
  * Add SUSE Linux Enterprise Micro 5.4 and 5.5 to spacewalk-commons-channels

spacewalk-web:

  * Version 4.3.37-1
  * Fix the use of page size preference in systems and packages lists
    (bsc#1217209)
  * Fix issue displaying Ansible playbook name (bsc#1216657)
  * Add support for `PaygNotCompliantWarning` notification
  * Bump web.version to 4.3.11

subscription-matcher:

  * Version 0.35
  * Added missing part number
  * Version 0.34
  * Enabled support for Long Term Service Pack Support subscriptions
    (bsc#1218075)
  * Added SUSE Linux Enterprise Micro vCore handling (bsc#1218074)
  * Added new SKUs and new bundles

supportutils-plugin-susemanager:

  * Version 4.3.10-1
  * Update query to the new credentials structure

susemanager:

  * Version 4.3.34-1
  * Rename Open Enterprise Server label to OES23.4 (bsc#1215514)
  * Verify in YaST FQDN with name returned via DNS reverse lookup
  * CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions
    (bsc#1170848)

susemanager-build-keys:

  * Version 15.4.10
  * Add new AlmaLinux 8 GPG Key (bsc#1218849)
  * Refresh extended Uyuni GPG public key

susemanager-docs_en:

  * Removed obsolete traditional to Salt migration documentation from the System
    Types section of the Client Configuration Guide and updated the Migrate
    traditional clients to Salt clients section
  * Fixed navigation bar of Client Configuration Guide (bsc#1218089)
  * Added openSUSE Leap to Supported Features navigation list in Client
    Configuration Guide (bsc#1218094)
  * Described new monitoring metrics for Salt queue in Administration Guide
  * Fixed xrefs for internal book references
  * Removed mentioning that CVE number for CVE auditing is optional
    (bsc#1218019)
  * Corrected channel names for CentOS 7 Updates and Extras in CentOS Client
    Configuration Guide
  * Documented bootstrap settings for SUSE Linux Enterprise Micro in Client
    Configuration Guide (bsc#1216394)
  * Corrected command mgr-push to mgrpush in Administration Guide (bsc#1215810)
  * Updated Red Hat OVAL data URL and file in CentOS Clients Registration in
    Client Configuration Guide
  * Added Pay-as-you-go for Azure documentation to the Specialized Guides book
  * Added Pay-as-you-go limitations chapter to Pay-as-you-go Guide
  * Removed Ubuntu 18.04 from the list of supported clients
  * Fixed file location in Custom Salt Formulas section of Salt Guide
  * Documented using Virtualization Host formula in Client Configuration

susemanager-schema:

  * Version 4.3.24-1
  * Refactor susecredentials to support the new hierarchy
  * Improve performance of System (bsc#1211254)
  * Change schedule of system-profile-refresh to run on the 2nd Saturday of a
    month to not collide with normal working times (bsc#1215769)

susemanager-sls:

  * Version 4.3.40-1
  * Remove automatic reboot from transactional systems bootstrap (bsc#1218146)
  * Version 4.3.39-1
  * Change certs/RHN-ORG-TRUSTED-SSL-CERT from symlink into a real file
    (bsc#1219577)
  * Version 4.3.38-1
  * Improve Pay-as-you-go instance detection (bsc#1217784)
  * CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions
    (bsc#1170848)
  * Configure reboot method for SUSE Linux Enterprise Micro when applying
    bootstrap state (bsc#1213981)
  * Include reboot required indication for non SUSE distros

susemanager-sync-data:

  * Version 4.3.16-1
  * Fix OES 23.4 internal name (bsc#1218837)
  * Version 4.3.15-1
  * Update release status and repository description of Open Enterprise Server
    23.4 (bsc#1215514)
  * Add new SUSE Liberty Linux 7 Long Term Service Pack Support channel families
  * Rename Red Hat Enterprise Linux and Liberty 8 Base product to remove EOL
    CentOS 8 from the name

uyuni-reportdb-schema:

  * Version 4.3.9-1
  * Provide reportdb upgrade schema path structure

How to apply this update:

  1. Log in as root user to the SUSE Manager Server.
  2. Stop the Spacewalk service: `spacewalk-service stop`
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: `spacewalk-service start`

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Manager Proxy 4.3 Module 4.3  
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2024-485=1

  * SUSE Manager Server 4.3 Module 4.3  
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-485=1

## Package List:

  * SUSE Manager Proxy 4.3 Module 4.3 (noarch)
    * spacewalk-base-minimal-4.3.37-150400.3.39.7
    * mgr-daemon-4.3.8-150400.3.12.5
    * susemanager-build-keys-15.4.10-150400.3.23.5
    * spacewalk-client-tools-4.3.18-150400.3.24.7
    * susemanager-build-keys-web-15.4.10-150400.3.23.5
    * spacewalk-check-4.3.18-150400.3.24.7
    * python3-spacewalk-check-4.3.18-150400.3.24.7
    * python3-spacewalk-client-setup-4.3.18-150400.3.24.7
    * spacecmd-4.3.26-150400.3.33.5
    * spacewalk-client-setup-4.3.18-150400.3.24.7
    * spacewalk-base-minimal-config-4.3.37-150400.3.39.7
    * spacewalk-backend-4.3.27-150400.3.38.2
    * python3-spacewalk-certs-tools-4.3.22-150400.3.25.1
    * spacewalk-certs-tools-4.3.22-150400.3.25.1
    * python3-spacewalk-client-tools-4.3.18-150400.3.24.7
  * SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
    * patterns-suma_proxy-4.3-150400.5.9.5
  * SUSE Manager Server 4.3 Module 4.3 (noarch)
    * spacewalk-java-config-4.3.71-150400.3.74.2
    * spacewalk-base-minimal-4.3.37-150400.3.39.7
    * spacewalk-backend-iss-4.3.27-150400.3.38.2
    * spacewalk-backend-tools-4.3.27-150400.3.38.2
    * susemanager-build-keys-15.4.10-150400.3.23.5
    * susemanager-sls-4.3.40-150400.3.44.1
    * susemanager-build-keys-web-15.4.10-150400.3.23.5
    * uyuni-config-modules-4.3.40-150400.3.44.1
    * spacewalk-backend-applet-4.3.27-150400.3.38.2
    * spacewalk-base-minimal-config-4.3.37-150400.3.39.7
    * spacewalk-backend-4.3.27-150400.3.38.2
    * spacewalk-backend-app-4.3.27-150400.3.38.2
    * spacewalk-utils-4.3.19-150400.3.21.5
    * susemanager-sync-data-4.3.16-150400.3.22.2
    * spacewalk-backend-config-files-4.3.27-150400.3.38.2
    * spacewalk-java-lib-4.3.71-150400.3.74.2
    * cobbler-3.3.3-150400.5.39.5
    * spacewalk-setup-4.3.19-150400.3.30.5
    * spacewalk-utils-extras-4.3.19-150400.3.21.5
    * spacewalk-backend-config-files-common-4.3.27-150400.3.38.2
    * uyuni-reportdb-schema-4.3.9-150400.3.12.7
    * spacecmd-4.3.26-150400.3.33.5
    * susemanager-docs_en-4.3-150400.9.53.5
    * susemanager-schema-4.3.24-150400.3.36.7
    * spacewalk-java-4.3.71-150400.3.74.2
    * spacewalk-html-4.3.37-150400.3.39.7
    * spacewalk-base-4.3.37-150400.3.39.7
    * spacewalk-certs-tools-4.3.22-150400.3.25.1
    * grafana-formula-0.10.0-150400.3.15.5
    * spacewalk-java-postgresql-4.3.71-150400.3.74.2
    * supportutils-plugin-susemanager-4.3.10-150400.3.18.5
    * spacewalk-backend-config-files-tool-4.3.27-150400.3.38.2
    * spacewalk-backend-sql-postgresql-4.3.27-150400.3.38.2
    * spacewalk-backend-xml-export-libs-4.3.27-150400.3.38.2
    * subscription-matcher-0.35-150400.3.19.5
    * spacewalk-backend-iss-export-4.3.27-150400.3.38.2
    * jose4j-0.5.1-150400.3.6.2
    * python3-spacewalk-certs-tools-4.3.22-150400.3.25.1
    * liberate-formula-0.1.0-150400.10.3.3
    * python3-spacewalk-client-tools-4.3.18-150400.3.24.7
    * spacewalk-backend-xmlrpc-4.3.27-150400.3.38.2
    * spacewalk-client-tools-4.3.18-150400.3.24.7
    * susemanager-schema-utility-4.3.24-150400.3.36.7
    * susemanager-docs_en-pdf-4.3-150400.9.53.5
    * spacewalk-backend-sql-4.3.27-150400.3.38.2
    * prometheus-formula-0.8.0-150400.3.6.5
    * spacewalk-backend-server-4.3.27-150400.3.38.2
    * saltboot-formula-0.1.1701196218.b6b8ca1-150400.3.15.3
    * spacewalk-backend-package-push-server-4.3.27-150400.3.38.2
    * spacewalk-taskomatic-4.3.71-150400.3.74.2
  * SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
    * patterns-suma_retail-4.3-150400.5.9.5
    * inter-server-sync-0.3.2-150400.3.27.5
    * prometheus-postgres_exporter-0.10.1-150400.3.9.5
    * susemanager-4.3.34-150400.3.45.5
    * patterns-suma_server-4.3-150400.5.9.5
    * inter-server-sync-debuginfo-0.3.2-150400.3.27.5
    * susemanager-tools-4.3.34-150400.3.45.5

## References:

  * https://www.suse.com/security/cve/CVE-2023-31582.html
  * https://www.suse.com/security/cve/CVE-2023-32189.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1170848
  * https://bugzilla.suse.com/show_bug.cgi?id=1210911
  * https://bugzilla.suse.com/show_bug.cgi?id=1211254
  * https://bugzilla.suse.com/show_bug.cgi?id=1211560
  * https://bugzilla.suse.com/show_bug.cgi?id=1211912
  * https://bugzilla.suse.com/show_bug.cgi?id=1213079
  * https://bugzilla.suse.com/show_bug.cgi?id=1213507
  * https://bugzilla.suse.com/show_bug.cgi?id=1213738
  * https://bugzilla.suse.com/show_bug.cgi?id=1213981
  * https://bugzilla.suse.com/show_bug.cgi?id=1214077
  * https://bugzilla.suse.com/show_bug.cgi?id=1214791
  * https://bugzilla.suse.com/show_bug.cgi?id=1215166
  * https://bugzilla.suse.com/show_bug.cgi?id=1215514
  * https://bugzilla.suse.com/show_bug.cgi?id=1215769
  * https://bugzilla.suse.com/show_bug.cgi?id=1215810
  * https://bugzilla.suse.com/show_bug.cgi?id=1215813
  * https://bugzilla.suse.com/show_bug.cgi?id=1215982
  * https://bugzilla.suse.com/show_bug.cgi?id=1216114
  * https://bugzilla.suse.com/show_bug.cgi?id=1216394
  * https://bugzilla.suse.com/show_bug.cgi?id=1216437
  * https://bugzilla.suse.com/show_bug.cgi?id=1216550
  * https://bugzilla.suse.com/show_bug.cgi?id=1216609
  * https://bugzilla.suse.com/show_bug.cgi?id=1216657
  * https://bugzilla.suse.com/show_bug.cgi?id=1216753
  * https://bugzilla.suse.com/show_bug.cgi?id=1216781
  * https://bugzilla.suse.com/show_bug.cgi?id=1216988
  * https://bugzilla.suse.com/show_bug.cgi?id=1217069
  * https://bugzilla.suse.com/show_bug.cgi?id=1217209
  * https://bugzilla.suse.com/show_bug.cgi?id=1217588
  * https://bugzilla.suse.com/show_bug.cgi?id=1217784
  * https://bugzilla.suse.com/show_bug.cgi?id=1217869
  * https://bugzilla.suse.com/show_bug.cgi?id=1218019
  * https://bugzilla.suse.com/show_bug.cgi?id=1218074
  * https://bugzilla.suse.com/show_bug.cgi?id=1218075
  * https://bugzilla.suse.com/show_bug.cgi?id=1218089
  * https://bugzilla.suse.com/show_bug.cgi?id=1218094
  * https://bugzilla.suse.com/show_bug.cgi?id=1218146
  * https://bugzilla.suse.com/show_bug.cgi?id=1218490
  * https://bugzilla.suse.com/show_bug.cgi?id=1218615
  * https://bugzilla.suse.com/show_bug.cgi?id=1218669
  * https://bugzilla.suse.com/show_bug.cgi?id=1218837
  * https://bugzilla.suse.com/show_bug.cgi?id=1218849
  * https://bugzilla.suse.com/show_bug.cgi?id=1219151
  * https://bugzilla.suse.com/show_bug.cgi?id=1219449
  * https://bugzilla.suse.com/show_bug.cgi?id=1219577
  * https://bugzilla.suse.com/show_bug.cgi?id=1219850
  * https://jira.suse.com/login.jsp

SUSE: 2024:0485-1 important: Maintenance SUSE Manager 4.3

February 15, 2024
* bsc#1170848 * bsc#1210911 * bsc#1211254 * bsc#1211560 * bsc#1211912

Summary

### This update fixes the following issues: mgr-daemon: * Version 4.3.8-1 * Update translation strings patterns-suse-manager: * Add liberate-formula to the required packages for the server to get it installed by default spacecmd: * Version 4.3.26-1 * Update translation strings spacewalk-backend: * Version 4.3.27-1 * Fix issue in "spacewalk-repo-sync" when RPM packages contains files with size greater than 4GB (bsc#1219151) * Version 4.3.26-1 * Fix decompressing and renaming bzip2 comps files in reposync * Update query to the new credentials structure * Remove normalize_orphan_vendor_packages and move it to taskomatic (bsc#1216781) * Skip syncing packages with incorrect metadata (bsc#1213738) * Update translation strings spacewalk-certs-tools: * version 4.3.22-1 * Skip deploying the CA into the Salt directory on proxies (bsc#1219850) * Version 4.3.21-1 * Deploy the CA certificate also into the Salt filesystem (bsc#1219577) * Version 4.3.20-1 * Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615) * Include reboot info beacon in the bootstrap script for transactional systems (bsc#1217588) spacewalk-client-tools: * Version 4.3.18-1 * Update translation strings spacewalk-web: * Version 4.3.37-1 * Fix the use of page size preference in systems and packages lists (bsc#1217209) * Fix issue displaying Ansible playbook name (bsc#1216657) * Add support for `PaygNotCompliantWarning` notification * Bump web.version to 4.3.11 susemanager-build-keys: * Version 15.4.10 * Add new Almalinux 8 GPG Key (bsc#1218849) * Refresh extended Uyuni GPG public key How to apply this update: 1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server. 2. Stop the proxy service: `spacewalk-proxy stop` 3. Apply the patch using either zypper patch or YaST Online Update. 4. 
Start the Spacewalk service: `spacewalk-proxy start` ## Security update for SUSE Manager Server 4.3 ### This update fixes the following issues: cobbler: * Build the appendline correctly for RHEL-family <= 9 (bsc#1216437) * Notify to "systemd" when cobblerd startup is finished (bsc#1215982) * Enable ppc64(le) buildiso support (bsc#1214077) grafana-formula: * Version 0.10.0 * Replace legacy message queue metrics with Salt queue metrics * Grafana formula should not be supported in a Proxy/Retail inter-server-sync: * Version 0.3.2-1 * Fix conflict in rhndistchannelmap (bsc#1216114) jose4j: * CVE-2023-31582: Insecure Password-Based Encryption Iteration Count (bsc#1216609) liberate-formula: * Version 0.1.0 * Provide liberate-formula, a formula for converting a system to SUSE Liberty Linux patterns-suse-manager: * Add liberate-formula to the required packages for the server to get it installed by default prometheus-formula: * Version 0.8.0 * Fix federation endpoint * Add remote write configuration * Add group filtering for service discovery relabeling configuration * Version 0.7.1 * Fix PrometheusNotIngestingSamples false positive alerts (bsc#1216550) prometheus-postgres_exporter: * Do not build debug if RHEL >= 8 * Do not strip if SUSE Linux Enterprise 15 SP3 * Build at least with with Go >= 1.18 on RHEL * Build with Go >= 1.20 elsewhere saltboot-formula: * Update to version 0.1.1701196218.b6b8ca1 * Remove f-formating to be compatible with python < 3.6 * Update packaging not to package salt directories * Update to version 0.1.1692188980.9aa0455 spacecmd: * Version 4.3.26-1 * Update translation strings spacewalk-backend: * Version 4.3.27-1 * Fix issue in "spacewalk-repo-sync" when RPM packages contains files with size greater than 4GB (bsc#1219151) * Version 4.3.26-1 * Fix decompressing and renaming bzip2 comps files in reposync * Update query to the new credentials structure * Remove normalize_orphan_vendor_packages and move it to taskomatic (bsc#1216781) * Skip syncing 
packages with incorrect metadata (bsc#1213738) * Update translation strings spacewalk-certs-tools: * version 4.3.22-1 * Skip deploying the CA into the Salt directory on proxies (bsc#1219850) * Version 4.3.21-1 * Deploy the CA certificate also into the Salt filesystem (bsc#1219577) * Version 4.3.20-1 * Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615) * Include reboot info beacon in the bootstrap script for transactional systems (bsc#1217588) spacewalk-client-tools: * Version 4.3.18-1 * Update translation strings spacewalk-java: * Version 4.3.71-1 * Generate server SSH key also when bootstrapping regular Minions (bsc#1219449) * Version 4.3.70-1 * Fix the use of page size preference in systems and packages lists (bsc#1217209) * Fix issue with disabling token check not working (bsc#1218669) * Enforce snakeyaml version requirement (bsc#1215166) * Improve the performance of paginated queries when syncing the reporting database (bsc#1211912, bsc#1213079) * Do not require entitlement for Pay-as-you-go SUSE Linux Enterprise Server for SAP (bsc#1217069) * Use the base product file to show the correct SUSE Manager product in the subscription matching results page * Do not require entitlements if SUSE Manager is Pay-as-you-go * Exclude SUSE Manager from subscription matching if it's Pay-as-you-go * Refactor Credentials to a proper class hierarchy * Fix unit test about duplicated packages * Prevent installation of packages with same name in a single action (bsc#1214791) * When canceling an action which has prerequisites, return hints to get the first action id which can be canceled (bsc#1216988) * Fix exception when removing a Debian package (bsc#1216781) * Fix XSS in taskomatic XML RPC handler (bsc#1210911) * Improve logging for Product Migration (bsc#1218490) * Add only 1 IP for Cloud RMT Host in /etc/hosts * Change org for orphan vendor packages that an admin can delete (bsc#1216781) * Expose the monitoring data for the Salt queue handling the Salt 
results * Provide total number of CPUs for SUSE Linux Enterprise Micro systems to subscription matcher when it is not used as hypervisor to match vCore subscriptions correctly (bsc#1218074) * Try to download compressed Ubuntu USN database * Add user information to system organization transfer message (bsc#1216753) * CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions (bsc#1170848) * Add notification in daily email in addition to in SUSE Manager home page when SUSE Manager Pay-as-you-go is not compliant * Fix apidoc link from #top to $call.name (bsc#1213507) * Add config option to disable remote commands from web UI (bsc#1217869) * Address high rating Sonar issues * Refactor SUSE Customer Center registration flow * Avoid blocking Taskomatic thread when waiting for queued action (bsc#1211560) * Fix modify kickstart profile when using "Always newest tree" option (bsc#1215813) * Configure reboot method for SUSE Linux Enterprise Micro when applying bootstrap state (bsc#1213981) * Handle not existing known_host file in permission check * Fix handling of proxy ssh public keys * Include reboot required indication for non-Suse distros spacewalk-setup: * Version 4.3.19-1 * Update query to the new credentials structure * Fix setting SUSE Customer Center password during setup spacewalk-utils: * Version 4.3.19-1 * Add SUSE Linux Enterprise Micro 5.4 and 5.5 to spacewalk-commons-channels spacewalk-web: * Version 4.3.37-1 * Fix the use of page size preference in systems and packages lists (bsc#1217209) * Fix issue displaying Ansible playbook name (bsc#1216657) * Add support for `PaygNotCompliantWarning` notification * Bump web.version to 4.3.11 subscription-matcher: * Version 0.35 * Added missing part number * Version 0.34 * Enabled support for Long Term Service Pack Support subscriptions (bsc#1218075) * Added SUSE Linux Enterprise Micro vCore handling (bsc#1218074) * Added new SKUs and new bundles supportutils-plugin-susemanager: * Version 4.3.10-1 * Update query 
to the new credentials structure susemanager: * Version 4.3.34-1 * Rename Open Enterprise Server label to OES23.4 (bsc#1215514) * Verify in Yast FQDN with name returned via DNS reverse lookup * CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions (bsc#1170848) susemanager-build-keys: * Version 15.4.10 * Add new Almalinux 8 GPG Key (bsc#1218849) * Refresh extended Uyuni GPG public key susemanager-docs_en: * Removed obsolete traditional to Salt migration documentation from the System Types section of the Client Configuration Guide and updated the Migrate traditional clients to Salt clients section * Fixed navigation bar of Client Configuration Guide (bsc#1218089) * Added openSUSE Leap to Supported Features navigation list in Client Configuration Guide (bsc#1218094) * Described new monitoring metrics for Salt queue in Administration Guide * Fixed xrefs for internal book references * Removed mentioning that CVE number for CVE auditing is optional (bsc#1218019) * Corrected channel names for CentOS 7 Updates and Extras in CentOS Client Configuration Guide * Documented bootstrap settings for SUSE Linux Enterprise Micro in Client Configuration Guide (bsc#1216394) * Corrected command mgr-push to mgrpush in Administration Guide (bsc#1215810) * Updated Red Hat OVAL data URL and file in CentOS Clients Registration in Client Configution Guide * Added Pay-as-you-go for Azure documentation to the Specialized Guides book * Added Pay-as-you-go limitations chapter to Pay-as-you-go Guide * Removed Ubuntu 18.04 from the list of supported clients * Fixed file location in Custom Salt Formulas section of Salt Guide * Documented using Virtualization Host formula in Client Configuration susemanager-schema: * Version 4.3.24-1 * Refactor susecredentials to support the new hierarchy * Improve performance of System (bsc#1211254) * Change schedule of system-profile-refresh to run on the 2nd Saturday of a month to not collide with normal working times (bsc#1215769) susemanager-sls: 
* version 4.3.40-1 * Remove automatic reboot from transactional systems bootstrap (bsc#1218146) * Version 4.3.39-1 * Change certs/RHN-ORG-TRUSTED-SSL-CERT from symlink into a real file (bsc#1219577) * Version 4.3.38-1 * Improve Pay-as-you-go instance detection (bsc#1217784) * CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions (bsc#1170848) * Configure reboot method for SUSE Linux Enterprise Micro when applying bootstrap state (bsc#1213981) * Include reboot required indication for non SUSE distros susemanager-sync-data: * Version 4.3.16-1 * Fix OES 23.4 internal name (bsc#1218837) * Version 4.3.15-1 * Update release status and repository description of Open Enterprise Server 23.4 (bsc#1215514) * Add new SUSE Liberty Linux 7 Long Term Service Pack Support channel families * Rename Red Hat Enterprise Linux and Liberty 8 Base product to remove EOL CentOS 8 from the name uyuni-reportdb-schema: * Version 4.3.9-1 * Provide reportdb upgrade schema path structure How to apply this update: 1. Log in as root user to the SUSE Manager Server. 2. Stop the Spacewalk service: `spacewalk-service stop` 3. Apply the patch using either zypper patch or YaST Online Update. 4. Start the Spacewalk service: `spacewalk-service start` ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product:

  * SUSE Manager Proxy 4.3 Module 4.3  
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2024-485=1

  * SUSE Manager Server 4.3 Module 4.3  
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-485=1

## Package List:

  * SUSE Manager Proxy 4.3 Module 4.3 (noarch)
    * spacewalk-base-minimal-4.3.37-150400.3.39.7
    * mgr-daemon-4.3.8-150400.3.12.5
    * susemanager-build-keys-15.4.10-150400.3.23.5
    * spacewalk-client-tools-4.3.18-150400.3.24.7
    * susemanager-build-keys-web-15.4.10-150400.3.23.5
    * spacewalk-check-4.3.18-150400.3.24.7
    * python3-spacewalk-check-4.3.18-150400.3.24.7
    * python3-spacewalk-client-setup-4.3.18-150400.3.24.7
    * spacecmd-4.3.26-150400.3.33.5
    * spacewalk-client-setup-4.3.18-150400.3.24.7
    * spacewalk-base-minimal-config-4.3.37-150400.3.39.7
    * spacewalk-backend-4.3.27-150400.3.38.2
    * python3-spacewalk-certs-tools-4.3.22-150400.3.25.1
    * spacewalk-certs-tools-4.3.22-150400.3.25.1
    * python3-spacewalk-client-tools-4.3.18-150400.3.24.7
  * SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
    * patterns-suma_proxy-4.3-150400.5.9.5
  * SUSE Manager Server 4.3 Module 4.3 (noarch)
    * spacewalk-java-config-4.3.71-150400.3.74.2
    * spacewalk-base-minimal-4.3.37-150400.3.39.7
    * spacewalk-backend-iss-4.3.27-150400.3.38.2
    * spacewalk-backend-tools-4.3.27-150400.3.38.2
    * susemanager-build-keys-15.4.10-150400.3.23.5
    * susemanager-sls-4.3.40-150400.3.44.1
    * susemanager-build-keys-web-15.4.10-150400.3.23.5
    * uyuni-config-modules-4.3.40-150400.3.44.1
    * spacewalk-backend-applet-4.3.27-150400.3.38.2
    * spacewalk-base-minimal-config-4.3.37-150400.3.39.7
    * spacewalk-backend-4.3.27-150400.3.38.2
    * spacewalk-backend-app-4.3.27-150400.3.38.2
    * spacewalk-utils-4.3.19-150400.3.21.5
    * susemanager-sync-data-4.3.16-150400.3.22.2
    * spacewalk-backend-config-files-4.3.27-150400.3.38.2
    * spacewalk-java-lib-4.3.71-150400.3.74.2
    * cobbler-3.3.3-150400.5.39.5
    * spacewalk-setup-4.3.19-150400.3.30.5
    * spacewalk-utils-extras-4.3.19-150400.3.21.5
    * spacewalk-backend-config-files-common-4.3.27-150400.3.38.2
    * uyuni-reportdb-schema-4.3.9-150400.3.12.7
    * spacecmd-4.3.26-150400.3.33.5
    * susemanager-docs_en-4.3-150400.9.53.5
    * susemanager-schema-4.3.24-150400.3.36.7
    * spacewalk-java-4.3.71-150400.3.74.2
    * spacewalk-html-4.3.37-150400.3.39.7
    * spacewalk-base-4.3.37-150400.3.39.7
    * spacewalk-certs-tools-4.3.22-150400.3.25.1
    * grafana-formula-0.10.0-150400.3.15.5
    * spacewalk-java-postgresql-4.3.71-150400.3.74.2
    * supportutils-plugin-susemanager-4.3.10-150400.3.18.5
    * spacewalk-backend-config-files-tool-4.3.27-150400.3.38.2
    * spacewalk-backend-sql-postgresql-4.3.27-150400.3.38.2
    * spacewalk-backend-xml-export-libs-4.3.27-150400.3.38.2
    * subscription-matcher-0.35-150400.3.19.5
    * spacewalk-backend-iss-export-4.3.27-150400.3.38.2
    * jose4j-0.5.1-150400.3.6.2
    * python3-spacewalk-certs-tools-4.3.22-150400.3.25.1
    * liberate-formula-0.1.0-150400.10.3.3
    * python3-spacewalk-client-tools-4.3.18-150400.3.24.7
    * spacewalk-backend-xmlrpc-4.3.27-150400.3.38.2
    * spacewalk-client-tools-4.3.18-150400.3.24.7
    * susemanager-schema-utility-4.3.24-150400.3.36.7
    * susemanager-docs_en-pdf-4.3-150400.9.53.5
    * spacewalk-backend-sql-4.3.27-150400.3.38.2
    * prometheus-formula-0.8.0-150400.3.6.5
    * spacewalk-backend-server-4.3.27-150400.3.38.2
    * saltboot-formula-0.1.1701196218.b6b8ca1-150400.3.15.3
    * spacewalk-backend-package-push-server-4.3.27-150400.3.38.2
    * spacewalk-taskomatic-4.3.71-150400.3.74.2
  * SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
    * patterns-suma_retail-4.3-150400.5.9.5
    * inter-server-sync-0.3.2-150400.3.27.5
    * prometheus-postgres_exporter-0.10.1-150400.3.9.5
    * susemanager-4.3.34-150400.3.45.5
    * patterns-suma_server-4.3-150400.5.9.5
    * inter-server-sync-debuginfo-0.3.2-150400.3.27.5
    * susemanager-tools-4.3.34-150400.3.45.5

## References:

* https://www.suse.com/security/cve/CVE-2023-31582.html

* https://www.suse.com/security/cve/CVE-2023-32189.html

* https://bugzilla.suse.com/show_bug.cgi?id=1170848

* https://bugzilla.suse.com/show_bug.cgi?id=1210911

* https://bugzilla.suse.com/show_bug.cgi?id=1211254

* https://bugzilla.suse.com/show_bug.cgi?id=1211560

* https://bugzilla.suse.com/show_bug.cgi?id=1211912

* https://bugzilla.suse.com/show_bug.cgi?id=1213079

* https://bugzilla.suse.com/show_bug.cgi?id=1213507

* https://bugzilla.suse.com/show_bug.cgi?id=1213738

* https://bugzilla.suse.com/show_bug.cgi?id=1213981

* https://bugzilla.suse.com/show_bug.cgi?id=1214077

* https://bugzilla.suse.com/show_bug.cgi?id=1214791

* https://bugzilla.suse.com/show_bug.cgi?id=1215166

* https://bugzilla.suse.com/show_bug.cgi?id=1215514

* https://bugzilla.suse.com/show_bug.cgi?id=1215769

* https://bugzilla.suse.com/show_bug.cgi?id=1215810

* https://bugzilla.suse.com/show_bug.cgi?id=1215813

* https://bugzilla.suse.com/show_bug.cgi?id=1215982

* https://bugzilla.suse.com/show_bug.cgi?id=1216114

* https://bugzilla.suse.com/show_bug.cgi?id=1216394

* https://bugzilla.suse.com/show_bug.cgi?id=1216437

* https://bugzilla.suse.com/show_bug.cgi?id=1216550

* https://bugzilla.suse.com/show_bug.cgi?id=1216609

* https://bugzilla.suse.com/show_bug.cgi?id=1216657

* https://bugzilla.suse.com/show_bug.cgi?id=1216753

* https://bugzilla.suse.com/show_bug.cgi?id=1216781

* https://bugzilla.suse.com/show_bug.cgi?id=1216988

* https://bugzilla.suse.com/show_bug.cgi?id=1217069

* https://bugzilla.suse.com/show_bug.cgi?id=1217209

* https://bugzilla.suse.com/show_bug.cgi?id=1217588

* https://bugzilla.suse.com/show_bug.cgi?id=1217784

* https://bugzilla.suse.com/show_bug.cgi?id=1217869

* https://bugzilla.suse.com/show_bug.cgi?id=1218019

* https://bugzilla.suse.com/show_bug.cgi?id=1218074

* https://bugzilla.suse.com/show_bug.cgi?id=1218075

* https://bugzilla.suse.com/show_bug.cgi?id=1218089

* https://bugzilla.suse.com/show_bug.cgi?id=1218094

* https://bugzilla.suse.com/show_bug.cgi?id=1218146

* https://bugzilla.suse.com/show_bug.cgi?id=1218490

* https://bugzilla.suse.com/show_bug.cgi?id=1218615

* https://bugzilla.suse.com/show_bug.cgi?id=1218669

* https://bugzilla.suse.com/show_bug.cgi?id=1218837

* https://bugzilla.suse.com/show_bug.cgi?id=1218849

* https://bugzilla.suse.com/show_bug.cgi?id=1219151

* https://bugzilla.suse.com/show_bug.cgi?id=1219449

* https://bugzilla.suse.com/show_bug.cgi?id=1219577

* https://bugzilla.suse.com/show_bug.cgi?id=1219850

* https://jira.suse.com/login.jsp
