SUSE: 2024:0485-1 important: Maintenance SUSE Manager 4.3
Summary
### This update fixes the following issues: mgr-daemon: * Version 4.3.8-1 * Update translation strings patterns-suse-manager: * Add liberate-formula to the required packages for the server to get it installed by default spacecmd: * Version 4.3.26-1 * Update translation strings spacewalk-backend: * Version 4.3.27-1 * Fix issue in "spacewalk-repo-sync" when RPM packages contains files with size greater than 4GB (bsc#1219151) * Version 4.3.26-1 * Fix decompressing and renaming bzip2 comps files in reposync * Update query to the new credentials structure * Remove normalize_orphan_vendor_packages and move it to taskomatic (bsc#1216781) * Skip syncing packages with incorrect metadata (bsc#1213738) * Update translation strings spacewalk-certs-tools: * version 4.3.22-1 * Skip deploying the CA into the Salt directory on proxies (bsc#1219850) * Version 4.3.21-1 * Deploy the CA certificate also into the Salt filesystem (bsc#1219577) * Version 4.3.20-1 * Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615) * Include reboot info beacon in the bootstrap script for transactional systems (bsc#1217588) spacewalk-client-tools: * Version 4.3.18-1 * Update translation strings spacewalk-web: * Version 4.3.37-1 * Fix the use of page size preference in systems and packages lists (bsc#1217209) * Fix issue displaying Ansible playbook name (bsc#1216657) * Add support for `PaygNotCompliantWarning` notification * Bump web.version to 4.3.11 susemanager-build-keys: * Version 15.4.10 * Add new Almalinux 8 GPG Key (bsc#1218849) * Refresh extended Uyuni GPG public key How to apply this update: 1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server. 2. Stop the proxy service: `spacewalk-proxy stop` 3. Apply the patch using either zypper patch or YaST Online Update. 4. Start the Spacewalk service: `spacewalk-proxy start` ## Security update for SUSE Manager Server 4.3 ### This update fixes the following issues: cobbler: * Build the appendline correctly for RHEL-family <= 9 (bsc#1216437) * Notify to "systemd" when cobblerd startup is finished (bsc#1215982) * Enable ppc64(le) buildiso support (bsc#1214077) grafana-formula: * Version 0.10.0 * Replace legacy message queue metrics with Salt queue metrics * Grafana formula should not be supported in a Proxy/Retail inter-server-sync: * Version 0.3.2-1 * Fix conflict in rhndistchannelmap (bsc#1216114) jose4j: * CVE-2023-31582: Insecure Password-Based Encryption Iteration Count (bsc#1216609) liberate-formula: * Version 0.1.0 * Provide liberate-formula, a formula for converting a system to SUSE Liberty Linux patterns-suse-manager: * Add liberate-formula to the required packages for the server to get it installed by default prometheus-formula: * Version 0.8.0 * Fix federation endpoint * Add remote write configuration * Add group filtering for service discovery relabeling configuration * Version 0.7.1 * Fix PrometheusNotIngestingSamples false positive alerts (bsc#1216550) prometheus-postgres_exporter: * Do not build debug if RHEL >= 8 * Do not strip if SUSE Linux Enterprise 15 SP3 * Build at least with with Go >= 1.18 on RHEL * Build with Go >= 1.20 elsewhere saltboot-formula: * Update to version 0.1.1701196218.b6b8ca1 * Remove f-formating to be compatible with python < 3.6 * Update packaging not to package salt directories * Update to version 0.1.1692188980.9aa0455 spacecmd: * Version 4.3.26-1 * Update translation strings spacewalk-backend: * Version 4.3.27-1 * Fix issue in "spacewalk-repo-sync" when RPM packages contains files with size greater than 4GB (bsc#1219151) * Version 4.3.26-1 * Fix decompressing and renaming bzip2 comps files in reposync * Update query to the new credentials structure * Remove normalize_orphan_vendor_packages and move it to taskomatic (bsc#1216781) * Skip syncing packages with incorrect metadata (bsc#1213738) * Update translation strings spacewalk-certs-tools: * version 4.3.22-1 * Skip deploying the CA into the Salt directory on proxies (bsc#1219850) * Version 4.3.21-1 * Deploy the CA certificate also into the Salt filesystem (bsc#1219577) * Version 4.3.20-1 * Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615) * Include reboot info beacon in the bootstrap script for transactional systems (bsc#1217588) spacewalk-client-tools: * Version 4.3.18-1 * Update translation strings spacewalk-java: * Version 4.3.71-1 * Generate server SSH key also when bootstrapping regular Minions (bsc#1219449) * Version 4.3.70-1 * Fix the use of page size preference in systems and packages lists (bsc#1217209) * Fix issue with disabling token check not working (bsc#1218669) * Enforce snakeyaml version requirement (bsc#1215166) * Improve the performance of paginated queries when syncing the reporting database (bsc#1211912, bsc#1213079) * Do not require entitlement for Pay-as-you-go SUSE Linux Enterprise Server for SAP (bsc#1217069) * Use the base product file to show the correct SUSE Manager product in the subscription matching results page * Do not require entitlements if SUSE Manager is Pay-as-you-go * Exclude SUSE Manager from subscription matching if it's Pay-as-you-go * Refactor Credentials to a proper class hierarchy * Fix unit test about duplicated packages * Prevent installation of packages with same name in a single action (bsc#1214791) * When canceling an action which has prerequisites, return hints to get the first action id which can be canceled (bsc#1216988) * Fix exception when removing a Debian package (bsc#1216781) * Fix XSS in taskomatic XML RPC handler (bsc#1210911) * Improve logging for Product Migration (bsc#1218490) * Add only 1 IP for Cloud RMT Host in /etc/hosts * Change org for orphan vendor packages that an admin can delete (bsc#1216781) * Expose the monitoring data for the Salt queue handling the Salt results * Provide total number of CPUs for SUSE Linux Enterprise Micro systems to subscription matcher when it is not used as hypervisor to match vCore subscriptions correctly (bsc#1218074) * Try to download compressed Ubuntu USN database * Add user information to system organization transfer message (bsc#1216753) * CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions (bsc#1170848) * Add notification in daily email in addition to in SUSE Manager home page when SUSE Manager Pay-as-you-go is not compliant * Fix apidoc link from #top to $call.name (bsc#1213507) * Add config option to disable remote commands from web UI (bsc#1217869) * Address high rating Sonar issues * Refactor SUSE Customer Center registration flow * Avoid blocking Taskomatic thread when waiting for queued action (bsc#1211560) * Fix modify kickstart profile when using "Always newest tree" option (bsc#1215813) * Configure reboot method for SUSE Linux Enterprise Micro when applying bootstrap state (bsc#1213981) * Handle not existing known_host file in permission check * Fix handling of proxy ssh public keys * Include reboot required indication for non-Suse distros spacewalk-setup: * Version 4.3.19-1 * Update query to the new credentials structure * Fix setting SUSE Customer Center password during setup spacewalk-utils: * Version 4.3.19-1 * Add SUSE Linux Enterprise Micro 5.4 and 5.5 to spacewalk-commons-channels spacewalk-web: * Version 4.3.37-1 * Fix the use of page size preference in systems and packages lists (bsc#1217209) * Fix issue displaying Ansible playbook name (bsc#1216657) * Add support for `PaygNotCompliantWarning` notification * Bump web.version to 4.3.11 subscription-matcher: * Version 0.35 * Added missing part number * Version 0.34 * Enabled support for Long Term Service Pack Support subscriptions (bsc#1218075) * Added SUSE Linux Enterprise Micro vCore handling (bsc#1218074) * Added new SKUs and new bundles supportutils-plugin-susemanager: * Version 4.3.10-1 * Update query to the new credentials structure susemanager: * Version 4.3.34-1 * Rename Open Enterprise Server label to OES23.4 (bsc#1215514) * Verify in Yast FQDN with name returned via DNS reverse lookup * CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions (bsc#1170848) susemanager-build-keys: * Version 15.4.10 * Add new Almalinux 8 GPG Key (bsc#1218849) * Refresh extended Uyuni GPG public key susemanager-docs_en: * Removed obsolete traditional to Salt migration documentation from the System Types section of the Client Configuration Guide and updated the Migrate traditional clients to Salt clients section * Fixed navigation bar of Client Configuration Guide (bsc#1218089) * Added openSUSE Leap to Supported Features navigation list in Client Configuration Guide (bsc#1218094) * Described new monitoring metrics for Salt queue in Administration Guide * Fixed xrefs for internal book references * Removed mentioning that CVE number for CVE auditing is optional (bsc#1218019) * Corrected channel names for CentOS 7 Updates and Extras in CentOS Client Configuration Guide * Documented bootstrap settings for SUSE Linux Enterprise Micro in Client Configuration Guide (bsc#1216394) * Corrected command mgr-push to mgrpush in Administration Guide (bsc#1215810) * Updated Red Hat OVAL data URL and file in CentOS Clients Registration in Client Configution Guide * Added Pay-as-you-go for Azure documentation to the Specialized Guides book * Added Pay-as-you-go limitations chapter to Pay-as-you-go Guide * Removed Ubuntu 18.04 from the list of supported clients * Fixed file location in Custom Salt Formulas section of Salt Guide * Documented using Virtualization Host formula in Client Configuration susemanager-schema: * Version 4.3.24-1 * Refactor susecredentials to support the new hierarchy * Improve performance of System (bsc#1211254) * Change schedule of system-profile-refresh to run on the 2nd Saturday of a month to not collide with normal working times (bsc#1215769) susemanager-sls: * version 4.3.40-1 * Remove automatic reboot from transactional systems bootstrap (bsc#1218146) * Version 4.3.39-1 * Change certs/RHN-ORG-TRUSTED-SSL-CERT from symlink into a real file (bsc#1219577) * Version 4.3.38-1 * Improve Pay-as-you-go instance detection (bsc#1217784) * CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions (bsc#1170848) * Configure reboot method for SUSE Linux Enterprise Micro when applying bootstrap state (bsc#1213981) * Include reboot required indication for non SUSE distros susemanager-sync-data: * Version 4.3.16-1 * Fix OES 23.4 internal name (bsc#1218837) * Version 4.3.15-1 * Update release status and repository description of Open Enterprise Server 23.4 (bsc#1215514) * Add new SUSE Liberty Linux 7 Long Term Service Pack Support channel families * Rename Red Hat Enterprise Linux and Liberty 8 Base product to remove EOL CentOS 8 from the name uyuni-reportdb-schema: * Version 4.3.9-1 * Provide reportdb upgrade schema path structure How to apply this update: 1. Log in as root user to the SUSE Manager Server. 2. Stop the Spacewalk service: `spacewalk-service stop` 3. Apply the patch using either zypper patch or YaST Online Update. 4. Start the Spacewalk service: `spacewalk-service start` ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Manager Proxy 4.3 Module 4.3 zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2024-485=1 * SUSE Manager Server 4.3 Module 4.3 zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-485=1 ## Package List: * SUSE Manager Proxy 4.3 Module 4.3 (noarch) * spacewalk-base-minimal-4.3.37-150400.3.39.7 * mgr-daemon-4.3.8-150400.3.12.5 * susemanager-build-keys-15.4.10-150400.3.23.5 * spacewalk-client-tools-4.3.18-150400.3.24.7 * susemanager-build-keys-web-15.4.10-150400.3.23.5 * spacewalk-check-4.3.18-150400.3.24.7 * python3-spacewalk-check-4.3.18-150400.3.24.7 * python3-spacewalk-client-setup-4.3.18-150400.3.24.7 * spacecmd-4.3.26-150400.3.33.5 * spacewalk-client-setup-4.3.18-150400.3.24.7 * spacewalk-base-minimal-config-4.3.37-150400.3.39.7 * spacewalk-backend-4.3.27-150400.3.38.2 * python3-spacewalk-certs-tools-4.3.22-150400.3.25.1 * spacewalk-certs-tools-4.3.22-150400.3.25.1 * python3-spacewalk-client-tools-4.3.18-150400.3.24.7 * SUSE Manager Proxy 4.3 Module 4.3 (x86_64) * patterns-suma_proxy-4.3-150400.5.9.5 * SUSE Manager Server 4.3 Module 4.3 (noarch) * spacewalk-java-config-4.3.71-150400.3.74.2 * spacewalk-base-minimal-4.3.37-150400.3.39.7 * spacewalk-backend-iss-4.3.27-150400.3.38.2 * spacewalk-backend-tools-4.3.27-150400.3.38.2 * susemanager-build-keys-15.4.10-150400.3.23.5 * susemanager-sls-4.3.40-150400.3.44.1 * susemanager-build-keys-web-15.4.10-150400.3.23.5 * uyuni-config-modules-4.3.40-150400.3.44.1 * spacewalk-backend-applet-4.3.27-150400.3.38.2 * spacewalk-base-minimal-config-4.3.37-150400.3.39.7 * spacewalk-backend-4.3.27-150400.3.38.2 * spacewalk-backend-app-4.3.27-150400.3.38.2 * spacewalk-utils-4.3.19-150400.3.21.5 * susemanager-sync-data-4.3.16-150400.3.22.2 * spacewalk-backend-config-files-4.3.27-150400.3.38.2 * spacewalk-java-lib-4.3.71-150400.3.74.2 * cobbler-3.3.3-150400.5.39.5 * spacewalk-setup-4.3.19-150400.3.30.5 * spacewalk-utils-extras-4.3.19-150400.3.21.5 * spacewalk-backend-config-files-common-4.3.27-150400.3.38.2 * uyuni-reportdb-schema-4.3.9-150400.3.12.7 * spacecmd-4.3.26-150400.3.33.5 * susemanager-docs_en-4.3-150400.9.53.5 * susemanager-schema-4.3.24-150400.3.36.7 * spacewalk-java-4.3.71-150400.3.74.2 * spacewalk-html-4.3.37-150400.3.39.7 * spacewalk-base-4.3.37-150400.3.39.7 * spacewalk-certs-tools-4.3.22-150400.3.25.1 * grafana-formula-0.10.0-150400.3.15.5 * spacewalk-java-postgresql-4.3.71-150400.3.74.2 * supportutils-plugin-susemanager-4.3.10-150400.3.18.5 * spacewalk-backend-config-files-tool-4.3.27-150400.3.38.2 * spacewalk-backend-sql-postgresql-4.3.27-150400.3.38.2 * spacewalk-backend-xml-export-libs-4.3.27-150400.3.38.2 * subscription-matcher-0.35-150400.3.19.5 * spacewalk-backend-iss-export-4.3.27-150400.3.38.2 * jose4j-0.5.1-150400.3.6.2 * python3-spacewalk-certs-tools-4.3.22-150400.3.25.1 * liberate-formula-0.1.0-150400.10.3.3 * python3-spacewalk-client-tools-4.3.18-150400.3.24.7 * spacewalk-backend-xmlrpc-4.3.27-150400.3.38.2 * spacewalk-client-tools-4.3.18-150400.3.24.7 * susemanager-schema-utility-4.3.24-150400.3.36.7 * susemanager-docs_en-pdf-4.3-150400.9.53.5 * spacewalk-backend-sql-4.3.27-150400.3.38.2 * prometheus-formula-0.8.0-150400.3.6.5 * spacewalk-backend-server-4.3.27-150400.3.38.2 * saltboot-formula-0.1.1701196218.b6b8ca1-150400.3.15.3 * spacewalk-backend-package-push-server-4.3.27-150400.3.38.2 * spacewalk-taskomatic-4.3.71-150400.3.74.2 * SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64) * patterns-suma_retail-4.3-150400.5.9.5 * inter-server-sync-0.3.2-150400.3.27.5 * prometheus-postgres_exporter-0.10.1-150400.3.9.5 * susemanager-4.3.34-150400.3.45.5 * patterns-suma_server-4.3-150400.5.9.5 * inter-server-sync-debuginfo-0.3.2-150400.3.27.5 * susemanager-tools-4.3.34-150400.3.45.5
References
* bsc#1170848
* bsc#1210911
* bsc#1211254
* bsc#1211560
* bsc#1211912
* bsc#1213079
* bsc#1213507
* bsc#1213738
* bsc#1213981
* bsc#1214077
* bsc#1214791
* bsc#1215166
* bsc#1215514
* bsc#1215769
* bsc#1215810
* bsc#1215813
* bsc#1215982
* bsc#1216114
* bsc#1216394
* bsc#1216437
* bsc#1216550
* bsc#1216609
* bsc#1216657
* bsc#1216753
* bsc#1216781
* bsc#1216988
* bsc#1217069
* bsc#1217209
* bsc#1217588
* bsc#1217784
* bsc#1217869
* bsc#1218019
* bsc#1218074
* bsc#1218075
* bsc#1218089
* bsc#1218094
* bsc#1218146
* bsc#1218490
* bsc#1218615
* bsc#1218669
* bsc#1218837
* bsc#1218849
* bsc#1219151
* bsc#1219449
* bsc#1219577
* bsc#1219850
* jsc#MSQA-719
Cross-
* CVE-2023-31582
* CVE-2023-32189
CVSS scores:
* CVE-2023-31582 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2023-31582 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:
* SUSE Manager Proxy 4.3
* SUSE Manager Proxy 4.3 Module 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
* SUSE Manager Server 4.3 Module 4.3
An update that solves two vulnerabilities, contains one feature and has 44
security fixes can now be installed.
## Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3
##
* https://www.suse.com/security/cve/CVE-2023-31582.html
* https://www.suse.com/security/cve/CVE-2023-32189.html
* https://bugzilla.suse.com/show_bug.cgi?id=1170848
* https://bugzilla.suse.com/show_bug.cgi?id=1210911
* https://bugzilla.suse.com/show_bug.cgi?id=1211254
* https://bugzilla.suse.com/show_bug.cgi?id=1211560
* https://bugzilla.suse.com/show_bug.cgi?id=1211912
* https://bugzilla.suse.com/show_bug.cgi?id=1213079
* https://bugzilla.suse.com/show_bug.cgi?id=1213507
* https://bugzilla.suse.com/show_bug.cgi?id=1213738
* https://bugzilla.suse.com/show_bug.cgi?id=1213981
* https://bugzilla.suse.com/show_bug.cgi?id=1214077
* https://bugzilla.suse.com/show_bug.cgi?id=1214791
* https://bugzilla.suse.com/show_bug.cgi?id=1215166
* https://bugzilla.suse.com/show_bug.cgi?id=1215514
* https://bugzilla.suse.com/show_bug.cgi?id=1215769
* https://bugzilla.suse.com/show_bug.cgi?id=1215810
* https://bugzilla.suse.com/show_bug.cgi?id=1215813
* https://bugzilla.suse.com/show_bug.cgi?id=1215982
* https://bugzilla.suse.com/show_bug.cgi?id=1216114
* https://bugzilla.suse.com/show_bug.cgi?id=1216394
* https://bugzilla.suse.com/show_bug.cgi?id=1216437
* https://bugzilla.suse.com/show_bug.cgi?id=1216550
* https://bugzilla.suse.com/show_bug.cgi?id=1216609
* https://bugzilla.suse.com/show_bug.cgi?id=1216657
* https://bugzilla.suse.com/show_bug.cgi?id=1216753
* https://bugzilla.suse.com/show_bug.cgi?id=1216781
* https://bugzilla.suse.com/show_bug.cgi?id=1216988
* https://bugzilla.suse.com/show_bug.cgi?id=1217069
* https://bugzilla.suse.com/show_bug.cgi?id=1217209
* https://bugzilla.suse.com/show_bug.cgi?id=1217588
* https://bugzilla.suse.com/show_bug.cgi?id=1217784
* https://bugzilla.suse.com/show_bug.cgi?id=1217869
* https://bugzilla.suse.com/show_bug.cgi?id=1218019
* https://bugzilla.suse.com/show_bug.cgi?id=1218074
* https://bugzilla.suse.com/show_bug.cgi?id=1218075
* https://bugzilla.suse.com/show_bug.cgi?id=1218089
* https://bugzilla.suse.com/show_bug.cgi?id=1218094
* https://bugzilla.suse.com/show_bug.cgi?id=1218146
* https://bugzilla.suse.com/show_bug.cgi?id=1218490
* https://bugzilla.suse.com/show_bug.cgi?id=1218615
* https://bugzilla.suse.com/show_bug.cgi?id=1218669
* https://bugzilla.suse.com/show_bug.cgi?id=1218837
* https://bugzilla.suse.com/show_bug.cgi?id=1218849
* https://bugzilla.suse.com/show_bug.cgi?id=1219151
* https://bugzilla.suse.com/show_bug.cgi?id=1219449
* https://bugzilla.suse.com/show_bug.cgi?id=1219577
* https://bugzilla.suse.com/show_bug.cgi?id=1219850
* https://jira.suse.com/login.jsp