SUSE: 2024:1507-1 moderate: Maintenance SUSE Manager 4.3: Server, Proxy and Retail Branch Server Security Advisory Updates
Summary
## Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3

### This update fixes the following issues:

mgr-daemon:

* Version 4.3.9-0
* Update translation strings

spacecmd:

* Version 4.3.27-0
* Update translation strings

spacewalk-backend:

* Version 4.3.28-0
* Strip whitespace from .deb package metadata (bsc#1214387)
* Fix inserting NULL into some columns during ISSv1 sync (bsc#1220980)
* Add support for package signature type V4 RSA/SHA512 (bsc#1221465)
* Unquote HTML-encoded credentials before synchronizing repositories (bsc#1217204)

spacewalk-certs-tools:

* Version 4.3.23-0
* Fix Liberty bootstrapping when zypper is installed (bsc#1222347)
* Apply reboot method changes for transactional systems in the bootstrap script

spacewalk-client-tools:

* Version 4.3.19-0
* Update translation strings

spacewalk-web:

* Version 4.3.38-0
* Upgrade json5 to 2.2.3
* Upgrade semver to 7.6.0
* Add one-shot action execution to recurring custom state create/edit
* Add two filters for rpmlint in package spacewalk-web: explicit-lib-dependency and filename-too-long-for-joliet
* Fix virtual systems filters (bsc#1208572)
* Improve CLM Create New Filter button
* Bump the WebUI version to 4.3.12

uyuni-common-libs:

* Version 4.3.10-0
* Add support for package signature type V4 RSA/SHA384
* Add support for package signature type V4 RSA/SHA512 (bsc#1221465)

uyuni-proxy-systemd-services:

* Version 4.3.12-0
* Update to SUSE Manager 4.3.12
* Version 4.3.11-1
* Update the image version

How to apply this update:

1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
2. Stop the proxy service: `spacewalk-proxy stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-proxy start`

## Security update for SUSE Manager Server 4.3

### This update fixes the following issues:

cobbler:

* Provide option to use pre-built GRUB bootloader
* Prevent parallel executions of cobbler sync actions (bsc#1218764)

image-sync-formula:

* Update to version 0.1.1711646883.4a44375
* Add missing URL tag
* Update license to SPDX syntax

inter-server-sync:

* Version 0.3.3-1
* Correct primary key export for table suseproductsccrepository (bsc#1220169)

jose4j:

* CVE-2023-51775: Fix denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value (bsc#1220726)

smdba:

* Version 1.7.13
* The postmaster command no longer exists in PostgreSQL >= 16 (it is an alias for postgresql), so use the postgresql command instead

spacecmd:

* Version 4.3.27-0
* Update translation strings

spacewalk-backend:

* Version 4.3.28-0
* Strip whitespace from .deb package metadata (bsc#1214387)
* Fix inserting NULL into some columns during ISSv1 sync (bsc#1220980)
* Add support for package signature type V4 RSA/SHA512 (bsc#1221465)
* Unquote HTML-encoded credentials before synchronizing repositories (bsc#1217204)

spacewalk-certs-tools:

* Version 4.3.23-0
* Fix Liberty bootstrapping when zypper is installed (bsc#1222347)
* Apply reboot method changes for transactional systems in the bootstrap script

spacewalk-client-tools:

* Version 4.3.19-0
* Update translation strings

spacewalk-config:

* Version 4.3.13-0
* Be explicit about default Apache configs being overwritten on updates and point to making custom configs (bsc#1219061)

spacewalk-java:

* Version 4.3.73-0
* New API endpoint for getRelevantErrata. It takes multiple servers as argument and returns an array of maps representing the errata that can be applied to each system
* Version 4.3.72-0
* Use execution module call to detect client instance flavor (PAYG/BYOS) in public cloud (bsc#1218805)
* Update help text for the custom repo filter field (bsc#1217874)
* Fix issue where Salt cannot access autoinstallation files (bsc#1220221)
* Fix issue when checking for credential duplication (bsc#1218957)
* Fix matching epoch while creating Ubuntu errata
* When an action that belongs to an action chain is unscheduled, unschedule the action chain as well (bsc#1221784)
* Reschedule failed SSH actions caused by a connection error due to a scheduled reboot
* Fix removal of old IPv6 addresses (bsc#1214340)
* Do not automatically add child channels outside of selected base channel (bsc#1220101)
* Fix listProxies API call (bsc#1219233)
* Fix system.provisionSystem when called via HTTP API (bsc#1219875)
* Remove "package sync not available" message in Software > Packages > Profile since it is no longer available for supported clients (bsc#1221279)
* Fix login for read-only users when using HTTP API (bsc#1221111)
* Add one-shot action execution to recurring custom state create/edit
* Fix a typo in 'Deploy Files' page
* Drop system password as identifier on SCC system registration (bsc#1219634, bsc#1221182)
* Fix memory size extraction in virtual instances (bsc#1219634)
* Fix virtual systems filters (bsc#1208572)
* Update license to include the year 2024
* Add timeout for SMTP server connection (bsc#1218931)
* Commit Salt event removal in case of process failure (bsc#1218931)
* Users with API read only are only allowed to make GET requests
* Ignore retry suffix when getting recurring action id from schedule name
* Sort CLM project filters by filter name

spacewalk-web:

* Version 4.3.38-0
* Upgrade json5 to 2.2.3
* Upgrade semver to 7.6.0
* Add one-shot action execution to recurring custom state create/edit
* Fix virtual systems filters (bsc#1208572)
* Improve CLM Create New Filter button
* Bump the WebUI version to 4.3.12

subscription-matcher:

* Version 0.37
* Add missing part number (bsc#1221922)
* Fix penalties logging by initializing the score director consistently
* Removed wrong apache-commons-lang dependency
* Version 0.36
* Fixed Log4j 2 initialization

supportutils-plugin-susemanager:

* Version 4.3.11-0
* Add Salt and Reposync connections to minimum required DB connections calculation

susemanager:

* Version 4.3.35-0
* Add bootstrap repository definition for openSUSE Leap 15.6
* Add bootstrap repository definition for SUSE Linux Enterprise 15 SP6

susemanager-docs_en:

* Removed Debian 10 from the list of supported clients
* Added new workflow describing updating of clients using recurring actions to Common Workflows
* Added documentation on adding a storage device for VMware
* Documented registercloudguest tools for registering public cloud installation (BYOS) by adding a reference to the Public Cloud Guide
* Added information about requirements for the PostgreSQL database to the Installation and Upgrade Guide (bsc#1220376)
* Fixed the instructions for SSL Certificates (bsc#1219061)
* Remove package sync paragraph in package-management doc since it is not available for Salt clients and traditional clients are no longer supported (bsc#1221279)
* Fixed incorrect reference to SUSE Linux Enterprise Server 15 SP5 as base product for SUSE Manager 4.3, even in public cloud
* Updated VM based installation for 4.3 VM image with Ignition or cloud-init in Installation and Upgrade Guide
* Added reference from Hub documentation to Inter-Server Synchronization in Large Deployment Guide
* Documented Virtualization Guest and Virtualization Host Formula
* Reformatted Supported Clients tables in Client Configuration Guide and Installation and Upgrade Guide
* Add documentation about SMTP timeout configuration
* Documented SSH key rotation in Salt Guide (bsc#1170848)
* Documented liberate formula in Salt Guide
* Fixed Prepare on-demand images section in Client Configuration
* Fixed a changed configuration parameter for salt-ssh
* Added Pay-as-you-go on the Cloud: FAQ document
* Updated max-connections tuning recommendation in Large Deployment
* Added troubleshooting instructions for setting up in public cloud (BYOS) to Administration Guide
* Added section about migrating Enterprise Linux (EL) clients to SUSE Liberty Linux to Client Configuration Guide
* Added detailed information about the messages produced by subscription matcher
* Added Pay-as-you-go as supported service on Azure to the Public Cloud Guide
* Added and fixed configuration details in Troubleshooting Renaming Server in Administration Guide

susemanager-schema:

* Version 4.3.25-0
* Add update-salt to internal state table

susemanager-sls:

* Version 4.3.41-0
* Use execution module call to detect client instance flavor (PAYG/BYOS) in public cloud (bsc#1218805)
* Do not log dnf needs-restarting output in Salt's log (bsc#1220194)
* Dynamically load an SELinux policy for "Push via SSH tunnel" for SELinux enabled clients. This policy allows communication over a custom SSH port
* Fix reboot needed detection for SUSE systems
* Fix SUSE Liberty Linux bootstrapping when Zypper is installed (bsc#1222347)
* Distinguish between different SUSE versions when detecting if a reboot is needed (bsc#1220903, bsc#1221571)
* Improve updatestack update in uptodate state
* Add a standalone update-salt state
* Add pillar check to skip reboot_if_needed state
* Recognize .tar.xz and .ext4 image files (bsc#1216085)
* Avoid issues on reactivating traditional clients as Salt managed
* Fix the case of missing requisites on bootstrap (bsc#1220705)

susemanager-sync-data:

* Version 4.3.17-0
* AlmaLinux 9 PowerTools was renamed to CRB (bsc#1222110)

uyuni-common-libs:

* Version 4.3.10-0
* Add support for package signature type V4 RSA/SHA384
* Add support for package signature type V4 RSA/SHA512 (bsc#1221465)

uyuni-reportdb-schema:

* Version 4.3.10-0
* Provide reportdb upgrade schema path structure

How to apply this update:

1. Log in as root user to the SUSE Manager Server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-service start`

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Manager Proxy 4.3 Module 4.3: `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2024-1507=1`
* SUSE Manager Server 4.3 Module 4.3: `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-1507=1`

## Package List:

* SUSE Manager Proxy 4.3 Module 4.3 (noarch)
  * spacewalk-base-minimal-4.3.38-150400.3.42.6
  * python3-spacewalk-certs-tools-4.3.23-150400.3.28.5
  * python3-spacewalk-client-setup-4.3.19-150400.3.27.5
  * python3-spacewalk-client-tools-4.3.19-150400.3.27.5
  * mgr-daemon-4.3.9-150400.3.15.5
  * spacewalk-backend-4.3.28-150400.3.41.7
  * spacecmd-4.3.27-150400.3.36.5
  * spacewalk-certs-tools-4.3.23-150400.3.28.5
  * spacewalk-client-setup-4.3.19-150400.3.27.5
  * spacewalk-client-tools-4.3.19-150400.3.27.5
  * python3-spacewalk-check-4.3.19-150400.3.27.5
  * spacewalk-check-4.3.19-150400.3.27.5
  * spacewalk-base-minimal-config-4.3.38-150400.3.42.6
* SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
  * python3-uyuni-common-libs-4.3.10-150400.3.18.4
* SUSE Manager Server 4.3 Module 4.3 (noarch)
  * spacewalk-java-lib-4.3.73-150400.3.79.1
  * susemanager-docs_en-4.3-150400.9.56.4
  * spacewalk-backend-package-push-server-4.3.28-150400.3.41.7
  * spacewalk-backend-4.3.28-150400.3.41.7
  * spacewalk-java-4.3.73-150400.3.79.1
  * spacewalk-backend-iss-export-4.3.28-150400.3.41.7
  * spacewalk-backend-xmlrpc-4.3.28-150400.3.41.7
  * spacewalk-base-4.3.38-150400.3.42.6
  * spacewalk-taskomatic-4.3.73-150400.3.79.1
  * spacewalk-backend-sql-4.3.28-150400.3.41.7
  * spacewalk-backend-sql-postgresql-4.3.28-150400.3.41.7
  * python3-spacewalk-certs-tools-4.3.23-150400.3.28.5
  * python3-spacewalk-client-tools-4.3.19-150400.3.27.5
  * susemanager-docs_en-pdf-4.3-150400.9.56.4
  * jose4j-0.5.1-150400.3.9.4
  * spacewalk-backend-config-files-tool-4.3.28-150400.3.41.7
  * spacecmd-4.3.27-150400.3.36.5
  * spacewalk-certs-tools-4.3.23-150400.3.28.5
  * susemanager-schema-4.3.25-150400.3.39.5
  * spacewalk-backend-config-files-common-4.3.28-150400.3.41.7
  * supportutils-plugin-susemanager-4.3.11-150400.3.21.4
  * spacewalk-java-config-4.3.73-150400.3.79.1
  * image-sync-formula-0.1.1711646883.4a44375-150400.3.18.4
  * spacewalk-base-minimal-config-4.3.38-150400.3.42.6
  * spacewalk-java-postgresql-4.3.73-150400.3.79.1
  * subscription-matcher-0.37-150400.3.22.4
  * susemanager-schema-utility-4.3.25-150400.3.39.5
  * uyuni-reportdb-schema-4.3.10-150400.3.15.6
  * spacewalk-backend-xml-export-libs-4.3.28-150400.3.41.7
  * spacewalk-backend-iss-4.3.28-150400.3.41.7
  * susemanager-sync-data-4.3.17-150400.3.25.4
  * cobbler-3.3.3-150400.5.42.5
  * spacewalk-backend-config-files-4.3.28-150400.3.41.7
  * spacewalk-backend-applet-4.3.28-150400.3.41.7
  * spacewalk-base-minimal-4.3.38-150400.3.42.6
  * spacewalk-backend-app-4.3.28-150400.3.41.7
  * uyuni-config-modules-4.3.41-150400.3.47.6
  * susemanager-sls-4.3.41-150400.3.47.6
  * spacewalk-html-4.3.38-150400.3.42.6
  * spacewalk-client-tools-4.3.19-150400.3.27.5
  * spacewalk-backend-tools-4.3.28-150400.3.41.7
  * spacewalk-backend-server-4.3.28-150400.3.41.7
  * spacewalk-config-4.3.13-150400.3.15.5
* SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
  * smdba-1.7.13-0.150400.4.12.4
  * susemanager-4.3.35-150400.3.48.6
  * inter-server-sync-debuginfo-0.3.3-150400.3.30.4
  * inter-server-sync-0.3.3-150400.3.30.4
  * susemanager-tools-4.3.35-150400.3.48.6
  * python3-uyuni-common-libs-4.3.10-150400.3.18.4
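After applying the patch, a practitioner wants to confirm that the package levels in the Package List above are actually installed. The following is an added example, not SUSE or Uyuni tooling: it takes a few NAME/VERSION-RELEASE pairs copied from the advisory's Server 4.3 Module package list, compares them against a constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output, and reports which advisory packages are still below the fixed level. The version comparison approximates rpmvercmp and, by assumption, ignores epoch, tilde and caret ordering, which none of this advisory's packages use.

```python
"""Check whether the package levels fixed by SUSE-2024:1507-1 are installed.

Added example (not SUSE tooling). VERSION-RELEASE strings are compared with an
approximation of rpmvercmp: epoch, tilde ("~") and caret ("^") ordering are
not implemented (assumption: the advisory's packages use none of them).
"""
import re
from itertools import zip_longest

# NAME -> VERSION-RELEASE, copied from the advisory's Package List for
# SUSE Manager Server 4.3 Module 4.3 (a subset is enough for the check).
ADVISORY_FIXED = {
    "spacewalk-java": "4.3.73-150400.3.79.1",
    "spacewalk-backend": "4.3.28-150400.3.41.7",
    "jose4j": "0.5.1-150400.3.9.4",
    "susemanager-sls": "4.3.41-150400.3.47.6",
    "cobbler": "3.3.3-150400.5.42.5",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output
# from a hypothetical server: two packages at the fixed level, two behind it,
# one package the advisory does not cover, and cobbler not installed at all.
SAMPLE_RPM_QA = """\
spacewalk-java 4.3.72-150400.3.76.2
spacewalk-backend 4.3.28-150400.3.41.7
jose4j 0.5.1-150400.3.6.1
susemanager-sls 4.3.41-150400.3.47.6
vim 9.0.2127-150400.5.34.2
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def _cmp_segments(a: str, b: str) -> int:
    """rpmvercmp-style comparison of one version or release string.

    Strings are split into numeric and alphabetic runs (separators ignored);
    numeric runs compare as integers, alphabetic runs lexically, a numeric run
    beats an alphabetic one, and a string with segments left over is newer.
    """
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return 0


def _split_vr(vr: str) -> tuple:
    """Split 'VERSION-RELEASE' at the last hyphen; no hyphen means no release."""
    version, sep, release = vr.rpartition("-")
    return (version, release) if sep else (vr, "")


def rpm_vercmp(installed: str, fixed: str) -> int:
    """Return -1, 0 or 1 as installed is older than, equal to or newer than fixed."""
    iv, ir = _split_vr(installed)
    fv, fr = _split_vr(fixed)
    return _cmp_segments(iv, fv) or _cmp_segments(ir, fr)


def parse_rpm_qa(text: str) -> dict:
    """Turn 'NAME VERSION-RELEASE' lines into a {name: version-release} map."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            name, _, vr = line.partition(" ")
            installed[name] = vr
    return installed


def check_advisory(installed: dict, fixed: dict = ADVISORY_FIXED) -> dict:
    """Map each installed package the advisory covers to 'fixed' or 'vulnerable'.

    Packages in the advisory that are not installed are skipped: nothing to patch.
    """
    status = {}
    for name, fixed_vr in fixed.items():
        if name in installed:
            up_to_date = rpm_vercmp(installed[name], fixed_vr) >= 0
            status[name] = "fixed" if up_to_date else "vulnerable"
    return status


def missing_updates(installed: dict, fixed: dict = ADVISORY_FIXED) -> list:
    """Sorted names of installed packages still below the advisory's fixed level."""
    return sorted(n for n, s in check_advisory(installed, fixed).items() if s == "vulnerable")


if __name__ == "__main__":
    inst = parse_rpm_qa(SAMPLE_RPM_QA)
    for name, state in sorted(check_advisory(inst).items()):
        print(f"{name:20s} {inst[name]:24s} {state}")
    print("still needs this patch:", missing_updates(inst))
```

On a real server the `SAMPLE_RPM_QA` string is replaced by the output of the `rpm -qa` query shown in the comment, and `ADVISORY_FIXED` by the full Package List for the installed module; `zypper patch` itself resolves the patch, but an independent comparison like this is what an audit or a fleet-wide compliance report checks after the fact.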
References
* bsc#1170848
* bsc#1208572
* bsc#1214340
* bsc#1214387
* bsc#1216085
* bsc#1217204
* bsc#1217874
* bsc#1218764
* bsc#1218805
* bsc#1218931
* bsc#1218957
* bsc#1219061
* bsc#1219233
* bsc#1219634
* bsc#1219875
* bsc#1220101
* bsc#1220169
* bsc#1220194
* bsc#1220221
* bsc#1220376
* bsc#1220705
* bsc#1220726
* bsc#1220903
* bsc#1220980
* bsc#1221111
* bsc#1221182
* bsc#1221279
* bsc#1221465
* bsc#1221571
* bsc#1221784
* bsc#1221922
* bsc#1222110
* bsc#1222347
* jsc#MSQA-760
Cross-References:
* CVE-2023-51775
CVSS scores:
* CVE-2023-51775 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
* SUSE Manager Proxy 4.3
* SUSE Manager Proxy 4.3 Module 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
* SUSE Manager Server 4.3 Module 4.3
An update that solves one vulnerability, contains one feature and has 32 security fixes can now be installed.
* https://www.suse.com/security/cve/CVE-2023-51775.html
* https://bugzilla.suse.com/show_bug.cgi?id=1170848
* https://bugzilla.suse.com/show_bug.cgi?id=1208572
* https://bugzilla.suse.com/show_bug.cgi?id=1214340
* https://bugzilla.suse.com/show_bug.cgi?id=1214387
* https://bugzilla.suse.com/show_bug.cgi?id=1216085
* https://bugzilla.suse.com/show_bug.cgi?id=1217204
* https://bugzilla.suse.com/show_bug.cgi?id=1217874
* https://bugzilla.suse.com/show_bug.cgi?id=1218764
* https://bugzilla.suse.com/show_bug.cgi?id=1218805
* https://bugzilla.suse.com/show_bug.cgi?id=1218931
* https://bugzilla.suse.com/show_bug.cgi?id=1218957
* https://bugzilla.suse.com/show_bug.cgi?id=1219061
* https://bugzilla.suse.com/show_bug.cgi?id=1219233
* https://bugzilla.suse.com/show_bug.cgi?id=1219634
* https://bugzilla.suse.com/show_bug.cgi?id=1219875
* https://bugzilla.suse.com/show_bug.cgi?id=1220101
* https://bugzilla.suse.com/show_bug.cgi?id=1220169
* https://bugzilla.suse.com/show_bug.cgi?id=1220194
* https://bugzilla.suse.com/show_bug.cgi?id=1220221
* https://bugzilla.suse.com/show_bug.cgi?id=1220376
* https://bugzilla.suse.com/show_bug.cgi?id=1220705
* https://bugzilla.suse.com/show_bug.cgi?id=1220726
* https://bugzilla.suse.com/show_bug.cgi?id=1220903
* https://bugzilla.suse.com/show_bug.cgi?id=1220980
* https://bugzilla.suse.com/show_bug.cgi?id=1221111
* https://bugzilla.suse.com/show_bug.cgi?id=1221182
* https://bugzilla.suse.com/show_bug.cgi?id=1221279
* https://bugzilla.suse.com/show_bug.cgi?id=1221465
* https://bugzilla.suse.com/show_bug.cgi?id=1221571
* https://bugzilla.suse.com/show_bug.cgi?id=1221784
* https://bugzilla.suse.com/show_bug.cgi?id=1221922
* https://bugzilla.suse.com/show_bug.cgi?id=1222110
* https://bugzilla.suse.com/show_bug.cgi?id=1222347
* https://jira.suse.com/browse/MSQA-760