Stay Secure with the Latest Linux Advisories

security advisoryupdate instructionsapache2

SUSE Manager 4.3: Important Security Update and Fixes Overview

* bsc#1191143 * bsc#1204235 * bsc#1207012 * bsc#1207532 * bsc#1210928 . # Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server Announcement ID: SUSE-SU-2023:4737-1 Rating: important References: * bsc#1191143 * bsc#1204235 * bsc#1207012 * bsc#1207532 * bsc#1210928 * bsc#1210930 * bsc#1211355 * bsc#1211560 * bsc#1211649 * bsc#1212695 * bsc#1212904 * bsc#1213469 * bsc#1214186 * bsc#1214471 * bsc#1214601 * bsc#1214759 * bsc#1215209 * bsc#1215514 * bsc#1215949 * bsc#1216030 * bsc#1216041 * bsc#1216085 * bsc#1216128 * bsc#1216380 * bsc#1216506 * bsc#1216555 * bsc#1216690 * bsc#1216754 * bsc#1217038 * bsc#1217223 * bsc#1217224 * jsc#MSQA-708 * jsc#SUMA-282 Cross-References: * CVE-2023-22644 CVSS scores: * CVE-2023-22644 ( NVD ): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N Affected Products: * openSUSE Leap 15.4 * openSUSE Leap 15.5 * Public Cloud Module 15-SP4 * Public Cloud Module 15-SP5 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Manager Proxy 4.3 * SUSE Manager Proxy 4.3 Module 4.3 * SUSE Manager Retail Branch Server 4.3 * SUSE Manager Server 4.3 * SUSE Manager Server 4.3 Module 4.3 An update that solves one vulnerability, contains two features and has 30 security fixes can now be installed. ## Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3 ### Description: This update fixes the following issues: spacecmd: * Version 4.3.25-1 * Update translation strings spacewalk-backend: * Version 4.3.25-1 * Use the new apache2-mod_wsgi package name * Set stricter file permissions for config file * Add table statistics and options to the support config database output * Add CLM data collection tospacewalk-debug spacewalk-client-tools: * Version 4.3.17-1 * Update translation strings spacewalk-proxy: * Version 4.3.17-1 * Use the new apache2-mod_wsgi package name spacewalk-web: * Version 4.3.36-1 * Safeguard request URLs against tempering (bsc#1216754) * Improve datetimepicker input formatting * Improve logging to better capture third-party library issues * Simplify and modernize password generation logic * Update webpack to 5.88.2 * Handle new message from subscription-matcher (bsc#1216506) * Add sanity checks for FQDNs in proxy configuration dialog * Add option to filter packages by build time in CLM (jsc#SUMA-282) susemanager-tftpsync-recv: * Version 4.3.9-1 * Use the new apache2-mod_wsgi package name * Build with Python 3 and clean up references to Python 2 How to apply this update: 1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server. 2. Stop the proxy service: `spacewalk-proxy stop` 3. Apply the patch using either zypper patch or YaST Online Update. 4. Start the Spacewalk service: `spacewalk-proxy start` ## Security update for SUSE Manager Server 4.3 ### Description: This update fixes the following issues: billing-data-service: * Version 4.3.2-1 * Relax dependency to csp-billing-adapter-service inter-server-sync: * Version 0.3.1 * Require at least Go 1.20 for building SUSE packages spacecmd: * Version 4.3.25-1 * Update translation strings spacewalk-backend: * Version 4.3.25-1 * Use the new apache2-mod_wsgi package name * Set stricter file permissions for config file * Add table statistics and options to the support config database output * Add CLM data collection to spacewalk-debug spacewalk-client-tools: * Version 4.3.17-1 * Update translation strings spacewalk-java: * Version 4.3.69-1 * Security fixes: * CVE-2023-22644: Sanitize token before logging it (bsc#1210930) * CVE-2023-22644: Fix permissions for logfiles (bsc#1210928) * CVE-2023-22644: Log potential sensitive information only in debug mode (bsc#1210928) *Non security fixes: * Include in API response reboot_suggested and restart_suggested booleans * Fix filter ID comparison when attaching filters to a CLM project (bsc#1215949) * Fix validation of lists with empty defaults in formulas (bsc#1216555) * Safeguard request URLs against tempering (bsc#1216754) * Improve logging to better capture third-party library issues * Fix issue of non-installed package listed as errata package update candidates (bsc#1212904) * Fix issue with reporting database query pagination * Update tomcat jars to version greater than 9.0.75 * Fix notification messages email content (bsc#1216041) * Look for the PAYG CA certificate location in different order to find and import the correct one (bsc#1214759) * Add salt-api socket timeout to abort stuck taskomatic jobs (bsc#1211649) * Fix SUSE Linux Enterprise Micro PAYG detection * Wait for lock to execute SCC sync task (bsc#1216030) * Fix url pointing to SCC (bsc#1216690) * Prevent download when a PAYG Server is not compliant * Fix system.provisionSystem xmlrpc endpoint to calculate host properly (bsc#1215209) * Include "uuid" as system search xmlrpc results (bsc#1216380) * Prevent losing Remote Command action result if returned JSON cannot be parsed * Add PAYG info to UI and rest API * Add management restrictions to SUMA PAYG when dealing with BYOS instances when no SCC credentials are set * Fix issue where bad SCC credentials were preventing other credentials to refresh (bsc#1211355) * Fix conversion to string if branchid is numeric in PXEEvent * Fix token validation for shared (public) child channels (bsc#1216128) * Prevent NullPointerException in updateSystemInfo (bsc#1217224) * Update SCC REST call to register systems in bulk * Enhance hardware data sent to SCC by memory * Fix FQDN machine name mapping on proxy configuration * Fix NullPointerException when creating PXE config for an unmanaged profile (bsc#1217223) * Add option to filter packages by build time in CLM (jsc#SUMA-282) * Consider server id whenremoving invalid erratas from rhnSet (bsc#1204235,bsc#1207012,bsc#1211560) * Fix createSystemRecord XML-RPC API call so the Cobbler UID is persisted (bsc#1207532) spacewalk-search: * Version 4.3.10-1 * Include "uuid" as system search result attribute (bsc#1216380) spacewalk-web: * Version 4.3.36-1 * Safeguard request URLs against tempering (bsc#1216754) * Improve datetimepicker input formatting * Improve logging to better capture third-party library issues * Simplify and modernize password generation logic * Update webpack to 5.88.2 * Handle new message from subscription-matcher (bsc#1216506) * Add sanity checks for FQDNs in proxy configuration dialog * Add option to filter packages by build time in CLM (jsc#SUMA-282) subscription-matcher: * Version 0.33 * Added missing part numbers (bsc#1216506) * Ignore subscriptions without any associated products (bsc#1216506) * Update Guava to version 32.0 susemanager: * Version 4.3.33-1 * Add bootstrap repository data for SUSE Linux Enterprise Micro 5.5 (bsc#1217038) susemanager-docs_en: * Add SUSE Liberty Linux versions 7 and 8 to the supported features matrix in the Client Configuration Guide * Add support for SUSE Linux Enterprise Micro 5.5 and openSUSE Leap Micro 5.5 clients to the Installation and Upgrade Guide, and to the Client Configuration Guide * Update Twitter handle reference in documentation user interface * Update feature table and add legend in the Configuration Management section of the Client Configuration Guide * Fix parameter name in the Register clients section of the Client Configuration Guide * Fix links to HTML output of SUSE Linux Enterprise Server 15 SP4 documentation * Add note about using short hostname in the Quick Start: SAP guide (bsc#1212695) * Mention the option to install Prometheus on Retail branch servers (bsc#1191143) * Fix link loop and clarify some server upgrade description details in the Installation and Upgrade Guide (bsc#1214471) * SUSE Manager 4.3 is based on SUSE Linux Enterprise 15SP4; update the installation procedure (bsc#1213469) susemanager-schema: * Version 4.3.22-1 * Drop special versioned schema files * Add unique index for rhnpackagechangelogdata table susemanager-sls: * Version 4.3.37-1 * Disable dnf_rhui_plugin as it breaks our susemanagerplugin (bsc#1214601) * Fix susemanagerplugin to not overwrite header fields set by other plugins * Let the DNF plugin log when a token was set * Retry loading of pillars from DB on connection error (bsc#1214186) * Recognize squashfs build results from KIWI (bsc#1216085) susemanager-sync-data: * Version 4.3.14-1 * SUSE Linux Enterprise 15 SP4 Long Term Service Pack Support (LTSS) * Extended Service Pack Overlay Support (ESPOS) for High Performance Computing 15 SP5 * Long Term Service Pack Support (LTSS) for High Performance Computing 15 SP5 * Update Open Enterprise Server to 2023.4 (bsc#1215514) uyuni-reportdb-schema: * Version 4.3.8-1 * Provide reportdb upgrade schema path structure How to apply this update: 1. Log in as root user to the SUSE Manager Server. 2. Stop the Spacewalk service: `spacewalk-service stop` 3. Apply the patch using either zypper patch or YaST Online Update. 4. Start the Spacewalk service: `spacewalk-service start` ## Recommended update for apache2-mod_wsgi ### Description: This update fixes the following issues: apache2-mod_wsgi: * Ensure the binaries are included in SUSE Manager Server ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patch SUSE-2023-4737=1 openSUSE-SLE-15.4-2023-4737=1 * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2023-4737=1 * Public Cloud Module 15-SP4 zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2023-4737=1 * Public Cloud Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP5-2023-4737=1 * SUSE Manager Proxy 4.3 Module 4.3 zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2023-4737=1 * SUSE Manager Server 4.3 Module 4.3 zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2023-4737=1 ## Package List: * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586) * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4 * apache2-mod_wsgi-4.7.1-150400.3.9.4 * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4 * apache2-mod_wsgi-4.7.1-150400.3.9.4 * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4 * Public Cloud Module 15-SP4 (aarch64 ppc64le s390x x86_64) * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4 * apache2-mod_wsgi-4.7.1-150400.3.9.4 * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4 * Public Cloud Module 15-SP5 (aarch64 ppc64le s390x x86_64) * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4 * apache2-mod_wsgi-4.7.1-150400.3.9.4 * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4 * SUSE Manager Proxy 4.3 Module 4.3 (x86_64) * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4 * apache2-mod_wsgi-4.7.1-150400.3.9.4 * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4 * SUSE Manager Proxy 4.3 Module 4.3 (noarch) * spacecmd-4.3.25-150400.3.30.5 * python3-spacewalk-client-tools-4.3.17-150400.3.21.6 * spacewalk-proxy-redirect-4.3.17-150400.3.23.5 * spacewalk-client-setup-4.3.17-150400.3.21.6 * python3-spacewalk-check-4.3.17-150400.3.21.6 * spacewalk-proxy-broker-4.3.17-150400.3.23.5 * spacewalk-proxy-common-4.3.17-150400.3.23.5 * spacewalk-backend-4.3.25-150400.3.33.7 * spacewalk-proxy-salt-4.3.17-150400.3.23.5 * spacewalk-check-4.3.17-150400.3.21.6 * spacewalk-proxy-management-4.3.17-150400.3.23.5 * spacewalk-proxy-package-manager-4.3.17-150400.3.23.5 * python3-spacewalk-client-setup-4.3.17-150400.3.21.6 * spacewalk-client-tools-4.3.17-150400.3.21.6 * spacewalk-base-minimal-4.3.36-150400.3.36.7 * susemanager-tftpsync-recv-4.3.9-150400.3.9.5 * spacewalk-base-minimal-config-4.3.36-150400.3.36.7 * SUSE ManagerServer 4.3 Module 4.3 (ppc64le s390x x86_64) * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4 * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4 * inter-server-sync-0.3.1-150400.3.24.5 * susemanager-tools-4.3.33-150400.3.42.4 * susemanager-4.3.33-150400.3.42.4 * apache2-mod_wsgi-4.7.1-150400.3.9.4 * inter-server-sync-debuginfo-0.3.1-150400.3.24.5 * SUSE Manager Server 4.3 Module 4.3 (noarch) * spacewalk-backend-config-files-tool-4.3.25-150400.3.33.7 * spacewalk-search-4.3.10-150400.3.15.4 * python3-spacewalk-client-tools-4.3.17-150400.3.21.6 * susemanager-sync-data-4.3.14-150400.3.17.5 * spacewalk-backend-config-files-common-4.3.25-150400.3.33.7 * susemanager-docs_en-pdf-4.3-150400.9.50.5 * spacewalk-backend-sql-postgresql-4.3.25-150400.3.33.7 * spacewalk-base-4.3.36-150400.3.36.7 * susemanager-schema-4.3.22-150400.3.30.5 * spacewalk-backend-iss-4.3.25-150400.3.33.7 * spacewalk-taskomatic-4.3.69-150400.3.69.5 * susemanager-docs_en-4.3-150400.9.50.5 * susemanager-sls-4.3.37-150400.3.37.5 * spacewalk-client-tools-4.3.17-150400.3.21.6 * spacecmd-4.3.25-150400.3.30.5 * spacewalk-html-4.3.36-150400.3.36.7 * spacewalk-backend-xmlrpc-4.3.25-150400.3.33.7 * susemanager-schema-utility-4.3.22-150400.3.30.5 * spacewalk-backend-iss-export-4.3.25-150400.3.33.7 * spacewalk-base-minimal-config-4.3.36-150400.3.36.7 * spacewalk-backend-xml-export-libs-4.3.25-150400.3.33.7 * spacewalk-java-config-4.3.69-150400.3.69.5 * spacewalk-backend-config-files-4.3.25-150400.3.33.7 * spacewalk-backend-sql-4.3.25-150400.3.33.7 * uyuni-reportdb-schema-4.3.8-150400.3.9.6 * spacewalk-java-4.3.69-150400.3.69.5 * spacewalk-backend-server-4.3.25-150400.3.33.7 * subscription-matcher-0.33-150400.3.16.3 * spacewalk-java-lib-4.3.69-150400.3.69.5 * spacewalk-base-minimal-4.3.36-150400.3.36.7 * spacewalk-java-postgresql-4.3.69-150400.3.69.5 * billing-data-service-4.3.2-150400.10.12.5 * spacewalk-backend-tools-4.3.25-150400.3.33.7 * spacewalk-backend-applet-4.3.25-150400.3.33.7 *spacewalk-backend-4.3.25-150400.3.33.7 * uyuni-config-modules-4.3.37-150400.3.37.5 * spacewalk-backend-package-push-server-4.3.25-150400.3.33.7 * spacewalk-backend-app-4.3.25-150400.3.33.7 ## References: * https://www.suse.com/security/cve/CVE-2023-22644.html * https://bugzilla.suse.com/show_bug.cgi?id=1191143 * https://bugzilla.suse.com/show_bug.cgi?id=1204235 * https://bugzilla.suse.com/show_bug.cgi?id=1207012 * https://bugzilla.suse.com/show_bug.cgi?id=1207532 * https://bugzilla.suse.com/show_bug.cgi?id=1210928 * https://bugzilla.suse.com/show_bug.cgi?id=1210930 * https://bugzilla.suse.com/show_bug.cgi?id=1211355 * https://bugzilla.suse.com/show_bug.cgi?id=1211560 * https://bugzilla.suse.com/show_bug.cgi?id=1211649 * https://bugzilla.suse.com/show_bug.cgi?id=1212695 * https://bugzilla.suse.com/show_bug.cgi?id=1212904 * https://bugzilla.suse.com/show_bug.cgi?id=1213469 * https://bugzilla.suse.com/show_bug.cgi?id=1214186 * https://bugzilla.suse.com/show_bug.cgi?id=1214471 * https://bugzilla.suse.com/show_bug.cgi?id=1214601 * https://bugzilla.suse.com/show_bug.cgi?id=1214759 * https://bugzilla.suse.com/show_bug.cgi?id=1215209 * https://bugzilla.suse.com/show_bug.cgi?id=1215514 * https://bugzilla.suse.com/show_bug.cgi?id=1215949 * https://bugzilla.suse.com/show_bug.cgi?id=1216030 * https://bugzilla.suse.com/show_bug.cgi?id=1216041 * https://bugzilla.suse.com/show_bug.cgi?id=1216085 * https://bugzilla.suse.com/show_bug.cgi?id=1216128 * https://bugzilla.suse.com/show_bug.cgi?id=1216380 * https://bugzilla.suse.com/show_bug.cgi?id=1216506 * https://bugzilla.suse.com/show_bug.cgi?id=1216555 * https://bugzilla.suse.com/show_bug.cgi?id=1216690 * https://bugzilla.suse.com/show_bug.cgi?id=1216754 * https://bugzilla.suse.com/show_bug.cgi?id=1217038 * https://bugzilla.suse.com/show_bug.cgi?id=1217223 * https://bugzilla.suse.com/show_bug.cgi?id=1217224 * * . Critical upkeep instructions for SUSE Manager 4.3 targeting diverse issues and bolstering security across solutions.. SUSEManager, Security Update, Maintenance Release, SUSE Linux, Patch Instructions. . Severity: Important. LinuxSecurity.com Team

Dec 14, 2023 •Important SuSE