# Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

Announcement ID: SUSE-SU-2024:0485-1

Rating: important

References:

* bsc#1170848
* bsc#1210911
* bsc#1211254
* bsc#1211560
* bsc#1211912
* bsc#1213079
* bsc#1213507
* bsc#1213738
* bsc#1213981
* bsc#1214077
* bsc#1214791
* bsc#1215166
* bsc#1215514
* bsc#1215769
* bsc#1215810
* bsc#1215813
* bsc#1215982
* bsc#1216114
* bsc#1216394
* bsc#1216437
* bsc#1216550
* bsc#1216609
* bsc#1216657
* bsc#1216753
* bsc#1216781
* bsc#1216988
* bsc#1217069
* bsc#1217209
* bsc#1217588
* bsc#1217784
* bsc#1217869
* bsc#1218019
* bsc#1218074
* bsc#1218075
* bsc#1218089
* bsc#1218094
* bsc#1218146
* bsc#1218490
* bsc#1218615
* bsc#1218669
* bsc#1218837
* bsc#1218849
* bsc#1219151
* bsc#1219449
* bsc#1219577
* bsc#1219850
* jsc#MSQA-719

Cross-References:

* CVE-2023-31582
* CVE-2023-32189

CVSS scores:

* CVE-2023-31582 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2023-31582 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Products:

* SUSE Manager Proxy 4.3
* SUSE Manager Proxy 4.3 Module 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
* SUSE Manager Server 4.3 Module 4.3

An update that solves two vulnerabilities, contains one feature and has 44 security fixes can now be installed.

## Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3

### Description:

This update fixes the following issues:

mgr-daemon:

* Version 4.3.8-1
  * Update translation strings

patterns-suse-manager:

* Add liberate-formula to the required packages for the server to get it installed by default

spacecmd:

* Version 4.3.26-1
  * Update translation strings

spacewalk-backend:

* Version 4.3.27-1
  * Fix issue in "spacewalk-repo-sync" when RPM packages contain files with size greater than 4GB (bsc#1219151)
* Version 4.3.26-1
  * Fix decompressing and renaming bzip2 comps files in reposync
  * Update query to the new credentials structure
  * Remove normalize_orphan_vendor_packages and move it to taskomatic (bsc#1216781)
  * Skip syncing packages with incorrect metadata (bsc#1213738)
  * Update translation strings

spacewalk-certs-tools:

* version 4.3.22-1
  * Skip deploying the CA into the Salt directory on proxies (bsc#1219850)
* Version 4.3.21-1
  * Deploy the CA certificate also into the Salt filesystem (bsc#1219577)
* Version 4.3.20-1
  * Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615)
  * Include reboot info beacon in the bootstrap script for transactional systems (bsc#1217588)

spacewalk-client-tools:

* Version 4.3.18-1
  * Update translation strings

spacewalk-web:

* Version 4.3.37-1
  * Fix the use of page size preference in systems and packages lists (bsc#1217209)
  * Fix issue displaying Ansible playbook name (bsc#1216657)
  * Add support for `PaygNotCompliantWarning` notification
  * Bump web.version to 4.3.11

susemanager-build-keys:

* Version 15.4.10
  * Add new Almalinux 8 GPG Key (bsc#1218849)
  * Refresh extended Uyuni GPG public key

How to apply this update:

1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
2. Stop the proxy service: `spacewalk-proxy stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-proxy start`

## Security update for SUSE Manager Server 4.3

### Description:

This update fixes the following issues:

cobbler:

* Build the appendline correctly for RHEL-family = 8
* Do not strip if SUSE Linux Enterprise 15 SP3
* Build at least with Go >= 1.18 on RHEL
* Build with Go >= 1.20 elsewhere

saltboot-formula:

* Update to version 0.1.1701196218.b6b8ca1
* Remove f-formatting to be compatible with python < 3.6
* Update packaging not to package salt directories
* Update to version 0.1.1692188980.9aa0455

spacecmd:

* Version 4.3.26-1
  * Update translation strings

spacewalk-backend:

* Version 4.3.27-1
  * Fix issue in "spacewalk-repo-sync" when RPM packages contain files with size greater than 4GB (bsc#1219151)
* Version 4.3.26-1
  * Fix decompressing and renaming bzip2 comps files in reposync
  * Update query to the new credentials structure
  * Remove normalize_orphan_vendor_packages and move it to taskomatic (bsc#1216781)
  * Skip syncing packages with incorrect metadata (bsc#1213738)
  * Update translation strings

spacewalk-certs-tools:

* version 4.3.22-1
  * Skip deploying the CA into the Salt directory on proxies (bsc#1219850)
* Version 4.3.21-1
  * Deploy the CA certificate also into the Salt filesystem (bsc#1219577)
* Version 4.3.20-1
  * Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615)
  * Include reboot info beacon in the bootstrap script for transactional systems (bsc#1217588)

spacewalk-client-tools:

* Version 4.3.18-1
  * Update translation strings

spacewalk-java:

* Version 4.3.71-1
  * Generate server SSH key also when bootstrapping regular Minions (bsc#1219449)
* Version 4.3.70-1
  * Fix the use of page size preference in systems and packages lists (bsc#1217209)
  * Fix issue with disabling token check not working (bsc#1218669)
  * Enforce snakeyaml version requirement (bsc#1215166)
  * Improve the performance of paginated queries when syncing the reporting database (bsc#1211912, bsc#1213079)
  * Do not require entitlement for Pay-as-you-go SUSE Linux Enterprise Server for SAP (bsc#1217069)
  * Use the base product file to show the correct SUSE Manager product in the subscription matching results page
  * Do not require entitlements if SUSE Manager is Pay-as-you-go
  * Exclude SUSE Manager from subscription matching if it's Pay-as-you-go
  * Refactor Credentials to a proper class hierarchy
  * Fix unit test about duplicated packages
  * Prevent installation of packages with same name in a single action (bsc#1214791)
  * When canceling an action which has prerequisites, return hints to get the first action id which can be canceled (bsc#1216988)
  * Fix exception when removing a Debian package (bsc#1216781)
  * Fix XSS in taskomatic XML RPC handler (bsc#1210911)
  * Improve logging for Product Migration (bsc#1218490)
  * Add only 1 IP for Cloud RMT Host in /etc/hosts
  * Change org for orphan vendor packages that an admin can delete (bsc#1216781)
  * Expose the monitoring data for the Salt queue handling the Salt results
  * Provide total number of CPUs for SUSE Linux Enterprise Micro systems to subscription matcher when it is not used as hypervisor to match vCore subscriptions correctly (bsc#1218074)
  * Try to download compressed Ubuntu USN database
  * Add user information to system organization transfer message (bsc#1216753)
  * CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions (bsc#1170848)
  * Add notification in daily email in addition to in SUSE Manager home page when SUSE Manager Pay-as-you-go is not compliant
  * Fix apidoc link from #top to $call.name (bsc#1213507)
  * Add config option to disable remote commands from web UI (bsc#1217869)
  * Address high rating Sonar issues
  * Refactor SUSE Customer Center registration flow
  * Avoid blocking Taskomatic thread when waiting for queued action (bsc#1211560)
  * Fix modify kickstart profile when using "Always newest tree" option (bsc#1215813)
  * Configure reboot method for SUSE Linux Enterprise Micro when applying bootstrap state (bsc#1213981)
  * Handle not existing known_host file in permission check
  * Fix handling of proxy ssh public keys
  * Include reboot required indication for non-SUSE distros

spacewalk-setup:

* Version 4.3.19-1
  * Update query to the new credentials structure
  * Fix setting SUSE Customer Center password during setup

spacewalk-utils:

* Version 4.3.19-1
  * Add SUSE Linux Enterprise Micro 5.4 and 5.5 to spacewalk-commons-channels

spacewalk-web:

* Version 4.3.37-1
  * Fix the use of page size preference in systems and packages lists (bsc#1217209)
  * Fix issue displaying Ansible playbook name (bsc#1216657)
  * Add support for `PaygNotCompliantWarning` notification
  * Bump web.version to 4.3.11

subscription-matcher:

* Version 0.35
  * Added missing part number
* Version 0.34
  * Enabled support for Long Term Service Pack Support subscriptions (bsc#1218075)
  * Added SUSE Linux Enterprise Micro vCore handling (bsc#1218074)
  * Added new SKUs and new bundles

supportutils-plugin-susemanager:

* Version 4.3.10-1
  * Update query to the new credentials structure

susemanager:

* Version 4.3.34-1
  * Rename Open Enterprise Server label to OES23.4 (bsc#1215514)
  * Verify in Yast FQDN with name returned via DNS reverse lookup
  * CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions (bsc#1170848)

susemanager-build-keys:

* Version 15.4.10
  * Add new Almalinux 8 GPG Key (bsc#1218849)
  * Refresh extended Uyuni GPG public key

susemanager-docs_en:

* Removed obsolete traditional to Salt migration documentation from the System Types section of the Client Configuration Guide and updated the Migrate traditional clients to Salt clients section
* Fixed navigation bar of Client Configuration Guide (bsc#1218089)
* Added openSUSE Leap to Supported Features navigation list in Client Configuration Guide (bsc#1218094)
* Described new monitoring metrics for Salt queue in Administration Guide
* Fixed xrefs for internal book references
* Removed mentioning that CVE number for CVE auditing is optional (bsc#1218019)
* Corrected channel names for CentOS 7 Updates and Extras in CentOS Client Configuration Guide
* Documented bootstrap settings for SUSE Linux Enterprise Micro in Client Configuration Guide (bsc#1216394)
* Corrected command mgr-push to mgrpush in Administration Guide (bsc#1215810)
* Updated Red Hat OVAL data URL and file in CentOS Clients Registration in Client Configuration Guide
* Added Pay-as-you-go for Azure documentation to the Specialized Guides book
* Added Pay-as-you-go limitations chapter to Pay-as-you-go Guide
* Removed Ubuntu 18.04 from the list of supported clients
* Fixed file location in Custom Salt Formulas section of Salt Guide
* Documented using Virtualization Host formula in Client Configuration

susemanager-schema:

* Version 4.3.24-1
  * Refactor susecredentials to support the new hierarchy
  * Improve performance of System (bsc#1211254)
  * Change schedule of system-profile-refresh to run on the 2nd Saturday of a month to not collide with normal working times (bsc#1215769)

susemanager-sls:

* version 4.3.40-1
  * Remove automatic reboot from transactional systems bootstrap (bsc#1218146)
* Version 4.3.39-1
  * Change certs/RHN-ORG-TRUSTED-SSL-CERT from symlink into a real file (bsc#1219577)
* Version 4.3.38-1
  * Improve Pay-as-you-go instance detection (bsc#1217784)
  * CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions (bsc#1170848)
  * Configure reboot method for SUSE Linux Enterprise Micro when applying bootstrap state (bsc#1213981)
  * Include reboot required indication for non SUSE distros

susemanager-sync-data:

* Version 4.3.16-1
  * Fix OES 23.4 internal name (bsc#1218837)
* Version 4.3.15-1
  * Update release status and repository description of Open Enterprise Server 23.4 (bsc#1215514)
  * Add new SUSE Liberty Linux 7 Long Term Service Pack Support channel families
  * Rename Red Hat Enterprise Linux and Liberty 8 Base product to remove EOL CentOS 8 from the name

uyuni-reportdb-schema:

* Version 4.3.9-1
  * Provide reportdb upgrade schema path structure

How to apply this update:

1. Log in as root user to the SUSE Manager Server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-service start`

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

* SUSE Manager Proxy 4.3 Module 4.3
  `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2024-485=1`
* SUSE Manager Server 4.3 Module 4.3
  `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-485=1`

## Package List:

* SUSE Manager Proxy 4.3 Module 4.3 (noarch)
  * spacewalk-base-minimal-4.3.37-150400.3.39.7
  * mgr-daemon-4.3.8-150400.3.12.5
  * susemanager-build-keys-15.4.10-150400.3.23.5
  * spacewalk-client-tools-4.3.18-150400.3.24.7
  * susemanager-build-keys-web-15.4.10-150400.3.23.5
  * spacewalk-check-4.3.18-150400.3.24.7
  * python3-spacewalk-check-4.3.18-150400.3.24.7
  * python3-spacewalk-client-setup-4.3.18-150400.3.24.7
  * spacecmd-4.3.26-150400.3.33.5
  * spacewalk-client-setup-4.3.18-150400.3.24.7
  * spacewalk-base-minimal-config-4.3.37-150400.3.39.7
  * spacewalk-backend-4.3.27-150400.3.38.2
  * python3-spacewalk-certs-tools-4.3.22-150400.3.25.1
  * spacewalk-certs-tools-4.3.22-150400.3.25.1
  * python3-spacewalk-client-tools-4.3.18-150400.3.24.7
* SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
  * patterns-suma_proxy-4.3-150400.5.9.5
* SUSE Manager Server 4.3 Module 4.3 (noarch)
  * spacewalk-java-config-4.3.71-150400.3.74.2
  * spacewalk-base-minimal-4.3.37-150400.3.39.7
  * spacewalk-backend-iss-4.3.27-150400.3.38.2
  * spacewalk-backend-tools-4.3.27-150400.3.38.2
  * susemanager-build-keys-15.4.10-150400.3.23.5
  * susemanager-sls-4.3.40-150400.3.44.1
  * susemanager-build-keys-web-15.4.10-150400.3.23.5
  * uyuni-config-modules-4.3.40-150400.3.44.1
  * spacewalk-backend-applet-4.3.27-150400.3.38.2
  * spacewalk-base-minimal-config-4.3.37-150400.3.39.7
  * spacewalk-backend-4.3.27-150400.3.38.2
  * spacewalk-backend-app-4.3.27-150400.3.38.2
  * spacewalk-utils-4.3.19-150400.3.21.5
  * susemanager-sync-data-4.3.16-150400.3.22.2
  * spacewalk-backend-config-files-4.3.27-150400.3.38.2
  * spacewalk-java-lib-4.3.71-150400.3.74.2
  * cobbler-3.3.3-150400.5.39.5
  * spacewalk-setup-4.3.19-150400.3.30.5
  * spacewalk-utils-extras-4.3.19-150400.3.21.5
  * spacewalk-backend-config-files-common-4.3.27-150400.3.38.2
  * uyuni-reportdb-schema-4.3.9-150400.3.12.7
  * spacecmd-4.3.26-150400.3.33.5
  * susemanager-docs_en-4.3-150400.9.53.5
  * susemanager-schema-4.3.24-150400.3.36.7
  * spacewalk-java-4.3.71-150400.3.74.2
  * spacewalk-html-4.3.37-150400.3.39.7
  * spacewalk-base-4.3.37-150400.3.39.7
  * spacewalk-certs-tools-4.3.22-150400.3.25.1
  * grafana-formula-0.10.0-150400.3.15.5
  * spacewalk-java-postgresql-4.3.71-150400.3.74.2
  * supportutils-plugin-susemanager-4.3.10-150400.3.18.5
  * spacewalk-backend-config-files-tool-4.3.27-150400.3.38.2
  * spacewalk-backend-sql-postgresql-4.3.27-150400.3.38.2
  * spacewalk-backend-xml-export-libs-4.3.27-150400.3.38.2
  * subscription-matcher-0.35-150400.3.19.5
  * spacewalk-backend-iss-export-4.3.27-150400.3.38.2
  * jose4j-0.5.1-150400.3.6.2
  * python3-spacewalk-certs-tools-4.3.22-150400.3.25.1
  * liberate-formula-0.1.0-150400.10.3.3
  * python3-spacewalk-client-tools-4.3.18-150400.3.24.7
  * spacewalk-backend-xmlrpc-4.3.27-150400.3.38.2
  * spacewalk-client-tools-4.3.18-150400.3.24.7
  * susemanager-schema-utility-4.3.24-150400.3.36.7
  * susemanager-docs_en-pdf-4.3-150400.9.53.5
  * spacewalk-backend-sql-4.3.27-150400.3.38.2
  * prometheus-formula-0.8.0-150400.3.6.5
  * spacewalk-backend-server-4.3.27-150400.3.38.2
  * saltboot-formula-0.1.1701196218.b6b8ca1-150400.3.15.3
  * spacewalk-backend-package-push-server-4.3.27-150400.3.38.2
  * spacewalk-taskomatic-4.3.71-150400.3.74.2
* SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
  * patterns-suma_retail-4.3-150400.5.9.5
  * inter-server-sync-0.3.2-150400.3.27.5
  * prometheus-postgres_exporter-0.10.1-150400.3.9.5
  * susemanager-4.3.34-150400.3.45.5
  * patterns-suma_server-4.3-150400.5.9.5
  * inter-server-sync-debuginfo-0.3.2-150400.3.27.5
  * susemanager-tools-4.3.34-150400.3.45.5

## References:

* https://www.suse.com/security/cve/CVE-2023-31582.html
* https://www.suse.com/security/cve/CVE-2023-32189.html
* https://bugzilla.suse.com/show_bug.cgi?id=1170848
* https://bugzilla.suse.com/show_bug.cgi?id=1210911
* https://bugzilla.suse.com/show_bug.cgi?id=1211254
* https://bugzilla.suse.com/show_bug.cgi?id=1211560
* https://bugzilla.suse.com/show_bug.cgi?id=1211912
* https://bugzilla.suse.com/show_bug.cgi?id=1213079
* https://bugzilla.suse.com/show_bug.cgi?id=1213507
* https://bugzilla.suse.com/show_bug.cgi?id=1213738
* https://bugzilla.suse.com/show_bug.cgi?id=1213981
* https://bugzilla.suse.com/show_bug.cgi?id=1214077
* https://bugzilla.suse.com/show_bug.cgi?id=1214791
* https://bugzilla.suse.com/show_bug.cgi?id=1215166
* https://bugzilla.suse.com/show_bug.cgi?id=1215514
* https://bugzilla.suse.com/show_bug.cgi?id=1215769
* https://bugzilla.suse.com/show_bug.cgi?id=1215810
* https://bugzilla.suse.com/show_bug.cgi?id=1215813
* https://bugzilla.suse.com/show_bug.cgi?id=1215982
* https://bugzilla.suse.com/show_bug.cgi?id=1216114
* https://bugzilla.suse.com/show_bug.cgi?id=1216394
* https://bugzilla.suse.com/show_bug.cgi?id=1216437
* https://bugzilla.suse.com/show_bug.cgi?id=1216550
* https://bugzilla.suse.com/show_bug.cgi?id=1216609
* https://bugzilla.suse.com/show_bug.cgi?id=1216657
* https://bugzilla.suse.com/show_bug.cgi?id=1216753
* https://bugzilla.suse.com/show_bug.cgi?id=1216781
* https://bugzilla.suse.com/show_bug.cgi?id=1216988
* https://bugzilla.suse.com/show_bug.cgi?id=1217069
* https://bugzilla.suse.com/show_bug.cgi?id=1217209
* https://bugzilla.suse.com/show_bug.cgi?id=1217588
* https://bugzilla.suse.com/show_bug.cgi?id=1217784
* https://bugzilla.suse.com/show_bug.cgi?id=1217869
* https://bugzilla.suse.com/show_bug.cgi?id=1218019
* https://bugzilla.suse.com/show_bug.cgi?id=1218074
* https://bugzilla.suse.com/show_bug.cgi?id=1218075
* https://bugzilla.suse.com/show_bug.cgi?id=1218089
* https://bugzilla.suse.com/show_bug.cgi?id=1218094
* https://bugzilla.suse.com/show_bug.cgi?id=1218146
* https://bugzilla.suse.com/show_bug.cgi?id=1218490
* https://bugzilla.suse.com/show_bug.cgi?id=1218615
* https://bugzilla.suse.com/show_bug.cgi?id=1218669
* https://bugzilla.suse.com/show_bug.cgi?id=1218837
* https://bugzilla.suse.com/show_bug.cgi?id=1218849
* https://bugzilla.suse.com/show_bug.cgi?id=1219151
* https://bugzilla.suse.com/show_bug.cgi?id=1219449
* https://bugzilla.suse.com/show_bug.cgi?id=1219577
* https://bugzilla.suse.com/show_bug.cgi?id=1219850

The latest release addresses key vulnerabilities in SUSE Manager 4.3, introducing enhanced functionalities and corrections aimed at bolstering security.

Severity: Important.

LinuxSecurity.com Team
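
To confirm that the update actually landed after following the apply steps, the versions in the Package List can be compared with what `rpm` reports on the host. The following is an added example, not part of the SUSE advisory: it checks a subset of the listed packages against constructed sample `rpm` output, and its comparison is a simplified segment-wise one in the style of RPM version ordering (epochs, `~` and `^` are assumed absent, as they are in this advisory's versions).

```python
import re

# Fixed versions for a few packages, copied from the advisory's Package List.
FIXED = {
    "spacewalk-java": "4.3.71-150400.3.74.2",
    "spacewalk-backend": "4.3.27-150400.3.38.2",
    "spacewalk-certs-tools": "4.3.22-150400.3.25.1",
    "susemanager": "4.3.34-150400.3.45.5",
    "susemanager-sls": "4.3.40-150400.3.44.1",
}

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE_RPM_OUTPUT = """\
spacewalk-java 4.3.70-150400.3.71.1
spacewalk-backend 4.3.27-150400.3.38.2
susemanager 4.3.9-150400.3.10.1
susemanager-sls 4.3.40-150400.3.44.1
bash 4.4-150400.25.22
"""

def _cmp_part(a, b):
    """Compare one version or release string segment by segment."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts newer
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    # All shared segments equal: the string with extra segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Return -1, 0 or 1 for 'version-release' strings a and b."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def outdated(rpm_output, fixed=FIXED):
    """List (name, installed, fixed) for packages older than the advisory."""
    found = []
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in fixed:
            continue  # malformed line, or a package this check does not cover
        name, installed = parts
        if evr_cmp(installed, fixed[name]) < 0:
            found.append((name, installed, fixed[name]))
    return found

if __name__ == "__main__":
    for name, have, want in outdated(SAMPLE_RPM_OUTPUT):
        print(f"{name}: installed {have}, advisory ships {want}")
```

Segments are compared numerically, so the constructed `susemanager 4.3.9` is correctly flagged as older than `4.3.34`, which a plain string comparison would get wrong.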