Stay Secure with the Latest Linux Advisories

security advisorymoderate severitysystem patching

SUSE: 2022:1397-1 Moderate: Two Issues in SUSE Manager Server

An update that solves two vulnerabilities and has 31 fixes is now available. . SUSE Security Update: Security update for SUSE Manager Server 4.2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:1397-1 Rating: moderate References: #1133198 #1173527 #1186336 #1191360 #1191597 #1192150 #1192822 #1193448 #1194363 #1194447 #1194464 #1194909 #1195043 #1195145 #1195271 #1195282 #1195294 #1195666 #1195712 #1195750 #1195757 #1195762 #1195765 #1195772 #1195920 #1196067 #1196094 #1196407 #1196455 #1196693 #1196704 #1196977 #1197007 Cross-References: CVE-2018-20433 CVE-2019-5427 CVSS scores: CVE-2018-20433 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-20433 (SUSE): 4.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVE-2019-5427 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-5427 (SUSE): 5.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Module for SUSE Manager Server 4.2 SUSE Manager Server 4.2 ______________________________________________________________________________ An update that solves two vulnerabilities and has 31 fixes is now available. Description: This update fixes the following issues: c3p0: - Update to version c3p0 0.9.5.5 and mchange-commons-java 0.2.19 * Address CVE-2018-20433 * Address CVE-2019-5427 - XML-config parsing related attacks (bsc#1133198) * Properly implement the JDBC 4.1 abort method grafana-formula: - Version 0.7.0 * Add SLES 15 SP4 and openSUSE Leap 15.4 to supported versions hub-xmlrpc-api: - Updated to build on Enterprise Linux 8. inter-server-sync: - Version 0.1.0 * Allow export and import of configurationchannels * Clean lookup cache after processing a channel (bsc#1195750) * Improve lookup method for generate foreign key export - Adapted for build on Enterprise Linux 8. mgr-osad: - Version 4.2.8-1 * Fix the condition for preventing building python 2 subpackage for SLE15 mgr-push: - Version 4.2.5-1 * Fix the condition for preventing building python 2 subpackage for SLE15 patterns-suse-manager: - golang-github-wrouesnel-postgres_exporter was renamed to prometheus-postgres_exporter prometheus-exporters-formula: - Version 1.2.0 * Postres exporter package was renamed for RedHat - Version 1.1.0 * Postgres exporter package was renamed for SLES/openSUSE py26-compat-msgpack-python: - Adapted to build on OBS for Enterprise Linux. rhnlib: - Version 4.2.6-1 * Fix the condition for preventing building python 2 subpackage for SLE15 saltboot-formula: - Update to version 0.1.1645440615.7f1328c * skip device lookup for correctly provided devices * improve image url modifications - preparation for ftp/http changes - Skip device lookup if correct path to device is already provided (bsc#1195757) - Improve image url modifications smdba: - Version 1.7.10 * adapt pgtune using new defaults for new postgres versions * support special configuration for SSD storage * make argument "--backup-dir" symlink aware - Version 1.7.9 - Allow different standard configuration file location for other OSes spacecmd: - Version 4.2.16-1 * implement system.bootstrap (bsc#1194909) * Fix interactive mode for "system_applyerrata" and "errata_apply" (bsc#1194363) spacewalk-admin: - Version 4.2.10-1 * wait after copying the CA to give systemd time to finish automation spacewalk-backend: - Version 4.2.20-1 * Fix reposync update notice formatting and date parsing (bsc#1194447) * implement more decompression algorithms for reposync (bsc#1196704) *enable check for client certificates in reposync * remove auto inherit of host entitlements for virtual guests spacewalk-branding: - Version 4.2.13-1 * Fix modal footer misalignment spacewalk-certs-tools: - Version 4.2.15-1 * Add dynamic version for bootstrap script header (bsc#1186336) spacewalk-client-tools: - Version 4.2.18-1 * Fix the condition for preventing building python 2 subpackage for SLE15 - Version 4.2.17-1 * Update translation strings spacewalk-config: - Version 4.2.6-1 * Upgrade build tooling, and corresponding cache configuration spacewalk-java: - Version 4.2.34-1 * Added new XML-RPC mathod: configchannel.syncSaltFilesOnDisk * update last checkin only if job is successful (bsc#1197007) * Fix NPE when accessing cancelled action via system history (bsc#1195762) * CVE Audit: Show patch as available in the currently installed product even if successor patch affects additional packages (bsc#1196455) * send notifications for new or changed ubuntu errata (bsc#1196977) * change directory owner and permissions only when needed * Fixed broken help link for system overview * Provide link to Sync page when unsynced patches message show up (bsc#1196094) * fix class cast exception during action chains (bsc#1195772) * Finding empty profiles by mac address must be case insensitive (bsc#1196407) * prepare to use new postgresql-jdbc driver with stringprep and saslprep support (bsc#1196693) * allow SCC to display the last check-in time for registered systems * generate the system ssh key when bootstrapping a salt-ssh client (bsc#1194909) * Provide link for CVEs * Fix lock/unlock scheduling on page Software Packages Lock (bsc#1195271) * When adding a product, check if the new vendor channels conflicts with any of the existing custom channel (bsc#1193448) * Fix disappearing metadata key files after channel change(bsc#1192822) * Suggest Product Migration when patch for CVE is in a successor Product (bsc#1191360) * Add store info to Equals and hash methods to fix CVE audit process (bsc#1195282) * Fix virtualization list rendering for foreign systems (bsc#1195712) * FIX errors when an image profile / store is deleted during build / inspect action (bsc#1191597, bsc#1192150) * Remove verbose token log (bsc#1195666) * fix ClassCastException during action processing (bsc#1195043) spacewalk-web: - Version 4.2.26-1 * Provide link to Sync page when unsynced patches message show up (bsc#1196094) * Provide a search box on section name for Formulas content * Add expand/collapse all button for formula sections * Improved large data support in channel selection * Provide link for CVEs * Improved error handling in the product setup page * Suggest Product Migration when patch for CVE is in a successor Product (bsc#1191360) * susemanager-web-libs is now packaged as a part of spacewalk-html subscription-matcher: - Version 0.29 * Migration to log4j 2 - Version 0.28 * Support both antlr3-java and antlr3-runtime as dependencies * Make it obvious that log4j12 is used supportutils-plugin-susemanager: - Version 4.2.4-1 * Get version of bootstrap scripts for supportconfig (bsc#1186336) suseRegisterInfo: - Version 4.2.6-1 * Fix the condition for preventing building python 2 subpackage for SLE15 susemanager: - Version 4.2.28-1 * set default for registration batch size susemanager-doc-indexes: - Renamed golang-github-wrouesnel-postgres_exporter to prometheus-postgres_exporter in the Administration Guide - Clarified in Client Configuration Guide and Retail Guide that mandatory channels are automatically checked. Also recommended channels as long as they are not deactivated (bsc#1173527) - In Custom Channels chapter of the Administration Guide,provide information about creating metadata (bsc#1195294) - In the Client Configuration Guide, mark Yomi as unsupported on SUSE Linux Enterprise Server 11 and 12 - Documented GPG encrypted Salt Pillars in the Salt book - In Client Configuration Guide, fixed channel configuration and registration of Expanded Support clients - Clarified channel label name in Registering Clients with RHUI section of the Client Configuration Guide (bsc#1196067) - In Throubleshooting Synchronization chapter in the Administration Guide added instructions for GPG removal - In Client Configuration Guide, integrated SUSE Linux Enterprise Micro Client documentation next to SUSE Linux Enterprise Client documentation and other related documentation improvements (bsc#1195145) - Added a warning about the origin of the salt-minion package in the Register on the Command Line (Salt) section of the Client Configuration Guide - Add troubleshooting section about avoiding package conflicts with custom channels susemanager-docs_en: - Renamed golang-github-wrouesnel-postgres_exporter to prometheus-postgres_exporter in the Administration Guide - Clarified in Client Configuration Guide and Retail Guide that mandatory channels are automatically checked. Also recommended channels as long as they are not deactivated (bsc#1173527) - In Custom Channels chapter of the Administration Guide, provide information about creating metadata (bsc#1195294) - In the Client Configuration Guide, mark Yomi as unsupported on SUSE Linux Enterprise Server 11 and 12 - Documented GPG encrypted Salt Pillars in the Salt book - In Client Configuration Guide, fixed channel configuration and registration of Expanded Support clients - Clarified channel label name in Registering Clients with RHUI section of the Client Configuration Guide (bsc#1196067) - In Throubleshooting Synchronization chapter in the Administration Guide added instructionsfor GPG removal - In Client Configuration Guide, integrated SUSE Linux Enterprise Micro Client documentation next to SUSE Linux Enterprise Client documentation and other related documentation improvements (bsc#1195145) - Added a warning about the origin of the salt-minion package in the Register on the Command Line (Salt) section of the Client Configuration Guide - Add troubleshooting section about avoiding package conflicts with custom channels susemanager-schema: - Version 4.2.21-1 * fix check on allowVendorChange * fix advisory status migration (bsc#1195765) * FIX error when an image profile / store is deleted during build / inspect action (bsc#1191597, bsc#1192150) susemanager-sls: - Version 4.2.21-1 * Improve `pkgset` beacon with using `salt.cache` to notify about the changes made while the minion was stopped * Align the code of pkgset beacon to prevent warnings (bsc#1194464) * fixing how the return code is returned in mgrutil runner (bsc#1194909) * Fix errors on calling sed -E ... by force_restart_minion with action chains * Avoid using lscpu -J option in grains (bsc#1195920) * Postgres exporter package was renamed * fix deprecation warnings virtualization-formulas: - Update to version 0.6.2 * Ensure qemu-ksm is installed on host How to apply this update: 1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk service: `spacewalk-service stop` 3. Apply the patch using either zypper patch or YaST Online Update. 4. Start the Spacewalk service: `spacewalk-service start` Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SUSE Manager Server 4.2: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-1397=1 PackageList: - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64): hub-xmlrpc-api-0.7-150300.3.6.1 inter-server-sync-0.1.0-150300.8.12.1 inter-server-sync-debuginfo-0.1.0-150300.8.12.1 patterns-suma_retail-4.2-150300.4.9.1 patterns-suma_server-4.2-150300.4.9.1 py26-compat-msgpack-python-0.4.6-150300.4.3.1 py26-compat-msgpack-python-debuginfo-0.4.6-150300.4.3.1 py26-compat-msgpack-python-debugsource-0.4.6-150300.4.3.1 smdba-1.7.10-0.150300.3.3.1 spacewalk-branding-4.2.13-150300.3.9.1 susemanager-4.2.28-150300.3.22.1 susemanager-tools-4.2.28-150300.3.22.1 - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch): c3p0-0.9.5.5-150300.4.6.1 grafana-formula-0.7.0-150300.3.6.1 mgr-osa-dispatcher-4.2.8-150300.2.9.1 mgr-push-4.2.5-150300.2.9.1 prometheus-exporters-formula-1.2.0-150300.3.9.1 python3-mgr-osa-common-4.2.8-150300.2.9.1 python3-mgr-osa-dispatcher-4.2.8-150300.2.9.1 python3-mgr-push-4.2.5-150300.2.9.1 python3-rhnlib-4.2.6-150300.4.9.1 python3-spacewalk-certs-tools-4.2.15-150300.3.15.1 python3-spacewalk-client-tools-4.2.18-150300.4.18.1 python3-suseRegisterInfo-4.2.6-150300.4.9.1 saltboot-formula-0.1.1645440615.7f1328c-150300.3.9.1 spacecmd-4.2.16-150300.4.18.1 spacewalk-admin-4.2.10-150300.3.9.1 spacewalk-backend-4.2.20-150300.4.18.1 spacewalk-backend-app-4.2.20-150300.4.18.1 spacewalk-backend-applet-4.2.20-150300.4.18.1 spacewalk-backend-config-files-4.2.20-150300.4.18.1 spacewalk-backend-config-files-common-4.2.20-150300.4.18.1 spacewalk-backend-config-files-tool-4.2.20-150300.4.18.1 spacewalk-backend-iss-4.2.20-150300.4.18.1 spacewalk-backend-iss-export-4.2.20-150300.4.18.1 spacewalk-backend-package-push-server-4.2.20-150300.4.18.1 spacewalk-backend-server-4.2.20-150300.4.18.1 spacewalk-backend-sql-4.2.20-150300.4.18.1 spacewalk-backend-sql-postgresql-4.2.20-150300.4.18.1 spacewalk-backend-tools-4.2.20-150300.4.18.1 spacewalk-backend-xml-export-libs-4.2.20-150300.4.18.1 spacewalk-backend-xmlrpc-4.2.20-150300.4.18.1 spacewalk-base-4.2.26-150300.3.18.2 spacewalk-base-minimal-4.2.26-150300.3.18.2 spacewalk-base-minimal-config-4.2.26-150300.3.18.2 spacewalk-certs-tools-4.2.15-150300.3.15.1 spacewalk-client-tools-4.2.18-150300.4.18.1 spacewalk-config-4.2.6-150300.3.6.1 spacewalk-html-4.2.26-150300.3.18.2 spacewalk-java-4.2.34-150300.3.26.2 spacewalk-java-config-4.2.34-150300.3.26.2 spacewalk-java-lib-4.2.34-150300.3.26.2 spacewalk-java-postgresql-4.2.34-150300.3.26.2 spacewalk-taskomatic-4.2.34-150300.3.26.2 subscription-matcher-0.29-150300.6.6.1 supportutils-plugin-susemanager-4.2.4-150300.3.6.1 suseRegisterInfo-4.2.6-150300.4.9.1 susemanager-doc-indexes-4.2-150300.12.22.1 susemanager-docs_en-4.2-150300.12.22.1 susemanager-docs_en-pdf-4.2-150300.12.22.1 susemanager-schema-4.2.21-150300.3.18.1 susemanager-sls-4.2.21-150300.3.20.1 uyuni-config-modules-4.2.21-150300.3.20.1 virtualization-formulas-0.6.2-150300.8.6.1 References: https://www.suse.com/security/cve/CVE-2018-20433.html https://www.suse.com/security/cve/CVE-2019-5427.html https://bugzilla.suse.com/1133198 https://bugzilla.suse.com/1173527 https://bugzilla.suse.com/1186336 https://bugzilla.suse.com/1191360 https://bugzilla.suse.com/1191597 https://bugzilla.suse.com/1192150 https://bugzilla.suse.com/1192822 https://bugzilla.suse.com/1193448 https://bugzilla.suse.com/1194363 https://bugzilla.suse.com/1194447 https://bugzilla.suse.com/1194464 https://bugzilla.suse.com/1194909 https://bugzilla.suse.com/1195043 https://bugzilla.suse.com/1195145 https://bugzilla.suse.com/1195271 https://bugzilla.suse.com/1195282 https://bugzilla.suse.com/1195294 https://bugzilla.suse.com/1195666 https://bugzilla.suse.com/1195712 https://bugzilla.suse.com/1195750 https://bugzilla.suse.com/1195757 https://bugzilla.suse.com/1195762 https://bugzilla.suse.com/1195765 https://bugzilla.suse.com/1195772 https://bugzilla.suse.com/1195920 https://bugzilla.suse.com/1196067 https://bugzilla.suse.com/1196094 https://bugzilla.suse.com/1196407 https://bugzilla.suse.com/1196455 https://bugzilla.suse.com/1196693 https://bugzilla.suse.com/1196704 https://bugzilla.suse.com/1196977 https://bugzilla.suse.com/1197007 . New patch released for SUSE Manager Server 4.2, containing 31 improvements and security updates to mitigate vulnerabilities.. SUSE Manager Server, security update, software fixes, patch management. . Severity: Important. LinuxSecurity.com Team

Apr 25, 2022 •Important SuSE