
SUSE: 2021:0448-1 Moderate: XXE Injection in Manager Server 4.0

An update that solves one vulnerability and has 27 fixes is now available.

SUSE Security Update: Security update for SUSE Manager Server 4.0
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:0448-1
Rating: moderate
References: #1164227 #1164451 #1171836 #1176018 #1176417 #1176823 #1176898 #1176906 #1177031 #1177184 #1177336 #1177508 #1178303 #1178503 #1178647 #1178839 #1179087 #1179273 #1179410 #1179552 #1179589 #1179872 #1179990 #1180001 #1180127 #1180285 #1180803 #1181356
Cross-References: CVE-2021-23901
CVSS scores: CVE-2021-23901 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products: SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________

Description:

This update fixes the following issues:

cpu-mitigations-formula:

- Handle unsupported target systems gracefully (bsc#1179273)
- add mitigations for Xen hypervisor

nutch-core:

- Fix XXE injection in DmozParser CVE-2021-23901 (bsc#1181356)

smdba:

- Do not remove the database if there is no backup and deal with manifest
- Fix smdba throws error on mgr-setup/installation
- Raise an exception on failed external process call
- Fix TablePrint formatting
- Rename configuration parameter wal_keep_segments to wal_keep_size (jsc#SLE-17030)
- Revert modifying cpu_tuple_cost
- Adapted spec file for RHEL8
- Adapt recover mechanism for postgresql12 and later

spacecmd:

- Fix spacecmd with no parameters produces traceback on SLE 11 SP4 (bsc#1176823)

spacewalk-backend:

- Reposync: Fixed Kickstart functionality.
- Reposync: Fixed URLGrabber error handling.
- Reposync: Fix modulardata handling for cloned channels (bsc#1177508)
- Truncate author name in the changelog (bsc#1180285)
- Drop Transfer-Encoding header from proxy response to fix error response messages (bsc#1176906)
- Prevent tracebacks on missing mail configuration (bsc#1179990)
- Fix pycurl.error handling in suseLib.py (bsc#1179990)
- Use sanitized repo label to build reposync repo cache path (bsc#1179410)
- Quote the proxy settings to be used by Zypper (bsc#1179087)
- Fix spacewalk-repo-sync to successfully manage and sync ULN repositories
- Fix errors in spacewalk-debug and align postgresql queries to new DB version

spacewalk-branding:

- Set Copyright year to 2021

spacewalk-certs-tools:

- Improve check for correct CA trust store directory (bsc#1176417)

spacewalk-java:

- Fix modular data handling for cloned channels (bsc#1177508)
- Fix reboot action race condition (bsc#1177031)
- Fix availability check for debian repositories (bsc#1180127)
- Ignore duplicate NEVRAs in package profile update (bsc#1176018)
- Prevent deletion of CLM environments if they're used in an autoinstallation profile (bsc#1179552)
- Register saltkey XMLRPC handler and fix behavior of delete salt key (bsc#1179872)
- Add validation for custom repository labels
- Fix expanded support detection based on CentOS installations (bsc#1179589)
- Add translation strings for newly added countries and timezones (jsc#PM-2081)
- Fix the activation key handling from kickstart profile (bsc#1178647)
- Update exception message in findSyncedMandatoryChannels
- Fix check for available products on ISS Slaves (bsc#1177184)
- Get media.1/products for cloned channels (bsc#1178303)
- Calculate size to truncate a history message based on the htmlified version (bsc#1178503)
- Change message "Minion is down" to be more accurate
- XMLRPC: Report architecture label in the list of installed packages (bsc#1176898)

spacewalk-reports:

- Fixes no filecontent in `spacewalk-report config-files`
- Write ` ` placeholder instead of dumping binary data

spacewalk-utils:

- Fix modular data handling for cloned channels (bsc#1177508)

spacewalk-web:

- Prevent deletion of CLM environments if they're used in an autoinstallation profile (bsc#1179552)
- Fix mandatory channels JS API to finish loading in case of error (bsc#1178839)

supportutils-plugin-susemanager:

- Remove checks for obsolete packages
- Gather new configfiles
- Add more important information

susemanager-doc-indexes:

- Added new section for bootstrap repository for end of life products in Client Configuration Guide
- Remove old certs before renaming moved to Administration Guide (bsc#1171836)
- Fixed error in Create and Replace CA and Server Certificates of Administration Guide (bsc#1180001)
- Combining activation keys works only with traditional clients. Updated in Client Configuration Guide and Reference. (bsc#1164451)

susemanager-docs_en:

- Added new section for bootstrap repository for end of life products in Client Configuration Guide
- Remove old certs before renaming moved to Administration Guide (bsc#1171836)
- Fixed error in Create and Replace CA and Server Certificates of Administration Guide (bsc#1180001)
- Combining activation keys works only with traditional clients. Updated Client Configuration Guide and Reference. (bsc#1164451)

susemanager-frontend-libs:

- Update Bootstrap to 3.1.0

susemanager-schema:

- Add new valid countries and timezones (jsc#PM-2081)

susemanager-sls:

- Fix apt login for similar channel labels (bsc#1180803)
- Change behavior of mgrcompat wrapper after deprecation changes on Salt 3002
- Make autoinstallation provisioning compatible with GRUB and ELILO in addition to GRUB2 only (bsc#1164227)
- Fix: sync before start action chains (bsc#1177336)

susemanager-sync-data:

- Change centos 6 URLs to vault.centos.org
- Add new channel families for CAASP on ARM64 and HPC15 SP2 LTSS
- Remove duplicate repo definition

How to apply this update:

1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Upgrade the database schema: `spacewalk-schema-upgrade`
5. Start the Spacewalk service: `spacewalk-service start`

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.0:

  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2021-448=1

Package List:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64):

  smdba-1.7.8-0.3.3.2
  spacewalk-branding-4.0.19-3.21.3

- SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):

  cpu-mitigations-formula-0.3-4.9.2
  nutch-core-1.0.1-4.5.2
  python3-spacewalk-backend-libs-4.0.36-3.41.2
  python3-spacewalk-certs-tools-4.0.18-3.24.2
  spacecmd-4.0.22-3.25.2
  spacewalk-backend-4.0.36-3.41.2
  spacewalk-backend-app-4.0.36-3.41.2
  spacewalk-backend-applet-4.0.36-3.41.2
  spacewalk-backend-config-files-4.0.36-3.41.2
  spacewalk-backend-config-files-common-4.0.36-3.41.2
  spacewalk-backend-config-files-tool-4.0.36-3.41.2
  spacewalk-backend-iss-4.0.36-3.41.2
  spacewalk-backend-iss-export-4.0.36-3.41.2
  spacewalk-backend-package-push-server-4.0.36-3.41.2
  spacewalk-backend-server-4.0.36-3.41.2
  spacewalk-backend-sql-4.0.36-3.41.2
  spacewalk-backend-sql-postgresql-4.0.36-3.41.2
  spacewalk-backend-tools-4.0.36-3.41.2
  spacewalk-backend-xml-export-libs-4.0.36-3.41.2
  spacewalk-backend-xmlrpc-4.0.36-3.41.2
  spacewalk-base-4.0.26-3.39.3
  spacewalk-base-minimal-4.0.26-3.39.3
  spacewalk-base-minimal-config-4.0.26-3.39.3
  spacewalk-certs-tools-4.0.18-3.24.2
  spacewalk-html-4.0.26-3.39.3
  spacewalk-java-4.0.41-3.51.2
  spacewalk-java-config-4.0.41-3.51.2
  spacewalk-java-lib-4.0.41-3.51.2
  spacewalk-java-postgresql-4.0.41-3.51.2
  spacewalk-reports-4.0.6-3.3.2
  spacewalk-taskomatic-4.0.41-3.51.2
  spacewalk-utils-4.0.19-3.24.2
  supportutils-plugin-susemanager-4.0.5-3.6.2
  susemanager-doc-indexes-4.0-10.30.2
  susemanager-docs_en-4.0-10.30.2
  susemanager-docs_en-pdf-4.0-10.30.2
  susemanager-frontend-libs-4.0.3-4.6.2
  susemanager-schema-4.0.24-3.35.2
  susemanager-sls-4.0.32-3.40.2
  susemanager-sync-data-4.0.20-3.32.2
  susemanager-web-libs-4.0.26-3.39.3

References:

https://www.suse.com/security/cve/CVE-2021-23901.html
https://bugzilla.suse.com/1164227
https://bugzilla.suse.com/1164451
https://bugzilla.suse.com/1171836
https://bugzilla.suse.com/1176018
https://bugzilla.suse.com/1176417
https://bugzilla.suse.com/1176823
https://bugzilla.suse.com/1176898
https://bugzilla.suse.com/1176906
https://bugzilla.suse.com/1177031
https://bugzilla.suse.com/1177184
https://bugzilla.suse.com/1177336
https://bugzilla.suse.com/1177508
https://bugzilla.suse.com/1178303
https://bugzilla.suse.com/1178503
https://bugzilla.suse.com/1178647
https://bugzilla.suse.com/1178839
https://bugzilla.suse.com/1179087
https://bugzilla.suse.com/1179273
https://bugzilla.suse.com/1179410
https://bugzilla.suse.com/1179552
https://bugzilla.suse.com/1179589
https://bugzilla.suse.com/1179872
https://bugzilla.suse.com/1179990
https://bugzilla.suse.com/1180001
https://bugzilla.suse.com/1180127
https://bugzilla.suse.com/1180285
https://bugzilla.suse.com/1180803
https://bugzilla.suse.com/1181356

A patch for SUSE Manager Server 4.0 introduces an urgent security remedy and improves overall system trustworthiness.

LinuxSecurity.com Team
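To confirm the update landed after the steps above, the following added example (not part of the SUSE advisory) compares installed version-release strings against fixed builds taken from the advisory's package list. The version comparison is a simplified stand-in for rpm's own algorithm, the function names are hypothetical, and the installed values are constructed sample data.

```python
import re

# Fixed version-release values copied from the advisory's package list (subset).
FIXED = {
    "nutch-core": "1.0.1-4.5.2",
    "spacewalk-java": "4.0.41-3.51.2",
    "spacewalk-backend": "4.0.36-3.41.2",
    "smdba": "1.7.8-0.3.3.2",
}

def vercmp(a, b):
    """Simplified rpmvercmp (no tilde/caret handling): returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)            # compare numbers as numbers
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)

def outstanding(installed_lines):
    """Return {name: (installed, fixed)} for packages below the advisory's build."""
    result = {}
    for line in installed_lines:
        name, evr = line.split()
        fixed = FIXED.get(name)
        if fixed and evr_cmp(evr, fixed) < 0:
            result[name] = (evr, fixed)
    return result

# Constructed sample, in the shape printed by:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <packages>
SAMPLE = [
    "nutch-core 1.0.1-4.3.1",
    "spacewalk-java 4.0.41-3.51.2",
    "spacewalk-backend 4.0.35-3.38.1",
    "smdba 1.7.8-0.3.10.1",
]

if __name__ == "__main__":
    for name, (have, need) in sorted(outstanding(SAMPLE).items()):
        print(f"{name}: installed {have}, advisory ships {need}")
```

The smdba sample line shows why segments are compared numerically: release 0.3.10.1 is newer than 0.3.3.2, which a plain string comparison would get wrong.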

Feb 12, 2021 SuSE