SUSE-SU-2019:2930-1: moderate: Security update for SUSE Manager Server 4.0

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Thu Nov 7 23:16:40 MST 2019


   SUSE Security Update: Security update for SUSE Manager Server 4.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:2930-1
Rating:             moderate
References:         #1133429 #1135442 #1136959 #1138358 #1138454 
                    #1142309 #1142764 #1142774 #1143016 #1143562 
                    #1143789 #1144300 #1144500 #1144510 #1144515 
                    #1144889 #1145086 #1145119 #1145551 #1145587 
                    #1145626 #1145744 #1145750 #1145753 #1145758 
                    #1145769 #1145873 #1146416 #1146419 #1146683 
                    #1146869 #1148169 #1149075 #1149210 #1149353 
                    #1149409 #1149425 #1149633 #1150113 #1150154 
                    #1150180 #1150314 #1150729 #1151097 #1151280 
                    #1151399 #1151467 #1151481 #1151666 #1151875 
                    #1152170 #1152290 #1152514 #1152735 #1153277 
                    #1153578 #1154275 #1155656 #1155794 
Cross-References:   CVE-2019-10088 CVE-2019-10093 CVE-2019-10094
                   
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________

   An update that solves three vulnerabilities and has 56
   fixes is now available.

Description:


   This update fixes the following issues:

   cobbler:

   - Fix for install loop caused by autoinstallation profiles (bsc#1151875)
   - Update module config description to match new parameters
   - Add config migration script and run it in the post-install script
   - Fix for config backups in post install script (bsc#1149075)
   - Move apache config file cobbler.conf to conf.d directory and remove the
     VirtualHost container as it overwrites rules already set in conf.d
   - Realignment with Cobbler 3.0.0 release candidate.
   - Fix for typo in settings for scm_track module.
   - Optimization for settings loading in scm_track module.

   cpu-mitigations-formula:

   - Fix grub entry changed for sle12* so it matches sle15* (bsc#1145873)

   mgr-osad:

   - Obsolete all old python2-osa* packages to avoid conflicts (bsc#1152290)

   patterns-suse-manager:

   - Add recommends for cpu-mitigations-formula

   pgjdbc-ng:

   - Allow dots in database name (bsc#1146416)

   prometheus-exporters-formula:

   - Allow to configure arbitrary arguments when running exporters
   - Add support for Debian/Ubuntu and Red Hat systems (RHEL/CentOS)
   - Install the LICENSE together with the package

   py26-compat-salt:

   - Get tornado dependency from the system on SLE12 (bsc#1149409)

   python-susemanager-retail:

   - Update to version 0.1.1568808472.be9f236
   - Parse partition type 82 as swap in SLEPOS migration (bsc#1136959)
   - Allow kernel command line for branches to be set as an option to
     retail_branch_init CLI
   - Automatically calculate dhcp dynamic range from branch ip if not set

   python-urlgrabber:

   - Allow non-integer values for URLGRABBER_DEBUG env variable (bsc#1152514)
   - Fixes usage of log level lookup for Python3 (bsc#1146683)

   spacecmd:

   - Java API expects content as an encoded string instead of encoded bytes
     as before (bsc#1153277)
   - Fix building and installing on CentOS8/RES8/RHEL8
   - Check that a channel doesn't have clones before deleting it (bsc#1138454)

   spacewalk-admin:

   - Avoid a "Permission denied" salt error when publisher_acl is set
     (bsc#1150154)

   spacewalk-backend:

   - Fix re-registration with re-activation key (bsc#1154275)
   - Change the default value of taskomatic maxmemory to 4GB
   - Add basic support for importing modular repositories
   - Import additional fields for Deb packages
   - Add script to update additional fields in the DB for existing Deb
     packages
   - Use active values for diskchecker mails
   - Parse restart_suggested flag from patches and set it as keywords
     (bsc#1151467)
   - Improve error message when deleting channel that's in a content
     lifecycle project (bsc#1145769)
   - Prevent "reposync" crash when handling metadata on RPM repos
     (bsc#1138358)
   - Do not show expected WARNING messages from "c_rehash"
   - Fix misspelling in spacewalk-repo-sync (bsc#1149633)
   - Remove credentials also from potential rhn.conf backup files in
     spacewalk-debug (bsc#1146419)
   - Do not crash 'rhn-satellite-exporter' with ModuleNotFound error
     (bsc#1146869)
   - Spacewalk-remove-channel check that channel doesn't have cloned channels
     before deleting it (bsc#1138454)
   - Fix broken spacewalk-data-fsck utility
   - Add '--latest' support for reposync on DEB based repositories
   - Do not try to download RPMs from the unresolved mirrorlist URL
   - Fix encoding issues with DB bytes values (bsc#1144300)
   - Fix import of rhnAuthPAM to avoid issues when using rhnpush.
   - Avoid traceback on mgr-inter-sync when there are problems with cache of
     packages (bsc#1143016)

   spacewalk-branding:

   - Improve menu scrollbar style for firefox
   - Add UI message when salt-formulas system folders are unreachable
     (bsc#1142309)

   spacewalk-certs-tools:

   - Require mgr-daemon (new name of spacewalksd) so that systems with
     spacewalksd always get the new package installed (bsc#1149353)

   spacewalk-client-tools:

   - Require mgr-daemon (new name of spacewalksd) so that systems with
     spacewalksd always get the new package installed (bsc#1149353)
   - Enable spacewalk-update-service on package installation (bsc#1143789)
   - Invalidate cache 5 minutes before actual expiration (bsc#1143562)

   spacewalk-config:

   - Change the default value of taskomatic maxmemory to 4GB
   - Resolve modules.yaml file for modular repositories

   spacewalk-java:

   - Change the default value of taskomatic maxmemory to 4GB
   - Silence cache strategy Hibernate warning
   - Return result in a type compatible with the one defined in the database
     procedure (bsc#1150729)
   - Allow channel names to start with numbers
   - Fix: handle special deb package names (bsc#1150113)
   - Remove extra spaces in dependencies fields in Debian repo Packages file
     (bsc#1145551)
   - Allow monitoring for managed systems running Ubuntu 18.04 and RedHat 6/7
   - Improve performance for 'Manage Software Channels' view (bsc#1151399)
   - Import additional fields for Deb packages
   - Use value from systemd unit file if not set in /etc/rhn/rhn.conf
   - Implement "keyword" filter for Content Lifecycle Management
   - Add support for Azure, Amazon EC2, and Google Compute Engine as Virtual
     Host Manager.
   - Allow ssl connections from Tomcat to Postgres (bsc#1149210)
   - Use default in case taskomatic.java.maxmemory is unset
   - Fix parsing of /etc/rhn/rhn.conf for taskomatic.java.maxmemory
     (bsc#1151097)
   - Change form order and change project creation message (bsc#1145744)
   - Use 'SCC organization credentials' instead of 'SCC credentials' in error
     message (bsc#1149425)
   - Implement "regular expression" Filter for Content Lifecycle Management
     matching package names, patch name, patch synopsis and package names in
     patches
   - Implement provisioning for salt clients
   - Explicitly mention in API docs that to preserve LF/CR, the user needs to
     encode the data (bsc#1135442)
   - New Single Page Application engine for the UI. It can be enabled with
     the config 'web.spa.enable' set to true
   - Check that a channel doesn't have clones before deleting it (bsc#1138454)
   - Fix documentation of contentmanagement handler (bsc#1145753)
   - Add new API endpoint to list available Filter Criteria
   - Improve API documentation of Filter Criteria
   - Implement "patch contains package" Filter for Content Lifecycle
     Management
   - Implement patch "by type" Filter for Content Lifecycle Management
   - Improve websocket authentication to prevent errors in logs (bsc#1138454)
   - Implement filtering errata by synopsis in Content Lifecycle Management
   - Normalize date formats for actions, notifications and clm (bsc#1142774)
   - Implement ALLOW filters in Content Lifecycle Management
   - Implement "by date" Filter for Content Lifecycle Management
   - UI render without error if salt-formulas system folders are unreachable
     (bsc#1142309)
   - Cloning Errata from a specific channel should not take packages from
     other channels (bsc#1142764)
   - Add susemanager as prerequired for spacewalk-java

   spacewalk-setup:

   - Fix cobbler authentication module configuration required for new cobbler
     package
   - Configure 150 Tomcat workers by default, matching httpd's MaxClients

   spacewalk-utils:

   - Add FQDN resolver for spacewalk-manage-channel-lifecycle (bsc#1153578)
   - Common-channels: Fix repo type assignment for type YUM

   spacewalk-web:

   - Redirect to project when canceling creating a filter (bsc#1145750)
   - Better visualization of the filters attached to a CLM Project.
     Allow/deny are now split
   - Fix ui issues with content lifecycle project list page (bsc#1145587)
   - Implement "keyword" filter for Content Lifecycle Management
   - Enable Azure, Amazon EC2 and Google Compute Engine as available Virtual
     Host Managers
   - Trim strings when creating/updating image stores/profiles (bsc#1133429)
   - Show loading spin while loading salt keys data (bsc#1150180)
   - CLM - Disable clones by default of the shown CLM Project sources
   - Change form order and change project creation message (bsc#1145744)
   - Add UI message when salt-formulas system folders are unreachable
     (bsc#1142309)
   - Implement "regular expression" Filter for Content Lifecycle Management
     matching package names, patch name, patch synopsis and package names in
     patches
   - New Single Page Application engine for the UI. It can be enabled with
     the config 'web.spa.enable' set to true
   - Add environment label when deleting environment (bsc#1145758)
   - Change color of disabled build button on clp page (bsc#1145626)
   - Fix the 'include recommended' button on channels selection in SSM
     (bsc#1145086)
   - Implement "patch contains package" Filter for Content Lifecycle
     Management
   - Implement patch "by type" Filter for Content Lifecycle Management
   - Implement filtering errata by synopsis in Content Lifecycle Management
   - Normalize date formats for actions, notifications and clm (bsc#1142774)
   - Implement ALLOW filters in Content Lifecycle Management
   - Implement "by date" Filter for Content Lifecycle Management

   susemanager:

   - Require dmidecode only for SLE12 aarch64 and x86_64 (bsc#1152170)
   - Require pmtools only for SLE11 i586 and x86_64 (bsc#1150314)
   - Fix test for btrfs subvolume for new btrfs version (bsc#1151666)
   - Ensure working directory is /root during setup (bsc#1148169)
   - Dmidecode does not exist on s390x (bsc#1145119)

   susemanager-docs_en:

   - Update text and images (mu-4.0.3); many changes caused by Technical and
     Content Reviews.
   - Added partition permissions to Install Guide (bsc#1152735)
   - Move Disconnected Setup from Client Config to Admin Guide
   - Updated references to documentation.suse.com (was:
     www.suse.com/documentation)
   - Increase default value for taskomatic to 4GB
   - Registering to proxy information in Install Guide
   - Edits to Prometheus section in Admin Guide
   - Update database migration section in Upgrade Guide
   - Update server update, upgrade, and migration chapters in Upgrade Guide
   - Update server installation and setup chapters
   - Update proxy installation and setup chapters
   - Add section about maintenance window in Admin Guide
   - Update Kubernetes chapter
   - Admin Guide: ISS: Adapt the CA path to correspond to SLES 15.1
   - Update image management
   - Update channel management screenshot in Reference
   - Update CLM
   - Provide basic documentation on foreign clients
   - Update info on mgr-sync
   - New images added to Retail Guide
   - Minor edits in Salt Guide
   - Improvements to Troubleshooting section in Admin Guide
   - Removed reference to SLP in Install Guide
   - Minor edits to SSM in Client Config Guide

   susemanager-schema:

   - Fix in schema migration script when recreating the 'suseUserRoleView'
     (bsc#1151280)
   - Fix: handle special deb package names (bsc#1150113)
   - Refactor in suseChannelUserRoleView for retrieving the parent_channel_id
     (bsc#1151399)
   - Add tables rhnPackageExtraTag and rhnPackageExtraTagKey
   - Allow monitoring for Ubuntu systems
   - Add new types needed for Azure, Amazon EC2 and Google CE
   - Enable provisioning for salt clients
   - Allow package changelog entries with more than 3000 characters
     (bsc#1144889)

   susemanager-sls:

   - Require pmtools only for SLE11 i586 and x86_64 (bsc#1150314)
   - Introduce dnf-susemanager-plugin for RHEL8 minions
   - Provide custom grain to report "instance id" when running on Public
     Cloud instances
   - Disable legacy startup events for new minions
   - Implement provisioning for salt clients
   - Dmidecode does not exist on ppc64le and s390x (bsc#1145119)
   - Update susemanager.conf to use adler32 for computing the server_id for
     new minions
   - Do not show errors when polling internal metadata API (bsc#1155794)
   - Add missing "public_cloud" custom grain (bsc#1155656)

   susemanager-sync-data:

   - Ubuntu repositories released

   tika-core:

   - New upstream version 1.2.2. Fixes:
     * OOM from a crafted Zip File in Apache Tika's RecursiveParserWrapper
       (CVE-2019-10088) (bsc#1144500).
     * Denial of Service in Apache Tika's 2003ml and 2006ml Parsers
       (CVE-2019-10093) (bsc#1144510).
     * StackOverflow from Crafted Package/Compressed Files in Apache Tika's
       RecursiveParserWrapper (CVE-2019-10094) (bsc#1144515).

   virtual-host-gatherer:

   - Add new modules to deal with Amazon EC2, Azure and Google Compute


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2019-2930=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64):

      patterns-suma_retail-4.0-9.3.8
      patterns-suma_server-4.0-9.3.8
      spacewalk-branding-4.0.14-3.6.8
      susemanager-4.0.17-3.6.9
      susemanager-tools-4.0.17-3.6.9

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):

      cobbler-3.0.0+git20190806.32c4bae0-7.3.7
      cpu-mitigations-formula-0.1-4.6.7
      mgr-osa-dispatcher-4.0.10-3.6.8
      pgjdbc-ng-0.7.1-3.3.8
      prometheus-exporters-formula-0.4-3.3.7
      pxe-default-image-sle15-4.0.0-20191106084601
      py26-compat-salt-2016.11.10-10.8.8
      python3-mgr-osa-common-4.0.10-3.6.8
      python3-mgr-osa-dispatcher-4.0.10-3.6.8
      python3-spacewalk-backend-libs-4.0.27-3.13.9
      python3-spacewalk-certs-tools-4.0.12-3.6.8
      python3-spacewalk-client-tools-4.0.10-3.6.8
      python3-susemanager-retail-1.0.1568808472.be9f236-3.6.7
      python3-urlgrabber-3.10.2.1py2_3-6.22.6
      spacecmd-4.0.16-3.6.7
      spacewalk-admin-4.0.8-3.3.8
      spacewalk-backend-4.0.27-3.13.9
      spacewalk-backend-app-4.0.27-3.13.9
      spacewalk-backend-applet-4.0.27-3.13.9
      spacewalk-backend-config-files-4.0.27-3.13.9
      spacewalk-backend-config-files-common-4.0.27-3.13.9
      spacewalk-backend-config-files-tool-4.0.27-3.13.9
      spacewalk-backend-iss-4.0.27-3.13.9
      spacewalk-backend-iss-export-4.0.27-3.13.9
      spacewalk-backend-package-push-server-4.0.27-3.13.9
      spacewalk-backend-server-4.0.27-3.13.9
      spacewalk-backend-sql-4.0.27-3.13.9
      spacewalk-backend-sql-postgresql-4.0.27-3.13.9
      spacewalk-backend-tools-4.0.27-3.13.9
      spacewalk-backend-xml-export-libs-4.0.27-3.13.9
      spacewalk-backend-xmlrpc-4.0.27-3.13.9
      spacewalk-base-4.0.16-3.9.8
      spacewalk-base-minimal-4.0.16-3.9.8
      spacewalk-base-minimal-config-4.0.16-3.9.8
      spacewalk-certs-tools-4.0.12-3.6.8
      spacewalk-client-tools-4.0.10-3.6.8
      spacewalk-config-4.0.13-3.3.7
      spacewalk-html-4.0.16-3.9.8
      spacewalk-java-4.0.25-3.10.5
      spacewalk-java-config-4.0.25-3.10.5
      spacewalk-java-lib-4.0.25-3.10.5
      spacewalk-java-postgresql-4.0.25-3.10.5
      spacewalk-setup-4.0.11-3.6.7
      spacewalk-taskomatic-4.0.25-3.10.5
      spacewalk-utils-4.0.13-3.6.8
      susemanager-doc-indexes-4.0-10.9.8
      susemanager-docs_en-4.0-10.9.7
      susemanager-docs_en-pdf-4.0-10.9.7
      susemanager-retail-tools-1.0.1568808472.be9f236-3.6.7
      susemanager-schema-4.0.16-3.8.5
      susemanager-sls-4.0.22-3.10.4
      susemanager-sync-data-4.0.13-3.6.7
      susemanager-web-libs-4.0.16-3.9.8
      tika-core-1.22-3.3.7
      virtual-host-gatherer-1.0.19-3.3.8
      virtual-host-gatherer-Kubernetes-1.0.19-3.3.8
      virtual-host-gatherer-VMware-1.0.19-3.3.8
      virtual-host-gatherer-libcloud-1.0.19-3.3.8
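One way to confirm that a server actually carries the builds from this advisory's package list, written here as an added example (not SUSE's own tooling): it re-implements rpm's version comparison for 'VERSION-RELEASE' strings and checks constructed `rpm -qa` output against a subset of the list above.

```python
"""Check installed SUSE Manager Server 4.0 packages against the builds
shipped in SUSE-SU-2019:2930-1 (added example, not SUSE's own tooling)."""
import re

# Minimum fixed builds copied from the advisory's "Package List" section
# (a subset; extend with the remaining entries of that list as needed).
FIXED = {
    "cobbler": "3.0.0+git20190806.32c4bae0-7.3.7",
    "tika-core": "1.22-3.3.7",
    "python3-urlgrabber": "3.10.2.1py2_3-6.22.6",
    "susemanager": "4.0.17-3.6.9",
}

def _segments(s):
    # rpm compares runs of digits and runs of letters; '.', '-', '+', '_'
    # and other separators only delimit segments.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return -1/0/1 like rpm's rpmvercmp: numeric segments compare as
    integers, alphabetic ones lexically, a numeric segment beats an
    alphabetic one at the same position (tilde/caret rules omitted)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'VERSION-RELEASE' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def missing_fixes(rpm_qa_output):
    """Parse lines of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\\n'` and
    return (name, installed, required) for each listed package that is
    installed but older than the advisory's build."""
    out = []
    for line in rpm_qa_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in FIXED:
            continue
        name, installed = parts
        if evr_cmp(installed, FIXED[name]) < 0:
            out.append((name, installed, FIXED[name]))
    return out

# Constructed sample `rpm -qa` output: two packages still predate the update.
SAMPLE = """\
tika-core 1.20-2.1.5
cobbler 3.0.0+git20190806.32c4bae0-7.3.7
python3-urlgrabber 3.10.2.1py2_3-6.22.6
susemanager 4.0.16-3.4.2
"""
```

Packages absent from the output are skipped, since an uninstalled package is not affected; `zypper patch-info` on the patch name from the instructions above is the authoritative check.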


References:

   https://www.suse.com/security/cve/CVE-2019-10088.html
   https://www.suse.com/security/cve/CVE-2019-10093.html
   https://www.suse.com/security/cve/CVE-2019-10094.html
   https://bugzilla.suse.com/1133429
   https://bugzilla.suse.com/1135442
   https://bugzilla.suse.com/1136959
   https://bugzilla.suse.com/1138358
   https://bugzilla.suse.com/1138454
   https://bugzilla.suse.com/1142309
   https://bugzilla.suse.com/1142764
   https://bugzilla.suse.com/1142774
   https://bugzilla.suse.com/1143016
   https://bugzilla.suse.com/1143562
   https://bugzilla.suse.com/1143789
   https://bugzilla.suse.com/1144300
   https://bugzilla.suse.com/1144500
   https://bugzilla.suse.com/1144510
   https://bugzilla.suse.com/1144515
   https://bugzilla.suse.com/1144889
   https://bugzilla.suse.com/1145086
   https://bugzilla.suse.com/1145119
   https://bugzilla.suse.com/1145551
   https://bugzilla.suse.com/1145587
   https://bugzilla.suse.com/1145626
   https://bugzilla.suse.com/1145744
   https://bugzilla.suse.com/1145750
   https://bugzilla.suse.com/1145753
   https://bugzilla.suse.com/1145758
   https://bugzilla.suse.com/1145769
   https://bugzilla.suse.com/1145873
   https://bugzilla.suse.com/1146416
   https://bugzilla.suse.com/1146419
   https://bugzilla.suse.com/1146683
   https://bugzilla.suse.com/1146869
   https://bugzilla.suse.com/1148169
   https://bugzilla.suse.com/1149075
   https://bugzilla.suse.com/1149210
   https://bugzilla.suse.com/1149353
   https://bugzilla.suse.com/1149409
   https://bugzilla.suse.com/1149425
   https://bugzilla.suse.com/1149633
   https://bugzilla.suse.com/1150113
   https://bugzilla.suse.com/1150154
   https://bugzilla.suse.com/1150180
   https://bugzilla.suse.com/1150314
   https://bugzilla.suse.com/1150729
   https://bugzilla.suse.com/1151097
   https://bugzilla.suse.com/1151280
   https://bugzilla.suse.com/1151399
   https://bugzilla.suse.com/1151467
   https://bugzilla.suse.com/1151481
   https://bugzilla.suse.com/1151666
   https://bugzilla.suse.com/1151875
   https://bugzilla.suse.com/1152170
   https://bugzilla.suse.com/1152290
   https://bugzilla.suse.com/1152514
   https://bugzilla.suse.com/1152735
   https://bugzilla.suse.com/1153277
   https://bugzilla.suse.com/1153578
   https://bugzilla.suse.com/1154275
   https://bugzilla.suse.com/1155656
   https://bugzilla.suse.com/1155794
