SUSE-SU-2014:0223-1: moderate: Security update for Spacewalk stack

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Tue Feb 11 11:07:24 MST 2014 

   SUSE Security Update: Security update for Spacewalk stack
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0223-1
Rating:             moderate
References:         #846356 #850925 #853913 #854090 #855610 
Cross-References:   CVE-2013-4415
Affected Products:
                    SUSE Manager Proxy 1.7 for SLE 11 SP2
______________________________________________________________________________

   An update that solves one vulnerability and has four fixes
   is now available. It includes four new package versions.

Description:


   This SUSE Manager Proxy update fixes the following security
   issue and bugs:

   spacewalk-backend:

   * Check for empty result before printing software
   entitlement. (bnc#853913)
   * Added extra log folder to spacewalk-debug.
   (bnc#854090)
   * Better detection for SUSE KVM and Cloud systems.

   spacewalk-certs-tools:

   * Older versions of ssh-copy-id do not support the -o
   switch.
   * ssh-keygen fails with an error when known_hosts
   doesn't exist.
   * Call the new script from the old one and print
   deprecation warning.
   * New ssh-push client initialization script.

   spacewalk-proxy:

   * Fixed client registration via proxy. (bnc#855610)

   spacewalk-web:

   * CVE-2013-4415: PAGE_SIZE_LABEL_SELECTED cross-site
   scripting. (bnc#850925)
   * Put the given year in the valid range. (bnc#846356)
   * Paste event handler parsing CVE identifiers with
   Javascript. (bnc#846356)

   How to apply this update:

   1. Log in as root user to the SUSE Manager proxy. 2. Stop
   the proxy service: spacewalk-proxy stop 3. Apply the patch
   using either zypper patch or YaST Online Update. 4. Start
   the Spacewalk service: spacewalk-proxy start

   Security Issues:

   * CVE-2013-4415
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4415
   >


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager Proxy 1.7 for SLE 11 SP2:

      zypper in -t patch slemap17sp2-suse-manager-proxy-201401-8818

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Manager Proxy 1.7 for SLE 11 SP2 (x86_64) [New Version: 1.7.38.31]:

      spacewalk-backend-1.7.38.31-0.5.1
      spacewalk-backend-libs-1.7.38.31-0.5.1

   - SUSE Manager Proxy 1.7 for SLE 11 SP2 (noarch) [New Version: 1.7.12.14,1.7.28.20 and 1.7.3.11]:

      spacewalk-base-minimal-1.7.28.20-0.5.1
      spacewalk-certs-tools-1.7.3.11-0.5.1
      spacewalk-proxy-broker-1.7.12.14-0.5.1
      spacewalk-proxy-common-1.7.12.14-0.5.1
      spacewalk-proxy-management-1.7.12.14-0.5.1
      spacewalk-proxy-package-manager-1.7.12.14-0.5.1
      spacewalk-proxy-redirect-1.7.12.14-0.5.1


References:

   http://support.novell.com/security/cve/CVE-2013-4415.html
   https://bugzilla.novell.com/846356
   https://bugzilla.novell.com/850925
   https://bugzilla.novell.com/853913
   https://bugzilla.novell.com/854090
   https://bugzilla.novell.com/855610
   http://download.novell.com/patch/finder/?keywords=1dc3b35801903770f664389364a3d72e

More information about the sle-security-updates mailing list