SUSE-SU-2016:1367-1: moderate: Security update for SUSE Manager Server 2.1
sle-security-updates at lists.suse.com
Thu May 19 18:11:40 MDT 2016
SUSE Security Update: Security update for SUSE Manager Server 2.1
______________________________________________________________________________
Announcement ID: SUSE-SU-2016:1367-1
Rating: moderate
References: #922740 #924298 #958923 #961002 #961565 #962253
#966622 #966737 #966890 #968257 #968406 #968851
#970223 #970425 #970550 #970672 #970901 #970989
#971237 #972341 #973162 #973432 #973550 #974010
#974011 #974315 #976194 #976826 #978166
Cross-References: CVE-2015-0284 CVE-2016-2103 CVE-2016-2104
CVE-2016-3079 CVE-2016-3097
Affected Products:
SUSE Manager 2.1
______________________________________________________________________________
An update that solves 5 vulnerabilities and has 24 fixes is
now available.
Description:
This update for SUSE Manager Server 2.1 fixes the following issues:
cobbler:
- Add logrotate file for cobbler (bsc#976826)
- Fix cobbler yaboot handling (bsc#968406, bsc#966622)
osad:
- Fix file permissions (bsc#970550)
rhnlib:
- Use TLSv1_METHOD in SSL Context (bsc#970989)
spacewalk-backend:
- Mgr_ncc_sync: Adapt to bulk scheduling introduced in
scheduleSingleSatRepoSync
spacewalk-branding:
- Fix link to "Schedule patch updates" (bsc#973432)
- Fix link to scheduled action for SP migration (bsc#968257, bsc#974315)
- Fix: 'Advanced Search' title consistency
spacewalk-certs-tools:
- Fix file permissions (bsc#970550)
spacewalk-java:
- Recreate upgrade paths on every refresh (bsc#978166)
- Call cobbler sync after cobbler command is finished (bsc#966890)
- Under high load, the service wrapper may incorrectly interpret the
inability to get a response in time from taskomatic and kill it
(bsc#962253)
- Log permissions problems on channel access during SP migration
(bsc#970223)
- Unittests: support SLE-POS 11 SP3 as addon for SLES 11 SP4 (bsc#976194)
- Mgr-sync: use bulk channel reposync (bsc#961002)
- Double the backslashes when reading the config files from java
(bsc#958923)
- When generating repo metadata for a cloned channel, recursively fetch
keywords from the original channel (bsc#970901)
- Better logging for SP Migration feature (bsc#970223)
- Fix: 'Advanced Search' title consistency
- CVE-2015-0284: XSS when altering user details and going somewhere where
you are choosing user (bsc#922740)
- CVE-2016-3079, CVE-2016-2103, CVE-2016-2104, CVE-2016-3097: Fix multiple
XSS vulnerabilities (bsc#973162, bsc#974011, bsc#974010, bsc#973550)
- BugFix: 'Systems > Advanced Search' title and description consistency
(bsc#966737)
- Fix: correct behavior with visibility conditions of sub-tabs in
Systems/Misc page
- BugFix: add missing url mapping (bsc#961565)
- Fix kernel and initrd paths for creating autoinstallation tries
(bsc#966622)
- Fix tests for HAE-GEO on SLES 4 SAP (bsc#970425)
- Add unit tests for SLE-Live-Patching12 (bsc#924298)
spacewalk-utils:
- Bugfix: don't repeat channel labels
- Taskotop: a utility to monitor what Taskomatic is doing
- Fix file permissions (bsc#970550)
suseRegisterInfo:
- Fix file permissions (bsc#970550)
susemanager:
- Add packages to bootstrap repo (bsc#971237)
- Mgr-sync: use bulk channel reposync (bsc#961002)
- Mgr_ncc_sync: adapt to bulk scheduling introduced in
scheduleSingleSatRepoSync
- Add SLES 4 SAP to mgr-create-bootstrap-repo as an option (bsc#972341)
- Put packages only available in SLE12 SP1 in a separate list (bsc#970672)
- Fix file permissions (bsc#970550)
susemanager-sync-data:
- Support SLE-POS 11 SP3 as addon for SLES 11 SP4 (bsc#976194)
- HAE-GEO is an addon product for SLES 4 SAP (bsc#970425)
- Add support for SLE-Live-Patching12 (bsc#924298, bsc#968851)
susemanager-tftpsync:
- Rename change_tftpd_proxies.py to sync_post_tftpd_proxies.py and change
trigger type (bsc#966890)
How to apply this update:
1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: spacewalk-service stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: spacewalk-service start
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Manager 2.1:
zypper in -t patch sleman21-suse-manager-21-201605-12567=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Manager 2.1 (s390x x86_64):
cobbler-2.2.2-0.61.2
rhnlib-2.5.69.8-11.2
spacewalk-backend-2.1.55.25-24.5
spacewalk-backend-app-2.1.55.25-24.5
spacewalk-backend-applet-2.1.55.25-24.5
spacewalk-backend-config-files-2.1.55.25-24.5
spacewalk-backend-config-files-common-2.1.55.25-24.5
spacewalk-backend-config-files-tool-2.1.55.25-24.5
spacewalk-backend-iss-2.1.55.25-24.5
spacewalk-backend-iss-export-2.1.55.25-24.5
spacewalk-backend-libs-2.1.55.25-24.5
spacewalk-backend-package-push-server-2.1.55.25-24.5
spacewalk-backend-server-2.1.55.25-24.5
spacewalk-backend-sql-2.1.55.25-24.5
spacewalk-backend-sql-oracle-2.1.55.25-24.5
spacewalk-backend-sql-postgresql-2.1.55.25-24.5
spacewalk-backend-tools-2.1.55.25-24.5
spacewalk-backend-xml-export-libs-2.1.55.25-24.5
spacewalk-backend-xmlrpc-2.1.55.25-24.5
spacewalk-branding-2.1.33.16-18.2
suseRegisterInfo-2.1.12-14.2
susemanager-2.1.24-23.1
susemanager-tftpsync-2.1.2-11.2
susemanager-tools-2.1.24-23.1
- SUSE Manager 2.1 (noarch):
osa-dispatcher-5.11.33.11-15.2
spacewalk-certs-tools-2.1.6.10-18.3
spacewalk-java-2.1.165.23-20.1
spacewalk-java-config-2.1.165.23-20.1
spacewalk-java-lib-2.1.165.23-20.1
spacewalk-java-oracle-2.1.165.23-20.1
spacewalk-java-postgresql-2.1.165.23-20.1
spacewalk-taskomatic-2.1.165.23-20.1
spacewalk-utils-2.1.27.15-12.7
susemanager-sync-data-2.1.15-30.2
References:
https://www.suse.com/security/cve/CVE-2015-0284.html
https://www.suse.com/security/cve/CVE-2016-2103.html
https://www.suse.com/security/cve/CVE-2016-2104.html
https://www.suse.com/security/cve/CVE-2016-3079.html
https://www.suse.com/security/cve/CVE-2016-3097.html
https://bugzilla.suse.com/922740
https://bugzilla.suse.com/924298
https://bugzilla.suse.com/958923
https://bugzilla.suse.com/961002
https://bugzilla.suse.com/961565
https://bugzilla.suse.com/962253
https://bugzilla.suse.com/966622
https://bugzilla.suse.com/966737
https://bugzilla.suse.com/966890
https://bugzilla.suse.com/968257
https://bugzilla.suse.com/968406
https://bugzilla.suse.com/968851
https://bugzilla.suse.com/970223
https://bugzilla.suse.com/970425
https://bugzilla.suse.com/970550
https://bugzilla.suse.com/970672
https://bugzilla.suse.com/970901
https://bugzilla.suse.com/970989
https://bugzilla.suse.com/971237
https://bugzilla.suse.com/972341
https://bugzilla.suse.com/973162
https://bugzilla.suse.com/973432
https://bugzilla.suse.com/973550
https://bugzilla.suse.com/974010
https://bugzilla.suse.com/974011
https://bugzilla.suse.com/974315
https://bugzilla.suse.com/976194
https://bugzilla.suse.com/976826
https://bugzilla.suse.com/978166