SUSE-SU-2017:1346-1: moderate: Security update for SUSE Manager Proxy 3.0
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Thu May 18 22:11:55 MDT 2017
SUSE Security Update: Security update for SUSE Manager Proxy 3.0
______________________________________________________________________________
Announcement ID: SUSE-SU-2017:1346-1
Rating: moderate
References: #1017422 #1017754 #1020904 #1023233 #1024714
#1025312 #1025758 #1026633 #1027873 #1029755
#1030342 #1031338 #1031659 #1031667 #1032256
#1033383 #1034956
Cross-References: CVE-2017-7470
Affected Products:
SUSE Manager Proxy 3.0
______________________________________________________________________________
An update that solves one vulnerability and has 16 fixes is
now available.
Description:
The following security issue in spacewalk-backend has been fixed:
- Non admin or disabled user cannot make changes to a system anymore using
spacewalk-channel. (bsc#1026633, CVE-2017-7470)
Additionally, the following non-security issues have been fixed:
rhnlib:
- Support all TLS versions in rpclib. (bsc#1025312)
spacewalk-backend:
- Do not fail with traceback when media.1 does not exist. (bsc#1032256)
- Create scap files dir beforehand. (bsc#1029755)
- Fix error if SPACEWALK_DEBUG_NO_REPORTS env variable is not present.
- Don't skip 'rhnErrataPackage' cleanup during an errata update.
(bsc#1023233)
- Add support for running spacewalk-debug without creating reports.
(bsc#1024714)
- Set scap store dir mod to 775 and group owner to susemanager.
- Incomplete_package_import: do import rhnPackageFile as it breaks some
package installations.
- Added traceback printing to the exception block.
- Change postgresql starting commands.
spacewalk-certs-tools:
- Always restart the minion regardless of its current state. (bsc#1034956)
- Correctly honor disabling of SSL in bootstrap script. (bsc#1033383)
- Add curl dependency and move mgr-proxy-ssh* to spacewalk-proxy package.
- Exit for non-traditional bootstrap scripts. (bsc#1020904)
- Rename mgr-ssh-proxy-force-cmd -> mgr-proxy-ssh-force-cmd.
- Add mgr-proxy-ssh-force-cmd, mgr-proxy-ssh-push-init to rpm.
- Add option to configure only sshd.
- Restrictive ssh options for user mgrsshtunnel.
spacewalk-client-tools:
- Fix reboot message to use correct product name. (bsc#1031667)
spacewalk-proxy:
- Add curl dependency and move mgr-proxy-ssh* to spacewalk-proxy package.
- Lower the use-file-instead-of-memory treshold. (bsc#1030342)
spacewalk-proxy-installer:
- Do not start firewall on proxy during configuration if not already
active. (bsc#1031338)
- Salt minions get repodata via a different URL; reflect by additional
squid rule. (bsc#1027873)
- Only warn if parent ssh-push pub key could not be retrieved.
- Generate and auth ssh push keys for user mgrsshtunnel.
- Authorize parent salt-ssh key on proxy.
- Generate proxy ssh-push key and authorize the previous proxy in the
chain.
- Generate own ssh-push key for proxy and authorize parent.
spacewalk-web:
- Remote Commands: Allow Web Socket to be opened on non-standard port.
- Improve remote cmd ui err handling.
- Show message when waiting for ssh minions times out.
- Fix remote cmd ui js err and timed out message.
- Remote cmd UI changes for salt-ssh minions.
- Fix broken help link for taskstatus. (bsc#1017422)
- Add js utility function to create Date objects in different timezones.
- Show proxy path in bootstrap UI.
- Clear proxy selection when clicking clear fields button.
- Check if proxy hostname is FQDN not name in UI.
- Show warn in bootstrap UI if proxy hostname is not a FQDN.
susemanager-sls:
- Add certificate state for CAASP.
- Add certificate state for SLES for SAP. (bsc#1031659)
- Pre-create empty top.sls with no-op. (bsc#1017754)
- Add xccdf result xslt.
- Fix mainframesysinfo module to use /proc/sysinfo on SLES11. (bsc#1025758)
- Set scap store dir mod to 775 and group owner to susemanager.
- Store uploaded scap files.
- Set minion own key owner to bootstrap ssh_push_sudo_user.
- Runner to generate ssh key and execute cmd via proxies.
- Change ssh bootstrap state to generate and auth keys for salt-ssh push
with tunnel.
- Authorize parent salt-ssh key on proxy.
How to apply this update: 1. Log in as root user to the SUSE Manager
proxy. 2. Stop the proxy service: spacewalk-proxy stop 3. Apply the patch
using either zypper patch or YaST Online Update. 4. Start the Spacewalk
service: spacewalk-proxy start
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Manager Proxy 3.0:
zypper in -t patch SUSE-SUSE-Manager-Proxy-3.0-2017-827=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Manager Proxy 3.0 (noarch):
rhnlib-2.5.84.4-6.1
spacewalk-backend-2.5.24.9-22.1
spacewalk-backend-libs-2.5.24.9-22.1
spacewalk-base-minimal-2.5.7.15-21.1
spacewalk-base-minimal-config-2.5.7.15-21.1
spacewalk-certs-tools-2.5.1.8-17.1
spacewalk-check-2.5.13.8-17.2
spacewalk-client-setup-2.5.13.8-17.2
spacewalk-client-tools-2.5.13.8-17.2
spacewalk-proxy-broker-2.5.1.7-15.1
spacewalk-proxy-common-2.5.1.7-15.1
spacewalk-proxy-installer-2.5.2.5-6.1
spacewalk-proxy-management-2.5.1.7-15.1
spacewalk-proxy-package-manager-2.5.1.7-15.1
spacewalk-proxy-redirect-2.5.1.7-15.1
spacewalk-proxy-salt-2.5.1.7-15.1
susemanager-sls-0.1.20-23.1
References:
https://www.suse.com/security/cve/CVE-2017-7470.html
https://bugzilla.suse.com/1017422
https://bugzilla.suse.com/1017754
https://bugzilla.suse.com/1020904
https://bugzilla.suse.com/1023233
https://bugzilla.suse.com/1024714
https://bugzilla.suse.com/1025312
https://bugzilla.suse.com/1025758
https://bugzilla.suse.com/1026633
https://bugzilla.suse.com/1027873
https://bugzilla.suse.com/1029755
https://bugzilla.suse.com/1030342
https://bugzilla.suse.com/1031338
https://bugzilla.suse.com/1031659
https://bugzilla.suse.com/1031667
https://bugzilla.suse.com/1032256
https://bugzilla.suse.com/1033383
https://bugzilla.suse.com/1034956
More information about the sle-security-updates
mailing list