SUSE-SU-2017:1346-1: moderate: Security update for SUSE Manager Proxy 3.0

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Thu May 18 22:11:55 MDT 2017


   SUSE Security Update: Security update for SUSE Manager Proxy 3.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:1346-1
Rating:             moderate
References:         #1017422 #1017754 #1020904 #1023233 #1024714 
                    #1025312 #1025758 #1026633 #1027873 #1029755 
                    #1030342 #1031338 #1031659 #1031667 #1032256 
                    #1033383 #1034956 
Cross-References:   CVE-2017-7470
Affected Products:
                    SUSE Manager Proxy 3.0
______________________________________________________________________________

   An update that solves one vulnerability and has 16 fixes is
   now available.

Description:


   The following security issue in spacewalk-backend has been fixed:

   - Non admin or disabled user cannot make changes to a system anymore using
     spacewalk-channel. (bsc#1026633, CVE-2017-7470)

   Additionally, the following non-security issues have been fixed:

   rhnlib:

   - Support all TLS versions in rpclib. (bsc#1025312)

   spacewalk-backend:

   - Do not fail with traceback when media.1 does not exist. (bsc#1032256)
   - Create scap files dir beforehand. (bsc#1029755)
   - Fix error if SPACEWALK_DEBUG_NO_REPORTS env variable is not present.
   - Don't skip 'rhnErrataPackage' cleanup during an errata update.
     (bsc#1023233)
   - Add support for running spacewalk-debug without creating reports.
     (bsc#1024714)
   - Set scap store dir mod to 775 and group owner to susemanager.
   - Incomplete_package_import: do import rhnPackageFile as it breaks some
     package installations.
   - Added traceback printing to the exception block.
   - Change postgresql starting commands.

   spacewalk-certs-tools:

   - Always restart the minion regardless of its current state. (bsc#1034956)
   - Correctly honor disabling of SSL in bootstrap script. (bsc#1033383)
   - Add curl dependency and move mgr-proxy-ssh* to spacewalk-proxy package.
   - Exit for non-traditional bootstrap scripts. (bsc#1020904)
   - Rename mgr-ssh-proxy-force-cmd -> mgr-proxy-ssh-force-cmd.
   - Add mgr-proxy-ssh-force-cmd, mgr-proxy-ssh-push-init to rpm.
   - Add option to configure only sshd.
   - Restrictive ssh options for user mgrsshtunnel.

   spacewalk-client-tools:

   - Fix reboot message to use correct product name. (bsc#1031667)

   spacewalk-proxy:

   - Add curl dependency and move mgr-proxy-ssh* to spacewalk-proxy package.
   - Lower the use-file-instead-of-memory treshold. (bsc#1030342)

   spacewalk-proxy-installer:

   - Do not start firewall on proxy during configuration if not already
     active. (bsc#1031338)
   - Salt minions get repodata via a different URL; reflect by additional
     squid rule. (bsc#1027873)
   - Only warn if parent ssh-push pub key could not be retrieved.
   - Generate and auth ssh push keys for user mgrsshtunnel.
   - Authorize parent salt-ssh key on proxy.
   - Generate proxy ssh-push key and authorize the previous proxy in the
     chain.
   - Generate own ssh-push key for proxy and authorize parent.

   spacewalk-web:

   - Remote Commands: Allow Web Socket to be opened on non-standard port.
   - Improve remote cmd ui err handling.
   - Show message when waiting for ssh minions times out.
   - Fix remote cmd ui js err and timed out message.
   - Remote cmd UI changes for salt-ssh minions.
   - Fix broken help link for taskstatus. (bsc#1017422)
   - Add js utility function to create Date objects in different timezones.
   - Show proxy path in bootstrap UI.
   - Clear proxy selection when clicking clear fields button.
   - Check if proxy hostname is FQDN not name in UI.
   - Show warn in bootstrap UI if proxy hostname is not a FQDN.

   susemanager-sls:

   - Add certificate state for CAASP.
   - Add certificate state for SLES for SAP. (bsc#1031659)
   - Pre-create empty top.sls with no-op. (bsc#1017754)
   - Add xccdf result xslt.
   - Fix mainframesysinfo module to use /proc/sysinfo on SLES11. (bsc#1025758)
   - Set scap store dir mod to 775 and group owner to susemanager.
   - Store uploaded scap files.
   - Set minion own key owner to bootstrap ssh_push_sudo_user.
   - Runner to generate ssh key and execute cmd via proxies.
   - Change ssh bootstrap state to generate and auth keys for salt-ssh push
     with tunnel.
   - Authorize parent salt-ssh key on proxy.

   How to apply this update: 1. Log in as root user to the SUSE Manager
   proxy. 2. Stop the proxy service: spacewalk-proxy stop 3. Apply the patch
   using either zypper patch or YaST Online Update. 4. Start the Spacewalk
   service: spacewalk-proxy start


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager Proxy 3.0:

      zypper in -t patch SUSE-SUSE-Manager-Proxy-3.0-2017-827=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Manager Proxy 3.0 (noarch):

      rhnlib-2.5.84.4-6.1
      spacewalk-backend-2.5.24.9-22.1
      spacewalk-backend-libs-2.5.24.9-22.1
      spacewalk-base-minimal-2.5.7.15-21.1
      spacewalk-base-minimal-config-2.5.7.15-21.1
      spacewalk-certs-tools-2.5.1.8-17.1
      spacewalk-check-2.5.13.8-17.2
      spacewalk-client-setup-2.5.13.8-17.2
      spacewalk-client-tools-2.5.13.8-17.2
      spacewalk-proxy-broker-2.5.1.7-15.1
      spacewalk-proxy-common-2.5.1.7-15.1
      spacewalk-proxy-installer-2.5.2.5-6.1
      spacewalk-proxy-management-2.5.1.7-15.1
      spacewalk-proxy-package-manager-2.5.1.7-15.1
      spacewalk-proxy-redirect-2.5.1.7-15.1
      spacewalk-proxy-salt-2.5.1.7-15.1
      susemanager-sls-0.1.20-23.1


References:

   https://www.suse.com/security/cve/CVE-2017-7470.html
   https://bugzilla.suse.com/1017422
   https://bugzilla.suse.com/1017754
   https://bugzilla.suse.com/1020904
   https://bugzilla.suse.com/1023233
   https://bugzilla.suse.com/1024714
   https://bugzilla.suse.com/1025312
   https://bugzilla.suse.com/1025758
   https://bugzilla.suse.com/1026633
   https://bugzilla.suse.com/1027873
   https://bugzilla.suse.com/1029755
   https://bugzilla.suse.com/1030342
   https://bugzilla.suse.com/1031338
   https://bugzilla.suse.com/1031659
   https://bugzilla.suse.com/1031667
   https://bugzilla.suse.com/1032256
   https://bugzilla.suse.com/1033383
   https://bugzilla.suse.com/1034956



More information about the sle-security-updates mailing list