SUSE-SU-2017:1346-1: moderate: Security update for SUSE Manager Proxy 3.0

sle-security-updates at sle-security-updates at
Thu May 18 22:11:55 MDT 2017

   SUSE Security Update: Security update for SUSE Manager Proxy 3.0

Announcement ID:    SUSE-SU-2017:1346-1
Rating:             moderate
References:         #1017422 #1017754 #1020904 #1023233 #1024714 
                    #1025312 #1025758 #1026633 #1027873 #1029755 
                    #1030342 #1031338 #1031659 #1031667 #1032256 
                    #1033383 #1034956 
Cross-References:   CVE-2017-7470
Affected Products:
                    SUSE Manager Proxy 3.0

   An update that solves one vulnerability and has 16 fixes is
   now available.


   The following security issue in spacewalk-backend has been fixed:

   - Non admin or disabled user cannot make changes to a system anymore using
     spacewalk-channel. (bsc#1026633, CVE-2017-7470)

   Additionally, the following non-security issues have been fixed:


   - Support all TLS versions in rpclib. (bsc#1025312)


   - Do not fail with traceback when media.1 does not exist. (bsc#1032256)
   - Create scap files dir beforehand. (bsc#1029755)
   - Fix error if SPACEWALK_DEBUG_NO_REPORTS env variable is not present.
   - Don't skip 'rhnErrataPackage' cleanup during an errata update.
   - Add support for running spacewalk-debug without creating reports.
   - Set scap store dir mod to 775 and group owner to susemanager.
   - Incomplete_package_import: do import rhnPackageFile as it breaks some
     package installations.
   - Added traceback printing to the exception block.
   - Change postgresql starting commands.


   - Always restart the minion regardless of its current state. (bsc#1034956)
   - Correctly honor disabling of SSL in bootstrap script. (bsc#1033383)
   - Add curl dependency and move mgr-proxy-ssh* to spacewalk-proxy package.
   - Exit for non-traditional bootstrap scripts. (bsc#1020904)
   - Rename mgr-ssh-proxy-force-cmd -> mgr-proxy-ssh-force-cmd.
   - Add mgr-proxy-ssh-force-cmd, mgr-proxy-ssh-push-init to rpm.
   - Add option to configure only sshd.
   - Restrictive ssh options for user mgrsshtunnel.


   - Fix reboot message to use correct product name. (bsc#1031667)


   - Add curl dependency and move mgr-proxy-ssh* to spacewalk-proxy package.
   - Lower the use-file-instead-of-memory treshold. (bsc#1030342)


   - Do not start firewall on proxy during configuration if not already
     active. (bsc#1031338)
   - Salt minions get repodata via a different URL; reflect by additional
     squid rule. (bsc#1027873)
   - Only warn if parent ssh-push pub key could not be retrieved.
   - Generate and auth ssh push keys for user mgrsshtunnel.
   - Authorize parent salt-ssh key on proxy.
   - Generate proxy ssh-push key and authorize the previous proxy in the
   - Generate own ssh-push key for proxy and authorize parent.


   - Remote Commands: Allow Web Socket to be opened on non-standard port.
   - Improve remote cmd ui err handling.
   - Show message when waiting for ssh minions times out.
   - Fix remote cmd ui js err and timed out message.
   - Remote cmd UI changes for salt-ssh minions.
   - Fix broken help link for taskstatus. (bsc#1017422)
   - Add js utility function to create Date objects in different timezones.
   - Show proxy path in bootstrap UI.
   - Clear proxy selection when clicking clear fields button.
   - Check if proxy hostname is FQDN not name in UI.
   - Show warn in bootstrap UI if proxy hostname is not a FQDN.


   - Add certificate state for CAASP.
   - Add certificate state for SLES for SAP. (bsc#1031659)
   - Pre-create empty top.sls with no-op. (bsc#1017754)
   - Add xccdf result xslt.
   - Fix mainframesysinfo module to use /proc/sysinfo on SLES11. (bsc#1025758)
   - Set scap store dir mod to 775 and group owner to susemanager.
   - Store uploaded scap files.
   - Set minion own key owner to bootstrap ssh_push_sudo_user.
   - Runner to generate ssh key and execute cmd via proxies.
   - Change ssh bootstrap state to generate and auth keys for salt-ssh push
     with tunnel.
   - Authorize parent salt-ssh key on proxy.

   How to apply this update: 1. Log in as root user to the SUSE Manager
   proxy. 2. Stop the proxy service: spacewalk-proxy stop 3. Apply the patch
   using either zypper patch or YaST Online Update. 4. Start the Spacewalk
   service: spacewalk-proxy start

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager Proxy 3.0:

      zypper in -t patch SUSE-SUSE-Manager-Proxy-3.0-2017-827=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Manager Proxy 3.0 (noarch):



More information about the sle-security-updates mailing list