SUSE-SU-2017:1349-1: moderate: Security update for SUSE Manager Server 3.0

sle-security-updates at lists.suse.com
Thu May 18 22:17:23 MDT 2017


   SUSE Security Update: Security update for SUSE Manager Server 3.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:1349-1
Rating:             moderate
References:         #1000762 #1009545 #1011964 #1012784 #1013606 
                    #1017418 #1017422 #1017754 #1017772 #1020659 
                    #1020904 #1022530 #1023233 #1024066 #1024406 
                    #1024456 #1024714 #1024863 #1024966 #1025000 
                    #1025275 #1025291 #1025312 #1025421 #1025758 
                    #1025761 #1025775 #1025908 #1026266 #1026301 
                    #1026633 #1027426 #1027852 #1028062 #1028306 
                    #1029755 #1029840 #1030716 #1031092 #1031453 
                    #1031659 #1031667 #1031826 #1031885 #1032256 
                    #1033383 #1033497 #1033731 #1034289 #1034465 
                    #1034956 
Cross-References:   CVE-2017-7470
Affected Products:
                    SUSE Manager Server 3.0
______________________________________________________________________________

   An update that solves one vulnerability and has 50 fixes is
   now available.

Description:


   The following security issue in spacewalk-backend has been fixed:

   - spacewalk-channel no longer lets a non-admin or disabled user make
     changes to a system. (bsc#1026633, CVE-2017-7470)

   Additionally, the following non-security issues have been fixed:

   rhnlib:

   - Support all TLS versions in rpclib. (bsc#1025312)

   salt-netapi-client:

   - Fix date format for Schedule module. (bsc#1034465)

   spacecmd:

   - Improve output on error for listrepo. (bsc#1027426)
   - Reword spacecmd removal message. (bsc#1024406)

   spacewalk-backend:

   - Do not fail with traceback when media.1 does not exist. (bsc#1032256)
   - Create scap files directory beforehand. (bsc#1029755)
   - Fix error if SPACEWALK_DEBUG_NO_REPORTS environment variable is not
     present.
   - Don't skip 'rhnErrataPackage' cleanup during an errata update.
     (bsc#1023233)
   - Add support for running spacewalk-debug without creating reports.
     (bsc#1024714)
   - Set SCAP store directory mode to 775 and group owner to susemanager.
   - incomplete_package_import: import rhnPackageFile, since skipping it breaks
     some package installations.
   - Added traceback printing to the exception block.
   - Change postgresql starting commands.

   spacewalk-certs-tools:

   - Always restart the minion regardless of its current state. (bsc#1034956)
   - Correctly honor disabling of SSL in bootstrap script. (bsc#1033383)
   - Add curl dependency and move mgr-proxy-ssh* to spacewalk-proxy package.
   - Exit for non-traditional bootstrap scripts. (bsc#1020904)
   - Rename mgr-ssh-proxy-force-cmd -> mgr-proxy-ssh-force-cmd.
   - Add mgr-proxy-ssh-force-cmd, mgr-proxy-ssh-push-init to rpm.
   - Add option to configure only sshd.
   - Restrictive ssh options for user mgrsshtunnel.

   spacewalk-client-tools:

   - Fix reboot message to use correct product name. (bsc#1031667)

   spacewalk-java:

   - Fix missing IPs in Overview tab. (bsc#1031453)
   - Fix scheduling VM deployment in future. (bsc#1034289)
   - Handle empty set to not produce invalid sql. (bsc#1033497)
   - Fix SSM group pagination. (bsc#1012784)
   - Create PooledExecutor with pre-filled queue. (bsc#1030716)
   - Make sure minion keys can only be seen/managed by appropriate user.
     (bsc#1025908)
   - Set action status to 'failed' on uncaught exceptions. (bsc#1013606)
   - Add missing library to taskomatic classpath. (bsc#1024066)
   - Set log level to DEBUG for EOFException when the Websocket connection is
     aborted by the client. (bsc#1031826)
   - Add a remote command with label as a script to the actionchain.
     (bsc#1011964)
   - Fix architecture for default channels lookup. (bsc#1025275)
   - Change required salt-netapi-client to >= 0.11.
   - Using stream() during collection processing.
   - Making salt presence timeouts configurable via rhn.conf. (bsc#1025761)
   - Avoid blocking synchronous calls if some minions are unreachable.
     (bsc#1025761)
   - Excludes unreachable minions from synchronous call to prevent blocking.
     (bsc#1025761)
   - Fix LocalDateTimeISOAdapter to parse date string with timezone.
     (bsc#1024966)
   - Create scap files directories beforehand. (bsc#1029755)
   - Make country, state/province and city searchable for system location.
     (bsc#1020659)
   - Change incorrect help link. (bsc#1017418)
   - Don't allow scheduling scap scan if openscap pkg missing from minion.
   - Make salt aware of rescheduled actions. (bsc#1027852)
   - Close hibernate session on async salt-ssh call.
   - Use a small fixed pool so we don't overwhelm the salt-api with salt-ssh
     executions.
   - Fix remote cmd ui js err and timed out message.
   - Remote cmd UI changes for salt-ssh minions.
   - Add support for salt ssh minions to remote cmd UI.
   - Apply SessionFilter also for error pages. (bsc#1028062)
   - Use correct logging class.
   - Fix broken help link for taskstatus. (bsc#1017422)
   - Test errata not removed from origin.
   - Fix merge channels patches. (bsc#1025000)
   - Change XccdfIdent.identifier mapping length to 100.
   - Add xccdf result xslt.
   - Fix mainframesysinfo module to use /proc/sysinfo on SLES11. (bsc#1025758)
   - Use consistent spelling in UI. (bsc#1028306)
   - Rewording distchannelmap text. (bsc#1017772)
   - Javascript datepicker needs the timezone to create a correct date object.
     (bsc#1024966)
   - Don't show audit tab for ssh-push minions.
   - Set SCAP store directory mode to 775 and group owner to susemanager.
   - Better error handling and more tests.
   - Store uploaded scap files.
   - Openscap action scheduling and handling.
   - Grant scap capability to minion on registration.
   - Enable audit tab for salt minions.
   - SCAP initial xccdfEval and hibernate mappings.
   - Show proxy path in bootstrap UI.
   - AuthFilter tests: Update expectations to reflect cookie update at end of
     request.
   - AuthFilter: Update cookie expiry date at end of HTTP request.
     (bsc#1025775)
   - MinionActionCleanup: Only call list_jobs once per action id.
     (bsc#1025291)
   - MinionActionCleanupTest: Expect that list_jobs is only called once.
   - Feat: Allow salt-enabled bootstrap.sh via UI.
   - Catch and display all bootstrap errors.
   - Sync grains and beacons only for regular minions.
   - Add new channel tokens to minion.accessTokens.
   - Fix getting server path for a first level proxy.
   - Fix bootstrap err when proxy not selected.
   - Check if proxy hostname is FQDN not name in UI.
   - Utility for runner to generate ssh key and execute cmd via proxies.
   - Add proxy_pub_key to ssh bootstrap pillar.
   - Add ssh timeout to temporary roster.
   - Salt_ssh_connect_timeout configuration parameter.
   - Authorize parent salt-ssh key on proxy.
   - Java backend for salt ssh-push through proxy.
   - Avoid deadlock with spacewalk-repo-sync. (bsc#1022530)
   - Fix NPE when no SUSE Product was found for an installed product.
     (bsc#1029840)
   - Keep organization after migrating a system to salt. (bsc#1026301)
   - Fix glob only for noarch rpm(s).
   - Feat: Dynamically detect deployed CA certificate.
   - Fix restore original default (certificate).
   - Rename variable (cert provided by RPM).
   - Fix uniform bootstrap.sh. (bsc#1000762)

   spacewalk-reports:

   - Remove legacy audit logging reports. (bsc#1009545)

   spacewalk-setup:

   - Create /var/spacewalk/systems in spacewalk-setup and ensure perms on
     upgrade.
   - Add xccdf result xslt.
   - Authorize parent salt-ssh key on proxy.

   spacewalk-web:

   - Remote Commands: Allow Web Socket to be opened on non-standard port.
   - Improve remote cmd ui error handling.
   - Show message when waiting for ssh minions times out.
   - Fix remote cmd ui js err and timed out message.
   - Remote cmd UI changes for salt-ssh minions.
   - Fix broken help link for taskstatus. (bsc#1017422)
   - Add js utility function to create Date objects in different timezones.
   - Show proxy path in bootstrap UI.
   - Clear proxy selection when clicking clear fields button.
   - Check if proxy hostname is FQDN not name in UI.
   - Show warn in bootstrap UI if proxy hostname is not a FQDN.

   subscription-matcher:

   - Set -Xmx launch parameter based on customer data. (bsc#1024863)
   - Small bugfixes and logging improvements.

   susemanager:

   - Add bootstrap repo data for SLES for SAP 12 SP2 ppc64le.
   - Add python-setuptools to bootstrap repo. (bsc#1033731)
   - Create the directory manually if mksubvolume fails, so that btrfs-based
     systems without the mksubvolume utility are now supported. (bsc#1031885)
   - Create /var/spacewalk/systems in spacewalk-setup and ensure perms on
     upgrade.
   - Fix typo in comment noting option with-custom-channels. (bsc#1031092)
   - Pre require tomcat and salt.
   - Fix %pre and %post scripts in susemanager.spec.
   - Add the salt, tomcat and wwwrun users to the susemanager group.
   - Add the susemanager group and change owner and permissions of
     /var/susemanager/systems.

   susemanager-schema:

   - Don't fail if capability already exists.
   - Show update message only when updating the schema package. (bsc#1024456)
   - Fix audit log disabling in Oracle.
   - Grant minions scap capability.
   - Clean up stale logging data and triggers. (bsc#1009545)
   - Fix deduplicate to work with more than two duplicates.

   susemanager-sls:

   - Add certificate state for CAASP.
   - Add certificate state for SLES for SAP. (bsc#1031659)
   - Pre-create empty top.sls with no-op. (bsc#1017754)
   - Add xccdf result xslt.
   - Fix mainframesysinfo module to use /proc/sysinfo on SLES11. (bsc#1025758)
   - Set SCAP store directory mode to 775 and group owner to susemanager.
   - Store uploaded scap files.
   - Set the owner of the minion's own key to the bootstrap ssh_push_sudo_user.
   - Runner to generate ssh key and execute cmd via proxies.
   - Change ssh bootstrap state to generate and auth keys for salt-ssh push
     with tunnel.
   - Authorize parent salt-ssh key on proxy.

   susemanager-sync-data:

   - Support Cloud 7 - Magnum Orchestration (bsc#1026266) and SLES for SAP 12
     SP2 ppc64le.

   virtual-host-gatherer:

   - Adding support for exploring 'vim.Folder'. (bsc#1025421)

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service: spacewalk-service stop
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Upgrade the database schema: spacewalk-schema-upgrade
   5. Start the Spacewalk service: spacewalk-service start


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 3.0:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.0-2017-827=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Manager Server 3.0 (x86_64):

      susemanager-3.0.21-21.1
      susemanager-tools-3.0.21-21.1

   - SUSE Manager Server 3.0 (noarch):

      rhnlib-2.5.84.4-6.1
      salt-netapi-client-0.11.1-12.1
      spacecmd-2.5.5.5-12.1
      spacewalk-backend-2.5.24.9-22.1
      spacewalk-backend-app-2.5.24.9-22.1
      spacewalk-backend-applet-2.5.24.9-22.1
      spacewalk-backend-config-files-2.5.24.9-22.1
      spacewalk-backend-config-files-common-2.5.24.9-22.1
      spacewalk-backend-config-files-tool-2.5.24.9-22.1
      spacewalk-backend-iss-2.5.24.9-22.1
      spacewalk-backend-iss-export-2.5.24.9-22.1
      spacewalk-backend-libs-2.5.24.9-22.1
      spacewalk-backend-package-push-server-2.5.24.9-22.1
      spacewalk-backend-server-2.5.24.9-22.1
      spacewalk-backend-sql-2.5.24.9-22.1
      spacewalk-backend-sql-oracle-2.5.24.9-22.1
      spacewalk-backend-sql-postgresql-2.5.24.9-22.1
      spacewalk-backend-tools-2.5.24.9-22.1
      spacewalk-backend-xml-export-libs-2.5.24.9-22.1
      spacewalk-backend-xmlrpc-2.5.24.9-22.1
      spacewalk-base-2.5.7.15-21.1
      spacewalk-base-minimal-2.5.7.15-21.1
      spacewalk-base-minimal-config-2.5.7.15-21.1
      spacewalk-certs-tools-2.5.1.8-17.1
      spacewalk-client-tools-2.5.13.8-17.2
      spacewalk-html-2.5.7.15-21.1
      spacewalk-java-2.5.59.14-23.2
      spacewalk-java-config-2.5.59.14-23.2
      spacewalk-java-lib-2.5.59.14-23.2
      spacewalk-java-oracle-2.5.59.14-23.2
      spacewalk-java-postgresql-2.5.59.14-23.2
      spacewalk-reports-2.5.1.2-3.1
      spacewalk-setup-2.5.3.12-15.1
      spacewalk-taskomatic-2.5.59.14-23.2
      subscription-matcher-0.18-5.1
      susemanager-schema-3.0.19-21.2
      susemanager-sls-0.1.20-23.1
      susemanager-sync-data-3.0.16-24.1
      virtual-host-gatherer-1.0.13-6.1
      virtual-host-gatherer-VMware-1.0.13-6.1
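   The following script is an added example, not part of the SUSE advisory
   or of the SUSE Manager tooling. It automates the "How to apply this
   update" procedure and the patch command above, interprets zypper's exit
   status instead of ignoring it, and afterwards checks the installed
   version-release of a subset of the packages from the Package List against
   the fixed versions. Assumptions: it is run as root on the SUSE Manager
   Server 3.0 host, spacewalk-schema-upgrade accepts -y to skip its
   confirmation prompt, and the package subset in FIXED_PACKAGES is extended
   by the operator with the remaining entries from the list above.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): apply SUSE-SU-2017:1349-1 and
# verify the result. Assumed: run as root on a SUSE Manager Server 3.0 host.

# Patch name copied from the advisory's "Patch Instructions".
PATCH='SUSE-SUSE-Manager-Server-3.0-2017-827=1'

# Name-version-release strings copied from the advisory's Package List
# (subset; extend with the remaining entries as needed).
FIXED_PACKAGES='
spacewalk-backend-2.5.24.9-22.1
spacewalk-backend-server-2.5.24.9-22.1
spacewalk-java-2.5.59.14-23.2
spacewalk-certs-tools-2.5.1.8-17.1
susemanager-schema-3.0.19-21.2
rhnlib-2.5.84.4-6.1
'

# Split an RPM NVR string: the last two hyphen-separated fields are the
# version and release; everything before them is the (possibly hyphenated)
# package name, e.g. spacewalk-backend-sql-postgresql.
nvr_name() { printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*$//'; }
nvr_vr()   { printf '%s\n' "$1" | sed 's/^.*-\([^-]*-[^-]*\)$/\1/'; }

# Map a zypper exit status to a verdict (codes from zypper(8)):
#   0   everything installed
#   102 installed, but a reboot is required
#   103 zypper updated itself and the command must be re-run
#   anything else (4 libzypp error, 7 zypp lock held, 8 commit failed, ...)
#   is a failure and the schema upgrade must not proceed.
zypper_verdict() {
  case "$1" in
    0)   echo ok ;;
    102) echo reboot ;;
    103) echo rerun ;;
    *)   echo fail ;;
  esac
}

# Compare what rpm reports with the advisory's fixed versions. Prints every
# missing or mismatching package and returns non-zero if any is found.
verify_packages() {
  rc=0
  for nvr in $FIXED_PACKAGES; do
    name=$(nvr_name "$nvr")
    want=$(nvr_vr "$nvr")
    if ! have=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$name" 2>/dev/null); then
      echo "MISSING  $name"; rc=1; continue
    fi
    if [ "$have" != "$want" ]; then
      echo "MISMATCH $name: installed $have, advisory $want"; rc=1
    fi
  done
  return $rc
}

# Steps 1-5 of the advisory's procedure, stopping at the first failure so the
# schema is never upgraded against partially installed packages.
apply_update() {
  [ "$(id -u)" -eq 0 ] || { echo 'must run as root' >&2; return 1; }
  spacewalk-service stop || return 1
  if zypper --non-interactive in -t patch "$PATCH"; then code=0; else code=$?; fi
  verdict=$(zypper_verdict "$code")
  case "$verdict" in
    fail)  echo "zypper failed with exit status $code" >&2; return 1 ;;
    rerun) echo 'zypper updated itself; re-run this script' >&2; return 1 ;;
  esac
  spacewalk-schema-upgrade -y || return 1   # -y: assumed to skip the prompt
  spacewalk-service start || return 1
  verify_packages || return 1
  [ "$verdict" = reboot ] && echo 'zypper reported that a reboot is required'
  return 0
}

# Only touch the system when explicitly asked, so the file can be sourced
# for its helper functions without side effects.
if [ "${1:-}" = --apply ]; then
  apply_update
fi
```

   Run it as `sh apply-1349.sh --apply`. The exit-status handling matters
   because `zypper in -t patch` can return 103 after updating zypper itself
   without having installed the rest of the patch; continuing straight to
   spacewalk-schema-upgrade in that case would upgrade the schema against the
   old spacewalk-java and spacewalk-backend packages.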


References:

   https://www.suse.com/security/cve/CVE-2017-7470.html
   https://bugzilla.suse.com/1000762
   https://bugzilla.suse.com/1009545
   https://bugzilla.suse.com/1011964
   https://bugzilla.suse.com/1012784
   https://bugzilla.suse.com/1013606
   https://bugzilla.suse.com/1017418
   https://bugzilla.suse.com/1017422
   https://bugzilla.suse.com/1017754
   https://bugzilla.suse.com/1017772
   https://bugzilla.suse.com/1020659
   https://bugzilla.suse.com/1020904
   https://bugzilla.suse.com/1022530
   https://bugzilla.suse.com/1023233
   https://bugzilla.suse.com/1024066
   https://bugzilla.suse.com/1024406
   https://bugzilla.suse.com/1024456
   https://bugzilla.suse.com/1024714
   https://bugzilla.suse.com/1024863
   https://bugzilla.suse.com/1024966
   https://bugzilla.suse.com/1025000
   https://bugzilla.suse.com/1025275
   https://bugzilla.suse.com/1025291
   https://bugzilla.suse.com/1025312
   https://bugzilla.suse.com/1025421
   https://bugzilla.suse.com/1025758
   https://bugzilla.suse.com/1025761
   https://bugzilla.suse.com/1025775
   https://bugzilla.suse.com/1025908
   https://bugzilla.suse.com/1026266
   https://bugzilla.suse.com/1026301
   https://bugzilla.suse.com/1026633
   https://bugzilla.suse.com/1027426
   https://bugzilla.suse.com/1027852
   https://bugzilla.suse.com/1028062
   https://bugzilla.suse.com/1028306
   https://bugzilla.suse.com/1029755
   https://bugzilla.suse.com/1029840
   https://bugzilla.suse.com/1030716
   https://bugzilla.suse.com/1031092
   https://bugzilla.suse.com/1031453
   https://bugzilla.suse.com/1031659
   https://bugzilla.suse.com/1031667
   https://bugzilla.suse.com/1031826
   https://bugzilla.suse.com/1031885
   https://bugzilla.suse.com/1032256
   https://bugzilla.suse.com/1033383
   https://bugzilla.suse.com/1033497
   https://bugzilla.suse.com/1033731
   https://bugzilla.suse.com/1034289
   https://bugzilla.suse.com/1034465
   https://bugzilla.suse.com/1034956


