SUSE-SU-2017:2453-1: moderate: Security update for SUSE Manager Server 3.0
sle-security-updates at lists.suse.com
Wed Sep 13 13:08:54 MDT 2017
SUSE Security Update: Security update for SUSE Manager Server 3.0
______________________________________________________________________________
Announcement ID: SUSE-SU-2017:2453-1
Rating: moderate
References: #1009118 #1017513 #1022286 #1024058 #1026930
#1028098 #1030898 #1032350 #1033999 #1037609
#1039458 #1045152 #1045575 #1046218 #1047155
#1047656 #1048528 #1048762 #1048968 #1049170
#1049471 #1051518 #1053850 #1054225
Cross-References: CVE-2017-7538
Affected Products:
SUSE Manager Server 3.0
______________________________________________________________________________
An update that solves one vulnerability and has 23 fixes is
now available.
Description:
This update for the SUSE Manager Server 3.0 provides several fixes and
improvements.
The following security issue has been fixed:
spacewalk-java:
- CVE-2017-7538: Do not allow HTML code injection via Cross Site Scripting
(XSS) in the Organization Name. (bsc#1048968)
Additionally, the following non-security issues have been fixed:
salt-netapi-client:
- Fix date format for Schedule.
- Fix sending kwarg in payload in RunnerCall.
- Better error handling in Runner and Wheel calls.
- Increase the default SOCKET_TIMEOUT to 20 seconds.
smdba:
- Do not set default_statistics_target. (bsc#1022286)
- Support postgresql96. (bsc#1045152)
- Prevent use of /var/lib/pgsql/data. (bsc#1024058)
- Remove copyright message shown every time.
- On systemd-enabled systems use it for start/stop PostgreSQL.
(bsc#1024058)
spacewalk-backend:
- Increase rpclib timeout to 10 minutes. (bsc#1026930)
- Adapt for the new gpgcheck flag for the channels.
spacewalk-branding:
- Fix overlapping text in narrow window. (bsc#1009118)
spacewalk-config:
- Resolve comps.xml file for repositories. (bsc#1048528)
spacewalk-java:
- Delete and create new ServerNetAddress if it already exists on Hardware
refresh. (bsc#1054225)
- Fix enter key submit on ListTag filter input. (bsc#1048762)
- Create VirtpollerData object with JSON content instead of null.
(bsc#1049170)
- Prevent malformed XML if 'arch' is set to NULL. (bsc#1045575)
- Resolve comps.xml file for repositories. (bsc#1048528)
- Don't add default channel if AK is not valid. (bsc#1047656)
- Add 'Enable GPG check' function for channels.
- Regenerate pillar for the minions using the channel being modified.
- Remove executable bit from service files. (bsc#1051518)
- Fix wrong openscap xid. (bsc#1030898)
- Fix overlapping text in narrow window. (bsc#1009118)
- Fix broken link. (bsc#1033999)
- Fix alignment on the org details. (bsc#1017513)
- Update channels.xml with OpenStack Cloud Continuous Delivery 6.
(bsc#1039458)
- Handle possible wrong UUIDs on SLE 11 minions. (bsc#1046218)
- Allow blank key generation. (bsc#1032350)
spacewalk-search:
- Remove executable bit from service files. (bsc#1051518)
spacewalk-setup-jabberd:
- Change default backend for jabberd to sqlite. (bsc#1047155)
spacewalk-web:
- Fix enter key submit on ListTag filter input. (bsc#1048762)
susemanager:
- Do not use checkpoint_segments parameter during migrations.
- Enable migration from postgresql94 to postgresql96.
- Create bootstrap repository for SUSE Linux Enterprise Server for SAP 11
SP1. (bsc#1049471)
- Adjust the bootstrap repository with SUSE Linux Enterprise 12 SP3
repositories.
susemanager-docs_en:
- Update text and image files.
susemanager-schema:
- Adapt for the new gpgcheck flag for the channels.
susemanager-sync-data:
- Add SUSE Manager Proxy 3.0 channels for SUSE Linux Enterprise Server 12
SP3. (bsc#1053850)
- Support SUSE Enterprise Storage 5 and SUSE Linux Enterprise Server 12
SP3 for SAP Applications on ppc64le. (bsc#1028098)
- Update channels.xml with OpenStack Cloud Continuous Delivery 6.
(bsc#1039458)
- Add SUSE Linux Enterprise 12 SP3 related products. (bsc#1037609)
virtual-host-gatherer:
- Implement kubernetes gatherer module.
How to apply this update:
1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: spacewalk-service stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Upgrade the database schema: spacewalk-schema-upgrade
5. Start the Spacewalk service: spacewalk-service start
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Manager Server 3.0:
zypper in -t patch SUSE-SUSE-Manager-Server-3.0-2017-1520=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Manager Server 3.0 (s390x x86_64):
smdba-1.6.0-0.7.3.1
spacewalk-branding-2.5.2.14-16.3.1
susemanager-3.0.23-25.3.1
susemanager-tools-3.0.23-25.3.1
- SUSE Manager Server 3.0 (noarch):
salt-netapi-client-0.12.0-16.3.1
spacewalk-backend-2.5.24.13-26.8.1
spacewalk-backend-app-2.5.24.13-26.8.1
spacewalk-backend-applet-2.5.24.13-26.8.1
spacewalk-backend-config-files-2.5.24.13-26.8.1
spacewalk-backend-config-files-common-2.5.24.13-26.8.1
spacewalk-backend-config-files-tool-2.5.24.13-26.8.1
spacewalk-backend-iss-2.5.24.13-26.8.1
spacewalk-backend-iss-export-2.5.24.13-26.8.1
spacewalk-backend-libs-2.5.24.13-26.8.1
spacewalk-backend-package-push-server-2.5.24.13-26.8.1
spacewalk-backend-server-2.5.24.13-26.8.1
spacewalk-backend-sql-2.5.24.13-26.8.1
spacewalk-backend-sql-oracle-2.5.24.13-26.8.1
spacewalk-backend-sql-postgresql-2.5.24.13-26.8.1
spacewalk-backend-tools-2.5.24.13-26.8.1
spacewalk-backend-xml-export-libs-2.5.24.13-26.8.1
spacewalk-backend-xmlrpc-2.5.24.13-26.8.1
spacewalk-base-2.5.7.18-25.6.1
spacewalk-base-minimal-2.5.7.18-25.6.1
spacewalk-base-minimal-config-2.5.7.18-25.6.1
spacewalk-config-2.5.2.8-13.3.1
spacewalk-html-2.5.7.18-25.6.1
spacewalk-java-2.5.59.17-27.6.1
spacewalk-java-config-2.5.59.17-27.6.1
spacewalk-java-lib-2.5.59.17-27.6.1
spacewalk-java-oracle-2.5.59.17-27.6.1
spacewalk-java-postgresql-2.5.59.17-27.6.1
spacewalk-search-2.5.2.3-4.3.1
spacewalk-setup-jabberd-2.5.0.3-2.3.1
spacewalk-taskomatic-2.5.59.17-27.6.1
susemanager-advanced-topics_en-pdf-3-25.3.1
susemanager-best-practices_en-pdf-3-25.3.1
susemanager-docs_en-3-25.3.1
susemanager-getting-started_en-pdf-3-25.3.1
susemanager-jsp_en-3-25.3.1
susemanager-reference_en-pdf-3-25.3.1
susemanager-schema-3.0.21-25.3.1
susemanager-sync-data-3.0.18-28.3.1
virtual-host-gatherer-1.0.14-7.3.1
virtual-host-gatherer-VMware-1.0.14-7.3.1
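A check for whether a server already carries the fixed builds from the package list above. This is an added example, not part of the SUSE announcement: ver_ge and check_installed are hypothetical helper names, the sample input is constructed, and GNU sort -V is assumed as an approximation of rpm's own version comparison.

```shell
#!/bin/sh
# Fixed builds copied from this advisory's package list (subset).
FIXED_PACKAGES='spacewalk-java 2.5.59.17-27.6.1
spacewalk-backend 2.5.24.13-26.8.1
susemanager-schema 3.0.21-25.3.1
smdba 1.6.0-0.7.3.1'

# Constructed sample of "name version-release" lines; the spacewalk-java
# build shown here is an invented older version used for illustration.
SAMPLE_RPM_OUTPUT='spacewalk-java 2.5.59.16-27.3.1
smdba 1.6.0-0.7.3.1
susemanager-schema 3.0.21-25.3.1'

# ver_ge A B: succeed when version-release A is equal to or newer than B.
# Assumption: GNU sort -V ordering is close enough to rpm's for these strings.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_installed: read "name version-release" lines on stdin, print one
# status line per package in FIXED_PACKAGES, and return 1 if any installed
# package is older than the fixed build.
check_installed() {
    installed=$(cat)
    rc=0
    while read -r name fixed; do
        have=$(printf '%s\n' "$installed" |
            awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "SKIP $name not installed"
        elif ver_ge "$have" "$fixed"; then
            echo "OK $name $have"
        else
            echo "VULNERABLE $name $have < $fixed"
            rc=1
        fi
    done <<EOF
$FIXED_PACKAGES
EOF
    return $rc
}

# Demo on the constructed sample. On a real server, feed it instead with:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | check_installed
printf '%s\n' "$SAMPLE_RPM_OUTPUT" | check_installed || true
```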
References:
https://www.suse.com/security/cve/CVE-2017-7538.html
https://bugzilla.suse.com/1009118
https://bugzilla.suse.com/1017513
https://bugzilla.suse.com/1022286
https://bugzilla.suse.com/1024058
https://bugzilla.suse.com/1026930
https://bugzilla.suse.com/1028098
https://bugzilla.suse.com/1030898
https://bugzilla.suse.com/1032350
https://bugzilla.suse.com/1033999
https://bugzilla.suse.com/1037609
https://bugzilla.suse.com/1039458
https://bugzilla.suse.com/1045152
https://bugzilla.suse.com/1045575
https://bugzilla.suse.com/1046218
https://bugzilla.suse.com/1047155
https://bugzilla.suse.com/1047656
https://bugzilla.suse.com/1048528
https://bugzilla.suse.com/1048762
https://bugzilla.suse.com/1048968
https://bugzilla.suse.com/1049170
https://bugzilla.suse.com/1049471
https://bugzilla.suse.com/1051518
https://bugzilla.suse.com/1053850
https://bugzilla.suse.com/1054225