SUSE-SU-2020:2650-1: moderate: Security update for SUSE Manager Proxy 4.0

Wed Sep 16 10:23:03 MDT 2020

   SUSE Security Update: Security update for SUSE Manager Proxy 4.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:2650-1
Rating:             moderate
References:         #1167907 #1169664 #1171281 #1172831 #1173535 
                    #1173554 #1174201 #1175224 #1175889 
Cross-References:   CVE-2020-11022
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0
______________________________________________________________________________

   An update that solves one vulnerability and has 8 fixes is
   now available.

Description:

   This update fixes the following issues:

   spacecmd:

   - Python3 fixes for errata in spacecmd (bsc#1169664)
   - Python3 fix for sorted usage (bsc#1167907)
   - Fix softwarechannel_listlatestpackages throwing error on empty channels
     (bsc#1175889)
   - Fix escaping of package names (bsc#1171281)

   spacewalk-certs-tools:

   - Add option --nostricthostkeychecking to spacewalk-ssh-push-init
   - Strip SSL Certificate Common Name after 63 Characters (bsc#1173535)

   spacewalk-proxy:

   - Python3 fix for loading pickle file during kickstart procedure
     (bsc#1174201)

   spacewalk-web:

   - Fix login page after jQuery upgrade (bsc#1175224)
   - Upgrade jQuery and adapt the code - CVE-2020-11022 (bsc#1172831)
   - Warn when a system is in multiple groups that configure the same formula
     in the system formula's UI (bsc#1173554)

   How to apply this update: 1. Log in as root user to the SUSE Manager
   proxy. 2. Stop the proxy service: spacewalk-proxy stop 3. Apply the patch
   using either zypper patch or YaST Online Update. 4. Start the Spacewalk
   service: spacewalk-proxy start

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.0-2020-2650=1

Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0 (noarch):

      python3-spacewalk-certs-tools-4.0.17-3.21.3
      spacecmd-4.0.20-3.19.2
      spacewalk-base-minimal-4.0.23-3.30.3
      spacewalk-base-minimal-config-4.0.23-3.30.3
      spacewalk-certs-tools-4.0.17-3.21.3
      spacewalk-proxy-broker-4.0.14-3.10.3
      spacewalk-proxy-common-4.0.14-3.10.3
      spacewalk-proxy-management-4.0.14-3.10.3
      spacewalk-proxy-package-manager-4.0.14-3.10.3
      spacewalk-proxy-redirect-4.0.14-3.10.3
      spacewalk-proxy-salt-4.0.14-3.10.3

References:

   https://www.suse.com/security/cve/CVE-2020-11022.html
   https://bugzilla.suse.com/1167907
   https://bugzilla.suse.com/1169664
   https://bugzilla.suse.com/1171281
   https://bugzilla.suse.com/1172831
   https://bugzilla.suse.com/1173535
   https://bugzilla.suse.com/1173554
   https://bugzilla.suse.com/1174201
   https://bugzilla.suse.com/1175224
   https://bugzilla.suse.com/1175889