SUSE-SU-2021:3901-1: moderate: Security Beta update for SUSE Manager Client Tools

sle-security-updates at sle-security-updates at
Fri Dec 3 14:19:27 UTC 2021

   SUSE Security Update: Security Beta update for SUSE Manager Client Tools

Announcement ID:    SUSE-SU-2021:3901-1
Rating:             moderate
References:         #1164192 #1167586 #1168327 #1173103 #1173692 
                    #1180650 #1181223 #1184659 #1185131 #1186287 
                    #1186310 #1186581 #1186674 #1186738 #1187787 
                    #1187813 #1188042 #1188170 #1188259 #1188647 
                    #1188977 #1189040 #1190265 #1190446 #1190512 
                    #1191412 #1191431 ECO-3212 ECO-3319 SLE-18028 
Cross-References:   CVE-2021-21996
CVSS scores:
                    CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Affected Products:
                    SUSE Manager Debian 10-CLIENT-TOOLS-BETA

   An update that solves one vulnerability, contains four
   features and has 26 fixes is now available.


   This update fixes the following issues:


   - Simplify "transactional_update" module to not use SSH wrapper and allow
     more flexible execution
   - Add "--no-return-event" option to salt-call to prevent sending return
     event back to master.
   - Make "state.highstate" to acts on concurrent flag.
   - Fix print regression for yumnotify plugin
   - Use dnfnotify instead yumnotify for relevant distros
   - Dnfnotify pkgset plugin implementation
   - Add rpm_vercmp python library support for version comparison
   - Prevent pkg plugins errors on missing cookie path (bsc#1186738)
   - Fix ip6_interface grain to not leak secondary IPv4 aliases (bsc#1191412)
   - Make "salt-api" package to require python3-cherrypy on RHEL systems
   - Make "tar" as required for "salt-transactional-update" package
   - Fix issues with salt-ssh's extra-filerefs
   - Fix crash when calling manage.not_alive runners
   - Do not consider skipped targets as failed for ansible.playbooks state
   - Do not break master_tops for minion with version lower to 3003
   - Support querying for JSON data in external sql pillar
   - Update to Salt release version 3003.3
   - See release notes:
   - Exclude the full path of a download URL to prevent injection of
     malicious code (bsc#1190265) (CVE-2021-21996)
   - Fix wrong relative paths resolution with Jinja renderer when importing
   - Don't pass shell="/sbin/nologin" to onlyif/unless checks (bsc#1188259)
   - Add missing aarch64 to rpm package architectures
   - Backport of upstream PR#59492
   - Fix failing unit test for systemd
   - Fix error handling in openscap module (bsc#1188647)
   - Better handling of bad public keys from minions (bsc#1189040)
   - Define license macro as doc in spec file if not existing
   - Add standalone formulas configuration for salt minion and remove
     salt-master requirement (bsc#1168327)
   - Do noop for services states when running systemd in offline mode
   - Transactional_updates: do not execute states in parallel but use a queue
   - Handle "master tops" data when states are applied by
     "transactional_update" (bsc#1187787)
   - Enhance openscap module: add "xccdf_eval" call
   - Virt: pass emulator when getting domain capabilities from libvirt
   - Adding preliminary support for Rocky Linux
   - Implementation of held/unheld functions for state pkg (bsc#1187813)
   - Replace deprecated Thread.isAlive() with Thread.is_alive()
   - Fix exception in yumpkg.remove for not installed package
   - Fix save for iptables state module (bsc#1185131)
   - Virt: use /dev/kvm to detect KVM
   - Zypperpkg: improve logic for handling vendorchange flags
   - Add bundled provides for tornado to the spec file
   - Enhance logging when inotify beacon is missing pyinotify (bsc#1186310)
   - Add "python3-pyinotify" as a recommended package for Salt in
     SUSE/openSUSE distros
   - Fix tmpfiles.d configuration for salt to not use legacy paths
   - Detect Python version to use inside container (bsc#1167586) (bsc#1164192)
   - Handle volumes on stopped pools in virt.vm_info (bsc#1186287)
   - Grains.extra: support old non-intel kernels (bsc#1180650)
   - Fix missing minion returns in batch mode (bsc#1184659)
   - Parsing Epoch out of version provided during pkg remove (bsc#1173692)
   - Check if dpkgnotify is executable (bsc#1186674)
   - Update to Salt release version 3002.2 (jsc#ECO-3212) (jsc#SLE-18033)
   - Add subpackage salt-transactional-update (jsc#SLE-18028)


   - Fix SLE-12 build issue caused by '\xb0' character (bsc#1191431).
   - Updated to 0.1.58 release (jsc#ECO-3319)
   - Support for Script Checking Engine (SCE)
   - Split RHEL 8 CIS profile using new controls file format
   - CIS Profiles for SLE12
   - Initial Ubuntu 20.04 STIG Profiles
   - Addition of an automated CCE adder
   - Updated to 0.1.57 release (jsc#ECO-3319)
     - CIS profile for RHEL 7 is updated
     - initial CIS profiles for Ubuntu 20.04
     - Major improvement of RHEL 9 content
     - new release process implemented using Github actions
   - Specify the maintainer, for deb packages.
   - Updated to 0.1.56 release (jsc#ECO-3319)
     - Align ism_o profile with latest ISM SSP (#6878)
     - Align RHEL 7 STIG profile with DISA STIG V3R3
     - Creating new RHEL 7 STIG GUI profile (#6863)
     - Creating new RHEL 8 STIG GUI profile (#6862)
     - Add the RHEL9 product (#6801)
     - Initial support for SUSE SLE-15 (#6666)
     - add support for osbuild blueprint remediations (#6970)
   - Updated to a intermediate GIT snapshot of 20210323 (jsc#ECO-3319)
     - initial SLES15 STIG added
     - more SLES 12 STIG work
     - correct tables and cross references for SLES 12 and 15 STIG
   - Updated to 0.1.55 release (jsc#ECO-3319)
     - big update of rules used in SLES-12 STIG profile
     - Render policy to HTML (#6532)
     - Add variable support to yamlfile_value template (#6563)
     - Introduce new template for dconf configuration files (#6118)
   - Avoid some non sles12 sp2 available macros.


   - Version 4.3.4-1
     * Update translation strings
   - Version 4.3.3-1
     * Improved event history listing and added new system_eventdetails
       command to retrieve the details of an event
     * configchannel_updatefile handles directory properly (bsc#1190512)
   - Version 4.3.2-1
     * Add schedule_archivecompleted to mass archive actions (bsc#1181223)
     * Make schedule_deletearchived to get all actions without display limit
     * Allow passing a date limit for schedule_deletearchived on spacecmd
     * Remove whoami from the list of unauthenticated commands (bsc#1188977)
   - Version 4.3.1-1
   - Use correct API endpoint in list_proxies (bsc#1188042)
   - Add schedule_deletearchived to bulk delete archived actions (bsc#1181223)
   - Make spacecmd aware of retracted patches/packages
   - Version 4.2.10-1
   - Enhance help for installation types when creating distributions
   - Version 4.2.9-1
   - Parse empty argument when nothing in between the separator

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Debian 10-CLIENT-TOOLS-BETA:

      zypper in -t patch SUSE-Debian-10-CLIENT-TOOLS-BETA-2021-3901=1

Package List:

   - SUSE Manager Debian 10-CLIENT-TOOLS-BETA (all):



More information about the sle-security-updates mailing list