SUSE-SU-2021:2098-1: moderate: Security update for SUSE Manager Server 4.1
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Mon Jun 21 22:23:05 UTC 2021
SUSE Security Update: Security update for SUSE Manager Server 4.1
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:2098-1
Rating: moderate
References: #1151558 #1172711 #1175216 #1178767 #1180673
#1182744 #1183573 #1183649 #1183845 #1183864
#1184005 #1184286 #1184311 #1184332 #1184351
#1184361 #1184471 #1184475 #1184561 #1184617
#1184849 #1184892 #1184929 #1184940 #1185042
#1185097 #1185281 #1185506 #1185568 #1185965
#1186025 #1186124 #1186346 #1186508 #1186765
#1186852 #1186858
Cross-References: CVE-2021-28657 CVE-2021-31607
CVSS scores:
CVE-2021-28657 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2021-28657 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2021-31607 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-31607 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1
______________________________________________________________________________
An update that solves two vulnerabilities and has 35 fixes
is now available.
Description:
This update fixes the following issues:
cobbler:
- Make `fence_ipmitool` a wrapper for `fence_ipmilan` using always
`lanplus`. (bsc#1184361)
- Remove unused template for `fence_ipmitool`.
- Prevent some race conditions when writting tftpboot files and the
destination directory is not existing. (bsc#1186124)
- Fix trail stripping in case of using UTF symbols. (bsc#1184561)
golang-github-prometheus-node_exporter:
- Update to 1.1.2
* Bug fixes
+ Handle errors from disabled PSI subsystem
+ Sanitize strings from /sys/class/power_supply
+ Silence missing netclass errors
+ Fix ineffassign issue
+ Fix some noisy log lines
+ filesystem_freebsd: Fix label values
+ Fix various procfs parsing errors
+ Handle no data from powersupplyclass
+ udp_queues_linux.go: change upd to udp in two error strings
+ Fix node_scrape_collector_success behaviour
+ Fix NodeRAIDDegraded to not use a string rule expressions
+ Fix node_md_disks state label from fail to failed
+ Handle EPERM for syscall in timex collector
+ bcache: fix typo in a metric name
+ Fix XFS read/write stats
* Changes
+ Improve filter flag names
+ Add btrfs and powersupplyclass to list of exporters enabled by
default
* Features
+ Add fibre channel collector
+ Expose cpu bugs and flags as info metrics
+ Add network_route collector
+ Add zoneinfo collector
* Enhancements
+ Add more InfiniBand counters
+ Add flag to aggr ipvs metrics to avoid high cardinality metrics
+ Adding backlog/current queue length to qdisc collector
+ Include TCP OutRsts in netstat metrics
+ Add pool size to entropy collector
+ Remove CGO dependencies for OpenBSD amd64
+ bcache: add writeback_rate_debug status
+ Add check state for mdadm arrays via node_md_state metric
+ Expose XFS inode statistics
+ Expose zfs zpool state
+ Added an ability to pass collector.supervisord.url via
SUPERVISORD_URL environment variable
- Do not include sources (bsc#1151558)
- Remove rc symlink
grafana-formula:
- Fix Grafana dashboards requiring single series (bsc#1184471)
patterns-suse-manager:
- Add require for py27-compat-salt (salt 3002 does not provide
python2-salt anymore)
prometheus-exporter-formula:
- Add support for schema migration (bsc#1186025)
pxe-yomi-image-sle15:
- Remove PermitEmptyPasswords from SSH config (Fix bsc#1182744)
py26-compat-salt:
- Prevent command injection in the snapper module (bsc#1185281)
(CVE-2021-31607)
spacewalk-admin:
- Stop jabberd when osa-dispatcher is enabled (bsc#1185042)
spacewalk-backend:
- Fix binary blob corruptions in tradidional config file deployment
(bsc#1183864)
- Fix for GPG checking on synchonizing mirrored dpkg repo (bsc#1184351)
- switch to www group for satellite logs (bsc#1185097)
- Fail traditional errata and package actions when they act on retracted
items
- Add advisory_status to reposync and ISS
- Add minrate/timeout configuration values for downloading DEB/RPM packages
spacewalk-branding:
- Add the CSS class for retracted errata/packages
spacewalk-certs-tools:
- Add support of DISABLE_LOCAL_REPOS=0 for salt minions (bsc#1185568)
- Add missing environment variable SALT_RUNNING for pkg module to the
minion configuration
- Fix typo: activaion -> activation
spacewalk-java:
- Change Prometheus exporters formula data schema to make it more generic
and extendable
- Do not require advisory_status to be set in ErrataHandler.create
(bsc#1185965)
- Speed up pages to compare or add packages to channels (bsc#1178767)
- Bugfix: Remove the unneeded check that was stopping updating a virtual
instance type (bsc#1180673)
- Exclude minions from the list of locally-managed/sandbox systems when
copying config files (bsc#1184940)
- Lower case fqdn comparation when calculating minion connection path
(bsc#1184849)
- Bugfix: Retracted Patches: Filter minion correctly when executing
package install (bsc#1184929)
- Implement retracted patches
- For a SUSE system get metadata and package from same source (bsc#1184475)
- Check if the directory exists prior to modular data cleanup (bsc#1184311)
- Assign right base product for res8 (bsc#1184005)
- Fix docs link in my organization configuration (bsc#1184286)
- Only update the kickstart path in cobbler if necessary (bsc#1175216)
spacewalk-utils:
- Bugfix for ubuntu-18.04 repo urls: multiverse, restricted and backports
- Add multiverse, restricted and backports to Ubuntu 16.04, 18.04 and 20.04
spacewalk-web:
- Upgrade react-select to 4.3.0 and lodash to 4.17.21
- Show the info about unsynced patches in the Content Lifecycle Management
screens
susemanager:
- Add bootstrap repo data for SUSE Manager 4.1 Proxy
- Require gio-branding-SLE for SLE15 but not for openSUSE Leap 15
- Add bootstrap repo data for OES2018-SP3-x86_64 (bsc#1183845)
- Enable bootstrap repository creation for openSUSE Leap 15.3 for Uyuni
- Add python3-distro to RES8, SLE15, Ubuntu20.04 and Debian 10 bootstrap
repositories to fix bootstrapping issues (bsc#1184332)
- Add python3-pycryptodome to Ubuntu and Debian 10 bootstrap repos
(bsc#1186346)
- Add gnupg and its dependencies to debian 10 bootstrap repo
susemanager-build-keys:
- Add SUSE Linux Enterprise 15-SP3 Updates for openSUSE Leap 15.3 key
(bsc#1186852)
susemanager-doc-indexes:
- Adds additional dependencies for Debian client registration in Client
Configuration Guide (bsc#1183649)
- Remove some openSUSE Leap 15.1 references
- Add reposync configuration settings to Troubleshooting chapter of the
Administration Guide
- Update the entry about module.run for SAP Guide
susemanager-docs_en:
- Adds additional dependencies for Debian client registration in Client
Configuration Guide (bsc#1183649)
- Remove some openSUSE Leap 15.1 references
- Add reposync configuration settings to Troubleshooting chapter of the
Administration Guide
- Update the entry about module.run for SAP Guide
susemanager-schema:
- DB schema & migrations for retracted patches
susemanager-sls:
- Exclude openSUSE Leap 15.3 from product installation (bsc#1186858)
- Enable certificate deployment for Leap 15.3 clients which is needed for
bootstrapping (bsc#1186765)
- Do not install python2-salt on Salt 3002.2 Docker build hosts
(bsc#1185506)
- Add support for 'disable_local_repos' salt minion config
parameter(bsc#1185568)
- Fix insecure JMX configuration (bsc#1184617)
- Avoid conflicts with running ioloop on mgr_events engine (bsc#1172711)
- Keep salt-minion when it is installed to prevent update problems with
dependend packages not available in the bootstrap repo (bsc#1183573)
- Fix installation of gnupg on Debian 10
susemanager-sync-data:
- Add OES2018 SP3 (bsc#1183845)
tika-core:
- New upstream version 1.26.
* Infinite loop in the MP3Parser (bsc#1184892 CVE-2021-28657)
* Out of memory error while loading a file in PDFBox before 2.0.23.
* Infinite loop while loading a file in PDFBox before 2.0.23.
* System.exit vulnerability in Tika's OneNote Parser; out of memory
errors and/or infinite loops in Tika's ICNSParser, MP3Parser,
MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser.
* Excessive memory usage (DoS) vulnerability in Apache Tika's PSDParser
* Infinite Loop (DoS) vulnerability in Apache Tika's PSDParser
uyuni-common-libs:
- Maintainer field in debian packages are only recommended (bsc#1186508)
How to apply this update:
1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk
service: `spacewalk-service stop` 3. Apply the patch using either zypper
patch or YaST Online Update. 4. Start the Spacewalk service:
`spacewalk-service start`
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.1:
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-2098=1
Package List:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x x86_64):
golang-github-prometheus-node_exporter-1.1.2-3.6.5
patterns-suma_retail-4.1-6.9.2
patterns-suma_server-4.1-6.9.2
python3-uyuni-common-libs-4.1.8-3.9.1
spacewalk-branding-4.1.12-3.12.2
susemanager-4.1.26-3.25.1
susemanager-tools-4.1.26-3.25.1
- SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):
cobbler-3.0.0+git20190806.32c4bae0-5.11.1
grafana-formula-0.4.1-3.9.2
prometheus-exporters-formula-0.9.1-3.22.1
py26-compat-salt-2016.11.10-6.14.2
py27-compat-salt-3000.3-6.3.2
python3-spacewalk-certs-tools-4.1.17-3.17.2
spacewalk-admin-4.1.9-3.12.2
spacewalk-backend-4.1.25-4.32.6
spacewalk-backend-app-4.1.25-4.32.6
spacewalk-backend-applet-4.1.25-4.32.6
spacewalk-backend-config-files-4.1.25-4.32.6
spacewalk-backend-config-files-common-4.1.25-4.32.6
spacewalk-backend-config-files-tool-4.1.25-4.32.6
spacewalk-backend-iss-4.1.25-4.32.6
spacewalk-backend-iss-export-4.1.25-4.32.6
spacewalk-backend-package-push-server-4.1.25-4.32.6
spacewalk-backend-server-4.1.25-4.32.6
spacewalk-backend-sql-4.1.25-4.32.6
spacewalk-backend-sql-postgresql-4.1.25-4.32.6
spacewalk-backend-tools-4.1.25-4.32.6
spacewalk-backend-xml-export-libs-4.1.25-4.32.6
spacewalk-backend-xmlrpc-4.1.25-4.32.6
spacewalk-base-4.1.26-3.24.8
spacewalk-base-minimal-4.1.26-3.24.8
spacewalk-base-minimal-config-4.1.26-3.24.8
spacewalk-certs-tools-4.1.17-3.17.2
spacewalk-html-4.1.26-3.24.8
spacewalk-java-4.1.36-3.44.1
spacewalk-java-config-4.1.36-3.44.1
spacewalk-java-lib-4.1.36-3.44.1
spacewalk-java-postgresql-4.1.36-3.44.1
spacewalk-taskomatic-4.1.36-3.44.1
spacewalk-utils-4.1.16-3.18.2
spacewalk-utils-extras-4.1.16-3.18.2
susemanager-build-keys-15.2.4-3.17.1
susemanager-build-keys-web-15.2.4-3.17.1
susemanager-doc-indexes-4.1-11.34.8
susemanager-docs_en-4.1-11.34.2
susemanager-docs_en-pdf-4.1-11.34.2
susemanager-schema-4.1.21-3.30.6
susemanager-sls-4.1.28-3.42.1
susemanager-sync-data-4.1.14-3.23.2
susemanager-web-libs-4.1.26-3.24.8
tika-core-1.26-3.5.2
uyuni-config-modules-4.1.28-3.42.1
References:
https://www.suse.com/security/cve/CVE-2021-28657.html
https://www.suse.com/security/cve/CVE-2021-31607.html
https://bugzilla.suse.com/1151558
https://bugzilla.suse.com/1172711
https://bugzilla.suse.com/1175216
https://bugzilla.suse.com/1178767
https://bugzilla.suse.com/1180673
https://bugzilla.suse.com/1182744
https://bugzilla.suse.com/1183573
https://bugzilla.suse.com/1183649
https://bugzilla.suse.com/1183845
https://bugzilla.suse.com/1183864
https://bugzilla.suse.com/1184005
https://bugzilla.suse.com/1184286
https://bugzilla.suse.com/1184311
https://bugzilla.suse.com/1184332
https://bugzilla.suse.com/1184351
https://bugzilla.suse.com/1184361
https://bugzilla.suse.com/1184471
https://bugzilla.suse.com/1184475
https://bugzilla.suse.com/1184561
https://bugzilla.suse.com/1184617
https://bugzilla.suse.com/1184849
https://bugzilla.suse.com/1184892
https://bugzilla.suse.com/1184929
https://bugzilla.suse.com/1184940
https://bugzilla.suse.com/1185042
https://bugzilla.suse.com/1185097
https://bugzilla.suse.com/1185281
https://bugzilla.suse.com/1185506
https://bugzilla.suse.com/1185568
https://bugzilla.suse.com/1185965
https://bugzilla.suse.com/1186025
https://bugzilla.suse.com/1186124
https://bugzilla.suse.com/1186346
https://bugzilla.suse.com/1186508
https://bugzilla.suse.com/1186765
https://bugzilla.suse.com/1186852
https://bugzilla.suse.com/1186858
More information about the sle-security-updates
mailing list