SUSE-SU-2021:2114-1: moderate: Security update for SUSE Manager Server 4.0
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Mon Jun 21 22:57:48 UTC 2021
SUSE Security Update: Security update for SUSE Manager Server 4.0
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:2114-1
Rating: moderate
References: #1172711 #1182817 #1184005 #1184283 #1184311
#1184332 #1184361 #1184471 #1184475 #1184561
#1184617 #1184861 #1184892 #1185097 #1185281
#1185506 #1186124 #1186346 #1186508
Cross-References: CVE-2021-28657 CVE-2021-31607
CVSS scores:
CVE-2021-28657 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2021-28657 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2021-31607 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-31607 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________
An update that solves two vulnerabilities and has 17 fixes
is now available.
Description:
This update fixes the following issues:
cobbler:
- Make "fence_ipmitool" a wrapper for "fence_ipmilan" using always lanplus
(bsc#1184361)
- Remove unused template for fence_ipmitool.
- Prevent some race conditions when writing tftpboot files and the
destination directory is not existing (bsc#1186124)
- Fix trail stripping in case of using UTF symbols (bsc#1184561)
grafana-formula:
- Fix Grafana dashboards requiring single series (bsc#1184471)
patterns-suse-manager:
- Add require for py27-compat-salt (salt 3002 does not provide
python2-salt anymore)
prometheus-exporters-formula:
- Move exporters configurations to dedicated group `prometheus_exporters`
- Add formula data schema migration script
- This version changes the formula data schema and is not backwards
compatible. Downgrading from this version will require reconfiguring the
formula for all your minions.
- Add Ubuntu support for Prometheus exporters' reverse proxy
pxe-default-image-sle15:
- Adapt rpm-properties.xml for containment-rpm-pxe v0.2.1 and newer
py26-compat-salt:
- Prevent command injection in the snapper module (bsc#1185281)
(CVE-2021-31607)
spacewalk-backend:
- Maintainer field in debian packages are only recommended (bsc#1186508)
- Switch to www group for satellite logs (bsc#1185097)
spacewalk-java:
- Change Prometheus exporters formula data schema to make it more generic
and extendable
- Adapt logging for testing accessability of URLs (bsc#1182817)
- Fix problem reading product_tree.json from wrong location in offline
setups (bsc#1184283)
- For a SUSE system get metadata and package from same source (bsc#1184475)
- Check if the directory exists prior to modular data cleanup (bsc#1184311)
- Assign right base product for res8 (bsc#1184005)
- Fix check for for mirrorlist URLs when refreshing products (bsc#1184861)
spacewalk-utils:
- Bugfix for ubuntu-18.04 repo urls: multiverse, restricted and backports
- Add multiverse, restricted and backports to Ubuntu 16.04, 18.04 and 20.04
spacewalk-web:
- Update the WebUI version to 4.0.14
susemanager:
- Add python3-pycryptodome to Ubuntu 18 and 20 bootstrap repos
(bsc#1186346)
- Require gio-branding-SLE for SLE15 but not for openSUSE Leap 15
- Add python3-distro to RES8, SLE15 and Ubuntu20.04 bootstrap repositories
to fix bootstrapping issues (bsc#1184332)
susemanager-doc-indexes:
- Update for Disconnected Setup chapter in Administration Guide
susemanager-docs_en:
- Update for Disconnected Setup chapter in Administration Guide
susemanager-sls:
- Do not install python2-salt on Salt 3002.2 Docker build hosts
(bsc#1185506)
- Fix insecure JMX configuration (bsc#1184617)
- Avoid conflicts with running ioloop on mgr_events engine (bsc#1172711)
tika-core:
- New upstream version 1.26. Fixes:
* Infinite loop in the MP3Parser (bsc#1184892, CVE-2021-28657)
* Out of memory error while loading a file in PDFBox before 2.0.23.
* Infinite loop while loading a file in PDFBox before 2.0.23.
* System.exit vulnerability in Tika's OneNote Parser; out of memory
errors and/or infinite loops in Tika's ICNSParser, MP3Parser,
MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser.
* Excessive memory usage (DoS) vulnerability in Apache Tika's PSDParser
* Infinite Loop (DoS) vulnerability in Apache Tika's PSDParser
How to apply this update: 1. Log in as root user to the SUSE Manager
server. 2. Stop the Spacewalk service: `spacewalk-service stop` 3. Apply
the patch using either zypper patch or YaST Online Update. 4. Upgrade the
database schema: `spacewalk-schema-upgrade` 5. Start the Spacewalk
service: `spacewalk-service start`
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.0:
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2021-2114=1
Package List:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64):
patterns-suma_retail-4.0-9.19.3
patterns-suma_server-4.0-9.19.3
susemanager-4.0.34-3.52.3
susemanager-tools-4.0.34-3.52.3
- SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):
cobbler-3.0.0+git20190806.32c4bae0-7.22.3
grafana-formula-0.2.3-4.16.3
prometheus-exporters-formula-0.7.6-3.19.3
pxe-default-image-sle15-4.0.1-20210621145802
py26-compat-salt-2016.11.10-10.28.3
py27-compat-salt-3000.3-4.3.3
python3-spacewalk-backend-libs-4.0.38-3.47.4
spacewalk-backend-4.0.38-3.47.4
spacewalk-backend-app-4.0.38-3.47.4
spacewalk-backend-applet-4.0.38-3.47.4
spacewalk-backend-config-files-4.0.38-3.47.4
spacewalk-backend-config-files-common-4.0.38-3.47.4
spacewalk-backend-config-files-tool-4.0.38-3.47.4
spacewalk-backend-iss-4.0.38-3.47.4
spacewalk-backend-iss-export-4.0.38-3.47.4
spacewalk-backend-package-push-server-4.0.38-3.47.4
spacewalk-backend-server-4.0.38-3.47.4
spacewalk-backend-sql-4.0.38-3.47.4
spacewalk-backend-sql-postgresql-4.0.38-3.47.4
spacewalk-backend-tools-4.0.38-3.47.4
spacewalk-backend-xml-export-libs-4.0.38-3.47.4
spacewalk-backend-xmlrpc-4.0.38-3.47.4
spacewalk-base-4.0.28-3.45.1
spacewalk-base-minimal-4.0.28-3.45.1
spacewalk-base-minimal-config-4.0.28-3.45.1
spacewalk-html-4.0.28-3.45.1
spacewalk-java-4.0.44-3.57.5
spacewalk-java-config-4.0.44-3.57.5
spacewalk-java-lib-4.0.44-3.57.5
spacewalk-java-postgresql-4.0.44-3.57.5
spacewalk-taskomatic-4.0.44-3.57.5
spacewalk-utils-4.0.21-3.30.3
susemanager-doc-indexes-4.0-10.36.4
susemanager-docs_en-4.0-10.36.3
susemanager-docs_en-pdf-4.0-10.36.3
susemanager-sls-4.0.35-3.48.3
susemanager-web-libs-4.0.28-3.45.1
tika-core-1.26-3.6.3
References:
https://www.suse.com/security/cve/CVE-2021-28657.html
https://www.suse.com/security/cve/CVE-2021-31607.html
https://bugzilla.suse.com/1172711
https://bugzilla.suse.com/1182817
https://bugzilla.suse.com/1184005
https://bugzilla.suse.com/1184283
https://bugzilla.suse.com/1184311
https://bugzilla.suse.com/1184332
https://bugzilla.suse.com/1184361
https://bugzilla.suse.com/1184471
https://bugzilla.suse.com/1184475
https://bugzilla.suse.com/1184561
https://bugzilla.suse.com/1184617
https://bugzilla.suse.com/1184861
https://bugzilla.suse.com/1184892
https://bugzilla.suse.com/1185097
https://bugzilla.suse.com/1185281
https://bugzilla.suse.com/1185506
https://bugzilla.suse.com/1186124
https://bugzilla.suse.com/1186346
https://bugzilla.suse.com/1186508
More information about the sle-security-updates
mailing list