SUSE-SU-2021:2114-1: moderate: Security update for SUSE Manager Server 4.0

sle-security-updates at lists.suse.com
Mon Jun 21 22:57:48 UTC 2021


   SUSE Security Update: Security update for SUSE Manager Server 4.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:2114-1
Rating:             moderate
References:         #1172711 #1182817 #1184005 #1184283 #1184311 
                    #1184332 #1184361 #1184471 #1184475 #1184561 
                    #1184617 #1184861 #1184892 #1185097 #1185281 
                    #1185506 #1186124 #1186346 #1186508 
Cross-References:   CVE-2021-28657 CVE-2021-31607
CVSS scores:
                    CVE-2021-28657 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2021-28657 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2021-31607 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-31607 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________

   An update that solves two vulnerabilities and has 17 fixes
   is now available.

Description:


   This update fixes the following issues:

   cobbler:

   - Make "fence_ipmitool" a wrapper for "fence_ipmilan" that always uses lanplus
     (bsc#1184361)
   - Remove the unused template for fence_ipmitool.
   - Prevent race conditions when writing tftpboot files while the
     destination directory does not yet exist (bsc#1186124)
   - Fix trail stripping when UTF symbols are used (bsc#1184561)

   grafana-formula:

   - Fix Grafana dashboards requiring single series (bsc#1184471)

   patterns-suse-manager:

   - Add a requirement on py27-compat-salt (Salt 3002 no longer provides
     python2-salt)

   prometheus-exporters-formula:

   - Move exporter configurations to the dedicated `prometheus_exporters` group
   - Add formula data schema migration script
   - This version changes the formula data schema and is not backwards
     compatible. Downgrading from this version will require reconfiguring the
     formula for all your minions.
   - Add Ubuntu support for Prometheus exporters' reverse proxy

   pxe-default-image-sle15:

   - Adapt rpm-properties.xml for containment-rpm-pxe v0.2.1 and newer

   py26-compat-salt:

   - Prevent command injection in the snapper module (bsc#1185281)
     (CVE-2021-31607)

   spacewalk-backend:

   - The Maintainer field in Debian packages is only recommended, not
     mandatory (bsc#1186508)
   - Switch to the www group for satellite logs (bsc#1185097)

   spacewalk-java:

   - Change the Prometheus exporters formula data schema to make it more generic
     and extensible
   - Adapt logging for testing the accessibility of URLs (bsc#1182817)
   - Fix reading product_tree.json from the wrong location in offline
     setups (bsc#1184283)
   - For a SUSE system, get metadata and packages from the same source (bsc#1184475)
   - Check that the directory exists prior to modular data cleanup (bsc#1184311)
   - Assign the correct base product for res8 (bsc#1184005)
   - Fix the check for mirrorlist URLs when refreshing products (bsc#1184861)

   spacewalk-utils:

   - Fix Ubuntu 18.04 repository URLs for multiverse, restricted and backports
   - Add multiverse, restricted and backports to Ubuntu 16.04, 18.04 and 20.04

   spacewalk-web:

   - Update the WebUI version to 4.0.14

   susemanager:

   - Add python3-pycryptodome to Ubuntu 18 and 20 bootstrap repos
     (bsc#1186346)
   - Require gio-branding-SLE for SLE15 but not for openSUSE Leap 15
   - Add python3-distro to the RES8, SLE15 and Ubuntu 20.04 bootstrap repositories
     to fix bootstrapping issues (bsc#1184332)

   susemanager-doc-indexes:

   - Update for Disconnected Setup chapter in Administration Guide

   susemanager-docs_en:

   - Update for Disconnected Setup chapter in Administration Guide

   susemanager-sls:

   - Do not install python2-salt on Salt 3002.2 Docker build hosts
     (bsc#1185506)
   - Fix insecure JMX configuration (bsc#1184617)
   - Avoid conflicts with running ioloop on mgr_events engine (bsc#1172711)

   tika-core:

   - New upstream version 1.26. Fixes:
     * Infinite loop in the MP3Parser (bsc#1184892, CVE-2021-28657)
     * Out of memory error while loading a file in PDFBox before 2.0.23.
     * Infinite loop while loading a file in PDFBox before 2.0.23.
     * System.exit vulnerability in Tika's OneNote Parser; out of memory
       errors and/or infinite loops in Tika's ICNSParser, MP3Parser,
       MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser.
     * Excessive memory usage (DoS) vulnerability in Apache Tika's PSDParser
     * Infinite Loop (DoS) vulnerability in Apache Tika's PSDParser

   How to apply this update:

   1. Log in as the root user to the SUSE Manager server.
   2. Stop the Spacewalk service: `spacewalk-service stop`
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Upgrade the database schema: `spacewalk-schema-upgrade`
   5. Start the Spacewalk service: `spacewalk-service start`


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2021-2114=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64):

      patterns-suma_retail-4.0-9.19.3
      patterns-suma_server-4.0-9.19.3
      susemanager-4.0.34-3.52.3
      susemanager-tools-4.0.34-3.52.3

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):

      cobbler-3.0.0+git20190806.32c4bae0-7.22.3
      grafana-formula-0.2.3-4.16.3
      prometheus-exporters-formula-0.7.6-3.19.3
      pxe-default-image-sle15-4.0.1-20210621145802
      py26-compat-salt-2016.11.10-10.28.3
      py27-compat-salt-3000.3-4.3.3
      python3-spacewalk-backend-libs-4.0.38-3.47.4
      spacewalk-backend-4.0.38-3.47.4
      spacewalk-backend-app-4.0.38-3.47.4
      spacewalk-backend-applet-4.0.38-3.47.4
      spacewalk-backend-config-files-4.0.38-3.47.4
      spacewalk-backend-config-files-common-4.0.38-3.47.4
      spacewalk-backend-config-files-tool-4.0.38-3.47.4
      spacewalk-backend-iss-4.0.38-3.47.4
      spacewalk-backend-iss-export-4.0.38-3.47.4
      spacewalk-backend-package-push-server-4.0.38-3.47.4
      spacewalk-backend-server-4.0.38-3.47.4
      spacewalk-backend-sql-4.0.38-3.47.4
      spacewalk-backend-sql-postgresql-4.0.38-3.47.4
      spacewalk-backend-tools-4.0.38-3.47.4
      spacewalk-backend-xml-export-libs-4.0.38-3.47.4
      spacewalk-backend-xmlrpc-4.0.38-3.47.4
      spacewalk-base-4.0.28-3.45.1
      spacewalk-base-minimal-4.0.28-3.45.1
      spacewalk-base-minimal-config-4.0.28-3.45.1
      spacewalk-html-4.0.28-3.45.1
      spacewalk-java-4.0.44-3.57.5
      spacewalk-java-config-4.0.44-3.57.5
      spacewalk-java-lib-4.0.44-3.57.5
      spacewalk-java-postgresql-4.0.44-3.57.5
      spacewalk-taskomatic-4.0.44-3.57.5
      spacewalk-utils-4.0.21-3.30.3
      susemanager-doc-indexes-4.0-10.36.4
      susemanager-docs_en-4.0-10.36.3
      susemanager-docs_en-pdf-4.0-10.36.3
      susemanager-sls-4.0.35-3.48.3
      susemanager-web-libs-4.0.28-3.45.1
      tika-core-1.26-3.6.3
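   As an added example (not part of the advisory), the following Python check
   compares installed package name-version-release strings, as printed by
   `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`, against a subset of the fixed
   versions listed above, so an administrator can confirm that the update actually
   landed. The installed list is a constructed sample, and the version comparison
   follows rpm's segment algorithm without the tilde/caret rules, which is
   assumed sufficient for the versions on this page.

```python
import re
# Fixed versions taken from the advisory's noarch package list (subset).
FIXED_NVRS = ["cobbler-3.0.0+git20190806.32c4bae0-7.22.3",
              "spacewalk-java-4.0.44-3.57.5", "tika-core-1.26-3.6.3"]
# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# output on an unpatched server (not real output).
INSTALLED_SAMPLE = ["bash-4.4-9.10.1", "tika-core-1.26-3.6.3",
                    "cobbler-3.0.0+git20190806.32c4bae0-7.19.1",
                    "spacewalk-java-4.0.43-3.55.1"]

def rpmvercmp(a, b):
    """Segment-wise compare of rpm version/release strings, following
    rpmvercmp() (tilde/caret rules omitted). Returns -1, 0 or 1."""
    while True:
        a = re.sub(r"^[^A-Za-z0-9]+", "", a)  # separators only split
        b = re.sub(r"^[^A-Za-z0-9]+", "", b)
        if not a or not b:
            break
        numeric = a[0].isdigit()
        pat = r"[0-9]+" if numeric else r"[A-Za-z]+"
        ma, mb = re.match(pat, a), re.match(pat, b)
        if mb is None:  # mixed types: a numeric segment is always newer
            return 1 if numeric else -1
        sa, sb = ma.group(), mb.group()
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        a, b = a[ma.end():], b[mb.end():]
    if not a and not b:
        return 0
    return 1 if a else -1  # whichever still has characters wins

def parse_nvr(nvr):
    """Split 'name-version-release' on the last two hyphens."""
    return tuple(nvr.rsplit("-", 2))

def outdated_packages(installed, fixed=FIXED_NVRS):
    """Return installed NVRs older than the advisory's fixed NVR."""
    fixed_by_name = {n: (v, r) for n, v, r in map(parse_nvr, fixed)}
    out = []
    for nvr in installed:
        n, v, r = parse_nvr(nvr)
        if n in fixed_by_name and (rpmvercmp(v, fixed_by_name[n][0])
                                   or rpmvercmp(r, fixed_by_name[n][1])) < 0:
            out.append(nvr)
    return out
```

   Packages not named in the advisory are ignored, and a package whose
   installed version-release equals or exceeds the fixed one is reported as current.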


References:

   https://www.suse.com/security/cve/CVE-2021-28657.html
   https://www.suse.com/security/cve/CVE-2021-31607.html
   https://bugzilla.suse.com/1172711
   https://bugzilla.suse.com/1182817
   https://bugzilla.suse.com/1184005
   https://bugzilla.suse.com/1184283
   https://bugzilla.suse.com/1184311
   https://bugzilla.suse.com/1184332
   https://bugzilla.suse.com/1184361
   https://bugzilla.suse.com/1184471
   https://bugzilla.suse.com/1184475
   https://bugzilla.suse.com/1184561
   https://bugzilla.suse.com/1184617
   https://bugzilla.suse.com/1184861
   https://bugzilla.suse.com/1184892
   https://bugzilla.suse.com/1185097
   https://bugzilla.suse.com/1185281
   https://bugzilla.suse.com/1185506
   https://bugzilla.suse.com/1186124
   https://bugzilla.suse.com/1186346
   https://bugzilla.suse.com/1186508


