SUSE-SU-2021:3621-1: moderate: Security update for SUSE Manager Server 4.1

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Fri Nov 5 20:17:10 UTC 2021


   SUSE Security Update: Security update for SUSE Manager Server 4.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3621-1
Rating:             moderate
References:         #1185951 #1187998 #1188315 #1189609 #1189643 
                    #1189818 #1190151 #1190166 #1190265 #1190276 
                    #1190512 #1190665 #1190751 #1191144 #1191222 
                    #1191274 #1191444 #1191495 #1191538 #1191643 
                    #1191898 
Cross-References:   CVE-2021-21996
CVSS scores:
                    CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.1
______________________________________________________________________________

   An update that solves one vulnerability and has 20 fixes is
   now available.

Description:

   This update fixes the following issues:

   grafana-formula:

   - Version 0.4.2
     * Add SSH blackbox status check panel to clients dashboard
     * Migrate deprecated panels in clients dashboard

   prometheus-formula:

   - Version 0.3.4
     * Fix opening Prometheus ports on proxy
   - Version 0.3.3
     * Add Prometheus targets configuration for minions SSH probing
     * Add blackbox exporter
     * Open Prometheus ports (bsc#1191144)

   py26-compat-salt:

   - Exclude the full path of a download URL to prevent injection of alicious
     code (bsc#1190265, CVE-2021-21996)

   py26-compat-tornado:

   - No relevant changes for users

   py27-compat-salt:

   - Fix the regression of docker_container state module
   - Support querying for JSON data in external sql pillar
   - Exclude the full path of a download URL to prevent injection of
     malicious code (bsc#1190265, CVE-2021-21996)
   - Fix wrong relative paths resolution with Jinja renderer when importing
     subdirectories

   spacecmd:

   - Version 4.1.15-1
     * configchannel_updatefile handles directory properly (bsc#1190512)

   spacewalk-backend:

   - Version 4.1.29-1
     * Avoid GPG errors messages in reposync caused by rpm not understanding
       signatures (bsc#1191538)
     * handle download of metadata filesnames with checksums (bsc#1188315)
     * Sanitize cached filename for custom SSL certs used by reposync
       (bsc#1190751)

   spacewalk-certs-tools:

   - Version 4.1.19-1
     * add GPG keys using apt-key on debian machines (bsc#1187998)
     * set key format to PEM when generating key for traditional clients push
       ssh (bsc#1189643)

   spacewalk-java:

   - Version 4.1.41-1
     * Move pickedup actions to history as soon as they are pickedup
       (bsc#1191444)
     * On salt-ssh minions, enforce package list refresh after state apply
     * Fix internal server error on DuplicateSystemsCompare (bsc#1191643)
     * mgr-sync refresh logs when a vendor channel is expire and shows how to
       remove it (bsc#1191222)
     * Remove NullPointerException in rhn_web_ui.log when building an image
       (bsc#1185951)
     * Add checksums to repository metadata filenames (bsc#1188315)
     * Fix ISE in product migration if base product is missing (bsc#1190151)
     * use TLSv1.3 if it is a supported Protocol
     * Adapt auto errata update to respect maintenance windows
     * Adapt auto errata update to skip during CLM build (bsc#1189609)
     * Update kernel live patch version on minion startup (bsc#1190276)

   spacewalk-reports:

   - Version 4.1.4-1
     * Improve performance of inventory report (bsc#1191495)

   spacewalk-web:

   - Version 4.1.30-1
     * Update Web UI version to 4.1.12

   subscription-matcher:

   - Version 0.27
     * update subscription rules for new SKUs (bsc#1189818)

   susemanager:

   - Version 4.1.31-1
     * Add the gnupg package for ubuntu which is then needed by apt-key
       (bsc#1187998)
     * Add python-mako, python-gnupg and gnupg1 to the Debian 9 bootstrap
       repository so bootstrapping without any enabled repositories is
       possible (bsc#1191898)

   susemanager-doc-indexes:

   - Add SLS state for keeping clients updated in Client Configuration Guide
   - Fixed unpublished patches note in the server update chapter of the
     Upgrade Guide
   - Added DNS resolution for minions to the troubleshooting section in the
     Client Configuration Guide
   - Documented low disc space warnings in the managing disk space chapter of
     the Administration Guide
   - In the ports section of the Installation Guide, mention tftpsync
     explicitly for port 443 (bsc#1190665)
   - In server upgrade procedure of the Upgrade Guide, add zypper ref step to
     refresh repositories reliably
   - Update effective_cache_size section of the Salt Guide (bsc#1191274)
   - Documented new filter in the content lifecycle management chapter of the
     Administration Guide
   - Added aarch64 support for clients in the Installation Guide and Client
     Configuration Guide
   - Documented AWS Permissions for Virtual Host Manager in VHM and Amazon
     Web Services chapter of the Client Configuration Guide
   - Removed an outdated patches note in the server update chapter of the
   - Fixed mgr-cfg-* issues in appendix of the Reference Guide. Run the
     commands on the client (bsc#1190166)
   - Removed Portus and CaaSP references from the image management chapter

   susemanager-docs_en:

   - Add SLS state for keeping clients updated in Client Configuration Guide
   - Fixed unpublished patches note in the server update chapter of the
     Upgrade Guide
   - Added DNS resolution for minions to the troubleshooting section in the
     Client Configuration Guide
   - Documented low disc space warnings in the managing disk space chapter of
     the Administration Guide
   - In the ports section of the Installation Guide, mention tftpsync
     explicitly for port 443 (bsc#1190665)
   - In server upgrade procedure of the Upgrade Guide, add zypper ref step to
     refresh repositories reliably
   - Update effective_cache_size section of the Salt Guide (bsc#1191274)
   - Documented new filter in the content lifecycle management chapter of the
     Administration Guide
   - Added aarch64 support for clients in the Installation Guide and Client
     Configuration Guide
   - Documented AWS Permissions for Virtual Host Manager in VHM and Amazon
     Web Services chapter of the Client Configuration Guide
   - Removed an outdated patches note in the server update chapter of the
   - Fixed mgr-cfg-* issues in appendix of the Reference Guide. Run the
     commands on the client (bsc#1190166)
   - Removed Portus and CaaSP references from the image management chapter

   susemanager-sls:

   - Version 4.1.31-1
     * Fix mgrcompat state module to work with Salt 3003 and 3004
     * Update kernel live patch version on minion startup (bsc#1190276)

   How to apply this update:

   1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk
   service: `spacewalk-service stop` 3. Apply the patch using either zypper
   patch or YaST Online Update. 4. Start the Spacewalk service:
   `spacewalk-service start`


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-3621=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x x86_64):

      py26-compat-tornado-4.2.1-3.3.2
      py26-compat-tornado-debuginfo-4.2.1-3.3.2
      py26-compat-tornado-debugsource-4.2.1-3.3.2
      susemanager-4.1.31-3.39.2
      susemanager-tools-4.1.31-3.39.2

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):

      grafana-formula-0.4.2-3.12.2
      prometheus-formula-0.3.4-3.12.2
      py26-compat-salt-2016.11.10-17.2
      py27-compat-salt-3000.3-6.15.2
      python3-spacewalk-certs-tools-4.1.19-3.22.2
      spacecmd-4.1.15-4.30.2
      spacewalk-backend-4.1.29-4.44.2
      spacewalk-backend-app-4.1.29-4.44.2
      spacewalk-backend-applet-4.1.29-4.44.2
      spacewalk-backend-config-files-4.1.29-4.44.2
      spacewalk-backend-config-files-common-4.1.29-4.44.2
      spacewalk-backend-config-files-tool-4.1.29-4.44.2
      spacewalk-backend-iss-4.1.29-4.44.2
      spacewalk-backend-iss-export-4.1.29-4.44.2
      spacewalk-backend-package-push-server-4.1.29-4.44.2
      spacewalk-backend-server-4.1.29-4.44.2
      spacewalk-backend-sql-4.1.29-4.44.2
      spacewalk-backend-sql-postgresql-4.1.29-4.44.2
      spacewalk-backend-tools-4.1.29-4.44.2
      spacewalk-backend-xml-export-libs-4.1.29-4.44.2
      spacewalk-backend-xmlrpc-4.1.29-4.44.2
      spacewalk-base-4.1.30-3.36.1
      spacewalk-base-minimal-4.1.30-3.36.1
      spacewalk-base-minimal-config-4.1.30-3.36.1
      spacewalk-certs-tools-4.1.19-3.22.2
      spacewalk-html-4.1.30-3.36.1
      spacewalk-java-4.1.41-3.58.2
      spacewalk-java-config-4.1.41-3.58.2
      spacewalk-java-lib-4.1.41-3.58.2
      spacewalk-java-postgresql-4.1.41-3.58.2
      spacewalk-reports-4.1.4-3.6.2
      spacewalk-taskomatic-4.1.41-3.58.2
      subscription-matcher-0.27-3.12.2
      susemanager-doc-indexes-4.1-11.46.2
      susemanager-docs_en-4.1-11.46.2
      susemanager-docs_en-pdf-4.1-11.46.2
      susemanager-sls-4.1.31-3.51.2
      susemanager-web-libs-4.1.30-3.36.1
      uyuni-config-modules-4.1.31-3.51.2


References:

   https://www.suse.com/security/cve/CVE-2021-21996.html
   https://bugzilla.suse.com/1185951
   https://bugzilla.suse.com/1187998
   https://bugzilla.suse.com/1188315
   https://bugzilla.suse.com/1189609
   https://bugzilla.suse.com/1189643
   https://bugzilla.suse.com/1189818
   https://bugzilla.suse.com/1190151
   https://bugzilla.suse.com/1190166
   https://bugzilla.suse.com/1190265
   https://bugzilla.suse.com/1190276
   https://bugzilla.suse.com/1190512
   https://bugzilla.suse.com/1190665
   https://bugzilla.suse.com/1190751
   https://bugzilla.suse.com/1191144
   https://bugzilla.suse.com/1191222
   https://bugzilla.suse.com/1191274
   https://bugzilla.suse.com/1191444
   https://bugzilla.suse.com/1191495
   https://bugzilla.suse.com/1191538
   https://bugzilla.suse.com/1191643
   https://bugzilla.suse.com/1191898



More information about the sle-security-updates mailing list