SUSE-SU-2021:3170-1: critical: Security update for SUSE Manager Server 4.2

sle-security-updates at lists.suse.com
Mon Sep 20 19:36:17 UTC 2021


   SUSE Security Update: Security update for SUSE Manager Server 4.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3170-1
Rating:             critical
References:         #1171483 #1173143 #1181223 #1186281 #1186339 
                    #1187335 #1187549 #1188032 #1188042 #1188136 
                    #1188163 #1188193 #1188260 #1188393 #1188400 
                    #1188503 #1188505 #1188551 #1188641 #1188647 
                    #1188656 #1188853 #1188855 #1189011 #1189040 
                    #1189167 #1189419 #1189458 
Cross-References:   CVE-2021-40323 CVE-2021-40324 CVE-2021-40325
                   
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.2
______________________________________________________________________________

   An update that solves three vulnerabilities and has 25
   fixes is now available.

Description:

   This update fixes the following issues:

   branch-network-formula:

   - Use kernel parameters from PXE formula also for local boot

   cobbler - security issues fixed:

   - CVE-2021-40323: Fixed an arbitrary file disclosure/Template Injection
     (bsc#1189458)
   - CVE-2021-40324: Fixed an arbitrary file write (bsc#1189458)
   - CVE-2021-40325: Fixed a problem with the token validation (bsc#1189458)
   - Please note that with these changes, valid log data from Anamon (Red
     Hat Autoinstallation Process) uploaded to cobbler may be rejected.

   cpu-mitigations-formula:

   - Add SLES 15 SP3 and openSUSE Leap 15.3 to supported versions

   openvpn-formula:

   - Changed package to noarch.

   prometheus-exporters-formula:

   - Fix formula data migration with missing exporter configuration
     (bsc#1188136)

   py26-compat-salt:

   - Fix error handling in openscap module (bsc#1188647)
   - Define license macro as doc in spec file if not existing

   py27-compat-salt:

   - Add missing aarch64 to rpm package architectures
   - Consolidate some state requisites (bsc#1188641)
   - Fix failing unit test for systemd
   - Fix error handling in openscap module (bsc#1188647)
   - Better handling of bad public keys from minions (bsc#1189040)
   - Define license macro as doc in spec file if not existing

   saltboot-formula:

   - Use kernel parameters from PXE formula also for local boot

   spacecmd:

   - Update translation strings
   - Make schedule_deletearchived fetch all actions without a display limit
   - Allow passing a date limit for schedule_deletearchived on spacecmd
     (bsc#1181223)
   - Use correct API endpoint in list_proxies (bsc#1188042)
   - Add schedule_deletearchived to bulk delete archived actions (bsc#1181223)

   spacewalk-backend:

   - Update translation strings
   - Fix typo "verfication" instead of "verification"

   spacewalk-certs-tools:

   - Prepare the bootstrap script generator for Rocky Linux 8

   spacewalk-client-tools:

   - Update translation strings

   spacewalk-java:

   - Show AppStreams tab just for modular channels
   - Fix JSON null comparison in virtual network info parsing (bsc#1189167)
   - Update translation strings
   - 'AppStreams with defaults' filter template in CLM
   - Add a link to OS image store dir in image list page
   - Do not log XMLRPC fault exceptions as errors (bsc#1188853)
   - XMLRPC: Add call for listing application monitoring endpoints
   - AppStreams tab for modular channels
   - Link to CLM filter creation from system details page
   - Allow getting all archived actions via XMLRPC without display limit
     (bsc#1181223)
   - Fix NPE when no redhat info could be fetched
   - Java enablement for Rocky Linux 8
   - Delete ActionChains when the last action is a Reboot and it completes
     (bsc#1188163)
   - Properly handle virtual networks without defined bridge (bsc#1189167)
   - Mark SSH minion actions when they're picked up (bsc#1188505)
   - Add UEFI support for VM creation / editing
   - Add virt-tuner templates to VM creation
   - Fix cleanup always being executed on delete system (bsc#1189011)
   - Warning in Overview page for SLE Micro system (bsc#1188551)
   - Add support for Kiwi options
   - Ensure XMLRPC returns 'issue_date' in ISO format when listing errata
     (bsc#1188260)
   - Fix NullPointerException in HardwareMapper.getUpdatedGuestMemory
   - Fix entitlements not being updated during system transfer (bsc#1188032)
   - Simplify the VM creation action in DB
   - Get CPU data for AArch64
   - Handle virtual machines running on pacemaker cluster
   - Refresh virtual host pillar to clear the virtpoller beacon (bsc#1188393)
   - Add Beijing timezone to selectable timezones (bsc#1188193)
   - Fix updating primary net interface on hardware refresh (bsc#1188400)
   - Fix issues when removing archived actions using XMLRPC api (bsc#1181223)
   - Readable error when "mgr-sync add channel" is called with a non-existent
     label (bsc#1173143)

   spacewalk-setup:

   - Enable logging for salt SSH
   - Increase max size for uploaded files to Salt master

   spacewalk-utils:

   - Add Rocky Linux 8 repositories

   spacewalk-web:

   - Don't capitalize acronyms
   - Update translation strings
   - 'AppStreams with defaults' filter template in CLM
   - Add a link to OS image store dir in image list page
   - Link to CLM filter creation from system details page
   - Expose UEFI parameters in the VM creation/editing pages
   - Add virt-tuner templates to VM creation
   - Fix cleanup always being executed on delete system (bsc#1189011)
   - Add support for Kiwi options
   - Fix virtualization guests to handle null HostInfo
   - Compare lowercase CPU arch with libvirt domain capabilities
   - Refresh JWT virtual console token before it expires
   - Handle virtual machines running on pacemaker cluster

   susemanager:

   - Abort migration if data_directory is defined in the PostgreSQL
     configuration file
   - Update translation strings
   - Add bootstrap repository definitions for Rocky Linux 8

   susemanager-build-keys:

   - Add Debian 11
   - Add Rocky Linux 8

   susemanager-doc-indexes:

   - Added SUSE Linux Enterprise 15 Service Pack 3 to clients list
   - Add information about pam service name limitations
   - Add SUSE Linux Enterprise Micro to supported features table
   - Add SUSE Linux Enterprise Micro client to support matrix page
   - Replaced remaining occurrences of "Service Pack Migration" with "Product
     Migration"
   - Reworded the Advanced virtual guest management description for clarity
     in Client Configuration Guide
   - Added missing Rocky instructions to the Client Configuration Guide
   - Updated setup section in the Installation Guide about troubleshooting
     freely available products
   - Added channel synchronization warning in the product migration chapter
     of the Client Configuration Guide
   - Removed Red Hat Enterprise Linux 6, SUSE Linux Enterprise Server
     Expanded Support 6, Oracle Linux 6, CentOS 6, and Ubuntu 16.04 LTS as
     supported client systems in the Client Configuration Guide (bsc#1188656)
   - In the Prometheus chapter of the Administration Guide advise to store
     data locally (bsc#1188855)
   - Additional information added for Inter Server Sync v2 on limitations and
     configuration
   - Documented required SUSE Linux Enterprise Server version for the Ansible
     control node in the Ansible Integration chapter of the Administration
     Guide (bsc#1189419)
   - Added information about installing Python 3.6 on CentOS, Oracle Linux,
     Almalinux, SUSE Linux Enterprise Server with Expanded Support, and Red
     Hat in the Client Configuration Guide (bsc#1187335)
   - Corrected the package name for PAM authentication (bsc#1171483)
   - Client Configuration Guide: reorganized navigation bar to list SUSE
     Linux Enterprise Server, openSUSE and other clients in alphabetical
     order for better user experience
   - In the Ansible chapter of the Administration Guide mention that Ansible
     is available on Proxy and Retail Branch Server
   - Added a warning on Ansible hardware requirements to the Retail Guide
   - Improved warning on overwriting images in public cloud in the Client
     Configuration Guide
   - Reference Guide: removed underscores in page titles and nav bar links.
   - Provide more information about Salt SSH user configuration in the Salt
     Guide (bsc#1187549)
   - Documented KIWI options and profile selection in Administration Guide
   - Added note about autoinstallation kernel options and Azure clients
   - Added general information about SUSE Manager registration code that you
     can obtain from a "SUSE Manager Lifecycle Management+" subscription
   - Document new Salt SSH logs at the Client Configuration Guide,
     Troubleshooting section
   - In the monitoring chapter of the Administration Guide mention that
     Prometheus is available on Proxy and Retail Branch Server
   - Added warning on Prometheus hardware requirements in the Retail Guide
     (bsc#1186339)
   - Documented spacecmd installation on Ubuntu 18.04 and 20.04 in Client
     Configuration Guide
   - Amended Client Configuration Guide to exclude paragraphs that are Uyuni
     specific for CentOS, AlmaLinux and Oracle clients

   susemanager-docs_en:

   - Added SUSE Linux Enterprise 15 Service Pack 3 to clients list
   - Add information about pam service name limitations
   - Add SUSE Linux Enterprise Micro to supported features table
   - Add SUSE Linux Enterprise Micro client to support matrix page
   - Replaced remaining occurrences of "Service Pack Migration" with "Product
     Migration"
   - Reworded the Advanced virtual guest management description for clarity
     in Client Configuration Guide
   - Added missing Rocky instructions to the Client Configuration Guide
   - Updated setup section in the Installation Guide about troubleshooting
     freely available products
   - Added channel synchronization warning in the product migration chapter
     of the Client Configuration Guide
   - Removed Red Hat Enterprise Linux 6, SUSE Linux Enterprise Server
     Expanded Support 6, Oracle Linux 6, CentOS 6, and Ubuntu 16.04 LTS as
     supported client systems in the Client Configuration Guide (bsc#1188656)
   - In the Prometheus chapter of the Administration Guide advise to store
     data locally (bsc#1188855)
   - Additional information added for Inter Server Sync v2 on limitations and
     configuration
   - Documented required SUSE Linux Enterprise Server version for the Ansible
     control node in the Ansible Integration chapter of the Administration
     Guide (bsc#1189419)
   - Added information about installing Python 3.6 on CentOS, Oracle Linux,
     Almalinux, SUSE Linux Enterprise Server with Expanded Support, and Red
     Hat in the Client Configuration Guide (bsc#1187335)
   - Corrected the package name for PAM authentication (bsc#1171483)
   - Client Configuration Guide: reorganized navigation bar to list SUSE
     Linux Enterprise Server, openSUSE and other clients in alphabetical
     order for better user experience
   - In the Ansible chapter of the Administration Guide mention that Ansible
     is available on Proxy and Retail Branch Server
   - Added a warning on Ansible hardware requirements to the Retail Guide
   - Improved warning on overwriting images in public cloud in the Client
     Configuration Guide
   - Reference Guide: removed underscores in page titles and nav bar links.
   - Provide more information about Salt SSH user configuration in the Salt
     Guide (bsc#1187549)
   - Documented KIWI options and profile selection in Administration Guide
   - Added note about autoinstallation kernel options and Azure clients
   - Added general information about SUSE Manager registration code that you
     can obtain from a "SUSE Manager Lifecycle Management+" subscription
   - Document new Salt SSH logs at the Client Configuration Guide,
     Troubleshooting section
   - In the monitoring chapter of the Administration Guide mention that
     Prometheus is available on Proxy and Retail Branch Server
   - Added warning on Prometheus hardware requirements in the Retail Guide
     (bsc#1186339)
   - Documented spacecmd installation on Ubuntu 18.04 and 20.04 in Client
     Configuration Guide
   - Amended Client Configuration Guide to exclude paragraphs that are Uyuni
     specific for CentOS, AlmaLinux and Oracle clients

   susemanager-schema:

   - Add Rocky Linux 8 key and vendor
   - Fix wrongly assigned entitlements due to system transfer (bsc#1188032)
   - Force a one-off VACUUM ANALYZE
   - Add Kiwi commandline options to Kiwi profile
   - Upgrade scripts idempotency fixes
   - Simplify the VM creation action in DB
   - Handle virtual machines running on pacemaker cluster
   - Refresh virtual host pillar to clear the virtpoller beacon (bsc#1188393)
   - Add Beijing timezone to selectable timezones (bsc#1188193)

   susemanager-sls:

   - Add Rocky Linux 8 support
   - Enable logrotate configuration for Salt SSH minion logs
   - Add UEFI support for VM creation
   - Add virt-tuner templates to VM creation
   - Handle more ocfs2 setups in virt_utils module
   - Add missing symlinks to generate the "certs" state for SLE Micro 5.0 and
     openSUSE MicroOS minions (bsc#1188503)
   - Add findutils to Kiwi bootstrap packages
   - Remove systemid file on salt client cleanup
   - Add support for Kiwi options
   - Skip 'update-ca-certificates' run if the certs are updated automatically
   - Use lscpu to provide more CPU grains for all architectures
   - Fix deleting stopped virtual network (bsc#1186281)
   - Handle virtual machines running on pacemaker cluster

   susemanager-sync-data:

   - Support Rocky Linux 8 x86_64
   - Add channel family for MicroOS Z
   - Set OES 2018 SP3 to released

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service: `spacewalk-service stop`
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service: `spacewalk-service start`


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2021-3170=1
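   As an added check that is not part of the advisory or of SUSE Manager's own
   tooling: after the patch has been applied and the Spacewalk service has been
   restarted, confirm that the affected packages really are at or above the
   versions in the Package List below. The Python script that follows is example
   code written for this page. It reimplements rpm's segment-wise version
   comparison (without tilde and caret ordering, which none of these versions
   use), compares `rpm -q` output against a subset of the fixed version-release
   strings from the Package List, and reports each package as ok, vulnerable or
   not installed. The `rpm_installed` helper and the sample `rpm -q` output are
   assumptions constructed for illustration; the sample shows a server where
   cobbler is still at a pre-advisory release.

```python
"""Verify that packages from SUSE-SU-2021:3170-1 are installed at a fixed version.

Added example, not part of the advisory or of SUSE Manager's own tooling.
"""
import re
import subprocess

# Fixed version-release strings, taken from the advisory's Package List (subset).
FIXED_VERSIONS = {
    "cobbler": "3.1.2-5.8.1",
    "spacewalk-java": "4.2.28-3.11.5",
    "spacewalk-setup": "4.2.8-3.6.1",
    "susemanager": "4.2.22-3.6.1",
    "susemanager-sls": "4.2.16-3.6.1",
    "py27-compat-salt": "3000.3-7.7.8.1",
}

# Constructed sample of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output
# (not real data) for a server where cobbler is still at an older release.
SAMPLE_RPM_OUTPUT = """\
cobbler 3.1.2-5.5.1
spacewalk-java 4.2.28-3.11.5
susemanager 4.2.22-3.6.1
py27-compat-salt 3000.3-7.7.8.1
"""


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm's rpmvercmp() does.

    Each string is split into alternating runs of digits and letters; every
    other character is a separator. Numeric segments compare as integers, alpha
    segments lexically, a numeric segment sorts after an alpha one, and when
    one string runs out of segments the longer one is newer. Tilde/caret
    ordering is deliberately not implemented (unused by these versions).
    Returns 1 if a is newer, -1 if b is newer, 0 if they are equal.
    """
    if a == b:
        return 0
    seg_a = re.findall(r"\d+|[A-Za-z]+", a)
    seg_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def vr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version decides first, then release."""
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_rpm_output(text: str) -> dict:
    """Parse 'NAME VERSION-RELEASE' lines into {name: 'version-release'}.

    Lines such as 'package X is not installed' have more than two fields and
    are skipped, so a missing package simply stays absent from the result.
    """
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def check_patch_level(installed: dict, fixed: dict = FIXED_VERSIONS) -> dict:
    """Classify each advisory package as 'ok', 'vulnerable' or 'not installed'."""
    result = {}
    for name, fixed_vr in fixed.items():
        if name not in installed:
            result[name] = "not installed"
        elif vr_cmp(installed[name], fixed_vr) >= 0:
            result[name] = "ok"
        else:
            result[name] = "vulnerable"
    return result


def rpm_installed(names) -> dict:
    """Query the local rpm database (assumed helper; only used when run as a script)."""
    out = subprocess.run(
        ["rpm", "-q", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n", *names],
        capture_output=True, text=True, check=False,
    ).stdout
    return parse_rpm_output(out)


if __name__ == "__main__":
    status = check_patch_level(rpm_installed(FIXED_VERSIONS))
    for name, state in sorted(status.items()):
        print(f"{name:20s} {state}")
    raise SystemExit(1 if "vulnerable" in status.values() else 0)
```

   Run as root on the SUSE Manager server after step 4; a non-zero exit means at
   least one listed package is still below its fixed release. The `--qf` format is
   used instead of plain `rpm -qa` output because package names such as
   `spacewalk-backend-config-files` contain hyphens, which makes splitting the
   default `name-version-release.arch` string ambiguous.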



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64):

      inter-server-sync-0.0.5-8.3.2
      inter-server-sync-debuginfo-0.0.5-8.3.2
      susemanager-4.2.22-3.6.1
      susemanager-tools-4.2.22-3.6.1

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):

      branch-network-formula-0.1.1628156312.dbd0dec-3.3.1
      cobbler-3.1.2-5.8.1
      cpu-mitigations-formula-0.4.0-3.3.1
      openvpn-formula-0.1.2-3.3.1
      prometheus-exporters-formula-1.0.3-3.6.1
      py26-compat-salt-2016.11.10-11.28.6.1
      py27-compat-salt-3000.3-7.7.8.1
      python3-spacewalk-certs-tools-4.2.12-3.6.2
      python3-spacewalk-client-tools-4.2.13-4.6.3
      saltboot-formula-0.1.1628156312.dbd0dec-3.3.1
      spacecmd-4.2.12-4.6.2
      spacewalk-backend-4.2.16-4.6.3
      spacewalk-backend-app-4.2.16-4.6.3
      spacewalk-backend-applet-4.2.16-4.6.3
      spacewalk-backend-config-files-4.2.16-4.6.3
      spacewalk-backend-config-files-common-4.2.16-4.6.3
      spacewalk-backend-config-files-tool-4.2.16-4.6.3
      spacewalk-backend-iss-4.2.16-4.6.3
      spacewalk-backend-iss-export-4.2.16-4.6.3
      spacewalk-backend-package-push-server-4.2.16-4.6.3
      spacewalk-backend-server-4.2.16-4.6.3
      spacewalk-backend-sql-4.2.16-4.6.3
      spacewalk-backend-sql-postgresql-4.2.16-4.6.3
      spacewalk-backend-tools-4.2.16-4.6.3
      spacewalk-backend-xml-export-libs-4.2.16-4.6.3
      spacewalk-backend-xmlrpc-4.2.16-4.6.3
      spacewalk-base-4.2.21-3.6.3
      spacewalk-base-minimal-4.2.21-3.6.3
      spacewalk-base-minimal-config-4.2.21-3.6.3
      spacewalk-certs-tools-4.2.12-3.6.2
      spacewalk-client-tools-4.2.13-4.6.3
      spacewalk-html-4.2.21-3.6.3
      spacewalk-java-4.2.28-3.11.5
      spacewalk-java-config-4.2.28-3.11.5
      spacewalk-java-lib-4.2.28-3.11.5
      spacewalk-java-postgresql-4.2.28-3.11.5
      spacewalk-setup-4.2.8-3.6.1
      spacewalk-taskomatic-4.2.28-3.11.5
      spacewalk-utils-4.2.13-3.6.1
      spacewalk-utils-extras-4.2.13-3.6.1
      susemanager-build-keys-15.3.5-3.3.1
      susemanager-build-keys-web-15.3.5-3.3.1
      susemanager-doc-indexes-4.2-12.8.1
      susemanager-docs_en-4.2-12.8.1
      susemanager-docs_en-pdf-4.2-12.8.1
      susemanager-schema-4.2.17-3.6.2
      susemanager-sls-4.2.16-3.6.1
      susemanager-sync-data-4.2.8-3.6.1
      susemanager-web-libs-4.2.21-3.6.3
      uyuni-config-modules-4.2.16-3.6.1


References:

   https://www.suse.com/security/cve/CVE-2021-40323.html
   https://www.suse.com/security/cve/CVE-2021-40324.html
   https://www.suse.com/security/cve/CVE-2021-40325.html
   https://bugzilla.suse.com/1171483
   https://bugzilla.suse.com/1173143
   https://bugzilla.suse.com/1181223
   https://bugzilla.suse.com/1186281
   https://bugzilla.suse.com/1186339
   https://bugzilla.suse.com/1187335
   https://bugzilla.suse.com/1187549
   https://bugzilla.suse.com/1188032
   https://bugzilla.suse.com/1188042
   https://bugzilla.suse.com/1188136
   https://bugzilla.suse.com/1188163
   https://bugzilla.suse.com/1188193
   https://bugzilla.suse.com/1188260
   https://bugzilla.suse.com/1188393
   https://bugzilla.suse.com/1188400
   https://bugzilla.suse.com/1188503
   https://bugzilla.suse.com/1188505
   https://bugzilla.suse.com/1188551
   https://bugzilla.suse.com/1188641
   https://bugzilla.suse.com/1188647
   https://bugzilla.suse.com/1188656
   https://bugzilla.suse.com/1188853
   https://bugzilla.suse.com/1188855
   https://bugzilla.suse.com/1189011
   https://bugzilla.suse.com/1189040
   https://bugzilla.suse.com/1189167
   https://bugzilla.suse.com/1189419
   https://bugzilla.suse.com/1189458


