SUSE-SU-2021:3170-1: critical: Security update for SUSE Manager Server 4.2
sle-security-updates at lists.suse.com
Mon Sep 20 19:36:17 UTC 2021
SUSE Security Update: Security update for SUSE Manager Server 4.2
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:3170-1
Rating: critical
References: #1171483 #1173143 #1181223 #1186281 #1186339
#1187335 #1187549 #1188032 #1188042 #1188136
#1188163 #1188193 #1188260 #1188393 #1188400
#1188503 #1188505 #1188551 #1188641 #1188647
#1188656 #1188853 #1188855 #1189011 #1189040
#1189167 #1189419 #1189458
Cross-References: CVE-2021-40323 CVE-2021-40324 CVE-2021-40325
Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2
______________________________________________________________________________
An update that solves three vulnerabilities and has 25
fixes is now available.
Description:
This update fixes the following issues:
branch-network-formula:
- Use kernel parameters from PXE formula also for local boot
cobbler - security issues fixed:
- CVE-2021-40323: Fixed an arbitrary file disclosure/Template Injection
(bsc#1189458)
- CVE-2021-40324: Fixed an arbitrary file write (bsc#1189458)
- CVE-2021-40325: Fixed a problem with the token validation (bsc#1189458)
- Please note that with these changes, valid log data from Anamon (Red
Hat Autoinstallation Process) uploaded to Cobbler may be rejected:
cpu-mitigations-formula:
- Add SLES 15 SP3 and openSUSE Leap 15.3 to supported versions
openvpn-formula:
- Changed package to noarch.
prometheus-exporters-formula:
- Fix formula data migration with missing exporter configuration
(bsc#1188136)
py26-compat-salt:
- Fix error handling in openscap module (bsc#1188647)
- Define license macro as doc in spec file if not existing
py27-compat-salt:
- Add missing aarch64 to rpm package architectures
- Consolidate some state requisites (bsc#1188641)
- Fix failing unit test for systemd
- Fix error handling in openscap module (bsc#1188647)
- Better handling of bad public keys from minions (bsc#1189040)
- Define license macro as doc in spec file if not existing
saltboot-formula:
- Use kernel parameters from PXE formula also for local boot
spacecmd:
- Update translation strings
- Make schedule_deletearchived get all actions without display limit
- Allow passing a date limit for schedule_deletearchived on spacecmd
(bsc#1181223)
- Use correct API endpoint in list_proxies (bsc#1188042)
- Add schedule_deletearchived to bulk delete archived actions (bsc#1181223)
spacewalk-backend:
- Update translation strings
- Fix typo "verfication" instead of "verification"
spacewalk-certs-tools:
- Prepare the bootstrap script generator for Rocky Linux 8
spacewalk-client-tools:
- Update translation strings
spacewalk-java:
- Show AppStreams tab just for modular channels
- Fix Json null comparison in virtual network info parsing (bsc#1189167)
- Update translation strings
- 'AppStreams with defaults' filter template in CLM
- Add a link to OS image store dir in image list page
- Do not log XMLRPC fault exceptions as errors (bsc#1188853)
- XMLRPC: Add call for listing application monitoring endpoints
- AppStreams tab for modular channels
- Link to CLM filter creation from system details page
- Allow getting all archived actions via XMLRPC without display limit
(bsc#1181223)
- Fix NPE when no redhat info could be fetched
- Java enablement for Rocky Linux 8
- Delete ActionChains when the last action is a Reboot and it completes
(bsc#1188163)
- Properly handle virtual networks without defined bridge (bsc#1189167)
- Mark SSH minion actions when they're picked up (bsc#1188505)
- Add UEFI support for VM creation / editing
- Add virt-tuner templates to VM creation
- Fix cleanup always being executed on delete system (bsc#1189011)
- Warning in Overview page for SLE Micro system (bsc#1188551)
- Add support for Kiwi options
- Ensure XMLRPC returns 'issue_date' in ISO format when listing errata
(bsc#1188260)
- Fix NullPointerException in HardwareMapper.getUpdatedGuestMemory
- Fix entitlements not being updated during system transfer (bsc#1188032)
- Simplify the VM creation action in DB
- Get CPU data for AArch64
- Handle virtual machines running on pacemaker cluster
- Refresh virtual host pillar to clear the virtpoller beacon (bsc#1188393)
- Add Beijing timezone to selectable timezones (bsc#1188193)
- Fix updating primary net interface on hardware refresh (bsc#1188400)
- Fix issues when removing archived actions using XMLRPC api (bsc#1181223)
- Readable error when "mgr-sync add channel" is called with a non-existing
label (bsc#1173143)
spacewalk-setup:
- Enable logging for salt SSH
- Increase max size for uploaded files to Salt master
spacewalk-utils:
- Add Rocky Linux 8 repositories
spacewalk-web:
- Don't capitalize acronyms
- Update translation strings
- 'AppStreams with defaults' filter template in CLM
- Add a link to OS image store dir in image list page
- Link to CLM filter creation from system details page
- Expose UEFI parameters in the VM creation/editing pages
- Add virt-tuner templates to VM creation
- Fix cleanup always being executed on delete system (bsc#1189011)
- Add support for Kiwi options
- Fix virtualization guests to handle null HostInfo
- Compare lowercase CPU arch with libvirt domain capabilities
- Refresh JWT virtual console token before it expires
- Handle virtual machines running on pacemaker cluster
susemanager:
- Abort migration if data_directory is defined at the PostgreSQL
configuration file
- Update translation strings
- Add bootstrap repository definitions for Rocky Linux 8
susemanager-build-keys:
- Add Debian 11
- Add Rocky Linux 8
susemanager-doc-indexes:
- Added SUSE Linux Enterprise 15 Service Pack 3 to clients list
- Add information about pam service name limitations
- Add SUSE Linux Enterprise Micro to supported features table
- Add SUSE Linux Enterprise Micro client to support matrix page
- Replaced remaining occurrences of "Service Pack Migration" with "Product
Migration"
- Reworded the Advanced virtual guest management description for clarity
in Client Configuration Guide
- Added missing Rocky instructions to the Client Configuration Guide
- Updated setup section in the Installation Guide about troubleshooting
freely available products
- Added channel synchronization warning in the product migration chapter
of the Client Configuration Guide
- Removed Red Hat Enterprise Linux 6, SUSE Linux Enterprise Server
Expanded Support 6, Oracle Linux 6, CentOS 6, and Ubuntu 16.04 LTS as
supported client systems in the Client Configuration Guide (bsc#1188656)
- In the Prometheus chapter of the Administration Guide advise to store
data locally (bsc#1188855)
- Additional information added for Inter Server Sync v2 on limitations and
configuration
- Documented required SUSE Linux Enterprise Server version for the Ansible
control node in the Ansible Integration chapter of the Administration
Guide (bsc#1189419)
- Added information about installing Python 3.6 on CentOS, Oracle Linux,
AlmaLinux, SUSE Linux Enterprise Server with Expanded Support, and Red
Hat in the Client Configuration Guide (bsc#1187335)
- Corrected the package name for PAM authentication (bsc#1171483)
- Client Configuration Guide: reorganized navigation bar to list SUSE
Linux Enterprise Server, openSUSE and other clients in alphabetical
order for better user experience
- In the Ansible chapter of the Administration Guide mention that Ansible
is available on Proxy and Retail Branch Server
- Added a warning on Ansible hardware requirements to the Retail Guide
- Improved warning on overwriting images in public cloud in the Client
Configuration Guide
- Reference Guide: removed underscores in page titles and nav bar links.
- Provide more information about Salt SSH user configuration in the Salt
Guide (bsc#1187549)
- Documented KIWI options and profile selection in Administration Guide
- Added note about autoinstallation kernel options and Azure clients
- Added general information about SUSE Manager registration code that you
can obtain from a "SUSE Manager Lifecycle Management+" subscription
- Document new Salt SSH logs at the Client Configuration Guide,
Troubleshooting section
- In the monitoring chapter of the Administration Guide mention that
Prometheus is available on Proxy and Retail Branch Server
- Added warning on Prometheus hardware requirements in the Retail Guide
(bsc#1186339)
- Documented spacecmd installation on Ubuntu 18.04 and 20.04 in Client
Configuration Guide
- Amended Client Configuration Guide to exclude paragraphs that are Uyuni
specific for CentOS, AlmaLinux and Oracle clients
susemanager-docs_en:
- Added SUSE Linux Enterprise 15 Service Pack 3 to clients list
- Add information about pam service name limitations
- Add SUSE Linux Enterprise Micro to supported features table
- Add SUSE Linux Enterprise Micro client to support matrix page
- Replaced remaining occurrences of "Service Pack Migration" with "Product
Migration"
- Reworded the Advanced virtual guest management description for clarity
in Client Configuration Guide
- Added missing Rocky instructions to the Client Configuration Guide
- Updated setup section in the Installation Guide about troubleshooting
freely available products
- Added channel synchronization warning in the product migration chapter
of the Client Configuration Guide
- Removed Red Hat Enterprise Linux 6, SUSE Linux Enterprise Server
Expanded Support 6, Oracle Linux 6, CentOS 6, and Ubuntu 16.04 LTS as
supported client systems in the Client Configuration Guide (bsc#1188656)
- In the Prometheus chapter of the Administration Guide advise to store
data locally (bsc#1188855)
- Additional information added for Inter Server Sync v2 on limitations and
configuration
- Documented required SUSE Linux Enterprise Server version for the Ansible
control node in the Ansible Integration chapter of the Administration
Guide (bsc#1189419)
- Added information about installing Python 3.6 on CentOS, Oracle Linux,
AlmaLinux, SUSE Linux Enterprise Server with Expanded Support, and Red
Hat in the Client Configuration Guide (bsc#1187335)
- Corrected the package name for PAM authentication (bsc#1171483)
- Client Configuration Guide: reorganized navigation bar to list SUSE
Linux Enterprise Server, openSUSE and other clients in alphabetical
order for better user experience
- In the Ansible chapter of the Administration Guide mention that Ansible
is available on Proxy and Retail Branch Server
- Added a warning on Ansible hardware requirements to the Retail Guide
- Improved warning on overwriting images in public cloud in the Client
Configuration Guide
- Reference Guide: removed underscores in page titles and nav bar links.
- Provide more information about Salt SSH user configuration in the Salt
Guide (bsc#1187549)
- Documented KIWI options and profile selection in Administration Guide
- Added note about autoinstallation kernel options and Azure clients
- Added general information about SUSE Manager registration code that you
can obtain from a "SUSE Manager Lifecycle Management+" subscription
- Document new Salt SSH logs at the Client Configuration Guide,
Troubleshooting section
- In the monitoring chapter of the Administration Guide mention that
Prometheus is available on Proxy and Retail Branch Server
- Added warning on Prometheus hardware requirements in the Retail Guide
(bsc#1186339)
- Documented spacecmd installation on Ubuntu 18.04 and 20.04 in Client
Configuration Guide
- Amended Client Configuration Guide to exclude paragraphs that are Uyuni
specific for CentOS, AlmaLinux and Oracle clients
susemanager-schema:
- Add Rocky Linux 8 key and vendor
- Fix wrongly assigned entitlements due to system transfer (bsc#1188032)
- Force a one-off VACUUM ANALYZE
- Add Kiwi commandline options to Kiwi profile
- Upgrade scripts idempotency fixes
- Simplify the VM creation action in DB
- Handle virtual machines running on pacemaker cluster
- Refresh virtual host pillar to clear the virtpoller beacon (bsc#1188393)
- Add Beijing timezone to selectable timezones (bsc#1188193)
susemanager-sls:
- Add Rocky Linux 8 support
- Enable logrotate configuration for Salt SSH minion logs
- Add UEFI support for VM creation
- Add virt-tuner templates to VM creation
- Handle more ocfs2 setups in virt_utils module
- Add missing symlinks to generate the "certs" state for SLE Micro 5.0 and
openSUSE MicroOS minions (bsc#1188503)
- Add findutils to Kiwi bootstrap packages
- Remove systemid file on salt client cleanup
- Add support for Kiwi options
- Skip 'update-ca-certificates' run if the certs are updated automatically
- Use lscpu to provide more CPU grains for all architectures
- Fix deleting stopped virtual network (bsc#1186281)
- Handle virtual machines running on pacemaker cluster
susemanager-sync-data:
- Support Rocky Linux 8 x86_64
- Add channel family for MicroOS Z
- Set OES 2018 SP3 to released
How to apply this update:
1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-service start`
Patch Instructions:
To install this SUSE Security Update, use the SUSE recommended installation methods
such as YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2:
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2021-3170=1
Package List:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64):
inter-server-sync-0.0.5-8.3.2
inter-server-sync-debuginfo-0.0.5-8.3.2
susemanager-4.2.22-3.6.1
susemanager-tools-4.2.22-3.6.1
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):
branch-network-formula-0.1.1628156312.dbd0dec-3.3.1
cobbler-3.1.2-5.8.1
cpu-mitigations-formula-0.4.0-3.3.1
openvpn-formula-0.1.2-3.3.1
prometheus-exporters-formula-1.0.3-3.6.1
py26-compat-salt-2016.11.10-11.28.6.1
py27-compat-salt-3000.3-7.7.8.1
python3-spacewalk-certs-tools-4.2.12-3.6.2
python3-spacewalk-client-tools-4.2.13-4.6.3
saltboot-formula-0.1.1628156312.dbd0dec-3.3.1
spacecmd-4.2.12-4.6.2
spacewalk-backend-4.2.16-4.6.3
spacewalk-backend-app-4.2.16-4.6.3
spacewalk-backend-applet-4.2.16-4.6.3
spacewalk-backend-config-files-4.2.16-4.6.3
spacewalk-backend-config-files-common-4.2.16-4.6.3
spacewalk-backend-config-files-tool-4.2.16-4.6.3
spacewalk-backend-iss-4.2.16-4.6.3
spacewalk-backend-iss-export-4.2.16-4.6.3
spacewalk-backend-package-push-server-4.2.16-4.6.3
spacewalk-backend-server-4.2.16-4.6.3
spacewalk-backend-sql-4.2.16-4.6.3
spacewalk-backend-sql-postgresql-4.2.16-4.6.3
spacewalk-backend-tools-4.2.16-4.6.3
spacewalk-backend-xml-export-libs-4.2.16-4.6.3
spacewalk-backend-xmlrpc-4.2.16-4.6.3
spacewalk-base-4.2.21-3.6.3
spacewalk-base-minimal-4.2.21-3.6.3
spacewalk-base-minimal-config-4.2.21-3.6.3
spacewalk-certs-tools-4.2.12-3.6.2
spacewalk-client-tools-4.2.13-4.6.3
spacewalk-html-4.2.21-3.6.3
spacewalk-java-4.2.28-3.11.5
spacewalk-java-config-4.2.28-3.11.5
spacewalk-java-lib-4.2.28-3.11.5
spacewalk-java-postgresql-4.2.28-3.11.5
spacewalk-setup-4.2.8-3.6.1
spacewalk-taskomatic-4.2.28-3.11.5
spacewalk-utils-4.2.13-3.6.1
spacewalk-utils-extras-4.2.13-3.6.1
susemanager-build-keys-15.3.5-3.3.1
susemanager-build-keys-web-15.3.5-3.3.1
susemanager-doc-indexes-4.2-12.8.1
susemanager-docs_en-4.2-12.8.1
susemanager-docs_en-pdf-4.2-12.8.1
susemanager-schema-4.2.17-3.6.2
susemanager-sls-4.2.16-3.6.1
susemanager-sync-data-4.2.8-3.6.1
susemanager-web-libs-4.2.21-3.6.3
uyuni-config-modules-4.2.16-3.6.1
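After the apply procedure above has run, an administrator wants proof that every package from the list is at or above the fixed version on that server: `zypper patch` can skip a locked package or one held back by a stale repository, and the Cobbler fixes for the three CVEs only take effect once cobbler-3.1.2-5.8.1 is installed. The script below is an added example, not part of this advisory or of SUSE Manager. It re-implements rpm's version comparison in Python, reads an excerpt of the package list exactly as printed above, and takes the installed versions from constructed sample text that stands in for the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`; on a real server that command's output is the input. The `ADVISORY_PACKAGE_LIST`, `SAMPLE_INSTALLED` and `unrelated-tool` names are the example's own.

```python
"""Compare installed NAME-VERSION-RELEASE strings with a SUSE advisory's
package list and report packages still below the fixed version.

Added example, not from the advisory or SUSE Manager. Assumes the
installed list was produced with
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
so lines have the same shape as the advisory. Epochs appear in neither
list and are ignored; rpm's '^' separator is not handled.
"""
import re
from typing import Dict, Tuple

# Excerpt of the advisory's package list, copied as printed above.
ADVISORY_PACKAGE_LIST = """
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64):
susemanager-4.2.22-3.6.1
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):
cobbler-3.1.2-5.8.1
py27-compat-salt-3000.3-7.7.8.1
spacewalk-java-4.2.28-3.11.5
spacewalk-java-lib-4.2.28-3.11.5
"""

# Constructed sample (not real output) of a partially updated server:
# cobbler and spacewalk-java-lib are still at older builds.
SAMPLE_INSTALLED = """
cobbler-3.1.2-5.5.1
py27-compat-salt-3000.3-7.7.8.1
spacewalk-java-4.2.28-3.11.5
spacewalk-java-lib-4.2.27-3.10.2
susemanager-4.2.22-3.6.1
unrelated-tool-1.0-1.1
"""

_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """rpm-style comparison of two version or release strings: digit runs
    compare numerically, letter runs lexically, digits beat letters, the
    string with segments left over is newer, and '~' sorts before anything
    including the end of the string. Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """'spacewalk-java-lib-4.2.28-3.11.5' -> ('spacewalk-java-lib', '4.2.28', '3.11.5')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_vr(a: Tuple[str, str], b: Tuple[str, str]) -> int:
    """Compare (version, release) pairs: version first, release on a tie."""
    c = rpmvercmp(a[0], b[0])
    return c if c else rpmvercmp(a[1], b[1])


def parse_package_list(text: str) -> Dict[str, Tuple[str, str]]:
    """Map name -> (version, release); skips blank lines and the advisory's
    '- <product> (<arch>):' headers."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-") or line.endswith(":"):
            continue
        name, version, release = split_nvr(line)
        packages[name] = (version, release)
    return packages


def outdated_packages(installed: str, advisory: str) -> Dict[str, Tuple[str, str]]:
    """{name: (installed_vr, fixed_vr)} for installed packages older than the
    advisory's build. Packages not in the advisory, and advisory packages not
    installed on this server, are ignored."""
    fixed = parse_package_list(advisory)
    result = {}
    for name, vr in parse_package_list(installed).items():
        if name in fixed and compare_vr(vr, fixed[name]) < 0:
            result[name] = ("-".join(vr), "-".join(fixed[name]))
    return result


def check_sample() -> Dict[str, Tuple[str, str]]:
    return outdated_packages(SAMPLE_INSTALLED, ADVISORY_PACKAGE_LIST)


if __name__ == "__main__":
    for name, (have, need) in sorted(check_sample().items()):
        print(f"{name}: installed {have}, advisory requires {need}")
```

On the constructed sample the check flags cobbler and spacewalk-java-lib and stays silent on the packages that already match; a clean run after the update prints nothing. Because `rpm -qa` on a SUSE Manager server also lists packages this advisory does not touch, the check deliberately ignores names absent from the advisory rather than treating them as failures.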
References:
https://www.suse.com/security/cve/CVE-2021-40323.html
https://www.suse.com/security/cve/CVE-2021-40324.html
https://www.suse.com/security/cve/CVE-2021-40325.html
https://bugzilla.suse.com/1171483
https://bugzilla.suse.com/1173143
https://bugzilla.suse.com/1181223
https://bugzilla.suse.com/1186281
https://bugzilla.suse.com/1186339
https://bugzilla.suse.com/1187335
https://bugzilla.suse.com/1187549
https://bugzilla.suse.com/1188032
https://bugzilla.suse.com/1188042
https://bugzilla.suse.com/1188136
https://bugzilla.suse.com/1188163
https://bugzilla.suse.com/1188193
https://bugzilla.suse.com/1188260
https://bugzilla.suse.com/1188393
https://bugzilla.suse.com/1188400
https://bugzilla.suse.com/1188503
https://bugzilla.suse.com/1188505
https://bugzilla.suse.com/1188551
https://bugzilla.suse.com/1188641
https://bugzilla.suse.com/1188647
https://bugzilla.suse.com/1188656
https://bugzilla.suse.com/1188853
https://bugzilla.suse.com/1188855
https://bugzilla.suse.com/1189011
https://bugzilla.suse.com/1189040
https://bugzilla.suse.com/1189167
https://bugzilla.suse.com/1189419
https://bugzilla.suse.com/1189458