SUSE-SU-2022:2144-1: important: Security update for SUSE Manager Server 4.2

sle-security-updates at lists.suse.com
Tue Jun 21 10:22:08 UTC 2022


   SUSE Security Update: Security update for SUSE Manager Server 4.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:2144-1
Rating:             important
References:         #1187333 #1191143 #1192550 #1193707 #1194594 
                    #1195710 #1196702 #1197400 #1197438 #1197449 
                    #1197488 #1197591 #1197689 #1198221 #1199089 
                    #1199142 #1199149 #1199512 #1199629 #1200212 
                    #1200606 
Cross-References:   CVE-2021-44906 CVE-2022-21952 CVE-2022-31248
                   
CVSS scores:
                    CVE-2021-44906 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-44906 (SUSE): 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
                    CVE-2022-31248 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.2
                    SUSE Manager Server 4.2
______________________________________________________________________________

   An update that solves three vulnerabilities and has 18
   fixes is now available.

Description:


   This update fixes the following issues:

   inter-server-sync:

   - version 0.2.2
     * Parameter --channel-with-children didn't export data (bsc#1199089)
     * Clean rhnchannelcloned table to rebuild hierarchy (bsc#1197400)
   - Version 0.2.1
     * Correct sequence in use for table rhnpackagekey (bsc#1197400)
     * Make Docker image export compatible with SUSE Manager 4.2
   - Version 0.2.0
     * Allow images export and import (os based and Docker)

   prometheus-formula:

   - Version 0.6.2
     * Allow prometheus-formula only for SUSE systems (bsc#1199149)

   salt-netapi-client:

   - Improve the hotfix for bsc#1192550 (bsc#1197449):

   smdba:

   - Don't package egg-info file for Enterprise Linux.

   spacecmd:

   - Version 4.2.17-1
     * parse boolean parameters correctly (bsc#1197689)

   spacewalk-backend:

   - version 4.2.22-1
     * Do not raise error on file:// based DEB repo when looking for
       alternative Release files (bsc#1199142)
   - Version 4.2.21-1
     * Improve parsing deb packages dependencies (bsc#1194594)

   spacewalk-certs-tools:

   - Version 4.2.16-1
     * Add Salt Bundle support to bootstrap script generator

   spacewalk-java:

   - version 4.2.38-1
     * Remove unused gson-extras.jar during build
   - version 4.2.37-1
     * CVE-2022-31248: User enumeration via weak error message. (bsc#1199629)
   - version 4.2.36-1
     * CVE-2022-21952: Unauthenticated remote Denial of Service via resource
       exhaustion. (bsc#1199512)
   - Version 4.2.35-1
     * faster display installable packages list (bsc#1187333)
     * Pass ssh_salt_pre_flight_script and ssh_use_salt_thin parameters to
       the generated roster files to enable optional Salt Bundle support with
       Salt SSH
     * Fix reboot time on salt-ssh client (bsc#1197591)
     * detect free products in Alpha and Beta stage and prevent checks
       on openSUSE products (bsc#1197488)
     * Allow monitoring entitlement for debian 11 and 10
     * Hide private methods in XMLRPC handlers
     * Warning log when hardware refresh result is not serializable
     * Optimize adding new products function (bsc#1193707)

   spacewalk-utils:

   - Version 4.2.16-1
     * Add Debian 11 repositories

   spacewalk-web:

   - Version 4.2.27-1
     * increase web page default timeout (bsc#1187333)
     * Add ssh_salt_pre_flight_script and ssh_use_salt_thin parameters to
       default rhn_web.conf
     * Upgrade minimist to fix CVE-2021-44906
     * susemanager-nodejs-sdk-devel is now provided by spacewalk-web
     * Resolve race conditions in CLM (bsc#1195710)

   susemanager:

   - version 4.2.32-1
     * Add python3-contextvars and python3-immutables to missing bootstrap
       repos (bsc#1200606)
   - version 4.2.31-1
     * Add python3-gnupg to bootstrap repo definition for Ubuntu 20.04
       (bsc#1200212)
   - version 4.2.30-1
     * Fix a syntax problem at the bootstrap repository definitions
   - Version 4.2.29-1
     * Add Salt Bundle support to mgr-create-bootstrap-repo
     * Enable bootstrapping for Debian 11
     * fix SLE15 bootstrap repo definition (bsc#1197438)
     * Add SLES15SP4 and SUMA Proxy 4.3 to bootstrap repo definitions
       (bsc#1196702)
     * Add missing dependencies for Salt 3004 into bootstrap repository for
       SLE15 family (bsc#1198221)

   susemanager-doc-indexes:

   - Updated Salt version for Server and Proxy to 3004
   - Added details to Client Configuration Guide on using Salt Bundle as
     optional
   - Updated saltversion attribute from 3002 to 3004
   - In the Administration Guide, documented that monitoring tools are
     available in SUSE Linux Enterprise 12 and 15 and openSUSE Leap 15, but
     Grafana is not available on Proxy (bsc#1191143)
   - Documented Autoyast installation features in Autoyast section of the
     Client Configuration Guide
   - In Client Configuration Guide document Debian 11 as a supported OS as a
     client
   - In Client Configuration Guide, clarified client upgrade issues
   - In Client Configuration Guide, added information about registration
     of version 12 of SUSE Linux Enterprise clients
   - In Client Configuration Guide, mark the applying patches features as
     supported on Ubuntu
   - SLE Micro in Client Configuration Guide: Update version number from 5.0
     to 5.1, and warn about Salt installation.

   susemanager-docs_en:

   - Updated Salt version for Server and Proxy to 3004
   - Added details to Client Configuration Guide on using Salt Bundle as
     optional
   - In the Administration Guide, documented that monitoring tools are
     available in SUSE Linux Enterprise 12 and 15 and openSUSE Leap 15, but
     Grafana is not available on Proxy (bsc#1191143)
   - Documented Autoyast installation features in Autoyast section of the
     Client Configuration Guide
   - In Client Configuration Guide document Debian 11 as a supported OS as a
     client
   - In Client Configuration Guide, clarified client upgrade issues
   - In Client Configuration Guide, added information about registration
     of version 12 of SUSE Linux Enterprise clients
   - In Client Configuration Guide, mark the applying patches features as
     supported on Ubuntu
   - SLE Micro in Client Configuration Guide: Update version number from 5.0
     to 5.1, and warn about Salt installation.

   susemanager-schema:

   - Version 4.2.22-1
     * Add schema directory for susemanager-schema-4.2.21

   susemanager-sls:

   - version 4.2.23-1
     * Fix bootstrap repository URL resolution for Yum based clients with
       preflight script for Salt SSH
   - Version 4.2.22-1
     * Add Salt Bundle support on bootstrapping
     * Add Salt SSH with Salt Bundle support
     * Add util.mgr_switch_to_venv_minion state to switch salt minions to use
       the Salt Bundle
     * Fix bootstrap repository path resolution for Oracle Linux
     * Handle salt bundle in set_proxy.sls

   susemanager-sync-data:

   - Version 4.2.12-1
     * change release status of EL 7 and 8 aarch64 to released
     * change release status of Rocky Linux 8 x86_64 to released
     * add Debian 11 amd64

   supportutils-plugin-salt:

   - Update to version 1.2.0
     * Add support for Salt Bundle

   virtual-host-gatherer:

   - Version 1.0.23-1
     * reformat the first 3 groups of the UUID for hardware versions >=13 in
       VMware environment.
     * Fix shebangs to use python3
     * Implement libvirt module

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service: `spacewalk-service stop`
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service: `spacewalk-service start`


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-2144=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64):

      inter-server-sync-0.2.2-150300.8.17.1
      inter-server-sync-debuginfo-0.2.2-150300.8.17.1
      smdba-1.7.10-0.150300.3.6.1
      susemanager-4.2.32-150300.3.31.1
      susemanager-tools-4.2.32-150300.3.31.1

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):

      prometheus-formula-0.6.2-150300.3.14.1
      python3-spacewalk-certs-tools-4.2.16-150300.3.18.3
      salt-netapi-client-0.19.0-150300.3.6.1
      spacecmd-4.2.17-150300.4.21.4
      spacewalk-backend-4.2.22-150300.4.23.1
      spacewalk-backend-app-4.2.22-150300.4.23.1
      spacewalk-backend-applet-4.2.22-150300.4.23.1
      spacewalk-backend-config-files-4.2.22-150300.4.23.1
      spacewalk-backend-config-files-common-4.2.22-150300.4.23.1
      spacewalk-backend-config-files-tool-4.2.22-150300.4.23.1
      spacewalk-backend-iss-4.2.22-150300.4.23.1
      spacewalk-backend-iss-export-4.2.22-150300.4.23.1
      spacewalk-backend-package-push-server-4.2.22-150300.4.23.1
      spacewalk-backend-server-4.2.22-150300.4.23.1
      spacewalk-backend-sql-4.2.22-150300.4.23.1
      spacewalk-backend-sql-postgresql-4.2.22-150300.4.23.1
      spacewalk-backend-tools-4.2.22-150300.4.23.1
      spacewalk-backend-xml-export-libs-4.2.22-150300.4.23.1
      spacewalk-backend-xmlrpc-4.2.22-150300.4.23.1
      spacewalk-base-4.2.27-150300.3.21.7
      spacewalk-base-minimal-4.2.27-150300.3.21.7
      spacewalk-base-minimal-config-4.2.27-150300.3.21.7
      spacewalk-certs-tools-4.2.16-150300.3.18.3
      spacewalk-html-4.2.27-150300.3.21.7
      spacewalk-java-4.2.38-150300.3.35.1
      spacewalk-java-config-4.2.38-150300.3.35.1
      spacewalk-java-lib-4.2.38-150300.3.35.1
      spacewalk-java-postgresql-4.2.38-150300.3.35.1
      spacewalk-taskomatic-4.2.38-150300.3.35.1
      spacewalk-utils-4.2.16-150300.3.15.5
      spacewalk-utils-extras-4.2.16-150300.3.15.5
      supportutils-plugin-salt-1.2.0-150300.3.3.1
      susemanager-doc-indexes-4.2-150300.12.27.6
      susemanager-docs_en-4.2-150300.12.27.1
      susemanager-docs_en-pdf-4.2-150300.12.27.1
      susemanager-schema-4.2.22-150300.3.21.6
      susemanager-sls-4.2.23-150300.3.25.4
      susemanager-sync-data-4.2.12-150300.3.18.3
      uyuni-config-modules-4.2.23-150300.3.25.4
      virtual-host-gatherer-1.0.23-150300.3.3.1
      virtual-host-gatherer-Kubernetes-1.0.23-150300.3.3.1
      virtual-host-gatherer-Nutanix-1.0.23-150300.3.3.1
      virtual-host-gatherer-VMware-1.0.23-150300.3.3.1
      virtual-host-gatherer-libcloud-1.0.23-150300.3.3.1


References:

   https://www.suse.com/security/cve/CVE-2021-44906.html
   https://www.suse.com/security/cve/CVE-2022-21952.html
   https://www.suse.com/security/cve/CVE-2022-31248.html
   https://bugzilla.suse.com/1187333
   https://bugzilla.suse.com/1191143
   https://bugzilla.suse.com/1192550
   https://bugzilla.suse.com/1193707
   https://bugzilla.suse.com/1194594
   https://bugzilla.suse.com/1195710
   https://bugzilla.suse.com/1196702
   https://bugzilla.suse.com/1197400
   https://bugzilla.suse.com/1197438
   https://bugzilla.suse.com/1197449
   https://bugzilla.suse.com/1197488
   https://bugzilla.suse.com/1197591
   https://bugzilla.suse.com/1197689
   https://bugzilla.suse.com/1198221
   https://bugzilla.suse.com/1199089
   https://bugzilla.suse.com/1199142
   https://bugzilla.suse.com/1199149
   https://bugzilla.suse.com/1199512
   https://bugzilla.suse.com/1199629
   https://bugzilla.suse.com/1200212
   https://bugzilla.suse.com/1200606


