SUSE-SU-2022:3878-1: critical: Security update for SUSE Manager Server 4.2
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Fri Nov 4 17:30:59 UTC 2022
SUSE Security Update: Security update for SUSE Manager Server 4.2
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:3878-1
Rating: critical
References: #1195624 #1197724 #1199726 #1200596 #1201059
#1201788 #1202167 #1202729 #1202785 #1203283
#1203406 #1203422 #1203564 #1203599 #1203611
#1203898 #1204146 #1204203 #1204543 #1204716
#1204741
Cross-References: CVE-2022-31255 CVE-2022-43753 CVE-2022-43754
CVSS scores:
CVE-2022-43753 (SUSE): 5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CVE-2022-43754 (SUSE): 3 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N
Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2
SUSE Manager Server 4.2
______________________________________________________________________________
An update that solves three vulnerabilities and has 18
fixes is now available.
Description:
This update fixes the following issues:
hub-xmlrpc-api:
- Use golang(API) = 1.18 for building on SUSE (bsc#1203599) This source
fails to build with the current go1.19 on SUSE and we need to use go1.18
instead.
inter-server-sync:
- Version 0.2.4
* Improve memory usage and log information #17193
* Conditional insert check for FK reference exists (bsc#1202785)
* Correct navigation path for table rhnerratafilechannel (bsc#1202785)
locale-formula:
- Update to version 0.3
* Remove .map.gz from kb_map dictionary (bsc#1203406)
py27-compat-salt:
- Fix state.apply in test mode with file state module
on user/group checking (bsc#1202167)
- Make zypperpkg to retry if RPM lock is temporarily unavailable
(bsc#1200596)
python-urlgrabber:
- Fix wrong logic on find_proxy method causing proxy not being used
(bsc#1201788)
spacecmd:
- Version 4.2.20-1
* Remove "Undefined return code" from debug messages (bsc#1203283)
spacewalk-backend:
- Version 4.2.25-1
* Enhance passwords cleanup and add extra files in spacewalk-debug
(bsc#1201059)
* Prevent mixing credentials for proxy and repository server while using
basic authentication and avoid hiding errors i.e. timeouts while
having proxy settings issues with extra logging in verbose mode
(bsc#1201788)
spacewalk-client-tools:
- Version 4.2.21-1
* Update translation strings
spacewalk-java:
- Version 4.2.43-1
* CVE-2022-31255: Fix directory path traversal vulnerability
(bsc#1204543)
* CVE-2022-43754: Fix reflected cross site scripting vulnerability
(bsc#1204741)
* CVE-2022-43753: Fix arbitrary file disclosure vulnerability
(bsc#1204716)
- Version 4.2.42-1
* Properly pass allow vendor change to salt state (bsc#1204203)
* add ongres requirements to spec file (bsc#1203898)
* Refresh pillar data (bsc#1197724)
* Fix hardware update where there is no DNS FQDN changes (bsc#1203611)
* Use mgrnet.dns_fqdns module to improve FQDN detection (bsc#1199726)
* Support Pay-as-you-go new CA location for SLES15SP4 and higher
(bsc#1202729)
* Detect the clients running on Amazon EC2 (bsc#1195624)
spacewalk-utils:
- Version 4.2.18-1
* Make spacewalk-hostname-rename working with settings.yaml cobbler
config file (bsc#1203564)
spacewalk-web:
- Version 4.2.30-1
* Upgrade moment-timezone
susemanager:
- Version 4.2.38-1
* add venv-salt-minion to bootstrap repo (bsc#1204146)
susemanager-doc-indexes:
- Documented that only SUSE clients are supported as monitoring servers in
the Administration Guide
- Fixed description of default notification settings (bsc#1203422)
- Added missing Debian 11 references
- Removed references to Debian 9, as it is EoL, and therefore unsupported
by SUSE Manager
- Document Helm deployment of the proxy on k3s and MetalLB in Installation
and Upgrade Guide
- Added secure mail communication settings in Administration Guide
- Fixed the incorrect path to state and pillar files in Salt Guide
- Documented how pxeboot works with Secure Boot enabled in Client
Configuration Guide
- Added SLE Micro 5.2 and 5.3 as available as a technology preview in the
Client Configuration Guide, and the IBM Z architecture for 5.1, 5.2, and
5.3
susemanager-docs_en:
- Documented that only SUSE clients are supported as monitoring servers in
the Administration Guide
- Fixed description of default notification settings (bsc#1203422)
- Added missing Debian 11 references
- Removed references to Debian 9, as it is EoL, and therefore unsupported
by SUSE Manager
- Document Helm deployment of the proxy on k3s and MetalLB in Installation
and Upgrade Guide
- Added secure mail communication settings in Administration Guide
- Fixed the incorrect path to state and pillar files in Salt Guide
- Documented how pxeboot works with Secure Boot enabled in Client
Configuration Guide
- Added SLE Micro 5.2 and 5.3 as available as a technology preview in the
Client Configuration Guide, and the IBM Z architecture for 5.1, 5.2, and
5.3
susemanager-schema:
- Version 4.2.25-1
* Add subtypes for Amazon EC2 virtual instances (bsc#1195624)
susemanager-sls:
- Version 4.2.28-1
* Fix mgrnet availability check
* Remove dependence on Kiwi libraries
* Use mgrnet.dns_fqdns module to improve FQDN detection (bsc#1199726)
* Add mgrnet salt module with mgrnet.dns_fqnd function implementation
allowing to get all possible FQDNs from DNS (bsc#1199726)
How to apply this update:
1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk
service: `spacewalk-service stop` 3. Apply the patch using either zypper
patch or YaST Online Update. 4. Start the Spacewalk service:
`spacewalk-service start`
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2:
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-3878=1
Package List:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64):
hub-xmlrpc-api-0.7-150300.3.9.2
inter-server-sync-0.2.4-150300.8.25.2
inter-server-sync-debuginfo-0.2.4-150300.8.25.2
susemanager-4.2.38-150300.3.44.3
susemanager-tools-4.2.38-150300.3.44.3
- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):
locale-formula-0.3-150300.3.3.2
py27-compat-salt-3000.3-150300.7.7.26.2
python3-spacewalk-client-tools-4.2.21-150300.4.27.3
python3-urlgrabber-3.10.2.1py2_3-150300.3.3.2
spacecmd-4.2.20-150300.4.30.2
spacewalk-backend-4.2.25-150300.4.32.4
spacewalk-backend-app-4.2.25-150300.4.32.4
spacewalk-backend-applet-4.2.25-150300.4.32.4
spacewalk-backend-config-files-4.2.25-150300.4.32.4
spacewalk-backend-config-files-common-4.2.25-150300.4.32.4
spacewalk-backend-config-files-tool-4.2.25-150300.4.32.4
spacewalk-backend-iss-4.2.25-150300.4.32.4
spacewalk-backend-iss-export-4.2.25-150300.4.32.4
spacewalk-backend-package-push-server-4.2.25-150300.4.32.4
spacewalk-backend-server-4.2.25-150300.4.32.4
spacewalk-backend-sql-4.2.25-150300.4.32.4
spacewalk-backend-sql-postgresql-4.2.25-150300.4.32.4
spacewalk-backend-tools-4.2.25-150300.4.32.4
spacewalk-backend-xml-export-libs-4.2.25-150300.4.32.4
spacewalk-backend-xmlrpc-4.2.25-150300.4.32.4
spacewalk-base-4.2.30-150300.3.30.3
spacewalk-base-minimal-4.2.30-150300.3.30.3
spacewalk-base-minimal-config-4.2.30-150300.3.30.3
spacewalk-client-tools-4.2.21-150300.4.27.3
spacewalk-html-4.2.30-150300.3.30.3
spacewalk-java-4.2.43-150300.3.48.2
spacewalk-java-config-4.2.43-150300.3.48.2
spacewalk-java-lib-4.2.43-150300.3.48.2
spacewalk-java-postgresql-4.2.43-150300.3.48.2
spacewalk-taskomatic-4.2.43-150300.3.48.2
spacewalk-utils-4.2.18-150300.3.21.2
spacewalk-utils-extras-4.2.18-150300.3.21.2
susemanager-doc-indexes-4.2-150300.12.36.3
susemanager-docs_en-4.2-150300.12.36.2
susemanager-docs_en-pdf-4.2-150300.12.36.2
susemanager-schema-4.2.25-150300.3.30.3
susemanager-sls-4.2.28-150300.3.36.2
uyuni-config-modules-4.2.28-150300.3.36.2
References:
https://www.suse.com/security/cve/CVE-2022-31255.html
https://www.suse.com/security/cve/CVE-2022-43753.html
https://www.suse.com/security/cve/CVE-2022-43754.html
https://bugzilla.suse.com/1195624
https://bugzilla.suse.com/1197724
https://bugzilla.suse.com/1199726
https://bugzilla.suse.com/1200596
https://bugzilla.suse.com/1201059
https://bugzilla.suse.com/1201788
https://bugzilla.suse.com/1202167
https://bugzilla.suse.com/1202729
https://bugzilla.suse.com/1202785
https://bugzilla.suse.com/1203283
https://bugzilla.suse.com/1203406
https://bugzilla.suse.com/1203422
https://bugzilla.suse.com/1203564
https://bugzilla.suse.com/1203599
https://bugzilla.suse.com/1203611
https://bugzilla.suse.com/1203898
https://bugzilla.suse.com/1204146
https://bugzilla.suse.com/1204203
https://bugzilla.suse.com/1204543
https://bugzilla.suse.com/1204716
https://bugzilla.suse.com/1204741
More information about the sle-security-updates
mailing list