SUSE-SU-2022:3878-1: critical: Security update for SUSE Manager Server 4.2

Fri Nov 4 17:30:59 UTC 2022

   SUSE Security Update: Security update for SUSE Manager Server 4.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:3878-1
Rating:             critical
References:         #1195624 #1197724 #1199726 #1200596 #1201059 
                    #1201788 #1202167 #1202729 #1202785 #1203283 
                    #1203406 #1203422 #1203564 #1203599 #1203611 
                    #1203898 #1204146 #1204203 #1204543 #1204716 
                    #1204741 
Cross-References:   CVE-2022-31255 CVE-2022-43753 CVE-2022-43754

CVSS scores:
                    CVE-2022-43753 (SUSE): 5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
                    CVE-2022-43754 (SUSE): 3 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.2
                    SUSE Manager Server 4.2
______________________________________________________________________________

   An update that solves three vulnerabilities and has 18
   fixes is now available.

Description:

   This update fixes the following issues:

   hub-xmlrpc-api:

   - Use golang(API) = 1.18 for building on SUSE (bsc#1203599) This source
     fails to build with the current go1.19 on SUSE and we need to use go1.18
     instead.

   inter-server-sync:

   - Version 0.2.4
     * Improve memory usage and log information #17193
     * Conditional insert check for FK reference exists (bsc#1202785)
     * Correct navigation path for table rhnerratafilechannel (bsc#1202785)

   locale-formula:

   - Update to version 0.3
     * Remove .map.gz from kb_map dictionary (bsc#1203406)

   py27-compat-salt:

   - Fix state.apply in test mode with file state module
     on user/group checking (bsc#1202167)
   - Make zypperpkg to retry if RPM lock is temporarily unavailable
     (bsc#1200596)

   python-urlgrabber:

   - Fix wrong logic on find_proxy method causing proxy not being used
     (bsc#1201788)

   spacecmd:

   - Version 4.2.20-1
     * Remove "Undefined return code" from debug messages (bsc#1203283)

   spacewalk-backend:

   - Version 4.2.25-1
     * Enhance passwords cleanup and add extra files in spacewalk-debug
       (bsc#1201059)
     * Prevent mixing credentials for proxy and repository server while using
       basic authentication and avoid hiding errors i.e. timeouts while
       having proxy settings issues with extra logging in verbose mode
       (bsc#1201788)

   spacewalk-client-tools:

   - Version 4.2.21-1
     * Update translation strings

   spacewalk-java:

   - Version 4.2.43-1
     * CVE-2022-31255: Fix directory path traversal vulnerability
       (bsc#1204543)
     * CVE-2022-43754: Fix reflected cross site scripting vulnerability
       (bsc#1204741)
     * CVE-2022-43753: Fix arbitrary file disclosure vulnerability
       (bsc#1204716)
   - Version 4.2.42-1
     * Properly pass allow vendor change to salt state (bsc#1204203)
     * add ongres requirements to spec file (bsc#1203898)
     * Refresh pillar data (bsc#1197724)
     * Fix hardware update where there is no DNS FQDN changes (bsc#1203611)
     * Use mgrnet.dns_fqdns module to improve FQDN detection (bsc#1199726)
     * Support Pay-as-you-go new CA location for SLES15SP4 and higher
       (bsc#1202729)
     * Detect the clients running on Amazon EC2 (bsc#1195624)

   spacewalk-utils:

   - Version 4.2.18-1
     * Make spacewalk-hostname-rename working with settings.yaml cobbler
       config file (bsc#1203564)

   spacewalk-web:

   - Version 4.2.30-1
     * Upgrade moment-timezone

   susemanager:

   - Version 4.2.38-1
     * add venv-salt-minion to bootstrap repo (bsc#1204146)

   susemanager-doc-indexes:

   - Documented that only SUSE clients are supported as monitoring servers in
     the Administration Guide
   - Fixed description of default notification settings (bsc#1203422)
   - Added missing Debian 11 references
   - Removed references to Debian 9, as it is EoL, and therefore unsupported
     by SUSE Manager
   - Document Helm deployment of the proxy on k3s and MetalLB in Installation
     and Upgrade Guide
   - Added secure mail communication settings in Administration Guide
   - Fixed the incorrect path to state and pillar files in Salt Guide
   - Documented how pxeboot works with Secure Boot enabled in Client
     Configuration Guide
   - Added SLE Micro 5.2 and 5.3 as available as a technology preview in the
     Client Configuration Guide, and the IBM Z architecture for 5.1, 5.2, and
     5.3

   susemanager-docs_en:

   - Documented that only SUSE clients are supported as monitoring servers in
     the Administration Guide
   - Fixed description of default notification settings (bsc#1203422)
   - Added missing Debian 11 references
   - Removed references to Debian 9, as it is EoL, and therefore unsupported
     by SUSE Manager
   - Document Helm deployment of the proxy on k3s and MetalLB in Installation
     and Upgrade Guide
   - Added secure mail communication settings in Administration Guide
   - Fixed the incorrect path to state and pillar files in Salt Guide
   - Documented how pxeboot works with Secure Boot enabled in Client
     Configuration Guide
   - Added SLE Micro 5.2 and 5.3 as available as a technology preview in the
     Client Configuration Guide, and the IBM Z architecture for 5.1, 5.2, and
     5.3

   susemanager-schema:

   - Version 4.2.25-1
     * Add subtypes for Amazon EC2 virtual instances (bsc#1195624)

   susemanager-sls:

   - Version 4.2.28-1
     * Fix mgrnet availability check
     * Remove dependence on Kiwi libraries
     * Use mgrnet.dns_fqdns module to improve FQDN detection (bsc#1199726)
     * Add mgrnet salt module with mgrnet.dns_fqnd function implementation
       allowing to get all possible FQDNs from DNS (bsc#1199726)

   How to apply this update:

   1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk
   service: `spacewalk-service stop` 3. Apply the patch using either zypper
   patch or YaST Online Update. 4. Start the Spacewalk service:
   `spacewalk-service start`

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-3878=1

Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64):

      hub-xmlrpc-api-0.7-150300.3.9.2
      inter-server-sync-0.2.4-150300.8.25.2
      inter-server-sync-debuginfo-0.2.4-150300.8.25.2
      susemanager-4.2.38-150300.3.44.3
      susemanager-tools-4.2.38-150300.3.44.3

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):

      locale-formula-0.3-150300.3.3.2
      py27-compat-salt-3000.3-150300.7.7.26.2
      python3-spacewalk-client-tools-4.2.21-150300.4.27.3
      python3-urlgrabber-3.10.2.1py2_3-150300.3.3.2
      spacecmd-4.2.20-150300.4.30.2
      spacewalk-backend-4.2.25-150300.4.32.4
      spacewalk-backend-app-4.2.25-150300.4.32.4
      spacewalk-backend-applet-4.2.25-150300.4.32.4
      spacewalk-backend-config-files-4.2.25-150300.4.32.4
      spacewalk-backend-config-files-common-4.2.25-150300.4.32.4
      spacewalk-backend-config-files-tool-4.2.25-150300.4.32.4
      spacewalk-backend-iss-4.2.25-150300.4.32.4
      spacewalk-backend-iss-export-4.2.25-150300.4.32.4
      spacewalk-backend-package-push-server-4.2.25-150300.4.32.4
      spacewalk-backend-server-4.2.25-150300.4.32.4
      spacewalk-backend-sql-4.2.25-150300.4.32.4
      spacewalk-backend-sql-postgresql-4.2.25-150300.4.32.4
      spacewalk-backend-tools-4.2.25-150300.4.32.4
      spacewalk-backend-xml-export-libs-4.2.25-150300.4.32.4
      spacewalk-backend-xmlrpc-4.2.25-150300.4.32.4
      spacewalk-base-4.2.30-150300.3.30.3
      spacewalk-base-minimal-4.2.30-150300.3.30.3
      spacewalk-base-minimal-config-4.2.30-150300.3.30.3
      spacewalk-client-tools-4.2.21-150300.4.27.3
      spacewalk-html-4.2.30-150300.3.30.3
      spacewalk-java-4.2.43-150300.3.48.2
      spacewalk-java-config-4.2.43-150300.3.48.2
      spacewalk-java-lib-4.2.43-150300.3.48.2
      spacewalk-java-postgresql-4.2.43-150300.3.48.2
      spacewalk-taskomatic-4.2.43-150300.3.48.2
      spacewalk-utils-4.2.18-150300.3.21.2
      spacewalk-utils-extras-4.2.18-150300.3.21.2
      susemanager-doc-indexes-4.2-150300.12.36.3
      susemanager-docs_en-4.2-150300.12.36.2
      susemanager-docs_en-pdf-4.2-150300.12.36.2
      susemanager-schema-4.2.25-150300.3.30.3
      susemanager-sls-4.2.28-150300.3.36.2
      uyuni-config-modules-4.2.28-150300.3.36.2

References:

   https://www.suse.com/security/cve/CVE-2022-31255.html
   https://www.suse.com/security/cve/CVE-2022-43753.html
   https://www.suse.com/security/cve/CVE-2022-43754.html
   https://bugzilla.suse.com/1195624
   https://bugzilla.suse.com/1197724
   https://bugzilla.suse.com/1199726
   https://bugzilla.suse.com/1200596
   https://bugzilla.suse.com/1201059
   https://bugzilla.suse.com/1201788
   https://bugzilla.suse.com/1202167
   https://bugzilla.suse.com/1202729
   https://bugzilla.suse.com/1202785
   https://bugzilla.suse.com/1203283
   https://bugzilla.suse.com/1203406
   https://bugzilla.suse.com/1203422
   https://bugzilla.suse.com/1203564
   https://bugzilla.suse.com/1203599
   https://bugzilla.suse.com/1203611
   https://bugzilla.suse.com/1203898
   https://bugzilla.suse.com/1204146
   https://bugzilla.suse.com/1204203
   https://bugzilla.suse.com/1204543
   https://bugzilla.suse.com/1204716
   https://bugzilla.suse.com/1204741