SUSE-SU-2022:3750-1: moderate: Security update for SUSE Manager Proxy 4.3
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Wed Oct 26 13:30:45 UTC 2022
SUSE Security Update: Security update for SUSE Manager Proxy 4.3
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:3750-1
Rating: moderate
References: #1198168 #1198903 #1200480 #1201589 #1201788
#1203287 #1203288 #1203585
Cross-References: CVE-2021-42740 CVE-2021-43138 CVE-2022-31129
CVSS scores:
CVE-2021-42740 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-42740 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-43138 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-43138 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-31129 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-31129 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3
SUSE Manager Proxy 4.3
______________________________________________________________________________
An update that solves three vulnerabilities and has 5 fixes
is now available.
Description:
This update fixes the following issues:
mgr-daemon:
- Version 4.3.6-1
* Update translation strings
spacecmd:
- Version 4.3.15-1
* Process date values in spacecmd api calls (bsc#1198903)
spacewalk-backend:
- Version 4.3.16-1
* Prevent mixing credentials for proxy and repository server while using
basic authentication and avoid hiding errors i.e. timeouts while
having proxy settings issues with extra logging in verbose mode
(bsc#1201788)
* Fix the condition of hiding the token from URL on logging
* export armored GPG key to salt filesystem as well
* Upgrade Cobbler requirement to 3.3.3 or later
* Make reposync use the configured http proxy with mirrorlist
(bsc#1198168)
spacewalk-certs-tools:
- Version 4.3.15-1
* fix mgr-ssl-cert-setup for root CAs which do not set
authorityKeyIdentifier (bsc#1203585)
spacewalk-client-tools:
- Version 4.3.12-1
* Update translation strings
spacewalk-web:
- Version 4.3.24-1
* Upgrade moment-timezone
* CVE-2021-43138: Obtain privileges via the `mapValues()` method.
(bsc#1200480)
* CVE-2021-42740: Command injection in the shell-quote package.
(bsc#1203287)
* CVE-2022-31129: Denial-of-Service moment: inefficient parsing
algorithm (bsc#1203288)
* Fix table header layout for unselectable tables
susemanager-build-keys:
- Add release and auxiliary GPG keys for RedHat
- Add keys for Rocky Linux 9
* RPM-GPG-KEY-redhat-release
* RPM-GPG-KEY-redhat-auxiliary
* RPM-GPG-KEY-Rocky-9
susemanager-tftpsync-recv:
- Version 4.3.7-1
* Add missing IPv6 default configuration (bsc#1201589)
* fix problems with parallel running processes
uyuni-common-libs:
- Version 4.3.6-1
* Do not allow creating path if nonexistent user or group in fileutils.
How to apply this update:
1. Log in as root user to the SUSE Manager proxy. 2. Stop the proxy
service: spacewalk-proxy stop 3. Apply the patch using either zypper patch
or YaST Online Update. 4. Start the Spacewalk service: spacewalk-proxy
start
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3:
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2022-3750=1
Package List:
- SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (x86_64):
python3-uyuni-common-libs-4.3.6-150400.3.6.4
- SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (noarch):
mgr-daemon-4.3.6-150400.3.6.4
python3-spacewalk-certs-tools-4.3.15-150400.3.6.2
python3-spacewalk-check-4.3.12-150400.3.6.6
python3-spacewalk-client-setup-4.3.12-150400.3.6.6
python3-spacewalk-client-tools-4.3.12-150400.3.6.6
spacecmd-4.3.15-150400.3.6.4
spacewalk-backend-4.3.16-150400.3.6.8
spacewalk-base-minimal-4.3.24-150400.3.6.4
spacewalk-base-minimal-config-4.3.24-150400.3.6.4
spacewalk-certs-tools-4.3.15-150400.3.6.2
spacewalk-check-4.3.12-150400.3.6.6
spacewalk-client-setup-4.3.12-150400.3.6.6
spacewalk-client-tools-4.3.12-150400.3.6.6
susemanager-build-keys-15.4.3-150400.3.6.1
susemanager-build-keys-web-15.4.3-150400.3.6.1
susemanager-tftpsync-recv-4.3.7-150400.3.3.3
References:
https://www.suse.com/security/cve/CVE-2021-42740.html
https://www.suse.com/security/cve/CVE-2021-43138.html
https://www.suse.com/security/cve/CVE-2022-31129.html
https://bugzilla.suse.com/1198168
https://bugzilla.suse.com/1198903
https://bugzilla.suse.com/1200480
https://bugzilla.suse.com/1201589
https://bugzilla.suse.com/1201788
https://bugzilla.suse.com/1203287
https://bugzilla.suse.com/1203288
https://bugzilla.suse.com/1203585
More information about the sle-security-updates
mailing list