SUSE-SU-2022:3750-1: moderate: Security update for SUSE Manager Server 4.3
sle-security-updates at lists.suse.com
Wed Oct 26 13:52:10 UTC 2022
SUSE Security Update: Security update for SUSE Manager Server 4.3
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:3750-1
Rating: moderate
References: #1191857 #1195624 #1196729 #1197027 #1198168
#1198903 #1199726 #1200480 #1200573 #1200629
#1201210 #1201220 #1201260 #1201589 #1201626
#1201753 #1201788 #1201913 #1201918 #1202271
#1202272 #1202367 #1202455 #1202464 #1202602
#1202728 #1202729 #1202805 #1202899 #1203026
#1203049 #1203056 #1203169 #1203287 #1203288
#1203385 #1203406 #1203422 #1203449 #1203478
#1203484 #1203564 #1203585 #1203611 #1204208
SUMA-112
Cross-References: CVE-2021-41411 CVE-2021-42740 CVE-2021-43138
CVE-2022-0860 CVE-2022-31129
CVSS scores:
CVE-2021-41411 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-41411 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-42740 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-42740 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-43138 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-43138 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-0860 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2022-0860 (SUSE): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CVE-2022-31129 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-31129 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3
SUSE Linux Enterprise Module for SUSE Manager Server 4.3
SUSE Manager Proxy 4.3
SUSE Manager Server 4.3
______________________________________________________________________________
An update that solves 5 vulnerabilities, contains one feature and has 40 fixes is now available.
Description:
This update fixes the following issues:
cobbler:
- Consider case of "next_server" being a hostname during migration of
Cobbler collections.
- Fix problem with "proxy_url_ext" setting being None type.
- Fix settings migration schema to work while upgrading on existing
running Uyuni and SUSE Manager servers running with old Cobbler settings
(bsc#1203478)
- Generate boot menus even if there are no profiles or systems (local boot only)
- Avoid crashing running buildiso in certain conditions.
- Fix issue that a custom kernel with the extension ".kernel" is not
accepted by "cobbler distro add"
- Fix issue with "get_item_resolved_value" that prevented it from
returning in cases where a complex object would have been returned
- Fix issue where the logs would have been spammed with "grab_tree"
messages that are meant for debugging
- Buildiso - Fix DNS append line generation
- Change apache2 conf dir for SUSE distros to allow integration with Uyuni
and SUSE Manager
- Avoid permissions errors during cobbler sync
- Update to version 3.3.3
- Add UEFI capabilities to "cobbler buildiso" (jsc#SUMA-112)
- Relevant changes on this release:
* New:
* Uyuni Proxies can now be set with the schema validation.
* Cobbler should now build on AlmaLinux.
* The initrd is not required anymore as it is an optional file.
* XML-RPC: Added dump_vars endpoint. This is intended to replace
get_blended_data as of 3.4.0.
* XML-RPC: Added get_item_resolved_value & set_item_resolved_value
endpoints.
* Breaking Changes:
* The field virt_file_size is now a float and the related settings as
well.
* Changes:
* The error messages for duplicated objects now contain the name of
the duplicated object.
* Bugfixes:
* Dictionaries had the wrong value set for <<inherit>>.
* There were some cases in which the autoinstallation manager was
handed the wrong object and then crashed.
* The inheritance of the owners field was fixed.
* Serial Console options should not contain a bogus -1 value anymore.
* HTTP API should not throw permission errors anymore.
* During build the log was not visible due to a custom logger without
output.
* cobbler mkloaders now also copies dependencies of menu.c32.
* We now generate the grub configuration for the architectures correctly
again.
* virt_file_size now is a float at all times.
* Cobbler should restart successfully now if you have attached an
image to a system.
* If you have a system named default the bootloader was not removed
properly before.
* cobbler buildiso: The isolinux.cfg was not properly formatted.
* There were unharmful templating errors in the log related to
redhat_management_type. The parts depending on this were removed.
* The DNS managers were non-functional before because of a call to a
non-existent function.
* cobbler buildiso failed with --tmpdirs that don't end in buildiso.
* cobbler buildiso had outdated docs and help messages for some
parameters.
* cobbler import: It was impossible to import Rocky Linux 8.5
successfully.
* Cobbler created duplicated settings files before.
* cobbler sync was broken by refactoring to shell=False before.
- CVE-2022-0860: Improper Authorization in Cobbler. (bsc#1197027)
- Version 3.3.0 fixed jsc#SUMA-112
- Update to version 3.3.2
* cobbler sync no longer has to be executed after enable_ipxe
was flipped
* Auth: Support for Global Secure Catalog via LDAP provider
* Reposync now deletes old metadata to prevent metadata merge conflicts
* The automigration of the settings is now disabled by default.
* We removed ppc from RedHat EL 7 as it is not supported
* "Network interface is not subscriptable" errors were fixed
* The stacktraces related to the package and file pre & post triggers
should no longer appear
* You should be able to add multiple initrds if needed again
* Debian: Fix regex for SHIM_FILE which now provides a working
reasonable default
drools:
- CVE-2021-41411: XML External Entity injection in KieModuleModelImpl.java
(bsc#1200629)
image-sync-formula:
- Update to version 0.1.1661440542.6cbe0da
* Sort boot images by version instead of name-version (bsc#1196729)
* Do not send events if syncing fails
inter-server-sync:
* Compress exported sql data and decompress during import
* Add gzip dependency to decompress data file during import process
locale-formula:
- Update to version 0.3
* Remove .map.gz from kb_map dictionary (bsc#1203406)
python-urlgrabber:
- Avoid crashing when setting URLGRABBER_DEBUG=1 environment variable
reprepro:
- Update from version 5.3.0 to version 5.4.0
* Add shunit2 based tests
* Support multiple versions
* Add the commands move, movesrc, movematched, movefilter
* Add Limit and Archive option
* fix manpage to add the behaviour if reprepro is linked against liblzma
* Mark 'dumpcontents' command as deprecated
saltboot-formula:
- Update to version 0.1.1661440542.6cbe0da
* Fallback to local boot if the configured image is not synced
* Support salt bundle
spacecmd:
- Version 4.3.15-1
* Process date values in spacecmd api calls (bsc#1198903)
spacewalk-admin:
- Version 4.3.10-1
* Ensure "cobbler mkloaders" is executed after restarting services
* Add --help option to mgr-monitoring-ctl
* reportdb access: force new report_db_sslrootcert if previous default
is set
spacewalk-backend:
- Version 4.3.16-1
* Prevent mixing credentials for the proxy and the repository server when
using basic authentication, and stop hiding errors (e.g. timeouts)
caused by proxy settings issues by adding extra logging in verbose mode
(bsc#1201788)
* Fix the condition of hiding the token from URL on logging
* export armored GPG key to salt filesystem as well
* Upgrade Cobbler requirement to 3.3.3 or later
* Make reposync use the configured http proxy with mirrorlist
(bsc#1198168)
spacewalk-certs-tools:
- Version 4.3.15-1
* fix mgr-ssl-cert-setup for root CAs which do not set
authorityKeyIdentifier (bsc#1203585)
spacewalk-client-tools:
- Version 4.3.12-1
* Update translation strings
spacewalk-java:
- version 4.3.38-1
* delay hardware refresh action to avoid missing channels (bsc#1204208)
- Version 4.3.37-1
* Fix get_item_resolved_value call
- Version 4.3.36-1
* Fix prerequisite action serialization (bsc#1202899, bsc#1203484)
* Fix hardware update where there are no DNS FQDN changes (bsc#1203611)
* Fix UI crash when filtering on systems list (bsc#1203169)
* Filter out successors that have no repositories on SP migration
(bsc#1202367)
* Reduced the usage of deprecated Hibernate API
* Use mgrnet.dns_fqdns module to improve FQDN detection (bsc#1199726)
* Support Pay-as-you-go new CA location for SUSE Linux Enterprise Server
15 SP4 and higher (bsc#1202729)
* Fixed pagination for completed/failed systems in action details
* Add support in rhn.conf for smtp port, auth, ssl/tls config
* Calculate dependencies between cloned channels of vendor channels
(bsc#1201626)
* Fix sync for external repositories (bsc#1201753)
* Detect the clients running on Amazon EC2 (bsc#1195624)
* Adjust cobbler requirement to version 3.3.3
* Support inherited values for kernel options from Cobbler API
* Fix virtFileSize type after cobbler upgrade
* Redefine available power_management.types for cobbler >= 3.3.1
* fix state.apply result parsing in test mode (bsc#1201913)
* require tomcat native interface to prevent misleading warning in
tomcat startup log (bsc#1202455)
* Reduce the length of image channel URL (bsc#1201220)
* Fixed formula deselection in systemgroup (bsc#1202271)
* Added a new configuration property to allow custom channels to be
synced together with vendor channels.
* add onlyRelevant argument to addErrataUpdate API
* fix taskomatic task remain in progress
spacewalk-search:
- Version 4.3.7-1
* update dependencies after package rename
spacewalk-setup:
- version 4.3.12
* Fix detected issues to perform migration of Cobbler settings and
collections.
- Version 4.3.11-1
* Trigger migration of Cobbler settings and collections if necessary
during package installation (bsc#1203478)
* Execute "cobbler mkloaders" when setting up cobbler
* Adjust next_server cobbler settings for cobbler >= 3.3.1
* fix prototype mismatch in idn_to_ascii (bsc#1203385)
spacewalk-utils:
- Version 4.3.14-1
* Make spacewalk-hostname-rename work with the settings.yaml cobbler
config file (bsc#1203564)
* spacewalk-common-channels now syncs the channels automatically
on creation, if the new configuration property named
'unify_custom_channel_management' is enabled
spacewalk-web:
- Version 4.3.24-1
* Upgrade moment-timezone
* CVE-2021-43138: Obtain privileges via the `mapValues()` method.
(bsc#1200480)
* CVE-2021-42740: Command injection in the shell-quote package.
(bsc#1203287)
* CVE-2022-31129: Denial of service in moment due to an inefficient
parsing algorithm (bsc#1203288)
* Fix table header layout for unselectable tables
subscription-matcher:
- Added Guava maximum version requirement
susemanager:
- Version 4.3.19-1
* mark new dependencies for python-py optional in bootstrap repo to fix
generation for older service packs (bsc#1203449)
* add bootstrap repository definition for OES2023 (bsc#1202602)
* add missing packages on SUSE Linux Enterprise Server 15
* remove server-migrator.sh from SUSE Manager installations (bsc#1202728)
* create bootstrap repository data for Ubuntu 22.04 Vendor Channels
* remove obsoleted sysv init script (bsc#1191857)
* mgr-create-bootstrap-repo: flush directory also when called for a
specific label (bsc#1200573)
* pg-migrate-x-to-y.sh: improve output (bsc#1201260)
* remove python-tornado from bootstrap repo, since no longer required
for salt version >= 3000
* add missing packages on SUSE Linux Enterprise Server 12 SP5 bootstrap
repo (bsc#1201918)
* revert "bootstrap repo: set optional packages"
susemanager-build-keys:
- Add release and auxiliary GPG keys for RedHat
- Add keys for Rocky Linux 9
* RPM-GPG-KEY-redhat-release
* RPM-GPG-KEY-redhat-auxiliary
* RPM-GPG-KEY-Rocky-9
susemanager-docs_en:
- Removed Debian 9 references due to end of life and added missing Debian
11 info
- Fixed description of default notification settings (bsc#1203422)
- Added missing Debian 11 references
- Documented helm deployment of the proxy on k3s and MetalLB in
Installation and Upgrade Guide
- Added secure mail communication settings in Administration Guide
- Fixed path to state and pillar files
- Documented how pxeboot works with Secure Boot enabled in Client
Configuration Guide
- Add repository via proxy issues troubleshooting page
- Change import GPG key description
- Added SLE Micro 5.2 and 5.3 as available as a technology preview in
Client Configuration Guide, and the IBM Z architecture for 5.1, 5.2, and
5.3
- Added command to remove the obsolete Python module on SUSE Manager
Server 4.1 in the Installation and Upgrade Guide (bsc#1203026)
- Mention CA certificate directory in the proxy setup description in the
Installation and Upgrade Guide (bsc#1202805)
- Documented mandatory channels in the Disconnected Setup chapter of the
Administration Guide (bsc#1202464)
- Documented how to onboard Ubuntu clients with the Salt bundle as a
regular user
- Documented how to onboard Debian clients with the Salt bundle or plain
Salt as a regular user
- Fixed the names of updates channels for Leap
- Fixed errors in OpenSCAP chapter of Administration Guide
- Removed CentOS 8 from the list of supported client systems
- Extend the notes about using noexec option for /tmp and /var/tmp
(bsc#1201210)
- Added "Extend Salt Bundle functionality with Python packages using pip"
- Salt Configuration Modules are no longer Technology Preview in the Salt
Guide
susemanager-schema:
- Version 4.3.14-1
* Add subtypes for Amazon EC2 virtual instances (bsc#1195624)
* Fix migration of image actions (bsc#1202272)
* improve schema compatibility with Amazon RDS
susemanager-sls:
- Version 4.3.25-1
* Fix mgrnet availability check
* Remove dependence on Kiwi libraries
* always disable the bootstrap repository, also when
"mgr_disable_local_repos" is set to False
* Use mgrnet.dns_fqdns module to improve FQDN detection (bsc#1199726)
* fix syntax error - remove trailing colon (bsc#1203049)
* Add mgrnet salt module with the mgrnet.dns_fqdns function, which
returns all possible FQDNs obtained from DNS (bsc#1199726)
* Copy grains file with util.mgr_switch_to_venv_minion state apply
(bsc#1203056)
* Remove the message 'rpm: command not found' when using Salt SSH with
Debian based systems which have no Salt Bundle
susemanager-sync-data:
- Version 4.3.9-1
* add oes2023 (bsc#1202602)
* add Ubuntu 22.04 amd64
susemanager-tftpsync:
- Version 4.3.2-1
* Adjust sync_post_tftpd_proxies module to cobbler >= 3.3.1
uyuni-common-libs:
- Version 4.3.6-1
* Do not allow creating a path in fileutils if the user or group does not exist.
uyuni-reportdb-schema:
- Version 4.3.6-1
* improve schema compatibility with Amazon RDS
How to apply this update:
1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-service start`
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.3:
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2022-3750=1
- SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3:
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2022-3750=1
Package List:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (ppc64le s390x x86_64):
inter-server-sync-0.2.3-150400.3.6.1
inter-server-sync-debuginfo-0.2.3-150400.3.6.1
python3-magic-5.32-150000.7.16.1
python3-uyuni-common-libs-4.3.6-150400.3.6.4
reprepro-5.4.0-150400.3.6.1
reprepro-debuginfo-5.4.0-150400.3.6.1
reprepro-debugsource-5.4.0-150400.3.6.1
susemanager-4.3.19-150400.3.6.4
susemanager-tftpsync-4.3.2-150400.3.3.4
susemanager-tools-4.3.19-150400.3.6.4
- SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (noarch):
cobbler-3.3.3-150400.5.7.1
drools-7.17.0-150400.3.6.1
image-sync-formula-0.1.1661440542.6cbe0da-150400.3.6.1
locale-formula-0.3-150400.3.3.1
python3-schema-0.6.7-150400.10.3.1
python3-spacewalk-certs-tools-4.3.15-150400.3.6.2
python3-spacewalk-client-tools-4.3.12-150400.3.6.6
python3-urlgrabber-4.1.0-150400.3.6.1
saltboot-formula-0.1.1661440542.6cbe0da-150400.3.3.1
spacecmd-4.3.15-150400.3.6.4
spacewalk-admin-4.3.10-150400.3.3.2
spacewalk-backend-4.3.16-150400.3.6.8
spacewalk-backend-app-4.3.16-150400.3.6.8
spacewalk-backend-applet-4.3.16-150400.3.6.8
spacewalk-backend-config-files-4.3.16-150400.3.6.8
spacewalk-backend-config-files-common-4.3.16-150400.3.6.8
spacewalk-backend-config-files-tool-4.3.16-150400.3.6.8
spacewalk-backend-iss-4.3.16-150400.3.6.8
spacewalk-backend-iss-export-4.3.16-150400.3.6.8
spacewalk-backend-package-push-server-4.3.16-150400.3.6.8
spacewalk-backend-server-4.3.16-150400.3.6.8
spacewalk-backend-sql-4.3.16-150400.3.6.8
spacewalk-backend-sql-postgresql-4.3.16-150400.3.6.8
spacewalk-backend-tools-4.3.16-150400.3.6.8
spacewalk-backend-xml-export-libs-4.3.16-150400.3.6.8
spacewalk-backend-xmlrpc-4.3.16-150400.3.6.8
spacewalk-base-4.3.24-150400.3.6.4
spacewalk-base-minimal-4.3.24-150400.3.6.4
spacewalk-base-minimal-config-4.3.24-150400.3.6.4
spacewalk-certs-tools-4.3.15-150400.3.6.2
spacewalk-client-tools-4.3.12-150400.3.6.6
spacewalk-html-4.3.24-150400.3.6.4
spacewalk-java-4.3.38-150400.3.8.3
spacewalk-java-config-4.3.38-150400.3.8.3
spacewalk-java-lib-4.3.38-150400.3.8.3
spacewalk-java-postgresql-4.3.38-150400.3.8.3
spacewalk-search-4.3.7-150400.3.6.2
spacewalk-setup-4.3.12-150400.3.8.1
spacewalk-taskomatic-4.3.38-150400.3.8.3
spacewalk-utils-4.3.14-150400.3.6.3
spacewalk-utils-extras-4.3.14-150400.3.6.3
subscription-matcher-0.29-150400.3.7.1
susemanager-build-keys-15.4.3-150400.3.6.1
susemanager-build-keys-web-15.4.3-150400.3.6.1
susemanager-docs_en-4.3-150400.9.6.1
susemanager-docs_en-pdf-4.3-150400.9.6.1
susemanager-schema-4.3.14-150400.3.6.5
susemanager-schema-utility-4.3.14-150400.3.6.5
susemanager-sls-4.3.25-150400.3.6.4
susemanager-sync-data-4.3.9-150400.3.3.1
uyuni-config-modules-4.3.25-150400.3.6.4
uyuni-reportdb-schema-4.3.6-150400.3.3.6
- SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (noarch):
mgr-daemon-4.3.6-150400.3.6.4
python3-spacewalk-certs-tools-4.3.15-150400.3.6.2
python3-spacewalk-check-4.3.12-150400.3.6.6
python3-spacewalk-client-setup-4.3.12-150400.3.6.6
python3-spacewalk-client-tools-4.3.12-150400.3.6.6
spacecmd-4.3.15-150400.3.6.4
spacewalk-backend-4.3.16-150400.3.6.8
spacewalk-base-minimal-4.3.24-150400.3.6.4
spacewalk-base-minimal-config-4.3.24-150400.3.6.4
spacewalk-certs-tools-4.3.15-150400.3.6.2
spacewalk-check-4.3.12-150400.3.6.6
spacewalk-client-setup-4.3.12-150400.3.6.6
spacewalk-client-tools-4.3.12-150400.3.6.6
susemanager-build-keys-15.4.3-150400.3.6.1
susemanager-build-keys-web-15.4.3-150400.3.6.1
susemanager-tftpsync-recv-4.3.7-150400.3.3.3
- SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (x86_64):
python3-uyuni-common-libs-4.3.6-150400.3.6.4
References:
https://www.suse.com/security/cve/CVE-2021-41411.html
https://www.suse.com/security/cve/CVE-2021-42740.html
https://www.suse.com/security/cve/CVE-2021-43138.html
https://www.suse.com/security/cve/CVE-2022-0860.html
https://www.suse.com/security/cve/CVE-2022-31129.html
https://bugzilla.suse.com/1191857
https://bugzilla.suse.com/1195624
https://bugzilla.suse.com/1196729
https://bugzilla.suse.com/1197027
https://bugzilla.suse.com/1198168
https://bugzilla.suse.com/1198903
https://bugzilla.suse.com/1199726
https://bugzilla.suse.com/1200480
https://bugzilla.suse.com/1200573
https://bugzilla.suse.com/1200629
https://bugzilla.suse.com/1201210
https://bugzilla.suse.com/1201220
https://bugzilla.suse.com/1201260
https://bugzilla.suse.com/1201589
https://bugzilla.suse.com/1201626
https://bugzilla.suse.com/1201753
https://bugzilla.suse.com/1201788
https://bugzilla.suse.com/1201913
https://bugzilla.suse.com/1201918
https://bugzilla.suse.com/1202271
https://bugzilla.suse.com/1202272
https://bugzilla.suse.com/1202367
https://bugzilla.suse.com/1202455
https://bugzilla.suse.com/1202464
https://bugzilla.suse.com/1202602
https://bugzilla.suse.com/1202728
https://bugzilla.suse.com/1202729
https://bugzilla.suse.com/1202805
https://bugzilla.suse.com/1202899
https://bugzilla.suse.com/1203026
https://bugzilla.suse.com/1203049
https://bugzilla.suse.com/1203056
https://bugzilla.suse.com/1203169
https://bugzilla.suse.com/1203287
https://bugzilla.suse.com/1203288
https://bugzilla.suse.com/1203385
https://bugzilla.suse.com/1203406
https://bugzilla.suse.com/1203422
https://bugzilla.suse.com/1203449
https://bugzilla.suse.com/1203478
https://bugzilla.suse.com/1203484
https://bugzilla.suse.com/1203564
https://bugzilla.suse.com/1203585
https://bugzilla.suse.com/1203611
https://bugzilla.suse.com/1204208