SUSE-SU-2022:3314-1: critical: Security update for SUSE Manager Server 4.2

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Mon Sep 19 19:20:27 UTC 2022


   SUSE Security Update: Security update for SUSE Manager Server 4.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:3314-1
Rating:             critical
References:         #1172705 #1187028 #1195455 #1195895 #1196729 
                    #1198168 #1198489 #1198738 #1198903 #1199372 
                    #1199659 #1199913 #1199950 #1200276 #1200296 
                    #1200480 #1200532 #1200573 #1200591 #1200629 
                    #1201142 #1201189 #1201210 #1201220 #1201224 
                    #1201527 #1201606 #1201607 #1201626 #1201753 
                    #1201913 #1201918 #1202142 #1202272 #1202464 
                    #1202728 #1203287 #1203288 #1203449 
Cross-References:   CVE-2021-41411 CVE-2021-42740 CVE-2021-43138
                    CVE-2022-31129
CVSS scores:
                    CVE-2021-41411 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-41411 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-42740 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-42740 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-43138 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-43138 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2022-31129 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-31129 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.2
                    SUSE Manager Server 4.2
______________________________________________________________________________

   An update that solves four vulnerabilities and has 35 fixes
   is now available.

Description:

   This update fixes the following issues:

   drools:

   - CVE-2021-41411: XML External Entity injection in
     KieModuleModelImpl.java. (bsc#1200629)

   httpcomponents-asyncclient:

   - Provide maven metadata needed by other packages to build

   image-sync-formula:

   - Update to version 0.1.1661440526.b08d95b
     * Add option to sort boot images by version (bsc#1196729)

   inter-server-sync:

   - Version 0.2.3
     * Compress exported sql data #16631
     * Add gzip dependency to decompress data file during import process

   patterns-suse-manager:

   - Strictly require OpenJDK 11 (bsc#1202142)

   py27-compat-salt:

   - Add support for gpgautoimport in zypperpkg module
   - Fix salt.states.file.managed() for follow_symlinks=True and test=True
     (bsc#1199372)
   - Add support for name, pkgs and diff_attr parameters to upgrade function
     for zypper and yum (bsc#1198489)
   - Unify logic on using multiple requisites and add onfail_all (bsc#1198738)
   - Normalize package names once with pkg.installed/removed using yum
     (bsc#1195895)

   salt-netapi-client:

   - Declare the LICENSE file as license and not doc
   - Adapted for Enterprise Linux 9.
   - Version 0.20.0
     * See: https://github.com/SUSE/salt-netapi-client/releases/tag/v0.20.0

   saltboot-formula:

   - Update to version 0.1.1661440526.b08d95b
     * Fallback to local boot if the configured image is not synced
     * improve image url modifications - preparation for ftp/http changes

   spacecmd:

   - Version 4.2.19-1
     * Process date values in spacecmd api calls (bsc#1198903)
     * Show correct help on calling kickstart_importjson with no arguments
     * Fix tracebacks on spacecmd kickstart_export (bsc#1200591)

   spacewalk-admin:

   - Version 4.2.12-1
     * Add --help option to mgr-monitoring-ctl

   spacewalk-backend:

   - Version 4.2.24-1
     * Make reposync use the configured http proxy with mirrorlist
       (bsc#1198168)
     * Revert proxy listChannels token caching pr#4548
     * cleanup leftovers from removing unused xmlrpc endpoint

   spacewalk-certs-tools:

   - Version 4.2.18-1
     * traditional stack bootstrap: install product packages (bsc#1201142)

   spacewalk-client-tools:

   - Version 4.2.20-1
     * Update translation strings

   spacewalk-java:

   - Version 4.2.41-1
     * Fixed date format on scheduler related messages (bsc#1195455)
     * Support inherited values for kernel options from Cobbler API
       (bsc#1199913)
     * Add channel availability check for product migration (bsc#1200296)
     * Check if system has all formulas correctly assigned (bsc#1201607)
     * Remove group formula assignments and data on group delete (bsc#1201606)
     * Fix sync for external repositories (bsc#1201753)
     * fix state.apply result parsing in test mode (bsc#1201913)
     * Reduce the length of image channel URL (bsc#1201220)
     * Calculate dependencies between cloned channels of vendor channels
       (bsc#1201626)
     * fix symlinks pointing to ongres-stringprep
     * Modify parameter type when communicating with the search server
       (bsc#1187028)
     * Fix initial profile and build host on Image Build page (bsc#1199659)
     * Fix the confirm message on the refresh action by adding a link to
       pending actions on it (bsc#1172705)
     * require new salt-netapi-client version
     * Clean grub2 reinstall entry in autoyast snippet (bsc#1199950)

   spacewalk-search:

   - Version 4.2.8-1
     * Add methods to handle session id as String

   spacewalk-web:

   - Version 4.2.29-1
     * CVE-2021-43138: Obtain privileges via the `mapValues()` method.
       (bsc#1200480)
     * CVE-2021-42740: Command injection in the shell-quote package.
       (bsc#1203287)
     * CVE-2022-31129: Denial-of-Service moment: inefficient parsing
       algorithm (bsc#1203288)
     * Fix table header layout for unselectable tables
     * Fix initial profile and build host on Image Build page (bsc#1199659)

   subscription-matcher:

   - Added Guava maximum version requirement.

   susemanager:

   - Version 4.2.37-1
     * mark new dependencies for python-py optional in bootstrap repo to fix
       generation for older service packs (bsc#1203449)
   - Version 4.2.36-1
     * add missing packages on SLES 15
     * remove server-migrator.sh from SUSE Manager installations (bsc#1202728)
     * mgr-create-bootstrap-repo: flush directory also when called for a
       specific label (bsc#1200573)
     * add missing packages on SLES 12 SP5 bootstrap repo (bsc#1201918)
     * remove python-tornado from bootstrap repo, since no longer required
       for salt version >= 3000
     * add openSUSE 15.4 product (bsc#1201527)
     * add clients tool product to generate bootstrap repo on openSUSE 15.x
       (bsc#1201189)

   susemanager-doc-indexes:

   - Documented mandatory channels in the Disconnected Setup chapter of the
     Administration Guide (bsc#1202464)
   - Documented how to onboard Ubuntu clients with the Salt bundle as a
     regular user
   - Documented how to onboard Debian clients with the Salt bundle or plain
     Salt as a regular user
   - Fixed the names of updates channels for Leap
   - Fixed errors in OpenSCAP chapter of Administration Guide
   - Added exact command to create the bootstrap repo for Salt bundle and
     about how to disable salt-thin
   - Removed CentOS 8 from the list of supported client systems
   - Extend the notes about using noexec option for /tmp and /var/tmp
     (bsc#1201210)
   - Reverted single snippet change for two separate books
   - Added extend Salt Bundle functionality with Python packages using pip
   - Add missing part of the description to enable optional support of the
     Salt Bundle with Salt SSH
   - Added exact command to create the bootstrap repo for salt bundle and
     about how to disable salt-thin
   - Salt Configuration Modules are no longer Technology Preview in Salt
     Guide.
   - Fixed Ubuntu 18 Client registration in Client Configuration Guide
     (bsc#1201224)
   - Added ports 1232 and 1233 in the Ports section of the Installation and
     Upgrade Guide; required for Salt SSH Push (bsc#1200532)
   - In the Custom Channel section of the Administration Guide add a note
     about synchronizing repositories regularly.
   - Removed SUSE Linux Enterprise 11 from the list of supported client
     systems

   susemanager-docs_en:

   - Documented mandatory channels in the Disconnected Setup chapter of the
     Administration Guide (bsc#1202464)
   - Documented how to onboard Ubuntu clients with the Salt bundle as a
     regular user
   - Documented how to onboard Debian clients with the Salt bundle or plain
     Salt as a regular user
   - Fixed the names of updates channels for Leap
   - Fixed errors in OpenSCAP chapter of Administration Guide
   - Added exact command to create the bootstrap repo for Salt bundle and
     about how to disable salt-thin
   - Removed CentOS 8 from the list of supported client systems
   - Extend the notes about using noexec option for /tmp and /var/tmp
     (bsc#1201210)
   - Reverted single snippet change for two separate books
   - Added extend Salt Bundle functionality with Python packages using pip
   - Add missing part of the description to enable optional support of the
     Salt Bundle with Salt SSH
   - Added exact command to create the bootstrap repo for salt bundle and
     about how to disable salt-thin
   - Salt Configuration Modules are no longer Technology Preview in Salt
     Guide.
   - Fixed Ubuntu 18 Client registration in Client Configuration Guide
     (bsc#1201224)
   - Added ports 1232 and 1233 in the Ports section of the Installation and
     Upgrade Guide; required for Salt SSH Push (bsc#1200532)
   - In the Custom Channel section of the Administration Guide add a note
     about synchronizing repositories regularly.
   - Removed SUSE Linux Enterprise 11 from the list of supported client
     systems

   susemanager-schema:

   - Version 4.2.24-1
     * Fix migration of image actions (bsc#1202272)

   susemanager-sls:

   - Version 4.2.27-1
     * Copy grains file with util.mgr_switch_to_venv_minion state apply
     * Remove the message 'rpm: command not found' on using Salt SSH with
       Debian based systems which has no Salt Bundle
     * Prevent possible tracebacks on calling module.run from mgrcompat by
       setting proper globals with using LazyLoader
     * Fix deploy of SLE Micro CA Certificate (bsc#1200276)

   uyuni-common-libs:

   - Version 4.2.7-1
     * Do not allow creating path if nonexistent user or group in fileutils.

   How to apply this update:

   1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk
   service: `spacewalk-service stop` 3. Apply the patch using either zypper
   patch or YaST Online Update. 4. Start the Spacewalk service:
   `spacewalk-service start`


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-3314=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64):

      inter-server-sync-0.2.3-150300.8.22.2
      inter-server-sync-debuginfo-0.2.3-150300.8.22.2
      patterns-suma_retail-4.2-150300.4.12.2
      patterns-suma_server-4.2-150300.4.12.2
      python3-uyuni-common-libs-4.2.7-150300.3.9.2
      susemanager-4.2.37-150300.3.41.1
      susemanager-tools-4.2.37-150300.3.41.1

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):

      drools-7.17.0-150300.4.6.2
      httpcomponents-asyncclient-4.1.4-150300.3.3.2
      image-sync-formula-0.1.1661440526.b08d95b-150300.3.3.2
      py27-compat-salt-3000.3-150300.7.7.23.2
      python3-spacewalk-certs-tools-4.2.18-150300.3.24.3
      python3-spacewalk-client-tools-4.2.20-150300.4.24.3
      salt-netapi-client-0.20.0-150300.3.9.4
      saltboot-formula-0.1.1661440526.b08d95b-150300.3.12.2
      spacecmd-4.2.19-150300.4.27.2
      spacewalk-admin-4.2.12-150300.3.15.3
      spacewalk-backend-4.2.24-150300.4.29.5
      spacewalk-backend-app-4.2.24-150300.4.29.5
      spacewalk-backend-applet-4.2.24-150300.4.29.5
      spacewalk-backend-config-files-4.2.24-150300.4.29.5
      spacewalk-backend-config-files-common-4.2.24-150300.4.29.5
      spacewalk-backend-config-files-tool-4.2.24-150300.4.29.5
      spacewalk-backend-iss-4.2.24-150300.4.29.5
      spacewalk-backend-iss-export-4.2.24-150300.4.29.5
      spacewalk-backend-package-push-server-4.2.24-150300.4.29.5
      spacewalk-backend-server-4.2.24-150300.4.29.5
      spacewalk-backend-sql-4.2.24-150300.4.29.5
      spacewalk-backend-sql-postgresql-4.2.24-150300.4.29.5
      spacewalk-backend-tools-4.2.24-150300.4.29.5
      spacewalk-backend-xml-export-libs-4.2.24-150300.4.29.5
      spacewalk-backend-xmlrpc-4.2.24-150300.4.29.5
      spacewalk-base-4.2.29-150300.3.27.3
      spacewalk-base-minimal-4.2.29-150300.3.27.3
      spacewalk-base-minimal-config-4.2.29-150300.3.27.3
      spacewalk-certs-tools-4.2.18-150300.3.24.3
      spacewalk-client-tools-4.2.20-150300.4.24.3
      spacewalk-html-4.2.29-150300.3.27.3
      spacewalk-java-4.2.41-150300.3.43.5
      spacewalk-java-config-4.2.41-150300.3.43.5
      spacewalk-java-lib-4.2.41-150300.3.43.5
      spacewalk-java-postgresql-4.2.41-150300.3.43.5
      spacewalk-search-4.2.8-150300.3.12.2
      spacewalk-taskomatic-4.2.41-150300.3.43.5
      subscription-matcher-0.29-150300.6.12.2
      susemanager-doc-indexes-4.2-150300.12.33.4
      susemanager-docs_en-4.2-150300.12.33.2
      susemanager-docs_en-pdf-4.2-150300.12.33.2
      susemanager-schema-4.2.24-150300.3.27.3
      susemanager-sls-4.2.27-150300.3.33.4
      uyuni-config-modules-4.2.27-150300.3.33.4


References:

   https://www.suse.com/security/cve/CVE-2021-41411.html
   https://www.suse.com/security/cve/CVE-2021-42740.html
   https://www.suse.com/security/cve/CVE-2021-43138.html
   https://www.suse.com/security/cve/CVE-2022-31129.html
   https://bugzilla.suse.com/1172705
   https://bugzilla.suse.com/1187028
   https://bugzilla.suse.com/1195455
   https://bugzilla.suse.com/1195895
   https://bugzilla.suse.com/1196729
   https://bugzilla.suse.com/1198168
   https://bugzilla.suse.com/1198489
   https://bugzilla.suse.com/1198738
   https://bugzilla.suse.com/1198903
   https://bugzilla.suse.com/1199372
   https://bugzilla.suse.com/1199659
   https://bugzilla.suse.com/1199913
   https://bugzilla.suse.com/1199950
   https://bugzilla.suse.com/1200276
   https://bugzilla.suse.com/1200296
   https://bugzilla.suse.com/1200480
   https://bugzilla.suse.com/1200532
   https://bugzilla.suse.com/1200573
   https://bugzilla.suse.com/1200591
   https://bugzilla.suse.com/1200629
   https://bugzilla.suse.com/1201142
   https://bugzilla.suse.com/1201189
   https://bugzilla.suse.com/1201210
   https://bugzilla.suse.com/1201220
   https://bugzilla.suse.com/1201224
   https://bugzilla.suse.com/1201527
   https://bugzilla.suse.com/1201606
   https://bugzilla.suse.com/1201607
   https://bugzilla.suse.com/1201626
   https://bugzilla.suse.com/1201753
   https://bugzilla.suse.com/1201913
   https://bugzilla.suse.com/1201918
   https://bugzilla.suse.com/1202142
   https://bugzilla.suse.com/1202272
   https://bugzilla.suse.com/1202464
   https://bugzilla.suse.com/1202728
   https://bugzilla.suse.com/1203287
   https://bugzilla.suse.com/1203288
   https://bugzilla.suse.com/1203449



More information about the sle-security-updates mailing list