SUSE-SU-2023:4737-1: important: Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

Thu Dec 14 12:31:10 UTC 2023



# Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

Announcement ID: SUSE-SU-2023:4737-1  
Rating: important  
References:

  * bsc#1191143
  * bsc#1204235
  * bsc#1207012
  * bsc#1207532
  * bsc#1210928
  * bsc#1210930
  * bsc#1211355
  * bsc#1211560
  * bsc#1211649
  * bsc#1212695
  * bsc#1212904
  * bsc#1213469
  * bsc#1214186
  * bsc#1214471
  * bsc#1214601
  * bsc#1214759
  * bsc#1215209
  * bsc#1215514
  * bsc#1215949
  * bsc#1216030
  * bsc#1216041
  * bsc#1216085
  * bsc#1216128
  * bsc#1216380
  * bsc#1216506
  * bsc#1216555
  * bsc#1216690
  * bsc#1216754
  * bsc#1217038
  * bsc#1217223
  * bsc#1217224
  * jsc#MSQA-708
  * jsc#SUMA-282

  
Cross-References:

  * CVE-2023-22644

  
CVSS scores:

  * CVE-2023-22644 (NVD): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

  
Affected Products:

  * openSUSE Leap 15.4
  * openSUSE Leap 15.5
  * Public Cloud Module 15-SP4
  * Public Cloud Module 15-SP5
  * SUSE Linux Enterprise High Performance Computing 15 SP4
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise Server 15 SP4
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5
  * SUSE Manager Proxy 4.3
  * SUSE Manager Proxy 4.3 Module 4.3
  * SUSE Manager Retail Branch Server 4.3
  * SUSE Manager Server 4.3
  * SUSE Manager Server 4.3 Module 4.3


An update that solves one vulnerability, contains two features and has 30 security fixes can now be installed.

## Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3

### Description:

This update fixes the following issues:

spacecmd:

  * Version 4.3.25-1
  * Update translation strings

spacewalk-backend:

  * Version 4.3.25-1
  * Use the new apache2-mod_wsgi package name
  * Set stricter file permissions for config file
  * Add table statistics and options to the support config database output
  * Add CLM data collection to spacewalk-debug

spacewalk-client-tools:

  * Version 4.3.17-1
  * Update translation strings

spacewalk-proxy:

  * Version 4.3.17-1
  * Use the new apache2-mod_wsgi package name

spacewalk-web:

  * Version 4.3.36-1
  * Safeguard request URLs against tampering (bsc#1216754)
  * Improve datetimepicker input formatting
  * Improve logging to better capture third-party library issues
  * Simplify and modernize password generation logic
  * Update webpack to 5.88.2
  * Handle new message from subscription-matcher (bsc#1216506)
  * Add sanity checks for FQDNs in proxy configuration dialog
  * Add option to filter packages by build time in CLM (jsc#SUMA-282)

susemanager-tftpsync-recv:

  * Version 4.3.9-1
  * Use the new apache2-mod_wsgi package name
  * Build with Python 3 and clean up references to Python 2

How to apply this update:

  1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
  2. Stop the proxy service: `spacewalk-proxy stop`
  3. Apply the patch using either `zypper patch` or YaST Online Update.
  4. Start the proxy service: `spacewalk-proxy start`

## Security update for SUSE Manager Server 4.3

### Description:

This update fixes the following issues:

billing-data-service:

  * Version 4.3.2-1
  * Relax dependency to csp-billing-adapter-service

inter-server-sync:

  * Version 0.3.1
  * Require at least Go 1.20 for building SUSE packages

spacecmd:

  * Version 4.3.25-1
  * Update translation strings

spacewalk-backend:

  * Version 4.3.25-1
  * Use the new apache2-mod_wsgi package name
  * Set stricter file permissions for config file
  * Add table statistics and options to the support config database output
  * Add CLM data collection to spacewalk-debug

spacewalk-client-tools:

  * Version 4.3.17-1
  * Update translation strings

spacewalk-java:

  * Version 4.3.69-1
  * Security fixes:
    * CVE-2023-22644: Sanitize token before logging it (bsc#1210930)
    * CVE-2023-22644: Fix permissions for logfiles (bsc#1210928)
    * CVE-2023-22644: Log potentially sensitive information only in debug mode (bsc#1210928)
  * Non-security fixes:
    * Include in API response reboot_suggested and restart_suggested booleans
    * Fix filter ID comparison when attaching filters to a CLM project (bsc#1215949)
    * Fix validation of lists with empty defaults in formulas (bsc#1216555)
    * Safeguard request URLs against tampering (bsc#1216754)
    * Improve logging to better capture third-party library issues
    * Fix issue where non-installed packages were listed as errata package update candidates (bsc#1212904)
    * Fix issue with reporting database query pagination
    * Update tomcat jars to version greater than 9.0.75
    * Fix notification messages email content (bsc#1216041)
    * Look for the PAYG CA certificate location in different order to find and import the correct one (bsc#1214759)
    * Add salt-api socket timeout to abort stuck taskomatic jobs (bsc#1211649)
    * Fix SUSE Linux Enterprise Micro PAYG detection
    * Wait for lock to execute SCC sync task (bsc#1216030)
    * Fix URL pointing to SCC (bsc#1216690)
    * Prevent download when a PAYG Server is not compliant
    * Fix system.provisionSystem XML-RPC endpoint to calculate host properly (bsc#1215209)
    * Include "uuid" in system search XML-RPC results (bsc#1216380)
    * Prevent losing Remote Command action result if returned JSON cannot be parsed
    * Add PAYG info to UI and rest API
    * Add management restrictions to SUMA PAYG when dealing with BYOS instances and no SCC credentials are set
    * Fix issue where bad SCC credentials were preventing other credentials from refreshing (bsc#1211355)
    * Fix conversion to string if branchid is numeric in PXEEvent
    * Fix token validation for shared (public) child channels (bsc#1216128)
    * Prevent NullPointerException in updateSystemInfo (bsc#1217224)
    * Update SCC REST call to register systems in bulk
    * Add memory information to the hardware data sent to SCC
    * Fix FQDN machine name mapping on proxy configuration
    * Fix NullPointerException when creating PXE config for an unmanaged profile (bsc#1217223)
    * Add option to filter packages by build time in CLM (jsc#SUMA-282)
    * Consider server ID when removing invalid errata from rhnSet (bsc#1204235, bsc#1207012, bsc#1211560)
    * Fix createSystemRecord XML-RPC API call so the Cobbler UID is persisted (bsc#1207532)

spacewalk-search:

  * Version 4.3.10-1
  * Include "uuid" as system search result attribute (bsc#1216380)

spacewalk-web:

  * Version 4.3.36-1
  * Safeguard request URLs against tampering (bsc#1216754)
  * Improve datetimepicker input formatting
  * Improve logging to better capture third-party library issues
  * Simplify and modernize password generation logic
  * Update webpack to 5.88.2
  * Handle new message from subscription-matcher (bsc#1216506)
  * Add sanity checks for FQDNs in proxy configuration dialog
  * Add option to filter packages by build time in CLM (jsc#SUMA-282)

subscription-matcher:

  * Version 0.33
  * Add missing part numbers (bsc#1216506)
  * Ignore subscriptions without any associated products (bsc#1216506)
  * Update Guava to version 32.0

susemanager:

  * Version 4.3.33-1
  * Add bootstrap repository data for SUSE Linux Enterprise Micro 5.5
    (bsc#1217038)

susemanager-docs_en:

  * Add SUSE Liberty Linux versions 7 and 8 to the supported features matrix in
    the Client Configuration Guide
  * Add support for SUSE Linux Enterprise Micro 5.5 and openSUSE Leap Micro 5.5
    clients to the Installation and Upgrade Guide, and to the Client
    Configuration Guide
  * Update Twitter handle reference in documentation user interface
  * Update feature table and add legend in the Configuration Management section
    of the Client Configuration Guide
  * Fix parameter name in the Register clients section of the Client
    Configuration Guide
  * Fix links to HTML output of SUSE Linux Enterprise Server 15 SP4
    documentation
  * Add note about using short hostname in the Quick Start: SAP guide
    (bsc#1212695)
  * Mention the option to install Prometheus on Retail branch servers
    (bsc#1191143)
  * Fix link loop and clarify some server upgrade description details in the
    Installation and Upgrade Guide (bsc#1214471)
  * SUSE Manager 4.3 is based on SUSE Linux Enterprise 15 SP4; update the
    installation procedure (bsc#1213469)

susemanager-schema:

  * Version 4.3.22-1
  * Drop special versioned schema files
  * Add unique index for rhnpackagechangelogdata table

susemanager-sls:

  * Version 4.3.37-1
  * Disable dnf_rhui_plugin as it breaks our susemanagerplugin (bsc#1214601)
  * Fix susemanagerplugin to not overwrite header fields set by other plugins
  * Let the DNF plugin log when a token was set
  * Retry loading of pillars from DB on connection error (bsc#1214186)
  * Recognize squashfs build results from KIWI (bsc#1216085)

susemanager-sync-data:

  * Version 4.3.14-1
  * SUSE Linux Enterprise 15 SP4 Long Term Service Pack Support (LTSS)
  * Extended Service Pack Overlay Support (ESPOS) for High Performance Computing
    15 SP5
  * Long Term Service Pack Support (LTSS) for High Performance Computing 15 SP5
  * Update Open Enterprise Server to 2023.4 (bsc#1215514)

uyuni-reportdb-schema:

  * Version 4.3.8-1
  * Provide reportdb upgrade schema path structure

How to apply this update:

  1. Log in as root user to the SUSE Manager Server.
  2. Stop the Spacewalk service: `spacewalk-service stop`
  3. Apply the patch using either `zypper patch` or YaST Online Update.
  4. Start the Spacewalk service: `spacewalk-service start`

## Recommended update for apache2-mod_wsgi

### Description:

This update fixes the following issues:

apache2-mod_wsgi:

  * Ensure the binaries are included in SUSE Manager Server

## Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such as
YaST online_update or `zypper patch`.  
Alternatively, you can run the command listed for your product:

  * openSUSE Leap 15.4  
    zypper in -t patch SUSE-2023-4737=1 openSUSE-SLE-15.4-2023-4737=1

  * openSUSE Leap 15.5  
    zypper in -t patch openSUSE-SLE-15.5-2023-4737=1

  * Public Cloud Module 15-SP4  
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2023-4737=1

  * Public Cloud Module 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP5-2023-4737=1

  * SUSE Manager Proxy 4.3 Module 4.3  
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2023-4737=1

  * SUSE Manager Server 4.3 Module 4.3  
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2023-4737=1

## Package List:

  * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
    * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
    * apache2-mod_wsgi-4.7.1-150400.3.9.4
    * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
  * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
    * apache2-mod_wsgi-4.7.1-150400.3.9.4
    * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
  * Public Cloud Module 15-SP4 (aarch64 ppc64le s390x x86_64)
    * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
    * apache2-mod_wsgi-4.7.1-150400.3.9.4
    * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
  * Public Cloud Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
    * apache2-mod_wsgi-4.7.1-150400.3.9.4
    * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
  * SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
    * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
    * apache2-mod_wsgi-4.7.1-150400.3.9.4
    * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
  * SUSE Manager Proxy 4.3 Module 4.3 (noarch)
    * spacecmd-4.3.25-150400.3.30.5
    * python3-spacewalk-client-tools-4.3.17-150400.3.21.6
    * spacewalk-proxy-redirect-4.3.17-150400.3.23.5
    * spacewalk-client-setup-4.3.17-150400.3.21.6
    * python3-spacewalk-check-4.3.17-150400.3.21.6
    * spacewalk-proxy-broker-4.3.17-150400.3.23.5
    * spacewalk-proxy-common-4.3.17-150400.3.23.5
    * spacewalk-backend-4.3.25-150400.3.33.7
    * spacewalk-proxy-salt-4.3.17-150400.3.23.5
    * spacewalk-check-4.3.17-150400.3.21.6
    * spacewalk-proxy-management-4.3.17-150400.3.23.5
    * spacewalk-proxy-package-manager-4.3.17-150400.3.23.5
    * python3-spacewalk-client-setup-4.3.17-150400.3.21.6
    * spacewalk-client-tools-4.3.17-150400.3.21.6
    * spacewalk-base-minimal-4.3.36-150400.3.36.7
    * susemanager-tftpsync-recv-4.3.9-150400.3.9.5
    * spacewalk-base-minimal-config-4.3.36-150400.3.36.7
  * SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
    * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
    * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
    * inter-server-sync-0.3.1-150400.3.24.5
    * susemanager-tools-4.3.33-150400.3.42.4
    * susemanager-4.3.33-150400.3.42.4
    * apache2-mod_wsgi-4.7.1-150400.3.9.4
    * inter-server-sync-debuginfo-0.3.1-150400.3.24.5
  * SUSE Manager Server 4.3 Module 4.3 (noarch)
    * spacewalk-backend-config-files-tool-4.3.25-150400.3.33.7
    * spacewalk-search-4.3.10-150400.3.15.4
    * python3-spacewalk-client-tools-4.3.17-150400.3.21.6
    * susemanager-sync-data-4.3.14-150400.3.17.5
    * spacewalk-backend-config-files-common-4.3.25-150400.3.33.7
    * susemanager-docs_en-pdf-4.3-150400.9.50.5
    * spacewalk-backend-sql-postgresql-4.3.25-150400.3.33.7
    * spacewalk-base-4.3.36-150400.3.36.7
    * susemanager-schema-4.3.22-150400.3.30.5
    * spacewalk-backend-iss-4.3.25-150400.3.33.7
    * spacewalk-taskomatic-4.3.69-150400.3.69.5
    * susemanager-docs_en-4.3-150400.9.50.5
    * susemanager-sls-4.3.37-150400.3.37.5
    * spacewalk-client-tools-4.3.17-150400.3.21.6
    * spacecmd-4.3.25-150400.3.30.5
    * spacewalk-html-4.3.36-150400.3.36.7
    * spacewalk-backend-xmlrpc-4.3.25-150400.3.33.7
    * susemanager-schema-utility-4.3.22-150400.3.30.5
    * spacewalk-backend-iss-export-4.3.25-150400.3.33.7
    * spacewalk-base-minimal-config-4.3.36-150400.3.36.7
    * spacewalk-backend-xml-export-libs-4.3.25-150400.3.33.7
    * spacewalk-java-config-4.3.69-150400.3.69.5
    * spacewalk-backend-config-files-4.3.25-150400.3.33.7
    * spacewalk-backend-sql-4.3.25-150400.3.33.7
    * uyuni-reportdb-schema-4.3.8-150400.3.9.6
    * spacewalk-java-4.3.69-150400.3.69.5
    * spacewalk-backend-server-4.3.25-150400.3.33.7
    * subscription-matcher-0.33-150400.3.16.3
    * spacewalk-java-lib-4.3.69-150400.3.69.5
    * spacewalk-base-minimal-4.3.36-150400.3.36.7
    * spacewalk-java-postgresql-4.3.69-150400.3.69.5
    * billing-data-service-4.3.2-150400.10.12.5
    * spacewalk-backend-tools-4.3.25-150400.3.33.7
    * spacewalk-backend-applet-4.3.25-150400.3.33.7
    * spacewalk-backend-4.3.25-150400.3.33.7
    * uyuni-config-modules-4.3.37-150400.3.37.5
    * spacewalk-backend-package-push-server-4.3.25-150400.3.33.7
    * spacewalk-backend-app-4.3.25-150400.3.33.7

## References:

  * https://www.suse.com/security/cve/CVE-2023-22644.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1191143
  * https://bugzilla.suse.com/show_bug.cgi?id=1204235
  * https://bugzilla.suse.com/show_bug.cgi?id=1207012
  * https://bugzilla.suse.com/show_bug.cgi?id=1207532
  * https://bugzilla.suse.com/show_bug.cgi?id=1210928
  * https://bugzilla.suse.com/show_bug.cgi?id=1210930
  * https://bugzilla.suse.com/show_bug.cgi?id=1211355
  * https://bugzilla.suse.com/show_bug.cgi?id=1211560
  * https://bugzilla.suse.com/show_bug.cgi?id=1211649
  * https://bugzilla.suse.com/show_bug.cgi?id=1212695
  * https://bugzilla.suse.com/show_bug.cgi?id=1212904
  * https://bugzilla.suse.com/show_bug.cgi?id=1213469
  * https://bugzilla.suse.com/show_bug.cgi?id=1214186
  * https://bugzilla.suse.com/show_bug.cgi?id=1214471
  * https://bugzilla.suse.com/show_bug.cgi?id=1214601
  * https://bugzilla.suse.com/show_bug.cgi?id=1214759
  * https://bugzilla.suse.com/show_bug.cgi?id=1215209
  * https://bugzilla.suse.com/show_bug.cgi?id=1215514
  * https://bugzilla.suse.com/show_bug.cgi?id=1215949
  * https://bugzilla.suse.com/show_bug.cgi?id=1216030
  * https://bugzilla.suse.com/show_bug.cgi?id=1216041
  * https://bugzilla.suse.com/show_bug.cgi?id=1216085
  * https://bugzilla.suse.com/show_bug.cgi?id=1216128
  * https://bugzilla.suse.com/show_bug.cgi?id=1216380
  * https://bugzilla.suse.com/show_bug.cgi?id=1216506
  * https://bugzilla.suse.com/show_bug.cgi?id=1216555
  * https://bugzilla.suse.com/show_bug.cgi?id=1216690
  * https://bugzilla.suse.com/show_bug.cgi?id=1216754
  * https://bugzilla.suse.com/show_bug.cgi?id=1217038
  * https://bugzilla.suse.com/show_bug.cgi?id=1217223
  * https://bugzilla.suse.com/show_bug.cgi?id=1217224
  * https://jira.suse.com/browse/MSQA-708
  * https://jira.suse.com/browse/SUMA-282
