SUSE-SU-2023:4737-1: important: Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server
null at suse.de
Thu Dec 14 12:31:10 UTC 2023
# Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server
Announcement ID: SUSE-SU-2023:4737-1
Rating: important
References:
* bsc#1191143
* bsc#1204235
* bsc#1207012
* bsc#1207532
* bsc#1210928
* bsc#1210930
* bsc#1211355
* bsc#1211560
* bsc#1211649
* bsc#1212695
* bsc#1212904
* bsc#1213469
* bsc#1214186
* bsc#1214471
* bsc#1214601
* bsc#1214759
* bsc#1215209
* bsc#1215514
* bsc#1215949
* bsc#1216030
* bsc#1216041
* bsc#1216085
* bsc#1216128
* bsc#1216380
* bsc#1216506
* bsc#1216555
* bsc#1216690
* bsc#1216754
* bsc#1217038
* bsc#1217223
* bsc#1217224
* jsc#MSQA-708
* jsc#SUMA-282
Cross-References:
* CVE-2023-22644
CVSS scores:
* CVE-2023-22644 ( NVD ): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Affected Products:
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* Public Cloud Module 15-SP4
* Public Cloud Module 15-SP5
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Manager Proxy 4.3
* SUSE Manager Proxy 4.3 Module 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
* SUSE Manager Server 4.3 Module 4.3
An update that solves one vulnerability, contains two features and has 30
security fixes can now be installed.
## Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3
### Description:
This update fixes the following issues:
spacecmd:
* Version 4.3.25-1
* Update translation strings
spacewalk-backend:
* Version 4.3.25-1
* Use the new apache2-mod_wsgi package name
* Set stricter file permissions for config file
* Add table statistics and options to the support config database output
* Add CLM data collection to spacewalk-debug
spacewalk-client-tools:
* Version 4.3.17-1
* Update translation strings
spacewalk-proxy:
* Version 4.3.17-1
* Use the new apache2-mod_wsgi package name
spacewalk-web:
* Version 4.3.36-1
* Safeguard request URLs against tampering (bsc#1216754)
* Improve datetimepicker input formatting
* Improve logging to better capture third-party library issues
* Simplify and modernize password generation logic
* Update webpack to 5.88.2
* Handle new message from subscription-matcher (bsc#1216506)
* Add sanity checks for FQDNs in proxy configuration dialog
* Add option to filter packages by build time in CLM (jsc#SUMA-282)
susemanager-tftpsync-recv:
* Version 4.3.9-1
* Use the new apache2-mod_wsgi package name
* Build with Python 3 and clean up references to Python 2
How to apply this update:
1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
2. Stop the proxy service: `spacewalk-proxy stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-proxy start`
## Security update for SUSE Manager Server 4.3
### Description:
This update fixes the following issues:
billing-data-service:
* Version 4.3.2-1
* Relax dependency to csp-billing-adapter-service
inter-server-sync:
* Version 0.3.1
* Require at least Go 1.20 for building SUSE packages
spacecmd:
* Version 4.3.25-1
* Update translation strings
spacewalk-backend:
* Version 4.3.25-1
* Use the new apache2-mod_wsgi package name
* Set stricter file permissions for config file
* Add table statistics and options to the support config database output
* Add CLM data collection to spacewalk-debug
spacewalk-client-tools:
* Version 4.3.17-1
* Update translation strings
spacewalk-java:
* Version 4.3.69-1
* Security fixes:
  * CVE-2023-22644: Sanitize token before logging it (bsc#1210930)
  * CVE-2023-22644: Fix permissions for logfiles (bsc#1210928)
  * CVE-2023-22644: Log potential sensitive information only in debug mode (bsc#1210928)
* Non-security fixes:
  * Include in API response reboot_suggested and restart_suggested booleans
  * Fix filter ID comparison when attaching filters to a CLM project (bsc#1215949)
  * Fix validation of lists with empty defaults in formulas (bsc#1216555)
  * Safeguard request URLs against tampering (bsc#1216754)
  * Improve logging to better capture third-party library issues
  * Fix issue of non-installed package listed as errata package update candidates (bsc#1212904)
  * Fix issue with reporting database query pagination
  * Update tomcat jars to version greater than 9.0.75
  * Fix notification messages email content (bsc#1216041)
  * Look for the PAYG CA certificate location in different order to find and import the correct one (bsc#1214759)
  * Add salt-api socket timeout to abort stuck taskomatic jobs (bsc#1211649)
  * Fix SUSE Linux Enterprise Micro PAYG detection
  * Wait for lock to execute SCC sync task (bsc#1216030)
  * Fix url pointing to SCC (bsc#1216690)
  * Prevent download when a PAYG Server is not compliant
  * Fix system.provisionSystem xmlrpc endpoint to calculate host properly (bsc#1215209)
  * Include "uuid" as system search xmlrpc results (bsc#1216380)
  * Prevent losing Remote Command action result if returned JSON cannot be parsed
  * Add PAYG info to UI and rest API
  * Add management restrictions to SUMA PAYG when dealing with BYOS instances when no SCC credentials are set
  * Fix issue where bad SCC credentials were preventing other credentials from refreshing (bsc#1211355)
  * Fix conversion to string if branchid is numeric in PXEEvent
  * Fix token validation for shared (public) child channels (bsc#1216128)
  * Prevent NullPointerException in updateSystemInfo (bsc#1217224)
  * Update SCC REST call to register systems in bulk
  * Enhance hardware data sent to SCC by memory
  * Fix FQDN machine name mapping on proxy configuration
  * Fix NullPointerException when creating PXE config for an unmanaged profile (bsc#1217223)
  * Add option to filter packages by build time in CLM (jsc#SUMA-282)
  * Consider server id when removing invalid erratas from rhnSet (bsc#1204235,bsc#1207012,bsc#1211560)
  * Fix createSystemRecord XML-RPC API call so the Cobbler UID is persisted (bsc#1207532)
spacewalk-search:
* Version 4.3.10-1
* Include "uuid" as system search result attribute (bsc#1216380)
spacewalk-web:
* Version 4.3.36-1
* Safeguard request URLs against tampering (bsc#1216754)
* Improve datetimepicker input formatting
* Improve logging to better capture third-party library issues
* Simplify and modernize password generation logic
* Update webpack to 5.88.2
* Handle new message from subscription-matcher (bsc#1216506)
* Add sanity checks for FQDNs in proxy configuration dialog
* Add option to filter packages by build time in CLM (jsc#SUMA-282)
subscription-matcher:
* Version 0.33
* Added missing part numbers (bsc#1216506)
* Ignore subscriptions without any associated products (bsc#1216506)
* Update Guava to version 32.0
susemanager:
* Version 4.3.33-1
* Add bootstrap repository data for SUSE Linux Enterprise Micro 5.5 (bsc#1217038)
susemanager-docs_en:
* Add SUSE Liberty Linux versions 7 and 8 to the supported features matrix in the Client Configuration Guide
* Add support for SUSE Linux Enterprise Micro 5.5 and openSUSE Leap Micro 5.5 clients to the Installation and Upgrade Guide, and to the Client Configuration Guide
* Update Twitter handle reference in documentation user interface
* Update feature table and add legend in the Configuration Management section of the Client Configuration Guide
* Fix parameter name in the Register clients section of the Client Configuration Guide
* Fix links to HTML output of SUSE Linux Enterprise Server 15 SP4 documentation
* Add note about using short hostname in the Quick Start: SAP guide (bsc#1212695)
* Mention the option to install Prometheus on Retail branch servers (bsc#1191143)
* Fix link loop and clarify some server upgrade description details in the Installation and Upgrade Guide (bsc#1214471)
* SUSE Manager 4.3 is based on SUSE Linux Enterprise 15 SP4; update the installation procedure (bsc#1213469)
susemanager-schema:
* Version 4.3.22-1
* Drop special versioned schema files
* Add unique index for rhnpackagechangelogdata table
susemanager-sls:
* Version 4.3.37-1
* Disable dnf_rhui_plugin as it breaks our susemanagerplugin (bsc#1214601)
* Fix susemanagerplugin to not overwrite header fields set by other plugins
* Let the DNF plugin log when a token was set
* Retry loading of pillars from DB on connection error (bsc#1214186)
* Recognize squashfs build results from KIWI (bsc#1216085)
susemanager-sync-data:
* Version 4.3.14-1
* SUSE Linux Enterprise 15 SP4 Long Term Service Pack Support (LTSS)
* Extended Service Pack Overlay Support (ESPOS) for High Performance Computing 15 SP5
* Long Term Service Pack Support (LTSS) for High Performance Computing 15 SP5
* Update Open Enterprise Server to 2023.4 (bsc#1215514)
uyuni-reportdb-schema:
* Version 4.3.8-1
* Provide reportdb upgrade schema path structure
How to apply this update:
1. Log in as root user to the SUSE Manager Server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-service start`
## Recommended update for apache2-mod_wsgi
### Description:
This update fixes the following issues:
apache2-mod_wsgi:
* Ensure the binaries are included in SUSE Manager Server
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4: `zypper in -t patch SUSE-2023-4737=1 openSUSE-SLE-15.4-2023-4737=1`
* openSUSE Leap 15.5: `zypper in -t patch openSUSE-SLE-15.5-2023-4737=1`
* Public Cloud Module 15-SP4: `zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2023-4737=1`
* Public Cloud Module 15-SP5: `zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP5-2023-4737=1`
* SUSE Manager Proxy 4.3 Module 4.3: `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2023-4737=1`
* SUSE Manager Server 4.3 Module 4.3: `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2023-4737=1`
## Package List:
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
  * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
  * apache2-mod_wsgi-4.7.1-150400.3.9.4
  * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
  * apache2-mod_wsgi-4.7.1-150400.3.9.4
  * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
* Public Cloud Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
  * apache2-mod_wsgi-4.7.1-150400.3.9.4
  * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
* Public Cloud Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
  * apache2-mod_wsgi-4.7.1-150400.3.9.4
  * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
* SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
  * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
  * apache2-mod_wsgi-4.7.1-150400.3.9.4
  * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
* SUSE Manager Proxy 4.3 Module 4.3 (noarch)
  * spacecmd-4.3.25-150400.3.30.5
  * python3-spacewalk-client-tools-4.3.17-150400.3.21.6
  * spacewalk-proxy-redirect-4.3.17-150400.3.23.5
  * spacewalk-client-setup-4.3.17-150400.3.21.6
  * python3-spacewalk-check-4.3.17-150400.3.21.6
  * spacewalk-proxy-broker-4.3.17-150400.3.23.5
  * spacewalk-proxy-common-4.3.17-150400.3.23.5
  * spacewalk-backend-4.3.25-150400.3.33.7
  * spacewalk-proxy-salt-4.3.17-150400.3.23.5
  * spacewalk-check-4.3.17-150400.3.21.6
  * spacewalk-proxy-management-4.3.17-150400.3.23.5
  * spacewalk-proxy-package-manager-4.3.17-150400.3.23.5
  * python3-spacewalk-client-setup-4.3.17-150400.3.21.6
  * spacewalk-client-tools-4.3.17-150400.3.21.6
  * spacewalk-base-minimal-4.3.36-150400.3.36.7
  * susemanager-tftpsync-recv-4.3.9-150400.3.9.5
  * spacewalk-base-minimal-config-4.3.36-150400.3.36.7
* SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
  * apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
  * apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
  * inter-server-sync-0.3.1-150400.3.24.5
  * susemanager-tools-4.3.33-150400.3.42.4
  * susemanager-4.3.33-150400.3.42.4
  * apache2-mod_wsgi-4.7.1-150400.3.9.4
  * inter-server-sync-debuginfo-0.3.1-150400.3.24.5
* SUSE Manager Server 4.3 Module 4.3 (noarch)
  * spacewalk-backend-config-files-tool-4.3.25-150400.3.33.7
  * spacewalk-search-4.3.10-150400.3.15.4
  * python3-spacewalk-client-tools-4.3.17-150400.3.21.6
  * susemanager-sync-data-4.3.14-150400.3.17.5
  * spacewalk-backend-config-files-common-4.3.25-150400.3.33.7
  * susemanager-docs_en-pdf-4.3-150400.9.50.5
  * spacewalk-backend-sql-postgresql-4.3.25-150400.3.33.7
  * spacewalk-base-4.3.36-150400.3.36.7
  * susemanager-schema-4.3.22-150400.3.30.5
  * spacewalk-backend-iss-4.3.25-150400.3.33.7
  * spacewalk-taskomatic-4.3.69-150400.3.69.5
  * susemanager-docs_en-4.3-150400.9.50.5
  * susemanager-sls-4.3.37-150400.3.37.5
  * spacewalk-client-tools-4.3.17-150400.3.21.6
  * spacecmd-4.3.25-150400.3.30.5
  * spacewalk-html-4.3.36-150400.3.36.7
  * spacewalk-backend-xmlrpc-4.3.25-150400.3.33.7
  * susemanager-schema-utility-4.3.22-150400.3.30.5
  * spacewalk-backend-iss-export-4.3.25-150400.3.33.7
  * spacewalk-base-minimal-config-4.3.36-150400.3.36.7
  * spacewalk-backend-xml-export-libs-4.3.25-150400.3.33.7
  * spacewalk-java-config-4.3.69-150400.3.69.5
  * spacewalk-backend-config-files-4.3.25-150400.3.33.7
  * spacewalk-backend-sql-4.3.25-150400.3.33.7
  * uyuni-reportdb-schema-4.3.8-150400.3.9.6
  * spacewalk-java-4.3.69-150400.3.69.5
  * spacewalk-backend-server-4.3.25-150400.3.33.7
  * subscription-matcher-0.33-150400.3.16.3
  * spacewalk-java-lib-4.3.69-150400.3.69.5
  * spacewalk-base-minimal-4.3.36-150400.3.36.7
  * spacewalk-java-postgresql-4.3.69-150400.3.69.5
  * billing-data-service-4.3.2-150400.10.12.5
  * spacewalk-backend-tools-4.3.25-150400.3.33.7
  * spacewalk-backend-applet-4.3.25-150400.3.33.7
  * spacewalk-backend-4.3.25-150400.3.33.7
  * uyuni-config-modules-4.3.37-150400.3.37.5
  * spacewalk-backend-package-push-server-4.3.25-150400.3.33.7
  * spacewalk-backend-app-4.3.25-150400.3.33.7
## References:
* https://www.suse.com/security/cve/CVE-2023-22644.html
* https://bugzilla.suse.com/show_bug.cgi?id=1191143
* https://bugzilla.suse.com/show_bug.cgi?id=1204235
* https://bugzilla.suse.com/show_bug.cgi?id=1207012
* https://bugzilla.suse.com/show_bug.cgi?id=1207532
* https://bugzilla.suse.com/show_bug.cgi?id=1210928
* https://bugzilla.suse.com/show_bug.cgi?id=1210930
* https://bugzilla.suse.com/show_bug.cgi?id=1211355
* https://bugzilla.suse.com/show_bug.cgi?id=1211560
* https://bugzilla.suse.com/show_bug.cgi?id=1211649
* https://bugzilla.suse.com/show_bug.cgi?id=1212695
* https://bugzilla.suse.com/show_bug.cgi?id=1212904
* https://bugzilla.suse.com/show_bug.cgi?id=1213469
* https://bugzilla.suse.com/show_bug.cgi?id=1214186
* https://bugzilla.suse.com/show_bug.cgi?id=1214471
* https://bugzilla.suse.com/show_bug.cgi?id=1214601
* https://bugzilla.suse.com/show_bug.cgi?id=1214759
* https://bugzilla.suse.com/show_bug.cgi?id=1215209
* https://bugzilla.suse.com/show_bug.cgi?id=1215514
* https://bugzilla.suse.com/show_bug.cgi?id=1215949
* https://bugzilla.suse.com/show_bug.cgi?id=1216030
* https://bugzilla.suse.com/show_bug.cgi?id=1216041
* https://bugzilla.suse.com/show_bug.cgi?id=1216085
* https://bugzilla.suse.com/show_bug.cgi?id=1216128
* https://bugzilla.suse.com/show_bug.cgi?id=1216380
* https://bugzilla.suse.com/show_bug.cgi?id=1216506
* https://bugzilla.suse.com/show_bug.cgi?id=1216555
* https://bugzilla.suse.com/show_bug.cgi?id=1216690
* https://bugzilla.suse.com/show_bug.cgi?id=1216754
* https://bugzilla.suse.com/show_bug.cgi?id=1217038
* https://bugzilla.suse.com/show_bug.cgi?id=1217223
* https://bugzilla.suse.com/show_bug.cgi?id=1217224
* https://jira.suse.com/browse/MSQA-708
* https://jira.suse.com/browse/SUMA-282