SUSE-SU-2023:3861-1: important: Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server
sle-security-updates at lists.suse.com
Thu Sep 28 12:32:20 UTC 2023
# Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server
Announcement ID: SUSE-SU-2023:3861-1
Rating: important
References:
* #1207330
* #1208692
* #1210935
* #1211525
* #1211874
* #1211884
* #1212246
* #1212730
* #1212814
* #1212827
* #1212856
* #1212943
* #1213009
* #1213077
* #1213288
* #1213445
* #1213675
* #1213716
* #1213880
* #1214002
* #1214121
* #1214124
* #1214187
* #1214266
* #1214280
* #1214889
* #1214982
* #1215352
* #1215362
* #1215373
* #1215413
* #1215497
* #1215756
* MSQA-699
* SUMA-158
* SUMA-280
Cross-References:
* CVE-2023-29409
CVSS scores:
* CVE-2023-29409 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-29409 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:
* SUSE Manager Proxy 4.3
* SUSE Manager Proxy 4.3 Module 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
* SUSE Manager Server 4.3 Module 4.3
An update that solves two vulnerabilities, contains seven features and has 70
security fixes can now be installed.
## Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3
### Description:
This update fixes the following issues:
spacecmd:
* Version 4.3.23-1
* Update translation strings
spacewalk-backend:
* Version 4.3.23-1
* Use a constant to get the product name in python code rather than reading
rhn.conf (bsc#1212943)
* Add key import debug logging to reposync (bsc#1213675)
* Add hint about missing auth header for Pay-as-you-go instances (bsc#1213445)
* rhn-ssl-dbstore: read the CA from STDIN (bsc#1212856)
* Implement new RHUI support in reposync
spacewalk-certs-tools:
* Version 4.3.19-1
* Support EC Cryptography with mgr-ssl-cert-setup
* mgr-ssl-cert-setup: store CA certificate in database (bsc#1212856)
spacewalk-web:
* Version 4.3.33-1
* Update the messages after syncing the products
* Fix issue that prevented deleting credentials
* Add warning message in login UI for Pay-as-you-go with SCC credentials and
no forward registration.
* Hide SSH info for `localhost` in Pay-as-you-go section
* Integrate @formatjs/intl as a replacement for t()
* Fix link interpolation in message maps
supportutils-plugin-susemanager-client:
* Version 4.3.3-1
* Write configured crypto-policy in supportconfig
* Add cloud and Pay-as-you-go checks
supportutils-plugin-susemanager-proxy:
* Version 4.3.3-1
* Write configured crypto-policy in supportconfig
uyuni-common-libs:
* Version 4.3.9-1
* Workaround for python3-debian bug about collecting control file
(bsc#1211525, bsc#1208692)
How to apply this update:
1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
2. Stop the proxy service: `spacewalk-proxy stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the proxy service: `spacewalk-proxy start`
## Security update for SUSE Manager Server 4.3
### Description:
This update fixes the following issues:
billing-data-service:
* Version 0.3-1
* Add required dependencies to package and service
* Change billing api datastructure
* Require csp-billing-adapter service
cobbler:
* Fix EFI PXE boot regression (bsc#1214124)
* Fix isolinux.cfg generation in "cobbler buildiso" (bsc#1207330)
hub-xmlrpc-api:
* CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to
8192 bits to avoid DoSing client/server while validating signatures for
extremely large RSA keys. (bsc#1213880) There are no direct source changes.
The CVE is fixed rebuilding the sources with the patched Go version.
grafana-formula:
* Version 0.9.0
* Add SUSE Linux Enterprise 15 Service Pack 5 to the supported versions
(bsc#1215497)
image-sync-formula:
* Update to version 0.1.1692188980.9aa0455
* Fix boot image version compare to use numeric instead of string
(bsc#1214002)
* Add support to filter individual image versions in whitelist
* Delete cache files that are no longer needed
inter-server-sync:
* Version 0.3.0
* CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to
8192 bits to avoid DoSing client/server while validating signatures for
extremely large RSA keys. (bsc#1213880)
* Require at least Go 1.19 for building due to CVE-2023-29409
* Require at least Go 1.18 for building Red Hat packages
prometheus-exporters-formula:
* Version 1.3.0
* Add support for Apache exporter >= 1.0.0 (bsc#1214266)
prometheus-postgres_exporter:
* CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to
8192 bits to avoid DoSing client/server while validating signatures for
extremely large RSA keys. (bsc#1213880) There are no direct source changes.
The CVE is fixed rebuilding the sources with the patched Go version.
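The RSA key-size limit behind CVE-2023-29409, as an added example that is not part of this advisory nor code from the Go or SUSE Manager projects: a Go check that flags certificates whose RSA key exceeds 8192 bits, which the patched toolchain will no longer accept during a TLS handshake. `MaxRSABits` mirrors the limit quoted in the CVE text, and `SelfSignedRSA` is a constructed fixture used only to exercise the check offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// MaxRSABits is the ceiling the patched Go crypto/tls enforces on peer certificates (CVE-2023-29409).
const MaxRSABits = 8192

// RSABits returns an RSA public key's modulus size and true, or 0 and false
// for non-RSA keys (EC and Ed25519 keys are not subject to the limit).
func RSABits(pub any) (int, bool) {
	k, ok := pub.(*rsa.PublicKey)
	if !ok {
		return 0, false
	}
	return k.N.BitLen(), true
}

// CheckCertPEM parses one PEM-encoded certificate and returns its RSA key size,
// with an error when that size exceeds MaxRSABits (0 and nil for non-RSA keys).
func CheckCertPEM(certPEM []byte) (int, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	bits, isRSA := RSABits(cert.PublicKey)
	if isRSA && bits > MaxRSABits {
		return bits, fmt.Errorf("RSA key is %d bits, over the %d-bit limit", bits, MaxRSABits)
	}
	return bits, nil
}

// SelfSignedRSA builds a constructed self-signed certificate around a fresh RSA
// key of the requested size; it is a test fixture, not a production certificate.
func SelfSignedRSA(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

Pointing `CheckCertPEM` at the certificates presented by the Server, Proxy and inter-server-sync peers before applying the update shows whether any key will be rejected afterwards.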
saltboot-formula:
* Update to version 0.1.1692188980.9aa0455
* Add pillar based saltboot redeploy and repartitioning (jsc#SUMA-158)
spacecmd:
* Version 4.3.23-1
* Update translation strings
spacewalk-admin:
* Version 4.3.13-1
* Integrate instance-flavor-check to detect if the instance is Pay-as-you-go
* Add checks for csp-billing-adapter in case of a Pay-as-you-go instance
spacewalk-backend:
* Version 4.3.23-1
* Use a constant to get the product name in python code rather than reading
rhn.conf (bsc#1212943)
* Add key import debug logging to reposync (bsc#1213675)
* Add hint about missing auth header for Pay-as-you-go instances (bsc#1213445)
* rhn-ssl-dbstore: read the CA from STDIN (bsc#1212856)
* Implement new RHUI support in reposync
spacewalk-certs-tools:
* Version 4.3.19-1
* Support EC Cryptography with mgr-ssl-cert-setup
* mgr-ssl-cert-setup: store CA certificate in database (bsc#1212856)
spacewalk-config:
* Version 4.3.11-1
* Allow calling instance-flavor-check via sudo
spacewalk-java:
* Version 4.3.66-1
* Fix RHUI support for RHEL 7 clients (bsc#1215756)
* Version 4.3.65-1
* Combine the PAYG credentials and the repository paths when they collide
(bsc#1215413)
* Version 4.3.64-1
* Fix token issue with cloned deb channels (bsc#1214982)
* Fix PAYG credentials extraction for SLES 12 clients (bsc#1215352)
* Improved detection of the best authentication for accessing a repository in
case of PAYG credentials (bsc#1215362)
* Do not warn about missing Client Tools Channel subscription in a PAYG
environment
* Version 4.3.63-1
* Fix X-Instance-Identifier header when doing a product refresh at Cloud RMT
Server (bsc#1214889)
* Version 4.3.62-1
* Add environment build/promote date to CLM API output (jsc#SUMA-280)
* Call mgr-libmod with its absolute path
* Introduce new API to update the products page metadata
* Extract additional authentication information needed for Pay-as-you-go
* Fix handling of null credentials in RMT credentials check
* Integrate instance-flavor-check to detect if the instance is Pay-as-you-go
* Add rule to count only servers with SUSE Manager Tools as managed clients
* Create flag to disable update status (bsc#1212730)
* Fix syntax error in sql query for source package search
* Catch exceptions and log a message when mailer setup failed (bsc#1213009)
* Fix logging of libraries using apache-commons-logging
* Invalidate Pay-as-you-go client credentials after repeated connection
failure (bsc#1213445)
* Restrict product migrations for Pay-as-you-go
* Add warning message in login UI for Pay-as-you-go with SCC credentials and
no forward registration
* Restrict cloning channels under different product channels for Pay-as-you-go
* Avoid sending data to SCC about Pay-as-you-go instances
* Add saltboot redeploy and repartition based on pillars (jsc#SUMA-158)
* Add system pillar API access {get|set}Pillar
* Consider the venv-salt-minion package update as Salt update to prevent
backtraces on upgrading Salt with itself (bsc#1211884)
* Fix processing of pkg.purged results (bsc#1213288)
* Fix Null Pointer Exception in auth endpoint when an empty body is provided
* Do not ignore scheduling error in Taskomatic
* Add compliance checks when running as Pay-as-you-go
* Add RHUI support to Pay-as-you-go connection feature
* Fix Debian Packages file generation (bsc#1213716)
* Fix action executor to prevent blocking Taskomatic for actions that are
already finished (bsc#1214121)
* Fix detection in case of RHEL-based products (bsc#1214280)
* Improve error message when instance-flavor-check tool is not installed
* Fix auto product refresh in case of SUSE Manager Pay-as-you-go Server
* Optimize org channel accessibility query (bsc#1211874)
* Check csp billing adapter status
spacewalk-setup:
* Version 4.3.18-1
* Do not rely on rpm runtime status; instead check in rhn.conf whether it is
configured (bsc#1210935)
* Remove storing CA in DB directly as it is now part of mgr-ssl-cert-setup
(bsc#1212856)
spacewalk-web:
* Version 4.3.33-1
* Update the messages after syncing the products
* Fix issue that prevented deleting credentials
* Add warning message in login UI for Pay-as-you-go with SCC credentials and
no forward registration.
* Hide SSH info for `localhost` in Pay-as-you-go section
* Integrate @formatjs/intl as a replacement for t()
* Fix link interpolation in message maps
supportutils-plugin-susemanager:
* Version 4.3.9-1
* Add cloud and Pay-as-you-go checks
* Write configured crypto-policy in supportconfig
susemanager:
* Version 4.3.31-1
* Require LTSS channel for SUSE Manager Proxy 4.2 (bsc#1214187)
susemanager-docs_en:
* Added a note for SUSE Linux Enterprise Micro clients only having Node and
Blackbox exporter for monitoring available, in the Administration Guide
(bsc#1212246)
* Added a warning about channel synchronization failure because of invalidated
credentials in Connect Pay-as-you-go instance section of the Installation
and Upgrade Guide
* Added a workflow describing channel removal to the Common Workflows Guide
* Added background information on Ansible playbooks in the Ansible chapter in
Administration Guide (bsc#1213077)
* Added Best practices and image pillars files to Retail Guide
* Added detailed information about all supported SUSE Linux Enterprise Micro
versions
* Added Saltboot redeployment subchapter in the Retail Guide
* Changed filename for configuring Tomcat memory usage in Specialized Guides
(bsc#1212814)
* Fixed Ubuntu channel names in Ubuntu chapter of the Client Configuration
Guide (bsc#1212827)
* Improved Red Hat Update Infrastructure documentation (bsc#1215373)
* Listed supported key types for SSL certificates in Import SSL Certificates
section of the Administration Guide
* Minimal memory requirement is now 16 GB for a SUSE Manager Server
installation
* Removed the step calling rhn-ssl-dbstore from the SSL setup as it is now
integrated into mgr-ssl-cert-setup in Administration Guide
* Replaced plain text with dedicated attribute for AutoYaST
* Typo correction for cobbler buildiso command in Client Configuration Guide
* Updated Ansible chapter in Administration Guide for clarity (bsc#1213077)
susemanager-schema:
* Version 4.3.20-1
* Add new credentials type RHUI
* Store the Pay-as-you-go products
susemanager-sls:
* Version 4.3.35-1
* Integrate instance-flavor-check to detect if the instance is Pay-as-you-go
* Do not disable salt-minion on salt-ssh managed clients
* Keep original traditional stack tools for RHEL7 RHUI connection
* Include automatic migration from Salt 3000 to Salt Bundle in highstate
* Use recurse strategy to merge formula pillar with existing pillars
* Mask Uyuni roster module password on logs
uyuni-common-libs:
* Version 4.3.9-1
* Workaround for python3-debian bug about collecting control file
(bsc#1211525, bsc#1208692)
How to apply this update:
1. Log in as root user to the SUSE Manager Server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-service start`
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Manager Proxy 4.3 Module 4.3
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2023-3861=1
* SUSE Manager Server 4.3 Module 4.3
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2023-3861=1
## Package List:
* SUSE Manager Proxy 4.3 Module 4.3 (noarch)
* spacewalk-base-minimal-config-4.3.33-150400.3.27.16
* python3-spacewalk-certs-tools-4.3.19-150400.3.18.13
* supportutils-plugin-susemanager-client-4.3.3-150400.3.3.13
* spacewalk-backend-4.3.23-150400.3.27.19
* spacecmd-4.3.23-150400.3.24.13
* spacewalk-certs-tools-4.3.19-150400.3.18.13
* spacewalk-base-minimal-4.3.33-150400.3.27.16
* supportutils-plugin-susemanager-proxy-4.3.3-150400.3.3.13
* SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
* python3-uyuni-common-libs-4.3.9-150400.3.15.13
* SUSE Manager Server 4.3 Module 4.3 (noarch)
* susemanager-docs_en-pdf-4.3-150400.9.38.2
* susemanager-schema-4.3.20-150400.3.24.17
* spacewalk-base-4.3.33-150400.3.27.16
* spacewalk-config-4.3.11-150400.3.9.13
* prometheus-exporters-formula-1.3.0-150400.3.3.13
* spacewalk-backend-applet-4.3.23-150400.3.27.19
* spacewalk-base-minimal-config-4.3.33-150400.3.27.16
* billing-data-service-0.3-150400.10.6.13
* spacewalk-java-lib-4.3.66-150400.3.60.1
* python3-spacewalk-certs-tools-4.3.19-150400.3.18.13
* spacewalk-backend-package-push-server-4.3.23-150400.3.27.19
* spacewalk-backend-xml-export-libs-4.3.23-150400.3.27.19
* spacewalk-backend-config-files-common-4.3.23-150400.3.27.19
* spacewalk-java-config-4.3.66-150400.3.60.1
* susemanager-docs_en-4.3-150400.9.38.2
* susemanager-schema-utility-4.3.20-150400.3.24.17
* saltboot-formula-0.1.1692188980.9aa0455-150400.3.12.13
* cobbler-3.3.3-150400.5.33.13
* spacewalk-backend-iss-4.3.23-150400.3.27.19
* spacewalk-base-minimal-4.3.33-150400.3.27.16
* image-sync-formula-0.1.1692188980.9aa0455-150400.3.15.13
* spacewalk-admin-4.3.13-150400.3.12.13
* spacewalk-java-4.3.66-150400.3.60.1
* spacewalk-backend-4.3.23-150400.3.27.19
* spacecmd-4.3.23-150400.3.24.13
* spacewalk-certs-tools-4.3.19-150400.3.18.13
* spacewalk-taskomatic-4.3.66-150400.3.60.1
* spacewalk-backend-iss-export-4.3.23-150400.3.27.19
* supportutils-plugin-susemanager-4.3.9-150400.3.15.13
* spacewalk-setup-4.3.18-150400.3.27.13
* uyuni-config-modules-4.3.35-150400.3.31.12
* spacewalk-backend-server-4.3.23-150400.3.27.19
* spacewalk-backend-app-4.3.23-150400.3.27.19
* spacewalk-backend-tools-4.3.23-150400.3.27.19
* spacewalk-html-4.3.33-150400.3.27.16
* susemanager-sls-4.3.35-150400.3.31.12
* grafana-formula-0.9.0-150400.3.12.1
* spacewalk-backend-sql-postgresql-4.3.23-150400.3.27.19
* spacewalk-backend-config-files-tool-4.3.23-150400.3.27.19
* spacewalk-backend-xmlrpc-4.3.23-150400.3.27.19
* spacewalk-backend-config-files-4.3.23-150400.3.27.19
* spacewalk-java-postgresql-4.3.66-150400.3.60.1
* spacewalk-backend-sql-4.3.23-150400.3.27.19
* SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
* inter-server-sync-0.3.0-150400.3.21.15
* hub-xmlrpc-api-0.7-150400.5.9.15
* python3-uyuni-common-libs-4.3.9-150400.3.15.13
* susemanager-4.3.31-150400.3.36.12
* prometheus-postgres_exporter-0.10.1-150400.3.6.17
* inter-server-sync-debuginfo-0.3.0-150400.3.21.15
* susemanager-tools-4.3.31-150400.3.36.12
## References:
* https://www.suse.com/security/cve/CVE-2023-29409.html
* https://bugzilla.suse.com/show_bug.cgi?id=1207330
* https://bugzilla.suse.com/show_bug.cgi?id=1208692
* https://bugzilla.suse.com/show_bug.cgi?id=1210935
* https://bugzilla.suse.com/show_bug.cgi?id=1211525
* https://bugzilla.suse.com/show_bug.cgi?id=1211874
* https://bugzilla.suse.com/show_bug.cgi?id=1211884
* https://bugzilla.suse.com/show_bug.cgi?id=1212246
* https://bugzilla.suse.com/show_bug.cgi?id=1212730
* https://bugzilla.suse.com/show_bug.cgi?id=1212814
* https://bugzilla.suse.com/show_bug.cgi?id=1212827
* https://bugzilla.suse.com/show_bug.cgi?id=1212856
* https://bugzilla.suse.com/show_bug.cgi?id=1212943
* https://bugzilla.suse.com/show_bug.cgi?id=1213009
* https://bugzilla.suse.com/show_bug.cgi?id=1213077
* https://bugzilla.suse.com/show_bug.cgi?id=1213288
* https://bugzilla.suse.com/show_bug.cgi?id=1213445
* https://bugzilla.suse.com/show_bug.cgi?id=1213675
* https://bugzilla.suse.com/show_bug.cgi?id=1213716
* https://bugzilla.suse.com/show_bug.cgi?id=1213880
* https://bugzilla.suse.com/show_bug.cgi?id=1214002
* https://bugzilla.suse.com/show_bug.cgi?id=1214121
* https://bugzilla.suse.com/show_bug.cgi?id=1214124
* https://bugzilla.suse.com/show_bug.cgi?id=1214187
* https://bugzilla.suse.com/show_bug.cgi?id=1214266
* https://bugzilla.suse.com/show_bug.cgi?id=1214280
* https://bugzilla.suse.com/show_bug.cgi?id=1214889
* https://bugzilla.suse.com/show_bug.cgi?id=1214982
* https://bugzilla.suse.com/show_bug.cgi?id=1215352
* https://bugzilla.suse.com/show_bug.cgi?id=1215362
* https://bugzilla.suse.com/show_bug.cgi?id=1215373
* https://bugzilla.suse.com/show_bug.cgi?id=1215413
* https://bugzilla.suse.com/show_bug.cgi?id=1215497
* https://bugzilla.suse.com/show_bug.cgi?id=1215756
* https://jira.suse.com/browse/MSQA-699
* https://jira.suse.com/browse/SUMA-158
* https://jira.suse.com/browse/SUMA-280