SUSE-SU-2023:3861-1: important: Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

sle-security-updates at lists.suse.com
Thu Sep 28 12:32:20 UTC 2023



# Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

Announcement ID: SUSE-SU-2023:3861-1  
Rating: important  
References:

  * #1207330
  * #1208692
  * #1210935
  * #1211525
  * #1211874
  * #1211884
  * #1212246
  * #1212730
  * #1212814
  * #1212827
  * #1212856
  * #1212943
  * #1213009
  * #1213077
  * #1213288
  * #1213445
  * #1213675
  * #1213716
  * #1213880
  * #1214002
  * #1214121
  * #1214124
  * #1214187
  * #1214266
  * #1214280
  * #1214889
  * #1214982
  * #1215352
  * #1215362
  * #1215373
  * #1215413
  * #1215497
  * #1215756
  * MSQA-699
  * SUMA-158
  * SUMA-280

  
Cross-References:

  * CVE-2023-29409

  
CVSS scores:

  * CVE-2023-29409 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-29409 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

  
Affected Products:

  * SUSE Manager Proxy 4.3
  * SUSE Manager Proxy 4.3 Module 4.3
  * SUSE Manager Retail Branch Server 4.3
  * SUSE Manager Server 4.3
  * SUSE Manager Server 4.3 Module 4.3

  
  
An update that solves one vulnerability (CVE-2023-29409, fixed in both the
Proxy/Retail Branch Server and the Server update), contains three Jira-tracked
items (SUMA-158, SUMA-280, MSQA-699) and addresses 33 Bugzilla reports can now
be installed.

## Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3

### Description:

This update fixes the following issues:

spacecmd:

  * Version 4.3.23-1
  * Update translation strings

spacewalk-backend:

  * Version 4.3.23-1
  * Use a constant to get the product name in python code rather than reading
    rhn.conf (bsc#1212943)
  * Add key import debug logging to reposync (bsc#1213675)
  * Add hint about missing auth header for Pay-as-you-go instances (bsc#1213445)
  * rhn-ssl-dbstore: read the CA certificate from STDIN (bsc#1212856)
  * Implement new RHUI support in reposync

spacewalk-certs-tools:

  * Version 4.3.19-1
  * Support EC Cryptography with mgr-ssl-cert-setup
  * mgr-ssl-cert-setup: store CA certificate in database (bsc#1212856)

spacewalk-web:

  * Version 4.3.33-1
  * Update the messages after syncing the products
  * Fix an issue that prevented credentials from being deleted
  * Add warning message in login UI for Pay-as-you-go with SCC credentials and
    no forward registration.
  * Hide SSH info for `localhost` in Pay-as-you-go section
  * Integrate @formatjs/intl as a replacement for t()
  * Fix link interpolation in message maps

supportutils-plugin-susemanager-client:

  * Version 4.3.3-1
  * Write configured crypto-policy in supportconfig
  * Add cloud and Pay-as-you-go checks

supportutils-plugin-susemanager-proxy:

  * Version 4.3.3-1
  * Write configured crypto-policy in supportconfig

uyuni-common-libs:

  * Version 4.3.9-1
  * Workaround for python3-debian bug about collecting control file
    (bsc#1211525, bsc#1208692)

How to apply this update:

  1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
  2. Stop the proxy service: `spacewalk-proxy stop`
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the proxy service: `spacewalk-proxy start`

## Security update for SUSE Manager Server 4.3

### Description:

This update fixes the following issues:

billing-data-service:

  * Version 0.3-1
  * Add required dependencies to package and service
  * Change billing api datastructure
  * Require csp-billing-adapter service

cobbler:

  * Fix EFI PXE boot regression (bsc#1214124)
  * Fix isolinux.cfg generation in "cobbler buildiso" (bsc#1207330)

hub-xmlrpc-api:

  * CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to
    8192 bits to avoid a denial of service of client or server while validating
    signatures made with extremely large RSA keys (bsc#1213880). There are no
    direct source changes; the CVE is fixed by rebuilding the sources with a
    patched Go toolchain (the fix shipped in Go 1.19.12 and 1.20.7).

grafana-formula:

  * Version 0.9.0
  * Add SUSE Linux Enterprise 15 Service Pack 5 to the supported versions
    (bsc#1215497)

image-sync-formula:

  * Update to version 0.1.1692188980.9aa0455
  * Fix boot image version compare to use numeric instead of string
    (bsc#1214002)
  * Add support to filter individual image versions in whitelist
  * Delete cache files that are no longer needed

inter-server-sync:

  * Version 0.3.0
  * CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to
    8192 bits to avoid a denial of service of client or server while validating
    signatures made with extremely large RSA keys (bsc#1213880)
  * Require at least Go 1.19 for building due to CVE-2023-29409
  * Require at least Go 1.18 for building Red Hat packages

prometheus-exporters-formula:

  * Version 1.3.0
  * Add support for Apache exporter >= 1.0.0 (bsc#1214266)

prometheus-postgres_exporter:

  * CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to
    8192 bits to avoid a denial of service of client or server while validating
    signatures made with extremely large RSA keys (bsc#1213880). There are no
    direct source changes; the CVE is fixed by rebuilding the sources with the
    patched Go toolchain.
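What the rebuilt Go toolchain does for CVE-2023-29409 in the three Go-built packages above (hub-xmlrpc-api, inter-server-sync, prometheus-postgres_exporter) is a cheap size check on every RSA key in the peer's certificate chain, performed before any signature is verified. The program below is an added example written for this page; it is not code from SUSE Manager, from those packages or from the Go standard library. It reproduces the check as a `tls.Config.VerifyPeerCertificate` callback, the shape an application still built with an older toolchain could use, and exercises it against a constructed chain: a throw-away ECDSA CA and a leaf whose RSA modulus is synthetic (only its bit length matters to the check; generating a real 16384-bit key would take minutes). The host name `suma.example.internal` is hypothetical. The program does not reproduce the CPU exhaustion itself; it shows the ordering that prevents it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// maxRSABits is the limit the patched Go toolchain enforces in crypto/tls for
// CVE-2023-29409: RSA keys above it are rejected before any signature check.
const maxRSABits = 8192

// checkRSAKeySizes walks every certificate in a presented chain and rejects any
// RSA public key larger than maxRSABits. It does no cryptography, so it is cheap
// to run before the (expensive) signature verification.
func checkRSAKeySizes(certs []*x509.Certificate) error {
	for i, c := range certs {
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok {
			if bits := pub.N.BitLen(); bits > maxRSABits {
				return fmt.Errorf("chain[%d] %q: RSA key is %d bits, limit %d",
					i, c.Subject.CommonName, bits, maxRSABits)
			}
		}
	}
	return nil
}

// verifyPeer returns a callback suitable for tls.Config.VerifyPeerCertificate.
// Use it with InsecureSkipVerify=true so the size check runs first; the callback
// then performs the normal chain verification itself.
func verifyPeer(roots *x509.CertPool, dnsName string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer presented no certificate")
		}
		certs := make([]*x509.Certificate, 0, len(rawCerts))
		for _, raw := range rawCerts {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			certs = append(certs, c)
		}
		if err := checkRSAKeySizes(certs); err != nil {
			return err // rejected before a single signature is verified
		}
		opts := x509.VerifyOptions{Roots: roots, DNSName: dnsName, Intermediates: x509.NewCertPool()}
		for _, c := range certs[1:] {
			opts.Intermediates.AddCert(c)
		}
		_, err := certs[0].Verify(opts)
		return err
	}
}

// buildChain creates a throw-away ECDSA CA and a leaf for dnsName carrying the
// given RSA public key, and returns the CA pool plus the DER chain a peer would
// send. Constructed test data only.
func buildChain(leafPub *rsa.PublicKey, dnsName string) (*x509.CertPool, [][]byte, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName},
		DNSNames:  []string{dnsName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, leafPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, [][]byte{leafDER, caDER}, nil
}

// syntheticRSAKey returns an RSA public key whose modulus has exactly the
// requested bit length (2^(bits-1)). The size check only looks at BitLen, so
// this is enough to exercise it; never use such a key for anything else.
func syntheticRSAKey(bits int) *rsa.PublicKey {
	return &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), uint(bits-1)), E: 65537}
}

func main() {
	const host = "suma.example.internal" // hypothetical host name
	for _, bits := range []int{2048, 16384} {
		pool, chain, err := buildChain(syntheticRSAKey(bits), host)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%5d-bit RSA leaf key: %v\n", bits, verifyPeer(pool, host)(chain, nil))
	}
}
```

When wiring this into a real client, set `InsecureSkipVerify` to true so that Go's built-in verification does not run first, and let the callback do the chain verification after the size check as above; otherwise the expensive path still runs before your check. With a toolchain at or above Go 1.19.12 / 1.20.7 the check is redundant, because crypto/tls applies the same 8192-bit limit itself during the handshake.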

saltboot-formula:

  * Update to version 0.1.1692188980.9aa0455
  * Add pillar based saltboot redeploy and repartitioning (jsc#SUMA-158)

spacecmd:

  * Version 4.3.23-1
  * Update translation strings

spacewalk-admin:

  * Version 4.3.13-1
  * Integrate instance-flavor-check to detect if the instance is Pay-as-you-go
  * Add checks for csp-billing-adapter in case of a Pay-as-you-go instance

spacewalk-backend:

  * Version 4.3.23-1
  * Use a constant to get the product name in python code rather than reading
    rhn.conf (bsc#1212943)
  * Add key import debug logging to reposync (bsc#1213675)
  * Add hint about missing auth header for Pay-as-you-go instances (bsc#1213445)
  * rhn-ssl-dbstore: read the CA certificate from STDIN (bsc#1212856)
  * Implement new RHUI support in reposync

spacewalk-certs-tools:

  * Version 4.3.19-1
  * Support EC Cryptography with mgr-ssl-cert-setup
  * mgr-ssl-cert-setup: store CA certificate in database (bsc#1212856)

spacewalk-config:

  * Version 4.3.11-1
  * Allow calling instance-flavor-check via sudo

spacewalk-java:

  * Version 4.3.66-1
  * Fix RHUI support for RHEL 7 clients (bsc#1215756)
  * Version 4.3.65-1
  * Combine the PAYG credentials and the repository paths when they collide
    (bsc#1215413)
  * Version 4.3.64-1
  * Fix token issue with cloned deb channels (bsc#1214982)
  * Fix PAYG credentials extraction for SLES 12 clients (bsc#1215352)
  * Improve detection of the best authentication method for accessing a
    repository when PAYG credentials are in use (bsc#1215362)
  * Do not warn about missing Client Tools Channel subscription in a PAYG
    environment
  * Version 4.3.63-1
  * Fix X-Instance-Identifier header when doing a product refresh at Cloud RMT
    Server (bsc#1214889)
  * Version 4.3.62-1
  * Add environment build/promote date to CLM API output (jsc#SUMA-280)
  * Call mgr-libmod with its absolute path
  * Introduce new API to update the products page metadata
  * Extract additional authentication information needed for Pay-as-you-go
  * Fix handling of null credentials in RMT credentials check
  * Integrate instance-flavor-check to detect if the instance is Pay-as-you-go
  * Add rule to count only servers with SUSE Manager Tools as managed clients
  * Create flag to disable update status (bsc#1212730)
  * Fix syntax error in sql query for source package search
  * Catch exceptions and log a message when mailer setup failed (bsc#1213009)
  * Fix logging of libraries using apache-commons-logging
  * Invalidate Pay-as-you-go client credentials after repeated connection
    failure (bsc#1213445)
  * Restrict product migrations for Pay-as-you-go
  * Add warning message in login UI for Pay-as-you-go with SCC credentials and
    no forward registration
  * Restrict cloning channels under different product channels for Pay-as-you-go
  * Avoid sending data to SCC about Pay-as-you-go instances
  * Add saltboot redeploy and repartition based on pillars (jsc#SUMA-158)
  * Add system pillar API access {get|set}Pillar
  * Consider the venv-salt-minion package update as Salt update to prevent
    backtraces on upgrading Salt with itself (bsc#1211884)
  * Fix processing of pkg.purged results (bsc#1213288)
  * Fix Null Pointer Exception in auth endpoint when an empty body is provided
  * Do not ignore scheduling error in Taskomatic
  * Add compliance checks when running as Pay-as-you-go
  * Add RHUI support to Pay-as-you-go connection feature
  * Fix Debian Packages file generation (bsc#1213716)
  * Fix action executor to prevent blocking Taskomatic for actions that are
    already finished (bsc#1214121)
  * Fix detection in the case of RHEL-based products (bsc#1214280)
  * Improve error message when instance-flavor-check tool is not installed
  * Fix auto product refresh in case of SUSE Manager Pay-as-you-go Server
  * Optimize org channel accessibility query (bsc#1211874)
  * Check csp billing adapter status

spacewalk-setup:

  * Version 4.3.18-1
  * Do not rely on the rpm runtime status; check instead whether rhn.conf is
    configured (bsc#1210935)
  * Remove storing CA in DB directly as it is now part of mgr-ssl-cert-setup
    (bsc#1212856)

spacewalk-web:

  * Version 4.3.33-1
  * Update the messages after syncing the products
  * Fix an issue that prevented credentials from being deleted
  * Add warning message in login UI for Pay-as-you-go with SCC credentials and
    no forward registration.
  * Hide SSH info for `localhost` in Pay-as-you-go section
  * Integrate @formatjs/intl as a replacement for t()
  * Fix link interpolation in message maps

supportutils-plugin-susemanager:

  * Version 4.3.9-1
  * Add cloud and Pay-as-you-go checks
  * Write configured crypto-policy in supportconfig

susemanager:

  * Version 4.3.31-1
  * Require LTSS channel for SUSE Manager Proxy 4.2 (bsc#1214187)

susemanager-docs_en:

  * Added a note to the Administration Guide that SUSE Linux Enterprise Micro
    clients only have the Node and Blackbox exporters available for monitoring
    (bsc#1212246)
  * Added a warning about channel synchronization failure because of invalidated
    credentials in Connect Pay-as-you-go instance section of the Installation
    and Upgrade Guide
  * Added a workflow describing channel removal to the Common Workflows Guide
  * Added background information on Ansible playbooks in the Ansible chapter in
    Administration Guide (bsc#1213077)
  * Added Best practices and image pillars files to Retail Guide
  * Added detailed information about all supported SUSE Linux Enterprise Micro
    versions
  * Added Saltboot redeployment subchapter in the Retail Guide
  * Changed filename for configuring Tomcat memory usage in Specialized Guides
    (bsc#1212814)
  * Fixed Ubuntu channel names in Ubuntu chapter of the Client Configuration
    Guide (bsc#1212827)
  * Improved Red Hat Update Infrastructure documentation (bsc#1215373)
  * Listed supported key types for SSL certificates in Import SSL Certificates
    section of the Administration Guide
  * Minimal memory requirement is now 16 GB for a SUSE Manager Server
    installation
  * Removed the step calling rhn-ssl-dbstore from the SSL setup as it is now
    integrated into mgr-ssl-cert-setup in Administration Guide
  * Replaced plain text with dedicated attribute for AutoYaST
  * Typo correction for cobbler buildiso command in Client Configuration Guide
  * Updated Ansible chapter in Administration Guide for clarity (bsc#1213077)

susemanager-schema:

  * Version 4.3.20-1
  * Add new credentials type RHUI
  * Store the Pay-as-you-go products

susemanager-sls:

  * Version 4.3.35-1
  * Integrate instance-flavor-check to detect if the instance is Pay-as-you-go
  * Do not disable salt-minion on salt-ssh managed clients
  * Keep original traditional stack tools for RHEL7 RHUI connection
  * Include automatic migration from Salt 3000 to Salt Bundle in highstate
  * Use recurse strategy to merge formula pillar with existing pillars
  * Mask Uyuni roster module password in logs

uyuni-common-libs:

  * Version 4.3.9-1
  * Workaround for python3-debian bug about collecting control file
    (bsc#1211525, bsc#1208692)

How to apply this update:

  1. Log in as root user to the SUSE Manager Server.
  2. Stop the Spacewalk service: `spacewalk-service stop`
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: `spacewalk-service start`

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Manager Proxy 4.3 Module 4.3  
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2023-3861=1

  * SUSE Manager Server 4.3 Module 4.3  
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2023-3861=1

## Package List:

  * SUSE Manager Proxy 4.3 Module 4.3 (noarch)
    * spacewalk-base-minimal-config-4.3.33-150400.3.27.16
    * python3-spacewalk-certs-tools-4.3.19-150400.3.18.13
    * supportutils-plugin-susemanager-client-4.3.3-150400.3.3.13
    * spacewalk-backend-4.3.23-150400.3.27.19
    * spacecmd-4.3.23-150400.3.24.13
    * spacewalk-certs-tools-4.3.19-150400.3.18.13
    * spacewalk-base-minimal-4.3.33-150400.3.27.16
    * supportutils-plugin-susemanager-proxy-4.3.3-150400.3.3.13
  * SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
    * python3-uyuni-common-libs-4.3.9-150400.3.15.13
  * SUSE Manager Server 4.3 Module 4.3 (noarch)
    * susemanager-docs_en-pdf-4.3-150400.9.38.2
    * susemanager-schema-4.3.20-150400.3.24.17
    * spacewalk-base-4.3.33-150400.3.27.16
    * spacewalk-config-4.3.11-150400.3.9.13
    * prometheus-exporters-formula-1.3.0-150400.3.3.13
    * spacewalk-backend-applet-4.3.23-150400.3.27.19
    * spacewalk-base-minimal-config-4.3.33-150400.3.27.16
    * billing-data-service-0.3-150400.10.6.13
    * spacewalk-java-lib-4.3.66-150400.3.60.1
    * python3-spacewalk-certs-tools-4.3.19-150400.3.18.13
    * spacewalk-backend-package-push-server-4.3.23-150400.3.27.19
    * spacewalk-backend-xml-export-libs-4.3.23-150400.3.27.19
    * spacewalk-backend-config-files-common-4.3.23-150400.3.27.19
    * spacewalk-java-config-4.3.66-150400.3.60.1
    * susemanager-docs_en-4.3-150400.9.38.2
    * susemanager-schema-utility-4.3.20-150400.3.24.17
    * saltboot-formula-0.1.1692188980.9aa0455-150400.3.12.13
    * cobbler-3.3.3-150400.5.33.13
    * spacewalk-backend-iss-4.3.23-150400.3.27.19
    * spacewalk-base-minimal-4.3.33-150400.3.27.16
    * image-sync-formula-0.1.1692188980.9aa0455-150400.3.15.13
    * spacewalk-admin-4.3.13-150400.3.12.13
    * spacewalk-java-4.3.66-150400.3.60.1
    * spacewalk-backend-4.3.23-150400.3.27.19
    * spacecmd-4.3.23-150400.3.24.13
    * spacewalk-certs-tools-4.3.19-150400.3.18.13
    * spacewalk-taskomatic-4.3.66-150400.3.60.1
    * spacewalk-backend-iss-export-4.3.23-150400.3.27.19
    * supportutils-plugin-susemanager-4.3.9-150400.3.15.13
    * spacewalk-setup-4.3.18-150400.3.27.13
    * uyuni-config-modules-4.3.35-150400.3.31.12
    * spacewalk-backend-server-4.3.23-150400.3.27.19
    * spacewalk-backend-app-4.3.23-150400.3.27.19
    * spacewalk-backend-tools-4.3.23-150400.3.27.19
    * spacewalk-html-4.3.33-150400.3.27.16
    * susemanager-sls-4.3.35-150400.3.31.12
    * grafana-formula-0.9.0-150400.3.12.1
    * spacewalk-backend-sql-postgresql-4.3.23-150400.3.27.19
    * spacewalk-backend-config-files-tool-4.3.23-150400.3.27.19
    * spacewalk-backend-xmlrpc-4.3.23-150400.3.27.19
    * spacewalk-backend-config-files-4.3.23-150400.3.27.19
    * spacewalk-java-postgresql-4.3.66-150400.3.60.1
    * spacewalk-backend-sql-4.3.23-150400.3.27.19
  * SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
    * inter-server-sync-0.3.0-150400.3.21.15
    * hub-xmlrpc-api-0.7-150400.5.9.15
    * python3-uyuni-common-libs-4.3.9-150400.3.15.13
    * susemanager-4.3.31-150400.3.36.12
    * prometheus-postgres_exporter-0.10.1-150400.3.6.17
    * inter-server-sync-debuginfo-0.3.0-150400.3.21.15
    * susemanager-tools-4.3.31-150400.3.36.12
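A check worth running after the final `spacewalk-service start` step: confirm that the rebuilt Go binaries actually landed, by comparing installed versions with the Package List. The script below is an added example for this page, not a SUSE tool. It compares "name version-release" lines (the format `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` prints) against the fixed versions listed above for the three Go-built packages that carry CVE-2023-29409. The sample input is constructed to look like an unpatched host; its pre-patch version strings are invented for the demonstration. Run it with `--live` on a SUSE Manager Server to query rpm instead.

```shell
#!/bin/sh
# Post-patch check for SUSE-SU-2023:3861-1: are the packages rebuilt for
# CVE-2023-29409 installed at (or above) the versions this advisory ships?

# Fixed versions, copied from the Package List (Server 4.3 Module, ppc64le/s390x/x86_64).
FIXED="hub-xmlrpc-api 0.7-150400.5.9.15
inter-server-sync 0.3.0-150400.3.21.15
prometheus-postgres_exporter 0.10.1-150400.3.6.17"

# evr_ge HAVE NEED: succeed when HAVE >= NEED. Compares dot/dash separated fields
# numerically, which is exact for the purely numeric versions above. On a real
# host prefer `zypper versioncmp HAVE NEED`, which implements rpm's full rules
# (tilde, letters, epochs).
evr_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# report INSTALLED: INSTALLED holds "name version-release" lines, one per package,
# as produced by: rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <names>
# Prints one OK / OUTDATED / MISSING line per package in FIXED. A package that
# rpm reports as "not installed" never matches on $1 and so shows as MISSING.
report() {
    printf '%s\n' "$FIXED" | while read -r name need; do
        have=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -z "$have" ]; then
            echo "MISSING  $name"
        elif evr_ge "$have" "$need"; then
            echo "OK       $name $have"
        else
            echo "OUTDATED $name $have < $need"
        fi
    done
}

# patched INSTALLED: exit 0 only when every package in FIXED is present at a fixed version.
patched() {
    if report "$1" | grep -q -E '^(MISSING|OUTDATED)'; then
        return 1
    fi
    return 0
}

# Constructed sample: what rpm might print on a host that has not applied the
# patch yet. The two lower version strings are invented for this example.
SAMPLE_UNPATCHED="hub-xmlrpc-api 0.7-150400.5.3.1
inter-server-sync 0.2.4-150400.3.15.1
prometheus-postgres_exporter 0.10.1-150400.3.6.17"

if [ "$1" = "--live" ]; then
    report "$(rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' \
        hub-xmlrpc-api inter-server-sync prometheus-postgres_exporter 2>/dev/null)"
else
    report "$SAMPLE_UNPATCHED"
fi
```

The same pattern extends to the rest of the Package List; keep the comparison numeric-only, or switch to `zypper versioncmp`, before adding versions such as `0.1.1692188980.9aa0455` whose segments are not plain integers.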

## References:

  * https://www.suse.com/security/cve/CVE-2023-29409.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1207330
  * https://bugzilla.suse.com/show_bug.cgi?id=1208692
  * https://bugzilla.suse.com/show_bug.cgi?id=1210935
  * https://bugzilla.suse.com/show_bug.cgi?id=1211525
  * https://bugzilla.suse.com/show_bug.cgi?id=1211874
  * https://bugzilla.suse.com/show_bug.cgi?id=1211884
  * https://bugzilla.suse.com/show_bug.cgi?id=1212246
  * https://bugzilla.suse.com/show_bug.cgi?id=1212730
  * https://bugzilla.suse.com/show_bug.cgi?id=1212814
  * https://bugzilla.suse.com/show_bug.cgi?id=1212827
  * https://bugzilla.suse.com/show_bug.cgi?id=1212856
  * https://bugzilla.suse.com/show_bug.cgi?id=1212943
  * https://bugzilla.suse.com/show_bug.cgi?id=1213009
  * https://bugzilla.suse.com/show_bug.cgi?id=1213077
  * https://bugzilla.suse.com/show_bug.cgi?id=1213288
  * https://bugzilla.suse.com/show_bug.cgi?id=1213445
  * https://bugzilla.suse.com/show_bug.cgi?id=1213675
  * https://bugzilla.suse.com/show_bug.cgi?id=1213716
  * https://bugzilla.suse.com/show_bug.cgi?id=1213880
  * https://bugzilla.suse.com/show_bug.cgi?id=1214002
  * https://bugzilla.suse.com/show_bug.cgi?id=1214121
  * https://bugzilla.suse.com/show_bug.cgi?id=1214124
  * https://bugzilla.suse.com/show_bug.cgi?id=1214187
  * https://bugzilla.suse.com/show_bug.cgi?id=1214266
  * https://bugzilla.suse.com/show_bug.cgi?id=1214280
  * https://bugzilla.suse.com/show_bug.cgi?id=1214889
  * https://bugzilla.suse.com/show_bug.cgi?id=1214982
  * https://bugzilla.suse.com/show_bug.cgi?id=1215352
  * https://bugzilla.suse.com/show_bug.cgi?id=1215362
  * https://bugzilla.suse.com/show_bug.cgi?id=1215373
  * https://bugzilla.suse.com/show_bug.cgi?id=1215413
  * https://bugzilla.suse.com/show_bug.cgi?id=1215497
  * https://bugzilla.suse.com/show_bug.cgi?id=1215756
  * https://jira.suse.com/browse/MSQA-699
  * https://jira.suse.com/browse/SUMA-158
  * https://jira.suse.com/browse/SUMA-280
