SUSE-SU-2024:0485-1: important: Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server
SLE-SECURITY-UPDATES
null at suse.de
Thu Feb 15 16:32:18 UTC 2024
# Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server
Announcement ID: SUSE-SU-2024:0485-1
Rating: important
References:
* bsc#1170848
* bsc#1210911
* bsc#1211254
* bsc#1211560
* bsc#1211912
* bsc#1213079
* bsc#1213507
* bsc#1213738
* bsc#1213981
* bsc#1214077
* bsc#1214791
* bsc#1215166
* bsc#1215514
* bsc#1215769
* bsc#1215810
* bsc#1215813
* bsc#1215982
* bsc#1216114
* bsc#1216394
* bsc#1216437
* bsc#1216550
* bsc#1216609
* bsc#1216657
* bsc#1216753
* bsc#1216781
* bsc#1216988
* bsc#1217069
* bsc#1217209
* bsc#1217588
* bsc#1217784
* bsc#1217869
* bsc#1218019
* bsc#1218074
* bsc#1218075
* bsc#1218089
* bsc#1218094
* bsc#1218146
* bsc#1218490
* bsc#1218615
* bsc#1218669
* bsc#1218837
* bsc#1218849
* bsc#1219151
* bsc#1219449
* bsc#1219577
* bsc#1219850
* jsc#MSQA-719
Cross-References:
* CVE-2023-31582
* CVE-2023-32189
CVSS scores:
* CVE-2023-31582 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2023-31582 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:
* SUSE Manager Proxy 4.3
* SUSE Manager Proxy 4.3 Module 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
* SUSE Manager Server 4.3 Module 4.3
An update that solves two vulnerabilities, contains one feature and has 44
security fixes can now be installed.
## Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3
### Description:
This update fixes the following issues:
mgr-daemon:
* Version 4.3.8-1
* Update translation strings
patterns-suse-manager:
* Add liberate-formula to the required packages for the server to get it
installed by default
spacecmd:
* Version 4.3.26-1
* Update translation strings
spacewalk-backend:
* Version 4.3.27-1
* Fix issue in "spacewalk-repo-sync" when RPM packages contain files with
size greater than 4GB (bsc#1219151)
* Version 4.3.26-1
* Fix decompressing and renaming bzip2 comps files in reposync
* Update query to the new credentials structure
* Remove normalize_orphan_vendor_packages and move it to taskomatic
(bsc#1216781)
* Skip syncing packages with incorrect metadata (bsc#1213738)
* Update translation strings
spacewalk-certs-tools:
* Version 4.3.22-1
* Skip deploying the CA into the Salt directory on proxies (bsc#1219850)
* Version 4.3.21-1
* Deploy the CA certificate also into the Salt filesystem (bsc#1219577)
* Version 4.3.20-1
* Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615)
* Include reboot info beacon in the bootstrap script for transactional systems
(bsc#1217588)
spacewalk-client-tools:
* Version 4.3.18-1
* Update translation strings
spacewalk-web:
* Version 4.3.37-1
* Fix the use of page size preference in systems and packages lists
(bsc#1217209)
* Fix issue displaying Ansible playbook name (bsc#1216657)
* Add support for `PaygNotCompliantWarning` notification
* Bump web.version to 4.3.11
susemanager-build-keys:
* Version 15.4.10
* Add new Almalinux 8 GPG Key (bsc#1218849)
* Refresh extended Uyuni GPG public key
How to apply this update:
1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
2. Stop the proxy service: `spacewalk-proxy stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-proxy start`
## Security update for SUSE Manager Server 4.3
### Description:
This update fixes the following issues:
cobbler:
* Build the appendline correctly for RHEL-family <= 9 (bsc#1216437)
* Notify to "systemd" when cobblerd startup is finished (bsc#1215982)
* Enable ppc64(le) buildiso support (bsc#1214077)
grafana-formula:
* Version 0.10.0
* Replace legacy message queue metrics with Salt queue metrics
* Grafana formula should not be supported in a Proxy/Retail
inter-server-sync:
* Version 0.3.2-1
* Fix conflict in rhndistchannelmap (bsc#1216114)
jose4j:
* CVE-2023-31582: Insecure Password-Based Encryption Iteration Count
(bsc#1216609)
liberate-formula:
* Version 0.1.0
* Provide liberate-formula, a formula for converting a system to SUSE Liberty
Linux
patterns-suse-manager:
* Add liberate-formula to the required packages for the server to get it
installed by default
prometheus-formula:
* Version 0.8.0
* Fix federation endpoint
* Add remote write configuration
* Add group filtering for service discovery relabeling configuration
* Version 0.7.1
* Fix PrometheusNotIngestingSamples false positive alerts (bsc#1216550)
prometheus-postgres_exporter:
* Do not build debug if RHEL >= 8
* Do not strip if SUSE Linux Enterprise 15 SP3
* Build at least with Go >= 1.18 on RHEL
* Build with Go >= 1.20 elsewhere
saltboot-formula:
* Update to version 0.1.1701196218.b6b8ca1
* Remove f-formatting to be compatible with python < 3.6
* Update packaging not to package salt directories
* Update to version 0.1.1692188980.9aa0455
spacecmd:
* Version 4.3.26-1
* Update translation strings
spacewalk-backend:
* Version 4.3.27-1
* Fix issue in "spacewalk-repo-sync" when RPM packages contain files with
size greater than 4GB (bsc#1219151)
* Version 4.3.26-1
* Fix decompressing and renaming bzip2 comps files in reposync
* Update query to the new credentials structure
* Remove normalize_orphan_vendor_packages and move it to taskomatic
(bsc#1216781)
* Skip syncing packages with incorrect metadata (bsc#1213738)
* Update translation strings
spacewalk-certs-tools:
* Version 4.3.22-1
* Skip deploying the CA into the Salt directory on proxies (bsc#1219850)
* Version 4.3.21-1
* Deploy the CA certificate also into the Salt filesystem (bsc#1219577)
* Version 4.3.20-1
* Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615)
* Include reboot info beacon in the bootstrap script for transactional systems
(bsc#1217588)
spacewalk-client-tools:
* Version 4.3.18-1
* Update translation strings
spacewalk-java:
* Version 4.3.71-1
* Generate server SSH key also when bootstrapping regular Minions
(bsc#1219449)
* Version 4.3.70-1
* Fix the use of page size preference in systems and packages lists
(bsc#1217209)
* Fix issue with disabling token check not working (bsc#1218669)
* Enforce snakeyaml version requirement (bsc#1215166)
* Improve the performance of paginated queries when syncing the reporting
database (bsc#1211912, bsc#1213079)
* Do not require entitlement for Pay-as-you-go SUSE Linux Enterprise Server
for SAP (bsc#1217069)
* Use the base product file to show the correct SUSE Manager product in the
subscription matching results page
* Do not require entitlements if SUSE Manager is Pay-as-you-go
* Exclude SUSE Manager from subscription matching if it's Pay-as-you-go
* Refactor Credentials to a proper class hierarchy
* Fix unit test about duplicated packages
* Prevent installation of packages with same name in a single action
(bsc#1214791)
* When canceling an action which has prerequisites, return hints to get the
first action id which can be canceled (bsc#1216988)
* Fix exception when removing a Debian package (bsc#1216781)
* Fix XSS in taskomatic XML RPC handler (bsc#1210911)
* Improve logging for Product Migration (bsc#1218490)
* Add only 1 IP for Cloud RMT Host in /etc/hosts
* Change org for orphan vendor packages that an admin can delete (bsc#1216781)
* Expose the monitoring data for the Salt queue handling the Salt results
* Provide total number of CPUs for SUSE Linux Enterprise Micro systems to
subscription matcher when it is not used as hypervisor to match vCore
subscriptions correctly (bsc#1218074)
* Try to download compressed Ubuntu USN database
* Add user information to system organization transfer message (bsc#1216753)
* CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions
(bsc#1170848)
* Add notification in daily email in addition to in SUSE Manager home page
when SUSE Manager Pay-as-you-go is not compliant
* Fix apidoc link from #top to $call.name (bsc#1213507)
* Add config option to disable remote commands from web UI (bsc#1217869)
* Address high rating Sonar issues
* Refactor SUSE Customer Center registration flow
* Avoid blocking Taskomatic thread when waiting for queued action
(bsc#1211560)
* Fix modify kickstart profile when using "Always newest tree" option
(bsc#1215813)
* Configure reboot method for SUSE Linux Enterprise Micro when applying
bootstrap state (bsc#1213981)
* Handle non-existent known_host file in permission check
* Fix handling of proxy ssh public keys
* Include reboot required indication for non-SUSE distros
spacewalk-setup:
* Version 4.3.19-1
* Update query to the new credentials structure
* Fix setting SUSE Customer Center password during setup
spacewalk-utils:
* Version 4.3.19-1
* Add SUSE Linux Enterprise Micro 5.4 and 5.5 to spacewalk-commons-channels
spacewalk-web:
* Version 4.3.37-1
* Fix the use of page size preference in systems and packages lists
(bsc#1217209)
* Fix issue displaying Ansible playbook name (bsc#1216657)
* Add support for `PaygNotCompliantWarning` notification
* Bump web.version to 4.3.11
subscription-matcher:
* Version 0.35
* Added missing part number
* Version 0.34
* Enabled support for Long Term Service Pack Support subscriptions
(bsc#1218075)
* Added SUSE Linux Enterprise Micro vCore handling (bsc#1218074)
* Added new SKUs and new bundles
supportutils-plugin-susemanager:
* Version 4.3.10-1
* Update query to the new credentials structure
susemanager:
* Version 4.3.34-1
* Rename Open Enterprise Server label to OES23.4 (bsc#1215514)
* Verify in Yast FQDN with name returned via DNS reverse lookup
* CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions
(bsc#1170848)
susemanager-build-keys:
* Version 15.4.10
* Add new Almalinux 8 GPG Key (bsc#1218849)
* Refresh extended Uyuni GPG public key
susemanager-docs_en:
* Removed obsolete traditional to Salt migration documentation from the System
Types section of the Client Configuration Guide and updated the Migrate
traditional clients to Salt clients section
* Fixed navigation bar of Client Configuration Guide (bsc#1218089)
* Added openSUSE Leap to Supported Features navigation list in Client
Configuration Guide (bsc#1218094)
* Described new monitoring metrics for Salt queue in Administration Guide
* Fixed xrefs for internal book references
* Removed mentioning that CVE number for CVE auditing is optional
(bsc#1218019)
* Corrected channel names for CentOS 7 Updates and Extras in CentOS Client
Configuration Guide
* Documented bootstrap settings for SUSE Linux Enterprise Micro in Client
Configuration Guide (bsc#1216394)
* Corrected command mgr-push to mgrpush in Administration Guide (bsc#1215810)
* Updated Red Hat OVAL data URL and file in CentOS Clients Registration in
Client Configuration Guide
* Added Pay-as-you-go for Azure documentation to the Specialized Guides book
* Added Pay-as-you-go limitations chapter to Pay-as-you-go Guide
* Removed Ubuntu 18.04 from the list of supported clients
* Fixed file location in Custom Salt Formulas section of Salt Guide
* Documented using Virtualization Host formula in Client Configuration
susemanager-schema:
* Version 4.3.24-1
* Refactor susecredentials to support the new hierarchy
* Improve performance of System (bsc#1211254)
* Change schedule of system-profile-refresh to run on the 2nd Saturday of a
month to not collide with normal working times (bsc#1215769)
susemanager-sls:
* Version 4.3.40-1
* Remove automatic reboot from transactional systems bootstrap (bsc#1218146)
* Version 4.3.39-1
* Change certs/RHN-ORG-TRUSTED-SSL-CERT from symlink into a real file
(bsc#1219577)
* Version 4.3.38-1
* Improve Pay-as-you-go instance detection (bsc#1217784)
* CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions
(bsc#1170848)
* Configure reboot method for SUSE Linux Enterprise Micro when applying
bootstrap state (bsc#1213981)
* Include reboot required indication for non-SUSE distros
susemanager-sync-data:
* Version 4.3.16-1
* Fix OES 23.4 internal name (bsc#1218837)
* Version 4.3.15-1
* Update release status and repository description of Open Enterprise Server
23.4 (bsc#1215514)
* Add new SUSE Liberty Linux 7 Long Term Service Pack Support channel families
* Rename Red Hat Enterprise Linux and Liberty 8 Base product to remove EOL
CentOS 8 from the name
uyuni-reportdb-schema:
* Version 4.3.9-1
* Provide reportdb upgrade schema path structure
How to apply this update:
1. Log in as root user to the SUSE Manager Server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-service start`
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Manager Proxy 4.3 Module 4.3:
`zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2024-485=1`
* SUSE Manager Server 4.3 Module 4.3:
`zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-485=1`
## Package List:
* SUSE Manager Proxy 4.3 Module 4.3 (noarch)
* spacewalk-base-minimal-4.3.37-150400.3.39.7
* mgr-daemon-4.3.8-150400.3.12.5
* susemanager-build-keys-15.4.10-150400.3.23.5
* spacewalk-client-tools-4.3.18-150400.3.24.7
* susemanager-build-keys-web-15.4.10-150400.3.23.5
* spacewalk-check-4.3.18-150400.3.24.7
* python3-spacewalk-check-4.3.18-150400.3.24.7
* python3-spacewalk-client-setup-4.3.18-150400.3.24.7
* spacecmd-4.3.26-150400.3.33.5
* spacewalk-client-setup-4.3.18-150400.3.24.7
* spacewalk-base-minimal-config-4.3.37-150400.3.39.7
* spacewalk-backend-4.3.27-150400.3.38.2
* python3-spacewalk-certs-tools-4.3.22-150400.3.25.1
* spacewalk-certs-tools-4.3.22-150400.3.25.1
* python3-spacewalk-client-tools-4.3.18-150400.3.24.7
* SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
* patterns-suma_proxy-4.3-150400.5.9.5
* SUSE Manager Server 4.3 Module 4.3 (noarch)
* spacewalk-java-config-4.3.71-150400.3.74.2
* spacewalk-base-minimal-4.3.37-150400.3.39.7
* spacewalk-backend-iss-4.3.27-150400.3.38.2
* spacewalk-backend-tools-4.3.27-150400.3.38.2
* susemanager-build-keys-15.4.10-150400.3.23.5
* susemanager-sls-4.3.40-150400.3.44.1
* susemanager-build-keys-web-15.4.10-150400.3.23.5
* uyuni-config-modules-4.3.40-150400.3.44.1
* spacewalk-backend-applet-4.3.27-150400.3.38.2
* spacewalk-base-minimal-config-4.3.37-150400.3.39.7
* spacewalk-backend-4.3.27-150400.3.38.2
* spacewalk-backend-app-4.3.27-150400.3.38.2
* spacewalk-utils-4.3.19-150400.3.21.5
* susemanager-sync-data-4.3.16-150400.3.22.2
* spacewalk-backend-config-files-4.3.27-150400.3.38.2
* spacewalk-java-lib-4.3.71-150400.3.74.2
* cobbler-3.3.3-150400.5.39.5
* spacewalk-setup-4.3.19-150400.3.30.5
* spacewalk-utils-extras-4.3.19-150400.3.21.5
* spacewalk-backend-config-files-common-4.3.27-150400.3.38.2
* uyuni-reportdb-schema-4.3.9-150400.3.12.7
* spacecmd-4.3.26-150400.3.33.5
* susemanager-docs_en-4.3-150400.9.53.5
* susemanager-schema-4.3.24-150400.3.36.7
* spacewalk-java-4.3.71-150400.3.74.2
* spacewalk-html-4.3.37-150400.3.39.7
* spacewalk-base-4.3.37-150400.3.39.7
* spacewalk-certs-tools-4.3.22-150400.3.25.1
* grafana-formula-0.10.0-150400.3.15.5
* spacewalk-java-postgresql-4.3.71-150400.3.74.2
* supportutils-plugin-susemanager-4.3.10-150400.3.18.5
* spacewalk-backend-config-files-tool-4.3.27-150400.3.38.2
* spacewalk-backend-sql-postgresql-4.3.27-150400.3.38.2
* spacewalk-backend-xml-export-libs-4.3.27-150400.3.38.2
* subscription-matcher-0.35-150400.3.19.5
* spacewalk-backend-iss-export-4.3.27-150400.3.38.2
* jose4j-0.5.1-150400.3.6.2
* python3-spacewalk-certs-tools-4.3.22-150400.3.25.1
* liberate-formula-0.1.0-150400.10.3.3
* python3-spacewalk-client-tools-4.3.18-150400.3.24.7
* spacewalk-backend-xmlrpc-4.3.27-150400.3.38.2
* spacewalk-client-tools-4.3.18-150400.3.24.7
* susemanager-schema-utility-4.3.24-150400.3.36.7
* susemanager-docs_en-pdf-4.3-150400.9.53.5
* spacewalk-backend-sql-4.3.27-150400.3.38.2
* prometheus-formula-0.8.0-150400.3.6.5
* spacewalk-backend-server-4.3.27-150400.3.38.2
* saltboot-formula-0.1.1701196218.b6b8ca1-150400.3.15.3
* spacewalk-backend-package-push-server-4.3.27-150400.3.38.2
* spacewalk-taskomatic-4.3.71-150400.3.74.2
* SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
* patterns-suma_retail-4.3-150400.5.9.5
* inter-server-sync-0.3.2-150400.3.27.5
* prometheus-postgres_exporter-0.10.1-150400.3.9.5
* susemanager-4.3.34-150400.3.45.5
* patterns-suma_server-4.3-150400.5.9.5
* inter-server-sync-debuginfo-0.3.2-150400.3.27.5
* susemanager-tools-4.3.34-150400.3.45.5
## References:
* https://www.suse.com/security/cve/CVE-2023-31582.html
* https://www.suse.com/security/cve/CVE-2023-32189.html
* https://bugzilla.suse.com/show_bug.cgi?id=1170848
* https://bugzilla.suse.com/show_bug.cgi?id=1210911
* https://bugzilla.suse.com/show_bug.cgi?id=1211254
* https://bugzilla.suse.com/show_bug.cgi?id=1211560
* https://bugzilla.suse.com/show_bug.cgi?id=1211912
* https://bugzilla.suse.com/show_bug.cgi?id=1213079
* https://bugzilla.suse.com/show_bug.cgi?id=1213507
* https://bugzilla.suse.com/show_bug.cgi?id=1213738
* https://bugzilla.suse.com/show_bug.cgi?id=1213981
* https://bugzilla.suse.com/show_bug.cgi?id=1214077
* https://bugzilla.suse.com/show_bug.cgi?id=1214791
* https://bugzilla.suse.com/show_bug.cgi?id=1215166
* https://bugzilla.suse.com/show_bug.cgi?id=1215514
* https://bugzilla.suse.com/show_bug.cgi?id=1215769
* https://bugzilla.suse.com/show_bug.cgi?id=1215810
* https://bugzilla.suse.com/show_bug.cgi?id=1215813
* https://bugzilla.suse.com/show_bug.cgi?id=1215982
* https://bugzilla.suse.com/show_bug.cgi?id=1216114
* https://bugzilla.suse.com/show_bug.cgi?id=1216394
* https://bugzilla.suse.com/show_bug.cgi?id=1216437
* https://bugzilla.suse.com/show_bug.cgi?id=1216550
* https://bugzilla.suse.com/show_bug.cgi?id=1216609
* https://bugzilla.suse.com/show_bug.cgi?id=1216657
* https://bugzilla.suse.com/show_bug.cgi?id=1216753
* https://bugzilla.suse.com/show_bug.cgi?id=1216781
* https://bugzilla.suse.com/show_bug.cgi?id=1216988
* https://bugzilla.suse.com/show_bug.cgi?id=1217069
* https://bugzilla.suse.com/show_bug.cgi?id=1217209
* https://bugzilla.suse.com/show_bug.cgi?id=1217588
* https://bugzilla.suse.com/show_bug.cgi?id=1217784
* https://bugzilla.suse.com/show_bug.cgi?id=1217869
* https://bugzilla.suse.com/show_bug.cgi?id=1218019
* https://bugzilla.suse.com/show_bug.cgi?id=1218074
* https://bugzilla.suse.com/show_bug.cgi?id=1218075
* https://bugzilla.suse.com/show_bug.cgi?id=1218089
* https://bugzilla.suse.com/show_bug.cgi?id=1218094
* https://bugzilla.suse.com/show_bug.cgi?id=1218146
* https://bugzilla.suse.com/show_bug.cgi?id=1218490
* https://bugzilla.suse.com/show_bug.cgi?id=1218615
* https://bugzilla.suse.com/show_bug.cgi?id=1218669
* https://bugzilla.suse.com/show_bug.cgi?id=1218837
* https://bugzilla.suse.com/show_bug.cgi?id=1218849
* https://bugzilla.suse.com/show_bug.cgi?id=1219151
* https://bugzilla.suse.com/show_bug.cgi?id=1219449
* https://bugzilla.suse.com/show_bug.cgi?id=1219577
* https://bugzilla.suse.com/show_bug.cgi?id=1219850
* https://jira.suse.com/browse/MSQA-719