SUSE-SU-2024:0485-1: important: Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

SLE-SECURITY-UPDATES null at suse.de
Thu Feb 15 16:32:18 UTC 2024



# Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

Announcement ID: SUSE-SU-2024:0485-1  
Rating: important  
References:

  * bsc#1170848
  * bsc#1210911
  * bsc#1211254
  * bsc#1211560
  * bsc#1211912
  * bsc#1213079
  * bsc#1213507
  * bsc#1213738
  * bsc#1213981
  * bsc#1214077
  * bsc#1214791
  * bsc#1215166
  * bsc#1215514
  * bsc#1215769
  * bsc#1215810
  * bsc#1215813
  * bsc#1215982
  * bsc#1216114
  * bsc#1216394
  * bsc#1216437
  * bsc#1216550
  * bsc#1216609
  * bsc#1216657
  * bsc#1216753
  * bsc#1216781
  * bsc#1216988
  * bsc#1217069
  * bsc#1217209
  * bsc#1217588
  * bsc#1217784
  * bsc#1217869
  * bsc#1218019
  * bsc#1218074
  * bsc#1218075
  * bsc#1218089
  * bsc#1218094
  * bsc#1218146
  * bsc#1218490
  * bsc#1218615
  * bsc#1218669
  * bsc#1218837
  * bsc#1218849
  * bsc#1219151
  * bsc#1219449
  * bsc#1219577
  * bsc#1219850
  * jsc#MSQA-719

  
Cross-References:

  * CVE-2023-31582
  * CVE-2023-32189

  
CVSS scores:

  * CVE-2023-31582 ( SUSE ):  3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
  * CVE-2023-31582 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

  
Affected Products:

  * SUSE Manager Proxy 4.3
  * SUSE Manager Proxy 4.3 Module 4.3
  * SUSE Manager Retail Branch Server 4.3
  * SUSE Manager Server 4.3
  * SUSE Manager Server 4.3 Module 4.3

  
  
An update that solves two vulnerabilities, contains one feature and has 44
security fixes can now be installed.

## Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3

### Description:

This update fixes the following issues:

mgr-daemon:

  * Version 4.3.8-1
  * Update translation strings

patterns-suse-manager:

  * Add liberate-formula to the required packages for the server to get it
    installed by default

spacecmd:

  * Version 4.3.26-1
  * Update translation strings

spacewalk-backend:

  * Version 4.3.27-1
  * Fix issue in "spacewalk-repo-sync" when RPM packages contain files with
    size greater than 4GB (bsc#1219151)
  * Version 4.3.26-1
  * Fix decompressing and renaming bzip2 comps files in reposync
  * Update query to the new credentials structure
  * Remove normalize_orphan_vendor_packages and move it to taskomatic
    (bsc#1216781)
  * Skip syncing packages with incorrect metadata (bsc#1213738)
  * Update translation strings

spacewalk-certs-tools:

  * Version 4.3.22-1
  * Skip deploying the CA into the Salt directory on proxies (bsc#1219850)
  * Version 4.3.21-1
  * Deploy the CA certificate also into the Salt filesystem (bsc#1219577)
  * Version 4.3.20-1
  * Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615)
  * Include reboot info beacon in the bootstrap script for transactional systems
    (bsc#1217588)

spacewalk-client-tools:

  * Version 4.3.18-1
  * Update translation strings

spacewalk-web:

  * Version 4.3.37-1
  * Fix the use of page size preference in systems and packages lists
    (bsc#1217209)
  * Fix issue displaying Ansible playbook name (bsc#1216657)
  * Add support for `PaygNotCompliantWarning` notification
  * Bump web.version to 4.3.11

susemanager-build-keys:

  * Version 15.4.10
  * Add new Almalinux 8 GPG Key (bsc#1218849)
  * Refresh extended Uyuni GPG public key

How to apply this update:

  1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
  2. Stop the proxy service: `spacewalk-proxy stop`
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: `spacewalk-proxy start`

## Security update for SUSE Manager Server 4.3

### Description:

This update fixes the following issues:

cobbler:

  * Build the appendline correctly for RHEL-family <= 9 (bsc#1216437)
  * Notify to "systemd" when cobblerd startup is finished (bsc#1215982)
  * Enable ppc64(le) buildiso support (bsc#1214077)

grafana-formula:

  * Version 0.10.0
  * Replace legacy message queue metrics with Salt queue metrics
  * Grafana formula should not be supported in a Proxy/Retail

inter-server-sync:

  * Version 0.3.2-1
  * Fix conflict in rhndistchannelmap (bsc#1216114)

jose4j:

  * CVE-2023-31582: Insecure Password-Based Encryption Iteration Count
    (bsc#1216609)

liberate-formula:

  * Version 0.1.0
  * Provide liberate-formula, a formula for converting a system to SUSE Liberty
    Linux

patterns-suse-manager:

  * Add liberate-formula to the required packages for the server to get it
    installed by default

prometheus-formula:

  * Version 0.8.0
  * Fix federation endpoint
  * Add remote write configuration
  * Add group filtering for service discovery relabeling configuration
  * Version 0.7.1
  * Fix PrometheusNotIngestingSamples false positive alerts (bsc#1216550)

prometheus-postgres_exporter:

  * Do not build debug if RHEL >= 8
  * Do not strip if SUSE Linux Enterprise 15 SP3
  * Build at least with Go >= 1.18 on RHEL
  * Build with Go >= 1.20 elsewhere

saltboot-formula:

  * Update to version 0.1.1701196218.b6b8ca1
  * Remove f-formatting to be compatible with Python < 3.6
  * Update packaging not to package salt directories
  * Update to version 0.1.1692188980.9aa0455

spacecmd:

  * Version 4.3.26-1
  * Update translation strings

spacewalk-backend:

  * Version 4.3.27-1
  * Fix issue in "spacewalk-repo-sync" when RPM packages contain files with
    size greater than 4GB (bsc#1219151)
  * Version 4.3.26-1
  * Fix decompressing and renaming bzip2 comps files in reposync
  * Update query to the new credentials structure
  * Remove normalize_orphan_vendor_packages and move it to taskomatic
    (bsc#1216781)
  * Skip syncing packages with incorrect metadata (bsc#1213738)
  * Update translation strings

spacewalk-certs-tools:

  * Version 4.3.22-1
  * Skip deploying the CA into the Salt directory on proxies (bsc#1219850)
  * Version 4.3.21-1
  * Deploy the CA certificate also into the Salt filesystem (bsc#1219577)
  * Version 4.3.20-1
  * Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615)
  * Include reboot info beacon in the bootstrap script for transactional systems
    (bsc#1217588)

spacewalk-client-tools:

  * Version 4.3.18-1
  * Update translation strings

spacewalk-java:

  * Version 4.3.71-1
  * Generate server SSH key also when bootstrapping regular Minions
    (bsc#1219449)
  * Version 4.3.70-1
  * Fix the use of page size preference in systems and packages lists
    (bsc#1217209)
  * Fix issue with disabling token check not working (bsc#1218669)
  * Enforce snakeyaml version requirement (bsc#1215166)
  * Improve the performance of paginated queries when syncing the reporting
    database (bsc#1211912, bsc#1213079)
  * Do not require entitlement for Pay-as-you-go SUSE Linux Enterprise Server
    for SAP (bsc#1217069)
  * Use the base product file to show the correct SUSE Manager product in the
    subscription matching results page
  * Do not require entitlements if SUSE Manager is Pay-as-you-go
  * Exclude SUSE Manager from subscription matching if it's Pay-as-you-go
  * Refactor Credentials to a proper class hierarchy
  * Fix unit test about duplicated packages
  * Prevent installation of packages with same name in a single action
    (bsc#1214791)
  * When canceling an action which has prerequisites, return hints to get the
    first action id which can be canceled (bsc#1216988)
  * Fix exception when removing a Debian package (bsc#1216781)
  * Fix XSS in taskomatic XML RPC handler (bsc#1210911)
  * Improve logging for Product Migration (bsc#1218490)
  * Add only 1 IP for Cloud RMT Host in /etc/hosts
  * Change org for orphan vendor packages that an admin can delete (bsc#1216781)
  * Expose the monitoring data for the Salt queue handling the Salt results
  * Provide total number of CPUs for SUSE Linux Enterprise Micro systems to
    subscription matcher when it is not used as hypervisor to match vCore
    subscriptions correctly (bsc#1218074)
  * Try to download compressed Ubuntu USN database
  * Add user information to system organization transfer message (bsc#1216753)
  * CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions
    (bsc#1170848)
  * Add notification in daily email in addition to in SUSE Manager home page
    when SUSE Manager Pay-as-you-go is not compliant
  * Fix apidoc link from #top to $call.name (bsc#1213507)
  * Add config option to disable remote commands from web UI (bsc#1217869)
  * Address high rating Sonar issues
  * Refactor SUSE Customer Center registration flow
  * Avoid blocking Taskomatic thread when waiting for queued action
    (bsc#1211560)
  * Fix modify kickstart profile when using "Always newest tree" option
    (bsc#1215813)
  * Configure reboot method for SUSE Linux Enterprise Micro when applying
    bootstrap state (bsc#1213981)
  * Handle non-existent known_host file in permission check
  * Fix handling of proxy SSH public keys
  * Include reboot required indication for non-SUSE distros

spacewalk-setup:

  * Version 4.3.19-1
  * Update query to the new credentials structure
  * Fix setting SUSE Customer Center password during setup

spacewalk-utils:

  * Version 4.3.19-1
  * Add SUSE Linux Enterprise Micro 5.4 and 5.5 to spacewalk-commons-channels

spacewalk-web:

  * Version 4.3.37-1
  * Fix the use of page size preference in systems and packages lists
    (bsc#1217209)
  * Fix issue displaying Ansible playbook name (bsc#1216657)
  * Add support for `PaygNotCompliantWarning` notification
  * Bump web.version to 4.3.11

subscription-matcher:

  * Version 0.35
  * Added missing part number
  * Version 0.34
  * Enabled support for Long Term Service Pack Support subscriptions
    (bsc#1218075)
  * Added SUSE Linux Enterprise Micro vCore handling (bsc#1218074)
  * Added new SKUs and new bundles

supportutils-plugin-susemanager:

  * Version 4.3.10-1
  * Update query to the new credentials structure

susemanager:

  * Version 4.3.34-1
  * Rename Open Enterprise Server label to OES23.4 (bsc#1215514)
  * Verify in Yast FQDN with name returned via DNS reverse lookup
  * CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions
    (bsc#1170848)

susemanager-build-keys:

  * Version 15.4.10
  * Add new Almalinux 8 GPG Key (bsc#1218849)
  * Refresh extended Uyuni GPG public key

susemanager-docs_en:

  * Removed obsolete traditional to Salt migration documentation from the System
    Types section of the Client Configuration Guide and updated the Migrate
    traditional clients to Salt clients section
  * Fixed navigation bar of Client Configuration Guide (bsc#1218089)
  * Added openSUSE Leap to Supported Features navigation list in Client
    Configuration Guide (bsc#1218094)
  * Described new monitoring metrics for Salt queue in Administration Guide
  * Fixed xrefs for internal book references
  * Removed mentioning that CVE number for CVE auditing is optional
    (bsc#1218019)
  * Corrected channel names for CentOS 7 Updates and Extras in CentOS Client
    Configuration Guide
  * Documented bootstrap settings for SUSE Linux Enterprise Micro in Client
    Configuration Guide (bsc#1216394)
  * Corrected command mgr-push to mgrpush in Administration Guide (bsc#1215810)
  * Updated Red Hat OVAL data URL and file in CentOS Clients Registration in
    Client Configuration Guide
  * Added Pay-as-you-go for Azure documentation to the Specialized Guides book
  * Added Pay-as-you-go limitations chapter to Pay-as-you-go Guide
  * Removed Ubuntu 18.04 from the list of supported clients
  * Fixed file location in Custom Salt Formulas section of Salt Guide
  * Documented using Virtualization Host formula in Client Configuration

susemanager-schema:

  * Version 4.3.24-1
  * Refactor susecredentials to support the new hierarchy
  * Improve performance of System (bsc#1211254)
  * Change schedule of system-profile-refresh to run on the 2nd Saturday of a
    month to not collide with normal working times (bsc#1215769)

susemanager-sls:

  * Version 4.3.40-1
  * Remove automatic reboot from transactional systems bootstrap (bsc#1218146)
  * Version 4.3.39-1
  * Change certs/RHN-ORG-TRUSTED-SSL-CERT from symlink into a real file
    (bsc#1219577)
  * Version 4.3.38-1
  * Improve Pay-as-you-go instance detection (bsc#1217784)
  * CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions
    (bsc#1170848)
  * Configure reboot method for SUSE Linux Enterprise Micro when applying
    bootstrap state (bsc#1213981)
  * Include reboot required indication for non-SUSE distros

susemanager-sync-data:

  * Version 4.3.16-1
  * Fix OES 23.4 internal name (bsc#1218837)
  * Version 4.3.15-1
  * Update release status and repository description of Open Enterprise Server
    23.4 (bsc#1215514)
  * Add new SUSE Liberty Linux 7 Long Term Service Pack Support channel families
  * Rename Red Hat Enterprise Linux and Liberty 8 Base product to remove EOL
    CentOS 8 from the name

uyuni-reportdb-schema:

  * Version 4.3.9-1
  * Provide reportdb upgrade schema path structure

How to apply this update:

  1. Log in as root user to the SUSE Manager Server.
  2. Stop the Spacewalk service: `spacewalk-service stop`
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: `spacewalk-service start`

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Manager Proxy 4.3 Module 4.3  
    `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2024-485=1`

  * SUSE Manager Server 4.3 Module 4.3  
    `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-485=1`

## Package List:

  * SUSE Manager Proxy 4.3 Module 4.3 (noarch)
    * spacewalk-base-minimal-4.3.37-150400.3.39.7
    * mgr-daemon-4.3.8-150400.3.12.5
    * susemanager-build-keys-15.4.10-150400.3.23.5
    * spacewalk-client-tools-4.3.18-150400.3.24.7
    * susemanager-build-keys-web-15.4.10-150400.3.23.5
    * spacewalk-check-4.3.18-150400.3.24.7
    * python3-spacewalk-check-4.3.18-150400.3.24.7
    * python3-spacewalk-client-setup-4.3.18-150400.3.24.7
    * spacecmd-4.3.26-150400.3.33.5
    * spacewalk-client-setup-4.3.18-150400.3.24.7
    * spacewalk-base-minimal-config-4.3.37-150400.3.39.7
    * spacewalk-backend-4.3.27-150400.3.38.2
    * python3-spacewalk-certs-tools-4.3.22-150400.3.25.1
    * spacewalk-certs-tools-4.3.22-150400.3.25.1
    * python3-spacewalk-client-tools-4.3.18-150400.3.24.7
  * SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
    * patterns-suma_proxy-4.3-150400.5.9.5
  * SUSE Manager Server 4.3 Module 4.3 (noarch)
    * spacewalk-java-config-4.3.71-150400.3.74.2
    * spacewalk-base-minimal-4.3.37-150400.3.39.7
    * spacewalk-backend-iss-4.3.27-150400.3.38.2
    * spacewalk-backend-tools-4.3.27-150400.3.38.2
    * susemanager-build-keys-15.4.10-150400.3.23.5
    * susemanager-sls-4.3.40-150400.3.44.1
    * susemanager-build-keys-web-15.4.10-150400.3.23.5
    * uyuni-config-modules-4.3.40-150400.3.44.1
    * spacewalk-backend-applet-4.3.27-150400.3.38.2
    * spacewalk-base-minimal-config-4.3.37-150400.3.39.7
    * spacewalk-backend-4.3.27-150400.3.38.2
    * spacewalk-backend-app-4.3.27-150400.3.38.2
    * spacewalk-utils-4.3.19-150400.3.21.5
    * susemanager-sync-data-4.3.16-150400.3.22.2
    * spacewalk-backend-config-files-4.3.27-150400.3.38.2
    * spacewalk-java-lib-4.3.71-150400.3.74.2
    * cobbler-3.3.3-150400.5.39.5
    * spacewalk-setup-4.3.19-150400.3.30.5
    * spacewalk-utils-extras-4.3.19-150400.3.21.5
    * spacewalk-backend-config-files-common-4.3.27-150400.3.38.2
    * uyuni-reportdb-schema-4.3.9-150400.3.12.7
    * spacecmd-4.3.26-150400.3.33.5
    * susemanager-docs_en-4.3-150400.9.53.5
    * susemanager-schema-4.3.24-150400.3.36.7
    * spacewalk-java-4.3.71-150400.3.74.2
    * spacewalk-html-4.3.37-150400.3.39.7
    * spacewalk-base-4.3.37-150400.3.39.7
    * spacewalk-certs-tools-4.3.22-150400.3.25.1
    * grafana-formula-0.10.0-150400.3.15.5
    * spacewalk-java-postgresql-4.3.71-150400.3.74.2
    * supportutils-plugin-susemanager-4.3.10-150400.3.18.5
    * spacewalk-backend-config-files-tool-4.3.27-150400.3.38.2
    * spacewalk-backend-sql-postgresql-4.3.27-150400.3.38.2
    * spacewalk-backend-xml-export-libs-4.3.27-150400.3.38.2
    * subscription-matcher-0.35-150400.3.19.5
    * spacewalk-backend-iss-export-4.3.27-150400.3.38.2
    * jose4j-0.5.1-150400.3.6.2
    * python3-spacewalk-certs-tools-4.3.22-150400.3.25.1
    * liberate-formula-0.1.0-150400.10.3.3
    * python3-spacewalk-client-tools-4.3.18-150400.3.24.7
    * spacewalk-backend-xmlrpc-4.3.27-150400.3.38.2
    * spacewalk-client-tools-4.3.18-150400.3.24.7
    * susemanager-schema-utility-4.3.24-150400.3.36.7
    * susemanager-docs_en-pdf-4.3-150400.9.53.5
    * spacewalk-backend-sql-4.3.27-150400.3.38.2
    * prometheus-formula-0.8.0-150400.3.6.5
    * spacewalk-backend-server-4.3.27-150400.3.38.2
    * saltboot-formula-0.1.1701196218.b6b8ca1-150400.3.15.3
    * spacewalk-backend-package-push-server-4.3.27-150400.3.38.2
    * spacewalk-taskomatic-4.3.71-150400.3.74.2
  * SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
    * patterns-suma_retail-4.3-150400.5.9.5
    * inter-server-sync-0.3.2-150400.3.27.5
    * prometheus-postgres_exporter-0.10.1-150400.3.9.5
    * susemanager-4.3.34-150400.3.45.5
    * patterns-suma_server-4.3-150400.5.9.5
    * inter-server-sync-debuginfo-0.3.2-150400.3.27.5
    * susemanager-tools-4.3.34-150400.3.45.5

## References:

  * https://www.suse.com/security/cve/CVE-2023-31582.html
  * https://www.suse.com/security/cve/CVE-2023-32189.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1170848
  * https://bugzilla.suse.com/show_bug.cgi?id=1210911
  * https://bugzilla.suse.com/show_bug.cgi?id=1211254
  * https://bugzilla.suse.com/show_bug.cgi?id=1211560
  * https://bugzilla.suse.com/show_bug.cgi?id=1211912
  * https://bugzilla.suse.com/show_bug.cgi?id=1213079
  * https://bugzilla.suse.com/show_bug.cgi?id=1213507
  * https://bugzilla.suse.com/show_bug.cgi?id=1213738
  * https://bugzilla.suse.com/show_bug.cgi?id=1213981
  * https://bugzilla.suse.com/show_bug.cgi?id=1214077
  * https://bugzilla.suse.com/show_bug.cgi?id=1214791
  * https://bugzilla.suse.com/show_bug.cgi?id=1215166
  * https://bugzilla.suse.com/show_bug.cgi?id=1215514
  * https://bugzilla.suse.com/show_bug.cgi?id=1215769
  * https://bugzilla.suse.com/show_bug.cgi?id=1215810
  * https://bugzilla.suse.com/show_bug.cgi?id=1215813
  * https://bugzilla.suse.com/show_bug.cgi?id=1215982
  * https://bugzilla.suse.com/show_bug.cgi?id=1216114
  * https://bugzilla.suse.com/show_bug.cgi?id=1216394
  * https://bugzilla.suse.com/show_bug.cgi?id=1216437
  * https://bugzilla.suse.com/show_bug.cgi?id=1216550
  * https://bugzilla.suse.com/show_bug.cgi?id=1216609
  * https://bugzilla.suse.com/show_bug.cgi?id=1216657
  * https://bugzilla.suse.com/show_bug.cgi?id=1216753
  * https://bugzilla.suse.com/show_bug.cgi?id=1216781
  * https://bugzilla.suse.com/show_bug.cgi?id=1216988
  * https://bugzilla.suse.com/show_bug.cgi?id=1217069
  * https://bugzilla.suse.com/show_bug.cgi?id=1217209
  * https://bugzilla.suse.com/show_bug.cgi?id=1217588
  * https://bugzilla.suse.com/show_bug.cgi?id=1217784
  * https://bugzilla.suse.com/show_bug.cgi?id=1217869
  * https://bugzilla.suse.com/show_bug.cgi?id=1218019
  * https://bugzilla.suse.com/show_bug.cgi?id=1218074
  * https://bugzilla.suse.com/show_bug.cgi?id=1218075
  * https://bugzilla.suse.com/show_bug.cgi?id=1218089
  * https://bugzilla.suse.com/show_bug.cgi?id=1218094
  * https://bugzilla.suse.com/show_bug.cgi?id=1218146
  * https://bugzilla.suse.com/show_bug.cgi?id=1218490
  * https://bugzilla.suse.com/show_bug.cgi?id=1218615
  * https://bugzilla.suse.com/show_bug.cgi?id=1218669
  * https://bugzilla.suse.com/show_bug.cgi?id=1218837
  * https://bugzilla.suse.com/show_bug.cgi?id=1218849
  * https://bugzilla.suse.com/show_bug.cgi?id=1219151
  * https://bugzilla.suse.com/show_bug.cgi?id=1219449
  * https://bugzilla.suse.com/show_bug.cgi?id=1219577
  * https://bugzilla.suse.com/show_bug.cgi?id=1219850
  * https://jira.suse.com/browse/MSQA-719
