SUSE-SU-2024:1507-1: moderate: Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server
SLE-SECURITY-UPDATES
null at suse.de
Mon May 6 12:31:22 UTC 2024
# Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server
Announcement ID: SUSE-SU-2024:1507-1
Rating: moderate
References:
* bsc#1170848
* bsc#1208572
* bsc#1214340
* bsc#1214387
* bsc#1216085
* bsc#1217204
* bsc#1217874
* bsc#1218764
* bsc#1218805
* bsc#1218931
* bsc#1218957
* bsc#1219061
* bsc#1219233
* bsc#1219634
* bsc#1219875
* bsc#1220101
* bsc#1220169
* bsc#1220194
* bsc#1220221
* bsc#1220376
* bsc#1220705
* bsc#1220726
* bsc#1220903
* bsc#1220980
* bsc#1221111
* bsc#1221182
* bsc#1221279
* bsc#1221465
* bsc#1221571
* bsc#1221784
* bsc#1221922
* bsc#1222110
* bsc#1222347
* jsc#MSQA-760
Cross-References:
* CVE-2023-51775
CVSS scores:
* CVE-2023-51775 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
* SUSE Manager Proxy 4.3
* SUSE Manager Proxy 4.3 Module 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
* SUSE Manager Server 4.3 Module 4.3
An update that solves one vulnerability, contains one feature and has 32
security fixes can now be installed.
## Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3
### Description:
This update fixes the following issues:
mgr-daemon:
* Version 4.3.9-0
* Update translation strings
spacecmd:
* Version 4.3.27-0
* Update translation strings
spacewalk-backend:
* Version 4.3.28-0
* Strip whitespace from .deb package metadata (bsc#1214387)
* Fix inserting NULL into some columns during ISSv1 sync (bsc#1220980)
* Add support for package signature type V4 RSA/SHA512 (bsc#1221465)
* Unquote HTML-encoded credentials before synchronizing repositories
(bsc#1217204)
spacewalk-certs-tools:
* Version 4.3.23-0
* Fix liberty bootstrapping when zypper is installed (bsc#1222347)
* Apply reboot method changes for transactional systems in the bootstrap
script
spacewalk-client-tools:
* Version 4.3.19-0
* Update translation strings
spacewalk-web:
* Version 4.3.38-0
* Upgrade json5 to 2.2.3
* Upgrade semver to 7.6.0
* Add one-shot action execution to recurring custom state create/edit
* Add two filters for rpmlint in package spacewalk-web: explicit-lib-dependency
and filename-too-long-for-joliet
* Fix virtual systems filters (bsc#1208572)
* Improve CLM Create New Filter button
* Bump the WebUI version to 4.3.12
uyuni-common-libs:
* Version 4.3.10-0
* Add support for package signature type V4 RSA/SHA384
* Add support for package signature type V4 RSA/SHA512 (bsc#1221465)
uyuni-proxy-systemd-services:
* Version 4.3.12-0
* Update to SUSE Manager 4.3.12
* Version 4.3.11-1
* Update the image version
How to apply this update:
1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
2. Stop the proxy service: `spacewalk-proxy stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-proxy start`
## Security update for SUSE Manager Server 4.3
### Description:
This update fixes the following issues:
cobbler:
* Provide option to use pre-built GRUB bootloader
* Prevent parallel executions of cobbler sync actions (bsc#1218764)
image-sync-formula:
* Update to version 0.1.1711646883.4a44375
* Add missing URL tag
* Update license to SPDX syntax
inter-server-sync:
* Version 0.3.3-1
* Correct primary key export for table suseproductsccrepository (bsc#1220169)
jose4j:
* CVE-2023-51775: Fix denial of service (CPU consumption) via a large p2c (aka
PBES2 Count) value (bsc#1220726)
smdba:
* Version 1.7.13
* postmaster no longer exists from >=16 and is an alias for postgresql; use the
postgresql command instead
spacecmd:
* Version 4.3.27-0
* Update translation strings
spacewalk-backend:
* Version 4.3.28-0
* Strip whitespace from .deb package metadata (bsc#1214387)
* Fix inserting NULL into some columns during ISSv1 sync (bsc#1220980)
* Add support for package signature type V4 RSA/SHA512 (bsc#1221465)
* Unquote HTML-encoded credentials before synchronizing repositories
(bsc#1217204)
spacewalk-certs-tools:
* Version 4.3.23-0
* Fix liberty bootstrapping when zypper is installed (bsc#1222347)
* Apply reboot method changes for transactional systems in the bootstrap
script
spacewalk-client-tools:
* Version 4.3.19-0
* Update translation strings
spacewalk-config:
* Version 4.3.13-0
* Be explicit about default Apache configs being overwritten on updates and
point to making custom configs. (bsc#1219061)
spacewalk-java:
* Version 4.3.73-0
* New API endpoint for getRelevantErrata. It takes multiple servers as
argument and it returns an array of maps representing the errata that can be
applied to each system
* Version 4.3.72-0
* Use execution module call to detect client instance flavor (PAYG/BYOS) in
public cloud (bsc#1218805)
* Update help text for the custom repo filter field (bsc#1217874)
* Fix issue where Salt cannot access autoinstallation files (bsc#1220221)
* Fix issue when checking for credential duplication (bsc#1218957)
* Fix matching epoch while creating Ubuntu errata
* When an action that belongs to an action chain is unscheduled, unschedule
the action chain as well (bsc#1221784)
* Reschedule failed SSH actions caused by a connection error due to a
scheduled reboot
* Fix removal of old IPv6 addresses (bsc#1214340)
* Do not automatically add child channels outside of selected base channel
(bsc#1220101)
* Fix listProxies API call (bsc#1219233)
* Fix system.provisionSystem when called via HTTP API (bsc#1219875)
* Remove package sync not available message in Software > Packages > Profile
since it is no longer available for supported clients (bsc#1221279)
* Fix login for read-only users when using HTTP API (bsc#1221111)
* Add one-shot action execution to recurring custom state create/edit
* Fix a typo in 'Deploy Files' page
* Drop system password as identifier on SCC system registration (bsc#1219634,
bsc#1221182)
* Fix memory size extraction in virtual instances (bsc#1219634)
* Fix virtual systems filters (bsc#1208572)
* Update license to include the year 2024
* Add timeout for SMTP server connection (bsc#1218931)
* Commit Salt event removal in case of process failure (bsc#1218931)
* Users with API read only are only allowed to make GET requests
* Ignore retry suffix when getting recurring action id from schedule name
* Sort CLM project filters by filter name
spacewalk-web:
* Version 4.3.38-0
* Upgrade json5 to 2.2.3
* Upgrade semver to 7.6.0
* Add one-shot action execution to recurring custom state create/edit
* Fix virtual systems filters (bsc#1208572)
* Improve CLM Create New Filter button
* Bump the WebUI version to 4.3.12
subscription-matcher:
* Version 0.37
* Add missing part number (bsc#1221922)
* Fix penalties logging by initializing the score director consistently
* Removed wrong apache-commons-lang dependency
* Version 0.36
* Fixed Log4j 2 initialization
supportutils-plugin-susemanager:
* Version 4.3.11-0
* Add Salt and Reposync connections to minimum required DB connections
calculation
susemanager:
* Version 4.3.35-0
* Add bootstrap repository definition for openSUSE Leap 15.6
* Add bootstrap repository definition for SUSE Linux Enterprise 15 SP6
susemanager-docs_en:
* Removed Debian 10 from the list of supported clients
* Added new workflow describing updating of clients using recurring actions to
Common Workflows
* Added documentation on adding a storage device for VMware
* Documented registercloudguest tools for registering public cloud
installation (BYOS) by adding a reference to the Public Cloud Guide
* Added information about requirements for the PostgreSQL database to the
Installation and Upgrade Guide (bsc#1220376)
* Fixed the instructions for SSL Certificates (bsc#1219061)
* Remove package sync paragraph in package-management doc since it is not
available for Salt clients and traditional clients are no longer supported
(bsc#1221279)
* Fixed incorrect reference to SUSE Linux Enterprise Server 15 SP5 as base
product for SUSE Manager 4.3, even in public cloud
* Updated VM based installation for 4.3 VM image with ignition or cloudinit in
Installation and Upgrade Guide
* Added reference from Hub documentation to Inter-Server Synchronization in
Large Deployment Guide
* Documented Virtualization Guest and Virtualization Host Formula
* Reformatted Supported Clients tables in Client Configuration Guide and
Installation and Upgrade Guide
* Add documentation about SMTP timeout configuration
* Documented SSH key rotation in Salt Guide (bsc#1170848)
* Documented liberate formula in Salt Guide
* Fixed Prepare on-demand images section in Client Configuration
* Fixed a changed configuration parameter for salt-ssh
* Added Pay-as-you-go on the Cloud: FAQ document
* Updated max-connections tuning recommendation in Large Deployment
* Added troubleshooting instructions for setting up in public cloud (BYOS) to
Administration Guide
* Added section about migrating Enterprise Linux (EL) clients to SUSE Liberty
Linux to Client Configuration Guide
* Added detailed information about the messages produced by subscription
matcher
* Added Pay-as-you-go as supported service on Azure to the Public Cloud Guide
* Added and fixed configuration details in Troubleshooting Renaming Server in
Administration Guide
susemanager-schema:
* Version 4.3.25-0
* Add update-salt to internal state table
susemanager-sls:
* Version 4.3.41-0
* Use execution module call to detect client instance flavor (PAYG/BYOS) in
public cloud (bsc#1218805)
* Do not log dnf needs-restarting output in Salt's log (bsc#1220194)
* Dynamically load an SELinux policy for "Push via SSH tunnel" for SELinux
enabled clients. This policy allows communication over a custom SSH port
* Fix reboot needed detection for SUSE systems
* Fix SUSE Liberty Linux bootstrapping when Zypper is installed (bsc#1222347)
* Distinguish between different SUSE versions when detecting if a reboot is
needed (bsc#1220903, bsc#1221571)
* Improve updatestack update in uptodate state
* Add a standalone update-salt state
* Add pillar check to skip reboot_if_needed state
* Recognize .tar.xz and .ext4 image files (bsc#1216085)
* Avoid issues on reactivating traditional clients as Salt managed
* Fix the case of missing requisites on bootstrap (bsc#1220705)
susemanager-sync-data:
* Version 4.3.17-0
* AlmaLinux 9 PowerTools was renamed into CRB (bsc#1222110)
uyuni-common-libs:
* Version 4.3.10-0
* Add support for package signature type V4 RSA/SHA384
* Add support for package signature type V4 RSA/SHA512 (bsc#1221465)
uyuni-reportdb-schema:
* Version 4.3.10-0
* Provide reportdb upgrade schema path structure
How to apply this update:
1. Log in as root user to the SUSE Manager Server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-service start`
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Manager Proxy 4.3 Module 4.3
  `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2024-1507=1`
* SUSE Manager Server 4.3 Module 4.3
  `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-1507=1`
## Package List:
* SUSE Manager Proxy 4.3 Module 4.3 (noarch)
  * spacewalk-base-minimal-4.3.38-150400.3.42.6
  * python3-spacewalk-certs-tools-4.3.23-150400.3.28.5
  * python3-spacewalk-client-setup-4.3.19-150400.3.27.5
  * python3-spacewalk-client-tools-4.3.19-150400.3.27.5
  * mgr-daemon-4.3.9-150400.3.15.5
  * spacewalk-backend-4.3.28-150400.3.41.7
  * spacecmd-4.3.27-150400.3.36.5
  * spacewalk-certs-tools-4.3.23-150400.3.28.5
  * spacewalk-client-setup-4.3.19-150400.3.27.5
  * spacewalk-client-tools-4.3.19-150400.3.27.5
  * python3-spacewalk-check-4.3.19-150400.3.27.5
  * spacewalk-check-4.3.19-150400.3.27.5
  * spacewalk-base-minimal-config-4.3.38-150400.3.42.6
* SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
  * python3-uyuni-common-libs-4.3.10-150400.3.18.4
* SUSE Manager Server 4.3 Module 4.3 (noarch)
  * spacewalk-java-lib-4.3.73-150400.3.79.1
  * susemanager-docs_en-4.3-150400.9.56.4
  * spacewalk-backend-package-push-server-4.3.28-150400.3.41.7
  * spacewalk-backend-4.3.28-150400.3.41.7
  * spacewalk-java-4.3.73-150400.3.79.1
  * spacewalk-backend-iss-export-4.3.28-150400.3.41.7
  * spacewalk-backend-xmlrpc-4.3.28-150400.3.41.7
  * spacewalk-base-4.3.38-150400.3.42.6
  * spacewalk-taskomatic-4.3.73-150400.3.79.1
  * spacewalk-backend-sql-4.3.28-150400.3.41.7
  * spacewalk-backend-sql-postgresql-4.3.28-150400.3.41.7
  * python3-spacewalk-certs-tools-4.3.23-150400.3.28.5
  * python3-spacewalk-client-tools-4.3.19-150400.3.27.5
  * susemanager-docs_en-pdf-4.3-150400.9.56.4
  * jose4j-0.5.1-150400.3.9.4
  * spacewalk-backend-config-files-tool-4.3.28-150400.3.41.7
  * spacecmd-4.3.27-150400.3.36.5
  * spacewalk-certs-tools-4.3.23-150400.3.28.5
  * susemanager-schema-4.3.25-150400.3.39.5
  * spacewalk-backend-config-files-common-4.3.28-150400.3.41.7
  * supportutils-plugin-susemanager-4.3.11-150400.3.21.4
  * spacewalk-java-config-4.3.73-150400.3.79.1
  * image-sync-formula-0.1.1711646883.4a44375-150400.3.18.4
  * spacewalk-base-minimal-config-4.3.38-150400.3.42.6
  * spacewalk-java-postgresql-4.3.73-150400.3.79.1
  * subscription-matcher-0.37-150400.3.22.4
  * susemanager-schema-utility-4.3.25-150400.3.39.5
  * uyuni-reportdb-schema-4.3.10-150400.3.15.6
  * spacewalk-backend-xml-export-libs-4.3.28-150400.3.41.7
  * spacewalk-backend-iss-4.3.28-150400.3.41.7
  * susemanager-sync-data-4.3.17-150400.3.25.4
  * cobbler-3.3.3-150400.5.42.5
  * spacewalk-backend-config-files-4.3.28-150400.3.41.7
  * spacewalk-backend-applet-4.3.28-150400.3.41.7
  * spacewalk-base-minimal-4.3.38-150400.3.42.6
  * spacewalk-backend-app-4.3.28-150400.3.41.7
  * uyuni-config-modules-4.3.41-150400.3.47.6
  * susemanager-sls-4.3.41-150400.3.47.6
  * spacewalk-html-4.3.38-150400.3.42.6
  * spacewalk-client-tools-4.3.19-150400.3.27.5
  * spacewalk-backend-tools-4.3.28-150400.3.41.7
  * spacewalk-backend-server-4.3.28-150400.3.41.7
  * spacewalk-config-4.3.13-150400.3.15.5
* SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
  * smdba-1.7.13-0.150400.4.12.4
  * susemanager-4.3.35-150400.3.48.6
  * inter-server-sync-debuginfo-0.3.3-150400.3.30.4
  * inter-server-sync-0.3.3-150400.3.30.4
  * susemanager-tools-4.3.35-150400.3.48.6
  * python3-uyuni-common-libs-4.3.10-150400.3.18.4
## References:
* https://www.suse.com/security/cve/CVE-2023-51775.html
* https://bugzilla.suse.com/show_bug.cgi?id=1170848
* https://bugzilla.suse.com/show_bug.cgi?id=1208572
* https://bugzilla.suse.com/show_bug.cgi?id=1214340
* https://bugzilla.suse.com/show_bug.cgi?id=1214387
* https://bugzilla.suse.com/show_bug.cgi?id=1216085
* https://bugzilla.suse.com/show_bug.cgi?id=1217204
* https://bugzilla.suse.com/show_bug.cgi?id=1217874
* https://bugzilla.suse.com/show_bug.cgi?id=1218764
* https://bugzilla.suse.com/show_bug.cgi?id=1218805
* https://bugzilla.suse.com/show_bug.cgi?id=1218931
* https://bugzilla.suse.com/show_bug.cgi?id=1218957
* https://bugzilla.suse.com/show_bug.cgi?id=1219061
* https://bugzilla.suse.com/show_bug.cgi?id=1219233
* https://bugzilla.suse.com/show_bug.cgi?id=1219634
* https://bugzilla.suse.com/show_bug.cgi?id=1219875
* https://bugzilla.suse.com/show_bug.cgi?id=1220101
* https://bugzilla.suse.com/show_bug.cgi?id=1220169
* https://bugzilla.suse.com/show_bug.cgi?id=1220194
* https://bugzilla.suse.com/show_bug.cgi?id=1220221
* https://bugzilla.suse.com/show_bug.cgi?id=1220376
* https://bugzilla.suse.com/show_bug.cgi?id=1220705
* https://bugzilla.suse.com/show_bug.cgi?id=1220726
* https://bugzilla.suse.com/show_bug.cgi?id=1220903
* https://bugzilla.suse.com/show_bug.cgi?id=1220980
* https://bugzilla.suse.com/show_bug.cgi?id=1221111
* https://bugzilla.suse.com/show_bug.cgi?id=1221182
* https://bugzilla.suse.com/show_bug.cgi?id=1221279
* https://bugzilla.suse.com/show_bug.cgi?id=1221465
* https://bugzilla.suse.com/show_bug.cgi?id=1221571
* https://bugzilla.suse.com/show_bug.cgi?id=1221784
* https://bugzilla.suse.com/show_bug.cgi?id=1221922
* https://bugzilla.suse.com/show_bug.cgi?id=1222110
* https://bugzilla.suse.com/show_bug.cgi?id=1222347
* https://jira.suse.com/browse/MSQA-760