SUSE-SU-2012:0821-1: moderate: Security update for SUSE Manager

sle-updates at lists.suse.com
Tue Jul 3 22:08:30 MDT 2012


   SUSE Security Update: Security update for SUSE Manager
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0821-1
Rating:             moderate
References:         #753326 #760306 #760771 #761165 #763878 #763891 
                    #764532 #764544 #765053 
Cross-References:   CVE-2012-0414
Affected Products:
                    SUSE Manager 1.2 for SLE 11 SP1
______________________________________________________________________________

   An update that solves one vulnerability and has 8 fixes is
   now available. It includes one version update.

Description:


   This update fixes the following issues:

   * new function signature for image deployment
   * ignore ip6addr if provided with hw_refresh from newer
   client versions
   * do not add a bootstrap repository on SLES 11-SP2
   * escape image names to prevent XSS (CVE-2012-0414)
   * spacewalk-dobby now requires oracle-update
   * fix owner and permissions of /etc/rhn for
   spacewalk-dobby
   * make values in suseProductChannel unique before
   adding a unique index
   * added desktop file for susemanager_setup YaST module
   * add missing schema migration for rhnErrataBuglistTmp.
   * add option to migrate channels to RES subscriptions
   (bnc#765053)
   * fix schema upgrade
   * improved performance for repomd generation
   * fix ISE during registration because of duplicate ids
   * fix wrong transaction name in unsubscribe_channels
   * fix saving of SUSE Product names

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service:

         spacewalk-service stop

      If the SUSE Manager database is running on the same machine
      as the SUSE Manager server, this command also stops the SUSE
      Manager database instance.
   3. Apply the patch using either zypper patch or YaST Online
      Update.
   4. If the SUSE Manager database is running on the same machine
      as your SUSE Manager server, start the database instance with

         /etc/init.d/oracle-xe start

      or

         /etc/init.d/oracle start

   5. Upgrade the database schema with

         spacewalk-schema-upgrade

   6. Start the Spacewalk service:

         spacewalk-service start

   Security Issue reference:

   * CVE-2012-0414
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0414>

Indications:

   Everybody should update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 1.2 for SLE 11 SP1:

      zypper in -t patch sleman12sp1-spacewalk-backend-6445

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Manager 1.2 for SLE 11 SP1 (x86_64):

      spacewalk-backend-1.2.74-0.58.1
      spacewalk-backend-app-1.2.74-0.58.1
      spacewalk-backend-applet-1.2.74-0.58.1
      spacewalk-backend-config-files-1.2.74-0.58.1
      spacewalk-backend-config-files-common-1.2.74-0.58.1
      spacewalk-backend-config-files-tool-1.2.74-0.58.1
      spacewalk-backend-iss-1.2.74-0.58.1
      spacewalk-backend-iss-export-1.2.74-0.58.1
      spacewalk-backend-libs-1.2.74-0.58.1
      spacewalk-backend-package-push-server-1.2.74-0.58.1
      spacewalk-backend-server-1.2.74-0.58.1
      spacewalk-backend-sql-1.2.74-0.58.1
      spacewalk-backend-sql-oracle-1.2.74-0.58.1
      spacewalk-backend-tools-1.2.74-0.58.1
      spacewalk-backend-xml-export-libs-1.2.74-0.58.1
      spacewalk-backend-xmlrpc-1.2.74-0.58.1
      spacewalk-backend-xp-1.2.74-0.58.1
      susemanager-1.2.0-0.58.1
      susemanager-tools-1.2.0-0.58.1

   - SUSE Manager 1.2 for SLE 11 SP1 (noarch) [New Version: 1.2.75]:

      spacewalk-base-1.2.31-0.39.3
      spacewalk-base-minimal-1.2.31-0.39.3
      spacewalk-certs-tools-1.2.2-0.28.3
      spacewalk-dobby-1.2.31-0.39.3
      spacewalk-grail-1.2.31-0.39.3
      spacewalk-html-1.2.31-0.39.3
      spacewalk-java-1.2.115-0.60.1
      spacewalk-java-config-1.2.115-0.60.1
      spacewalk-java-lib-1.2.115-0.60.1
      spacewalk-java-oracle-1.2.115-0.60.1
      spacewalk-pxt-1.2.31-0.39.3
      spacewalk-sniglets-1.2.31-0.39.3
      spacewalk-taskomatic-1.2.115-0.60.1
      susemanager-schema-1.2.75-0.5.1


References:

   http://support.novell.com/security/cve/CVE-2012-0414.html
   https://bugzilla.novell.com/753326
   https://bugzilla.novell.com/760306
   https://bugzilla.novell.com/760771
   https://bugzilla.novell.com/761165
   https://bugzilla.novell.com/763878
   https://bugzilla.novell.com/763891
   https://bugzilla.novell.com/764532
   https://bugzilla.novell.com/764544
   https://bugzilla.novell.com/765053
   http://download.novell.com/patch/finder/?keywords=3fbb4edf5375671fbc21e432ba8996c4


