SUSE-SU-2014:0222-1: moderate: Security update for Spacewalk stack

sle-updates at lists.suse.com
Tue Feb 11 11:04:47 MST 2014


   SUSE Security Update: Security update for Spacewalk stack
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0222-1
Rating:             moderate
References:         #834415 #846356 #850925 #850927 #850928 #850929 
                    #850930 #853913 #854090 #858197 #858652 
Cross-References:   CVE-2010-2236 CVE-2012-6149 CVE-2013-1869
                    CVE-2013-1871 CVE-2013-4415
Affected Products:
                    SUSE Manager 1.7 for SLE 11 SP2
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has 6 fixes is
   now available. It includes 8 new package versions.

Description:


   This Spacewalk stack update fixes the following security
   issues and bugs:

   spacewalk-backend:

   * Check for empty result before printing software
   entitlement. (bnc#853913)
   * Added extra log folder to spacewalk-debug.
   (bnc#854090)
   * Better detection for SUSE KVM and Cloud systems.

   spacewalk-branding:

   * CVE-2013-4415: PAGE_SIZE_LABEL_SELECTED cross-site
   scripting. (bnc#850925)

   spacewalk-certs-tools:

   * Older versions of ssh-copy-id do not support the -o
   switch.
   * ssh-keygen fails with an error when known_hosts
   doesn't exist.
   * Call the new script from the old one and print
   deprecation warning.
   * New ssh-push client initialization script.

   spacewalk-java:

   * CVE-2013-4415: PAGE_SIZE_LABEL_SELECTED cross-site
   scripting. (bnc#850925)
   * CVE-2010-2236: Clean backticks from monitoring-probes
   where appropriate. (bnc#850930)
   * CVE-2012-6149: Fix XSS in notes.jsp. (bnc#850929)
   * CVE-2013-1869: Only follow internal return_urls to
   fix header injection flaw. (bnc#850928)
   * CVE-2013-1871: Fix XSS in edit-address JSPs.
   (bnc#850927)
   * Add the paste event handler in 'onload'. (bnc#846356)

   spacewalk-search:

   * Allow NULL as createdBy and lastModifiedBy to fix
   custom info value index. (bnc#834415)

   spacewalk-utils:

   * clone-by-date: Fix with dependency check enabled.
   (bnc#858652)

   spacewalk-web:

   * CVE-2013-4415: PAGE_SIZE_LABEL_SELECTED cross-site
   scripting. (bnc#850925)
   * Put the given year in the valid range. (bnc#846356)
   * Paste event handler parsing CVE identifiers with
   JavaScript. (bnc#846356)

   susemanager:

   * Create bootstrap repositories from SLES4SAP repos.
   (bnc#858197)

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service: spacewalk-service stop
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service: spacewalk-service start

   Security Issues:

   * CVE-2010-2236
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2236>
   * CVE-2012-6149
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6149>
   * CVE-2013-1869
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1869>
   * CVE-2013-1871
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1871>
   * CVE-2013-4415
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4415>


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 1.7 for SLE 11 SP2:

      zypper in -t patch sleman17sp2-suse-manager-201401-8817

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Manager 1.7 for SLE 11 SP2 (x86_64) [New Version: 1.7.1.11,1.7.27 and 1.7.38.31]:

      spacewalk-backend-1.7.38.31-0.5.1
      spacewalk-backend-app-1.7.38.31-0.5.1
      spacewalk-backend-applet-1.7.38.31-0.5.1
      spacewalk-backend-config-files-1.7.38.31-0.5.1
      spacewalk-backend-config-files-common-1.7.38.31-0.5.1
      spacewalk-backend-config-files-tool-1.7.38.31-0.5.1
      spacewalk-backend-iss-1.7.38.31-0.5.1
      spacewalk-backend-iss-export-1.7.38.31-0.5.1
      spacewalk-backend-libs-1.7.38.31-0.5.1
      spacewalk-backend-package-push-server-1.7.38.31-0.5.1
      spacewalk-backend-server-1.7.38.31-0.5.1
      spacewalk-backend-sql-1.7.38.31-0.5.1
      spacewalk-backend-sql-oracle-1.7.38.31-0.5.1
      spacewalk-backend-sql-postgresql-1.7.38.31-0.5.1
      spacewalk-backend-tools-1.7.38.31-0.5.1
      spacewalk-backend-xml-export-libs-1.7.38.31-0.5.1
      spacewalk-backend-xmlrpc-1.7.38.31-0.5.1
      spacewalk-backend-xp-1.7.38.31-0.5.1
      spacewalk-branding-1.7.1.11-0.5.1
      susemanager-1.7.27-0.5.2
      susemanager-tools-1.7.27-0.5.2

   - SUSE Manager 1.7 for SLE 11 SP2 (noarch) [New Version: 1.7.15.12,1.7.28.20,1.7.3.11,1.7.3.12 and 1.7.54.30]:

      spacewalk-base-1.7.28.20-0.5.1
      spacewalk-base-minimal-1.7.28.20-0.5.1
      spacewalk-certs-tools-1.7.3.11-0.5.1
      spacewalk-grail-1.7.28.20-0.5.1
      spacewalk-html-1.7.28.20-0.5.1
      spacewalk-java-1.7.54.30-0.5.1
      spacewalk-java-config-1.7.54.30-0.5.1
      spacewalk-java-lib-1.7.54.30-0.5.1
      spacewalk-java-oracle-1.7.54.30-0.5.1
      spacewalk-java-postgresql-1.7.54.30-0.5.1
      spacewalk-pxt-1.7.28.20-0.5.1
      spacewalk-search-1.7.3.12-0.5.1
      spacewalk-sniglets-1.7.28.20-0.5.1
      spacewalk-taskomatic-1.7.54.30-0.5.1
      spacewalk-utils-1.7.15.12-0.5.3
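   A check an administrator can run after applying the patch (or across a fleet before
   scheduling the Spacewalk service stop) to confirm that the host actually carries the
   builds from the Package List above. This is an added example, not part of the advisory
   or of the SUSE Manager / Spacewalk tooling: the FIXED table is a subset copied from the
   Package List (extend it with the remaining entries), the rpm -qa output is constructed
   sample data, and vercmp is a simplified reimplementation of rpm's version comparison
   (epochs, which do not appear in the list above, are not handled).

```python
"""Report advisory packages installed at a version older than the fixed build.

Added illustration for SUSE-SU-2014:0222-1; not part of the advisory.
"""
import re
import subprocess
import sys
from itertools import zip_longest

# Fixed version-release strings, copied from the advisory's Package List
# (subset; add the remaining spacewalk-* entries the same way).
FIXED = {
    "spacewalk-backend": "1.7.38.31-0.5.1",
    "spacewalk-backend-server": "1.7.38.31-0.5.1",
    "spacewalk-branding": "1.7.1.11-0.5.1",
    "spacewalk-certs-tools": "1.7.3.11-0.5.1",
    "spacewalk-java": "1.7.54.30-0.5.1",
    "spacewalk-search": "1.7.3.12-0.5.1",
    "spacewalk-utils": "1.7.15.12-0.5.3",
    "spacewalk-base": "1.7.28.20-0.5.1",
    "susemanager": "1.7.27-0.5.2",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`
# output: three packages lag behind the advisory, two already match.
SAMPLE_RPM_QA = """\
spacewalk-backend 1.7.38.30-0.4.1
spacewalk-backend-server 1.7.38.30-0.4.1
spacewalk-java 1.7.54.30-0.5.1
spacewalk-search 1.7.3.12-0.5.1
susemanager 1.7.26-0.3.1
unrelated-package 2.0-1
"""


def _segments(s):
    # rpm compares runs of digits and runs of letters as separate segments.
    return re.findall(r"\d+|[A-Za-z]+", s)


def vercmp(a, b):
    """Simplified rpmvercmp: numeric segments compare as integers, alphabetic
    ones lexically, a numeric segment sorts after an alphabetic one, and a
    string with extra trailing segments is newer. Returns -1, 0 or 1."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x == y:
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
            continue
        if xd != yd:
            return 1 if xd else -1
        return 1 if x > y else -1
    return 0


def split_vr(s):
    """Split 'version-release' on the last dash; a bare version has no release."""
    v, sep, r = s.rpartition("-")
    return (v, r) if sep else (s, "")


def evr_cmp(a, b):
    """Compare two version-release strings the way rpm orders them:
    version first, release only as a tie-breaker."""
    av, ar = split_vr(a)
    bv, br = split_vr(b)
    return vercmp(av, bv) or vercmp(ar, br)


def parse_rpm_qa(text):
    """Turn 'name version-release' lines into a {name: version-release} dict."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def missing_updates(installed, fixed=FIXED):
    """Return {name: (installed_vr, fixed_vr)} for every advisory package that
    is installed but older than the fixed build. Packages absent from the host
    are skipped; the advisory only matters for packages that are present."""
    missing = {}
    for name, fixed_vr in fixed.items():
        have = installed.get(name)
        if have is not None and evr_cmp(have, fixed_vr) < 0:
            missing[name] = (have, fixed_vr)
    return missing


def query_host():
    """Query the local rpm database; only used with --host on a real server."""
    out = subprocess.run(
        ["rpm", "-qa", "--qf", r"%{NAME} %{VERSION}-%{RELEASE}\n"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_rpm_qa(out)


if __name__ == "__main__":
    installed = query_host() if "--host" in sys.argv else parse_rpm_qa(SAMPLE_RPM_QA)
    for name, (have, want) in sorted(missing_updates(installed).items()):
        print(f"{name}: installed {have}, advisory fixes {want}")
```

   Run without arguments it evaluates the constructed sample; with --host it queries the
   local rpm database. An empty result after step 3 confirms the listed packages are at or
   above the advisory's builds before the Spacewalk service is started again.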


References:

   http://support.novell.com/security/cve/CVE-2010-2236.html
   http://support.novell.com/security/cve/CVE-2012-6149.html
   http://support.novell.com/security/cve/CVE-2013-1869.html
   http://support.novell.com/security/cve/CVE-2013-1871.html
   http://support.novell.com/security/cve/CVE-2013-4415.html
   https://bugzilla.novell.com/834415
   https://bugzilla.novell.com/846356
   https://bugzilla.novell.com/850925
   https://bugzilla.novell.com/850927
   https://bugzilla.novell.com/850928
   https://bugzilla.novell.com/850929
   https://bugzilla.novell.com/850930
   https://bugzilla.novell.com/853913
   https://bugzilla.novell.com/854090
   https://bugzilla.novell.com/858197
   https://bugzilla.novell.com/858652
   http://download.novell.com/patch/finder/?keywords=c86d2c06c2403e2323a238c376ec6f16


