SUSE-SU-2017:1349-1: moderate: Security update for SUSE Manager Server 3.0
sle-updates at lists.suse.com
Thu May 18 22:17:23 MDT 2017
SUSE Security Update: Security update for SUSE Manager Server 3.0
______________________________________________________________________________
Announcement ID: SUSE-SU-2017:1349-1
Rating: moderate
References: #1000762 #1009545 #1011964 #1012784 #1013606
#1017418 #1017422 #1017754 #1017772 #1020659
#1020904 #1022530 #1023233 #1024066 #1024406
#1024456 #1024714 #1024863 #1024966 #1025000
#1025275 #1025291 #1025312 #1025421 #1025758
#1025761 #1025775 #1025908 #1026266 #1026301
#1026633 #1027426 #1027852 #1028062 #1028306
#1029755 #1029840 #1030716 #1031092 #1031453
#1031659 #1031667 #1031826 #1031885 #1032256
#1033383 #1033497 #1033731 #1034289 #1034465
#1034956
Cross-References: CVE-2017-7470
Affected Products:
SUSE Manager Server 3.0
______________________________________________________________________________
An update that solves one vulnerability and has 50 fixes is
now available.
Description:
The following security issue in spacewalk-backend has been fixed:
- Non-admin or disabled users can no longer make changes to a system using
spacewalk-channel. (bsc#1026633, CVE-2017-7470)
Additionally, the following non-security issues have been fixed:
rhnlib:
- Support all TLS versions in rpclib. (bsc#1025312)
salt-netapi-client:
- Fix date format for Schedule module. (bsc#1034465)
spacecmd:
- Improve output on error for listrepo. (bsc#1027426)
- Reword spacecmd removal message. (bsc#1024406)
spacewalk-backend:
- Do not fail with traceback when media.1 does not exist. (bsc#1032256)
- Create scap files directory beforehand. (bsc#1029755)
- Fix error if SPACEWALK_DEBUG_NO_REPORTS environment variable is not
present.
- Don't skip 'rhnErrataPackage' cleanup during an errata update.
(bsc#1023233)
- Add support for running spacewalk-debug without creating reports.
(bsc#1024714)
- Set scap store directory mod to 775 and group owner to susemanager.
- incomplete_package_import: Do import rhnPackageFile as it breaks some
package installations.
- Added traceback printing to the exception block.
- Change postgresql starting commands.
spacewalk-certs-tools:
- Always restart the minion regardless of its current state. (bsc#1034956)
- Correctly honor disabling of SSL in bootstrap script. (bsc#1033383)
- Add curl dependency and move mgr-proxy-ssh* to spacewalk-proxy package.
- Exit for non-traditional bootstrap scripts. (bsc#1020904)
- Rename mgr-ssh-proxy-force-cmd -> mgr-proxy-ssh-force-cmd.
- Add mgr-proxy-ssh-force-cmd, mgr-proxy-ssh-push-init to rpm.
- Add option to configure only sshd.
- Restrictive ssh options for user mgrsshtunnel.
spacewalk-client-tools:
- Fix reboot message to use correct product name. (bsc#1031667)
spacewalk-java:
- Fix missing IPs in Overview tab. (bsc#1031453)
- Fix scheduling VM deployment in future. (bsc#1034289)
- Handle empty set to not produce invalid sql. (bsc#1033497)
- Fix SSM group pagination. (bsc#1012784)
- Create PooledExecutor with pre-filled queue. (bsc#1030716)
- Make sure minion keys can only be seen/managed by appropriate user.
(bsc#1025908)
- Set action status to 'failed' on uncaught exceptions. (bsc#1013606)
- Add missing library to taskomatic classpath. (bsc#1024066)
- Set log level to DEBUG for EOFException when the Websocket connection is
aborted by the client. (bsc#1031826)
- Add a remote command with label as a script to the actionchain.
(bsc#1011964)
- Fix architecture for default channels lookup. (bsc#1025275)
- Change required salt-netapi-client to >= 0.11.
- Using stream() during collection processing.
- Making salt presence timeouts configurable via rhn.conf. (bsc#1025761)
- Avoid blocking synchronous calls if some minions are unreachable.
(bsc#1025761)
- Excludes unreachable minions from synchronous call to prevent blocking.
(bsc#1025761)
- Fix LocalDateTimeISOAdapter to parse date string with timezone.
(bsc#1024966)
- Create scap files directories beforehand. (bsc#1029755)
- Make country, state/province and city searchable for system location.
(bsc#1020659)
- Change incorrect help link. (bsc#1017418)
- Don't allow scheduling scap scan if openscap pkg missing from minion.
- Make salt aware of rescheduled actions. (bsc#1027852)
- Close hibernate session on async salt-ssh call.
- Use a small fixed pool so we don't overwhelm the salt-api with salt-ssh
executions.
- Fix remote cmd ui js err and timed out message.
- Remote cmd UI changes for salt-ssh minions.
- Add support for salt ssh minions to remote cmd UI.
- Apply SessionFilter also for error pages. (bsc#1028062)
- Use correct logging class.
- Fix broken help link for taskstatus. (bsc#1017422)
- Test errata not removed from origin.
- Fix merge channels patches. (bsc#1025000)
- Change XccdfIdent.identifier mapping length to 100.
- Add xccdf result xslt.
- Fix mainframesysinfo module to use /proc/sysinfo on SLES11. (bsc#1025758)
- Use consistent spelling in UI. (bsc#1028306)
- Rewording distchannelmap text. (bsc#1017772)
- JavaScript datepicker needs the timezone to create a correct date object.
(bsc#1024966)
- Don't show audit tab for ssh-push minions.
- Set scap store dir mod to 775 and group owner to susemanager.
- Better error handling and more tests.
- Store uploaded scap files.
- Openscap action scheduling and handling.
- Grant scap capability to minion on registration.
- Enable audit tab for salt minions.
- Scap initial xccdfEval and hibernate mappings.
- Show proxy path in bootstrap UI.
- AuthFilter tests: Update expectations to reflect cookie update at end of
request.
- AuthFilter: Update cookie expiry date at end of HTTP request.
(bsc#1025775)
- MinionActionCleanup: Only call list_jobs once per action id.
(bsc#1025291)
- MinionActionCleanupTest: Expect that list_jobs is only called once.
- Feat: Allow salt-enabled bootstrap.sh via UI.
- Catch and display all bootstrap errors.
- Sync grains and beacons only for regular minions.
- Add new channel tokens to minion.accessTokens.
- Fix getting server path for a first level proxy.
- Fix bootstrap err when proxy not selected.
- Check if proxy hostname is FQDN not name in UI.
- Utility for runner to generate ssh key and execute cmd via proxies.
- Add proxy_pub_key to ssh bootstrap pillar.
- Add ssh timeout to temporary roster.
- Salt_ssh_connect_timeout configuration parameter.
- Authorize parent salt-ssh key on proxy.
- Java backend for salt ssh-push through proxy.
- Avoid deadlock with spacewalk-repo-sync. (bsc#1022530)
- Fix NPE when no SUSE Product was found for an installed product.
(bsc#1029840)
- Keep organization after migrating a system to salt. (bsc#1026301)
- Fix glob only for noarch rpm(s).
- Feat: Dynamically detect deployed CA certificate.
- Fix restore original default (certificate).
- Rename variable (cert provided by RPM).
- Fix uniform bootstrap.sh. (bsc#1000762)
spacewalk-reports:
- Remove legacy audit logging reports. (bsc#1009545)
spacewalk-setup:
- Create /var/spacewalk/systems in spacewalk-setup and ensure perms on
upgrade.
- Add xccdf result xslt.
- Authorize parent salt-ssh key on proxy.
spacewalk-web:
- Remote Commands: Allow Web Socket to be opened on non-standard port.
- Improve remote cmd ui error handling.
- Show message when waiting for ssh minions times out.
- Fix remote cmd ui js err and timed out message.
- Remote cmd UI changes for salt-ssh minions.
- Fix broken help link for taskstatus. (bsc#1017422)
- Add js utility function to create Date objects in different timezones.
- Show proxy path in bootstrap UI.
- Clear proxy selection when clicking clear fields button.
- Check if proxy hostname is FQDN not name in UI.
- Show warn in bootstrap UI if proxy hostname is not a FQDN.
subscription-matcher:
- Set -Xmx launch parameter based on customer data. (bsc#1024863)
- Small bugfixes and logging improvements.
susemanager:
- Add bootstrap repo data for SLES for SAP 12 SP2 ppc64le.
- Add python-setuptools to bootstrap repo. (bsc#1033731)
- Create directory manually if mksubvolume fails, so we now support btrfs
based systems with missing mksubvolume utility. (bsc#1031885)
- Create /var/spacewalk/systems in spacewalk-setup and ensure perms on
upgrade.
- Fix typo in comment noting option with-custom-channels. (bsc#1031092)
- Pre require tomcat and salt.
- Fix %pre and %post scripts in susemanager.spec.
- Append salt, tomcat and wwwrun to the susemanager group.
- Susemanager group and change owner and permissions for
/var/susemanager/systems.
susemanager-schema:
- Don't fail if capability already exists.
- Show update message only when updating the schema package. (bsc#1024456)
- Fix audit log disabling in Oracle.
- Grant minions scap capability.
- Clean up stale logging data and triggers. (bsc#1009545)
- Fix deduplicate to work with more than two duplicates.
susemanager-sls:
- Add certificate state for CAASP.
- Add certificate state for SLES for SAP. (bsc#1031659)
- Pre-create empty top.sls with no-op. (bsc#1017754)
- Add xccdf result xslt.
- Fix mainframesysinfo module to use /proc/sysinfo on SLES11. (bsc#1025758)
- Set scap store dir mod to 775 and group owner to susemanager.
- Store uploaded scap files.
- Set minion own key owner to bootstrap ssh_push_sudo_user.
- Runner to generate ssh key and execute cmd via proxies.
- Change ssh bootstrap state to generate and auth keys for salt-ssh push
with tunnel.
- Authorize parent salt-ssh key on proxy.
susemanager-sync-data:
- Support Cloud 7 - Magnum Orchestration (bsc#1026266) and SLES for SAP 12
SP2 ppc64le.
virtual-host-gatherer:
- Adding support for exploring 'vim.Folder'. (bsc#1025421)
How to apply this update:
1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: spacewalk-service stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Upgrade the database schema: spacewalk-schema-upgrade
5. Start the Spacewalk service: spacewalk-service start
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Manager Server 3.0:
zypper in -t patch SUSE-SUSE-Manager-Server-3.0-2017-827=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Manager Server 3.0 (x86_64):
susemanager-3.0.21-21.1
susemanager-tools-3.0.21-21.1
- SUSE Manager Server 3.0 (noarch):
rhnlib-2.5.84.4-6.1
salt-netapi-client-0.11.1-12.1
spacecmd-2.5.5.5-12.1
spacewalk-backend-2.5.24.9-22.1
spacewalk-backend-app-2.5.24.9-22.1
spacewalk-backend-applet-2.5.24.9-22.1
spacewalk-backend-config-files-2.5.24.9-22.1
spacewalk-backend-config-files-common-2.5.24.9-22.1
spacewalk-backend-config-files-tool-2.5.24.9-22.1
spacewalk-backend-iss-2.5.24.9-22.1
spacewalk-backend-iss-export-2.5.24.9-22.1
spacewalk-backend-libs-2.5.24.9-22.1
spacewalk-backend-package-push-server-2.5.24.9-22.1
spacewalk-backend-server-2.5.24.9-22.1
spacewalk-backend-sql-2.5.24.9-22.1
spacewalk-backend-sql-oracle-2.5.24.9-22.1
spacewalk-backend-sql-postgresql-2.5.24.9-22.1
spacewalk-backend-tools-2.5.24.9-22.1
spacewalk-backend-xml-export-libs-2.5.24.9-22.1
spacewalk-backend-xmlrpc-2.5.24.9-22.1
spacewalk-base-2.5.7.15-21.1
spacewalk-base-minimal-2.5.7.15-21.1
spacewalk-base-minimal-config-2.5.7.15-21.1
spacewalk-certs-tools-2.5.1.8-17.1
spacewalk-client-tools-2.5.13.8-17.2
spacewalk-html-2.5.7.15-21.1
spacewalk-java-2.5.59.14-23.2
spacewalk-java-config-2.5.59.14-23.2
spacewalk-java-lib-2.5.59.14-23.2
spacewalk-java-oracle-2.5.59.14-23.2
spacewalk-java-postgresql-2.5.59.14-23.2
spacewalk-reports-2.5.1.2-3.1
spacewalk-setup-2.5.3.12-15.1
spacewalk-taskomatic-2.5.59.14-23.2
subscription-matcher-0.18-5.1
susemanager-schema-3.0.19-21.2
susemanager-sls-0.1.20-23.1
susemanager-sync-data-3.0.16-24.1
virtual-host-gatherer-1.0.13-6.1
virtual-host-gatherer-VMware-1.0.13-6.1
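As an added example that is not part of this advisory, a post-update check that compares installed package versions against the package list above (REQUIRED is a subset of that list, INSTALLED is constructed sample rpm output, and vercmp is a simplified stand-in for rpm's own version comparison):

```shell
# Added example, not part of the SUSE advisory: after patching, confirm the
# installed packages are at (or above) the versions SUSE-SU-2017:1349-1 lists.
# Subset of the advisory's package list, "<name> <version>-<release>":
REQUIRED='susemanager 3.0.21-21.1
spacewalk-backend 2.5.24.9-22.1
spacewalk-java 2.5.59.14-23.2
susemanager-schema 3.0.19-21.2
spacewalk-certs-tools 2.5.1.8-17.1'
# Constructed sample of: rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <names>
# (spacewalk-backend deliberately one version behind the advisory).
INSTALLED='susemanager 3.0.21-21.1
spacewalk-backend 2.5.24.8-20.1
spacewalk-java 2.5.59.14-23.2
susemanager-schema 3.0.19-21.2
spacewalk-certs-tools 2.5.1.8-17.1'

# vercmp A B: prints -1, 0 or 1, comparing "<version>-<release>" strings segment
# by segment as integers (a simplification of rpmvercmp; enough for the purely
# numeric versions in this advisory).
vercmp() {
    a=$(printf '%s' "$1" | tr '-' '.'); b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=''; else b=${b#*.}; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# check_advisory INSTALLED_TEXT: one report line per required package; returns
# 1 if any package is missing or older than the advisory's version, else 0.
check_advisory() {
    installed=$1; rc=0
    while read -r pkg want; do
        have=$(printf '%s\n' "$installed" | awk -v p="$pkg" '$1 == p { print $2 }')
        if [ -z "$have" ]; then
            echo "MISSING  $pkg (need $want)"; rc=1
        elif [ "$(vercmp "$have" "$want")" -lt 0 ]; then
            echo "OUTDATED $pkg $have < $want"; rc=1
        else
            echo "OK       $pkg $have"
        fi
    done <<EOF
$REQUIRED
EOF
    return $rc
}
check_advisory "$INSTALLED" || echo "SUSE-SU-2017:1349-1 is not fully applied"
```

On a real server, replace INSTALLED with the output of the rpm query shown in the comment, run over the full package list of the advisory.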
References:
https://www.suse.com/security/cve/CVE-2017-7470.html
https://bugzilla.suse.com/1000762
https://bugzilla.suse.com/1009545
https://bugzilla.suse.com/1011964
https://bugzilla.suse.com/1012784
https://bugzilla.suse.com/1013606
https://bugzilla.suse.com/1017418
https://bugzilla.suse.com/1017422
https://bugzilla.suse.com/1017754
https://bugzilla.suse.com/1017772
https://bugzilla.suse.com/1020659
https://bugzilla.suse.com/1020904
https://bugzilla.suse.com/1022530
https://bugzilla.suse.com/1023233
https://bugzilla.suse.com/1024066
https://bugzilla.suse.com/1024406
https://bugzilla.suse.com/1024456
https://bugzilla.suse.com/1024714
https://bugzilla.suse.com/1024863
https://bugzilla.suse.com/1024966
https://bugzilla.suse.com/1025000
https://bugzilla.suse.com/1025275
https://bugzilla.suse.com/1025291
https://bugzilla.suse.com/1025312
https://bugzilla.suse.com/1025421
https://bugzilla.suse.com/1025758
https://bugzilla.suse.com/1025761
https://bugzilla.suse.com/1025775
https://bugzilla.suse.com/1025908
https://bugzilla.suse.com/1026266
https://bugzilla.suse.com/1026301
https://bugzilla.suse.com/1026633
https://bugzilla.suse.com/1027426
https://bugzilla.suse.com/1027852
https://bugzilla.suse.com/1028062
https://bugzilla.suse.com/1028306
https://bugzilla.suse.com/1029755
https://bugzilla.suse.com/1029840
https://bugzilla.suse.com/1030716
https://bugzilla.suse.com/1031092
https://bugzilla.suse.com/1031453
https://bugzilla.suse.com/1031659
https://bugzilla.suse.com/1031667
https://bugzilla.suse.com/1031826
https://bugzilla.suse.com/1031885
https://bugzilla.suse.com/1032256
https://bugzilla.suse.com/1033383
https://bugzilla.suse.com/1033497
https://bugzilla.suse.com/1033731
https://bugzilla.suse.com/1034289
https://bugzilla.suse.com/1034465
https://bugzilla.suse.com/1034956