SUSE-SU-2018:3811-1: moderate: Security update for SUSE Manager Server 3.1

sle-updates at lists.suse.com
Mon Nov 19 13:08:31 MST 2018


   SUSE Security Update: Security update for SUSE Manager Server 3.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:3811-1
Rating:             moderate
References:         #1034030 #1037389 #1042184 #1080474 #1090676 
                    #1094524 #1094992 #1095220 #1095942 #1095972 
                    #1096511 #1098970 #1099857 #1100852 #1101033 
                    #1104120 #1104487 #1105045 #1105074 #1105720 
                    #1105724 #1105886 #1106164 #1106875 #1107117 
                    #1107302 #1107850 #1107869 #1109235 #1111249 
                    #1111542 #1112163 #1113557 #1113698 #1113699 
                    
Cross-References:   CVE-2017-14695 CVE-2017-14696
Affected Products:
                    SUSE Manager Server 3.1
______________________________________________________________________________

   An update that solves two vulnerabilities and has 33 fixes
   is now available.

Description:


   This update includes the following new features:

   - Add support for postgresql 10 (fate#325659)

   This update fixes the following issues:

   py26-compat-salt:

   - Update Salt version to 2016.11.10

   - CVE-2018-15750: Fixed directory traversal vulnerability in salt-api
     (bsc#1113698).
   - CVE-2018-15751: Fixed remote authentication bypass in salt-api (netapi)
     that allows execution of arbitrary commands (bsc#1113699).

   - Fix wrong recurse behavior for linux_acl.present (bsc#1106164)
   - Adding backport for string arg normalization and fix for SUSE ES os
   - Prepend current directory when path is just filename (bsc#1095942)

   smdba:

   - Add support for postgresql 10 (fate#325659)

   spacecmd:

   - Show group id on group_details (bsc#1111542)
   - State channels handling: Existing commands configchannel_create and
     configchannel_import were updated while
     system_scheduleapplyconfigchannels and configchannel_updateinitsls were
     added.

   spacewalk:

   - Add support for postgresql10 (fate#325659)

   spacewalk-backend:

   - Channels to be actually un-subscribed from the assigned systems when
     being removed using spacewalk-remove-channel tool (bsc#1104120)

   spacewalk-branding:

   - New messages are added for XMLRPC API for state channels

   spacewalk-doc-indexes:

   - Use nutch-core dependency instead of nutch

   spacewalk-java:

   - Change Requires to allow installing with both Tomcat 8 (SLE-12SP3) and 9
     (SLE12-SP4)
   - Fix typo in messages (bsc#1111249)
   - Remove restrictions on SUSE Manager Channel subscriptions (bsc#1105724)
   - Added shortcut for editing Software Channel
   - Fix NullPointerException when refreshing deleted software channel
     (bsc#1094992)
   - Add last_boot to listSystems() API call
   - Check valid postgresql database version
   - Fix displayed number of systems requiring reboot in Tasks pane
     (bsc#1106875)
   - Changed localization strings for file summaries (bsc#1090676)
   - Added menu item entries for creating/deleting file preservation lists
     (bsc#1034030)
   - Better error handling when a websocket connection is aborted
     (bsc#1080474)
   - Remove the reference of channel from revision before deleting
     it (bsc#1107850)
   - Added link from virtualization tab to Scheduled > Pending Actions
     (bsc#1037389)
   - Speed up package listings (bsc#1100852)
   - Method to Unsubscribe channel from system (bsc#1104120)
   - Fix mgr-sync refresh when subscription was removed (bsc#1105720)
   - Fix an error in the system software channels UI due to SUSE product
     channels missing a corresponding synced channel (bsc#1105886)
   - XMLRPC API for state channels
   - Optimize execution of actions in minions (bsc#1099857)
   - Reschedule taskomatic jobs if task threads limit reached (bsc#1096511)
   - Logic constraint: results must be ordered and grouped by systemId first
     (bsc#1101033)
   - Do not wrap output if stderr is not present (bsc#1105074)

   spacewalk-search:

   - Discard commons-logging.properties removal on spec file, as OBS package
     does not contain it
   - Upgrade tika-core to 0.19.1 and adjust nutch-core (bsc#1109235)
   - Remove lib jar files and add them as build dependencies on spec
   - Limit number of old java logfiles (bsc#1107869)

   spacewalk-utils:

   - Fix typo at --phases option help

   spacewalk-web:

   - Fix typo in messages (bsc#1111249)
   - Fix Sles name in base channel filter (Visualization tab) (bsc#1042184)

   subscription-matcher:

   - Set core dumps location for IBM java (bsc#1107302)
   - Fix OutOfMemoryError crashes (bsc#1094524)
   - Updated to version 0.20
   - Update partnumbers rule file (bsc#1095972)
   - Use intermediate object to store confirmed matches within a penalty
     group and prevent infinite reactivation of Inherited virtualization rule
     (bsc#1094524)

   susemanager:

   - Add new option --with-parent-channel to mgr-create-bootstrap-repo to
     specify parent channel to use if multiple options are available
     (bsc#1104487)
   - Add support for postgresql10 (fate#325659)
   - Bootstrap repos for SLE12 SP4 (bsc#1107117)

   susemanager-branding-oss:

   - Use ASCII quotation marks in license file (bsc#1098970)

   susemanager-schema:

   - Check valid postgresql database version

   susemanager-sls:

   - Deploy SSL certificate during onboarding of openSUSE Leap 15.0
     (bsc#1112163)
   - Removed the ssl certificate verification while checking bootstrap repo
     URL (bsc#1095220)
   - Removed the need for curl to be present at bootstrap phase (bsc#1095220)

   susemanager-sync-data:

   - SUSE OpenStack Cloud 9 enablement (bsc#1113557)
   - Add SUSE Manager 3.1 on SLES12 SP4
   - Support SLE12 SP4 product family (bsc#1107117)
   - Add CaaSP 3.0 channels (bsc#1105045)

   Additionally some Java components have been split out of existing packages
   for better maintenance:

   - apache-mybatis
   - hadoop
   - icu4j
   - lucene
   - nekohtml
   - nutch-core
   - picocontainer
   - tagsoup
   - tika-core


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 3.1:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.1-2018-2708=1



Package List:

   - SUSE Manager Server 3.1 (ppc64le s390x x86_64):

      smdba-1.6.2-0.2.9.1
      spacewalk-branding-2.7.2.15-2.25.1
      susemanager-3.1.16-2.26.1
      susemanager-tools-3.1.16-2.26.1

   - SUSE Manager Server 3.1 (noarch):

      apache-mybatis-3.2.3-1.3.1
      hadoop-0.18.1-1.3.1
      icu4j-55.1-1.3.1
      lucene-2.4.1-1.3.1
      nekohtml-1.9.21-1.3.1
      nutch-core-1.0.1-1.3.1
      picocontainer-1.3.7-1.3.1
      py26-compat-salt-2016.11.10-1.16.1
      spacecmd-2.7.8.13-2.26.1
      spacewalk-backend-2.7.73.15-2.26.1
      spacewalk-backend-app-2.7.73.15-2.26.1
      spacewalk-backend-applet-2.7.73.15-2.26.1
      spacewalk-backend-config-files-2.7.73.15-2.26.1
      spacewalk-backend-config-files-common-2.7.73.15-2.26.1
      spacewalk-backend-config-files-tool-2.7.73.15-2.26.1
      spacewalk-backend-iss-2.7.73.15-2.26.1
      spacewalk-backend-iss-export-2.7.73.15-2.26.1
      spacewalk-backend-libs-2.7.73.15-2.26.1
      spacewalk-backend-package-push-server-2.7.73.15-2.26.1
      spacewalk-backend-server-2.7.73.15-2.26.1
      spacewalk-backend-sql-2.7.73.15-2.26.1
      spacewalk-backend-sql-oracle-2.7.73.15-2.26.1
      spacewalk-backend-sql-postgresql-2.7.73.15-2.26.1
      spacewalk-backend-tools-2.7.73.15-2.26.1
      spacewalk-backend-xml-export-libs-2.7.73.15-2.26.1
      spacewalk-backend-xmlrpc-2.7.73.15-2.26.1
      spacewalk-base-2.7.1.19-2.29.1
      spacewalk-base-minimal-2.7.1.19-2.29.1
      spacewalk-base-minimal-config-2.7.1.19-2.29.1
      spacewalk-common-2.7.0.6-2.6.1
      spacewalk-doc-indexes-2.7.0.4-2.6.1
      spacewalk-html-2.7.1.19-2.29.1
      spacewalk-java-2.7.46.17-2.35.1
      spacewalk-java-config-2.7.46.17-2.35.1
      spacewalk-java-lib-2.7.46.17-2.35.1
      spacewalk-java-oracle-2.7.46.17-2.35.1
      spacewalk-java-postgresql-2.7.46.17-2.35.1
      spacewalk-oracle-2.7.0.6-2.6.1
      spacewalk-postgresql-2.7.0.6-2.6.1
      spacewalk-search-2.7.3.6-2.16.1
      spacewalk-taskomatic-2.7.46.17-2.35.1
      spacewalk-utils-2.7.10.9-2.17.1
      subscription-matcher-0.21-4.6.1
      susemanager-branding-oss-3.1.2-3.3.1
      susemanager-schema-3.1.20-2.33.1
      susemanager-sls-3.1.19-2.30.1
      susemanager-sync-data-3.1.16-2.29.1
      tagsoup-1.2.1-1.3.1
      tika-core-1.19.1-1.3.1


References:

   https://www.suse.com/security/cve/CVE-2017-14695.html
   https://www.suse.com/security/cve/CVE-2017-14696.html
   https://bugzilla.suse.com/1034030
   https://bugzilla.suse.com/1037389
   https://bugzilla.suse.com/1042184
   https://bugzilla.suse.com/1080474
   https://bugzilla.suse.com/1090676
   https://bugzilla.suse.com/1094524
   https://bugzilla.suse.com/1094992
   https://bugzilla.suse.com/1095220
   https://bugzilla.suse.com/1095942
   https://bugzilla.suse.com/1095972
   https://bugzilla.suse.com/1096511
   https://bugzilla.suse.com/1098970
   https://bugzilla.suse.com/1099857
   https://bugzilla.suse.com/1100852
   https://bugzilla.suse.com/1101033
   https://bugzilla.suse.com/1104120
   https://bugzilla.suse.com/1104487
   https://bugzilla.suse.com/1105045
   https://bugzilla.suse.com/1105074
   https://bugzilla.suse.com/1105720
   https://bugzilla.suse.com/1105724
   https://bugzilla.suse.com/1105886
   https://bugzilla.suse.com/1106164
   https://bugzilla.suse.com/1106875
   https://bugzilla.suse.com/1107117
   https://bugzilla.suse.com/1107302
   https://bugzilla.suse.com/1107850
   https://bugzilla.suse.com/1107869
   https://bugzilla.suse.com/1109235
   https://bugzilla.suse.com/1111249
   https://bugzilla.suse.com/1111542
   https://bugzilla.suse.com/1112163
   https://bugzilla.suse.com/1113557
   https://bugzilla.suse.com/1113698
   https://bugzilla.suse.com/1113699


