ESB-2019.0467 - [SUSE] SUSE: Denial of service - Remote with user interaction 2019-02-14


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0467
     SUSE Security Update: Security update for SUSE Manager Server 3.2
                             14 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SUSE Manager Server 3.2
                   SUSE Manager Proxy 3.2
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-17197  

Reference:         ESB-2019.0031

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2019/suse-su-20190341-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for SUSE Manager Server 3.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:0341-1
Rating:             moderate
References:         #1089121 #1098826 #1099988 #1104680 #1105720 
                    #1105791 #1110427 #1110757 #1110772 #1111191 
                    #1111686 #1111910 #1111963 #1112121 #1114029 
                    #1114059 #1114115 #1114268 #1114877 #1115029 
                    #1115978 #1116365 #1116566 #1116610 #1116826 
                    #1117759 #1118112 #1118478 #1118917 #1119233 
                    #1119271 #1119320 #1119727 #1119807 #1121038 
                    #1121424 #1122565 #1123902 #1123983 #1124794 
                    #1125097 #987798 
Cross-References:   CVE-2018-17197
Affected Products:
                    SUSE Manager Server 3.2
                    SUSE Manager Proxy 3.2
______________________________________________________________________________

   An update that solves one vulnerability and has 41 fixes is
   now available.

Description:


   This update fixes the following issues:

   branch-network-formula:

   - Netconfig update requires the bind directory to exist for bind forward;
     ensure it (bsc#1116365)
   - Rework network update in branch-network formula (bsc#1116365)

   py26-compat-salt:

   - Remove arch from name when pkg.list_pkgs is called with 'attr'
     (bsc#1114029)

   python-susemanager-retail:

   - Force one python version for SLE12 (python2) and SLE15 (python3)
   - Add disklabel: none to migrated RAID

   saltboot-formula:

   - Use FTP active mode for image download
   - Always deploy image when image is specified in partitioning pillar
     (bsc#1119807)
   - Call blockdev.formatted with force=True
   - Allow RAID images to be defined by saltboot formula
     - image information can be provided directly for disk
     - allow "none" disk label in formula and in that case hide partitioning
       information

   smdba:

   - Tuning: add cpu_tuple_cost (bsc#1105791)

   spacecmd:

   - Fix importing state channels using configchannel_import
   - Fix getting file info for latest revision (via configchannel_filedetails)
   - Add functions to merge errata (softwarechannel_errata_merge) and
     packages (softwarechannel_mergepackages) through spacecmd (bsc#987798)

   spacewalk-admin:

   - Use a Salt engine to process return results (bsc#1099988)

   spacewalk-backend:

   - Move channel update close to commit to avoid long lock (bsc#1121424)
   - Adapt Inter Server Sync code to new SCC sync backend
   - Fix issue raising exceptions 'with_traceback' on Python 2
   - Hide Python traceback and show only error message (bsc#1110427)
   - Honor renamed postgresql10 log directory for supportconfig

   spacewalk-branding:

   - Better label visualization when the input is disabled. (bsc#1110772)

   spacewalk-client-tools:

   - Fix XML-RPC type serialization (bsc#1116610)

   spacewalk-java:

   - Improve salt events processing performance (bsc#1125097)
   - Prevent an error when onboarding a RES 6 minion (bsc#1124794)
   - Support products with multiple base channels
   - Fix ordering of base channels to prevent synchronization errors
     (bsc#1123902)
   - Support products with multiple base channels
   - Avoid a NullPointerException error in Taskomatic (bsc#1119271)
   - Reset channel assignments when base channel changes on registration
     (bsc#1118917)
   - Allow bootstrapping minions with a pending minion key being present
     (bsc#1119727)
   - Hide 'unknown virtual host manager' when virtual host manager of all
     hosts is known (bsc#1119320)
   - Disable notification types with 'java.notifications_type_disabled' in
     rhn.conf (bsc#1111910)
   - Change SCC sync backend to adapt quicker to SCC changes and improve
     speed of syncing metadata and checking for channel dependencies
     (bsc#1089121)
   - Read OEM Orderitems from the DB instead of always creating new items
     (bsc#1098826)
   - Fix mgr-sync refresh when subscription was removed (bsc#1105720)
   - XMLRPC API: Include init.sls in channel file list (bsc#1111191)
   - Fix the config channels assignment via SSM (bsc#1117759)
   - Install product packages during bootstrapping minions (bsc#1104680)
   - Fix cloning channels when managing the same errata for both vendor and
     private orgs (bsc#1111686)
   - Introduce Loggerhead-module.js to store logs from the frontend
   - Removed 'Manage Channels' shortcut for vendor channels (bsc#1115978)
   - Hide already applied errata and channel entries from the output list in
     audit.listSystemsByPatchStatus (bsc#1111963)
   - Prevent failing KickstartCommand when customPosition is null
     (bsc#1112121)
   - Automatically schedule an Action to refresh minion repos after deletion
     of an assigned channel (bsc#1115029)
   - Performance improvements in channel management functionalities
     (bsc#1114877)
   - Show an error message if the state file fails to render (bsc#1110757)
   - When changing basechannel the compatible old childchannels are now
     selected by default. (bsc#1110772)
   - Add check for yast autoinstall profiles when setting kickstartTree
     (bsc#1114115)
   - Use a Salt engine to process return results (bsc#1099988)
   - Fix handling of CVEs including multiple patches in CVE audit
     (bsc#1111963)
   - Fix synchronizing Expanded Support Channel with missing architecture
     (bsc#1122565)

   spacewalk-setup:

   - Use a Salt engine to process return results (bsc#1099988)

   spacewalk-utils:

   - Exit with an error if spacewalk-common-channels does not match any
     channel

   spacewalk-web:

   - Show feedback messages after using the retry option on the notification
     messages page
   - Change SCC sync backend to adapt quicker to SCC changes and improve
     speed of syncing metadata and checking for channel dependencies
   - Fix wording for taskotop (cosmetic only) (bsc#1118112)
   - When changing basechannel the compatible old childchannels are now
     selected by default. (bsc#1110772)

   subscription-matcher:

   - Old style hard bundle merging fix (bsc#1114059)

   susemanager:

   - Add bootstrap repo definition for OES 2018 SP1 (bsc#1116826)
   - Rhnlib was renamed to python2-rhnlib. Change bootstrap data accordingly.
   - Change SCC sync backend to adapt quicker to SCC changes and improve
     speed of syncing metadata and checking for channel dependencies
   - Adapt mgr-create-bootstrap-repo for Uyuni and let it create bootstrap
     repos for openSUSE and CentOS
   - Fetch packages from correct channel when creating a bootstrap repository
   - Fix not found package on mgr-create-bootstrap-repo for SLE-15-s390x
     (bsc#1116566)
   - Add python3-six to bootstrap repo for SLES15 (bsc#1118478)

   susemanager-docs_en:

   - Update text and image files.
   - Enhance forms documentation (more attributes).
   - Proxy: for example, migration from traditional to Salt is not supported.
   - RAM requirements for host running kiwi OS images.
   - Notification properties.
   - Update scalability documentation.

   susemanager-schema:

   - Change SCC sync backend to adapt quicker to SCC changes and improve
     speed of syncing metadata and checking for channel dependencies
   - Performance improvements in channel management functionalities
     (bsc#1114877)
   - Use a Salt engine to process return results (bsc#1099988)

   susemanager-sls:

   - Improve salt events processing performance (bsc#1125097)
   - Allow bootstrapping minions with a pending minion key being present
     (bsc#1119727)
   - Use a Salt engine to process return results (bsc#1099988)

   susemanager-sync-data:

   - Make SUSE Manager Tools channel mandatory (bsc#1123983)
   - Add sle-module-web-scripting for OES2018 (bsc#1119233)
   - Add new set of data for the new SCC sync backend
   - Enable SLE15 SP1 family (bsc#1114268)
   - Enable OES2018 SP1 (bsc#1116826)

   tika-core:

   - CVE-2018-17197: Fixed an infinite loop in the SQLite3Parser of Apache
     Tika (bsc#1121038)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2019-341=1

   - SUSE Manager Proxy 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2019-341=1



Package List:

   - SUSE Manager Server 3.2 (ppc64le s390x x86_64):

      smdba-1.6.3-0.3.6.13
      spacewalk-branding-2.8.5.13-3.13.14
      susemanager-3.2.15-3.16.13
      susemanager-tools-3.2.15-3.16.13

   - SUSE Manager Server 3.2 (noarch):

      branch-network-formula-0.1.1545038754.c983fa6-3.6.13
      netty-4.1.8.Final-2.7.4
      py26-compat-salt-2016.11.10-6.18.14
      python-susemanager-retail-1.0.1544459934.07229ad-2.9.13
      python2-spacewalk-client-tools-2.8.22.4-3.3.13
      saltboot-formula-0.1.1546527519.591e925-3.9.13
      spacecmd-2.8.25.8-3.12.13
      spacewalk-admin-2.8.4.3-3.3.13
      spacewalk-backend-2.8.57.8-3.10.14
      spacewalk-backend-app-2.8.57.8-3.10.14
      spacewalk-backend-applet-2.8.57.8-3.10.14
      spacewalk-backend-config-files-2.8.57.8-3.10.14
      spacewalk-backend-config-files-common-2.8.57.8-3.10.14
      spacewalk-backend-config-files-tool-2.8.57.8-3.10.14
      spacewalk-backend-iss-2.8.57.8-3.10.14
      spacewalk-backend-iss-export-2.8.57.8-3.10.14
      spacewalk-backend-libs-2.8.57.8-3.10.14
      spacewalk-backend-package-push-server-2.8.57.8-3.10.14
      spacewalk-backend-server-2.8.57.8-3.10.14
      spacewalk-backend-sql-2.8.57.8-3.10.14
      spacewalk-backend-sql-oracle-2.8.57.8-3.10.14
      spacewalk-backend-sql-postgresql-2.8.57.8-3.10.14
      spacewalk-backend-tools-2.8.57.8-3.10.14
      spacewalk-backend-xml-export-libs-2.8.57.8-3.10.14
      spacewalk-backend-xmlrpc-2.8.57.8-3.10.14
      spacewalk-base-2.8.7.12-3.16.12
      spacewalk-base-minimal-2.8.7.12-3.16.12
      spacewalk-base-minimal-config-2.8.7.12-3.16.12
      spacewalk-client-tools-2.8.22.4-3.3.13
      spacewalk-html-2.8.7.12-3.16.12
      spacewalk-java-2.8.78.18-3.21.1
      spacewalk-java-config-2.8.78.18-3.21.1
      spacewalk-java-lib-2.8.78.18-3.21.1
      spacewalk-java-oracle-2.8.78.18-3.21.1
      spacewalk-java-postgresql-2.8.78.18-3.21.1
      spacewalk-setup-2.8.7.6-3.13.13
      spacewalk-taskomatic-2.8.78.18-3.21.1
      spacewalk-utils-2.8.18.4-3.6.13
      subscription-matcher-0.22-4.9.13
      susemanager-advanced-topics_en-pdf-3.2-11.15.12
      susemanager-best-practices_en-pdf-3.2-11.15.12
      susemanager-docs_en-3.2-11.15.12
      susemanager-getting-started_en-pdf-3.2-11.15.12
      susemanager-jsp_en-3.2-11.15.12
      susemanager-reference_en-pdf-3.2-11.15.12
      susemanager-retail-tools-1.0.1544459934.07229ad-2.9.13
      susemanager-schema-3.2.16-3.16.13
      susemanager-sls-3.2.20-3.18.1
      susemanager-sync-data-3.2.12-3.14.2
      susemanager-web-libs-2.8.7.12-3.16.12
      tika-core-1.20-3.6.13

   - SUSE Manager Proxy 3.2 (noarch):

      python2-spacewalk-check-2.8.22.4-3.3.13
      python2-spacewalk-client-setup-2.8.22.4-3.3.13
      python2-spacewalk-client-tools-2.8.22.4-3.3.13
      spacewalk-backend-2.8.57.8-3.10.14
      spacewalk-backend-libs-2.8.57.8-3.10.14
      spacewalk-base-minimal-2.8.7.12-3.16.12
      spacewalk-base-minimal-config-2.8.7.12-3.16.12
      spacewalk-check-2.8.22.4-3.3.13
      spacewalk-client-setup-2.8.22.4-3.3.13
      spacewalk-client-tools-2.8.22.4-3.3.13
      spacewalk-proxy-installer-2.8.6.4-3.6.13
      susemanager-web-libs-2.8.7.12-3.16.12
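
   The Package List above gives the fixed name-version-release for every
   package; the following script is an added example (not SUSE's or AusCERT's
   code) that checks an rpm inventory against those fixed levels using the
   same comparison rules librpm applies. FIXED is a subset copied verbatim
   from the list above; INSTALLED_SAMPLE is a constructed stand-in for the
   output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` so the script
   runs offline. It assumes no epochs, as the bulletin lists none.

```python
"""Check installed RPM name-version-release strings against an advisory's
fixed levels.  Added example for SUSE-SU-2019:0341-1, not SUSE's or AusCERT's
code.  FIXED is copied from the bulletin's Package List (a subset);
INSTALLED_SAMPLE is constructed to stand in for
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
Epochs are ignored (the bulletin lists none).
"""
import re
from itertools import zip_longest

# Fixed name-version-release strings, copied verbatim from the bulletin.
FIXED = """
smdba-1.6.3-0.3.6.13
spacewalk-java-2.8.78.18-3.21.1
spacewalk-backend-2.8.57.8-3.10.14
susemanager-sls-3.2.20-3.18.1
tika-core-1.20-3.6.13
""".split()

# Constructed sample inventory (not from a real system): one package newer
# than fixed, one equal, two with an older version, one with the same version
# but an older release, and one the advisory does not cover at all.
INSTALLED_SAMPLE = """
smdba-1.6.3-0.3.6.14
spacewalk-java-2.8.78.18-3.21.1
spacewalk-backend-2.8.57.5-3.9.3
tika-core-1.19-3.3.1
susemanager-sls-3.2.20-3.17.2
bash-4.4-109.23.1
""".split()

# A version string is read as a sequence of numeric segments, alphabetic
# segments and tilde markers; separators such as '.' and '_' are skipped.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def split_nvr(nvr):
    """Split 'name-version-release' into its three parts.

    Package names may contain dashes (spacewalk-java), but version and
    release never do, so split on the last two dashes only.
    """
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def rpmvercmp(a, b):
    """Compare two RPM version or release strings; return -1, 0 or 1.

    Follows librpm's rules: numeric segments compare as integers, alphabetic
    ones lexically, a numeric segment beats an alphabetic one, '~' sorts
    before anything including end of string (so 1.0~rc1 < 1.0), and a string
    with extra trailing segments is newer (1.0.1 > 1.0).
    """
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x is None:
            return -1
        if y is None:
            return 1
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
            continue                      # "01" and "1" are equal
        if x_num != y_num:
            return 1 if x_num else -1     # numeric beats alphabetic
        return -1 if x < y else 1
    return 0


def compare_nvr(installed, fixed):
    """Negative if installed is older than fixed, 0 if equal, positive if newer."""
    _, iv, ir = split_nvr(installed)
    _, fv, fr = split_nvr(fixed)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def find_unpatched(installed, fixed):
    """Return [(installed_nvr, fixed_nvr)] for packages still below the fixed level."""
    fixed_by_name = {split_nvr(f)[0]: f for f in fixed}
    behind = []
    for nvr in installed:
        target = fixed_by_name.get(split_nvr(nvr)[0])
        if target is not None and compare_nvr(nvr, target) < 0:
            behind.append((nvr, target))
    return behind


if __name__ == "__main__":
    for have, want in find_unpatched(INSTALLED_SAMPLE, FIXED):
        print(f"{have} is below fixed level {want}")
```

   On a real SUSE Manager host, replace INSTALLED_SAMPLE with the rpm query
   output and FIXED with the full Package List for the installed product;
   packages not named in the advisory are ignored, and a release-only
   difference (same version, older release) is still reported as unpatched.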


References:

   https://www.suse.com/security/cve/CVE-2018-17197.html
   https://bugzilla.suse.com/1089121
   https://bugzilla.suse.com/1098826
   https://bugzilla.suse.com/1099988
   https://bugzilla.suse.com/1104680
   https://bugzilla.suse.com/1105720
   https://bugzilla.suse.com/1105791
   https://bugzilla.suse.com/1110427
   https://bugzilla.suse.com/1110757
   https://bugzilla.suse.com/1110772
   https://bugzilla.suse.com/1111191
   https://bugzilla.suse.com/1111686
   https://bugzilla.suse.com/1111910
   https://bugzilla.suse.com/1111963
   https://bugzilla.suse.com/1112121
   https://bugzilla.suse.com/1114029
   https://bugzilla.suse.com/1114059
   https://bugzilla.suse.com/1114115
   https://bugzilla.suse.com/1114268
   https://bugzilla.suse.com/1114877
   https://bugzilla.suse.com/1115029
   https://bugzilla.suse.com/1115978
   https://bugzilla.suse.com/1116365
   https://bugzilla.suse.com/1116566
   https://bugzilla.suse.com/1116610
   https://bugzilla.suse.com/1116826
   https://bugzilla.suse.com/1117759
   https://bugzilla.suse.com/1118112
   https://bugzilla.suse.com/1118478
   https://bugzilla.suse.com/1118917
   https://bugzilla.suse.com/1119233
   https://bugzilla.suse.com/1119271
   https://bugzilla.suse.com/1119320
   https://bugzilla.suse.com/1119727
   https://bugzilla.suse.com/1119807
   https://bugzilla.suse.com/1121038
   https://bugzilla.suse.com/1121424
   https://bugzilla.suse.com/1122565
   https://bugzilla.suse.com/1123902
   https://bugzilla.suse.com/1123983
   https://bugzilla.suse.com/1124794
   https://bugzilla.suse.com/1125097
   https://bugzilla.suse.com/987798

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
