===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4225
      SUSE-SU-2019:2930-1 Security update for SUSE Manager Server 4.0
                             11 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SUSE Manager Server
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10094 CVE-2019-10093 CVE-2019-10088

Reference:         ESB-2019.3706
                   ESB-2019.2910

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2019/suse-su-20192930-1.html

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for SUSE Manager Server 4.0

______________________________________________________________________________

Announcement ID:   SUSE-SU-2019:2930-1
Rating:            moderate
References:        #1133429 #1135442 #1136959 #1138358 #1138454 #1142309
                   #1142764 #1142774 #1143016 #1143562 #1143789 #1144300
                   #1144500 #1144510 #1144515 #1144889 #1145086 #1145119
                   #1145551 #1145587 #1145626 #1145744 #1145750 #1145753
                   #1145758 #1145769 #1145873 #1146416 #1146419 #1146683
                   #1146869 #1148169 #1149075 #1149210 #1149353 #1149409
                   #1149425 #1149633 #1150113 #1150154 #1150180 #1150314
                   #1150729 #1151097 #1151280 #1151399 #1151467 #1151481
                   #1151666 #1151875 #1152170 #1152290 #1152514 #1152735
                   #1153277 #1153578 #1154275 #1155656 #1155794
Cross-References:  CVE-2019-10088 CVE-2019-10093 CVE-2019-10094
Affected Products:
                   SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________

An update that solves three vulnerabilities and has 56 fixes is now available.

Description:


This update fixes the following issues:

cobbler:

  o Fix for install loop caused by autoinstallation profiles (bsc#1151875)
  o Update module config description to match new parameters
  o Add config migration script and run it in post-install script
  o Fix for config backups in post install script (bsc#1149075)
  o Move apache config file cobbler.conf to conf.d directory and remove the
    VirtualHost container as it overwrites rules already set in conf.d
  o Realignment with Cobbler 3.0.0 release candidate.
  o Fix for typo in settings for scm_track module.
  o Optimization for settings loading in scm_track module.


cpu-mitigations-formula:

  o Fix grub entry changed for sle12* so it matches sle15* (bsc#1145873)


mgr-osad:

  o Obsolete all old python2-osa* packages to avoid conflicts (bsc#1152290)


patterns-suse-manager:

  o Add recommends for cpu-mitigations-formula


pgjdbc-ng:

  o Allow dots in database name (bsc#1146416)


prometheus-exporters-formula:

  o Allow to configure arbitrary arguments when running exporters
  o Add support for Debian/Ubuntu and Red Hat systems (RHEL/CentOS)
  o Install the LICENSE together with the package


py26-compat-salt:

  o Get tornado dependency from the system on SLE12 (bsc#1149409)


python-susemanager-retail:

  o Update to version 0.1.1568808472.be9f236
  o Parse partition type 82 as swap in SLEPOS migration (bsc#1136959)
  o Allow kernel command line for branches to be set as an option to
    retail_branch_init CLI
  o Automatically calculate dhcp dynamic range from branch ip if not set


python-urlgrabber:

  o Allow non-integer values for URLGRABBER_DEBUG env variable (bsc#1152514)
  o Fixes usage of log level lookup for Python3 (bsc#1146683)


spacecmd:

  o Java API expects content as encoded string instead of encoded bytes like
    before (bsc#1153277)
  o Fix building and installing on CentOS8/RES8/RHEL8
  o Check that a channel doesn't have clones before deleting it (bsc#1138454)


spacewalk-admin:

  o Avoid a "Permission denied" salt error when publisher_acl is set
    (bsc#1150154)


spacewalk-backend:

  o Fix re-registration with re-activation key (bsc#1154275)
  o Change the default value of taskomatic maxmemory to 4GB
  o Add basic support for importing modular repositories
  o Import additional fields for Deb packages
  o Add script to update additional fields in the DB for existing Deb packages
  o Use active values for diskchecker mails
  o Parse restart_suggested flag from patches and set it as keywords
    (bsc#1151467)
  o Improve error message when deleting channel that's in a content lifecycle
    project (bsc#1145769)
  o Prevent "reposync" crash when handling metadata on RPM repos (bsc#1138358)
  o Do not show expected WARNING messages from "c_rehash"
  o Fix misspelling in spacewalk-repo-sync (bsc#1149633)
  o Remove credentials also from potential rhn.conf backup files in
    spacewalk-debug (bsc#1146419)
  o Do not crash 'rhn-satellite-exporter' with ModuleNotFound error
    (bsc#1146869)
  o spacewalk-remove-channel: check that a channel doesn't have cloned
    channels before deleting it (bsc#1138454)
  o Fix broken spacewalk-data-fsck utility
  o Add '--latest' support for reposync on DEB based repositories
  o Do not try to download RPMs from the unresolved mirrorlist URL
  o Fix encoding issues with DB bytes values (bsc#1144300)
  o Fix import of rhnAuthPAM to avoid issues when using rhnpush.
  o Avoid traceback on mgr-inter-sync when there are problems with cache of
    packages (bsc#1143016)


spacewalk-branding:

  o Improve menu scrollbar style for firefox
  o Add UI message when salt-formulas system folders are unreachable
    (bsc#1142309)


spacewalk-certs-tools:

  o Require mgr-daemon (new name of spacewalksd) so that systems with
    spacewalksd always get the new package installed (bsc#1149353)


spacewalk-client-tools:

  o Require mgr-daemon (new name of spacewalksd) so that systems with
    spacewalksd always get the new package installed (bsc#1149353)
  o Enable spacewalk-update-service on package installation (bsc#1143789)
  o Invalidate cache 5 minutes before actual expiration (bsc#1143562)


spacewalk-config:

  o Change the default value of taskomatic maxmemory to 4GB
  o Resolve modules.yaml file for modular repositories


spacewalk-java:

  o Change the default value of taskomatic maxmemory to 4GB
  o Silence cache strategy Hibernate warning
  o Return result in a type compatible with what is defined in the database
    procedure (bsc#1150729)
  o Allow channels names to start with numbers
  o Fix: handle special deb package names (bsc#1150113)
  o Remove extra spaces in dependencies fields in Debian repo Packages file
    (bsc#1145551)
  o Allow monitoring for managed systems running Ubuntu 18.04 and RedHat 6/7
  o Improve performance for 'Manage Software Channels' view (bsc#1151399)
  o Import additional fields for Deb packages
  o Use value from systemd unit file if not set in /etc/rhn/rhn.conf
  o Implement "keyword" filter for Content Lifecycle Management
  o Add support for Azure, Amazon EC2, and Google Compute Engine as Virtual
    Host Manager.
  o Allow ssl connections from Tomcat to Postgres (bsc#1149210)
  o Use default in case taskomatic.java.maxmemory is unset
  o Fix parsing of /etc/rhn/rhn.conf for taskomatic.java.maxmemory
    (bsc#1151097)
  o Change form order and change project creation message (bsc#1145744)
  o Use 'SCC organization credentials' instead of 'SCC credentials' in error
    message (bsc#1149425)
  o Implement "regular expression" Filter for Content Lifecycle Management
    matching package names, patch name, patch synopsis and package names in
    patches
  o Implement provisioning for salt clients
  o Explicitly mention in API docs that to preserve LF/CR, the user needs to
    encode the data (bsc#1135442)
  o New Single Page Application engine for the UI. It can be enabled with the
    config 'web.spa.enable' set to true
  o Check that a channel doesn't have clones before deleting it (bsc#1138454)
  o Fix documentation of contentmanagement handler (bsc#1145753)
  o Add new API endpoint to list available Filter Criteria
  o Improve API documentation of Filter Criteria
  o Implement "patch contains package" Filter for Content Lifecycle Management
  o Implement Filter Patch "by type" Content Lifecycle Management
  o Improve websocket authentication to prevent errors in logs (bsc#1138454)
  o Implement filtering errata by synopsis in Content Lifecycle Management
  o Normalize date formats for actions, notifications and clm (bsc#1142774)
  o Implement ALLOW filters in Content Lifecycle Management
  o Implement "by date" Filter for Content Lifecycle Management
  o UI render without error if salt-formulas system folders are unreachable
    (bsc#1142309)
  o Cloning Errata from a specific channel should not take packages from other
    channels (bsc#1142764)
  o Add susemanager as prerequired for spacewalk-java


spacewalk-setup:

  o Fix cobbler authentication module configuration required for new cobbler
    package
  o Configure 150 Tomcat workers by default, matching httpd's MaxClients


spacewalk-utils:

  o Add FQDN resolver for spacewalk-manage-channel-lifecycle (bsc#1153578)
  o Common-channels: Fix repo type assignment for type YUM


spacewalk-web:

  o Redirect to project when canceling creating a filter (bsc#1145750)
  o Better visualization of the filters attached to a CLM Project. Allow/deny
    are now split
  o Fix ui issues with content lifecycle project list page (bsc#1145587)
  o Implement "keyword" filter for Content Lifecycle Management
  o Enable Azure, Amazon EC2 and Google Compute Engine as available Virtual
    host Managers
  o Trim strings when creating/updating image stores/profiles (bsc#1133429)
  o Show loading spin while loading salt keys data (bsc#1150180)
  o CLM - Disable clones by default of the shown CLM Project sources
  o Change form order and change project creation message (bsc#1145744)
  o Add UI message when salt-formulas system folders are unreachable
    (bsc#1142309)
  o Implement "regular expression" Filter for Content Lifecycle Management
    matching package names, patch name, patch synopsis and package names in
    patches
  o New Single Page Application engine for the UI. It can be enabled with the
    config 'web.spa.enable' set to true
  o Add environment label when deleting environment (bsc#1145758)
  o Change color of disabled build button on clp page (bsc#1145626)
  o Fix the 'include recommended' button on channels selection in SSM
    (bsc#1145086)
  o Implement "patch contains package" Filter for Content Lifecycle Management
  o Implement Filter Patch "by type" Content Lifecycle Management
  o Implement filtering errata by synopsis in Content Lifecycle Management
  o Normalize date formats for actions, notifications and clm (bsc#1142774)
  o Implement ALLOW filters in Content Lifecycle Management
  o Implement "by date" Filter for Content Lifecycle Management


susemanager:

  o Require dmidecode only for SLE12 aarch64 and x86_64 (bsc#1152170)
  o Require pmtools only for SLE11 i586 and x86_64 (bsc#1150314)
  o Fix test for btrfs subvolume for new btrfs version (bsc#1151666)
  o Ensure working directory is /root during setup (bsc#1148169)
  o Dmidecode does not exist on s390x (bsc#1145119)


susemanager-docs_en:

  o Update text and images (mu-4.0.3); many changes caused by Technical and
    Content Reviews.
  o Added partition permissions to Install Guide (bsc#1152735)
  o Move Disconnected Setup from Client Config to Admin Guide
  o Updated references to documentation.suse.com
    (was: www.suse.com/documentation)
  o Increase default value for taskomatic to 4GB
  o Registering to proxy information in Install Guide
  o Edits to Prometheus section in Admin Guide
  o Update database migration section in Upgrade Guide
  o Update server update, upgrade, and migration chapters in Upgrade Guide
  o Update server installation and setup chapters
  o Update proxy installation and setup chapters
  o Add section about maintenance window in Admin Guide
  o Update Kubernetes chapter
  o Admin Guide: ISS: Adapt the CA path to correspond to SLES 15.1
  o Update image management
  o Update channel management screenshot in Reference
  o Update CLM
  o Provide basic documentation on foreign clients
  o Update info on mgr-sync
  o New images added to Retail Guide
  o Minor edits in Salt Guide
  o Improvements to Troubleshooting section in Admin Guide
  o Removed reference to SLP in Install Guide
  o Minor edits to SSM in Client Config Guide


susemanager-schema:

  o Fix in schema migration script when recreating the 'suseUserRoleView'
    (bsc#1151280)
  o Fix: handle special deb package names (bsc#1150113)
  o Refactor in suseChannelUserRoleView for retrieving the parent_channel_id
    (bsc#1151399)
  o Add tables rhnPackageExtraTag and rhnPackageExtraTagKey
  o Allow monitoring for Ubuntu systems
  o Add new types needed for Azure, Amazon EC2 and Google CE
  o Enable provisioning for salt clients
  o Allow package changelog entries with more than 3000 characters
    (bsc#1144889)


susemanager-sls:

  o Require pmtools only for SLE11 i586 and x86_64 (bsc#1150314)
  o Introduce dnf-susemanager-plugin for RHEL8 minions
  o Provide custom grain to report "instance id" when running on Public Cloud
    instances
  o Disable legacy startup events for new minions
  o Implement provisioning for salt clients
  o Dmidecode does not exist on ppc64le and s390x (bsc#1145119)
  o Update susemanager.conf to use adler32 for computing the server_id for new
    minions
  o Do not show errors when polling internal metadata API (bsc#1155794)
  o Add missing "public_cloud" custom grain (bsc#1155656)


susemanager-sync-data:

  o Ubuntu repositories released


tika-core:

  o New upstream version 1.2.2. Fixes:
      * OOM from a crafted Zip File in Apache Tika's RecursiveParserWrapper
        (CVE-2019-10088) (bsc#1144500).
      * Denial of Service in Apache Tika's 2003ml and 2006ml Parsers
        (CVE-2019-10093) (bsc#1144510).
      * StackOverflow from Crafted Package/Compressed Files in Apache Tika's
        RecursiveParserWrapper (CVE-2019-10094) (bsc#1144515).


virtual-host-gatherer:

  o Add new modules to deal with Amazon EC2, Azure and Google Compute

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for SUSE Manager Server 4.0:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2019-2930=1

Package List:

  o SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x
    x86_64):
       patterns-suma_retail-4.0-9.3.8
       patterns-suma_server-4.0-9.3.8
       spacewalk-branding-4.0.14-3.6.8
       susemanager-4.0.17-3.6.9
       susemanager-tools-4.0.17-3.6.9
  o SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):
       cobbler-3.0.0+git20190806.32c4bae0-7.3.7
       cpu-mitigations-formula-0.1-4.6.7
       mgr-osa-dispatcher-4.0.10-3.6.8
       pgjdbc-ng-0.7.1-3.3.8
       prometheus-exporters-formula-0.4-3.3.7
       pxe-default-image-sle15-4.0.0-20191106084601
       py26-compat-salt-2016.11.10-10.8.8
       python3-mgr-osa-common-4.0.10-3.6.8
       python3-mgr-osa-dispatcher-4.0.10-3.6.8
       python3-spacewalk-backend-libs-4.0.27-3.13.9
       python3-spacewalk-certs-tools-4.0.12-3.6.8
       python3-spacewalk-client-tools-4.0.10-3.6.8
       python3-susemanager-retail-1.0.1568808472.be9f236-3.6.7
       python3-urlgrabber-3.10.2.1py2_3-6.22.6
       spacecmd-4.0.16-3.6.7
       spacewalk-admin-4.0.8-3.3.8
       spacewalk-backend-4.0.27-3.13.9
       spacewalk-backend-app-4.0.27-3.13.9
       spacewalk-backend-applet-4.0.27-3.13.9
       spacewalk-backend-config-files-4.0.27-3.13.9
       spacewalk-backend-config-files-common-4.0.27-3.13.9
       spacewalk-backend-config-files-tool-4.0.27-3.13.9
       spacewalk-backend-iss-4.0.27-3.13.9
       spacewalk-backend-iss-export-4.0.27-3.13.9
       spacewalk-backend-package-push-server-4.0.27-3.13.9
       spacewalk-backend-server-4.0.27-3.13.9
       spacewalk-backend-sql-4.0.27-3.13.9
       spacewalk-backend-sql-postgresql-4.0.27-3.13.9
       spacewalk-backend-tools-4.0.27-3.13.9
       spacewalk-backend-xml-export-libs-4.0.27-3.13.9
       spacewalk-backend-xmlrpc-4.0.27-3.13.9
       spacewalk-base-4.0.16-3.9.8
       spacewalk-base-minimal-4.0.16-3.9.8
       spacewalk-base-minimal-config-4.0.16-3.9.8
       spacewalk-certs-tools-4.0.12-3.6.8
       spacewalk-client-tools-4.0.10-3.6.8
       spacewalk-config-4.0.13-3.3.7
       spacewalk-html-4.0.16-3.9.8
       spacewalk-java-4.0.25-3.10.5
       spacewalk-java-config-4.0.25-3.10.5
       spacewalk-java-lib-4.0.25-3.10.5
       spacewalk-java-postgresql-4.0.25-3.10.5
       spacewalk-setup-4.0.11-3.6.7
       spacewalk-taskomatic-4.0.25-3.10.5
       spacewalk-utils-4.0.13-3.6.8
       susemanager-doc-indexes-4.0-10.9.8
       susemanager-docs_en-4.0-10.9.7
       susemanager-docs_en-pdf-4.0-10.9.7
       susemanager-retail-tools-1.0.1568808472.be9f236-3.6.7
       susemanager-schema-4.0.16-3.8.5
       susemanager-sls-4.0.22-3.10.4
       susemanager-sync-data-4.0.13-3.6.7
       susemanager-web-libs-4.0.16-3.9.8
       tika-core-1.22-3.3.7
       virtual-host-gatherer-1.0.19-3.3.8
       virtual-host-gatherer-Kubernetes-1.0.19-3.3.8
       virtual-host-gatherer-VMware-1.0.19-3.3.8
       virtual-host-gatherer-libcloud-1.0.19-3.3.8


References:

  o https://www.suse.com/security/cve/CVE-2019-10088.html
  o https://www.suse.com/security/cve/CVE-2019-10093.html
  o https://www.suse.com/security/cve/CVE-2019-10094.html
  o https://bugzilla.suse.com/1133429
  o https://bugzilla.suse.com/1135442
  o https://bugzilla.suse.com/1136959
  o https://bugzilla.suse.com/1138358
  o https://bugzilla.suse.com/1138454
  o https://bugzilla.suse.com/1142309
  o https://bugzilla.suse.com/1142764
  o https://bugzilla.suse.com/1142774
  o https://bugzilla.suse.com/1143016
  o https://bugzilla.suse.com/1143562
  o https://bugzilla.suse.com/1143789
  o https://bugzilla.suse.com/1144300
  o https://bugzilla.suse.com/1144500
  o https://bugzilla.suse.com/1144510
  o https://bugzilla.suse.com/1144515
  o https://bugzilla.suse.com/1144889
  o https://bugzilla.suse.com/1145086
  o https://bugzilla.suse.com/1145119
  o https://bugzilla.suse.com/1145551
  o https://bugzilla.suse.com/1145587
  o https://bugzilla.suse.com/1145626
  o https://bugzilla.suse.com/1145744
  o https://bugzilla.suse.com/1145750
  o https://bugzilla.suse.com/1145753
  o https://bugzilla.suse.com/1145758
  o https://bugzilla.suse.com/1145769
  o https://bugzilla.suse.com/1145873
  o https://bugzilla.suse.com/1146416
  o https://bugzilla.suse.com/1146419
  o https://bugzilla.suse.com/1146683
  o https://bugzilla.suse.com/1146869
  o https://bugzilla.suse.com/1148169
  o https://bugzilla.suse.com/1149075
  o https://bugzilla.suse.com/1149210
  o https://bugzilla.suse.com/1149353
  o https://bugzilla.suse.com/1149409
  o https://bugzilla.suse.com/1149425
  o https://bugzilla.suse.com/1149633
  o https://bugzilla.suse.com/1150113
  o https://bugzilla.suse.com/1150154
  o https://bugzilla.suse.com/1150180
  o https://bugzilla.suse.com/1150314
  o https://bugzilla.suse.com/1150729
  o https://bugzilla.suse.com/1151097
  o https://bugzilla.suse.com/1151280
  o https://bugzilla.suse.com/1151399
  o https://bugzilla.suse.com/1151467
  o https://bugzilla.suse.com/1151481
  o https://bugzilla.suse.com/1151666
  o https://bugzilla.suse.com/1151875
  o https://bugzilla.suse.com/1152170
  o https://bugzilla.suse.com/1152290
  o https://bugzilla.suse.com/1152514
  o https://bugzilla.suse.com/1152735
  o https://bugzilla.suse.com/1153277
  o https://bugzilla.suse.com/1153578
  o https://bugzilla.suse.com/1154275
  o https://bugzilla.suse.com/1155656
  o https://bugzilla.suse.com/1155794

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================