Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.0922
SUSE-SU-2020:0671-1 Security update for SUSE Manager Server 4.0
16 March 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: SUSE Linux Enterprise Module for SUSE Manager Server 4.0
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0
Publisher: SUSE
Operating System: SUSE
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-1693 CVE-2019-16769 CVE-2018-1077
Reference: ESB-2018.2870
Original Bulletin:
https://www.suse.com/support/update/announcement/2020/suse-su-20200671-1.html
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for SUSE Manager Server 4.0
______________________________________________________________________________
Announcement ID: SUSE-SU-2020:0671-1
Rating: moderate
References: #1083326 #1085414 #1121640 #1123274 #1137248 #1140332
#1144176 #1152673 #1152795 #1153269 #1154246 #1154590
#1154599 #1155281 #1155372 #1156751 #1157317 #1157346
#1157447 #1157700 #1157975 #1158178 #1158181 #1158283
#1158480 #1158564 #1158672 #1158697 #1158754 #1158818
#1158899 #1158943 #1159012 #1159023 #1159076 #1159184
#1159492 #1159553 #1160184 #1160940 #1161755 #1161862
#1162609 #1162683 #1164120 #1164309 #1164452 #1164649
#1164875 #1165425 #1165541 #1165927 #1166061 #1166388
Cross-References: CVE-2018-1077 CVE-2019-16769 CVE-2020-1693
Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Server 4.0
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0
______________________________________________________________________________
An update that solves three vulnerabilities and has 51 fixes is now available.
Description:
This update fixes the following issues:
branch-network-formula:
o Update formula to include terminal naming and identification
image-sync-formula:
o Prevent installing xdelta3 package and disable delta functionality on SLE12
branch servers (bsc#1159553)
mgr-osad:
o Take care that osad is not disabled nor deactivated during update (bsc#
1157700, bsc#1158697)
patterns-suse-manager:
o Add recommends for virtualization-host-formula to suma_server pattern
o Add recommends for virtualization-host-formula to retail
prometheus-formula:
o Bugfix: disabled fields not enabled when checkbox is checked
pxe-default-image-sle15:
o Adapt to new kiwi version to fix pre registration in the bare-metal image
(bsc#1153269)
pxe-formula:
o Add support for new features in terminal naming
o Remove branch_id from pxe form, moved to branch-network form
py26-compat-salt:
o Replace pycrypto with M2Crypto as dependency for SLE15+
python-susemanager-retail:
o Add support for terminal naming block
o Add delta support for SLE15 tar.xz bundles
redstone-xmlrpc:
o Disable external entity parsing (1790381, bsc#1164120, CVE-2020-1693)
o Do not download external entities (1555429, bsc#1085414, CVE-2018-1077)
salt-netapi-client:
o Version 0.17.0 See: https://github.com/SUSE/salt-netapi-client/releases/tag
/v0.17.0
spacecmd:
o Bugfix: attempt to purge SSM when it is empty (bsc#1155372)
spacewalk-admin:
o Spell correctly "successful" and "successfully"
spacewalk-backend:
o Fix mgrcfg-client python3 breakage (bsc#1164309)
o Update doc link to point to new documentation server
o Prevent timestamp format exception on mgr-inter-sync while processing comps
(bsc#1157346)
o When downloading repo metadata, don't add "/" to the repo url if it already
ends with one (bsc#1158899)
o Use HTTP proxy settings when fetching the mirrorlist on spacewalk-repo-sync
(bsc#1159076)
o Enhance suseProducts via ISS to fix SP migration on slave server (bsc#
1159184)
o Prevent a traceback when reposyncing openSUSE 15.1 (bsc#1158672)
o Close config files after reading them (bsc#1158283)
o Associate VMs and systems with the same machine ID at bootstrap (bsc#
1144176)
spacewalk-certs-tools:
o Add 'start_event_grains' minion option to configfile when generated by
bootstrap script
o Forbid multiple activation keys for salt minions during bootstrap (bsc#
1164452)
o Add additional minion options to configfile when generated by bootstrap
script (bsc#1159492)
o Change the order to check the version correctly for RES (bsc#1152795)
spacewalk-client-tools:
o Spell correctly "successful" and "successfully"
system-lock-formula:
o Clarified terms along documentation and product (bsc#1166061)
spacewalk-java:
o Feat: enable Salt system lock when CaaSP node is onboarded and add
depedency to 'system-lock-formula' (bsc#1165541)
o Support non discoverable fqdns via custom grain (bsc#1155281)
o Handle the non-existent requested grains gracefully
o Get the machineid grain from the minion startup event
o Use term 'patch' instead of 'errata' (bsc#1164649)
o Enable provisioning API with salt and bootstrap entitled systems
o Fix a problem with removing the monitoring entitlement from a system
o Improve performance when adding systems to system groups (bsc#1158754)
o Migrate pillar and formula data on minion id change (bsc#1161755)
o Change doc links pointing to new documentation server
o Call saltutil.sync_all before calling highstate (bsc#1152673)
o Exclude base products from PAYG (Pay-As-You-Go) instances when doing
subscription matching
o Show additional headers and dependencies for deb packages
o Show adequate message on saving formulas that change only pillar data
o Fix mgr-sync add channel when fromdir is configured (bsc#1160184)
o Handle not found re-activation key (bsc#1159012)
o Write a list of formulas sorted by execution order (bsc#1083326)
o Use channel name from product tree instead of constructing it (bsc#1157317)
o Read the subscriptions from the output instead of input (bsc#1140332)
o Rename rhncfg-actions to mgr-cfg-actions in UI advice (bsc#1137248)
o Fix container image import (bsc#1154246)
o Add missing permission checks on formula api (bsc#1123274)
o Generate metadata with empty vendor (bsc#1158480)
o Remove undefined variable from redhat_register snippet
o Add a method in API to check if the provided session key is a valid one.
o Associate VMs and systems with the same machine ID at bootstrap (bsc#
1144176)
o Fix minion id when applying engine-events state (bsc#1158181)
o Remove unnecessary WARN log entries from Kubernetes integration
o Fix for pillar not being refreshed when CaaSP pattern is detected upon
software profile update (bsc#1166061)
spacewalk-search:
o Make rhn-search log to correct file (bsc#1156751)
spacewalk-setup:
o Spell correctly "successful" and "successfully"
o create AJP connector for tomcat if it does not exist (bsc#1165927, bsc#
1166388)
spacewalk-utils:
o Spell "successfully" correctly
spacewalk-web:
o Don't validate mandatory fields that are not visible (bsc#1158943)
o Fix count of changes to build (bsc#1160940)
o Report merge_subscriptions message in a readable way (bsc#1140332)
o Fix ordering by date (bsc#1158818)
subscription-matcher:
o Add missing library for SLE15 SP2 (slf4j-log4j12)
o Make the code usable with Math3 on SLES
o Use log4j12 package on newer SLE versions
o Aggregate stackable subscriptions with same parameters
o Implement new "swap move" used in optaplanner (bsc#1140332)
o Enable aarch64 builds, except for SLE
susemanager:
o Add missing python libraries to RES8/RHEL8/CentOS 8 boostrap repos (bsc#
1164875)
o Add bootstrap-repo data for OES 2018 SP2 (bsc#1161862)
o Add bootstrap-repo data for SLE15 SP2 Family
o Fix documentation URL in installer (bsc#1154590)
o Update requirements to match documented values (bsc#1154599)
susemanager-doc-indexes:
o Adding Additional FQDNS for Proxies with Salt
o Reference guide review and update moving content into tabular format
o Autogenerate pdf index from antora html nav lists
o Documentation needs to address using RHEL8 in the correct way (bsc#1159023)
o Traditional clients bootstrap, the example applies to SLES ES 7 only (bsc#
1158564)
o Remove auditlog-keeper from list
o Removed duplicate client requirements entries
o Fix missing spaces throughout docs
o Added the complete path for using manager-setup
o Fix typo in vhm-kubernetes
o Cleaned up client registration documents
o Improved ubuntu instructions
o Explain how to compose a DSN string for monitoring
o Added publishing dates to individual book intros
o Updated common spacewalk-common-channels usage
o Adding Additional FQDNS for Proxies with Salt
o Reference guide review and update moving content into tabular format
o Autogenerate pdf index from antora html nav lists
o Documentation needs to address using RHEL8 in the correct way (bsc#1159023)
o Traditional clients bootstrap, the example applies to SLES ES 7 only (bsc#
1158564)
o Remove auditlog-keeper from list
o Removed duplicate client requirements entries
o Fix missing spaces throughout docs
o Added the complete path for using manager-setup
o Fix typo in vhm-kubernetes
o Cleaned up client registration documents
o Improved ubuntu instructions
o Explain how to compose a DSN string for monitoring
o Added publishing dates to individual book intros
o Updated common spacewalk-common-channels usage
susemanager-docs_en:
o Adding Additional FQDNS for Proxies with Salt
o Reference guide review and update moving content into tabular format
o Autogenerate pdf index from antora html nav lists
o Documentation needs to address using RHEL8 in the correct way (bsc#1159023)
o Traditional clients bootstrap, the example applies to SLES ES 7 only (bsc#
1158564)
o Remove auditlog-keeper from list
o Removed duplicate client requirements entries
o Fix missing spaces throughout docs
o Added the complete path for using manager-setup
o Fix typo in vhm-kubernetes
o Cleaned up client registration documents
o Improved ubuntu instructions
o Explain how to compose a DSN string for monitoring
o Added publishing dates to individual book intros
o Updated common spacewalk-common-channels usage
o Adding Additional FQDNS for Proxies with Salt
o Reference guide review and update moving content into tabular format
o Autogenerate pdf index from antora html nav lists
o Documentation needs to address using RHEL8 in the correct way (bsc#1159023)
o Traditional clients bootstrap, the example applies to SLES ES 7 only (bsc#
1158564)
o Remove auditlog-keeper from list
o Removed duplicate client requirements entries
o Fix missing spaces throughout docs
o Added the complete path for using manager-setup
o Fix typo in vhm-kubernetes
o Cleaned up client registration documents
o Improved ubuntu instructions
o Explain how to compose a DSN string for monitoring
o Added publishing dates to individual book intros
o Updated common spacewalk-common-channels usage
susemanager-schema:
o Add new 'payg' attribute to rhnServer table
o Enable re-activation keys for salt managed systems (bsc#1159012)
o Generate metadata with empty vendor (bsc#1158480)
o Fix rhnActionVirtDelete when migrating from 3.2 to 4.0 (bsc#1158178)
susemanager-sls:
o Install dmidecode before HW profile update when missing
o Add mgr_start_event_grains.sls to update minion config
o Add 'product' custom state module to handle installation of SUSE products
at client side (bsc#1157447)
o Support reading of pillar data for minions from multiple files (bsc#
1158754)
o Do not workaround util.syncmodules for SSH minions (bsc#1162609)
o Force to run util.synccustomall when triggering action chains on SSH
minions (bsc#1162683).
o Add custom 'is_payg_instance' grain when instance is PAYG and not BYOS.
o Adapt sls file for pre-downloading in Ubuntu minions
o Sort formulas by execution order (bsc#1083326)
o Split remove_traditional_stack into two parts. One for all systems and
another for clients not being a Uyuni Server or Proxy (bsc#1121640)
o Change the order to check the version correctly for RES (bsc#1152795)
o Do not break Servers registering to a Server
o Remove the virt-poller cache when applying Virtualization entitlement
o Force HTTP request timeout on public cloud grain (bsc#1157975)
susemanager-sync-data:
o Add OES 2018 SP2 (bsc#1161862)
o Rename RHEL 8 Base product
o Change channel family name according to SCC data
How to apply this update: 1. Log in as root user to the SUSE Manager server. 2.
Stop the Spacewalk service: spacewalk-service stop 3. Apply the patch using
either zypper patch or YaST Online Update. 4. Upgrade the database schema:
spacewalk-schema-upgrade 5. Start the Spacewalk service: spacewalk-service
start
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Linux Enterprise Module for SUSE Manager Server 4.0:
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-671=1
o SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0:
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.0-2020-671=1
Package List:
o SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x
x86_64):
patterns-suma_retail-4.0-9.10.2
patterns-suma_server-4.0-9.10.2
susemanager-4.0.22-3.20.3
susemanager-tools-4.0.22-3.20.3
o SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):
branch-network-formula-0.1.1580471316.1839544-3.10.2
image-sync-formula-0.1.1579102150.4716559-3.11.2
mgr-osa-dispatcher-4.0.11-3.9.2
prometheus-formula-0.1-4.7.2
pxe-default-image-sle15-4.0.1-20200305173027
pxe-formula-0.1.1580384994.6076a7e-3.11.2
py26-compat-salt-2016.11.10-10.11.2
python3-mgr-osa-common-4.0.11-3.9.2
python3-mgr-osa-dispatcher-4.0.11-3.9.2
python3-spacewalk-backend-libs-4.0.30-3.23.3
python3-spacewalk-certs-tools-4.0.15-3.15.2
python3-spacewalk-client-tools-4.0.12-3.13.2
python3-susemanager-retail-1.0.1580471316.1839544-3.13.2
redstone-xmlrpc-1.1_20071120-0.11.3.2
salt-netapi-client-0.17.0-4.3.2
spacecmd-4.0.18-3.13.2
spacewalk-admin-4.0.9-3.6.2
spacewalk-backend-4.0.30-3.23.3
spacewalk-backend-app-4.0.30-3.23.3
spacewalk-backend-applet-4.0.30-3.23.3
spacewalk-backend-config-files-4.0.30-3.23.3
spacewalk-backend-config-files-common-4.0.30-3.23.3
spacewalk-backend-config-files-tool-4.0.30-3.23.3
spacewalk-backend-iss-4.0.30-3.23.3
spacewalk-backend-iss-export-4.0.30-3.23.3
spacewalk-backend-package-push-server-4.0.30-3.23.3
spacewalk-backend-server-4.0.30-3.23.3
spacewalk-backend-sql-4.0.30-3.23.3
spacewalk-backend-sql-postgresql-4.0.30-3.23.3
spacewalk-backend-tools-4.0.30-3.23.3
spacewalk-backend-xml-export-libs-4.0.30-3.23.3
spacewalk-backend-xmlrpc-4.0.30-3.23.3
spacewalk-base-4.0.19-3.18.3
spacewalk-base-minimal-4.0.19-3.18.3
spacewalk-base-minimal-config-4.0.19-3.18.3
spacewalk-certs-tools-4.0.15-3.15.2
spacewalk-client-tools-4.0.12-3.13.2
spacewalk-html-4.0.19-3.18.3
spacewalk-java-4.0.31-3.23.1
spacewalk-java-config-4.0.31-3.23.1
spacewalk-java-lib-4.0.31-3.23.1
spacewalk-java-postgresql-4.0.31-3.23.1
spacewalk-search-4.0.9-3.11.2
spacewalk-setup-4.0.13-3.11.1
spacewalk-taskomatic-4.0.31-3.23.1
spacewalk-utils-4.0.16-3.15.2
subscription-matcher-0.25-3.3.2
susemanager-doc-indexes-4.0-10.18.2
susemanager-docs_en-4.0-10.18.2
susemanager-docs_en-pdf-4.0-10.18.2
susemanager-retail-tools-1.0.1580471316.1839544-3.13.2
susemanager-schema-4.0.18-3.17.2
susemanager-sls-4.0.24-3.17.2
susemanager-sync-data-4.0.16-3.15.2
susemanager-web-libs-4.0.19-3.18.3
system-lock-formula-0.2-4.5.1
virtualization-host-formula-0.2-4.3.2
o SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0 (ppc64le s390x
x86_64):
patterns-suma_proxy-4.0-9.10.2
o SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0 (noarch):
mgr-osad-4.0.11-3.9.2
python3-mgr-osa-common-4.0.11-3.9.2
python3-mgr-osad-4.0.11-3.9.2
python3-spacewalk-backend-libs-4.0.30-3.23.3
python3-spacewalk-certs-tools-4.0.15-3.15.2
python3-spacewalk-check-4.0.12-3.13.2
python3-spacewalk-client-setup-4.0.12-3.13.2
python3-spacewalk-client-tools-4.0.12-3.13.2
spacecmd-4.0.18-3.13.2
spacewalk-backend-4.0.30-3.23.3
spacewalk-base-minimal-4.0.19-3.18.3
spacewalk-base-minimal-config-4.0.19-3.18.3
spacewalk-certs-tools-4.0.15-3.15.2
spacewalk-check-4.0.12-3.13.2
spacewalk-client-setup-4.0.12-3.13.2
spacewalk-client-tools-4.0.12-3.13.2
supportutils-plugin-susemanager-client-4.0.3-3.3.2
supportutils-plugin-susemanager-proxy-4.0.3-3.3.2
References:
o https://www.suse.com/security/cve/CVE-2018-1077.html
o https://www.suse.com/security/cve/CVE-2019-16769.html
o https://www.suse.com/security/cve/CVE-2020-1693.html
o https://bugzilla.suse.com/1083326
o https://bugzilla.suse.com/1085414
o https://bugzilla.suse.com/1121640
o https://bugzilla.suse.com/1123274
o https://bugzilla.suse.com/1137248
o https://bugzilla.suse.com/1140332
o https://bugzilla.suse.com/1144176
o https://bugzilla.suse.com/1152673
o https://bugzilla.suse.com/1152795
o https://bugzilla.suse.com/1153269
o https://bugzilla.suse.com/1154246
o https://bugzilla.suse.com/1154590
o https://bugzilla.suse.com/1154599
o https://bugzilla.suse.com/1155281
o https://bugzilla.suse.com/1155372
o https://bugzilla.suse.com/1156751
o https://bugzilla.suse.com/1157317
o https://bugzilla.suse.com/1157346
o https://bugzilla.suse.com/1157447
o https://bugzilla.suse.com/1157700
o https://bugzilla.suse.com/1157975
o https://bugzilla.suse.com/1158178
o https://bugzilla.suse.com/1158181
o https://bugzilla.suse.com/1158283
o https://bugzilla.suse.com/1158480
o https://bugzilla.suse.com/1158564
o https://bugzilla.suse.com/1158672
o https://bugzilla.suse.com/1158697
o https://bugzilla.suse.com/1158754
o https://bugzilla.suse.com/1158818
o https://bugzilla.suse.com/1158899
o https://bugzilla.suse.com/1158943
o https://bugzilla.suse.com/1159012
o https://bugzilla.suse.com/1159023
o https://bugzilla.suse.com/1159076
o https://bugzilla.suse.com/1159184
o https://bugzilla.suse.com/1159492
o https://bugzilla.suse.com/1159553
o https://bugzilla.suse.com/1160184
o https://bugzilla.suse.com/1160940
o https://bugzilla.suse.com/1161755
o https://bugzilla.suse.com/1161862
o https://bugzilla.suse.com/1162609
o https://bugzilla.suse.com/1162683
o https://bugzilla.suse.com/1164120
o https://bugzilla.suse.com/1164309
o https://bugzilla.suse.com/1164452
o https://bugzilla.suse.com/1164649
o https://bugzilla.suse.com/1164875
o https://bugzilla.suse.com/1165425
o https://bugzilla.suse.com/1165541
o https://bugzilla.suse.com/1165927
o https://bugzilla.suse.com/1166061
o https://bugzilla.suse.com/1166388
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXm7SCGaOgq3Tt24GAQjoyxAAxi/7LKh6C/ER7Yw5T2H1srHD74kXw0en
WyCiRa5MohfFN+Vd7i7GCiGJgiyJYxINVHJRXD82fc9A2ve15UqFXqmtuzAuXFC+
QEkZHHaXo9HbEVLIh9sDyCa/6oWQmzzcEhLV1VmmDTTU4bCq9W95t/9gBSpVG5qI
+30LxlZWI/7xnaMNHeaIrEL+iBCPWMZLu037h2eGieQ/l6S9KNFWGgpmgVQedd2m
I9is2HaTI5hb2Tb27/WWy4S19v9/jMBiCfuIpHp6JVhZsftfz5rsE9Ov9OKDxxlh
oS176OZBplXGaI/b7M1adt5xnmaaTb88YN9ZNiayLPoMTMjcRpgDI3cC3vDTuTuE
xRZ/GHwQnTmT5ccgVgqoZ2NIyMktB9dJ3HTB82V8ob4EXRLppPYwYknyjlKlfblN
y9xPcchMML2lE6JLb/xAgwp9cEdTwQmVgGjkV1C8aOFpIfB90PoG7ZkxjYmeGotG
HPg61EIQ7RpYXYZKXFKhp0IiBs9mEwdYKu3gj+tmc8Oia5EZ/LB38mV3druf0M7H
5xojBMKp5cZ6uFMySmAzxgZTeZpqVpXnKeAKsAn381JfdSqb1T7HUbOQ6DRfoMFd
FVW5vf7O2eVo4NQUbbQ3CCqouqNQeA1MuhiT0iW1i1gIc3hn3t0Hl51r7+VDKPuu
UYusvAf0SgQ=
=0hoP
-----END PGP SIGNATURE-----