===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1197
       SUSE-SU-2020:0856-1 Security update for SUSE Manager Server 3.2
                               3 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SUSE Manager Server 3.2
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1693 CVE-2018-1077
Reference:         ESB-2020.0922 ESB-2019.3003 ESB-2019.2936 ESB-2019.0790.2

Original Bulletin:
   https://www.suse.com/support/update/announcement/2020/suse-su-20200856-1.html

--------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for SUSE Manager Server 3.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0856-1
Rating:             moderate
References:         #1085414 #1140332 #1155372 #1157317 #1158899 #1159184
                    #1160246 #1161862 #1162609 #1162683 #1163001 #1163538
                    #1164120 #1164563 #1164771 #1165425 #1165921
Cross-References:   CVE-2018-1077 CVE-2020-1693
Affected Products:
                    SUSE Manager Server 3.2
______________________________________________________________________________

An update that solves two vulnerabilities and has 15 fixes is now available.
Description:

This update fixes the following issues:

py26-compat-salt:

  o Replace pycrypto with M2Crypto as dependency for SLE15+ (bsc#1165425)

redstone-xmlrpc:

  o Disable external entity parsing (1790381, bsc#1164120, CVE-2020-1693)
  o Do not download external entities (1555429, bsc#1085414, CVE-2018-1077)

spacecmd:

  o Bugfix: attempt to purge SSM when it is empty (bsc#1155372)

spacewalk-admin:

  o Spell correctly "successful" and "successfully"

spacewalk-backend:

  o When downloading repo metadata, don't add "/" to the repo url if it
    already ends with one (bsc#1158899)
  o Enhance suseProducts via ISS to fix SP migration on slave server
    (bsc#1159184)

spacewalk-certs-tools:

  o Add minion option in config file to disable salt mine when generated by
    bootstrap script (bsc#1163001)

spacewalk-client-tools:

  o Do not crash 'mgr-update-status' because 'long' type is not defined in
    Python 3
  o Add workaround for uptime overflow to spacewalk-update-status as well
    (bsc#1165921)
  o Spell correctly "successful" and "successfully"

spacewalk-java:

  o Fix error when adding systems to ssm with 'add to ssm' button
    (bsc#1160246)
  o Validate the suseproductchannel table and update missing date when
    running mgr-sync refresh (bsc#1163538)
  o Read the subscriptions from the output instead of input (bsc#1140332)
  o Show additional headers and dependencies for deb packages
  o Use channel name from product tree instead of constructing it
    (bsc#1157317)

spacewalk-setup:

  o Spell correctly "successful" and "successfully"

spacewalk-utils:

  o Check for delimiter as well when detecting current phase (bsc#1164771)

spacewalk-web:

  o Report merge_subscriptions message in a readable way (bsc#1140332)

subscription-matcher:

  o Add missing library for SLE15 SP2 (slf4j-log4j12)
  o Make the code usable with Math3 on SLES
  o Use log4j12 package on newer SLE versions
  o Aggregate stackable subscriptions with same parameters
  o Implement new "swap move" used in optaplanner (bsc#1140332)
  o Enable aarch64 builds, except for SLE
susemanager:

  o Fix salt bootstrapping on SLE15 (require python3-pycrypto or
    python3-M2Crypto to support all variants) (bsc#1164563)
  o Add bootstrap-repo data for OES 2018 SP2 (bsc#1161862)
  o Add bootstrap-repo data for SLE15 SP2 Family

susemanager-sls:

  o Adapt 'mgractionchains' module to work with Salt 3000
  o Do not workaround util.syncmodules for SSH minions (bsc#1162609)
  o Force to run util.synccustomall when triggering action chains on SSH
    minions (bsc#1162683).

susemanager-sync-data:

  o Add OES 2018 SP2 (bsc#1161862)
  o Rename RHEL 8 Base product
  o Change channel family name according to SCC data

How to apply this update:

  1. Log in as root user to the SUSE Manager server.
  2. Stop the Spacewalk service:

       spacewalk-service stop

  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Upgrade the database schema:

       spacewalk-schema-upgrade

  5. Start the Spacewalk service:

       spacewalk-service start

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
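A defender-side check, added here and not part of the SUSE or AusCERT bulletin: before the Spacewalk service is started again, compare what rpm reports against the fixed versions from this advisory's package list. It assumes the query format `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, uses a simplified rpmvercmp that ignores epochs, and runs on constructed sample output rather than a real host.

```python
import re

# Fixed versions copied from the advisory's package list for SUSE Manager Server 3.2.
FIXED = {
    "redstone-xmlrpc": "1.1_20071120-0.11.3.1",
    "spacewalk-java": "2.8.78.28-3.47.1",
    "spacewalk-backend": "2.8.57.22-3.48.1",
    "susemanager": "3.2.23-3.40.2",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`; not a real host.
SAMPLE_RPM_QA = """\
redstone-xmlrpc 1.1_20071120-0.11.2.1
spacewalk-java 2.8.78.28-3.47.1
spacewalk-backend 2.8.57.20-3.45.1
susemanager 3.2.23-3.40.2
"""

def vercmp(a, b):
    """Simplified rpmvercmp: tokens are runs of digits or letters (anything else
    separates); digits compare numerically, letters lexically, and a numeric
    segment sorts after an alphabetic one. Returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[a-zA-Z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'VERSION-RELEASE' strings as rpm does: version first, then release (epoch ignored)."""
    av, _, ar = a.rpartition("-")
    bv, _, br = b.rpartition("-")
    return vercmp(av, bv) or vercmp(ar, br)

def outdated(rpm_qa_output, fixed=FIXED):
    """Return {name: (installed, fixed)} for listed packages still below the fixed version."""
    result = {}
    for line in rpm_qa_output.splitlines():
        name, _, evr = line.partition(" ")
        if name in fixed and evr_cmp(evr, fixed[name]) < 0:
            result[name] = (evr, fixed[name])
    return result
```

On a real server, feed the output of the rpm query into `outdated()` and extend `FIXED` with the remaining entries from the package list below; an empty result means every listed package is at or above the patched version.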
Alternatively you can run the command listed for your product:

  o SUSE Manager Server 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-856=1

Package List:

  o SUSE Manager Server 3.2 (ppc64le s390x x86_64):

      susemanager-3.2.23-3.40.2
      susemanager-tools-3.2.23-3.40.2

  o SUSE Manager Server 3.2 (noarch):

      py26-compat-salt-2016.11.10-6.35.1
      python2-spacewalk-certs-tools-2.8.8.14-3.23.1
      python2-spacewalk-client-tools-2.8.22.7-3.12.1
      redstone-xmlrpc-1.1_20071120-0.11.3.1
      spacecmd-2.8.25.14-3.32.1
      spacewalk-admin-2.8.4.6-3.12.1
      spacewalk-backend-2.8.57.22-3.48.1
      spacewalk-backend-app-2.8.57.22-3.48.1
      spacewalk-backend-applet-2.8.57.22-3.48.1
      spacewalk-backend-config-files-2.8.57.22-3.48.1
      spacewalk-backend-config-files-common-2.8.57.22-3.48.1
      spacewalk-backend-config-files-tool-2.8.57.22-3.48.1
      spacewalk-backend-iss-2.8.57.22-3.48.1
      spacewalk-backend-iss-export-2.8.57.22-3.48.1
      spacewalk-backend-libs-2.8.57.22-3.48.1
      spacewalk-backend-package-push-server-2.8.57.22-3.48.1
      spacewalk-backend-server-2.8.57.22-3.48.1
      spacewalk-backend-sql-2.8.57.22-3.48.1
      spacewalk-backend-sql-oracle-2.8.57.22-3.48.1
      spacewalk-backend-sql-postgresql-2.8.57.22-3.48.1
      spacewalk-backend-tools-2.8.57.22-3.48.1
      spacewalk-backend-xml-export-libs-2.8.57.22-3.48.1
      spacewalk-backend-xmlrpc-2.8.57.22-3.48.1
      spacewalk-base-2.8.7.23-3.45.1
      spacewalk-base-minimal-2.8.7.23-3.45.1
      spacewalk-base-minimal-config-2.8.7.23-3.45.1
      spacewalk-certs-tools-2.8.8.14-3.23.1
      spacewalk-client-tools-2.8.22.7-3.12.1
      spacewalk-html-2.8.7.23-3.45.1
      spacewalk-java-2.8.78.28-3.47.1
      spacewalk-java-config-2.8.78.28-3.47.1
      spacewalk-java-lib-2.8.78.28-3.47.1
      spacewalk-java-oracle-2.8.78.28-3.47.1
      spacewalk-java-postgresql-2.8.78.28-3.47.1
      spacewalk-setup-2.8.7.10-3.25.1
      spacewalk-taskomatic-2.8.78.28-3.47.1
      spacewalk-utils-2.8.18.6-3.12.1
      subscription-matcher-0.25-4.15.1
      susemanager-sls-3.2.30-3.44.1
      susemanager-sync-data-3.2.19-3.35.1
      susemanager-web-libs-2.8.7.23-3.45.1

References:

  o https://www.suse.com/security/cve/CVE-2018-1077.html
  o https://www.suse.com/security/cve/CVE-2020-1693.html
  o https://bugzilla.suse.com/1085414
  o https://bugzilla.suse.com/1140332
  o https://bugzilla.suse.com/1155372
  o https://bugzilla.suse.com/1157317
  o https://bugzilla.suse.com/1158899
  o https://bugzilla.suse.com/1159184
  o https://bugzilla.suse.com/1160246
  o https://bugzilla.suse.com/1161862
  o https://bugzilla.suse.com/1162609
  o https://bugzilla.suse.com/1162683
  o https://bugzilla.suse.com/1163001
  o https://bugzilla.suse.com/1163538
  o https://bugzilla.suse.com/1164120
  o https://bugzilla.suse.com/1164563
  o https://bugzilla.suse.com/1164771
  o https://bugzilla.suse.com/1165425
  o https://bugzilla.suse.com/1165921

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================