===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1197
      SUSE-SU-2020:0856-1 Security update for SUSE Manager Server 3.2
                               3 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SUSE Manager Server 3.2
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1693 CVE-2018-1077 

Reference:         ESB-2020.0922
                   ESB-2019.3003
                   ESB-2019.2936
                   ESB-2019.0790.2

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2020/suse-su-20200856-1.html

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for SUSE Manager Server 3.2

______________________________________________________________________________

Announcement ID:   SUSE-SU-2020:0856-1
Rating:            moderate
References:        #1085414 #1140332 #1155372 #1157317 #1158899 #1159184
                   #1160246 #1161862 #1162609 #1162683 #1163001 #1163538
                   #1164120 #1164563 #1164771 #1165425 #1165921
Cross-References:  CVE-2018-1077 CVE-2020-1693
Affected Products:
                   SUSE Manager Server 3.2
______________________________________________________________________________

An update that solves two vulnerabilities and has 15 fixes is now available.

Description:


This update fixes the following issues:

py26-compat-salt:

  o Replace pycrypto with M2Crypto as dependency for SLE15+ (bsc#1165425)


redstone-xmlrpc:

  o Disable external entity parsing (1790381, bsc#1164120, CVE-2020-1693)
  o Do not download external entities (1555429, bsc#1085414, CVE-2018-1077)


spacecmd:

  o Bugfix: attempt to purge SSM when it is empty (bsc#1155372)


spacewalk-admin:

  o Spell correctly "successful" and "successfully"


spacewalk-backend:

  o When downloading repo metadata, don't add "/" to the repo url if it already
    ends with one (bsc#1158899)
  o Enhance suseProducts via ISS to fix SP migration on slave server
    (bsc#1159184)


spacewalk-certs-tools:

  o Add minion option in config file to disable salt mine when generated by
    bootstrap script (bsc#1163001)


spacewalk-client-tools:

  o Do not crash 'mgr-update-status' because 'long' type is not defined in
    Python 3
  o Add workaround for uptime overflow to spacewalk-update-status as well
    (bsc#1165921)
  o Spell correctly "successful" and "successfully"


spacewalk-java:

  o Fix error when adding systems to ssm with 'add to ssm' button (bsc#1160246)
  o Validate the suseproductchannel table and update missing date when running
    mgr-sync refresh (bsc#1163538)
  o Read the subscriptions from the output instead of input (bsc#1140332)
  o Show additional headers and dependencies for deb packages
  o Use channel name from product tree instead of constructing it (bsc#1157317)


spacewalk-setup:

  o Spell correctly "successful" and "successfully"


spacewalk-utils:

  o Check for delimiter as well when detecting current phase (bsc#1164771)


spacewalk-web:

  o Report merge_subscriptions message in a readable way (bsc#1140332)


subscription-matcher:

  o Add missing library for SLE15 SP2 (slf4j-log4j12)
  o Make the code usable with Math3 on SLES
  o Use log4j12 package on newer SLE versions
  o Aggregate stackable subscriptions with same parameters
  o Implement new "swap move" used in optaplanner (bsc#1140332)
  o Enable aarch64 builds, except for SLE


susemanager:

  o Fix salt bootstrapping on SLE15 (require python3-pycrypto or
    python3-M2Crypto to support all variants) (bsc#1164563)
  o Add bootstrap-repo data for OES 2018 SP2 (bsc#1161862)
  o Add bootstrap-repo data for SLE15 SP2 Family


susemanager-sls:

  o Adapt 'mgractionchains' module to work with Salt 3000
  o Do not workaround util.syncmodules for SSH minions (bsc#1162609)
  o Force to run util.synccustomall when triggering action chains on SSH
    minions (bsc#1162683).


susemanager-sync-data:

  o Add OES 2018 SP2 (bsc#1161862)
  o Rename RHEL 8 Base product
  o Change channel family name according to SCC data


How to apply this update:

  1. Log in as root user to the SUSE Manager server.
  2. Stop the Spacewalk service: spacewalk-service stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Upgrade the database schema: spacewalk-schema-upgrade
  5. Start the Spacewalk service: spacewalk-service start

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Manager Server 3.2:
    zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-856=1

Package List:

  o SUSE Manager Server 3.2 (ppc64le s390x x86_64):
       susemanager-3.2.23-3.40.2
       susemanager-tools-3.2.23-3.40.2
  o SUSE Manager Server 3.2 (noarch):
       py26-compat-salt-2016.11.10-6.35.1
       python2-spacewalk-certs-tools-2.8.8.14-3.23.1
       python2-spacewalk-client-tools-2.8.22.7-3.12.1
       redstone-xmlrpc-1.1_20071120-0.11.3.1
       spacecmd-2.8.25.14-3.32.1
       spacewalk-admin-2.8.4.6-3.12.1
       spacewalk-backend-2.8.57.22-3.48.1
       spacewalk-backend-app-2.8.57.22-3.48.1
       spacewalk-backend-applet-2.8.57.22-3.48.1
       spacewalk-backend-config-files-2.8.57.22-3.48.1
       spacewalk-backend-config-files-common-2.8.57.22-3.48.1
       spacewalk-backend-config-files-tool-2.8.57.22-3.48.1
       spacewalk-backend-iss-2.8.57.22-3.48.1
       spacewalk-backend-iss-export-2.8.57.22-3.48.1
       spacewalk-backend-libs-2.8.57.22-3.48.1
       spacewalk-backend-package-push-server-2.8.57.22-3.48.1
       spacewalk-backend-server-2.8.57.22-3.48.1
       spacewalk-backend-sql-2.8.57.22-3.48.1
       spacewalk-backend-sql-oracle-2.8.57.22-3.48.1
       spacewalk-backend-sql-postgresql-2.8.57.22-3.48.1
       spacewalk-backend-tools-2.8.57.22-3.48.1
       spacewalk-backend-xml-export-libs-2.8.57.22-3.48.1
       spacewalk-backend-xmlrpc-2.8.57.22-3.48.1
       spacewalk-base-2.8.7.23-3.45.1
       spacewalk-base-minimal-2.8.7.23-3.45.1
       spacewalk-base-minimal-config-2.8.7.23-3.45.1
       spacewalk-certs-tools-2.8.8.14-3.23.1
       spacewalk-client-tools-2.8.22.7-3.12.1
       spacewalk-html-2.8.7.23-3.45.1
       spacewalk-java-2.8.78.28-3.47.1
       spacewalk-java-config-2.8.78.28-3.47.1
       spacewalk-java-lib-2.8.78.28-3.47.1
       spacewalk-java-oracle-2.8.78.28-3.47.1
       spacewalk-java-postgresql-2.8.78.28-3.47.1
       spacewalk-setup-2.8.7.10-3.25.1
       spacewalk-taskomatic-2.8.78.28-3.47.1
       spacewalk-utils-2.8.18.6-3.12.1
       subscription-matcher-0.25-4.15.1
       susemanager-sls-3.2.30-3.44.1
       susemanager-sync-data-3.2.19-3.35.1
       susemanager-web-libs-2.8.7.23-3.45.1


References:

  o https://www.suse.com/security/cve/CVE-2018-1077.html
  o https://www.suse.com/security/cve/CVE-2020-1693.html
  o https://bugzilla.suse.com/1085414
  o https://bugzilla.suse.com/1140332
  o https://bugzilla.suse.com/1155372
  o https://bugzilla.suse.com/1157317
  o https://bugzilla.suse.com/1158899
  o https://bugzilla.suse.com/1159184
  o https://bugzilla.suse.com/1160246
  o https://bugzilla.suse.com/1161862
  o https://bugzilla.suse.com/1162609
  o https://bugzilla.suse.com/1162683
  o https://bugzilla.suse.com/1163001
  o https://bugzilla.suse.com/1163538
  o https://bugzilla.suse.com/1164120
  o https://bugzilla.suse.com/1164563
  o https://bugzilla.suse.com/1164771
  o https://bugzilla.suse.com/1165425
  o https://bugzilla.suse.com/1165921

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================