===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2966
                Security update for SUSE Manager Server 4.1
                              31 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SUSE Manager Server 4.1
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11022  

Reference:         ESB-2020.2883
                   ESB-2020.2775
                   ESB-2020.2694
                   ESB-2020.2660.2

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2020/suse-su-20202373-1

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for SUSE Manager Server 4.1

______________________________________________________________________________

Announcement ID:   SUSE-SU-2020:2373-1
Rating:            moderate
References:        #1136857 #1165572 #1169553 #1169780 #1170244 #1170468
                   #1170654 #1171281 #1172279 #1172504 #1172709 #1172807
                   #1172831 #1172839 #1173169 #1173522 #1173535 #1173554
                   #1173566 #1173584 #1173932 #1173982 #1173997 #1174025
                   #1174167 #1174201 #1174229 #1174325 #1174405 #1174470
                   #1174965 #1175485 #1175555 #1175558 #1175724 #1175791
                   #678126
Cross-References:  CVE-2020-11022
Affected Products:
                   SUSE Linux Enterprise Module for SUSE Manager Server 4.1
                   SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1
______________________________________________________________________________

An update that solves one vulnerability and has 36 fixes is now available.

Description:

This update fixes the following issues:

cobbler:

  o More old modules naming fixes (bsc#1169553)


image-sync-formula:

  o Allow image-sync state on regular minion. Image sync state requires
    branch-network pillars to get the directory where to sync images. Use
    default `/srv/saltboot` if that pillar is missing so image-sync can be
    applied on non branch minions as well.


mgr-libmod:

  o Remove unnecessary array wrap in 'list_modules' response object


mgr-osad:

  o Move uyuni-base-common dependency from mgr-osad to mgr-osa-dispatcher
    (bsc#1174405)


openvpn-formula:

  o Add hint that ssl certs must be on system (bsc#1172279)


patterns-suse-manager:

  o Add Recommends for golang-github-QubitProducts-exporter_exporter


prometheus-exporters-formula:

  o Bugfix: Handle exporters proxy for unsupported distros (bsc#1175555)
  o Add support for exporters proxy (exporter_exporter)


pxe-default-image-sle15:

  o Rollback the workaround for bsc#1172807, as dracut is now fixed


saltboot-formula:

  o Better fix for rounding errors (bsc#1136857)


spacecmd:

  o Fix softwarechannel update for vendor channels (bsc#1172709)
  o Fix escaping of package names (bsc#1171281)


spacewalk-backend:

  o Adds basic functionality for gpg check
  o Verify GPG signature of Ubuntu/Debian repository metadata (Release file)
  o Take care of SCC auth tokens on DEB repos GPG checks (bsc#1175485)
  o Use spacewalk keyring for GPG checks on DEB repos (bsc#1175485)


spacewalk-branding:

  o Implement Maintenance Windows
  o Fix typo on spacewalk-branding license


spacewalk-certs-tools:

  o Strip SSL Certificate Common Name after 63 Characters (bsc#1173535)
  o Fix centos detection (bsc#1173584)


spacewalk-java:

  o Use media.1/products from the media when not specified otherwise (bsc#1175558)
  o Upgrade jQuery and adapt the code - CVE-2020-11022 (bsc#1172831)
  o Fix error when rolling back a system to a snapshot (bsc#1173997)
  o Implement maintenance windows backend
  o Add check for maintenance window during executing recurring actions
  o Implement maintenance windows in struts
  o XMLRPC: Assign/retract maintenance schedule to/from systems
  o Fix softwarechannel update for vendor channels (bsc#1172709)
  o Avoid deadlock when syncing channels and registering minions at the same
    time (bsc#1173566)
  o Change system list header text to something better (bsc#1173982)
  o Set CPU and memory info for virtual instances (bsc#1170244)
  o Add virtual network Start, Stop and Delete actions
  o Add virtual network list page
  o Fix httpcomponents and gson jar symlinks (bsc#1174229)
  o Enhance RedHat product detection for CentOS and OracleLinux (bsc#1173584)
  o Provide comps.xml and modules.yaml when using onlinerepo for kickstart
  o Refresh virtualization pages only on events
  o Fix up2date detection on RH8 when salt-minion is used for registration
  o Improve performance of the System Groups page with many clients
    (bsc#1172839)
  o Include number of non-patch package updates to non-critical update counts
    in system group pages (bsc#1170468)
  o Bump XMLRPC API version number to distinguish from Spacewalk 2.10
  o Cluster UI: return to overview page after scheduling actions
  o Fix NPE on auto installation when no kernel options are given (bsc#1173932)
  o Fix issue with disabling self_update for autoyast autoupgrade (bsc#1170654)
  o Adapt expectations for jobs return events after switching Salt states to
    use 'mgrcompat.module_run' state.


spacewalk-utils:

  o Add aarch64 for openSUSE Leap 15.1 and 15.2


spacewalk-web:

  o Upgrade jQuery and adapt the code - CVE-2020-11022 (bsc#1172831)
  o Fix JS linting errors/warnings
  o Enable Nutanix AHV virtual host gatherer.
  o Web UI: Implement managing maintenance schedules and calendars
  o Warn when a system is in multiple groups that configure the same formula in
    the system formula's UI (bsc#1173554)
  o Add virtual network start, stop and delete actions
  o Add virtual network list page
  o Fix internal server error when creating module filters in CLM (bsc#1174325)
  o Fix VM creation page when there is no volume in the default storage pool
  o Refresh virtualization pages only on events
  o Product list in the Wizard doesn't show SLE products first (bsc#1173522)
  o Cluster UI: return to overview page after scheduling actions
  o Changes in the logic to update the tick icon.
  o For the postgres localhost:5432 case, use the
  o Fix internal server errors by returning 0 instead of dying
  o Add missing dependency to spacewalk-base-minimal (bsc#678126)
  o Change kickstart to autoinstallation in navigation on pxt pages
  o Debranding


suseRegisterInfo:

  o Enhance RedHat product detection for CentOS and OracleLinux (bsc#1173584)


susemanager:

  o Migrate all occurrences of kickstart to autoinstall in cobbler database
    (bsc#1169780)
  o Define bootstrap repo data for SUSE Manager Proxies (bsc#1174470)
  o Add SLE 15 LTSS Product ID to SLE15 bootstrap repositories, as it is
    required to get python3-M2crypto (bsc#1174167)


susemanager-doc-indexes:

  o Left navigation structure cleaned up
  o Fixed several broken xrefs
  o Added hostname admonition for public cloud sections
  o Clarified Branch Proxy configuration instructions
  o Fixed index page pdf links, urls were 1 step too deep
  o SUSECOM 2020 branding update
  o PDF 2020 branding update
  o WEBUI 2020 branding update
  o Added maintenance window documentation
  o Added SLE client chapter
  o Added 508 compliance
  o Added reverse proxy information to Monitoring in Admin Guide
  o Add note about accessibility to index
  o In the Upgrade Guide, use Major, Minor, and Patch Level terminology for
    versioning.
  o Added docs for nutanix VHM
  o Ubuntu clients using the CLI in SUMA (bsc#1174025)


susemanager-docs_en:

  o Left navigation structure cleaned up
  o Fixed several broken xrefs
  o Added hostname admonition for public cloud sections
  o Clarified Branch Proxy configuration instructions
  o Fixed index page pdf links, urls were 1 step too deep
  o SUSECOM 2020 branding update
  o PDF 2020 branding update
  o WEBUI 2020 branding update
  o Added maintenance window documentation
  o Added SLE client chapter
  o Added 508 compliance
  o Added reverse proxy information to Monitoring in Admin Guide
  o Add note about accessibility to index
  o In the Upgrade Guide, use Major, Minor, and Patch Level terminology for
    versioning.
  o Added docs for nutanix VHM
  o Ubuntu clients using the CLI in SUMA (bsc#1174025)


susemanager-frontend-libs:

  o Upgrade jquery to 3.5.1 - CVE-2020-11022 (bsc#1172831)


susemanager-schema:

  o Add new states and types for virtual instances in order to support Nutanix
    AHV.
  o Implement Maintenance Windows
  o Add virtual network state change action
  o Internal fixes to avoid problems with the idempotency tests


susemanager-sls:

  o Fix the dnf plugin to add the token to the HTTP header (bsc#1175724)
  o Fix: supply a dnf base when dealing w/repos (bsc#1172504)
  o Fix: autorefresh in repos is zypper-only
  o Add virtual network state change state to handle start, stop and delete
  o Add virtual network state change state to handle start and stop
  o Fetch oracle-release when looking for RedHat Product Info (bsc#1173584)
  o Force a refresh after deleting a virtual storage volume
  o Prevent stuck Hardware Refresh actions on Salt 2016.11.10 based SSH minions
    (bsc#1173169)
  o Require PyYAML version >= 5.1
  o Log out of Docker registries after image build (bsc#1165572)
  o Prevent "module.run" deprecation warnings by using custom mgrcompat module


susemanager-sync-data:

  o Remove version from centos and oracle linux identifier (bsc#1173584)


uyuni-common-libs:

  o Fix issues importing RPM packages with long RPM headers (bsc#1174965)


virtual-host-gatherer:

  o Add new gatherer module for Nutanix AHV.


virtualization-host-formula:

  o Ensure kernel-default and libvirt-python3 are installed
  o Set bridge network as default
  o Fix conditionals (bsc#1175791)

yomi-formula:

  o Update to version 0.0.1+git.1595952633.b300be2:
    * pillar: install always kernel-default
    * chroot: python3-base is now a capability
    * Move systemctl calls inside chroot
    * Network: initial work for network declaration
    * MicroOS: Remove tmp subvolume
    * Update format following the new standard
    * Fix __mount_device wrapper


httpcomponents-core:

  o Include the correct package in SUSE Manager Server (no source changes)


httpcomponents-client:

  o Include the correct package in SUSE Manager Server (no source changes)


google-gson:

  o Include the correct package in SUSE Manager Server (no source changes)


How to apply this update:

  1. Log in as root user to the SUSE Manager server.
  2. Stop the Spacewalk service: spacewalk-service stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Upgrade the database schema: spacewalk-schema-upgrade
  5. Start the Spacewalk service: spacewalk-service start

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for SUSE Manager Server 4.1:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2020-2373=1
  o SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.1-2020-2373=1
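The update procedure above, followed by the check an administrator wants afterwards, as an added example that is not part of the SUSE or AusCERT bulletin: it runs the bulletin's steps in order on a SUSE Manager Server 4.1 and then confirms that the packages carrying the CVE-2020-11022 jQuery fix are installed at the versions listed in the Package List below or newer. It assumes GNU coreutils (sort -V) and the rpm/zypper tooling of the server; the --apply flag and the helper function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SUSE or AusCERT bulletin: apply
# SUSE-SU-2020:2373-1 in the order the advisory gives, then verify that
# the packages carrying the CVE-2020-11022 (jQuery) fix are at the
# patched versions. Assumes GNU sort -V and the SLES rpm/zypper tools.
set -eu

# Patch name exactly as given in the bulletin's "Patch Instructions".
PATCH="SUSE-SLE-Module-SUSE-Manager-Server-4.1-2020-2373=1"

# Package name and version-release taken from the bulletin's Package List
# for the packages whose changelog entries cite CVE-2020-11022.
FIXED_PACKAGES="spacewalk-java 4.1.18-3.5.3
spacewalk-base 4.1.15-3.3.6
susemanager-frontend-libs 4.1.0-3.3.6"

# version_ge INSTALLED EXPECTED: succeed when INSTALLED >= EXPECTED.
# sort -V compares each numeric segment as a number, so 3.5.10 > 3.5.3.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# installed_version NAME: print version-release of an installed rpm,
# or "none" when the package is not installed.
installed_version() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null || echo none
}

# verify_fix: check every package in FIXED_PACKAGES; fail on any miss.
verify_fix() {
    rc=0
    while read -r name want; do
        have=$(installed_version "$name")
        if [ "$have" != none ] && version_ge "$have" "$want"; then
            echo "OK   $name $have (>= $want)"
        else
            echo "FAIL $name $have (need >= $want)"
            rc=1
        fi
    done <<EOF
$FIXED_PACKAGES
EOF
    return $rc
}

# apply_update: the bulletin's five steps, which must run as root.
apply_update() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    spacewalk-service stop
    zypper in -t patch "$PATCH"
    spacewalk-schema-upgrade
    spacewalk-service start
}

# Only act when invoked as: sh apply-su-2020-2373.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_update
    verify_fix
fi
```

Running the script without --apply does nothing, so verify_fix can also be sourced and called on its own to audit a server that was patched by other means.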

Package List:

  o SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x
    x86_64):
       golang-github-QubitProducts-exporter_exporter-0.4.0-6.3.6
       openvpn-formula-0.1.1-3.3.6
       patterns-suma_retail-4.1-6.3.6
       patterns-suma_server-4.1-6.3.6
       python3-uyuni-common-libs-4.1.6-3.3.6
       spacewalk-branding-4.1.9-3.3.6
       susemanager-4.1.18-3.3.6
       susemanager-tools-4.1.18-3.3.6
  o SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):
       cobbler-3.0.0+git20190806.32c4bae0-5.3.6
       google-gson-2.8.5-3.2.6
       httpcomponents-client-4.5.6-3.2.6
       httpcomponents-core-4.4.10-3.2.6
       ical4j-3.0.18-3.2.7
       image-sync-formula-0.1.1595937550.0285244-3.3.6
       mgr-libmod-4.1.4-3.3.6
       mgr-osa-dispatcher-4.1.3-2.3.6
       prometheus-exporters-formula-0.7.1-3.5.2
       pxe-default-image-sle15-4.1.0-Build5.3
       python3-mgr-osa-common-4.1.3-2.3.6
       python3-mgr-osa-dispatcher-4.1.3-2.3.6
       python3-spacewalk-certs-tools-4.1.12-3.3.6
       python3-suseRegisterInfo-4.1.3-4.3.6
       saltboot-formula-0.1.1595937550.0285244-3.3.6
       spacecmd-4.1.6-4.3.6
       spacewalk-backend-4.1.14-4.5.2
       spacewalk-backend-app-4.1.14-4.5.2
       spacewalk-backend-applet-4.1.14-4.5.2
       spacewalk-backend-config-files-4.1.14-4.5.2
       spacewalk-backend-config-files-common-4.1.14-4.5.2
       spacewalk-backend-config-files-tool-4.1.14-4.5.2
       spacewalk-backend-iss-4.1.14-4.5.2
       spacewalk-backend-iss-export-4.1.14-4.5.2
       spacewalk-backend-package-push-server-4.1.14-4.5.2
       spacewalk-backend-server-4.1.14-4.5.2
       spacewalk-backend-sql-4.1.14-4.5.2
       spacewalk-backend-sql-postgresql-4.1.14-4.5.2
       spacewalk-backend-tools-4.1.14-4.5.2
       spacewalk-backend-xml-export-libs-4.1.14-4.5.2
       spacewalk-backend-xmlrpc-4.1.14-4.5.2
       spacewalk-base-4.1.15-3.3.6
       spacewalk-base-minimal-4.1.15-3.3.6
       spacewalk-base-minimal-config-4.1.15-3.3.6
       spacewalk-certs-tools-4.1.12-3.3.6
       spacewalk-html-4.1.15-3.3.6
       spacewalk-java-4.1.18-3.5.3
       spacewalk-java-config-4.1.18-3.5.3
       spacewalk-java-lib-4.1.18-3.5.3
       spacewalk-java-postgresql-4.1.18-3.5.3
       spacewalk-taskomatic-4.1.18-3.5.3
       spacewalk-utils-4.1.11-3.3.6
       spacewalk-utils-extras-4.1.11-3.3.6
       suseRegisterInfo-4.1.3-4.3.6
       susemanager-doc-indexes-4.1-11.7.2
       susemanager-docs_en-4.1-11.7.2
       susemanager-docs_en-pdf-4.1-11.7.2
       susemanager-frontend-libs-4.1.0-3.3.6
       susemanager-schema-4.1.12-3.3.6
       susemanager-sls-4.1.14-3.5.2
       susemanager-sync-data-4.1.7-3.3.6
       susemanager-web-libs-4.1.15-3.3.6
       virtual-host-gatherer-1.0.21-4.3.6
       virtual-host-gatherer-Kubernetes-1.0.21-4.3.6
       virtual-host-gatherer-Nutanix-1.0.21-4.3.6
       virtual-host-gatherer-VMware-1.0.21-4.3.6
       virtual-host-gatherer-libcloud-1.0.21-4.3.6
       virtualization-host-formula-0.5-3.3.1
       yomi-formula-0.0.1+git.1595952633.b300be2-3.3.6
  o SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (x86_64):
       golang-github-QubitProducts-exporter_exporter-0.4.0-6.3.6
       patterns-suma_proxy-4.1-6.3.6
       python3-uyuni-common-libs-4.1.6-3.3.6
  o SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (noarch):
       mgr-osad-4.1.3-2.3.6
       python3-mgr-osa-common-4.1.3-2.3.6
       python3-mgr-osad-4.1.3-2.3.6
       python3-spacewalk-certs-tools-4.1.12-3.3.6
       python3-suseRegisterInfo-4.1.3-4.3.6
       spacecmd-4.1.6-4.3.6
       spacewalk-backend-4.1.14-4.5.2
       spacewalk-base-minimal-4.1.15-3.3.6
       spacewalk-base-minimal-config-4.1.15-3.3.6
       spacewalk-certs-tools-4.1.12-3.3.6
       spacewalk-proxy-broker-4.1.2-3.3.6
       spacewalk-proxy-common-4.1.2-3.3.6
       spacewalk-proxy-management-4.1.2-3.3.6
       spacewalk-proxy-package-manager-4.1.2-3.3.6
       spacewalk-proxy-redirect-4.1.2-3.3.6
       spacewalk-proxy-salt-4.1.2-3.3.6
       suseRegisterInfo-4.1.3-4.3.6


References:

  o https://www.suse.com/security/cve/CVE-2020-11022.html
  o https://bugzilla.suse.com/1136857
  o https://bugzilla.suse.com/1165572
  o https://bugzilla.suse.com/1169553
  o https://bugzilla.suse.com/1169780
  o https://bugzilla.suse.com/1170244
  o https://bugzilla.suse.com/1170468
  o https://bugzilla.suse.com/1170654
  o https://bugzilla.suse.com/1171281
  o https://bugzilla.suse.com/1172279
  o https://bugzilla.suse.com/1172504
  o https://bugzilla.suse.com/1172709
  o https://bugzilla.suse.com/1172807
  o https://bugzilla.suse.com/1172831
  o https://bugzilla.suse.com/1172839
  o https://bugzilla.suse.com/1173169
  o https://bugzilla.suse.com/1173522
  o https://bugzilla.suse.com/1173535
  o https://bugzilla.suse.com/1173554
  o https://bugzilla.suse.com/1173566
  o https://bugzilla.suse.com/1173584
  o https://bugzilla.suse.com/1173932
  o https://bugzilla.suse.com/1173982
  o https://bugzilla.suse.com/1173997
  o https://bugzilla.suse.com/1174025
  o https://bugzilla.suse.com/1174167
  o https://bugzilla.suse.com/1174201
  o https://bugzilla.suse.com/1174229
  o https://bugzilla.suse.com/1174325
  o https://bugzilla.suse.com/1174405
  o https://bugzilla.suse.com/1174470
  o https://bugzilla.suse.com/1174965
  o https://bugzilla.suse.com/1175485
  o https://bugzilla.suse.com/1175555
  o https://bugzilla.suse.com/1175558
  o https://bugzilla.suse.com/1175724
  o https://bugzilla.suse.com/1175791
  o https://bugzilla.suse.com/678126

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================