
             AUSCERT External Security Bulletin Redistribution

                Security update for SUSE Manager Server 4.0
                             26 November 2020


        AusCERT Security Bulletin Summary

Product:           SUSE Manager Server 4.0
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13692 CVE-2018-10936 

Reference:         ESB-2020.3558

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

Security update for SUSE Manager Server 4.0

SUSE Security Update: Security update for SUSE Manager Server 4.0
-------------------------------------------------------------------------------

Announcement ID:  SUSE-SU-2020:3466-1
Rating:           moderate
References:       #1144447 #1172079 #1173199 #1175739 #1175876 #1175987
                  #1176074 #1176172 #1177336 #1177435 #1177790 #1178060
                  #1178145
Cross-References: CVE-2018-10936 CVE-2020-13692
Affected Products:
                  SUSE Linux Enterprise Module for SUSE Manager Server 4.0

-------------------------------------------------------------------------------

An update that solves two vulnerabilities and has 12 fixes is now available.


This update fixes the following issues:

  * Temporarily disable dnssec-validation as hotfix for bsc#1177790
  * Update to version 0.1.1603299886.60e4bcf


  * Use variable for product name
  * Add support for system groups in Client Systems dashboard


  * Address CVE-2020-13692 (bsc#1172079)
  * Add patch:
  * Major changes since 9.4-1200:
    * License changed to BSD-2-Clause and BSD-3-Clause and Apache-2.0
    * Support PostgreSQL 9.5, 9.6, 10, 11 and 12 added
    * Support for PostgreSQL versions below 8.2 was dropped
    * Support for JDK8, JDK9, JDK10, JDK11 and JDK12
    * Support for JDK 1.4 and 1.5 was dropped
    * Support for JDBC 4.2 added
    * Add maxResultBuffer property
    * Add caller push of binary data
    * Read only transactions
    * pkcs12 key functionality
    * New "escapeSyntaxCallMode" connection property
    * Connection property to limit server error detail in exceptions
    * CancelQuery() to PGConnection public interface
    * Support for large update counts (JDBC 4.2)
    * Add Binary Support for Oid.NUMERIC and Oid.NUMERIC_ARRAY
    * Expose parameter status messages (GUC_REPORT) to the user
    * Log ignoring rollback when no transaction in progress
    * Map inet type to InetAddress
    * Change ISGENERATED to ISGENERATEDCOLUMN as per spec
    * Support temporary replication slots in ReplicationCreateSlotBuilder
    * Return function (PostgreSQL 11) columns in
      PgDatabaseMetaData#getFunctionColumns
    * Return information on create replication slot, now the snapshot_name is
      exported to allow a consistent snapshot in some use cases
    * `ssl=true` implies `sslmode=verify-full`, that is it requires a valid
      server certificate
    * Support for `sslmode=allow/prefer/require`
    * Added server hostname verification for non-default SSL factories in
      `sslmode=verify-full` (CVE-2018-10936)
    * PreparedStatement.setNull(int parameterIndex, int t, String typeName) no
      longer ignores the typeName argument if it is not null
    * Reduce the severity of the error log messages when an exception is
      re-thrown. The error will be thrown to the caller to be dealt with, so
      there is no need for pgjdbc to log at this verbosity
    * Deprecate Fastpath API PR 903
    * Support parentheses in {oj ...} JDBC escape syntax
    * socksProxyHost is ignored in case it contains an empty string
    * Support SCRAM-SHA-256 for PostgreSQL 10 in the JDBC 4.2 version (Java 8+)
      using the Ongres SCRAM library
    * Make SELECT INTO and CREATE TABLE AS return row counts to the client in
      their command tags
    * Support Subject Alternative Names for SSL connections
    * Support isAutoIncrement metadata for PostgreSQL 10 IDENTITY column
    * Support for primitive arrays PR 887 3e0491a
    * Implement support for get/setNetworkTimeout() in connections
    * Make GSS JAAS login optional, add an option "jaasLogin"
    * Improve behaviour of ResultSet.getObject(int, Class)
    * Parse CommandComplete message using a regular expression, allows complete
      catch of server returned commands for INSERT, UPDATE, DELETE, SELECT,
      FETCH, MOVE, COPY and future commands
    * Use 'time with timezone' and 'timestamp with timezone' as is and ignore
      the user provided Calendars; 'time' and 'timestamp' work as earlier
      except "00:00:00" now maps to 1970-01-01 and "24:00:00" uses the system
      provided Calendar ignoring the user-provided one
    * Change behaviour of multihost connection. The new behaviour is to try all
      secondaries first before trying the master
    * Drop support for the (insecure) crypt authentication method
    * slave and preferSlave values for the targetServerType connection property
      have been deprecated in favour of secondary and preferSecondary
      respectively
    * Statements with non-zero fetchSize no longer require a server-side named
      handle. This might cause issues when combining old PostgreSQL versions
      (pre-8.4), fetchSize and interleaved ResultSet processing
    * Better logic for returning keyword detection. Previously, pgjdbc could be
      defeated by column names that contain "returning", so pgjdbc failed to
      "return generated keys" as it considered the statement as already having
      a returning keyword
    * Use server-prepared statements for batch inserts when prepareThreshold>0.
      This enables batch to use server-prepared statements from the first
      executeBatch() execution (previously it waited for prepareThreshold
      executeBatch() calls)
    * Replication protocol API was added: replication API documentation
    * java.util.logging is now used for logging: logging documentation
    * Add support for PreparedStatement.setCharacterStream(int, Reader)
    * Ensure executeBatch() can be used with pgbouncer. Previously pgjdbc could
      use server-prepared statements for batch execution even with
      prepareThreshold=0
    * Error position is displayed when SQL has unterminated literals, comments,
      etc.
    * Strict handling of accepted values in getBoolean and setObject (BOOLEAN);
      now it follows PostgreSQL accepted values: only 1 and 0 for numeric types
      are accepted (previously !=0 was true)
    * Deprecated PGPoolingDataSource; instead of this class you should use a
      fully featured connection pool like HikariCP, vibur-dbcp, commons-dbcp,
      c3p0, etc.
    * 'current transaction is aborted' exception includes the original
      exception via the caused-by chain
    * Better support for RETURNGENERATEDKEYS, statements with RETURNING clause
    * Avoid user-visible prepared-statement errors if the client uses
      DEALLOCATE/DISCARD statements (invalidate cache when those statements are
      detected)
    * Avoid user-visible prepared-statement errors if the client changes
      search_path (invalidate cache when set search_path is detected)
    * Support comments when replacing {fn ...} JDBC syntax
    * Support for Types.REF_CURSOR
    * Performance optimization for timestamps (~TimeZone.getDefault
      optimization)
    * Ability to customize socket factory (e.g. for unix domain sockets)
    * Ignore empty sub-queries in composite queries
    * Add equality support to PSQLState
    * Improved composite/array type support and type naming changes
  * Update to version 42.2.10
  * Update to version 42.2.9: https://jdbc.postgresql.org/documentation/
  * Update to version 42.2.8: https://jdbc.postgresql.org/documentation/
  * Update to version 42.2.7: https://jdbc.postgresql.org/documentation/
  * Update to version 42.2.6: https://jdbc.postgresql.org/documentation/
  * Update to version 42.2.5: https://jdbc.postgresql.org/documentation/
  * Update to version 42.2.4: https://jdbc.postgresql.org/documentation/
  * Update to version 42.2.3: https://jdbc.postgresql.org/documentation/
  * Update to version 42.2.2: https://jdbc.postgresql.org/documentation/
  * Update to version 42.2.1: https://jdbc.postgresql.org/documentation/
  * Update to version 42.2.0: https://jdbc.postgresql.org/documentation/
  * Update to version 42.1.4: https://jdbc.postgresql.org/documentation/
  * Update to version 42.1.3: https://jdbc.postgresql.org/documentation/
  * Update to version 42.1.2: https://jdbc.postgresql.org/documentation/
  * Update to version 42.1.1: https://jdbc.postgresql.org/documentation/
  * Update to version 42.1.0: https://jdbc.postgresql.org/documentation/
  * Update to version 42.2.0: https://jdbc.postgresql.org/documentation/
  * Update to version 9.4.1211: https://jdbc.postgresql.org/documentation/
  * Update to version 9.4.1210: https://jdbc.postgresql.org/documentation/
  * Update to version 9.4.1209: https://jdbc.postgresql.org/documentation/
  * Update to version 9.4.1208: https://jdbc.postgresql.org/documentation/
  * Update to version 9.4.1207: https://jdbc.postgresql.org/documentation/
  * Update to version 9.4.1206: https://jdbc.postgresql.org/documentation/
  * Update to version 9.4.1205: https://jdbc.postgresql.org/documentation/
  * Update to version 9.4.1204: https://jdbc.postgresql.org/documentation/
  * Update to version 9.4.1203: https://jdbc.postgresql.org/documentation/
  * Update to version 9.4.1202: https://jdbc.postgresql.org/documentation/
  * Update to version 9.4.1201: https://jdbc.postgresql.org/documentation/
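
The pgjdbc sslmode items listed above (ssl=true implying verify-full, the
allow/prefer/require modes, and the CVE-2018-10936 hostname check for
non-default SSL factories) decide whether a connection actually authenticates
the database server. The Python below is an added example, not code from this
bulletin, SUSE or the pgjdbc project: it parses a jdbc:postgresql:// URL and
reports which settings leave the server unverified. It assumes 42.2.5 as the
pgjdbc release that introduced those changes, treats any explicit sslfactory
parameter as a non-default factory, and uses constructed hostnames.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed fix level (pgjdbc changelog): 42.2.5 made ssl=true imply verify-full
# and added hostname checks for non-default SSL factories (CVE-2018-10936).
FIXED = (42, 2, 5)

def parse_jdbc_url(url):
    """Split jdbc:postgresql://host[:port]/db?k=v into (host, db, params)."""
    if not url.startswith("jdbc:postgresql://"):
        raise ValueError("not a pgjdbc URL: %r" % url)
    parts = urlsplit(url[len("jdbc:"):])
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    return parts.hostname, parts.path.lstrip("/"), params

def parse_version(text):
    """'42.2.10' -> (42, 2, 10); anything unparseable sorts as very old."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else (0, 0, 0)

def audit_ssl(params, driver_version):
    """Return (severity, message) findings for the URL's SSL parameters."""
    mode = params.get("sslmode")
    if mode is None and params.get("ssl", "").lower() != "true":
        return [("high", "no TLS: neither ssl=true nor sslmode is set")]
    if mode is None and driver_version < FIXED:   # ssl=true, old driver
        return [("medium", "ssl=true without sslmode on pgjdbc < 42.2.5: "
                           "set sslmode=verify-full explicitly")]
    mode = mode or "verify-full"                  # implied by ssl=true since fix
    if mode == "disable":
        return [("high", "sslmode=disable: traffic is cleartext")]
    if mode in ("allow", "prefer"):
        return [("high", "sslmode=%s: TLS negotiable, cleartext fallback" % mode)]
    if mode == "require":
        return [("medium", "sslmode=require: encrypted, server cert not validated")]
    if mode == "verify-ca":
        return [("low", "sslmode=verify-ca: chain validated, hostname unchecked")]
    # Assumption: any explicit sslfactory parameter is a non-default factory.
    if mode == "verify-full" and "sslfactory" in params and driver_version < FIXED:
        return [("high", "CVE-2018-10936: non-default sslfactory on pgjdbc < "
                         "42.2.5 skips hostname verification")]
    return []

def audit_url(url, driver_version_text):
    """Audit one JDBC URL against a pgjdbc version string such as '42.2.10'."""
    _, _, params = parse_jdbc_url(url)
    return audit_ssl(params, parse_version(driver_version_text))
```

Run it over the JDBC URLs in your application configuration together with the
installed postgresql-jdbc package version; an empty list means the settings
verify both the certificate chain and the hostname.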

  * Fix empty directory values initialization
  * Disable reverse proxy on default


  * Update to version 0.2.3
  * Disable Alertmanager clustering (bsc#1178145)
  * Update to version 0.2.2
  * Use variable for product name


  * Version 0.18.0 See: https://github.com/SUSE/salt-netapi-client/releases/tag


  * Use the license macro to mark the LICENSE in the package so that when
    installing without docs, it does install the LICENSE file
  * Prevent javax.net.ssl.SSLHandshakeException after upgrading from SUSE
    Manager 3.2 (bsc#1177435)


  * ISS: Differentiate packages with same nevra but different checksum in the
    same channel (bsc#1178195)
  * Fix unique machine_id detection (bsc#1176074)


  * Revert: Sync state modules when starting action chain execution (bsc#
  * Sync state modules when starting action chain execution (bsc#1177336)
  * Fix repo url of AppStream in generated RHEL/Centos 8 kickstart file (bsc#
  * Log token verify errors and check for expired tokens
  * Execute Salt SSH actions in parallel (bsc#1173199)
  * Take pool and volume from Salt virt.vm_info for files and blocks disks (bsc
  * Fix action chain resuming when patches updating salt-minion don't cause
    service to be restarted (bsc#1144447)
  * Renaming autoinstall distro didn't change the name of the Cobbler distro


  * Fix link to documentation in Admin -> Manager Configuration -> Monitoring
  * Don't allow selecting spice for Xen PV and PVH guests


  * Add --force to mgr-create-bootstrap-repo to enforce generation even when
    some products are not synchronized


  * Execute Salt SSH actions in parallel (bsc#1173199)


  * Revert: Sync state modules when starting action chain execution (bsc#
  * Sync state modules when starting action chain execution (bsc#1177336)
  * Fix grub2 autoinstall kernel path (bsc#1178060)
  * Move channel token information from sources.list to auth.conf on Debian 10
    and Ubuntu 18 and newer
  * Fix action chain resuming when patches updating salt-minion don't cause
    service to be restarted (bsc#1144447)
  * Make grub2 autoinstall kernel path relative to the boot partition root (bsc

How to apply this update:

  1. Log in as root user to the SUSE Manager server.
  2. Stop the Spacewalk service: spacewalk-service stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Upgrade the database schema: spacewalk-schema-upgrade
  5. Start the Spacewalk service: spacewalk-service

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise Module for SUSE Manager Server 4.0:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-3466=1

Package List:

  * SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x
      + susemanager-4.0.32-3.46.1
      + susemanager-tools-4.0.32-3.46.1
  * SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):
      + bind-formula-0.1.1603299886.60e4bcf-3.11.1
      + grafana-formula-0.2.2-4.13.1
      + postgresql-jdbc-42.2.10-3.3.1
      + prometheus-exporters-formula-0.7.5-3.16.1
      + prometheus-formula-0.2.3-4.16.1
      + python3-spacewalk-backend-libs-4.0.35-3.38.1
      + salt-netapi-client-0.18.0-4.12.1
      + spacewalk-admin-4.0.12-3.15.1
      + spacewalk-backend-4.0.35-3.38.1
      + spacewalk-backend-app-4.0.35-3.38.1
      + spacewalk-backend-applet-4.0.35-3.38.1
      + spacewalk-backend-config-files-4.0.35-3.38.1
      + spacewalk-backend-config-files-common-4.0.35-3.38.1
      + spacewalk-backend-config-files-tool-4.0.35-3.38.1
      + spacewalk-backend-iss-4.0.35-3.38.1
      + spacewalk-backend-iss-export-4.0.35-3.38.1
      + spacewalk-backend-package-push-server-4.0.35-3.38.1
      + spacewalk-backend-server-4.0.35-3.38.1
      + spacewalk-backend-sql-4.0.35-3.38.1
      + spacewalk-backend-sql-postgresql-4.0.35-3.38.1
      + spacewalk-backend-tools-4.0.35-3.38.1
      + spacewalk-backend-xml-export-libs-4.0.35-3.38.1
      + spacewalk-backend-xmlrpc-4.0.35-3.38.1
      + spacewalk-base-4.0.25-3.36.1
      + spacewalk-base-minimal-4.0.25-3.36.1
      + spacewalk-base-minimal-config-4.0.25-3.36.1
      + spacewalk-html-4.0.25-3.36.1
      + spacewalk-java-4.0.40-3.48.2
      + spacewalk-java-config-4.0.40-3.48.2
      + spacewalk-java-lib-4.0.40-3.48.2
      + spacewalk-java-postgresql-4.0.40-3.48.2
      + spacewalk-taskomatic-4.0.40-3.48.2
      + susemanager-schema-4.0.23-3.32.1
      + susemanager-sls-4.0.31-3.37.1
      + susemanager-web-libs-4.0.25-3.36.1


  * https://www.suse.com/security/cve/CVE-2018-10936.html
  * https://www.suse.com/security/cve/CVE-2020-13692.html
  * https://bugzilla.suse.com/1144447
  * https://bugzilla.suse.com/1172079
  * https://bugzilla.suse.com/1173199
  * https://bugzilla.suse.com/1175739
  * https://bugzilla.suse.com/1175876
  * https://bugzilla.suse.com/1175987
  * https://bugzilla.suse.com/1176074
  * https://bugzilla.suse.com/1176172
  * https://bugzilla.suse.com/1177336
  * https://bugzilla.suse.com/1177435
  * https://bugzilla.suse.com/1177790
  * https://bugzilla.suse.com/1178060
  * https://bugzilla.suse.com/1178145
  * https://bugzilla.suse.com/1178195

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967