Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.4199
Security update for SUSE Manager Server 4.0
26 November 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: SUSE Manager Server 4.0
Publisher: SUSE
Operating System: SUSE
Impact/Access: Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-13692 CVE-2018-10936
Reference: ESB-2020.3558
ESB-2020.3213
ESB-2020.3084
ESB-2020.2648
Original Bulletin:
https://www.suse.com/support/update/announcement/2020/suse-su-20203466-1
- --------------------------BEGIN INCLUDED TEXT--------------------
Security update for SUSE Manager Server 4.0
SUSE Security Update: Security update for SUSE Manager Server 4.0
- -------------------------------------------------------------------------------
Announcement ID: SUSE-SU-2020:3466-1
Rating: moderate
#1144447 #1172079 #1173199 #1175739 #1175876 #1175987 #
References: 1176074 #1176172 #1177336 #1177435 #1177790 #1178060 #1178145
#1178195
Cross-References: CVE-2018-10936 CVE-2020-13692
Affected * SUSE Linux Enterprise Module for SUSE Manager Server 4.0
Products:
- -------------------------------------------------------------------------------
An update that solves two vulnerabilities and has 12 fixes is now available.
Description:
This update fixes the following issues:
bind-formula:
* Temporarily disable dnssec-validation as hotfix for bsc#1177790
* Update to version 0.1.1603299886.60e4bcf
grafana-formula:
* Use variable for product name
* Add support for system groups in Client Systems dashboard
postgresql-jdbc:
* Address CVE-2020-13692 (bsc#1172079)
* Add patch:
* Major changes since 9.4-1200: * License changed to BSD-2-Clause and
BSD-3-Clause and Apache-2.0 * Support PostgreSQL 9.5, 9.6, 10 11 and 12
added * Support for PostgreSQL versions below 8.2 was dropped * Support for
JDK8, JDK9, JDK10, JDK11 and JDK12 * Support for JDK 1.4 and 1.5 was
dropped * Support for JDBC 4.2 added * Add maxResultBuffer property * Add
caller push of binary data * Read only transactions * pkcs12 key
functionality * New "escapeSyntaxCallMode" connection property * Connection
property to limit server error detail in exception exceptions * CancelQuery
() to PGConnection public interface * Support for large update counts (JDBC
4.2) * Add Binary Support for Oid.NUMERIC and Oid.NUMERIC_ARRAY * Expose
parameter status messages (GUC_REPORT) to the user * Log ignoring rollback
when no transaction in progress * Map inet type to InetAddress * Change
ISGENERATED to ISGENERATEDCOLUMN as per spec * Support temporary
replication slots in ReplicationCreateSlotBuilder * Return function
(PostgreSQL 11) columns in PgDatabaseMetaData#getFunctionColumns * Return
information on create replication slot, now the snapshot_name is exported
to allow a consistent snapshot in some uses cases * `ssl=true` implies
`sslmode=verify-full`, that is it requires valid server certificate *
Support for `sslmode=allow/prefer/require` * Added server hostname
verification for non-default SSL factories in `sslmode=verify-full`
(CVE-2018-10936) * PreparedStatement.setNull(int parameterIndex, int t,
String typeName) no longer ignores the typeName argument if it is not
setNull * Reduce the severity of the error log messages when an exception
is re-thrown. The error will be thrown to caller to be dealt with so no
need to log at this verbosity by pgjdbc * Deprecate Fastpath API PR 903 *
Support parenthesis in {oj ...} JDBC escape syntax * socksProxyHost is
ignored in case it contains empty string * Support SCRAM-SHA-256 for
PostgreSQL 10 in the JDBC 4.2 version (Java 8+) using the Ongres SCRAM
library * Make SELECT INTO and CREATE TABLE AS return row counts to the
client in their command tags * Support Subject Alternative Names for SSL
connections * Support isAutoIncrement metadata for PostgreSQL 10 IDENTITY
column * Support for primitive arrays PR 887 3e0491a * Implement support
for get/setNetworkTimeout() in connections * Make GSS JAAS login optional,
add an option "jaasLogin" * Improve behaviour of ResultSet.getObject(int,
Class) * Parse CommandComplete message using a regular expression, allows
complete catch of server returned commands for INSERT, UPDATE, DELETE,
SELECT, FETCH, MOVE,COPY and future commands. * Use 'time with timezone'
and 'timestamp with timezone' as is and ignore the user provided Calendars,
'time' and 'timestamp' work as earlier except "00:00:00" now maps to
1970-01-01 and "24:00:00" uses the system provided Calendar ignoring the
user-provided one * Change behaviour of multihost connection. The new
behaviour is to try all secondaries first before trying the master * Drop
support for the (insecure) crypt authentication method * slave and
preferSlave values for the targetServerType connection property have been
deprecated in favour of secondary and preferSecondary respectively *
Statements with non-zero fetchSize no longer require server-side named
handle. This might cause issues when using old PostgreSQL versions
(pre-8.4)+fetchSize+interleaved ResultSet processing combo * Better logic
for returning keyword detection. Previously, pgjdbc could be defeated by
column names that contain returning, so pgjdbc failed to "return generated
keys" as it considered statement as already having returning keyword * Use
server-prepared statements for batch inserts when prepareThreshold>0. This
enables batch to use server-prepared from the first executeBatch()
execution (previously it waited for prepareThreshold executeBatch() calls)
* Replication protocol API was added: replication API documentation *
java.util.logging is now used for logging: logging documentation * Add
support for PreparedStatement.setCharacterStream(int, Reader) * Ensure
executeBatch() can be used with pgbouncer. Previously pgjdbc could use
server-prepared statements for batch execution even with prepareThreshold=0
* Error position is displayed when SQL has unterminated literals, comments,
etc * Strict handling of accepted values in getBoolean and setObject
(BOOLEAN), now it follows PostgreSQL accepted values, only 1 and 0 for
numeric types are acepted (previusly !=0 was true) * Deprecated
PGPoolingDataSource, instead of this class you should use a fully featured
connection pool like HikariCP, vibur-dbcp, commons-dbcp, c3p0, etc *
'current transaction is aborted' exception includes the original exception
via caused-by chain * Better support for RETURNGENERATEDKEYS, statements
with RETURNING clause * Avoid user-visible prepared-statement errors if
client uses DEALLOCATE/DISCARD statements (invalidate cache when those
statements detected) * Avoid user-visible prepared-statement errors if
client changes searchpath (invalidate cache when set searchpath detected) *
Support comments when replacing {fn ...} JDBC syntax * Support for
Types.REF_CURSOR * Performance optimization for timestamps
(~TimeZone.getDefault optimization) * Ability to customize socket factory
(e.g. for unix domain sockets) * Ignore empty sub-queries in composite
queries * Add equality support to PSQLState * Improved composite/array type
support and type naming changes.
* Update to version 42.2.10 *
https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.10
Update to version 42.2.9 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.2.9
Update to version 42.2.8 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.2.8
Update to version 42.2.7 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.2.7
Update to version 42.2.6 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.2.6
Update to version 42.2.5 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.2.5
Update to version 42.2.4 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.2.4
Update to version 42.2.3 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.2.3
Update to version 42.2.2 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.2.2
Update to version 42.2.1 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.2.1
Update to version 42.2.0 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.2.0
Update to version 42.1.4 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.1.4
Update to version 42.1.3 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.1.3
Update to version 42.1.2 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.1.2
Update to version 42.1.1 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.1.1
Update to version 42.1.0 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.1.1
Update to version 42.2.0 * https://jdbc.postgresql.org/documentation/
changelog.html#version_42.1.0
Update to version 9.4.1211 * https://jdbc.postgresql.org/documentation/
changelog.html#version_9.4-1211
Update to version 9.4.1210 * https://jdbc.postgresql.org/documentation/
changelog.html#version_9.4-1210
Update to version 9.4.1209 * https://jdbc.postgresql.org/documentation/
changelog.html#version_9.4-1209
Update to version 9.4.1208 * https://jdbc.postgresql.org/documentation/
changelog.html#version_9.4-1208
Update to version 9.4.1207 * https://jdbc.postgresql.org/documentation/
changelog.html#version_9.4-1207
Update to version 9.4.1206 * https://jdbc.postgresql.org/documentation/
changelog.html#version_9.4-1206
Update to version 9.4.1205 * https://jdbc.postgresql.org/documentation/
changelog.html#version_9.4-1204
Update to version 9.4.1204 * https://jdbc.postgresql.org/documentation/
changelog.html#version_9.4-1204
Update to version 9.4.1203 * https://jdbc.postgresql.org/documentation/
changelog.html#version_9.4-1203
Update to version 9.4.1202 * https://jdbc.postgresql.org/documentation/
changelog.html#version_9.4-1202
Update to version 9.4.1201 * https://jdbc.postgresql.org/documentation/
changelog.html#version_9.4-1201
prometheus-exporters-formula:
* Fix empty directory values initialization
* Disable reverse proxy on default
prometheus-formula:
* Update to version 0.2.3
* Disable Alertmanager clustering (bsc#1178145)
* Update to version 0.2.2
* Use variable for product name
salt-netapi-client:
* Version 0.18.0 See: https://github.com/SUSE/salt-netapi-client/releases/tag
/v0.18.0
spacewalk-admin:
* Use the license macro to mark the LICENSE in the package so that when
installing without docs, it does install the LICENSE file
* Prevent javax.net.ssl.SSLHandshakeException after upgrading from SUSE
Manager 3.2 (bsc#1177435)
spacewalk-backend:
* ISS: Differentiate packages with same nevra but different checksum in the
same channel (bsc#1178195)
* Fix unique machine_id detection (bsc#1176074)
spacewalk-java:
* Revert: Sync state modules when starting action chain execution (bsc#
1177336)
* Sync state modules when starting action chain execution (bsc#1177336)
* Fix repo url of AppStream in generated RHEL/Centos 8 kickstart file (bsc#
1175739)
* Log token verify errors and check for expired tokens
* Execute Salt SSH actions in parallel (bsc#1173199)
* Take pool and volume from Salt virt.vm_info for files and blocks disks (bsc
#1175987)
* Fix action chain resuming when patches updating salt-minion don't cause
service to be restarted (bsc#1144447)
* Renaming autoinstall distro didn't change the name of the Cobbler distro
(bsc#1175876)
spacewalk-web:
* Fix link to documentation in Admin -> Manager Configuration -> Monitoring
(bsc#1176172)
* Don't allow selecting spice for Xen PV and PVH guests
susemanager:
* Add --force to mgr-create-bootstrap-repo to enforce generation even when
some products are not synchronized
susemanager-schema:
* Execute Salt SSH actions in parallel (bsc#1173199)
susemanager-sls:
* Revert: Sync state modules when starting action chain execution (bsc#
1177336)
* Sync state modules when starting action chain execution (bsc#1177336)
* Fix grub2 autoinstall kernel path (bsc#1178060)
* Move channel token information from sources.list to auth.conf on Debian 10
and Ubuntu 18 and newer
* Fix action chain resuming when patches updating salt-minion don't cause
service to be restarted (bsc#1144447)
* Make grub2 autoinstall kernel path relative to the boot partition root (bsc
#1175876)
How to apply this update: 1. Log in as root user to the SUSE Manager server. 2.
Stop the Spacewalk service: spacewalk-service stop 3. Apply the patch using
either zypper patch or YaST Online Update. 4. Upgrade the database schema:
spacewalk-schema-upgrade 5. Start the Spacewalk service: spacewalk-service
start
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Module for SUSE Manager Server 4.0:
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-3466=1
Package List:
* SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x
x86_64):
+ susemanager-4.0.32-3.46.1
+ susemanager-tools-4.0.32-3.46.1
* SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):
+ bind-formula-0.1.1603299886.60e4bcf-3.11.1
+ grafana-formula-0.2.2-4.13.1
+ postgresql-jdbc-42.2.10-3.3.1
+ prometheus-exporters-formula-0.7.5-3.16.1
+ prometheus-formula-0.2.3-4.16.1
+ python3-spacewalk-backend-libs-4.0.35-3.38.1
+ salt-netapi-client-0.18.0-4.12.1
+ spacewalk-admin-4.0.12-3.15.1
+ spacewalk-backend-4.0.35-3.38.1
+ spacewalk-backend-app-4.0.35-3.38.1
+ spacewalk-backend-applet-4.0.35-3.38.1
+ spacewalk-backend-config-files-4.0.35-3.38.1
+ spacewalk-backend-config-files-common-4.0.35-3.38.1
+ spacewalk-backend-config-files-tool-4.0.35-3.38.1
+ spacewalk-backend-iss-4.0.35-3.38.1
+ spacewalk-backend-iss-export-4.0.35-3.38.1
+ spacewalk-backend-package-push-server-4.0.35-3.38.1
+ spacewalk-backend-server-4.0.35-3.38.1
+ spacewalk-backend-sql-4.0.35-3.38.1
+ spacewalk-backend-sql-postgresql-4.0.35-3.38.1
+ spacewalk-backend-tools-4.0.35-3.38.1
+ spacewalk-backend-xml-export-libs-4.0.35-3.38.1
+ spacewalk-backend-xmlrpc-4.0.35-3.38.1
+ spacewalk-base-4.0.25-3.36.1
+ spacewalk-base-minimal-4.0.25-3.36.1
+ spacewalk-base-minimal-config-4.0.25-3.36.1
+ spacewalk-html-4.0.25-3.36.1
+ spacewalk-java-4.0.40-3.48.2
+ spacewalk-java-config-4.0.40-3.48.2
+ spacewalk-java-lib-4.0.40-3.48.2
+ spacewalk-java-postgresql-4.0.40-3.48.2
+ spacewalk-taskomatic-4.0.40-3.48.2
+ susemanager-schema-4.0.23-3.32.1
+ susemanager-sls-4.0.31-3.37.1
+ susemanager-web-libs-4.0.25-3.36.1
References:
* https://www.suse.com/security/cve/CVE-2018-10936.html
* https://www.suse.com/security/cve/CVE-2020-13692.html
* https://bugzilla.suse.com/1144447
* https://bugzilla.suse.com/1172079
* https://bugzilla.suse.com/1173199
* https://bugzilla.suse.com/1175739
* https://bugzilla.suse.com/1175876
* https://bugzilla.suse.com/1175987
* https://bugzilla.suse.com/1176074
* https://bugzilla.suse.com/1176172
* https://bugzilla.suse.com/1177336
* https://bugzilla.suse.com/1177435
* https://bugzilla.suse.com/1177790
* https://bugzilla.suse.com/1178060
* https://bugzilla.suse.com/1178145
* https://bugzilla.suse.com/1178195
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX78n9uNLKJtyKPYoAQhPrxAAp2fU+52f55KH34OVZoR4d4xs1I57KkjF
OljvTFzZozal6F8xIf9mPwhJJ9ni7cUbrveGG09kTjS19QXdCh7+OoBaYX44JC0y
e0XDB34Jp3Oa0jUTrpSUef8UC7ZRkQngH8t2zEDmbo6WtNBB9ESzrQIcfE6Inf9x
HM/nB6YaHZ6UzGh9035eWfWA1PAfmzQ85vW0WlrKdRU8GM54Fzw2zH3jhklysRSQ
WzbVZO+rOCtn/YDeHGKtxt0vrEcvBm9/HjC1FVji78iu+alTBCwDKrJiG5LpPjyk
pjPkkprUMXzpczEM3JlxWqKiVVgFUdufIIpibx/Y/o5g7VHV5mKQH74vEXjeLNae
LV2Mz2y5VX3q/Egb4jqKCr54NFX9BTx6X2V2ltly8wq+6fRvFMKm1wXB7EZw54fc
X9IVKMg56JJe3SXAHgffsRvznjQJSjXpwZgHQNQcLLHYd95wLfkuFJPd61Yvwh8o
xuv/FdSdVkizk6YgId6SrjE3LiAu4J+oLJS7LnakEMjbvmUsAMOxhCL7h7NtCCAX
5pb1yv/enqlfXKdHXaHL9nBoFHmy2LiD2vwkqfAWpiRjbF9ESyujQylgXNNQLeCq
L52Y9Du4i0mydsHVTR4NCHqinn57IoPM+zc0wFFISQwN5sccxESXj5/QgCS+TYpp
Rn2+XqDpBIY=
=lArO
-----END PGP SIGNATURE-----