Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0542
Security Beta update for SUSE Manager Client Tools
15 February 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: SUSE Manager Client Tools
Publisher: SUSE
Operating System: SUSE
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-25592 CVE-2020-17490 CVE-2020-16846
CVE-2019-17361
Reference: ESB-2021.0441
ESB-2021.0275
ESB-2020.4395
ESB-2020.4300
Original Bulletin:
https://www.suse.com/support/update/announcement/2021/suse-su-202114624-1
https://www.suse.com/support/update/announcement/2021/suse-su-202114623-1
Comment: This bulletin contains two (2) SUSE security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security Beta update for SUSE Manager Client Tools
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:14624-1
Rating: moderate
References: #1083110 #1157479 #1158441 #1159284 #1162504 #1163981
#1165425 #1167556 #1169604 #1171257 #1171461 #1172211
#1173909 #1173911 #1175549 #1176293 #1176823 #1178319
#1178361 #1178362 #1178485 #1179566 #1180584
Cross-References: CVE-2019-17361 CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
Affected Products:
SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA
______________________________________________________________________________
An update that solves four vulnerabilities and has 19 fixes is now available.
Description:
This update fixes the following issues:
prometheus-exporter-exporter:
o Initial release (Closes: #968029).
salt:
o Remove deprecated warning that breaks minion execution when
"server_id_use_crc" opts is missing
o Revert wrong zypper patch to support vendorchanges flags on pkg.install
o Force zyppnotify to prefer Packages.db than Packages if it exists
o Allow vendor change option with zypper
o Add pkg.services_need_restart
o Fix for file.check_perms to work with numeric uid/gid
o Virt: more network support Add more network and PCI/USB host devices
passthrough support to virt module and states
o Bigvm backports
o Virt consoles, CPU tuning and topology, and memory tuning.
o Fix pkg states when DEB package has "all" arch
o Do not force beacons configuration to be a list. Revert https://github.com/
saltstack/salt/pull/58655
o Drop wrong virt capabilities code after rebasing patches
o Update to Salt release version 3002.2
o See release notes: https://docs.saltstack.com/en/latest/topics/releases/
3002.2.html
o Force zyppnotify to prefer Packages.db than Packages if it exists
o Allow vendor change option with zypper
o Add pkg.services_need_restart
o Bigvm backports: virt consoles, CPU tuning and topology, and memory tuning.
o Fix for file.check_perms to work with numeric uid/gid
o Change 'Requires(pre)' to 'Requires' for salt-minion package (bsc#1083110)
o Set passphrase for salt-ssh keys to empty string (bsc#1178485)
o Properly validate eauth credentials and tokens on SSH calls made by Salt
API (bsc#1178319) (bsc#1178362) (bsc#1178361) (CVE-2020-25592)
(CVE-2020-17490) (CVE-2020-16846)
o Fix novendorchange handling in zypperpkg module
o Remove msgpack < 1.0.0 from base requirements (bsc#1176293)
o Adding missing virt backports to 3000.3
o Do not raise StreamClosedError traceback but only log it (bsc#1175549)
o Update to Salt release version 3000.3 See release notes: https://
docs.saltstack.com/en/latest/topics/releases/3000.3.html
o Take care of failed, skipped and unreachable tasks and propagate "retcode"
(bsc#1173911) (bsc#1173909)
o Msgpack: support versions >= 1.0.0 (bsc#1171257)
o Fix the registration of libvirt pool and nodedev events
o Accept nested namespaces in spacewalk.api runner function. (bsc#1172211)
o Info_installed works without status attr now (bsc#1171461)
o Prevent sporious "salt-api" stuck processes when managing SSH minions
because of logging deadlock (bsc#1159284)
o Avoid segfault from "salt-api" under certain conditions of heavy load
managing SSH minions (bsc#1169604)
o Update to Salt version 3000 See release notes: https://docs.saltstack.com/
en/latest/topics/releases/3000.html loop: fix variable names for
until_no_eval
o Enable building and installation for Fedora
o Disable python2 build on Tumbleweed We are removing the python2 interpreter
from openSUSE (SLE16). As such disable salt building for python2 there.
o Sanitize grains loaded from roster_grains.json cache during "state.pkg"
o Build: Buildequire pkgconfig(systemd) instead of systemd pkgconfig(systemd)
is provided by systemd, so this is de-facto no change. But inside the Open
Build Service (OBS), the same symbol is also provided by systemd-mini,
which exists to shorten build-chains by only enabling what other packages
need to successfully build
o Backport saltutil state module to 2019.2 codebase (bsc#1167556)
o Add new custom SUSE capability for saltutil state module
o Virt._get_domain: don't raise an exception if there is no VM
o Adds test for zypper abbreviation fix
o Improved storage pool or network handling
o Better import cache handline
o Requiring python3-distro only for openSUSE/SLE >= 15
o Use full option name instead of undocumented abbreviation for zypper
o Python-distro is only needed for > Python 3.7. Removing it for Python 2
o RHEL/CentOS 8 uses platform-python instead of python3
o Enable build for Python 3.8
o Update to Salt version 2019.2.3 (CVE-2019-17361) (bsc#1163981) (bsc#
1162504) See release notes:
https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html
o Enable passing grains to start event based on 'start_event_grains'
configuration parameter
o Support for Btrfs and XFS in parted and mkfs added Adds virt.(pool|network)
_get_xml functions Various libvirt updates
o Let salt-ssh use platform-python on RHEL8 (bsc#1158441)
o Fix StreamClosedError issue (bsc#1157479)
o Requires vs BuildRequires
o Limiting M2Crypto to >= SLE15
o Replacing pycrypto with M2Crypto (bsc#1165425)
o Update to 2019.2.2 release zypperpkg: understand product type
o Enable usage of downloadonly parameter for apt module
o Add new "salt-standalone-formulas-configuration" package
spacecmd:
o Fix spacecmd with no parameters produces traceback on SLE 11 SP4 (bsc#
1176823)
o Fixed "non-advanced" package search when using multiple package names (bsc#
1180584)
o Added '-r REVISION' option to the 'configchannel_updateinitsls' command
(bsc#1179566)
o Fix: internal: workaround for future tee of logs translation
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA:
zypper in -t patch suse-ubu184ct-client-tools-beta-202101-14624=1
Package List:
o SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA (amd64):
prometheus-exporter-exporter-0.4.0-1
o SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA (all):
salt-common-3002.2+ds-1+27.28.2
salt-minion-3002.2+ds-1+27.28.2
spacecmd-4.2.4-2.15.1
References:
o https://www.suse.com/security/cve/CVE-2019-17361.html
o https://www.suse.com/security/cve/CVE-2020-16846.html
o https://www.suse.com/security/cve/CVE-2020-17490.html
o https://www.suse.com/security/cve/CVE-2020-25592.html
o https://bugzilla.suse.com/1083110
o https://bugzilla.suse.com/1157479
o https://bugzilla.suse.com/1158441
o https://bugzilla.suse.com/1159284
o https://bugzilla.suse.com/1162504
o https://bugzilla.suse.com/1163981
o https://bugzilla.suse.com/1165425
o https://bugzilla.suse.com/1167556
o https://bugzilla.suse.com/1169604
o https://bugzilla.suse.com/1171257
o https://bugzilla.suse.com/1171461
o https://bugzilla.suse.com/1172211
o https://bugzilla.suse.com/1173909
o https://bugzilla.suse.com/1173911
o https://bugzilla.suse.com/1175549
o https://bugzilla.suse.com/1176293
o https://bugzilla.suse.com/1176823
o https://bugzilla.suse.com/1178319
o https://bugzilla.suse.com/1178361
o https://bugzilla.suse.com/1178362
o https://bugzilla.suse.com/1178485
o https://bugzilla.suse.com/1179566
o https://bugzilla.suse.com/1180584
- --------------------------------------------------------------------------------
SUSE Security Update: Security Beta update for SUSE Manager Client Tools
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:14624-1
Rating: moderate
References: #1083110 #1157479 #1158441 #1159284 #1162504 #1163981
#1165425 #1167556 #1169604 #1171257 #1171461 #1172211
#1173909 #1173911 #1175549 #1176293 #1176823 #1178319
#1178361 #1178362 #1178485 #1179566 #1180584
Cross-References: CVE-2019-17361 CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
Affected Products:
SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA
______________________________________________________________________________
An update that solves four vulnerabilities and has 19 fixes is now available.
Description:
This update fixes the following issues:
prometheus-exporter-exporter:
o Initial release (Closes: #968029).
salt:
o Remove deprecated warning that breaks minion execution when
"server_id_use_crc" opts is missing
o Revert wrong zypper patch to support vendorchanges flags on pkg.install
o Force zyppnotify to prefer Packages.db than Packages if it exists
o Allow vendor change option with zypper
o Add pkg.services_need_restart
o Fix for file.check_perms to work with numeric uid/gid
o Virt: more network support Add more network and PCI/USB host devices
passthrough support to virt module and states
o Bigvm backports
o Virt consoles, CPU tuning and topology, and memory tuning.
o Fix pkg states when DEB package has "all" arch
o Do not force beacons configuration to be a list. Revert https://github.com/
saltstack/salt/pull/58655
o Drop wrong virt capabilities code after rebasing patches
o Update to Salt release version 3002.2
o See release notes: https://docs.saltstack.com/en/latest/topics/releases/
3002.2.html
o Force zyppnotify to prefer Packages.db than Packages if it exists
o Allow vendor change option with zypper
o Add pkg.services_need_restart
o Bigvm backports: virt consoles, CPU tuning and topology, and memory tuning.
o Fix for file.check_perms to work with numeric uid/gid
o Change 'Requires(pre)' to 'Requires' for salt-minion package (bsc#1083110)
o Set passphrase for salt-ssh keys to empty string (bsc#1178485)
o Properly validate eauth credentials and tokens on SSH calls made by Salt
API (bsc#1178319) (bsc#1178362) (bsc#1178361) (CVE-2020-25592)
(CVE-2020-17490) (CVE-2020-16846)
o Fix novendorchange handling in zypperpkg module
o Remove msgpack < 1.0.0 from base requirements (bsc#1176293)
o Adding missing virt backports to 3000.3
o Do not raise StreamClosedError traceback but only log it (bsc#1175549)
o Update to Salt release version 3000.3 See release notes: https://
docs.saltstack.com/en/latest/topics/releases/3000.3.html
o Take care of failed, skipped and unreachable tasks and propagate "retcode"
(bsc#1173911) (bsc#1173909)
o Msgpack: support versions >= 1.0.0 (bsc#1171257)
o Fix the registration of libvirt pool and nodedev events
o Accept nested namespaces in spacewalk.api runner function. (bsc#1172211)
o Info_installed works without status attr now (bsc#1171461)
o Prevent sporious "salt-api" stuck processes when managing SSH minions
because of logging deadlock (bsc#1159284)
o Avoid segfault from "salt-api" under certain conditions of heavy load
managing SSH minions (bsc#1169604)
o Update to Salt version 3000 See release notes: https://docs.saltstack.com/
en/latest/topics/releases/3000.html loop: fix variable names for
until_no_eval
o Enable building and installation for Fedora
o Disable python2 build on Tumbleweed We are removing the python2 interpreter
from openSUSE (SLE16). As such disable salt building for python2 there.
o Sanitize grains loaded from roster_grains.json cache during "state.pkg"
o Build: Buildequire pkgconfig(systemd) instead of systemd pkgconfig(systemd)
is provided by systemd, so this is de-facto no change. But inside the Open
Build Service (OBS), the same symbol is also provided by systemd-mini,
which exists to shorten build-chains by only enabling what other packages
need to successfully build
o Backport saltutil state module to 2019.2 codebase (bsc#1167556)
o Add new custom SUSE capability for saltutil state module
o Virt._get_domain: don't raise an exception if there is no VM
o Adds test for zypper abbreviation fix
o Improved storage pool or network handling
o Better import cache handline
o Requiring python3-distro only for openSUSE/SLE >= 15
o Use full option name instead of undocumented abbreviation for zypper
o Python-distro is only needed for > Python 3.7. Removing it for Python 2
o RHEL/CentOS 8 uses platform-python instead of python3
o Enable build for Python 3.8
o Update to Salt version 2019.2.3 (CVE-2019-17361) (bsc#1163981) (bsc#
1162504) See release notes:
https://docs.saltstack.com/en/latest/topics/releases/2019.2.3.html
o Enable passing grains to start event based on 'start_event_grains'
configuration parameter
o Support for Btrfs and XFS in parted and mkfs added Adds virt.(pool|network)
_get_xml functions Various libvirt updates
o Let salt-ssh use platform-python on RHEL8 (bsc#1158441)
o Fix StreamClosedError issue (bsc#1157479)
o Requires vs BuildRequires
o Limiting M2Crypto to >= SLE15
o Replacing pycrypto with M2Crypto (bsc#1165425)
o Update to 2019.2.2 release zypperpkg: understand product type
o Enable usage of downloadonly parameter for apt module
o Add new "salt-standalone-formulas-configuration" package
spacecmd:
o Fix spacecmd with no parameters produces traceback on SLE 11 SP4 (bsc#
1176823)
o Fixed "non-advanced" package search when using multiple package names (bsc#
1180584)
o Added '-r REVISION' option to the 'configchannel_updateinitsls' command
(bsc#1179566)
o Fix: internal: workaround for future tee of logs translation
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA:
zypper in -t patch suse-ubu184ct-client-tools-beta-202101-14624=1
Package List:
o SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA (amd64):
prometheus-exporter-exporter-0.4.0-1
o SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA (all):
salt-common-3002.2+ds-1+27.28.2
salt-minion-3002.2+ds-1+27.28.2
spacecmd-4.2.4-2.15.1
References:
o https://www.suse.com/security/cve/CVE-2019-17361.html
o https://www.suse.com/security/cve/CVE-2020-16846.html
o https://www.suse.com/security/cve/CVE-2020-17490.html
o https://www.suse.com/security/cve/CVE-2020-25592.html
o https://bugzilla.suse.com/1083110
o https://bugzilla.suse.com/1157479
o https://bugzilla.suse.com/1158441
o https://bugzilla.suse.com/1159284
o https://bugzilla.suse.com/1162504
o https://bugzilla.suse.com/1163981
o https://bugzilla.suse.com/1165425
o https://bugzilla.suse.com/1167556
o https://bugzilla.suse.com/1169604
o https://bugzilla.suse.com/1171257
o https://bugzilla.suse.com/1171461
o https://bugzilla.suse.com/1172211
o https://bugzilla.suse.com/1173909
o https://bugzilla.suse.com/1173911
o https://bugzilla.suse.com/1175549
o https://bugzilla.suse.com/1176293
o https://bugzilla.suse.com/1176823
o https://bugzilla.suse.com/1178319
o https://bugzilla.suse.com/1178361
o https://bugzilla.suse.com/1178362
o https://bugzilla.suse.com/1178485
o https://bugzilla.suse.com/1179566
o https://bugzilla.suse.com/1180584
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYCnCNONLKJtyKPYoAQgriw/8CDkMKHcQ0cgau/Ohoe7QyEqJlsnw7tW7
kcSek9ghApJpp4ejjiutcdncT5NGufbL/ACTSdT5QwzyOw+zASXd0+8FTbH0s/vC
9mMT8hAKkImFPEgEBKE3ZHrRMk2q0kVUI5HZRY1OSClOw/QpHu9/4P0aVRdnLKEr
w86FPQKe4UvsSAQT9FLSqTsh8/AQqwbtnGu+8F33HK1fGinlHw6dfqgtoENjp6hk
yIrEoCYki7QEZ32XC/wsCZaVJ53h6ziymnX3Rt2LSpIQYBtwDcUMz2Z3dRhaSjDX
/UwliE9cyuKau3LDzu53nXSiwP6EkdOAHb5d2qkBBQUn9HOCKbczsn8BeLWrOq9g
/JDgY3LV5l3SK/NyftReRVXjf3wJ3GZpTh6cbPCjAhaqtb2DRH++77CgVtOBC7y0
LAs1Y76Dn+/stH7PXO+gsdww4NhliZhcLXyeCSvpKMcohf/lgX7RY+rBmB30LPzZ
l1mNeUAxyGJFo+UBaJBw9jNpFPhSP7dfCYrUFzxnEzJQduhgOATT+LbA9opCzKQm
QbQzt0lTNZ6iqHvbOFbIUrLooxNW6V+41xahxIPFQYkL5dMRCti47pRCj1z077o3
wraVydXSRRa1tiCgxwh/pzAIsGoT1pxQFCPviHBXOJsahh3to+HPOtQR4KZX4O2t
cBiGwYvo0go=
=d0xU
-----END PGP SIGNATURE-----