===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0546
                Security update for SUSE Manager Server 4.0
                              15 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SUSE
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-23901
Reference:         ESB-2021.0433

Original Bulletin:
   https://www.suse.com/support/update/announcement/2021/suse-su-20210448-1

--------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for SUSE Manager Server 4.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0448-1
Rating:             moderate
References:         #1164227 #1164451 #1171836 #1176018 #1176417 #1176823
                    #1176898 #1176906 #1177031 #1177184 #1177336 #1177508
                    #1178303 #1178503 #1178647 #1178839 #1179087 #1179273
                    #1179410 #1179552 #1179589 #1179872 #1179990 #1180001
                    #1180127 #1180285 #1180803 #1181356
Cross-References:   CVE-2021-23901
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________

An update that solves one vulnerability and has 27 fixes is now available.
Description:

This update fixes the following issues:

cpu-mitigations-formula:

  o Handle unsupported target systems gracefully (bsc#1179273)
  o Add mitigations for Xen hypervisor

nutch-core:

  o Fix XXE injection in DmozParser CVE-2021-23901 (bsc#1181356)

smdba:

  o Do not remove the database if there is no backup and deal with manifest
  o Fix smdba throwing an error on mgr-setup/installation
  o Raise an exception on failed external process call
  o Fix TablePrint formatting
  o Rename configuration parameter wal_keep_segments to wal_keep_size
    (jsc#SLE-17030)
  o Revert modifying cpu_tuple_cost
  o Adapted spec file for RHEL8
  o Adapt recover mechanism for postgresql12 and later

spacecmd:

  o Fix spacecmd producing a traceback when run with no parameters on
    SLE 11 SP4 (bsc#1176823)

spacewalk-backend:

  o Reposync: Fixed Kickstart functionality.
  o Reposync: Fixed URLGrabber error handling.
  o Reposync: Fix modular data handling for cloned channels (bsc#1177508)
  o Truncate author name in the changelog (bsc#1180285)
  o Drop Transfer-Encoding header from proxy response to fix error response
    messages (bsc#1176906)
  o Prevent tracebacks on missing mail configuration (bsc#1179990)
  o Fix pycurl.error handling in suseLib.py (bsc#1179990)
  o Use sanitized repo label to build reposync repo cache path (bsc#1179410)
  o Quote the proxy settings to be used by Zypper (bsc#1179087)
  o Fix spacewalk-repo-sync to successfully manage and sync ULN repositories
  o Fix errors in spacewalk-debug and align postgresql queries to new DB
    version

spacewalk-branding:

  o Set Copyright year to 2021

spacewalk-certs-tools:

  o Improve check for correct CA trust store directory (bsc#1176417)

spacewalk-java:

  o Fix modular data handling for cloned channels (bsc#1177508)
  o Fix reboot action race condition (bsc#1177031)
  o Fix availability check for debian repositories (bsc#1180127)
  o Ignore duplicate NEVRAs in package profile update (bsc#1176018)
  o Prevent deletion of CLM environments if they're used in an
    autoinstallation profile (bsc#1179552)
  o Register saltkey XMLRPC handler and fix behavior of delete salt key
    (bsc#1179872)
  o Add validation for custom repository labels
  o Fix expanded support detection based on CentOS installations
    (bsc#1179589)
  o Add translation strings for newly added countries and timezones
    (jsc#PM-2081)
  o Fix the activation key handling from kickstart profile (bsc#1178647)
  o Update exception message in findSyncedMandatoryChannels
  o Fix check for available products on ISS Slaves (bsc#1177184)
  o Get media.1/products for cloned channels (bsc#1178303)
  o Calculate size to truncate a history message based on the htmlified
    version (bsc#1178503)
  o Change message "Minion is down" to be more accurate
  o XMLRPC: Report architecture label in the list of installed packages
    (bsc#1176898)

spacewalk-reports:

  o Fix missing file content in `spacewalk-report config-files`
  o Write ` ` placeholder instead of dumping binary data

spacewalk-utils:

  o Fix modular data handling for cloned channels (bsc#1177508)

spacewalk-web:

  o Prevent deletion of CLM environments if they're used in an
    autoinstallation profile (bsc#1179552)
  o Fix mandatory channels JS API to finish loading in case of error
    (bsc#1178839)

supportutils-plugin-susemanager:

  o Remove checks for obsolete packages
  o Gather new configfiles
  o Add more important information

susemanager-doc-indexes:

  o Added new section for bootstrap repository for end of life products in
    Client Configuration Guide
  o Remove old certs before renaming moved to Administration Guide
    (bsc#1171836)
  o Fixed error in Create and Replace CA and Server Certificates of
    Administration Guide (bsc#1180001)
  o Combining activation keys works only with traditional clients. Updated
    in Client Configuration Guide and Reference. (bsc#1164451)

susemanager-docs_en:

  o Added new section for bootstrap repository for end of life products in
    Client Configuration Guide
  o Remove old certs before renaming moved to Administration Guide
    (bsc#1171836)
  o Fixed error in Create and Replace CA and Server Certificates of
    Administration Guide (bsc#1180001)
  o Combining activation keys works only with traditional clients. Updated
    Client Configuration Guide and Reference. (bsc#1164451)

susemanager-frontend-libs:

  o Update Bootstrap to 3.1.0

susemanager-schema:

  o Add new valid countries and timezones (jsc#PM-2081)

susemanager-sls:

  o Fix apt login for similar channel labels (bsc#1180803)
  o Change behavior of mgrcompat wrapper after deprecation changes on
    Salt 3002
  o Make autoinstallation provisioning compatible with GRUB and ELILO in
    addition to GRUB2 only (bsc#1164227)
  o Fix: sync before start action chains (bsc#1177336)

susemanager-sync-data:

  o Change centos 6 URLs to vault.centos.org
  o Add new channel families for CAASP on ARM64 and HPC15 SP2 LTSS
  o Remove duplicate repo definition

How to apply this update:

  1. Log in as root user to the SUSE Manager server.
  2. Stop the Spacewalk service: `spacewalk-service stop`
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Upgrade the database schema: `spacewalk-schema-upgrade`
  5. Start the Spacewalk service: `spacewalk-service start`

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for SUSE Manager Server 4.0:

    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2021-448=1

Package List:

  o SUSE Linux Enterprise Module for SUSE Manager Server 4.0
    (ppc64le s390x x86_64):

       smdba-1.7.8-0.3.3.2
       spacewalk-branding-4.0.19-3.21.3

  o SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):

       cpu-mitigations-formula-0.3-4.9.2
       nutch-core-1.0.1-4.5.2
       python3-spacewalk-backend-libs-4.0.36-3.41.2
       python3-spacewalk-certs-tools-4.0.18-3.24.2
       spacecmd-4.0.22-3.25.2
       spacewalk-backend-4.0.36-3.41.2
       spacewalk-backend-app-4.0.36-3.41.2
       spacewalk-backend-applet-4.0.36-3.41.2
       spacewalk-backend-config-files-4.0.36-3.41.2
       spacewalk-backend-config-files-common-4.0.36-3.41.2
       spacewalk-backend-config-files-tool-4.0.36-3.41.2
       spacewalk-backend-iss-4.0.36-3.41.2
       spacewalk-backend-iss-export-4.0.36-3.41.2
       spacewalk-backend-package-push-server-4.0.36-3.41.2
       spacewalk-backend-server-4.0.36-3.41.2
       spacewalk-backend-sql-4.0.36-3.41.2
       spacewalk-backend-sql-postgresql-4.0.36-3.41.2
       spacewalk-backend-tools-4.0.36-3.41.2
       spacewalk-backend-xml-export-libs-4.0.36-3.41.2
       spacewalk-backend-xmlrpc-4.0.36-3.41.2
       spacewalk-base-4.0.26-3.39.3
       spacewalk-base-minimal-4.0.26-3.39.3
       spacewalk-base-minimal-config-4.0.26-3.39.3
       spacewalk-certs-tools-4.0.18-3.24.2
       spacewalk-html-4.0.26-3.39.3
       spacewalk-java-4.0.41-3.51.2
       spacewalk-java-config-4.0.41-3.51.2
       spacewalk-java-lib-4.0.41-3.51.2
       spacewalk-java-postgresql-4.0.41-3.51.2
       spacewalk-reports-4.0.6-3.3.2
       spacewalk-taskomatic-4.0.41-3.51.2
       spacewalk-utils-4.0.19-3.24.2
       supportutils-plugin-susemanager-4.0.5-3.6.2
       susemanager-doc-indexes-4.0-10.30.2
       susemanager-docs_en-4.0-10.30.2
       susemanager-docs_en-pdf-4.0-10.30.2
       susemanager-frontend-libs-4.0.3-4.6.2
       susemanager-schema-4.0.24-3.35.2
       susemanager-sls-4.0.32-3.40.2
       susemanager-sync-data-4.0.20-3.32.2
       susemanager-web-libs-4.0.26-3.39.3
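A post-patch check for the apply steps and package list above, added here as an example (it is not SUSE's or AusCERT's code): it compares the installed version-release of a subset of the listed packages with the fixed level from the advisory. It assumes GNU sort -V orders these version-release strings the same way rpmvercmp does, and only queries rpm where it exists.

```shell
#!/bin/sh
# Post-patch check for SUSE-SU-2021:0448-1 (added example, not SUSE's or AusCERT's code):
# compare each installed package's version-release (rpm -q) with the fixed level from the
# advisory's Package List. Ordering uses GNU sort -V, which approximates rpmvercmp (assumption).

# Package and fixed version-release, copied from the advisory (subset of the full list).
FIXED='nutch-core 1.0.1-4.5.2
smdba 1.7.8-0.3.3.2
spacecmd 4.0.22-3.25.2
spacewalk-backend 4.0.36-3.41.2
spacewalk-java 4.0.41-3.51.2
susemanager-schema 4.0.24-3.35.2
susemanager-sls 4.0.32-3.40.2'

# version_ge A B: succeed when version-release A is at or above B.
version_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# installed_version PKG: print the installed version-release, or "missing".
installed_version() {
    if rpm -q "$1" >/dev/null 2>&1; then rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1"
    else echo missing; fi
}

# check_package PKG INSTALLED FIXED: print a status line; fail only when the
# package is installed and still below the fixed level.
check_package() {
    if [ "$2" = missing ]; then echo "SKIP  $1 (not installed)"
    elif version_ge "$2" "$3"; then echo "OK    $1 $2 (fixed: $3)"
    else echo "VULN  $1 $2 (fixed: $3)"; return 1; fi
}

# audit: check every listed package; fail if any installed one is below the fixed level.
audit() {
    failed=0
    while read -r pkg want; do
        check_package "$pkg" "$(installed_version "$pkg")" "$want" || failed=1
    done <<EOF
$FIXED
EOF
    return $failed
}

# Run only where rpm exists, i.e. on the SUSE Manager server itself.
if command -v rpm >/dev/null 2>&1; then
    if audit; then echo "RESULT: patched"; else echo "RESULT: unpatched packages present"; fi
fi
```

Run it as root on the SUSE Manager server after step 5; a VULN line means the package is still below the level shipped in this update.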
References:

  o https://www.suse.com/security/cve/CVE-2021-23901.html
  o https://bugzilla.suse.com/1164227
  o https://bugzilla.suse.com/1164451
  o https://bugzilla.suse.com/1171836
  o https://bugzilla.suse.com/1176018
  o https://bugzilla.suse.com/1176417
  o https://bugzilla.suse.com/1176823
  o https://bugzilla.suse.com/1176898
  o https://bugzilla.suse.com/1176906
  o https://bugzilla.suse.com/1177031
  o https://bugzilla.suse.com/1177184
  o https://bugzilla.suse.com/1177336
  o https://bugzilla.suse.com/1177508
  o https://bugzilla.suse.com/1178303
  o https://bugzilla.suse.com/1178503
  o https://bugzilla.suse.com/1178647
  o https://bugzilla.suse.com/1178839
  o https://bugzilla.suse.com/1179087
  o https://bugzilla.suse.com/1179273
  o https://bugzilla.suse.com/1179410
  o https://bugzilla.suse.com/1179552
  o https://bugzilla.suse.com/1179589
  o https://bugzilla.suse.com/1179872
  o https://bugzilla.suse.com/1179990
  o https://bugzilla.suse.com/1180001
  o https://bugzilla.suse.com/1180127
  o https://bugzilla.suse.com/1180285
  o https://bugzilla.suse.com/1180803
  o https://bugzilla.suse.com/1181356

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================