-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0546
                Security update for SUSE Manager Server 4.0
                             15 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SUSE
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-23901  

Reference:         ESB-2021.0433

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2021/suse-su-20210448-1

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for SUSE Manager Server 4.0

______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:0448-1
Rating:            moderate
References:        #1164227 #1164451 #1171836 #1176018 #1176417 #1176823
                   #1176898 #1176906 #1177031 #1177184 #1177336 #1177508
                   #1178303 #1178503 #1178647 #1178839 #1179087 #1179273
                   #1179410 #1179552 #1179589 #1179872 #1179990 #1180001
                   #1180127 #1180285 #1180803 #1181356
Cross-References:  CVE-2021-23901
Affected Products:
                   SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________

An update that solves one vulnerability and has 27 fixes is now available.

Description:

This update fixes the following issues:
cpu-mitigations-formula:

  o Handle unsupported target systems gracefully (bsc#1179273)
  o add mitigations for Xen hypervisor


nutch-core:

  o Fix XXE injection in DmozParser CVE-2021-23901 (bsc#1181356)


smdba:

  o Do not remove the database if there is no backup and deal with manifest
  o Fix smdba throws error on mgr-setup/installation
  o Raise an exception on failed external process call
  o Fix TablePrint formatting
  o Rename configuration parameter wal_keep_segments to wal_keep_size (jsc#
    SLE-17030)
  o Revert modifying cpu_tuple_cost
  o Adapted spec file for RHEL8
  o Adapt recover mechanism for postgresql12 and later


spacecmd:

  o Fix spacecmd with no parameters produces traceback on SLE 11 SP4 (bsc#
    1176823)


spacewalk-backend:

  o Reposync: Fixed Kickstart functionality.
  o Reposync: Fixed URLGrabber error handling.
  o Reposync: Fix modular data handling for cloned channels (bsc#1177508)
  o Truncate author name in the changelog (bsc#1180285)
  o Drop Transfer-Encoding header from proxy respone to fix error response
    messages (bsc#1176906)
  o Prevent tracebacks on missing mail configuration (bsc#1179990)
  o Fix pycurl.error handling in suseLib.py (bsc#1179990)
  o Use sanitized repo label to build reposync repo cache path (bsc#1179410)
  o Quote the proxy settings to be used by Zypper (bsc#1179087)
  o Fix spacewalk-repo-sync to successfully manage and sync ULN repositories
  o Fix errors in spacewalk-debug and align postgresql queries to new DB
    version


spacewalk-branding:

  o Set Copyright year to 2021


spacewalk-certs-tools:

  o Improve check for correct CA trust store directory (bsc#1176417)


spacewalk-java:

  o Fix modular data handling for cloned channels (bsc#1177508)
  o Fix reboot action race condition (bsc#1177031)
  o Fix availability check for debian repositories (bsc#1180127)
  o Ignore duplicate NEVRAs in package profile update (bsc#1176018)
  o Prevent deletion of CLM environments if they're used in an autoinstallation
    profile (bsc#1179552)
  o Register saltkey XMLRPC handler and fix behavior of delete salt key (bsc#
    1179872)
  o Add validation for custom repository labels
  o Fix expanded support detection based on CentOS installations (bsc#1179589)
  o Add translation strings for newly added countries and timezones (jsc#
    PM-2081)
  o Fix the activation key handling from kickstart profile (bsc#1178647)
  o Update exception message in findSyncedMandatoryChannels
  o Fix check for available products on ISS Slaves (bsc#1177184)
  o Get media.1/products for cloned channels (bsc#1178303)
  o Calculate size to truncate a history message based on the htmlified version
    (bsc#1178503)
  o Change message "Minion is down" to be more accurate
  o XMLRPC: Report architecture label in the list of installed packages (bsc#
    1176898)


spacewalk-reports:

  o Fixes no file content in `spacewalk-report config-files`
  o Write ` ` placeholder instead of dumping binary data


spacewalk-utils:

  o Fix modular data handling for cloned channels (bsc#1177508)


spacewalk-web:

  o Prevent deletion of CLM environments if they're used in an autoinstallation
    profile (bsc#1179552)
  o Fix mandatory channels JS API to finish loading in case of error (bsc#
    1178839)


supportutils-plugin-susemanager:

  o Remove checks for obsolete packages
  o Gather new configfiles
  o Add more important informations


susemanager-doc-indexes:

  o Added new section for bootstrap repository for end of life products in
    Client Configuration Guide
  o Remove old certs before renaming moved to Administration Guide (bsc#
    1171836)
  o Fixed error in Create and Replace CA and Server Certificates of
    Administration Guide (bsc#1180001)
  o Combining activation keys works only with traditional clients. Updated in
    Client Configuration Guide and Reference. (bsc#1164451)


susemanager-docs_en:

  o Added new section for bootstrap repository for end of life products in
    Client Configuration Guide
  o Remove old certs before renaming moved to Administration Guide (bsc#
    1171836)
  o Fixed error in Create and Replace CA and Server Certificates of
    Administration Guide (bsc#1180001)
  o Combining activation keys works only with traditional clients. Updated
    Client Configuration Guide and Reference. (bsc#1164451)


susemanager-frontend-libs:

  o Update Bootstrap to 3.1.0


susemanager-schema:

  o Add new valid countries and timezones (jsc#PM-2081)


susemanager-sls:

  o Fix apt login for similar channel labels (bsc#1180803)
  o Change behavior of mgrcompat wrapper after deprecation changes on Salt 3002
  o Make autoinstallation provisoning compatible with GRUB and ELILO in
    addition to GRUB2 only (bsc#1164227)
  o Fix: sync before start action chains (bsc#1177336)


susemanager-sync-data:

  o Change centos 6 URLs to vault.centos.org
  o Add new channel families for CAASP on ARM64 and HPC15 SP2 LTSS
  o Remove duplicate repo definition


How to apply this update:
1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk
service: `spacewalk-service stop` 3. Apply the patch using either zypper patch
or YaST Online Update. 4. Upgrade the database schema:
`spacewalk-schema-upgrade` 5. Start the Spacewalk service: `spacewalk-service
start`

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for SUSE Manager Server 4.0:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2021-448=1

Package List:

  o SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x
    x86_64):
       smdba-1.7.8-0.3.3.2
       spacewalk-branding-4.0.19-3.21.3
  o SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):
       cpu-mitigations-formula-0.3-4.9.2
       nutch-core-1.0.1-4.5.2
       python3-spacewalk-backend-libs-4.0.36-3.41.2
       python3-spacewalk-certs-tools-4.0.18-3.24.2
       spacecmd-4.0.22-3.25.2
       spacewalk-backend-4.0.36-3.41.2
       spacewalk-backend-app-4.0.36-3.41.2
       spacewalk-backend-applet-4.0.36-3.41.2
       spacewalk-backend-config-files-4.0.36-3.41.2
       spacewalk-backend-config-files-common-4.0.36-3.41.2
       spacewalk-backend-config-files-tool-4.0.36-3.41.2
       spacewalk-backend-iss-4.0.36-3.41.2
       spacewalk-backend-iss-export-4.0.36-3.41.2
       spacewalk-backend-package-push-server-4.0.36-3.41.2
       spacewalk-backend-server-4.0.36-3.41.2
       spacewalk-backend-sql-4.0.36-3.41.2
       spacewalk-backend-sql-postgresql-4.0.36-3.41.2
       spacewalk-backend-tools-4.0.36-3.41.2
       spacewalk-backend-xml-export-libs-4.0.36-3.41.2
       spacewalk-backend-xmlrpc-4.0.36-3.41.2
       spacewalk-base-4.0.26-3.39.3
       spacewalk-base-minimal-4.0.26-3.39.3
       spacewalk-base-minimal-config-4.0.26-3.39.3
       spacewalk-certs-tools-4.0.18-3.24.2
       spacewalk-html-4.0.26-3.39.3
       spacewalk-java-4.0.41-3.51.2
       spacewalk-java-config-4.0.41-3.51.2
       spacewalk-java-lib-4.0.41-3.51.2
       spacewalk-java-postgresql-4.0.41-3.51.2
       spacewalk-reports-4.0.6-3.3.2
       spacewalk-taskomatic-4.0.41-3.51.2
       spacewalk-utils-4.0.19-3.24.2
       supportutils-plugin-susemanager-4.0.5-3.6.2
       susemanager-doc-indexes-4.0-10.30.2
       susemanager-docs_en-4.0-10.30.2
       susemanager-docs_en-pdf-4.0-10.30.2
       susemanager-frontend-libs-4.0.3-4.6.2
       susemanager-schema-4.0.24-3.35.2
       susemanager-sls-4.0.32-3.40.2
       susemanager-sync-data-4.0.20-3.32.2
       susemanager-web-libs-4.0.26-3.39.3


References:

  o https://www.suse.com/security/cve/CVE-2021-23901.html
  o https://bugzilla.suse.com/1164227
  o https://bugzilla.suse.com/1164451
  o https://bugzilla.suse.com/1171836
  o https://bugzilla.suse.com/1176018
  o https://bugzilla.suse.com/1176417
  o https://bugzilla.suse.com/1176823
  o https://bugzilla.suse.com/1176898
  o https://bugzilla.suse.com/1176906
  o https://bugzilla.suse.com/1177031
  o https://bugzilla.suse.com/1177184
  o https://bugzilla.suse.com/1177336
  o https://bugzilla.suse.com/1177508
  o https://bugzilla.suse.com/1178303
  o https://bugzilla.suse.com/1178503
  o https://bugzilla.suse.com/1178647
  o https://bugzilla.suse.com/1178839
  o https://bugzilla.suse.com/1179087
  o https://bugzilla.suse.com/1179273
  o https://bugzilla.suse.com/1179410
  o https://bugzilla.suse.com/1179552
  o https://bugzilla.suse.com/1179589
  o https://bugzilla.suse.com/1179872
  o https://bugzilla.suse.com/1179990
  o https://bugzilla.suse.com/1180001
  o https://bugzilla.suse.com/1180127
  o https://bugzilla.suse.com/1180285
  o https://bugzilla.suse.com/1180803
  o https://bugzilla.suse.com/1181356

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYCnCfuNLKJtyKPYoAQiLRQ/+ILYpz8X6p9qAdoHiFnAtCwufoA9iEquz
ZdBQapvIY6wk7ExPBonjiKKA1/gXpY7WFbJRliuYuS4l2tpm1fQeWV84UM/cVLEz
JGt1Mn3KsHTStJTP3ZB/anv4HrnHX79b9wFRSVQjx2HnF/4zwGYYHh4VGJL503w7
2uVmln+j0GmVZD+dAWD62a0j84Jac8i568XDu+a7j02djMzF3QN/03K4e//gV1pX
VPHQuNf+HGEGXuH4iZqThkjs0HOCv2XByOAgPiztC+Ex1riMKotKbMYCVkCu/R/L
I+AeIT7xtlYrz4UIQYyakI57GoKpn7LPzp/sCiJxywBbD3TQbIKpm1Kr0phnhe9X
mkqJ3iqF6bHPbvKwvcdkpnGmICbx+EoZB+Lxmf9cCEZPEsDcQ67ElrVeIh29LLck
KOv7+XDKKlqaUe+5wSI7T6V6hAgn/qRrlTaeWtKHjmfR+l1/jIPtMVWQvKsvjcax
yYyZI6jhTyR5w1EeszKK7y1nWhnaO0bJ0OS03hnKu0G/3UXpwQvBrAPeAJLwEZI1
RM8yDmm5xKolZLT0lxolCXYon7J34fxhnJHZHdbm2D7XlH29WJ3dIgL2ThX/CEQE
rSe6vxiwhwHAVyn7LmfOIw10lO5vipGiHgaBYvRqZw8GhBlIN/jPDhPz0IxjmblT
+CR3ix4k93g=
=BEuC
-----END PGP SIGNATURE-----