SUSE Security Update: Security update for SUSE Manager Server 4.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0671-1
Rating:             moderate
References:         #1083326 #1085414 #1121640 #1123274 #1137248 
                    #1140332 #1144176 #1152673 #1152795 #1153269 
                    #1154246 #1154590 #1154599 #1155281 #1155372 
                    #1156751 #1157317 #1157346 #1157447 #1157700 
                    #1157975 #1158178 #1158181 #1158283 #1158480 
                    #1158564 #1158672 #1158697 #1158754 #1158818 
                    #1158899 #1158943 #1159012 #1159023 #1159076 
                    #1159184 #1159492 #1159553 #1160184 #1160940 
                    #1161755 #1161862 #1162609 #1162683 #1164120 
                    #1164309 #1164452 #1164649 #1164875 #1165541 
                    #1165927 #1166061 #1166388 
Cross-References:   CVE-2018-1077 CVE-2020-1693
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________

   An update that solves two vulnerabilities and has 51 fixes
   is now available.

Description:


   This update fixes the following issues:

   branch-network-formula:

   - Update formula to include terminal naming and identification

   image-sync-formula:

   - Prevent installing xdelta3 package and disable delta functionality
     on SLE12 branch servers (bsc#1159553)

   mgr-osad:

   - Take care that osad is not disabled nor deactivated during update
     (bsc#1157700, bsc#1158697)

   patterns-suse-manager:

   - Add recommends for virtualization-host-formula to suma_server pattern
   - Add recommends for virtualization-host-formula to retail

   prometheus-formula:

   - Bugfix: disabled fields not enabled when checkbox is checked

   pxe-default-image-sle15:

   - Adapt to new kiwi version to fix pre registration in the bare-metal
     image (bsc#1153269)

   pxe-formula:

   - Add support for new features in terminal naming
   - Remove branch_id from pxe form, moved to branch-network form

   py26-compat-salt:

   - Replace pycrypto with M2Crypto as dependency for SLE15+

   python-susemanager-retail:

   - Add support for terminal naming block
   - Add delta support for SLE15 tar.xz bundles

   redstone-xmlrpc:

   - Disable external entity parsing (1790381, bsc#1164120, CVE-2020-1693)
   - Do not download external entities (1555429, bsc#1085414, CVE-2018-1077)

   salt-netapi-client:

   - Version 0.17.0 See:
     https://github.com/SUSE/salt-netapi-client/releases/tag/v0.17.0

   spacecmd:

   - Bugfix: attempt to purge SSM when it is empty (bsc#1155372)

   spacewalk-admin:

   - Spell correctly "successful" and "successfully"

   spacewalk-backend:

   - Fix mgrcfg-client python3 breakage (bsc#1164309)
   - Update doc link to point to new documentation server
   - Prevent timestamp format exception on mgr-inter-sync while processing
     comps (bsc#1157346)
   - When downloading repo metadata, don't add "/" to the repo url if it
     already ends with one (bsc#1158899)
   - Use HTTP proxy settings when fetching the mirrorlist on
     spacewalk-repo-sync (bsc#1159076)
   - Enhance suseProducts via ISS to fix SP migration on slave server
     (bsc#1159184)
   - Prevent a traceback when reposyncing openSUSE 15.1 (bsc#1158672)
   - Close config files after reading them (bsc#1158283)
   - Associate VMs and systems with the same machine ID at bootstrap
     (bsc#1144176)

   spacewalk-certs-tools:

   - Add 'start_event_grains' minion option to configfile when generated by
     bootstrap script
   - Forbid multiple activation keys for salt minions during bootstrap
     (bsc#1164452)
   - Add additional minion options to configfile when generated by bootstrap
     script (bsc#1159492)
   - Change the order to check the version correctly for RES (bsc#1152795)

   spacewalk-client-tools:

   - Spell correctly "successful" and "successfully"

   system-lock-formula:

   - Clarified terms along documentation and product (bsc#1166061)

   spacewalk-java:

   - Feat: enable Salt system lock when CaaSP node is onboarded and add
     depedency to 'system-lock-formula' (bsc#1165541)
   - Support non discoverable fqdns via custom grain (bsc#1155281)
   - Handle the non-existent requested grains gracefully
   - Get the machineid grain from the minion startup event
   - Use term 'patch' instead of 'errata' (bsc#1164649)
   - Enable provisioning API with salt and bootstrap entitled systems
   - Fix a problem with removing the monitoring entitlement from a system
   - Improve performance when adding systems to system groups (bsc#1158754)
   - Migrate pillar and formula data on minion id change (bsc#1161755)
   - Change doc links pointing to new documentation server
   - Call saltutil.sync_all before calling highstate (bsc#1152673)
   - Exclude base products from PAYG (Pay-As-You-Go) instances when doing
     subscription matching
   - Show additional headers and dependencies for deb packages
   - Show adequate message on saving formulas that change only pillar data
   - Fix mgr-sync add channel when fromdir is configured (bsc#1160184)
   - Handle not found re-activation key (bsc#1159012)
   - Write a list of formulas sorted by execution order (bsc#1083326)
   - Use channel name from product tree instead of constructing it
     (bsc#1157317)
   - Read the subscriptions from the output instead of input (bsc#1140332)
   - Rename rhncfg-actions to mgr-cfg-actions in UI advice (bsc#1137248)
   - Fix container image import (bsc#1154246)
   - Add missing permission checks on formula api (bsc#1123274)
   - Generate metadata with empty vendor (bsc#1158480)
   - Remove undefined variable from redhat_register snippet
   - Add a method in API to check if the provided session key is a valid one.
   - Associate VMs and systems with the same machine ID at bootstrap
     (bsc#1144176)
   - Fix minion id when applying engine-events state (bsc#1158181)
   - Remove unnecessary WARN log entries from Kubernetes integration
   - Fix for pillar not being refreshed when CaaSP pattern is detected upon
     software profile update (bsc#1166061)

   spacewalk-search:

   - Make rhn-search log to correct file (bsc#1156751)

   spacewalk-setup:

   - Spell correctly "successful" and "successfully"
   - create AJP connector for tomcat if it does not exist (bsc#1165927,
     bsc#1166388)

   spacewalk-utils:

   - Spell "successfully" correctly

   spacewalk-web:

   - Don't validate mandatory fields that are not visible (bsc#1158943)
   - Fix count of changes to build (bsc#1160940)
   - Report merge_subscriptions message in a readable way (bsc#1140332)
   - Fix ordering by date (bsc#1158818)

   subscription-matcher:

   - Add missing library for SLE15 SP2 (slf4j-log4j12)
   - Make the code usable with Math3 on SLES
   - Use log4j12 package on newer SLE versions
   - Aggregate stackable subscriptions with same parameters   - Implement new "swap move" used in optaplanner (bsc#1140332)
   - Enable aarch64 builds, except for SLE < 15

   susemanager:

   - Add missing python libraries to RES8/RHEL8/CentOS 8 boostrap repos
     (bsc#1164875)
   - Add bootstrap-repo data for OES 2018 SP2 (bsc#1161862)
   - Add bootstrap-repo data for SLE15 SP2 Family
   - Fix documentation URL in installer (bsc#1154590)
   - Update requirements to match documented values (bsc#1154599)

   susemanager-doc-indexes:

   - Adding Additional FQDNS for Proxies with Salt
   - Reference guide review and update moving content into tabular format
   - Autogenerate pdf index from antora html nav lists
   - Documentation needs to address using RHEL8 in the correct way
     (bsc#1159023)
   - Traditional clients bootstrap, the example applies to SLES ES 7 only
     (bsc#1158564)
   - Remove auditlog-keeper from list
   - Removed duplicate client requirements entries
   - Fix missing spaces throughout docs
   - Added the complete path for using manager-setup
   - Fix typo in vhm-kubernetes
   - Cleaned up client registration documents
   - Improved ubuntu instructions
   - Explain how to compose a DSN string for monitoring
   - Added publishing dates to individual book intros
   - Updated common spacewalk-common-channels usage
   - Adding Additional FQDNS for Proxies with Salt
   - Reference guide review and update moving content into tabular format
   - Autogenerate pdf index from antora html nav lists
   - Documentation needs to address using RHEL8 in the correct way
     (bsc#1159023)
   - Traditional clients bootstrap, the example applies to SLES ES 7 only
     (bsc#1158564)
   - Remove auditlog-keeper from list
   - Removed duplicate client requirements entries
   - Fix missing spaces throughout docs
   - Added the complete path for using manager-setup
   - Fix typo in vhm-kubernetes
   - Cleaned up client registration documents
   - Improved ubuntu instructions
   - Explain how to compose a DSN string for monitoring
   - Added publishing dates to individual book intros
   - Updated common spacewalk-common-channels usage

   susemanager-docs_en:

   - Adding Additional FQDNS for Proxies with Salt
   - Reference guide review and update moving content into tabular format
   - Autogenerate pdf index from antora html nav lists
   - Documentation needs to address using RHEL8 in the correct way
     (bsc#1159023)
   - Traditional clients bootstrap, the example applies to SLES ES 7 only
     (bsc#1158564)
   - Remove auditlog-keeper from list
   - Removed duplicate client requirements entries
   - Fix missing spaces throughout docs
   - Added the complete path for using manager-setup
   - Fix typo in vhm-kubernetes
   - Cleaned up client registration documents
   - Improved ubuntu instructions
   - Explain how to compose a DSN string for monitoring
   - Added publishing dates to individual book intros
   - Updated common spacewalk-common-channels usage
   - Adding Additional FQDNS for Proxies with Salt
   - Reference guide review and update moving content into tabular format
   - Autogenerate pdf index from antora html nav lists
   - Documentation needs to address using RHEL8 in the correct way
     (bsc#1159023)
   - Traditional clients bootstrap, the example applies to SLES ES 7 only
     (bsc#1158564)
   - Remove auditlog-keeper from list
   - Removed duplicate client requirements entries
   - Fix missing spaces throughout docs
   - Added the complete path for using manager-setup
   - Fix typo in vhm-kubernetes
   - Cleaned up client registration documents
   - Improved ubuntu instructions
   - Explain how to compose a DSN string for monitoring
   - Added publishing dates to individual book intros
   - Updated common spacewalk-common-channels usage

   susemanager-schema:

   - Add new 'payg' attribute to rhnServer table
   - Enable re-activation keys for salt managed systems (bsc#1159012)
   - Generate metadata with empty vendor (bsc#1158480)
   - Fix rhnActionVirtDelete when migrating from 3.2 to 4.0 (bsc#1158178)

   susemanager-sls:

   - Install dmidecode before HW profile update when missing
   - Add mgr_start_event_grains.sls to update minion config
   - Add 'product' custom state module to handle installation of SUSE
     products at client side (bsc#1157447)
   - Support reading of pillar data for minions from multiple files
     (bsc#1158754)
   - Do not workaround util.syncmodules for SSH minions (bsc#1162609)
   - Force to run util.synccustomall when triggering action chains on SSH
     minions (bsc#1162683).
   - Add custom 'is_payg_instance' grain when instance is PAYG and not BYOS.
   - Adapt sls file for pre-downloading in Ubuntu minions
   - Sort formulas by execution order (bsc#1083326)
   - Split remove_traditional_stack into two parts. One for all systems and
     another for clients not being a Uyuni Server or Proxy (bsc#1121640)
   - Change the order to check the version correctly for RES (bsc#1152795)
   - Do not break Servers registering to a Server
   - Remove the virt-poller cache when applying Virtualization entitlement
   - Force HTTP request timeout on public cloud grain (bsc#1157975)

   susemanager-sync-data:

   - Add OES 2018 SP2 (bsc#1161862)
   - Rename RHEL 8 Base product
   - Change channel family name according to SCC data

   How to apply this update: 1. Log in as root user to the SUSE Manager
   server. 2. Stop the Spacewalk service: spacewalk-service stop 3. Apply the
   patch using either zypper patch or YaST Online Update. 4. Upgrade the
   database schema: spacewalk-schema-upgrade 5. Start the Spacewalk service:
   spacewalk-service start


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-671=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64):

      patterns-suma_retail-4.0-9.10.2
      patterns-suma_server-4.0-9.10.2
      susemanager-4.0.22-3.20.3
      susemanager-tools-4.0.22-3.20.3

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):

      branch-network-formula-0.1.1580471316.1839544-3.10.2
      image-sync-formula-0.1.1579102150.4716559-3.11.2
      mgr-osa-dispatcher-4.0.11-3.9.2
      prometheus-formula-0.1-4.7.2
      pxe-default-image-sle15-4.0.1-20200305173027
      pxe-formula-0.1.1580384994.6076a7e-3.11.2
      py26-compat-salt-2016.11.10-10.11.2
      python3-mgr-osa-common-4.0.11-3.9.2
      python3-mgr-osa-dispatcher-4.0.11-3.9.2
      python3-spacewalk-backend-libs-4.0.30-3.23.3
      python3-spacewalk-certs-tools-4.0.15-3.15.2
      python3-spacewalk-client-tools-4.0.12-3.13.2
      python3-susemanager-retail-1.0.1580471316.1839544-3.13.2
      redstone-xmlrpc-1.1_20071120-0.11.3.2
      salt-netapi-client-0.17.0-4.3.2
      spacecmd-4.0.18-3.13.2
      spacewalk-admin-4.0.9-3.6.2
      spacewalk-backend-4.0.30-3.23.3
      spacewalk-backend-app-4.0.30-3.23.3
      spacewalk-backend-applet-4.0.30-3.23.3
      spacewalk-backend-config-files-4.0.30-3.23.3
      spacewalk-backend-config-files-common-4.0.30-3.23.3
      spacewalk-backend-config-files-tool-4.0.30-3.23.3
      spacewalk-backend-iss-4.0.30-3.23.3
      spacewalk-backend-iss-export-4.0.30-3.23.3
      spacewalk-backend-package-push-server-4.0.30-3.23.3
      spacewalk-backend-server-4.0.30-3.23.3
      spacewalk-backend-sql-4.0.30-3.23.3
      spacewalk-backend-sql-postgresql-4.0.30-3.23.3
      spacewalk-backend-tools-4.0.30-3.23.3
      spacewalk-backend-xml-export-libs-4.0.30-3.23.3
      spacewalk-backend-xmlrpc-4.0.30-3.23.3
      spacewalk-base-4.0.19-3.18.3
      spacewalk-base-minimal-4.0.19-3.18.3
      spacewalk-base-minimal-config-4.0.19-3.18.3
      spacewalk-certs-tools-4.0.15-3.15.2
      spacewalk-client-tools-4.0.12-3.13.2
      spacewalk-html-4.0.19-3.18.3
      spacewalk-java-4.0.31-3.23.1
      spacewalk-java-config-4.0.31-3.23.1
      spacewalk-java-lib-4.0.31-3.23.1
      spacewalk-java-postgresql-4.0.31-3.23.1
      spacewalk-search-4.0.9-3.11.2
      spacewalk-setup-4.0.13-3.11.1
      spacewalk-taskomatic-4.0.31-3.23.1
      spacewalk-utils-4.0.16-3.15.2
      subscription-matcher-0.25-3.3.2
      susemanager-doc-indexes-4.0-10.18.2
      susemanager-docs_en-4.0-10.18.2
      susemanager-docs_en-pdf-4.0-10.18.2
      susemanager-retail-tools-1.0.1580471316.1839544-3.13.2
      susemanager-schema-4.0.18-3.17.2
      susemanager-sls-4.0.24-3.17.2
      susemanager-sync-data-4.0.16-3.15.2
      susemanager-web-libs-4.0.19-3.18.3
      system-lock-formula-0.2-4.5.1
      virtualization-host-formula-0.2-4.3.2


References:

   https://www.suse.com/security/cve/CVE-2018-1077.html
   https://www.suse.com/security/cve/CVE-2020-1693.html
   https://bugzilla.suse.com/1083326
   https://bugzilla.suse.com/1085414
   https://bugzilla.suse.com/1121640
   https://bugzilla.suse.com/1123274
   https://bugzilla.suse.com/1137248
   https://bugzilla.suse.com/1140332
   https://bugzilla.suse.com/1144176
   https://bugzilla.suse.com/1152673
   https://bugzilla.suse.com/1152795
   https://bugzilla.suse.com/1153269
   https://bugzilla.suse.com/1154246
   https://bugzilla.suse.com/1154590
   https://bugzilla.suse.com/1154599
   https://bugzilla.suse.com/1155281
   https://bugzilla.suse.com/1155372
   https://bugzilla.suse.com/1156751
   https://bugzilla.suse.com/1157317
   https://bugzilla.suse.com/1157346
   https://bugzilla.suse.com/1157447
   https://bugzilla.suse.com/1157700
   https://bugzilla.suse.com/1157975
   https://bugzilla.suse.com/1158178
   https://bugzilla.suse.com/1158181
   https://bugzilla.suse.com/1158283
   https://bugzilla.suse.com/1158480
   https://bugzilla.suse.com/1158564
   https://bugzilla.suse.com/1158672
   https://bugzilla.suse.com/1158697
   https://bugzilla.suse.com/1158754
   https://bugzilla.suse.com/1158818
   https://bugzilla.suse.com/1158899
   https://bugzilla.suse.com/1158943
   https://bugzilla.suse.com/1159012
   https://bugzilla.suse.com/1159023
   https://bugzilla.suse.com/1159076
   https://bugzilla.suse.com/1159184
   https://bugzilla.suse.com/1159492
   https://bugzilla.suse.com/1159553
   https://bugzilla.suse.com/1160184
   https://bugzilla.suse.com/1160940
   https://bugzilla.suse.com/1161755
   https://bugzilla.suse.com/1161862
   https://bugzilla.suse.com/1162609
   https://bugzilla.suse.com/1162683
   https://bugzilla.suse.com/1164120
   https://bugzilla.suse.com/1164309
   https://bugzilla.suse.com/1164452
   https://bugzilla.suse.com/1164649
   https://bugzilla.suse.com/1164875
   https://bugzilla.suse.com/1165541
   https://bugzilla.suse.com/1165927
   https://bugzilla.suse.com/1166061
   https://bugzilla.suse.com/1166388

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates