SUSE Security Update: Security update for SUSE Manager Server 3.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0856-1
Rating:             moderate
References:         #1085414 #1140332 #1155372 #1157317 #1158899 
                    #1159184 #1160246 #1161862 #1162609 #1162683 
                    #1163001 #1163538 #1164120 #1164563 #1164771 
                    #1165425 #1165921 
Cross-References:   CVE-2018-1077 CVE-2020-1693
Affected Products:
                    SUSE Manager Server 3.2
______________________________________________________________________________

   An update that solves two vulnerabilities and has 15 fixes
   is now available.

Description:


   This update fixes the following issues:

   py26-compat-salt:

   - Replace pycrypto with M2Crypto as dependency for SLE15+ (bsc#1165425)

   redstone-xmlrpc:

   - Disable external entity parsing (1790381, bsc#1164120, CVE-2020-1693)
   - Do not download external entities (1555429, bsc#1085414, CVE-2018-1077)

   spacecmd:

   - Bugfix: attempt to purge SSM when it is empty (bsc#1155372)

   spacewalk-admin:

   - Spell correctly "successful" and "successfully"

   spacewalk-backend:

   - When downloading repo metadata, don't add "/" to the repo url if it
     already ends with one (bsc#1158899)
   - Enhance suseProducts via ISS to fix SP migration on slave server
     (bsc#1159184)

   spacewalk-certs-tools:

   - Add minion option in config file to disable salt mine when generated by
     bootstrap script (bsc#1163001)

   spacewalk-client-tools:

   - Do not crash 'mgr-update-status' because 'long' type is not defined in
     Python 3
   - Add workaround for uptime overflow to spacewalk-update-status as well
     (bsc#1165921)
   - Spell correctly "successful" and "successfully"

   spacewalk-java:

   - Fix error when adding systems to ssm with 'add to ssm' button
     (bsc#1160246)
   - Validate the suseproductchannel table and update missing date when
     running mgr-sync refresh (bsc#1163538)
   - Read the subscriptions from the output instead of input (bsc#1140332)
   - Show additional headers and dependencies for deb packages
   - Use channel name from product tree instead of constructing it
     (bsc#1157317)

   spacewalk-setup:

   - Spell correctly "successful" and "successfully"

   spacewalk-utils:

   - Check for delimiter as well when detecting current phase (bsc#1164771)

   spacewalk-web:

   - Report merge_subscriptions message in a readable way (bsc#1140332)

   subscription-matcher:

   - Add missing library for SLE15 SP2 (slf4j-log4j12)
   - Make the code usable with Math3 on SLES
   - Use log4j12 package on newer SLE versions
   - Aggregate stackable subscriptions with same parameters   - Implement new "swap move" used in optaplanner (bsc#1140332)
   - Enable aarch64 builds, except for SLE < 15

   susemanager:

   - Fix salt bootstrapping on SLE15 (require python3-pycrypto or
     python3-M2Crypto to support all variants) (bsc#1164563)
   - Add bootstrap-repo data for OES 2018 SP2 (bsc#1161862)
   - Add bootstrap-repo data for SLE15 SP2 Family

   susemanager-sls:

   - Adapt 'mgractionchains' module to work with Salt 3000
   - Do not workaround util.syncmodules for SSH minions (bsc#1162609)
   - Force to run util.synccustomall when triggering action chains on SSH
     minions (bsc#1162683).

   susemanager-sync-data:

   - Add OES 2018 SP2 (bsc#1161862)
   - Rename RHEL 8 Base product
   - Change channel family name according to SCC data

   How to apply this update: 1. Log in as root user to the SUSE Manager
   server. 2. Stop the Spacewalk service: spacewalk-service stop 3. Apply the
   patch using either zypper patch or YaST Online Update. 4. Upgrade the
   database schema: spacewalk-schema-upgrade 5. Start the Spacewalk service:
   spacewalk-service start


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-856=1



Package List:

   - SUSE Manager Server 3.2 (ppc64le s390x x86_64):

      susemanager-3.2.23-3.40.2
      susemanager-tools-3.2.23-3.40.2

   - SUSE Manager Server 3.2 (noarch):

      py26-compat-salt-2016.11.10-6.35.1
      python2-spacewalk-certs-tools-2.8.8.14-3.23.1
      python2-spacewalk-client-tools-2.8.22.7-3.12.1
      redstone-xmlrpc-1.1_20071120-0.11.3.1
      spacecmd-2.8.25.14-3.32.1
      spacewalk-admin-2.8.4.6-3.12.1
      spacewalk-backend-2.8.57.22-3.48.1
      spacewalk-backend-app-2.8.57.22-3.48.1
      spacewalk-backend-applet-2.8.57.22-3.48.1
      spacewalk-backend-config-files-2.8.57.22-3.48.1
      spacewalk-backend-config-files-common-2.8.57.22-3.48.1
      spacewalk-backend-config-files-tool-2.8.57.22-3.48.1
      spacewalk-backend-iss-2.8.57.22-3.48.1
      spacewalk-backend-iss-export-2.8.57.22-3.48.1
      spacewalk-backend-libs-2.8.57.22-3.48.1
      spacewalk-backend-package-push-server-2.8.57.22-3.48.1
      spacewalk-backend-server-2.8.57.22-3.48.1
      spacewalk-backend-sql-2.8.57.22-3.48.1
      spacewalk-backend-sql-oracle-2.8.57.22-3.48.1
      spacewalk-backend-sql-postgresql-2.8.57.22-3.48.1
      spacewalk-backend-tools-2.8.57.22-3.48.1
      spacewalk-backend-xml-export-libs-2.8.57.22-3.48.1
      spacewalk-backend-xmlrpc-2.8.57.22-3.48.1
      spacewalk-base-2.8.7.23-3.45.1
      spacewalk-base-minimal-2.8.7.23-3.45.1
      spacewalk-base-minimal-config-2.8.7.23-3.45.1
      spacewalk-certs-tools-2.8.8.14-3.23.1
      spacewalk-client-tools-2.8.22.7-3.12.1
      spacewalk-html-2.8.7.23-3.45.1
      spacewalk-java-2.8.78.28-3.47.1
      spacewalk-java-config-2.8.78.28-3.47.1
      spacewalk-java-lib-2.8.78.28-3.47.1
      spacewalk-java-oracle-2.8.78.28-3.47.1
      spacewalk-java-postgresql-2.8.78.28-3.47.1
      spacewalk-setup-2.8.7.10-3.25.1
      spacewalk-taskomatic-2.8.78.28-3.47.1
      spacewalk-utils-2.8.18.6-3.12.1
      subscription-matcher-0.25-4.15.1
      susemanager-sls-3.2.30-3.44.1
      susemanager-sync-data-3.2.19-3.35.1
      susemanager-web-libs-2.8.7.23-3.45.1


References:

   https://www.suse.com/security/cve/CVE-2018-1077.html
   https://www.suse.com/security/cve/CVE-2020-1693.html
   https://bugzilla.suse.com/1085414
   https://bugzilla.suse.com/1140332
   https://bugzilla.suse.com/1155372
   https://bugzilla.suse.com/1157317
   https://bugzilla.suse.com/1158899
   https://bugzilla.suse.com/1159184
   https://bugzilla.suse.com/1160246
   https://bugzilla.suse.com/1161862
   https://bugzilla.suse.com/1162609
   https://bugzilla.suse.com/1162683
   https://bugzilla.suse.com/1163001
   https://bugzilla.suse.com/1163538
   https://bugzilla.suse.com/1164120
   https://bugzilla.suse.com/1164563
   https://bugzilla.suse.com/1164771
   https://bugzilla.suse.com/1165425
   https://bugzilla.suse.com/1165921

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates

SUSE: 2020:0856-1 moderate: SUSE Manager Server 3.2

April 2, 2020
An update that solves two vulnerabilities and has 15 fixes is now available

Summary

This update fixes the following issues: py26-compat-salt: - Replace pycrypto with M2Crypto as dependency for SLE15+ (bsc#1165425) redstone-xmlrpc: - Disable external entity parsing (1790381, bsc#1164120, CVE-2020-1693) - Do not download external entities (1555429, bsc#1085414, CVE-2018-1077) spacecmd: - Bugfix: attempt to purge SSM when it is empty (bsc#1155372) spacewalk-admin: - Spell correctly "successful" and "successfully" spacewalk-backend: - When downloading repo metadata, don't add "/" to the repo url if it already ends with one (bsc#1158899) - Enhance suseProducts via ISS to fix SP migration on slave server (bsc#1159184) spacewalk-certs-tools: - Add minion option in config file to disable salt mine when generated by bootstrap script (bsc#1163001) spacewalk-client-tools: - Do not crash 'mgr-update-status' because 'long' type is not defined in Python 3 - Add workaround for uptime overfl...

Read the Full Advisory

References

#1085414 #1140332 #1155372 #1157317 #1158899

#1159184 #1160246 #1161862 #1162609 #1162683

#1163001 #1163538 #1164120 #1164563 #1164771

#1165425 #1165921

Cross- CVE-2018-1077 CVE-2020-1693

Affected Products:

SUSE Manager Server 3.2

https://www.suse.com/security/cve/CVE-2018-1077.html

https://www.suse.com/security/cve/CVE-2020-1693.html

https://bugzilla.suse.com/1085414

https://bugzilla.suse.com/1140332

https://bugzilla.suse.com/1155372

https://bugzilla.suse.com/1157317

https://bugzilla.suse.com/1158899

https://bugzilla.suse.com/1159184

https://bugzilla.suse.com/1160246

https://bugzilla.suse.com/1161862

https://bugzilla.suse.com/1162609

https://bugzilla.suse.com/1162683

https://bugzilla.suse.com/1163001

https://bugzilla.suse.com/1163538

https://bugzilla.suse.com/1164120

https://bugzilla.suse.com/1164563

https://bugzilla.suse.com/1164771

https://bugzilla.suse.com...

Read the Full Advisory

Severity
Announcement ID: SUSE-SU-2020:0856-1
Rating: moderate

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved