Security update for SUSE Manager Server 3.2

SUSE Security Update: Security update for SUSE Manager Server 3.2

Announcement ID:	SUSE-SU-2019:1006-1
Rating:	moderate
References:	#1070731 #1109316 #1120242 #1121195 #1122230 #1122381 #1122837 #1124290 #1125600 #1125744 #1126075 #1126099 #1126518 #1127542 #1128228 #1128724 #1128781 #1129765 #1129851 #1129956 #1130658 #1131490 #1131677 #1131721 #1132579
Cross-References:	CVE-2017-7957
Affected Products:	SUSE Manager Server 3.2 SUSE Manager Proxy 3.2

An update that solves one vulnerability and has 24 fixes is now available.

Description:

This update includes the following new features:
to the repository metadata (fate#325676)
This update fixes the following issues:
apache-commons-lang3:

Run fdupes on javadoc
Specify java target and source level 1.6 to make package compatible with JDK >= 1.8

cobbler:

Fixes case where distribution detection returns None (bsc#1130658)
SUSE texmode fix (bsc#1109316)

drools:

Update Drools to 7.17.0
Release Notes: https://issues.jboss.org/secure/ReleaseNote.jspa
Fixes for SLE 15 compatibility

guava:

Updated from 13.0.1 to 27.0.1
Changes between 13.0.1 and 23.0: https://github.com/google/guava/wiki/Release14 https://github.com/google/guava/wiki/Release15 https://github.com/google/guava/wiki/Release16 https://github.com/google/guava/wiki/Release17 https://github.com/google/guava/wiki/Release18 https://github.com/google/guava/wiki/Release19 https://github.com/google/guava/wiki/Release23
Changes between 23.0 and 27.0.1: see https://github.com/google/guava/releases

jade4j:

Conditional java/java-devel requires based on os version
Update dependency version for commons-lang3 to 3.4
Fix building javadoc

kie-api:

Update KIE to 7.17.0
Release notes: https://issues.jboss.org/secure/ReleaseNote.jspa

optaplanner:

Update Optaplanner to 7.17.0

py26-compat-salt:

Fix minion arguments assign via sysctl (bsc#1124290)

smdba:

Make 'smdba space-overview' postgresql version agnostic (bsc#1129956)
Fix version mismatch

spacecmd:

Fix system_delete with SSM (bsc#1125744)

spacewalk-admin:

Fix encoding bug in salt event processing (bsc#1129851)

spacewalk-backend:

Fix linking of packages in reposync (bsc#1131677)
Fix: handle non-standard filenames for comps.xml (bsc#1120242)
Mgr-sign-metadata can optionally clear-sign metadata files

spacewalk-branding:

Introduce a description label for the new 'minion-checkin' Taskomatic job (bsc#1122837)

spacewalk-certs-tools:

Add support for Ubuntu to bootstrap script
Clean up downloaded gpg keys after bootstrap (bsc#1126075)

spacewalk-java:

Fix base channel selection for Ubuntu systems (bsc#1132579)
Fix retrieval of build time for .deb repositories (bsc#1131721)
Allow access to susemanager tools channels without res subscription (bsc#1127542)
Add support for SLES 15 live patches in CVE audit
Add a Taskomatic job to perform minion check-in regularly, drop use of Salt's Mine (bsc#1122837)
Fix errata_details to return details correctly (bsc#1128228)
Support ubuntu products and debian architectures in mgr-sync
Adapt check for available repositories to debian style repositories
Add support for custom username when bootstrapping with Salt-SSH
Read and update running kernel release value at each startup of minion (bsc#1122381)
Add error message on sync refresh when there are no scc credentials
Fix apidoc issues
Fix deleting server when minion_formulas.json is empty (bsc#1122230)
Minion-action-cleanup Taskomatic task: do not clean actions younger than one hour
Schedule full package refresh only once per action chain if needed (bsc#1126518)
Check and schedule package refresh in response to events independently of what originates them (bsc#1126099)
Add configuration option to limit the number of changelog entries added to the repository metadata (fate#325676)
Generate InRelease file for Debian/Ubuntu repos when metadata signing is enabled

spacewalk-web:

Show undetected subscription-matching message object as a string anyway (bsc#1125600)
Fix action scheduler time picker prefill when the server is on "UTC/GMT" timezone (bsc#1121195)
Allow username input on bootstrap page when using Salt-SSH
Add cache buster for static files (js/css) to fix caching issues after upgrading.

subscription-matcher:

Update dependencies (Drools, Optaplanner, Guava, Xstream)
Make the java and java-devel requirements variable
Relax the requirement condition on apache-commons-lang3

susemanager:

Support creating bootstrap repos for Ubuntu 18.04 and 16.04.
Allow alternative names for bootstrap packages, to allow using old client tools after package renames
Feat: create Ubuntu empty repository
Fix creation of bootstrap repositories for SLE12 (no SP) by requiring python-setuptools only for SLE12 >= SP1 (bsc#1129765)
Add bootstrap repo definition for SLE15 SP1

susemanager-docs_en:

Update text and image files.
Fix bad link.
Update Manual Backup and smdba sections.
Troubleshooting Salt clients.
Fix package endpoint in salt pillar content.
Ubuntu Clients supported.
Change License to GFL 1.2, as it is the real license for the doc since 3.2.0

susemanager-schema:

Add a Taskomatic job to perform minion check-in regularly, drop use of Salt's Mine (bsc#1122837)
Fix performance regression in inter-server-sync (bsc#1128781)
Set minion-action-cleanup run frequency from hourly to daily at midnight

susemanager-sls:

Update get_kernel_live_version module to support older Salt versions (bsc#1131490)
Update get_kernel_live_version module to support SLES 15 live patches
Do not configure Salt Mine in newly registered minions (bsc#1122837)
Fix Salt error related to remove_traditional_stack when bootstrapping an Ubuntu minion (bsc#1128724)
Automatically trust SUSE GPG key for client tools channels on Ubuntu systems
Util.systeminfo sls has been added to perform different actions at minion startup(bsc#1122381)

susemanager-sync-data:

Allow access to susemanager tools channels without res subscription (bsc#1127542)
Add Ubuntu product definitions
Adapt to SCC changes
Add CaaSP 4 Toolchain

xstream:

Update xstream to 1.4.10
Major changes:
CVE-2017-7957: XStream could cause a Denial of Service when unmarshalling void. (bsc#1070731)
New XStream artifact with -java7 appended as version suffix for a library explicitly without the Java 8 stuff (lambda expression support, converters for java.time.* package).
Improve performance by minimizing call stack of mapper chain.
XSTR-774: Add converters for types of java.time, java.time.chrono, and java.time.temporal packages (converters for LocalDate, LocalDateTime, LocalTime, OffsetDateTime, and ZonedDateTime by Matej Cimbora).
JavaBeanConverter does not respect ignored unknown elements.
Add XStream.setupDefaultSecurity to initialize security framework with defaults of XStream 1.5.x.
Emit error warning if security framework has not been initialized and the XStream instance is vulnerable to known exploits.
Feat: modify patch to be compatible with JDK 11 building
Fixes for SLE 15 compatibility

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE Manager Server 3.2:
zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2019-1006=1
SUSE Manager Proxy 3.2:
zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2019-1006=1

Package List:

SUSE Manager Server 3.2 (ppc64le s390x x86_64):
- reprepro-5.3.0-2.3.3
- smdba-1.6.4-0.3.9.3
- spacewalk-branding-2.8.5.15-3.19.3
- susemanager-3.2.17-3.22.4
- susemanager-tools-3.2.17-3.22.4
SUSE Manager Server 3.2 (noarch):
- apache-commons-lang3-3.4-3.3.3
- cobbler-2.6.6-6.16.3
- drools-7.17.0-3.3.3
- guava-27.0.1-3.3.3
- jade4j-1.0.7-3.3.3
- kie-api-7.17.0-3.3.3
- kie-soup-7.17.0.Final-2.3.3
- optaplanner-7.17.0-3.3.3
- py26-compat-salt-2016.11.10-6.21.3
- python2-spacewalk-certs-tools-2.8.8.7-3.6.3
- spacecmd-2.8.25.10-3.20.3
- spacewalk-admin-2.8.4.4-3.6.3
- spacewalk-backend-2.8.57.14-3.25.3
- spacewalk-backend-app-2.8.57.14-3.25.3
- spacewalk-backend-applet-2.8.57.14-3.25.3
- spacewalk-backend-config-files-2.8.57.14-3.25.3
- spacewalk-backend-config-files-common-2.8.57.14-3.25.3
- spacewalk-backend-config-files-tool-2.8.57.14-3.25.3
- spacewalk-backend-iss-2.8.57.14-3.25.3
- spacewalk-backend-iss-export-2.8.57.14-3.25.3
- spacewalk-backend-libs-2.8.57.14-3.25.3
- spacewalk-backend-package-push-server-2.8.57.14-3.25.3
- spacewalk-backend-server-2.8.57.14-3.25.3
- spacewalk-backend-sql-2.8.57.14-3.25.3
- spacewalk-backend-sql-oracle-2.8.57.14-3.25.3
- spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3
- spacewalk-backend-tools-2.8.57.14-3.25.3
- spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3
- spacewalk-backend-xmlrpc-2.8.57.14-3.25.3
- spacewalk-base-2.8.7.15-3.24.3
- spacewalk-base-minimal-2.8.7.15-3.24.3
- spacewalk-base-minimal-config-2.8.7.15-3.24.3
- spacewalk-certs-tools-2.8.8.7-3.6.3
- spacewalk-html-2.8.7.15-3.24.3
- spacewalk-java-2.8.78.21-3.29.1
- spacewalk-java-config-2.8.78.21-3.29.1
- spacewalk-java-lib-2.8.78.21-3.29.1
- spacewalk-java-oracle-2.8.78.21-3.29.1
- spacewalk-java-postgresql-2.8.78.21-3.29.1
- spacewalk-taskomatic-2.8.78.21-3.29.1
- subscription-matcher-0.23-4.12.3
- susemanager-schema-3.2.18-3.22.3
- susemanager-sls-3.2.23-3.26.3
- susemanager-sync-data-3.2.14-3.20.3
- susemanager-web-libs-2.8.7.15-3.24.3
- xstream-1.4.10-4.3.3
SUSE Manager Proxy 3.2 (noarch):
- python2-spacewalk-certs-tools-2.8.8.7-3.6.3
- spacewalk-backend-2.8.57.14-3.25.3
- spacewalk-backend-libs-2.8.57.14-3.25.3
- spacewalk-base-minimal-2.8.7.15-3.24.3
- spacewalk-base-minimal-config-2.8.7.15-3.24.3
- spacewalk-certs-tools-2.8.8.7-3.6.3
- susemanager-web-libs-2.8.7.15-3.24.3

Security update for SUSE Manager Server 3.2

Description:

Patch Instructions:

Package List:

References: