Security update for cobbler

Announcement ID:	SUSE-SU-2018:2551-1
Rating:	important
References:	bsc#1101670 bsc#1104189 bsc#1104190 bsc#1104287 bsc#1105440 bsc#1105442
Cross-References:	CVE-2018-1000225 CVE-2018-1000226 CVE-2018-10931
CVSS scores:	CVE-2018-1000225 ( SUSE ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-1000225 ( NVD ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2018-1000226 ( SUSE ): 9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2018-1000226 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-10931 ( SUSE ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-10931 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Manager Server 3.2

An update that solves three vulnerabilities and has three security fixes can now be installed.

Description:

This update for cobbler fixes the following issues:

Security issues fixed:

Forbid exposure of private methods in the API (CVE-2018-10931, CVE-2018-1000225, bsc#1104287, bsc#1104189, bsc#1105442)
Check access token when calling 'modify_setting' API endpoint (bsc#1104190, bsc#1105440, CVE-2018-1000226)

Other bugs fixed:

Fix kernel options when generating bootiso (bsc#1101670)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE Manager Server 3.2
zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2018-1788=1

Package List:

SUSE Manager Server 3.2 (noarch)
- cobbler-2.6.6-6.7.1

Security update for cobbler

Description:

Patch Instructions:

Package List:

References: