Security update for SUSE Manager Server 4.1

SUSE Security Update: Security update for SUSE Manager Server 4.1
Announcement ID: SUSE-SU-2020:2373-1
Rating: moderate
References: #1136857 #1165572 #1169553 #1169780 #1170244 #1170468 #1170654 #1171281 #1172279 #1172504 #1172709 #1172807 #1172831 #1172839 #1173169 #1173522 #1173535 #1173554 #1173566 #1173584 #1173932 #1173982 #1173997 #1174025 #1174167 #1174201 #1174229 #1174325 #1174405 #1174470 #1174965 #1175485 #1175555 #1175558 #1175724 #1175791 #678126
Cross-References: CVE-2020-11022
Affected Products:
  • SUSE Linux Enterprise Module for SUSE Manager Server 4.1
  • SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1

An update that solves one vulnerability and has 36 fixes is now available.

Description:

This update fixes the following issues:

cobbler:
  • More old modules naming fixes (bsc#1169553)

image-sync-formula:
  • Allow image-sync state on regular minion. Image sync state requires branch-network pillars to get the directory where to sync images. Use default `/srv/saltboot` if that pillar is missing so image-sync can be applied on non branch minions as well.

mgr-libmod:
  • Remove unnecessary array wrap in 'list_modules' response object

mgr-osad:
  • Move uyuni-base-common dependency from mgr-osad to mgr-osa-dispatcher (bsc#1174405)

openvpn-formula:
  • Add hint that ssl certs must be on system (bsc#1172279)

patterns-suse-manager:
  • Add Recommends for golang-github-QubitProducts-exporter_exporter

prometheus-exporters-formula:
  • Bugfix: Handle exporters proxy for unsupported distros (bsc#1175555)
  • Add support for exporters proxy (exporter_exporter)

pxe-default-image-sle15:
  • Rollback the workaround for bsc#1172807, as dracut is now fixed

saltboot-formula:
  • Better fix for rounding errors (bsc#1136857)

spacecmd:
  • Fix softwarechannel update for vendor channels (bsc#1172709)
  • Fix escaping of package names (bsc#1171281)

spacewalk-backend:
  • Adds basic functionality for gpg check
  • Verify GPG signature of Ubuntu/Debian repository metadata (Release file)
  • Take care of SCC auth tokens on DEB repos GPG checks (bsc#1175485)
  • Use spacewalk keyring for GPG checks on DEB repos (bsc#1175485)

spacewalk-branding:
  • Implement Maintenance Windows
  • Fix typo on spacewalk-branding license

spacewalk-certs-tools:
  • Strip SSL Certificate Common Name after 63 Characters (bsc#1173535)
  • Fix centos detection (bsc#1173584)

spacewalk-java:
  • Use media.1/products from media when not specified differently (bsc#1175558)
  • Upgrade jQuery and adapt the code - CVE-2020-11022 (bsc#1172831)
  • Fix error when rolling back a system to a snapshot (bsc#1173997)
  • Implement maintenance windows backend
  • Add check for maintenance window during executing recurring actions
  • Implement maintenance windows in struts
  • XMLRPC: Assign/retract maintenance schedule to/from systems
  • Fix softwarechannel update for vendor channels (bsc#1172709)
  • Avoid deadlock when syncing channels and registering minions at the same time (bsc#1173566)
  • Change system list header text to something better (bsc#1173982)
  • Set CPU and memory info for virtual instances (bsc#1170244)
  • Add virtual network Start, Stop and Delete actions
  • Add virtual network list page
  • Fix httpcomponents and gson jar symlinks (bsc#1174229)
  • Enhance RedHat product detection for CentOS and OracleLinux (bsc#1173584)
  • Provide comps.xml and modules.yaml when using onlinerepo for kickstart
  • Refresh virtualization pages only on events
  • Fix up2date detection on RH8 when salt-minion is used for registration
  • Improve performance of the System Groups page with many clients (bsc#1172839)
  • Include number of non-patch package updates to non-critical update counts in system group pages (bsc#1170468)
  • Bump XMLRPC API version number to distinguish from Spacewalk 2.10
  • Cluster UI: return to overview page after scheduling actions
  • Fix NPE on auto installation when no kernel options are given (bsc#1173932)
  • Fix issue with disabling self_update for autoyast autoupgrade (bsc#1170654)
  • Adapt expectations for jobs return events after switching Salt states to use 'mgrcompat.module_run' state.

spacewalk-utils:
  • Add aarch64 for openSUSE Leap 15.1 and 15.2

spacewalk-web:
  • Upgrade jQuery and adapt the code - CVE-2020-11022 (bsc#1172831)
  • Fix JS linting errors/warnings
  • Enable Nutanix AHV virtual host gatherer.
  • Web UI: Implement managing maintenance schedules and calendars
  • Warn when a system is in multiple groups that configure the same formula in the system formula's UI (bsc#1173554)
  • Add virtual network start, stop and delete actions
  • Add virtual network list page
  • Fix internal server error when creating module filters in CLM (bsc#1174325)
  • Fix VM creation page when there is no volume in the default storage pool
  • Refresh virtualization pages only on events
  • Product list in the Wizard doesn't show SLE products first (bsc#1173522)
  • Cluster UI: return to overview page after scheduling actions
  • Changes in the logic to update the tick icon.
  • For the postgres localhost:5432 case, use the
  • Fix internal server errors by returning 0 instead of dying
  • Add missing dependency to spacewalk-base-minimal (bsc#678126)
  • Change kickstart to autoinstallation in navigation on pxt pages
  • Debranding

suseRegisterInfo:
  • Enhance RedHat product detection for CentOS and OracleLinux (bsc#1173584)

susemanager:
  • Migrate all occurrences of kickstart to autoinstall in cobbler database (bsc#1169780)
  • Define bootstrap repo data for SUSE Manager Proxies (bsc#1174470)
  • Add SLE 15 LTSS Product ID to SLE15 bootstrap repositories, as it is required to get python3-M2crypto (bsc#1174167)

susemanager-doc-indexes:
  • Left navigation structure cleaned up
  • Fixed several broken xrefs
  • Added hostname admonition for public cloud sections
  • Clarified Branch Proxy configuration instructions
  • Fixed index page PDF links, URLs were 1 step too deep
  • SUSECOM 2020 branding update
  • PDF 2020 branding update
  • WEBUI 2020 branding update
  • Added maintenance window documentation
  • Added SLE client chapter
  • Added 508 compliance
  • Added reverse proxy information to Monitoring in Admin Guide
  • Add note about accessibility to index
  • In the Upgrade Guide, use Major, Minor, and Patch Level terminology for versioning.
  • Added docs for nutanix VHM
  • Ubuntu clients using the CLI in SUMA (bsc#1174025)

susemanager-docs_en:
  • Left navigation structure cleaned up
  • Fixed several broken xrefs
  • Added hostname admonition for public cloud sections
  • Clarified Branch Proxy configuration instructions
  • Fixed index page PDF links, URLs were 1 step too deep
  • SUSECOM 2020 branding update
  • PDF 2020 branding update
  • WEBUI 2020 branding update
  • Added maintenance window documentation
  • Added SLE client chapter
  • Added 508 compliance
  • Added reverse proxy information to Monitoring in Admin Guide
  • Add note about accessibility to index
  • In the Upgrade Guide, use Major, Minor, and Patch Level terminology for versioning.
  • Added docs for nutanix VHM
  • Ubuntu clients using the CLI in SUMA (bsc#1174025)

susemanager-frontend-libs:
  • Upgrade jquery to 3.5.1 - CVE-2020-11022 (bsc#1172831)

susemanager-schema:
  • Add new states and types for virtual instances in order to support Nutanix AHV.
  • Implement Maintenance Windows
  • Add virtual network state change action
  • Internal fixes to avoid problems with the idempotency tests

susemanager-sls:
  • Fix the dnf plugin to add the token to the HTTP header (bsc#1175724)
  • Fix: supply a dnf base when dealing w/repos (bsc#1172504)
  • Fix: autorefresh in repos is zypper-only
  • Add virtual network state change state to handle start, stop and delete
  • Add virtual network state change state to handle start and stop
  • Fetch oracle-release when looking for RedHat Product Info (bsc#1173584)
  • Force a refresh after deleting a virtual storage volume
  • Prevent stuck Hardware Refresh actions on Salt 2016.11.10 based SSH minions (bsc#1173169)
  • Require PyYAML version >= 5.1
  • Log out of Docker registries after image build (bsc#1165572)
  • Prevent "module.run" deprecation warnings by using custom mgrcompat module

susemanager-sync-data:
  • Remove version from centos and oracle linux identifier (bsc#1173584)

uyuni-common-libs:
  • Fix issues importing RPM packages with long RPM headers (bsc#1174965)

virtual-host-gatherer:
  • Add new gatherer module for Nutanix AHV.

virtualization-host-formula:
  • Ensure kernel-default and libvirt-python3 are installed
  • Set bridge network as default
  • Fix conditionals (bsc#1175791)



yomi-formula:
  • Update to version 0.0.1+git.1595952633.b300be2:
    • pillar: install always kernel-default
    • chroot: python3-base is now a capability
    • Move systemctl calls inside chroot
    • Network: initial work for network declaration
    • MicroOS: Remove tmp subvolume
    • Update format following the new standard
    • Fix __mount_device wrapper

httpcomponents-core:
  • Include the correct package in SUSE Manager Server (no source changes)

httpcomponents-client:
  • Include the correct package in SUSE Manager Server (no source changes)

google-gson:
  • Include the correct package in SUSE Manager Server (no source changes)

How to apply this update:

  1. Log in as root user to the SUSE Manager server.
  2. Stop the Spacewalk service: `spacewalk-service stop`
  3. Apply the patch using either `zypper patch` or YaST Online Update.
  4. Upgrade the database schema: `spacewalk-schema-upgrade`
  5. Start the Spacewalk service: `spacewalk-service start`

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Module for SUSE Manager Server 4.1:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2020-2373=1
  • SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.1-2020-2373=1

Package List:

  • SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x x86_64):
    • golang-github-QubitProducts-exporter_exporter-0.4.0-6.3.6
    • openvpn-formula-0.1.1-3.3.6
    • patterns-suma_retail-4.1-6.3.6
    • patterns-suma_server-4.1-6.3.6
    • python3-uyuni-common-libs-4.1.6-3.3.6
    • spacewalk-branding-4.1.9-3.3.6
    • susemanager-4.1.18-3.3.6
    • susemanager-tools-4.1.18-3.3.6
  • SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):
    • cobbler-3.0.0+git20190806.32c4bae0-5.3.6
    • google-gson-2.8.5-3.2.6
    • httpcomponents-client-4.5.6-3.2.6
    • httpcomponents-core-4.4.10-3.2.6
    • ical4j-3.0.18-3.2.7
    • image-sync-formula-0.1.1595937550.0285244-3.3.6
    • mgr-libmod-4.1.4-3.3.6
    • mgr-osa-dispatcher-4.1.3-2.3.6
    • prometheus-exporters-formula-0.7.1-3.5.2
    • pxe-default-image-sle15-4.1.0-Build5.3
    • python3-mgr-osa-common-4.1.3-2.3.6
    • python3-mgr-osa-dispatcher-4.1.3-2.3.6
    • python3-spacewalk-certs-tools-4.1.12-3.3.6
    • python3-suseRegisterInfo-4.1.3-4.3.6
    • saltboot-formula-0.1.1595937550.0285244-3.3.6
    • spacecmd-4.1.6-4.3.6
    • spacewalk-backend-4.1.14-4.5.2
    • spacewalk-backend-app-4.1.14-4.5.2
    • spacewalk-backend-applet-4.1.14-4.5.2
    • spacewalk-backend-config-files-4.1.14-4.5.2
    • spacewalk-backend-config-files-common-4.1.14-4.5.2
    • spacewalk-backend-config-files-tool-4.1.14-4.5.2
    • spacewalk-backend-iss-4.1.14-4.5.2
    • spacewalk-backend-iss-export-4.1.14-4.5.2
    • spacewalk-backend-package-push-server-4.1.14-4.5.2
    • spacewalk-backend-server-4.1.14-4.5.2
    • spacewalk-backend-sql-4.1.14-4.5.2
    • spacewalk-backend-sql-postgresql-4.1.14-4.5.2
    • spacewalk-backend-tools-4.1.14-4.5.2
    • spacewalk-backend-xml-export-libs-4.1.14-4.5.2
    • spacewalk-backend-xmlrpc-4.1.14-4.5.2
    • spacewalk-base-4.1.15-3.3.6
    • spacewalk-base-minimal-4.1.15-3.3.6
    • spacewalk-base-minimal-config-4.1.15-3.3.6
    • spacewalk-certs-tools-4.1.12-3.3.6
    • spacewalk-html-4.1.15-3.3.6
    • spacewalk-java-4.1.18-3.5.3
    • spacewalk-java-config-4.1.18-3.5.3
    • spacewalk-java-lib-4.1.18-3.5.3
    • spacewalk-java-postgresql-4.1.18-3.5.3
    • spacewalk-taskomatic-4.1.18-3.5.3
    • spacewalk-utils-4.1.11-3.3.6
    • spacewalk-utils-extras-4.1.11-3.3.6
    • suseRegisterInfo-4.1.3-4.3.6
    • susemanager-doc-indexes-4.1-11.7.2
    • susemanager-docs_en-4.1-11.7.2
    • susemanager-docs_en-pdf-4.1-11.7.2
    • susemanager-frontend-libs-4.1.0-3.3.6
    • susemanager-schema-4.1.12-3.3.6
    • susemanager-sls-4.1.14-3.5.2
    • susemanager-sync-data-4.1.7-3.3.6
    • susemanager-web-libs-4.1.15-3.3.6
    • virtual-host-gatherer-1.0.21-4.3.6
    • virtual-host-gatherer-Kubernetes-1.0.21-4.3.6
    • virtual-host-gatherer-Nutanix-1.0.21-4.3.6
    • virtual-host-gatherer-VMware-1.0.21-4.3.6
    • virtual-host-gatherer-libcloud-1.0.21-4.3.6
    • virtualization-host-formula-0.5-3.3.1
    • yomi-formula-0.0.1+git.1595952633.b300be2-3.3.6
  • SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (x86_64):
    • golang-github-QubitProducts-exporter_exporter-0.4.0-6.3.6
    • patterns-suma_proxy-4.1-6.3.6
    • python3-uyuni-common-libs-4.1.6-3.3.6
  • SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (noarch):
    • mgr-osad-4.1.3-2.3.6
    • python3-mgr-osa-common-4.1.3-2.3.6
    • python3-mgr-osad-4.1.3-2.3.6
    • python3-spacewalk-certs-tools-4.1.12-3.3.6
    • python3-suseRegisterInfo-4.1.3-4.3.6
    • spacecmd-4.1.6-4.3.6
    • spacewalk-backend-4.1.14-4.5.2
    • spacewalk-base-minimal-4.1.15-3.3.6
    • spacewalk-base-minimal-config-4.1.15-3.3.6
    • spacewalk-certs-tools-4.1.12-3.3.6
    • spacewalk-proxy-broker-4.1.2-3.3.6
    • spacewalk-proxy-common-4.1.2-3.3.6
    • spacewalk-proxy-management-4.1.2-3.3.6
    • spacewalk-proxy-package-manager-4.1.2-3.3.6
    • spacewalk-proxy-redirect-4.1.2-3.3.6
    • spacewalk-proxy-salt-4.1.2-3.3.6
    • suseRegisterInfo-4.1.3-4.3.6
