Recommended update for SUSE Manager Client Tools

Announcement ID:	SUSE-RU-2020:14536-1
Rating:	critical
References:	bsc#1159670 bsc#1167907 bsc#1169664 bsc#1175987 bsc#1176024 bsc#1176294 bsc#1176397 bsc#1177867 bsc#1178319 bsc#1178361 bsc#1178362
Cross-References:	CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
CVSS scores:	CVE-2020-16846 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-16846 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-17490 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-17490 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-25592 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-25592 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Manager Client Tools for Ubuntu 18.04 1804

An update that solves three vulnerabilities and has eight fixes can now be installed.

Description:

This update fixes the following issues:

salt:

• Properly validate eauth credentials and tokens on SSH calls made by Salt API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592, CVE-2020-17490, CVE-2020-16846)
• Fix disk.blkid to avoid unexpected keyword argument '__pub_user' (bsc#1177867)
• Ensure virt.update stop_on_reboot is updated with its default value
• Do not break package building for systemd OSes
• Drop wrong mock from chroot unit test
• Support systemd versions with dot (bsc#1176294)
• Fix for grains.test_core unit test
• Fix file/directory user and group ownership containing UTF-8 characters (bsc#1176024)
• Several changes to virtualization:
• • Fix virt update when cpu and memory are changed
• • Memory Tuning GSoC
• • Properly fix memory setting regression in virt.update
• • Expose libvirt on_reboot in virt states
• Support transactional systems (MicroOS)
• Zypperpkg module ignores retcode 104 for search() (bsc#1159670)
• Xen disk fixes. No longer generates volumes for Xen disks, but the corresponding file or block disk (bsc#1175987)
• Invalidate file list cache when cache file modified time is in the future (bsc#1176397)
• Prevent import errors when running test_btrfs unit tests

spacecmd:

• Python3 fixes for errata in spacecmd (bsc#1169664)
• Added support for i18n of user-facing strings
• Python3 fix for sorted usage (bsc#1167907)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Manager Client Tools for Ubuntu 18.04 1804
  zypper in -t patch suse-ubu184ct-client-tools-202010-14536=1

Package List:

• SUSE Manager Client Tools for Ubuntu 18.04 1804 (all)
  • spacecmd-4.1.8-14.2
  • salt-minion-3000+ds-1+59.1
  • salt-common-3000+ds-1+59.1

References:

• https://www.suse.com/security/cve/CVE-2020-16846.html
• https://www.suse.com/security/cve/CVE-2020-17490.html
• https://www.suse.com/security/cve/CVE-2020-25592.html
• https://bugzilla.suse.com/show_bug.cgi?id=1159670
• https://bugzilla.suse.com/show_bug.cgi?id=1167907
• https://bugzilla.suse.com/show_bug.cgi?id=1169664
• https://bugzilla.suse.com/show_bug.cgi?id=1175987
• https://bugzilla.suse.com/show_bug.cgi?id=1176024
• https://bugzilla.suse.com/show_bug.cgi?id=1176294
• https://bugzilla.suse.com/show_bug.cgi?id=1176397
• https://bugzilla.suse.com/show_bug.cgi?id=1177867
• https://bugzilla.suse.com/show_bug.cgi?id=1178319
• https://bugzilla.suse.com/show_bug.cgi?id=1178361
• https://bugzilla.suse.com/show_bug.cgi?id=1178362