Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

Announcement ID: SUSE-RU-2023:2566-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2023-22644 ( NVD ): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Affected Products:
  • SUSE Manager Proxy 4.3
  • SUSE Manager Proxy 4.3 Module 4.3
  • SUSE Manager Retail Branch Server 4.3
  • SUSE Manager Server 4.3
  • SUSE Manager Server 4.3 Module 4.3

An update that solves one vulnerability, contains one feature and has 58 recommended fixes can now be installed.

Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3

Description:

This update fixes the following issues:

mgr-daemon:

  • Version 4.3.7-1
  • Update translation strings

spacecmd:

  • Version 4.3.21-1
  • fix argument parsing of distribution_update (bsc#1210458)
  • Version 4.3.20-1
  • Display activation key details after executing the corresponding command (bsc#1208719)
  • Show targetted packages before actually removing them (bsc#1207830)

spacewalk-backend:

  • Version 4.3.21-1
  • Add package details to reposync error logging
  • Fix the mgr-inter-sync not creating valid repository metadata when dealing with empty channels (bsc#1207829)
  • Filter CLM modular packages using release strings (bsc#1207814)
  • Fix issues with kickstart syncing on mirrorlist repositories
  • Do not sync .mirrorlist and other non needed files
  • reposync: catch local file not found urlgrabber error properly (bsc#1208288)
  • Version 4.3.20-1
  • fix repo sync for cloud payg connected repositories (bsc#1208772)

spacewalk-proxy:

  • Version 4.3.16-1
  • Better error message on missing systemid file (bsc#1209119)

spacewalk-proxy-installer:

  • version 4.3.11-1
  • Fix squid refresh_pattern for "venv-enabled-*.txt" files to avoid serving outdated version of the file (bsc#1211956)

spacewalk-web:

  • Version 4.3.31-1
  • Fix title on recurring actions edit page
  • Version 4.3.30-1
  • Disable login button with empty password
  • Ignore mandatory channels results that don't match list of channels (bsc#1204270)
  • Increase datetimepicker font sizes (bsc#1210437)
  • Recurring custom states
  • fix an issue where the datetimepicker shows wrong date (bsc#1209231)
  • Add support to add optional channels via webUI
  • Added pages to install and remove ptf
  • Added CLM filters to match product temporary fixes packages
  • Refactor Software / Manage / Packages to use SQL paging (bsc#1206725)

susemanager-build-keys:

  • Version 15.4.9
  • add Debian 12 (bookworm) GPG keys (bsc#1212363)
  • add new 4096 bit RSA SUSE Package Hub key
  • Version 15.4.8
  • add new 4096 bit RSA openSUSE build key gpg-pubkey-29b700a4.asc

uyuni-common-libs:

  • Version 4.3.8-1
  • Allow default component for context manager

How to apply this update:

  1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
  2. Stop the proxy service: spacewalk-proxy stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: spacewalk-proxy start

Security update for SUSE Manager Server 4.3

Description:

This update fixes the following issues:

branch-network-formula:

  • Update to version 0.1.1680167239.23f2fec
  • Remove unnecessary import of "salt.ext.six"

cobbler:

  • Fix cobbler buildiso so that the artifact can be booted by EFI firmware. (bsc#1206060)
  • Switch packaging from patch based to Git tree based development
  • S390X systems require their kernel options to have a linebreak at 79 characters (bsc#1207595)
  • Settings-migration-v1-to-v2.sh will now handle paths with whitespace correctly
  • Fix renaming Cobbler items (bsc#1204900, bsc#1209149)
  • "cobbler buildiso" arguments "--system" and "--profile" are now accepted in the right order (bsc#1210776)

cpu-mitigations-formula:

  • Update to version 0.5.0:
  • Mark all SUSE Linux Enterprise 15 SP4 and newer and openSUSE 15.4 and newer as supported (bsc#1210835)

hub-xmlrpc-api:

  • Do not strictly require Go 1.18 on SUSE Linux Enterprise 15 SP3 (bsc#1203599)

perl-Satcon:

  • Version 4.3.2-1
  • Accept keys with dots

python-urlgrabber:

  • Raise proper exception from urlgrab() when local file is not found (bsc#1208288)

spacecmd:

  • Version 4.3.21-1
  • Fix argument parsing of distribution_update (bsc#1210458)
  • Version 4.3.20-1
  • Display activation key details after executing the corresponding command (bsc#1208719)
  • Show targetted packages before actually removing them (bsc#1207830)

spacewalk-admin:

  • Version 4.3.11-1
  • change backup file extension from .orig to .current_time (bsc#1206783)

spacewalk-backend:

  • Version 4.3.21-1
  • Add package details to reposync error logging
  • Fix the mgr-inter-sync not creating valid repository metadata when dealing with empty channels (bsc#1207829)
  • Filter CLM modular packages using release strings (bsc#1207814)
  • Fix issues with kickstart syncing on mirrorlist repositories
  • Do not sync .mirrorlist and other non needed files
  • reposync: catch local file not found urlgrabber error properly (bsc#1208288)
  • Version 4.3.20-1
  • Fix repo sync for cloud payg connected repositories (bsc#1208772)

spacewalk-config:

  • Version 4.3.10-1
  • Add /saltboot directory
  • Mark /os-images and /tftp as static content

spacewalk-java:

  • Security fixes included in this version update from 4.3.52-1 to 4.3.58-1:
  • CVE-2023-22644: Fix session information leak (bsc#1210107)
  • CVE-2023-22644: Do not output cobbler xmlrpc token in debug logs (bsc#1210162)
  • CVE-2023-22644: fix credentials and other secrets disclosure when debug log is enabled (bsc#1210154)
  • CVE-2023-22644: Don't output URL parameters for tiny urls (bsc#1210101)
  • CVE-2023-22644: Do not log SSL certificate / key file content (bsc#1210094)
  • CVE-2023-22644: Remove web session swap secrets output in logs (bsc#1210086)
  • Non-security bug fixes included in this version update from 4.3.52-1 to 4.3.58-1:
  • Version 4.3.58-1
    • Make sure that all hibernate connections are closed (bsc#1208687)
  • Version 4.3.57-1
    • Update version of tomcat build dependencies
  • Version 4.3.55-1
    • Fix breadcrumbs on recurring actions pages
  • Version 4.3.54-1
    • Kernel options: only add quotes if there is a space in the value (bsc#1209926)
  • Version 4.3.53-1
    • Update Cobbler profile when a new image is deployed
    • Add mapping of image URLs for containerized proxy
    • Remove channels from client after transfer to a different organization (bsc#1209220)
    • Fix RHEL9 / SLL9 product discovery (bsc#1209993)
    • Fix displaying system channels when no base product is installed (bsc#1206423)
    • Fix NPE in cobbler system sync when server has no creator set
    • Recurring custom states
    • Removed the expensive 'diff' column (bsc#1208427)
    • Fix possible "NullPointerException" when clicking on the "Create PXE installation configuration" button from Provising page
    • Fix possible "NullPointerException" issues when running cobbler-sync-bunch
    • Do not trigger extra cobbler sync when changing kickstart data (bsc#1208536)
    • Set jasper development mode to false (bsc#1206191)
    • Fixed select all for ptf packages list (bsc#1209143)
    • Added SLES 12 support for ptf removal
    • Fixed issue with checking ptf repositories on cloned channels
    • Add support to add optional channels via webUI
    • Added APIs to allow frontend to install and remove ptf
    • Show the package summary where applicable to better describe PTF packages
    • Added CLM filters to match product temporary fixes packages
    • Restrict product temporary fixes visibility in the UI and in the APIs responses
    • Fixed empty selection warning in the lock/unlock page
    • Set GPG Key Url for PTF repositories
    • Fix deleting custom info pillar (bsc#1209253)
    • Update report outdated system query to de-duplicate errata id's
    • Refactor Software / Manage / Packages to use SQL paging (bsc#1206725)
    • Filter CLM modular packages using release strings (bsc#1207814)
    • Fix systems subscribed to channel CSV download (bsc#1201063)
    • Fix cobbler system entries for retail terminals (bsc#1208661)
    • Make API method systemgroup.listSystemsMinimal read-only (bsc#1208550)
    • Add missing text for user preferenaces page
    • Do not include channels from different orgs when listing mandatory channels (bsc#1204270)
    • Save scheduler user when creating Patch actions manually (bsc#1208321)
  • Version 4.3.52-1
    • Add more restricted arguments to prevent HTTP API logging sensitive data (bsc#1209386, bsc#1209395)
  • Version 4.3.51-1
    • Support multiple gpgkey urls for a channel (bsc#1208540)

spacewalk-search:

  • Version 4.3.9-1
  • Add maxPoolSize option to search

spacewalk-setup:

  • Version 4.3.16-1
  • Enable netapi clients in master configuration (required for Salt 3006)
  • Persist report_db_sslrootcert value (bsc#1210349)
  • Fix migration test
  • Escape % in spec file.
  • remove useless tomcat configuration (bsc#1206191)
  • use template for reportdb configuration (bsc#1206783)

spacewalk-web:

  • Version 4.3.31-1
  • Fix title on recurring actions edit page
  • Version 4.3.30-1
  • Disable login button with empty password
  • Ignore mandatory channels results that don't match list of channels (bsc#1204270)
  • Increase datetimepicker font sizes (bsc#1210437)
  • Recurring custom states
  • fix an issue where the datetimepicker shows wrong date (bsc#1209231)
  • Add support to add optional channels via webUI
  • Added pages to install and remove ptf
  • Added CLM filters to match product temporary fixes packages
  • Refactor Software / Manage / Packages to use SQL paging (bsc#1206725)

subscription-matcher:

  • Relax antlr version requirement

supportutils-plugin-susemanager:

  • Version 4.3.7-1
  • fix db connection check tool (bsc#1208586)

susemanager:

  • version 4.3.27-1
  • Use newest venv-salt-minion version available to generate the venv-enabled-*.txt file in bootstrap repos (bsc#1211958)
  • Version 4.3.26-1
  • Add bootstrap repository definitions for SLE-Micro 5.4
  • Make python3-ordered-set optional for the SLE15 bootstrap repo as it is not required or present in SLE15SP3 or older
  • Add bootstrap repository definitions for openSUSE Leap 15.5
  • add bootstrap repository definitions for SLE-Micro 5.1 (bsc#1209557)
  • Add SLES15SP5 to bootstrap repo definitions

susemanager-build-keys:

  • Version 15.4.9
  • add Debian 12 (bookworm) GPG keys (bsc#1212363)
  • add new 4096 bit RSA SUSE Package Hub key
  • Version 15.4.8
  • add new 4096 bit RSA openSUSE build key gpg-pubkey-29b700a4.asc

susemanager-docs_en:

  • Change cleanup Salt Client description
  • Documentation Salt version updated to 3006
  • Added SUSE Linux Enterprise Micro 5.4 support
  • Added openSUSE Leap version 15.5
  • Added SUSE Linux Enterprise version 15 SP5
  • Documented new Recurring Actions feature
  • Adjusted Single Sign-On example in Administration Guide according to Keycloak 21.0.1 update
  • Add multiple GPG key url usage to Client Configuration Guide to Keycloak 22.0.1 update
  • Documented custom info is available via pillars in Client Configuration Guide (bsc#1209253)
  • Added updated options for rhn.conf file in the Administration Guide (bsc#1209508)
  • Added instruction for Cobbler to use the correct label in Client Config Guide distro label (bsc#1205600)
  • Adjusted python version and openSUSE Leap version in public cloud document (bsc#1209938)
  • Fixed calculation of DB max-connections and align it with the supportconfig checking tool in the Tuning Guide
  • Fixed Troubleshooting Corrupt Repositories procedure
  • Branding updated for 2023
  • New search engine optimization improvements for documentation
  • Translations are now included in the WebUI help documentation
  • Local search is now provided with the WebUI help documentation

susemanager-schema:

  • Version 4.3.18-1
  • Recurring custom states
  • Added view to handle ptf packages and updated the procedures to refresh the updatable/installable packages
  • Fix update of sql function create_new_org
  • Filter CLM modular packages using release strings (bsc#1207814)

susemanager-sls:

  • Version 4.3.33-1
  • fix duplicate packages in state
  • Version 4.3.32-1
  • disable salt-minion and remove its config file on cleanup (bsc#1209277)
  • Add kiwi supported disk images to be collectable (bsc#1208522)
  • Rename internal state 'synccustomall' to 'syncall'
  • Recurring custom states
  • to update everything on a debian system, call dist-upgrade to be able to install and remove packages
  • Allow KiwiNG to be used on SLE12 buildhosts (bsc#1204089)
  • Enforce installation of the PTF GPG key package
  • Improve error handling in mgr_events.py (bsc#1208687)
  • Version 4.3.31-1
  • support multiple gpgkey urls for a channel (bsc#1208540)
  • make SUSE Addon GPG key available on all instance (bsc#1208540)

susemanager-tftpsync:

  • Version 4.3.4-1
  • Fix server-side cache that's used for only pushing files to proxies that need to be pushed, as well as propagating deletions (bsc#1209215)
  • Fix removal of proxies section in cobbler settings (bsc#1207063)

uyuni-common-libs:

  • Version 4.3.8-1
  • Allow default component for context manager

virtual-host-gatherer:

  • Version 1.0.26-1
  • fix cpu calculation in the libvirt module and enhance the data structure by os value

How to apply this update:

  1. Log in as root user to the SUSE Manager Server.
  2. Stop the Spacewalk service: spacewalk-service stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: spacewalk-service start

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Manager Proxy 4.3 Module 4.3
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2023-2566=1
  • SUSE Manager Server 4.3 Module 4.3
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2023-2566=1

Package List:

  • SUSE Manager Proxy 4.3 Module 4.3 (noarch)
    • susemanager-build-keys-15.4.9-150400.3.20.2
    • susemanager-build-keys-web-15.4.9-150400.3.20.2
    • spacewalk-base-minimal-4.3.31-150400.3.21.7
    • spacewalk-base-minimal-config-4.3.31-150400.3.21.7
    • mgr-daemon-4.3.7-150400.3.9.5
    • spacewalk-proxy-broker-4.3.16-150400.3.20.6
    • spacewalk-proxy-management-4.3.16-150400.3.20.6
    • spacewalk-proxy-redirect-4.3.16-150400.3.20.6
    • spacecmd-4.3.21-150400.3.18.5
    • spacewalk-proxy-common-4.3.16-150400.3.20.6
    • spacewalk-proxy-package-manager-4.3.16-150400.3.20.6
    • spacewalk-proxy-salt-4.3.16-150400.3.20.6
    • spacewalk-proxy-installer-4.3.11-150400.3.6.4
    • spacewalk-backend-4.3.21-150400.3.21.13
  • SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
    • python3-uyuni-common-libs-4.3.8-150400.3.12.5
  • SUSE Manager Server 4.3 Module 4.3 (noarch)
    • spacewalk-setup-4.3.16-150400.3.21.6
    • spacewalk-html-4.3.31-150400.3.21.7
    • spacewalk-config-4.3.10-150400.3.6.3
    • supportutils-plugin-susemanager-4.3.7-150400.3.9.6
    • susemanager-build-keys-web-15.4.9-150400.3.20.2
    • spacewalk-backend-sql-4.3.21-150400.3.21.13
    • spacewalk-admin-4.3.11-150400.3.6.6
    • virtual-host-gatherer-Nutanix-1.0.26-150400.3.12.3
    • spacewalk-backend-tools-4.3.21-150400.3.21.13
    • spacewalk-java-4.3.58-150400.3.46.4
    • spacewalk-base-4.3.31-150400.3.21.7
    • susemanager-docs_en-pdf-4.3-150400.9.27.3
    • spacewalk-backend-applet-4.3.21-150400.3.21.13
    • spacewalk-java-lib-4.3.58-150400.3.46.4
    • uyuni-config-modules-4.3.33-150400.3.25.7
    • spacewalk-backend-config-files-common-4.3.21-150400.3.21.13
    • spacewalk-backend-xml-export-libs-4.3.21-150400.3.21.13
    • spacewalk-backend-config-files-4.3.21-150400.3.21.13
    • virtual-host-gatherer-1.0.26-150400.3.12.3
    • virtual-host-gatherer-Kubernetes-1.0.26-150400.3.12.3
    • python3-urlgrabber-4.1.0-150400.4.3.6.3
    • spacewalk-taskomatic-4.3.58-150400.3.46.4
    • susemanager-schema-4.3.18-150400.3.18.7
    • spacewalk-backend-config-files-tool-4.3.21-150400.3.21.13
    • susemanager-build-keys-15.4.9-150400.3.20.2
    • spacewalk-base-minimal-config-4.3.31-150400.3.21.7
    • cobbler-3.3.3-150400.5.25.3
    • virtual-host-gatherer-libcloud-1.0.26-150400.3.12.3
    • spacewalk-backend-iss-export-4.3.21-150400.3.21.13
    • spacewalk-backend-iss-4.3.21-150400.3.21.13
    • spacewalk-java-postgresql-4.3.58-150400.3.46.4
    • spacecmd-4.3.21-150400.3.18.5
    • perl-Satcon-4.3.2-150400.3.3.5
    • spacewalk-backend-xmlrpc-4.3.21-150400.3.21.13
    • susemanager-sls-4.3.33-150400.3.25.7
    • spacewalk-backend-server-4.3.21-150400.3.21.13
    • spacewalk-backend-4.3.21-150400.3.21.13
    • spacewalk-backend-package-push-server-4.3.21-150400.3.21.13
    • spacewalk-search-4.3.9-150400.3.12.7
    • spacewalk-base-minimal-4.3.31-150400.3.21.7
    • cpu-mitigations-formula-0.5.0-150400.3.3.3
    • spacewalk-backend-app-4.3.21-150400.3.21.13
    • susemanager-docs_en-4.3-150400.9.27.3
    • susemanager-schema-utility-4.3.18-150400.3.18.7
    • virtual-host-gatherer-VMware-1.0.26-150400.3.12.3
    • spacewalk-java-config-4.3.58-150400.3.46.4
    • branch-network-formula-0.1.1680167239.23f2fec-150400.3.3.3
    • spacewalk-backend-sql-postgresql-4.3.21-150400.3.21.13
  • SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
    • python3-uyuni-common-libs-4.3.8-150400.3.12.5
    • susemanager-tftpsync-4.3.4-150400.3.9.9
    • susemanager-tools-4.3.27-150400.3.26.5
    • hub-xmlrpc-api-0.7-150400.5.6.5
    • susemanager-4.3.27-150400.3.26.5

References: