This SUSE product includes materials licensed to SUSE under the GNU General Public License (GPL). The GPL requires that SUSE makes available certain source code that corresponds to the GPL-licensed material. The source code is available for download.

For up to three years after SUSE’s distribution of the SUSE product, SUSE will mail a copy of the source code upon request. Requests should be sent by e-mail or as otherwise instructed here. SUSE may charge a fee to recover reasonable costs of distribution.

Version Revision History

  • June 22nd, 2021: 4.0.14 release

  • April 15th, 2021: 4.0.13 release

  • February 25th, 2021: release

  • February 11th, 2021: 4.0.12 release

  • November 19th, 2020: 4.0.11 release

  • October 15th, 2020: 4.0.10 release

  • September 10th, 2020: 4.0.9 release

  • August 6th, 2020: 4.0.8 release

  • July 21st, 2020: 4.0.7 release

  • May 7th, 2020: 4.0.6 release

  • March 12th, 2020: 4.0.5 release

  • December 20th, 2019: 4.0.4 release

  • November 7th, 2019: 4.0.3 release

  • September 6th, 2019: 4.0.2 release

  • July 9th, 2019: 4.0.1 release

  • June 26th, 2019: 4.0.0 release

About SUSE Manager Proxy 4

SUSE Manager Proxy provides mirroring proxy support for large and distributed environments.

Operation of the proxy is completely transparent. The SUSE Manager Proxy looks like a managed client to SUSE Manager Server, and like a Server to the managed clients. Managed clients talk to the Proxy only, and the Proxy in turn communicates to the SUSE Manager Server.

All software packages that pass the Proxy are cached and subsequent client requests for these packages are resolved from the cache.

System Requirements

SUSE Manager Proxy is available for the x86_64 architecture only. We recommend you have at least 2 GB main memory, and approximately 50 GB of disk space per distribution or channel.

Consider additional disk space required for storing images for retail terminals.

For more details on system requirements, see the Installation Guide on

SUSE Manager Proxy Distribution

SUSE Manager Proxy 4 is provided through SUSE Customer Center and can be installed with the unified installer for SUSE Linux Enterprise 15 SP1. No separate SUSE Linux Enterprise subscription is required.

Installation and Setup

Installation of SUSE Manager Proxy 4.0 is done with the SUSE Manager Server 4 Web interface.

For more details on installing and configuring SUSE Manager Proxy 4.0, see the Installation Guide on

Upgrade from Version 3.2

To upgrade an existing SUSE Manager Proxy 3.2 system to SUSE Manager Proxy 4.0, you can do an in-place upgrade, or you can set up a new system to replace the old one.

For more information about upgrading, see the Upgrade Guide on

Upgrade from Version 3.1 or Older

In-place updates from SUSE Manager Proxy 3.1 or older are not supported. You will need to install a new system with SUSE Manager Proxy 4.0.

SUSE Manager Server Versions

SUSE Manager Proxy 4.0 works only with SUSE Manager 4.0 Server.

SUSE Manager Server 4.0 works with SUSE Manager Proxy 3.2 and later.

Major changes since SUSE Manager Proxy 4.0 GA

Features and changes

Version 4.0.14

Bugfix release.

Version 4.0.13

This is a bugfix release with a few notable enhancements.

New products enabled
  • MicroFocus Open Enterprise Server 2018 SP3

Enable SAN SSL certificates

Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. This is commonly used to generate SSL certificates that protect multiple domains with a single certificate.

Since this kind of certificate is becoming popular amongst users with their own Certificate Authority, we have implemented support.


Fixes for Salt security issues

You should patch all your SUSE Manager Server, Proxy, Retail Branch Server, and Salt minions as soon as possible.

Version 4.0.12

Bugfix release

Version 4.0.11

Recent Salt CVEs remediation

This release fixes CVE-2020-16846, CVE-2020-17490, and CVE-2020-25592. Patch your SUSE Manager Servers, Proxies, Retail Branch Servers, and Salt minions as soon as possible.

DNSSEC enabled by default by bind update

With the update of ISC bind to version 9.16.6 on SLES 15 SP1 and SP2, DNSSEC is now enabled by default, which may cause DNS resolution to fail unless there are fallback DNS servers.

The Retail Branch Server formula has been modified to disable DNSSEC, and will be updated to support DNSSEC in a future release of SUSE Manager. For existing Retail Branch Servers, you can disable DNSSEC to retain the same behaviour ISC bind showed until version 9.11.2. To do that, edit /etc/bind and set:

dnssec-enable no; dnssec-validation no;

Version 4.0.10

Bugfix release

New products enabled
  • SUSE Linux Enterprise for High Performance Computing 15 SP2

  • SUSE Container as a Service Platform 4.5

  • SUSE Enterprise Storage 7 (beta)

  • SUSE Linux Enterprise Server 15 SP3 Alpha

Version 4.0.9

Bugfix release.

New products enabled
  • SUSE Linux Enterprise Real Time 15 SP2

Version 4.0.8

Bugfix release.

Version 4.0.7

Bugfix release.

Version 4.0.6

This is mostly a bugfix release, with some highlights.

Critical security update for Salt

Two critical security flaws (CVE-2020-11651, CVE-2020-11652) were identified in Salt, with a CVSS score of 10.0/10.

In coordination with and at the same time as upstream SaltStack, security patches for SUSE Linux Enterprise and all client tools were released on April 30th.

Together with SUSE Manager 4.0.6, a new security update to the Salt packages is also released, fixing a corner case in the previous patch.

We recommend you immediately patch the SUSE Manager Server, Proxy, Retail Branch Server, and all Salt minions. Traditional clients are not affected by this security issue.

SLES 15 SP1 JeOS as a Base System

SUSE Manager Proxy 4.0 and SUSE Manager Retail Branch Server 4.0 can now be installed on top of SLES 15 SP1.

Version 4.0.5

Bugfix release.

New products enabled
  • SUSE Linux Enterprise Real Time 12 SP5

  • SUSE Linux Enterprise 15 SP2 family

  • MicroFocus Open Enterprise Server 2018 SP2 (product GA in Q2 2020)

Version 4.0.4

New products enabled
  • SLES12 SP5

  • RHEL 8 and SLES ES 8

  • CaaSP 4

RHEL 8 and SLES ES 8 support

Red Hat Enterprise Linux 8 and SUSE Linux Enterprise Server Expanded Support 8 are now supported clients as Salt minions. The traditional stack will not be supported on these operating systems.

With the new application streams concept introduced in these operating systems, you will need to import both the BaseOS and the AppStream directories from the ISO image for the bootstrap repository to be created correctly. If the AppStream directory is not imported, you will receive an error about missing Python 3 packages.

AppStream awareness in the UI and Content Lifecycle Management will be available in an upcoming version of SUSE Manager.


This version of SUSE Manager includes formulas to install Prometheus and Grafana, and makes the Apache exporter available for Ubuntu 18.04, RES6, RES7 and Proxy.

Package Hub

SUSE Package Hub is now supported on the Server, since the problems with the search that were caused by PackageHub-provided packages have been solved.

If you were using Package Hub as a source of packages for you clients, it is recommended that you re-generate all package metadata. The reason for this is in the Package Hub repositories there may exist multiple packages with the same NEVRA but different checksums. This might result in checksum errors when repositories are used on the clients as SUSE Manager randomly selected any of those packages. After this update, SUSE Manager will generate the checksum into the package path to ensure the right package is used. If you use also SUSE Manager Proxy / SUSE Manager Retail Branch Server please update all of them before you re-generate the metadata.


The cpu-mitigations-formula is now installed by default.

The Retail branch network formula now works all SUSE and openSUSE based distros, using SuSEfirewall or firewalld as appropriate.

Version 4.0.3

Please check the SUSE Manager 4.0 Server Release Notes for all the changes happening in the product in the 4.0.3 release.

On the proxy, the most remarkable changes are the ones that enhance support for Debian and Ubuntu:

  • Support for all of the headers in .deb packages, including custom ones, when syncing Debian/Ubuntu repositories. You can use the new script mgr-update-pkg-extra-tags to update extra fields in DB without recreating all Debian/Ubuntu channels.

  • Support for .deb packages with hyphens in the package name or version. There remain a very small percentage (<0.1%) of packages for which our version comparison algorithm fails; we will fix this known issue in a coming release.

Version 4.0.2

Updated documentation

The SUSE Manager documentation has received improvements in all of the books, with small clarifications and enhancements all around: content lifecycle management filters, public cloud, JeOS, retail images and formulas, etc

Of particular interest for customers with large installations will be the new Large Scale Deployment and Salt Tuning sections in the Salt Guide. Given that modifying advanced parameters can cause catastrophic failure, we strongly recommend that you contact SUSE Consulting for assistance with tuning for your specific case.

Additionally, the search functionality in the documentation now works offline.

UEFI boot (Retail)

SUSE Manager for Retail can now create the required partitions and image machines with an EFI boot, using the Saltboot formula.

Version 4.0.1

Bugfix release


SUSE Customer Center provides a simple online service to view released patches:

Version 4.0.14


  • Add require for py27-compat-salt (salt 3002 does not provide python2-salt anymore)


  • Maintainer field in debian packages are only recommended (bsc#1186508)

  • Switch to www group for satellite logs (bsc#1185097)

Version 4.0.13


  • Build requires Go 1.15

  • Add %license macro for LICENSE file


  • Build with Go 1.15


  • Adapt to new SSL implementation of rhnlib (bsc#1181807)


  • Change SSL implementation to Python SSL for better SAN and hostname matching support (bsc#1181807)


  • Handle SIGPIPE without a user-visible exception (bsc#1181124)


  • Deb_src repo plugin is not restoring config namespace on exception (bsc#1182197, bsc#1184179)

  • Fixing improper exception handling causing another exception in ThreadedDownloader

  • Avoid race condition due multiple reposync import threads (bsc#1183151)

  • Fix for UnicodeDecodeError in satellite-sync: Opening RPM file in binary mode (bsc#1181274)

  • Open repomd files as binary (bsc#1173893)


  • Fallback to sysfs when reading info from python-dmidecode fails (bsc#1182603)

  • Adapt to new SSL implementation of rhnlib (bsc#1181807)


  • Adapt to new SSL implementation of rhnlib (bsc#1181807)


  • Adapt to new SSL implementation of rhnlib (bsc#1181807)


  • Speed up susemanager-nodejs-sdk-devel RPM build


  • Support for "allow vendor change" for patching/upgrading

Version 4.0.12


  • Fix spacecmd with no parameters produces traceback on SLE 11 SP4 (bsc#1176823)


  • Reposync: Fixed Kickstart functionality.

  • Reposync: Fixed URLGrabber error handling.

  • Reposync: Fix modular data handling for cloned channels (bsc#1177508)

  • Truncate author name in the changelog (bsc#1180285)

  • Drop Transfer-Encoding header from proxy respone to fix error response messages (bsc#1176906)

  • Prevent tracebacks on missing mail configuration (bsc#1179990)

  • Fix pycurl.error handling in (bsc#1179990)

  • Use sanitized repo label to build reposync repo cache path (bsc#1179410)

  • Quote the proxy settings to be used by Zypper (bsc#1179087)

  • Fix spacewalk-repo-sync to successfully manage and sync ULN repositories

  • Fix errors in spacewalk-debug and align postgresql queries to new DB version


  • Improve check for correct CA trust store directory (bsc#1176417)


  • Fix package manager string compare - python3 porting issue


  • Prevent deletion of CLM environments if they’re used in an autoinstallation profile (bsc#1179552)

  • Fix mandatory channels JS API to finish loading in case of error (bsc#1178839)


  • Remove checks for obsolete packages

  • Gather new configfiles

  • Add more important informations


  • Remove checks for obsolete packages

  • Gather new configfiles

  • Add more important informations


  • Fix option parsing in configure-tftpsync (bsc#1180017)

Version 4.0.11


  • ISS: Differentiate packages with same nevra but different checksum in the same channel (bsc#1178195)

  • Fix unique machine_id detection (bsc#1176074)


  • Fix link to documentation in Admin -> Manager Configuration -> Monitoring (bsc#1176172)

  • Don’t allow users to select spice for Xen PV and PVH guests


  • 1.0.8

  • Support "allow vendor change" for dist upgrades

Version 4.0.10


  • Reverse order for activation keys is needed (bsc#1167907)


  • Fix the jQuery selector in SP Migration page (bsc#1176500)

  • Fix JavaScript error caused by SPA navigation event with empty event field (bsc#1176503)

  • Force disable SPA for non-navigation links (bsc#1175512)

  • Changes in the logic to update the tick icon.

  • For the postgres localhost:5432 case, use the

  • Fix internal server errors by returning 0 instead of dying

  • Add missing dependency to spacewalk-base-minimal (bsc#678126)

  • Change kickstart to autoinstallation in navigation on pxt pages

  • Debranding


  • Replace "SuSE" user-facing references with "SUSE"

  • Trust PackageHub key (bsc#1175103)

Version 4.0.9


  • Python3 fixes for errata in spacecmd (bsc#1169664)

  • Python3 fix for sorted usage (bsc#1167907)

  • Fix softwarechannel_listlatestpackages throwing error on empty channels (bsc#1175889)

  • Fix escaping of package names (bsc#1171281)


  • Add option --nostricthostkeychecking to spacewalk-ssh-push-init

  • Strip SSL Certificate Common Name after 63 Characters (bsc#1173535)


  • Python3 fix for loading pickle file during kickstart procedure (bsc#1174201)


  • Fix login page after jQuery upgrade (bsc#1175224)

  • Upgrade jQuery and adapt the code - CVE-2020-11022 (bsc#1172831)

  • Warn when a system is in multiple groups that configure the same formula in the system formula’s UI (bsc#1173554)

Version 4.0.8


  • Fix issues importing RPM packages with long RPM headers (bsc#1174871)

  • Make media.1/products available for every channel. Needed for autoinstallation of SLE15 SP2 (bsc#1173204)


  • Fix VM creation page when there is no volume in the default storage pool

  • Use volumes for VMs disks

  • Use ReactJS Context in Form components

  • Product list in the Wizard doesn’t show SLE products first (bsc#1173522)

  • Compute the websockify URL on browser side (bsc#1149644)

Version 4.0.7


  • Remove Recommends for traditional client from proxy pattern as this will install the traditional stack during upgrades (bsc#1171494)

  • Add requires for openvpn-formula


  • Only report real error, not result (bsc#1171687)

  • Use defined return values for spacecmd methods so scripts can check for failure (bsc#1171687)


  • Supportconfig speedup fixes, add option to not compress spacewalk-debug output dir

  • Prevent failure when syncing from RHEL CDN due extra params (bsc#1171885)

  • Use default sender address from web namespace


  • Do not cache metadata of the bootstrap repositories (bsc#1171169)


  • Remove lowercase image label limitation

  • Sort activation keys on bootstrapping page (bsc#1171251)

  • Auto select recommended and mandatory channels by default (bsc#1162843)

  • Add hint to edit formulas before applying state (bsc#1168805)

  • Fix custom info values input in image profile edit form (bsc#1169773)



  • Ensure correct /etc/apache2/conf.d/susemanager-tftpsync-recv.conf after upgrade (bsc#1169535)

  • Do not produce 500 errors with empty and UTF files (bsc#1167265)


  • Prevent issue with non-ASCII characters in Python 2 systems (bsc#1172462)

Version 4.0.6


  • Require yast2-migration to allow online OS migrations (bsc#1167777)


  • Validate cached package entries on ISS slave (bsc#1159184)

  • Do not break when syncing Oracle 7 yum channel (bsc#1158463)

  • Always use the same RPM database when running "spacewalk-repo-sync" from the command line or via taskomatic (bsc#1163468)


  • Add minion option in config file to disable salt mine when generated by bootstrap script (bsc#1163001)

  • Disable modularity failsafe mechanism for RHEL 8 bootstrap repos (bsc#1164875)


  • Use 'int' instead of 'long' on rhn_check for both Python 2 and 3

  • Do not crash 'mgr-update-status' because 'long' type is not defined in Python 3

  • Add workaround for uptime overflow to spacewalk-update-status as well (bsc#1165921)


  • Move vital proxy templates to a safe place outside of docu (bsc#1166284)


  • Show warning on products page when no SUSE Manager Server Subscription is available

  • Scheme is not allowed for URI of image store’s API endpoint (bsc#1165571)


  • Make wsgi scripts compatible with Python3 (bsc#1164111)


  • Cast to NodeState to str to allow serialization on libcloud 2.8.1 (bsc#1167052)

Version 4.0.5



  • Add recommends for virtualization-host-formula to suma_server pattern

  • Add recommends for virtualization-host-formula to retail


  • Bugfix: attempt to purge SSM when it is empty (bsc#1155372)


  • Fix mgrcfg-client python3 breakage (bsc#1164309)

  • Update doc link to point to new documentation server

  • Prevent timestamp format exception on mgr-inter-sync while processing comps (bsc#1157346)

  • When downloading repo metadata, don’t add "/" to the repo url if it already ends with one (bsc#1158899)

  • Use HTTP proxy settings when fetching the mirrorlist on spacewalk-repo-sync (bsc#1159076)

  • Enhance suseProducts via ISS to fix SP migration on slave server (bsc#1159184)

  • Prevent a traceback when reposyncing openSUSE 15.1 (bsc#1158672)

  • Close config files after reading them (bsc#1158283)

  • Associate VMs and systems with the same machine ID at bootstrap (bsc#1144176)


  • Add 'start_event_grains' minion option to configfile when generated by bootstrap script

  • Forbid multiple activation keys for salt minions during bootstrap (bsc#1164452)

  • Add additional minion options to configfile when generated by bootstrap script (bsc#1159492)

  • Change the order to check the version correctly for RES (bsc#1152795)


  • Spell correctly "successful" and "successfully"



  • Rename rhncfg-actions to mgr-cfg-actions


  • Rename rhncfg-actions to mgr-cfg-actions

Version 4.0.4


  • SQL scripts are now placed at /etc/jabberd/scripts to make jabberd compatible with JeOS (bsc#1148352)

  • Always require zlib-devel for building (fixes building for SLE15 SP2)


  • Add prometheus-formula and grafana-formula to the server pattern

  • Add the apache exporter to the proxy pattern as "Recommends"

  • Install cpu-mitigations-formula by default


  • Add support for provisioning the apache exporter


  • Fix malformed XML response when data contains non-ASCII chars (bsc#1154968)


  • Fix specfile for systems that do not yet use systemd

  • Fix spacewalk-update-signatures for python3 (bsc#1156521)

  • Fix problems with Package Hub repos having multiple rpms with same NEVRA but different checksums (bsc#1146683)

  • Fix broken spacewalk-data-fsck utility (bsc#1131556)


  • Fix certificate generation when the serial has leading zeroes to avoid "asn1 encoding routines:a2i_ASN1_INTEGER:odd number of chars" during setup

  • Make traditional bootstrap more robust for unknown hostname (bsc#1152298)

  • fix bootstrap script generator to work with Expanded Support 8 product (bsc#1158002)


  • Skip dmidecode data on aarch64 to prevent coredump (bsc#1113160)


  • Fix problems with Package Hub repos having multiple rpms with same NEVRA but different checksums (bsc#1146683)


  • SQL scripts are now placed at /etc/jabberd/scripts to make jabberd compatible with JeOS (bsc#1148352)


  • Add self monitoring to Admin Monitoring UI (bsc#1143638)

  • Layout changes in formula forms, validation, deprecate $visibleIf and add new attributes: $disabled, $visisble, $required, $match

  • Fix create VM dialog when there is no virtual storage pool or network

  • Show channels and filters in CLM history

  • SPA: do not early drop modals they can contain inputs (bsc#1155800)

  • Fix WebUI invalidation time by using the package build time instead of the WebUI version (bsc#1154868)

  • Filter by description on the Products page works recursively

  • Add check/message for project not found (bsc#1145755)

  • Remove/change text on edit filters for clp (bsc#1145608)

  • Fix sorting issues on content filter list page (bsc#1145591)


  • Prevent possible encoding issues on Python 3 (bsc#1152722)

Version 4.0.3


  • Obsolete all old python2-rhncfg* packages to avoid conflicts (bsc#1152290)

  • Fix data type issue to correctly decode if needed (bsc#1150320)

  • Require mgr-daemon (new name of spacewalksd) so we systems with spacewalksd get always the new package installed (bsc#1149353)


  • Adjust current name of the package to mgr-daemon and not spacewalksd (bsc#1149353)

  • Enable spacewalk-update-service on package installation (bsc#1143789, bsc#1150216)


  • Obsolete all old python2-osa* packages to avoid conflicts (bsc#1152290)


  • Add recommends for cpu-mitigations-formula


  • Fix re-registration with re-activation key (bsc#1154275)

  • Change the default value of taskomatic maxmemory to 4GB

  • Add basic support for importing modular repositories

  • Import additional fields for Deb packages

  • Add script to update additional fields in the DB for existing Deb packages

  • Use active values for diskchecker mails

  • Parse restart_suggested flag from patches and set it as keywords (bsc#1151467)

  • Improve error message when deleting channel that’s in a content lifecycle project (bsc#1145769)

  • Prevent "reposync" crash when handling metadata on RPM repos (bsc#1138358)

  • Do not show expected WARNING messages from "c_rehash"

  • Fix misspelling in spacewalk-repo-sync (bsc#1149633)

  • Remove credentials also from potential rhn.conf backup files in spacewalk-debug (bsc#1146419)

  • Do not crash 'rhn-satellite-exporter' with ModuleNotFound error (bsc#1146869)

  • Spacewalk-remove-channel check that channel doesn’t have cloned channels before deleting it (bsc#1138454)

  • Fix broken spacewalk-data-fsck utility

  • Add '--latest' support for reposync on DEB based repositories

  • Do not try to download RPMs from the unresolved mirrorlist URL

  • Fix encoding issues with DB bytes values (bsc#1144300)

  • Fix import of rhnAuthPAM to avoid issues when using rhnpush.

  • Avoid traceback on mgr-inter-sync when there are problems with cache of packages (bsc#1143016)


  • Require mgr-daemon (new name of spacewalksd) so we systems with spacewalksd get always the new package installed (bsc#1149353)


  • Require mgr-daemon (new name of spacewalksd) so we systems with spacewalksd get always the new package installed (bsc#1149353)

  • Enable spacewalk-update-service on package installation (bsc#1143789)

  • Invalidate cache 5 minutes before actual expiration(bsc#1143562)


  • Redirect to project when canceling creating a filter (bsc#1145750)

  • Better visualization of the filters attached to a CLM Project. Allow/deny are now split

  • Fix ui issues with content lifecycle project list page (bsc#1145587)

  • Implement "keyword" filter for Content Lifecycle Management

  • Enable Azure, Amazon EC2 and Google Compute Engine as available Virtual host Managers

  • Trim strings when creating/updating image stores/profiles (bsc#1133429)

  • Show loading spin while loading salt keys data (bsc#1150180)

  • CLM - Disable clones by default of the shown CLM Project sources

  • Change form order and change project creation message (bsc#1145744)

  • Add UI message when salt-formulas system folders are unreachable (bsc#1142309)

  • Implement "regular expression" Filter for Content Lifecycle Management matching package names, patch name, patch synopsis and package names in patches

  • New Single Page Application engine for the UI. It can be enabled with the config '' set to true

  • Add environment label when deleting environment (bsc#1145758)

  • Change color of disabled build button on clp page (bsc#1145626)

  • Fix the 'include recommended' button on channels selection in SSM (bsc#1145086)

  • Implement "patch contains package" Filter for Content Lifecycle Management

  • Implement Filter Patch "by type" Content Lifecycle Management

  • Implement filtering errata by synopsis in Content Lifecycle Management

  • Normalize date formats for actions, notifications and clm (bsc#1142774)

  • Implement ALLOW filters in Content Lifecycle Management

  • Implement "by date" Filter for Content Lifecycle Management

Version 4.0.2


  • Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)


  • Fix systemd timer configuration on SLE12 (bsc#1142038)

  • Rhnsd service was replaced by rhnsd timer (bsc#1138130)


  • Fix obsolete for old osad packages, to allow installing mgr-osad even by using osad at yum/zyppper install (bsc#1139453)

  • Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)


  • Add SNI support for clients

  • fix initialize ssl connection (bsc#1144155)

  • Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)


  • Do not overwrite comps and module data with older versions

  • Fix issue with "dists" keyword in url hostname

  • Import packages from all collections of a patch not just first one

  • Ensure bytes type when using hashlib to avoid traceback on XMLRPC call to "registration.register_osad" (bsc#1138822)

  • For backend-libs subpackages, exclude files for the server (already part of spacewalk-backend) to avoid conflicts (bsc#1148125)

  • prevent duplicate key violates on repo-sync with long changelog entries (bsc#1144889)

  • Don’t skip Deb package tags on package import (bsc#1130040)


  • Run completely unattended on Ubuntu (bsc#1137881)


  • The rhnsd service was replaced by rhnsd timer, so registration script and systemd presets are now adapted to this (bsc#1138130)


  • Add RHEL8


  • Redirect to first step of channel assignment after change channel submit (bsc#1137244)

  • Hide channels managed by Content Lifecycle projects from available sources (bsc#1137965)

  • Add unsupported browser warning when using Internet Explorer

  • Allow virtualization tab for foreign systems (bsc#1116869)

  • Allow forcing off or resetting VMs

  • Fix VM creation dialog with non-default pools and networks (bsc#1138268)

  • Add checks for empty required entries on formula forms (bsc#1109639)

Version 4.0.1


  • Do not duplicate "https://" protocol when using proxies with "deb" repositories (bsc#1138313)

  • Fix reposync when dealing with RedHat CDN (bsc#1138358)

  • Fix for CVE-2019-10136. An attacker with a valid, but expired, authenticated set of headers could move some digits around, artificially extending the session validity without modifying the checksum. (bsc#1136480)


  • Fix for CVE-2019-10137. A path traversal flaw was found in the way the proxy processes cached client tokens. A remote, unauthenticated, attacker could use this flaw to test the existence of arbitrary files, or if they have access to the proxy’s filesystem, execute arbitrary code in the context of the proxy. (bsc#1136476)


  • Change WebUI version 4.0.1

Major Changes Since SUSE Manager Proxy 3.2

Prometheus Monitoring

We now include packages for the latest version of Prometheus. The SUSE Manager Monitoring entitlement is required for all systems that have monitoring with Prometheus enabled.

Some exporters will be pre-installed on SUSE Manager Proxy as part of its self-monitoring features. They will provide hardware, operating system, and HTTP Proxy metrics.

Formulas Update for Retail Branch Server

Formulas used to operate a SUSE Manager for Retail Branch Server were updated to support a SUSE Linux Enterprise 15 SP1 environment.

Configuration of SUSE Manager Retail Branch Server with Multiple Network Interfaces

During installation of SUSE Manager Retail Branch Server the secondary network interface, intended to be used for the terminal network, may be configured and bound to a firewall zone. This zone binding can interfere with the configuration of Retail services, and could result in you being unable to apply the highstate.

To avoid this problem, ensure that:

  • the primary network interface is either bound to 'public' zone or not bound to any zone

  • the secondary network interface either bound to 'internal' zone or is not bound to any firewall zone.

Do this by running these commands before you apply the retail formulas:

firewall-cmd --permanent --zone=public --change-interface=eth0
firewall-cmd --permanent --zone=internal --change-interface=eth1
firewall-cmd --reload

This example assumes eth0 is the primary interface and eth1 the secondary terminal interface.

Salt 2019.2.0

Salt has been upgraded to the 2019.2.0 release.

We intend to regularly upgrade Salt to more recent versions.

For more information about changes in your manually-created Salt states, see the Salt upstream release notes 2019.2.0.

Base System Upgrade

The base system was upgraded to SUSE Linux Enterprise 15 SP1. As a result, all code was ported to run with Python 3.

Known issues

Proxy password

Do not use the '@' character in the SUSE Manager Proxy password, as it is not escaped correctly.

Providing feedback

If you encounter a bug in any SUSE product, please report it through your support contact or in the SUSE Forums:

Documentation and Other Information

Latest product documentation:

Technical product information for SUSE Manager:

These release notes are available online:

Visit for the latest Linux product news from SUSE.

Visit for additional information on the source code of SUSE Linux Enterprise products.

Maxfeldstr. 5
D-90409 Nürnberg
Tel: +49 (0)911 740 53 - 0
Registrierung/Registration Number: HRB 21284 AG Nürnberg
Geschäftsführer/Managing Director: Felix Imendörffer, Mary Higgins, Sri Rasiah
Steuernummer/Sales Tax ID: DE 192 167 791
Erfüllungsort/Legal Venue: Nürnberg

SUSE makes no representations or warranties with regard to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, SUSE reserves the right to revise this publication and to make changes to its content, at any time, without the obligation to notify any person or entity of such revisions or changes.

Further, SUSE makes no representations or warranties with regard to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, SUSE reserves the right to make changes to any and all parts of SUSE software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classifications to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical/biological weaponry end uses. Please refer to the SUSE Legal information page for more information on exporting SUSE software. SUSE assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2012-2020 SUSE LLC.

This release notes document is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License (CC-BY-ND-4.0). You should have received a copy of the license along with this document. If not, see

SUSE has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at and one or more additional patents or pending patent applications in the U.S. and other countries.

For SUSE trademarks, see SUSE Trademark and Service Mark list ( All third-party trademarks are the property of their respective owners.


Thank you for using SUSE Manager Proxy Server in your business.

Your SUSE Manager Team.