Security update for SLMS

SUSE Security Update: Security update for SLMS
Announcement ID: SUSE-SU-2013:1813-1
Rating: low
References: #799218 #839419 #852101
Affected Products:
  • SUSE Lifecycle Management Server 1.3

  • An update that solves one vulnerability and has two fixes is now available. It includes one version update.


    This update for SLMS provides the following fixes:

    * Always generate secret key if default one from git is
    used and ensure files containing keys are readable only by
    SLMS. (CVE-2013-3710)
    * Fix valid appliance handling in studio APIv2 which
    return 404 instead of 400.
    * Fix grammar in error message.
    * NetIQ migration L3 fixes: o Fix injecting metadata
    into repodata o Fixed wrong namespace in injecting metadata
    o Prevent oversized logs when log xmlling output o Fix
    crash for download in chunk as it's object doesn't have
    even empty method o Fix crash if additional package is
    inconsistently added and not included in appliance anymore.

    Security Issues:

    * CVE-2013-3710

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Lifecycle Management Server 1.3:
      zypper in -t patch sleslms13-slms-8586

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Lifecycle Management Server 1.3 (noarch) [New Version: 1.3.7]:
    • slms-1.3.7-0.5.1
    • slms-core-1.3.7-0.5.1
    • slms-customer-center-1.3.7-0.5.1
    • slms-devel-doc-1.3.7-0.5.1
    • slms-external-1.3.7-0.5.1
    • slms-registration-1.3.7-0.5.1
    • slms-testsuite-1.3.7-0.5.1