Security update for Spacewalk stack
SUSE Security Update: Security update for Spacewalk stack
This Spacewalk stack update fixes the following security
issues and bugs:
spacewalk-backend:
* Check for empty result before printing software
entitlement. (bnc#853913)
* Added extra log folder to spacewalk-debug.
(bnc#854090)
* Better detection for SUSE KVM and Cloud systems.
spacewalk-branding:
* CVE-2013-4415: PAGE_SIZE_LABEL_SELECTED cross-site
scripting. (bnc#850925)
spacewalk-certs-tools:
* Older versions of ssh-copy-id do not support the -o
switch.
* ssh-keygen fails with an error when known_hosts
doesn't exist.
* Call the new script from the old one and print
deprecation warning.
* New ssh-push client initialization script.
spacewalk-java:
* CVE-2013-4415: PAGE_SIZE_LABEL_SELECTED cross-site
scripting. (bnc#850925)
* CVE-2010-2236: Clean backticks from monitoring-probes
where appropriate. (bnc#850930)
* CVE-2012-6149: Fix XSS in notes.jsp. (bnc#850929)
* CVE-2013-1869: Only follow internal return_urls to
fix header injection flaw. (bnc#850928)
* CVE-2013-1871: Fix XSS in edit-address JSPs.
(bnc#850927)
* Add the paste event handler in 'onload'. (bnc#846356)
spacewalk-search:
* Allow NULL as createdBy and lastModifiedBy to fix
custom info value index. (bnc#834415)
spacewalk-utils:
* clone-by-date: Fix with dependency check enabled.
(bnc#858652)
spacewalk-web:
* CVE-2013-4415: PAGE_SIZE_LABEL_SELECTED cross-site
scripting. (bnc#850925)
* Put the given year in the valid range. (bnc#846356)
* Paste event handler parsing CVE identifiers with
Javascript. (bnc#846356)
susemanager:
* Create bootstrap repositories from SLES4SAP repos.
(bnc#858197)
How to apply this update: 1. Log in as root user to the
SUSE Manager server. 2. Stop the Spacewalk service:
spacewalk-service stop 3. Apply the patch using either
zypper patch or YaST Online Update. 4. Start the Spacewalk
service: spacewalk-service start
Security Issues:
* CVE-2010-2236
>
* CVE-2012-6149
>
* CVE-2013-1869
>
* CVE-2013-1871
>
* CVE-2013-4415
>
| Announcement ID: | SUSE-SU-2014:0222-1 |
| Rating: | moderate |
| References: | #834415 #846356 #850925 #850927 #850928 #850929 #850930 #853913 #854090 #858197 #858652 |
| Affected Products: |
An update that solves 5 vulnerabilities and has 6 fixes is now available. It includes 8 new package versions.
Description:
This Spacewalk stack update fixes the following security
issues and bugs:
spacewalk-backend:
* Check for empty result before printing software
entitlement. (bnc#853913)
* Added extra log folder to spacewalk-debug.
(bnc#854090)
* Better detection for SUSE KVM and Cloud systems.
spacewalk-branding:
* CVE-2013-4415: PAGE_SIZE_LABEL_SELECTED cross-site
scripting. (bnc#850925)
spacewalk-certs-tools:
* Older versions of ssh-copy-id do not support the -o
switch.
* ssh-keygen fails with an error when known_hosts
doesn't exist.
* Call the new script from the old one and print
deprecation warning.
* New ssh-push client initialization script.
spacewalk-java:
* CVE-2013-4415: PAGE_SIZE_LABEL_SELECTED cross-site
scripting. (bnc#850925)
* CVE-2010-2236: Clean backticks from monitoring-probes
where appropriate. (bnc#850930)
* CVE-2012-6149: Fix XSS in notes.jsp. (bnc#850929)
* CVE-2013-1869: Only follow internal return_urls to
fix header injection flaw. (bnc#850928)
* CVE-2013-1871: Fix XSS in edit-address JSPs.
(bnc#850927)
* Add the paste event handler in 'onload'. (bnc#846356)
spacewalk-search:
* Allow NULL as createdBy and lastModifiedBy to fix
custom info value index. (bnc#834415)
spacewalk-utils:
* clone-by-date: Fix with dependency check enabled.
(bnc#858652)
spacewalk-web:
* CVE-2013-4415: PAGE_SIZE_LABEL_SELECTED cross-site
scripting. (bnc#850925)
* Put the given year in the valid range. (bnc#846356)
* Paste event handler parsing CVE identifiers with
Javascript. (bnc#846356)
susemanager:
* Create bootstrap repositories from SLES4SAP repos.
(bnc#858197)
How to apply this update: 1. Log in as root user to the
SUSE Manager server. 2. Stop the Spacewalk service:
spacewalk-service stop 3. Apply the patch using either
zypper patch or YaST Online Update. 4. Start the Spacewalk
service: spacewalk-service start
Security Issues:
* CVE-2010-2236
* CVE-2012-6149
* CVE-2013-1869
* CVE-2013-1871
* CVE-2013-4415
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Manager 1.7 for SLE 11 SP2:
zypper in -t patch sleman17sp2-suse-manager-201401-8817
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Manager 1.7 for SLE 11 SP2 (x86_64) [New Version: 1.7.1.11,1.7.27 and 1.7.38.31]:
- spacewalk-backend-1.7.38.31-0.5.1
- spacewalk-backend-app-1.7.38.31-0.5.1
- spacewalk-backend-applet-1.7.38.31-0.5.1
- spacewalk-backend-config-files-1.7.38.31-0.5.1
- spacewalk-backend-config-files-common-1.7.38.31-0.5.1
- spacewalk-backend-config-files-tool-1.7.38.31-0.5.1
- spacewalk-backend-iss-1.7.38.31-0.5.1
- spacewalk-backend-iss-export-1.7.38.31-0.5.1
- spacewalk-backend-libs-1.7.38.31-0.5.1
- spacewalk-backend-package-push-server-1.7.38.31-0.5.1
- spacewalk-backend-server-1.7.38.31-0.5.1
- spacewalk-backend-sql-1.7.38.31-0.5.1
- spacewalk-backend-sql-oracle-1.7.38.31-0.5.1
- spacewalk-backend-sql-postgresql-1.7.38.31-0.5.1
- spacewalk-backend-tools-1.7.38.31-0.5.1
- spacewalk-backend-xml-export-libs-1.7.38.31-0.5.1
- spacewalk-backend-xmlrpc-1.7.38.31-0.5.1
- spacewalk-backend-xp-1.7.38.31-0.5.1
- spacewalk-branding-1.7.1.11-0.5.1
- susemanager-1.7.27-0.5.2
- susemanager-tools-1.7.27-0.5.2
- SUSE Manager 1.7 for SLE 11 SP2 (noarch) [New Version: 1.7.15.12,1.7.28.20,1.7.3.11,1.7.3.12 and 1.7.54.30]:
- spacewalk-base-1.7.28.20-0.5.1
- spacewalk-base-minimal-1.7.28.20-0.5.1
- spacewalk-certs-tools-1.7.3.11-0.5.1
- spacewalk-grail-1.7.28.20-0.5.1
- spacewalk-html-1.7.28.20-0.5.1
- spacewalk-java-1.7.54.30-0.5.1
- spacewalk-java-config-1.7.54.30-0.5.1
- spacewalk-java-lib-1.7.54.30-0.5.1
- spacewalk-java-oracle-1.7.54.30-0.5.1
- spacewalk-java-postgresql-1.7.54.30-0.5.1
- spacewalk-pxt-1.7.28.20-0.5.1
- spacewalk-search-1.7.3.12-0.5.1
- spacewalk-sniglets-1.7.28.20-0.5.1
- spacewalk-taskomatic-1.7.54.30-0.5.1
- spacewalk-utils-1.7.15.12-0.5.3
References:
- http://support.novell.com/security/cve/CVE-2010-2236.html
- http://support.novell.com/security/cve/CVE-2012-6149.html
- http://support.novell.com/security/cve/CVE-2013-1869.html
- http://support.novell.com/security/cve/CVE-2013-1871.html
- http://support.novell.com/security/cve/CVE-2013-4415.html
- https://bugzilla.novell.com/834415
- https://bugzilla.novell.com/846356
- https://bugzilla.novell.com/850925
- https://bugzilla.novell.com/850927
- https://bugzilla.novell.com/850928
- https://bugzilla.novell.com/850929
- https://bugzilla.novell.com/850930
- https://bugzilla.novell.com/853913
- https://bugzilla.novell.com/854090
- https://bugzilla.novell.com/858197
- https://bugzilla.novell.com/858652
- http://download.novell.com/patch/finder/?keywords=c86d2c06c2403e2323a238c376ec6f16