Security update for Spacewalk stack

SUSE Security Update: Security update for Spacewalk stack
Announcement ID: SUSE-SU-2014:0223-1
Rating: moderate
References: #846356 #850925 #853913 #854090 #855610
Affected Products:
  • SUSE Manager Proxy 1.7 for SLE 11 SP2

  • An update that solves one vulnerability and has four fixes is now available. It includes four new package versions.

    Description:


    This SUSE Manager Proxy update fixes the following security
    issue and bugs:

    spacewalk-backend:

    * Check for empty result before printing software
    entitlement. (bnc#853913)
    * Added extra log folder to spacewalk-debug.
    (bnc#854090)
    * Better detection for SUSE KVM and Cloud systems.

    spacewalk-certs-tools:

    * Older versions of ssh-copy-id do not support the -o
    switch.
    * ssh-keygen fails with an error when known_hosts
    doesn't exist.
    * Call the new script from the old one and print
    deprecation warning.
    * New ssh-push client initialization script.

    spacewalk-proxy:

    * Fixed client registration via proxy. (bnc#855610)

    spacewalk-web:

    * CVE-2013-4415: PAGE_SIZE_LABEL_SELECTED cross-site
    scripting. (bnc#850925)
    * Put the given year in the valid range. (bnc#846356)
    * Paste event handler parsing CVE identifiers with
    Javascript. (bnc#846356)

    How to apply this update:

    1. Log in as root user to the SUSE Manager proxy. 2. Stop
    the proxy service: spacewalk-proxy stop 3. Apply the patch
    using either zypper patch or YaST Online Update. 4. Start
    the Spacewalk service: spacewalk-proxy start

    Security Issues:

    * CVE-2013-4415
    >

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Manager Proxy 1.7 for SLE 11 SP2:
      zypper in -t patch slemap17sp2-suse-manager-proxy-201401-8818

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Manager Proxy 1.7 for SLE 11 SP2 (x86_64) [New Version: 1.7.38.31]:
    • spacewalk-backend-1.7.38.31-0.5.1
    • spacewalk-backend-libs-1.7.38.31-0.5.1
    • SUSE Manager Proxy 1.7 for SLE 11 SP2 (noarch) [New Version: 1.7.12.14,1.7.28.20 and 1.7.3.11]:
    • spacewalk-base-minimal-1.7.28.20-0.5.1
    • spacewalk-certs-tools-1.7.3.11-0.5.1
    • spacewalk-proxy-broker-1.7.12.14-0.5.1
    • spacewalk-proxy-common-1.7.12.14-0.5.1
    • spacewalk-proxy-management-1.7.12.14-0.5.1
    • spacewalk-proxy-package-manager-1.7.12.14-0.5.1
    • spacewalk-proxy-redirect-1.7.12.14-0.5.1

    References:

    • http://support.novell.com/security/cve/CVE-2013-4415.html
    • https://bugzilla.novell.com/846356
    • https://bugzilla.novell.com/850925
    • https://bugzilla.novell.com/853913
    • https://bugzilla.novell.com/854090
    • https://bugzilla.novell.com/855610
    • http://download.novell.com/patch/finder/?keywords=1dc3b35801903770f664389364a3d72e