Security update for SUSE Manager Server 2.1

SUSE Security Update: Security update for SUSE Manager Server 2.1
Announcement ID: SUSE-SU-2016:1367-1
Rating: moderate
References: #922740 #924298 #958923 #961002 #961565 #962253 #966622 #966737 #966890 #968257 #968406 #968851 #970223 #970425 #970550 #970672 #970901 #970989 #971237 #972341 #973162 #973432 #973550 #974010 #974011 #974315 #976194 #976826 #978166
Affected Products:
  • SUSE Manager 2.1

An update that solves 5 vulnerabilities and has 24 fixes is now available.

    Description:


    This update for SUSE Manager Server 2.1 fixes the following issues:

    cobbler:

    - Add logrotate file for cobbler (bsc#976826)
    - Fix cobbler yaboot handling (bsc#968406, bsc#966622)

    osad:

    - Fix file permissions (bsc#970550)

    rhnlib:

    - Use TLSv1_METHOD in SSL Context (bsc#970989)

    spacewalk-backend:

    - Mgr_ncc_sync: Adapt to bulk scheduling introduced in
    scheduleSingleSatRepoSync

    spacewalk-branding:

    - Fix link to "Schedule patch updates" (bsc#973432)
    - Fix link to scheduled action for SP migration (bsc#968257, bsc#974315)
    - Fix: 'Advanced Search' title consistency

    spacewalk-certs-tools:

    - Fix file permissions (bsc#970550)

    spacewalk-java:

    - Recreate upgrade paths on every refresh (bsc#978166)
    - Call cobbler sync after cobbler command is finished (bsc#966890)
    - Under high load, the service wrapper may incorrectly interpret the
    inability to get a response in time from taskomatic and kill it
    (bsc#962253)
    - Log permissions problems on channel access during SP migration
    (bsc#970223)
    - Unittests: support SLE-POS 11 SP3 as addon for SLES 11 SP4 (bsc#976194)
    - Mgr-sync: use bulk channel reposync (bsc#961002)
    - Double the backslashes when reading the config files from java
    (bsc#958923)
    - When generating repo metadata for a cloned channel, recursively fetch
    keywords from the original channel (bsc#970901)
    - Better logging for SP Migration feature (bsc#970223)
    - Fix: 'Advanced Search' title consistency
    - CVE-2015-0284: XSS when altering user details and going somewhere where
    you are choosing user (bsc#922740)
    - CVE-2016-3079, CVE-2016-2103, CVE-2016-2104, CVE-2016-3097: Fix multiple
    XSS vulnerabilities (bsc#973162, bsc#974011, bsc#974010, bsc#973550)
    - BugFix: 'Systems > Advanced Search' title and description consistency
    (bsc#966737)
    - Fix: correct behavior with visibility conditions of sub-tabs in
    Systems/Misc page
    - BugFix: add missing url mapping (bsc#961565)
    - Fix kernel and initrd paths for creating autoinstallation trees
    (bsc#966622)
    - Fix tests for HAE-GEO on SLES 4 SAP (bsc#970425)
    - Add unit tests for SLE-Live-Patching12 (bsc#924298)

    spacewalk-utils:

    - Bugfix: don't repeat channel labels
    - Taskotop: a utility to monitor what Taskomatic is doing
    - Fix file permissions (bsc#970550)

    suseRegisterInfo:

    - Fix file permissions (bsc#970550)

    susemanager:

    - Add packages to bootstrap repo (bsc#971237)
    - Mgr-sync: use bulk channel reposync (bsc#961002)
    - Mgr_ncc_sync: adapt to bulk scheduling introduced in
    scheduleSingleSatRepoSync
    - Add SLES 4 SAP to mgr-create-bootstrap-repo as an option (bsc#972341)
    - Put packages only available in SLE12 SP1 in a separate list (bsc#970672)
    - Fix file permissions (bsc#970550)

    susemanager-sync-data:

    - Support SLE-POS 11 SP3 as addon for SLES 11 SP4 (bsc#976194)
    - HAE-GEO is an addon product for SLES 4 SAP (bsc#970425)
    - Add support for SLE-Live-Patching12 (bsc#924298, bsc#968851)

    susemanager-tftpsync:

    - Rename change_tftpd_proxies.py to sync_post_tftpd_proxies.py and change
    trigger type (bsc#966890)

    How to apply this update:

    1. Log in as root user to the SUSE Manager server.
    2. Stop the Spacewalk service: spacewalk-service stop
    3. Apply the patch using either zypper patch or YaST Online Update.
    4. Start the Spacewalk service: spacewalk-service start

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Manager 2.1:
      zypper in -t patch sleman21-suse-manager-21-201605-12567=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Manager 2.1 (s390x x86_64):
      • cobbler-2.2.2-0.61.2
      • rhnlib-2.5.69.8-11.2
      • spacewalk-backend-2.1.55.25-24.5
      • spacewalk-backend-app-2.1.55.25-24.5
      • spacewalk-backend-applet-2.1.55.25-24.5
      • spacewalk-backend-config-files-2.1.55.25-24.5
      • spacewalk-backend-config-files-common-2.1.55.25-24.5
      • spacewalk-backend-config-files-tool-2.1.55.25-24.5
      • spacewalk-backend-iss-2.1.55.25-24.5
      • spacewalk-backend-iss-export-2.1.55.25-24.5
      • spacewalk-backend-libs-2.1.55.25-24.5
      • spacewalk-backend-package-push-server-2.1.55.25-24.5
      • spacewalk-backend-server-2.1.55.25-24.5
      • spacewalk-backend-sql-2.1.55.25-24.5
      • spacewalk-backend-sql-oracle-2.1.55.25-24.5
      • spacewalk-backend-sql-postgresql-2.1.55.25-24.5
      • spacewalk-backend-tools-2.1.55.25-24.5
      • spacewalk-backend-xml-export-libs-2.1.55.25-24.5
      • spacewalk-backend-xmlrpc-2.1.55.25-24.5
      • spacewalk-branding-2.1.33.16-18.2
      • suseRegisterInfo-2.1.12-14.2
      • susemanager-2.1.24-23.1
      • susemanager-tftpsync-2.1.2-11.2
      • susemanager-tools-2.1.24-23.1
    • SUSE Manager 2.1 (noarch):
      • osa-dispatcher-5.11.33.11-15.2
      • spacewalk-certs-tools-2.1.6.10-18.3
      • spacewalk-java-2.1.165.23-20.1
      • spacewalk-java-config-2.1.165.23-20.1
      • spacewalk-java-lib-2.1.165.23-20.1
      • spacewalk-java-oracle-2.1.165.23-20.1
      • spacewalk-java-postgresql-2.1.165.23-20.1
      • spacewalk-taskomatic-2.1.165.23-20.1
      • spacewalk-utils-2.1.27.15-12.7
      • susemanager-sync-data-2.1.15-30.2
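
A post-update check, added here as an example and not part of the SUSE advisory: it lists packages that are still older than the fixed versions given in the package list above. The function name `outdated`, the constructed sample input, and the use of `sort -V` as an approximation of RPM version ordering are assumptions.

```shell
#!/bin/sh
# Fixed versions copied from the package list of this advisory (subset).
FIXED='cobbler 2.2.2-0.61.2
rhnlib 2.5.69.8-11.2
spacewalk-backend 2.1.55.25-24.5
spacewalk-branding 2.1.33.16-18.2
spacewalk-java 2.1.165.23-20.1
spacewalk-utils 2.1.27.15-12.7
susemanager 2.1.24-23.1'

# Constructed sample of "name version-release" lines; the cobbler version
# here is made up to show an unpatched package. On a real server, feed:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | outdated
SAMPLE='cobbler 2.2.2-0.59.1
rhnlib 2.5.69.8-11.2
spacewalk-java 2.1.165.23-20.1
unrelated-package 1.0-1'

# Read "name version-release" lines on stdin and print the name of every
# package that is listed in FIXED but installed at an older version.
# Assumption: sort -V (GNU coreutils) approximates RPM version ordering.
outdated() {
  while read -r name inst; do
    want=$(printf '%s\n' "$FIXED" | awk -v n="$name" '$1 == n {print $2}')
    if [ -z "$want" ] || [ "$inst" = "$want" ]; then
      continue                      # not in the advisory, or already fixed
    fi
    lowest=$(printf '%s\n%s\n' "$inst" "$want" | sort -V | head -n 1)
    if [ "$lowest" = "$inst" ]; then
      echo "$name"                  # installed version sorts below the fix
    fi
  done
}

printf '%s\n' "$SAMPLE" | outdated
```

An empty result means every checked package is at or above the version shipped with this update.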
