Security update for SUSE Manager Client Tools

Announcement ID: SUSE-SU-2017:1352-1
Rating: moderate
CVSS scores:
  • CVE-2017-7470 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected Products:
  • SUSE Linux Enterprise Desktop 12
  • SUSE Linux Enterprise Desktop 12 SP1
  • SUSE Linux Enterprise Desktop 12 SP2
  • SUSE Linux Enterprise Desktop 12 SP3
  • SUSE Linux Enterprise Desktop 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
  • SUSE Manager Client Tools for SLE 12

An update that solves one vulnerability and has nine security fixes can now be installed.

Description:

The following security issue in spacewalk-backend has been fixed:

  • Non-admin or disabled users can no longer make changes to a system using spacewalk-channel. (bsc#1026633, CVE-2017-7470)

Additionally, the following non-security issues have been fixed:

cobbler:

  • Support UEFI boot with cobbler generated tftp tree. (bsc#1020376)
  • Refresh patch for fuzzless appliance.

rhnlib:

  • Support all TLS versions in rpclib. (bsc#1025312)

spacecmd:

  • Improve output on error for listrepo. (bsc#1027426)
  • Reword spacecmd removal message. (bsc#1024406)

spacewalk-backend:

  • Do not fail with traceback when media.1 does not exist. (bsc#1032256)
  • Create scap files directory beforehand. (bsc#1029755)
  • Fix error if SPACEWALK_DEBUG_NO_REPORTS env variable is not present.
  • Don't skip 'rhnErrataPackage' cleanup during an errata update. (bsc#1023233)
  • Add support for running spacewalk-debug without creating reports. (bsc#1024714)
  • Set scap store directory mode to 775 and group owner to susemanager.
  • incomplete_package_import: Do import rhnPackageFile as it breaks some package installations.
  • Added traceback printing to the exception block.
  • Change postgresql starting commands.

spacewalk-client-tools:

  • Fix reboot message to use correct product name. (bsc#1031667)

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Manager Client Tools for SLE 12
    zypper in -t patch SUSE-SLE-Manager-Tools-12-2017-822=1

Package List:

  • SUSE Manager Client Tools for SLE 12 (noarch)
    • spacewalk-client-setup-2.5.13.8-48.1
    • koan-2.6.6-45.1
    • rhnlib-2.5.84.4-17.1
    • spacewalk-backend-libs-2.5.24.9-51.1
    • spacewalk-client-tools-2.5.13.8-48.1
    • spacewalk-check-2.5.13.8-48.1
    • spacecmd-2.5.5.5-34.1
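
To confirm that a client has the fixed builds after patching, the following added example (not part of the SUSE advisory) compares installed version-release strings against the package list above. It assumes input in the form produced by rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n', uses a simplified RPM version comparison without epoch or tilde handling, and runs on a constructed sample; the function names are hypothetical.

```python
import re

# Fixed builds, copied from this advisory's package list (noarch).
FIXED = {
    "spacewalk-client-setup": "2.5.13.8-48.1",
    "koan": "2.6.6-45.1",
    "rhnlib": "2.5.84.4-17.1",
    "spacewalk-backend-libs": "2.5.24.9-51.1",
    "spacewalk-client-tools": "2.5.13.8-48.1",
    "spacewalk-check": "2.5.13.8-48.1",
    "spacecmd": "2.5.5.5-34.1",
}

def _cmp_part(a, b):
    """Simplified rpmvercmp for one field: returns -1, 0 or 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)  # runs of digits or letters
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # 10 > 8, unlike string compare
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare two VERSION-RELEASE strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def unpatched(rpm_output):
    """Return {name: installed} for packages older than the fixed build."""
    stale = {}
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in FIXED:
            if vr_cmp(parts[1], FIXED[parts[0]]) < 0:
                stale[parts[0]] = parts[1]
    return stale

# Constructed sample input, not taken from a real host.
SAMPLE = ("spacecmd 2.5.5.4-31.1\nrhnlib 2.5.84.4-17.1\nkoan 2.6.6-45.3\n"
          "spacewalk-check 2.5.13.10-50.1\nbash 4.3-82.1\n")

if __name__ == "__main__":
    for name, ver in sorted(unpatched(SAMPLE).items()):
        print(f"{name}: installed {ver}, fixed in {FIXED[name]}")
```

A package from the list that is not installed at all does not appear in the result; only installed builds older than the fixed one are reported.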
