Security update for SUSE Manager Server 3.2

SUSE Security Update: Security update for SUSE Manager Server 3.2
Announcement ID: SUSE-SU-2019:1006-1
Rating: moderate
References: #1070731 #1109316 #1120242 #1121195 #1122230 #1122381 #1122837 #1124290 #1125600 #1125744 #1126075 #1126099 #1126518 #1127542 #1128228 #1128724 #1128781 #1129765 #1129851 #1129956 #1130658 #1131490 #1131677 #1131721 #1132579
Cross-References: CVE-2017-7957
Affected Products:
  • SUSE Manager Server 3.2
  • SUSE Manager Proxy 3.2

An update that solves one vulnerability and has 24 fixes is now available.

Description:


This update includes the following new features:
to the repository metadata (fate#325676)
This update fixes the following issues:
apache-commons-lang3:

  • Run fdupes on javadoc
  • Specify java target and source level 1.6 to make package compatible with JDK >= 1.8

cobbler:
  • Fixes case where distribution detection returns None (bsc#1130658)
  • SUSE texmode fix (bsc#1109316)

drools:
  • Update Drools to 7.17.0
  • Release Notes: https://issues.jboss.org/secure/ReleaseNote.jspa
  • Fixes for SLE 15 compatibility

guava:
  • Updated from 13.0.1 to 27.0.1
  • Changes between 13.0.1 and 23.0: https://github.com/google/guava/wiki/Release14 https://github.com/google/guava/wiki/Release15 https://github.com/google/guava/wiki/Release16 https://github.com/google/guava/wiki/Release17 https://github.com/google/guava/wiki/Release18 https://github.com/google/guava/wiki/Release19 https://github.com/google/guava/wiki/Release23
  • Changes between 23.0 and 27.0.1: see https://github.com/google/guava/releases

jade4j:
  • Conditional java/java-devel requires based on os version
  • Update dependency version for commons-lang3 to 3.4
  • Fix building javadoc

kie-api:
  • Update KIE to 7.17.0
  • Release notes: https://issues.jboss.org/secure/ReleaseNote.jspa

optaplanner:
  • Update Optaplanner to 7.17.0

py26-compat-salt:
  • Fix minion arguments assign via sysctl (bsc#1124290)

smdba:
  • Make 'smdba space-overview' postgresql version agnostic (bsc#1129956)
  • Fix version mismatch

spacecmd:
  • Fix system_delete with SSM (bsc#1125744)

spacewalk-admin:
  • Fix encoding bug in salt event processing (bsc#1129851)

spacewalk-backend:
  • Fix linking of packages in reposync (bsc#1131677)
  • Fix: handle non-standard filenames for comps.xml (bsc#1120242)
  • Mgr-sign-metadata can optionally clear-sign metadata files

spacewalk-branding:
  • Introduce a description label for the new 'minion-checkin' Taskomatic job (bsc#1122837)

spacewalk-certs-tools:
  • Add support for Ubuntu to bootstrap script
  • Clean up downloaded gpg keys after bootstrap (bsc#1126075)

spacewalk-java:
  • Fix base channel selection for Ubuntu systems (bsc#1132579)
  • Fix retrieval of build time for .deb repositories (bsc#1131721)
  • Allow access to susemanager tools channels without res subscription (bsc#1127542)
  • Add support for SLES 15 live patches in CVE audit
  • Add a Taskomatic job to perform minion check-in regularly, drop use of Salt's Mine (bsc#1122837)
  • Fix errata_details to return details correctly (bsc#1128228)
  • Support ubuntu products and debian architectures in mgr-sync
  • Adapt check for available repositories to debian style repositories
  • Add support for custom username when bootstrapping with Salt-SSH
  • Read and update running kernel release value at each startup of minion (bsc#1122381)
  • Add error message on sync refresh when there are no scc credentials
  • Fix apidoc issues
  • Fix deleting server when minion_formulas.json is empty (bsc#1122230)
  • Minion-action-cleanup Taskomatic task: do not clean actions younger than one hour
  • Schedule full package refresh only once per action chain if needed (bsc#1126518)
  • Check and schedule package refresh in response to events independently of what originates them (bsc#1126099)
  • Add configuration option to limit the number of changelog entries added to the repository metadata (fate#325676)
  • Generate InRelease file for Debian/Ubuntu repos when metadata signing is enabled

spacewalk-web:
  • Show undetected subscription-matching message object as a string anyway (bsc#1125600)
  • Fix action scheduler time picker prefill when the server is on "UTC/GMT" timezone (bsc#1121195)
  • Allow username input on bootstrap page when using Salt-SSH
  • Add cache buster for static files (js/css) to fix caching issues after upgrading.

subscription-matcher:
  • Update dependencies (Drools, Optaplanner, Guava, Xstream)
  • Make the java and java-devel requirements variable
  • Relax the requirement condition on apache-commons-lang3

susemanager:
  • Support creating bootstrap repos for Ubuntu 18.04 and 16.04.
  • Allow alternative names for bootstrap packages, to allow using old client tools after package renames
  • Feat: create Ubuntu empty repository
  • Fix creation of bootstrap repositories for SLE12 (no SP) by requiring python-setuptools only for SLE12 >= SP1 (bsc#1129765)
  • Add bootstrap repo definition for SLE15 SP1

susemanager-docs_en:
  • Update text and image files.
  • Fix bad link.
  • Update Manual Backup and smdba sections.
  • Troubleshooting Salt clients.
  • Fix package endpoint in salt pillar content.
  • Ubuntu Clients supported.
  • Change License to GFL 1.2, as it is the real license for the doc since 3.2.0

susemanager-schema:
  • Add a Taskomatic job to perform minion check-in regularly, drop use of Salt's Mine (bsc#1122837)
  • Fix performance regression in inter-server-sync (bsc#1128781)
  • Set minion-action-cleanup run frequency from hourly to daily at midnight

susemanager-sls:
  • Update get_kernel_live_version module to support older Salt versions (bsc#1131490)
  • Update get_kernel_live_version module to support SLES 15 live patches
  • Do not configure Salt Mine in newly registered minions (bsc#1122837)
  • Fix Salt error related to remove_traditional_stack when bootstrapping an Ubuntu minion (bsc#1128724)
  • Automatically trust SUSE GPG key for client tools channels on Ubuntu systems
  • Util.systeminfo sls has been added to perform different actions at minion startup(bsc#1122381)

susemanager-sync-data:
  • Allow access to susemanager tools channels without res subscription (bsc#1127542)
  • Add Ubuntu product definitions
  • Adapt to SCC changes
  • Add CaaSP 4 Toolchain

xstream:
  • Update xstream to 1.4.10
  • Major changes:
  • CVE-2017-7957: XStream could cause a Denial of Service when unmarshalling void. (bsc#1070731)
  • New XStream artifact with -java7 appended as version suffix for a library explicitly without the Java 8 stuff (lambda expression support, converters for java.time.* package).
  • Improve performance by minimizing call stack of mapper chain.
  • XSTR-774: Add converters for types of java.time, java.time.chrono, and java.time.temporal packages (converters for LocalDate, LocalDateTime, LocalTime, OffsetDateTime, and ZonedDateTime by Matej Cimbora).
  • JavaBeanConverter does not respect ignored unknown elements.
  • Add XStream.setupDefaultSecurity to initialize security framework with defaults of XStream 1.5.x.
  • Emit error warning if security framework has not been initialized and the XStream instance is vulnerable to known exploits.
  • Feat: modify patch to be compatible with JDK 11 building
  • Fixes for SLE 15 compatibility

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Manager Server 3.2:
    zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2019-1006=1
  • SUSE Manager Proxy 3.2:
    zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2019-1006=1

Package List:

  • SUSE Manager Server 3.2 (ppc64le s390x x86_64):
    • reprepro-5.3.0-2.3.3
    • smdba-1.6.4-0.3.9.3
    • spacewalk-branding-2.8.5.15-3.19.3
    • susemanager-3.2.17-3.22.4
    • susemanager-tools-3.2.17-3.22.4
  • SUSE Manager Server 3.2 (noarch):
    • apache-commons-lang3-3.4-3.3.3
    • cobbler-2.6.6-6.16.3
    • drools-7.17.0-3.3.3
    • guava-27.0.1-3.3.3
    • jade4j-1.0.7-3.3.3
    • kie-api-7.17.0-3.3.3
    • kie-soup-7.17.0.Final-2.3.3
    • optaplanner-7.17.0-3.3.3
    • py26-compat-salt-2016.11.10-6.21.3
    • python2-spacewalk-certs-tools-2.8.8.7-3.6.3
    • spacecmd-2.8.25.10-3.20.3
    • spacewalk-admin-2.8.4.4-3.6.3
    • spacewalk-backend-2.8.57.14-3.25.3
    • spacewalk-backend-app-2.8.57.14-3.25.3
    • spacewalk-backend-applet-2.8.57.14-3.25.3
    • spacewalk-backend-config-files-2.8.57.14-3.25.3
    • spacewalk-backend-config-files-common-2.8.57.14-3.25.3
    • spacewalk-backend-config-files-tool-2.8.57.14-3.25.3
    • spacewalk-backend-iss-2.8.57.14-3.25.3
    • spacewalk-backend-iss-export-2.8.57.14-3.25.3
    • spacewalk-backend-libs-2.8.57.14-3.25.3
    • spacewalk-backend-package-push-server-2.8.57.14-3.25.3
    • spacewalk-backend-server-2.8.57.14-3.25.3
    • spacewalk-backend-sql-2.8.57.14-3.25.3
    • spacewalk-backend-sql-oracle-2.8.57.14-3.25.3
    • spacewalk-backend-sql-postgresql-2.8.57.14-3.25.3
    • spacewalk-backend-tools-2.8.57.14-3.25.3
    • spacewalk-backend-xml-export-libs-2.8.57.14-3.25.3
    • spacewalk-backend-xmlrpc-2.8.57.14-3.25.3
    • spacewalk-base-2.8.7.15-3.24.3
    • spacewalk-base-minimal-2.8.7.15-3.24.3
    • spacewalk-base-minimal-config-2.8.7.15-3.24.3
    • spacewalk-certs-tools-2.8.8.7-3.6.3
    • spacewalk-html-2.8.7.15-3.24.3
    • spacewalk-java-2.8.78.21-3.29.1
    • spacewalk-java-config-2.8.78.21-3.29.1
    • spacewalk-java-lib-2.8.78.21-3.29.1
    • spacewalk-java-oracle-2.8.78.21-3.29.1
    • spacewalk-java-postgresql-2.8.78.21-3.29.1
    • spacewalk-taskomatic-2.8.78.21-3.29.1
    • subscription-matcher-0.23-4.12.3
    • susemanager-schema-3.2.18-3.22.3
    • susemanager-sls-3.2.23-3.26.3
    • susemanager-sync-data-3.2.14-3.20.3
    • susemanager-web-libs-2.8.7.15-3.24.3
    • xstream-1.4.10-4.3.3
  • SUSE Manager Proxy 3.2 (noarch):
    • python2-spacewalk-certs-tools-2.8.8.7-3.6.3
    • spacewalk-backend-2.8.57.14-3.25.3
    • spacewalk-backend-libs-2.8.57.14-3.25.3
    • spacewalk-base-minimal-2.8.7.15-3.24.3
    • spacewalk-base-minimal-config-2.8.7.15-3.24.3
    • spacewalk-certs-tools-2.8.8.7-3.6.3
    • susemanager-web-libs-2.8.7.15-3.24.3

References: