Security update for SUSE Manager Server 3.2

SUSE Security Update: Security update for SUSE Manager Server 3.2
Announcement ID: SUSE-SU-2019:2521-1
Rating: moderate
References: #1093381 #1096426 #1135957 #1137229 #1138454 #1140644 #1141661 #1142309 #1142764 #1142774 #1143016 #1143562 #1144500 #1144510 #1144515 #1144889 #1145086 #1145119 #1146416 #1146419 #1146869 #1146895 #1147126 #1149409
Cross-References: CVE-2019-10088 CVE-2019-10093 CVE-2019-10094
Affected Products:
  • SUSE Manager Server 3.2

An update that solves three vulnerabilities and has 21 fixes is now available.
This update fixes the following issues:

  • Jinja2 template library fix (bsc#1141661)

  • Allow dots in database name (bsc#1146416)

  • Get tornado dependency from the system on SLE12 (bsc#1149409)
  • Catch SSLError for TLS 1.2 bootstraps with RES/RHEL6 and SLE11 (bsc#1147126)

  • Check that a channel doesn't have clones before deleting it (bsc#1138454)

  • Remove credentials also from potential rhn.conf backup files in spacewalk-debug (bsc#1146419)
  • Do not let 'rhn-satellite-exporter' crash with "AttributeError" (bsc#1146869)
  • spacewalk-remove-channel: check that the channel doesn't have cloned channels before deleting it (bsc#1138454)
  • Prevent duplicate changelog entries caused by the VARCHAR(3000) database text column (bsc#1144889)
  • Avoid traceback on mgr-inter-sync when exception message contains UTF8 characters or there are problems with the package cache (bsc#1143016) registered guest (bsc#1093381)

  • Add missing strings for task status page

  • Invalidate the cache 5 minutes before the actual expiration (bsc#1143562)

  • Add UI message when salt-formulas system folders are unreachable (bsc#1142309)
  • Don't convert localhost repositories URL in mirror case (bsc#1135957)
  • Check that a channel doesn't have clones before deleting it (bsc#1138454)
  • Improve websocket authentication to prevent errors in logs (bsc#1138454)
  • Normalize date formats for actions, notifications and clm (bsc#1142774)
  • Cloning Errata from a specific channel should not take packages from other channels (bsc#1142764)
  • Add susemanager as prerequired for spacewalk-java
  • Improve performance for retrieving the user permissions on channels (bsc#1140644)
  • Prerequire the salt package to avoid issues with a non-existing user
  • Support partly patched CVEs in CVE audit (bsc#1137229)

  • Configure 150 Tomcat workers by default, matching httpd's MaxClients

  • Common-channels: Fix repo type assignment for type YUM
  • Add support for Ubuntu and Debian channels to spacewalk-common-channels

  • Fix the 'include recommended' button on channels selection in SSM (bsc#1145086)
  • Normalize date formats for actions, notifications and clm (bsc#1142774)
  • Add unsupported browser warning when using Internet Explorer

  • dmidecode does not exist on s390x (bsc#1145119)

  • Add a link to the creation of the bootstrap script (bsc#1146895)
  • Improve adoc tagging
  • LimitNOFILE back-port
  • Fix a command-line error (bsc#1096426)

  • Improve performance for retrieving the user permissions on channels (bsc#1140644)

  • Bootstrapping RES6/RHEL6/SLE11 with TLS 1.2 now shows an error message (bsc#1147126)
  • dmidecode does not exist on ppc64le and s390x (bsc#1145119)
  • Update susemanager.conf to use adler32 for computing the server_id for new minions

New upstream version 1.2.2, fixing the following security issues:
  • CVE-2019-10088: Fixed an out-of-memory condition triggered by a crafted zip file in Apache Tika's RecursiveParserWrapper (bsc#1144500).
  • CVE-2019-10093: Fixed a denial of service in Apache Tika's 2003ml and 2006ml parsers (bsc#1144510).
  • CVE-2019-10094: Fixed a stack overflow triggered by crafted compressed files in Apache Tika's RecursiveParserWrapper (bsc#1144515).

Patch Instructions:

To install this SUSE Security Update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Manager Server 3.2:
    zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2019-2521=1

Package List:

  • SUSE Manager Server 3.2 (ppc64le s390x x86_64):
    • spacewalk-branding-
    • susemanager-3.2.20-3.31.2
    • susemanager-tools-3.2.20-3.31.2
  • SUSE Manager Server 3.2 (noarch):
    • cobbler-2.6.6-6.22.1
    • pgjdbc-ng-0.7.1-2.6.1
    • py26-compat-salt-2016.11.10-6.32.1
    • python2-spacewalk-client-tools-
    • spacecmd-
    • spacewalk-backend-
    • spacewalk-backend-app-
    • spacewalk-backend-applet-
    • spacewalk-backend-config-files-
    • spacewalk-backend-config-files-common-
    • spacewalk-backend-config-files-tool-
    • spacewalk-backend-iss-
    • spacewalk-backend-iss-export-
    • spacewalk-backend-libs-
    • spacewalk-backend-package-push-server-
    • spacewalk-backend-server-
    • spacewalk-backend-sql-
    • spacewalk-backend-sql-oracle-
    • spacewalk-backend-sql-postgresql-
    • spacewalk-backend-tools-
    • spacewalk-backend-xml-export-libs-
    • spacewalk-backend-xmlrpc-
    • spacewalk-base-
    • spacewalk-base-minimal-
    • spacewalk-base-minimal-config-
    • spacewalk-client-tools-
    • spacewalk-html-
    • spacewalk-java-
    • spacewalk-java-config-
    • spacewalk-java-lib-
    • spacewalk-java-oracle-
    • spacewalk-java-postgresql-
    • spacewalk-setup-
    • spacewalk-taskomatic-
    • spacewalk-utils-
    • susemanager-advanced-topics_en-pdf-3.2-11.32.1
    • susemanager-best-practices_en-pdf-3.2-11.32.1
    • susemanager-docs_en-3.2-11.32.1
    • susemanager-getting-started_en-pdf-3.2-11.32.1
    • susemanager-jsp_en-3.2-11.32.1
    • susemanager-reference_en-pdf-3.2-11.32.1
    • susemanager-schema-3.2.21-3.31.1
    • susemanager-sls-3.2.27-3.35.1
    • susemanager-web-libs-
    • tika-core-1.22-3.9.1