Security update for SUSE Manager Server 4.0

SUSE Security Update: Security update for SUSE Manager Server 4.0
Announcement ID: SUSE-SU-2019:2930-1
Rating: moderate
References: #1133429 #1135442 #1136959 #1138358 #1138454 #1142309 #1142764 #1142774 #1143016 #1143562 #1143789 #1144300 #1144500 #1144510 #1144515 #1144889 #1145086 #1145119 #1145551 #1145587 #1145626 #1145744 #1145750 #1145753 #1145758 #1145769 #1145873 #1146416 #1146419 #1146683 #1146869 #1148169 #1149075 #1149210 #1149353 #1149409 #1149425 #1149633 #1150113 #1150154 #1150180 #1150314 #1150729 #1151097 #1151280 #1151399 #1151467 #1151481 #1151666 #1151875 #1152170 #1152290 #1152514 #1152735 #1153277 #1153578 #1154275 #1155656 #1155794
Cross-References: CVE-2019-10088 CVE-2019-10093 CVE-2019-10094
Affected Products:
  • SUSE Linux Enterprise Module for SUSE Manager Server 4.0

An update that solves three vulnerabilities and has 56 fixes is now available.

Description:

This update fixes the following issues:

cobbler:
  • Fix for install loop caused by autoinstallation profiles (bsc#1151875)
  • Update module config description to match new parameters
  • Add config migration script and run it in the post-install script
  • Fix for config backups in post install script (bsc#1149075)
  • Move apache config file cobbler.conf to the conf.d directory and remove the VirtualHost container, as it overwrites rules already set in conf.d
  • Realignment with Cobbler 3.0.0 release candidate.
  • Fix for typo in settings for scm_track module.
  • Optimization for settings loading in scm_track module.

cpu-mitigations-formula:
  • Fix grub entry changed for sle12* so it matches sle15* (bsc#1145873)

mgr-osad:
  • Obsolete all old python2-osa* packages to avoid conflicts (bsc#1152290)

patterns-suse-manager:
  • Add recommends for cpu-mitigations-formula

pgjdbc-ng:
  • Allow dots in database name (bsc#1146416)

prometheus-exporters-formula:
  • Allow configuring arbitrary arguments when running exporters
  • Add support for Debian/Ubuntu and Red Hat systems (RHEL/CentOS)
  • Install the LICENSE together with the package

py26-compat-salt:
  • Get tornado dependency from the system on SLE12 (bsc#1149409)

python-susemanager-retail:
  • Update to version 0.1.1568808472.be9f236
  • Parse partition type 82 as swap in SLEPOS migration (bsc#1136959)
  • Allow kernel command line for branches to be set as an option to retail_branch_init CLI
  • Automatically calculate dhcp dynamic range from branch ip if not set

python-urlgrabber:
  • Allow non-integer values for URLGRABBER_DEBUG env variable (bsc#1152514)
  • Fix usage of log level lookup for Python3 (bsc#1146683)

spacecmd:
  • Java API expects content as an encoded string instead of encoded bytes like before (bsc#1153277)
  • Fix building and installing on CentOS8/RES8/RHEL8
  • Check that a channel doesn't have clones before deleting it (bsc#1138454)

spacewalk-admin:
  • Avoid a "Permission denied" salt error when publisher_acl is set (bsc#1150154)

spacewalk-backend:
  • Fix re-registration with re-activation key (bsc#1154275)
  • Change the default value of taskomatic maxmemory to 4GB
  • Add basic support for importing modular repositories
  • Import additional fields for Deb packages
  • Add script to update additional fields in the DB for existing Deb packages
  • Use active values for diskchecker mails
  • Parse restart_suggested flag from patches and set it as keywords (bsc#1151467)
  • Improve error message when deleting channel that's in a content lifecycle project (bsc#1145769)
  • Prevent "reposync" crash when handling metadata on RPM repos (bsc#1138358)
  • Do not show expected WARNING messages from "c_rehash"
  • Fix misspelling in spacewalk-repo-sync (bsc#1149633)
  • Remove credentials also from potential rhn.conf backup files in spacewalk-debug (bsc#1146419)
  • Do not crash 'rhn-satellite-exporter' with ModuleNotFound error (bsc#1146869)
  • spacewalk-remove-channel: check that the channel doesn't have cloned channels before deleting it (bsc#1138454)
  • Fix broken spacewalk-data-fsck utility
  • Add '--latest' support for reposync on DEB based repositories
  • Do not try to download RPMs from the unresolved mirrorlist URL
  • Fix encoding issues with DB bytes values (bsc#1144300)
  • Fix import of rhnAuthPAM to avoid issues when using rhnpush.
  • Avoid traceback on mgr-inter-sync when there are problems with cache of packages (bsc#1143016)

spacewalk-branding:
  • Improve menu scrollbar style for firefox
  • Add UI message when salt-formulas system folders are unreachable (bsc#1142309)

spacewalk-certs-tools:
  • Require mgr-daemon (new name of spacewalksd) so that systems with spacewalksd always get the new package installed (bsc#1149353)

spacewalk-client-tools:
  • Require mgr-daemon (new name of spacewalksd) so that systems with spacewalksd always get the new package installed (bsc#1149353)
  • Enable spacewalk-update-service on package installation (bsc#1143789)
  • Invalidate cache 5 minutes before actual expiration (bsc#1143562)

spacewalk-config:
  • Change the default value of taskomatic maxmemory to 4GB
  • Resolve modules.yaml file for modular repositories

spacewalk-java:
  • Change the default value of taskomatic maxmemory to 4GB
  • Silence cache strategy Hibernate warning
  • Return result in a type compatible with the one defined in the database procedure (bsc#1150729)
  • Allow channels names to start with numbers
  • Fix: handle special deb package names (bsc#1150113)
  • Remove extra spaces in dependencies fields in Debian repo Packages file (bsc#1145551)
  • Allow monitoring for managed systems running Ubuntu 18.04 and RedHat 6/7
  • Improve performance for 'Manage Software Channels' view (bsc#1151399)
  • Import additional fields for Deb packages
  • Use value from systemd unit file if not set in /etc/rhn/rhn.conf
  • Implement "keyword" filter for Content Lifecycle Management
  • Add support for Azure, Amazon EC2, and Google Compute Engine as Virtual Host Manager.
  • Allow ssl connections from Tomcat to Postgres (bsc#1149210)
  • Use default in case taskomatic.java.maxmemory is unset
  • Fix parsing of /etc/rhn/rhn.conf for taskomatic.java.maxmemory (bsc#1151097)
  • Change form order and change project creation message (bsc#1145744)
  • Use 'SCC organization credentials' instead of 'SCC credentials' in error message (bsc#1149425)
  • Implement "regular expression" Filter for Content Lifecycle Management matching package names, patch name, patch synopsis and package names in patches
  • Implement provisioning for salt clients
  • Explicitly mention in API docs that to preserve LF/CR, the user needs to encode the data (bsc#1135442)
  • New Single Page Application engine for the UI. It can be enabled with the config 'web.spa.enable' set to true
  • Check that a channel doesn't have clones before deleting it (bsc#1138454)
  • Fix documentation of contentmanagement handler (bsc#1145753)
  • Add new API endpoint to list available Filter Criteria
  • Improve API documentation of Filter Criteria
  • Implement "patch contains package" Filter for Content Lifecycle Management
  • Implement patch "by type" Filter for Content Lifecycle Management
  • Improve websocket authentication to prevent errors in logs (bsc#1138454)
  • Implement filtering errata by synopsis in Content Lifecycle Management
  • Normalize date formats for actions, notifications and clm (bsc#1142774)
  • Implement ALLOW filters in Content Lifecycle Management
  • Implement "by date" Filter for Content Lifecycle Management
  • UI render without error if salt-formulas system folders are unreachable (bsc#1142309)
  • Cloning Errata from a specific channel should not take packages from other channels (bsc#1142764)
  • Add susemanager as prerequired for spacewalk-java

spacewalk-setup:
  • Fix cobbler authentication module configuration required for new cobbler package
  • Configure 150 Tomcat workers by default, matching httpd's MaxClients

spacewalk-utils:
  • Add FQDN resolver for spacewalk-manage-channel-lifecycle (bsc#1153578)
  • Common-channels: Fix repo type assignment for type YUM

spacewalk-web:
  • Redirect to project when canceling creating a filter (bsc#1145750)
  • Better visualization of the filters attached to a CLM Project. Allow/deny are now split
  • Fix ui issues with content lifecycle project list page (bsc#1145587)
  • Implement "keyword" filter for Content Lifecycle Management
  • Enable Azure, Amazon EC2 and Google Compute Engine as available Virtual host Managers
  • Trim strings when creating/updating image stores/profiles (bsc#1133429)
  • Show loading spin while loading salt keys data (bsc#1150180)
  • CLM - Disable clones by default of the shown CLM Project sources
  • Change form order and change project creation message (bsc#1145744)
  • Add UI message when salt-formulas system folders are unreachable (bsc#1142309)
  • Implement "regular expression" Filter for Content Lifecycle Management matching package names, patch name, patch synopsis and package names in patches
  • New Single Page Application engine for the UI. It can be enabled with the config 'web.spa.enable' set to true
  • Add environment label when deleting environment (bsc#1145758)
  • Change color of disabled build button on clp page (bsc#1145626)
  • Fix the 'include recommended' button on channels selection in SSM (bsc#1145086)
  • Implement "patch contains package" Filter for Content Lifecycle Management
  • Implement patch "by type" Filter for Content Lifecycle Management
  • Implement filtering errata by synopsis in Content Lifecycle Management
  • Normalize date formats for actions, notifications and clm (bsc#1142774)
  • Implement ALLOW filters in Content Lifecycle Management
  • Implement "by date" Filter for Content Lifecycle Management

susemanager:
  • Require dmidecode only for SLE12 aarch64 and x86_64 (bsc#1152170)
  • Require pmtools only for SLE11 i586 and x86_64 (bsc#1150314)
  • Fix test for btrfs subvolume for new btrfs version (bsc#1151666)
  • Ensure working directory is /root during setup (bsc#1148169)
  • Dmidecode does not exist on s390x (bsc#1145119)

susemanager-docs_en:
  • Update text and images (mu-4.0.3); many changes caused by Technical and Content Reviews.
  • Added partition permissions to Install Guide (bsc#1152735)
  • Move Disconnected Setup from Client Config to Admin Guide
  • Updated references to documentation.suse.com (was: www.suse.com/documentation)
  • Increase default value for taskomatic to 4GB
  • Registering to proxy information in Install Guide
  • Edits to Prometheus section in Admin Guide
  • Update database migration section in Upgrade Guide
  • Update server update, upgrade, and migration chapters in Upgrade Guide
  • Update server installation and setup chapters
  • Update proxy installation and setup chapters
  • Add section about maintenance window in Admin Guide
  • Update Kubernetes chapter
  • Admin Guide: ISS: Adapt the CA path to correspond to SLES 15.1
  • Update image management
  • Update channel management screenshot in Reference
  • Update CLM
  • Provide basic documentation on foreign clients
  • Update info on mgr-sync
  • New images added to Retail Guide
  • Minor edits in Salt Guide
  • Improvements to Troubleshooting section in Admin Guide
  • Removed reference to SLP in Install Guide
  • Minor edits to SSM in Client Config Guide

susemanager-schema:
  • Fix in schema migration script when recreating the 'suseUserRoleView' (bsc#1151280)
  • Fix: handle special deb package names (bsc#1150113)
  • Refactor in suseChannelUserRoleView for retrieving the parent_channel_id (bsc#1151399)
  • Add tables rhnPackageExtraTag and rhnPackageExtraTagKey
  • Allow monitoring for Ubuntu systems
  • Add new types needed for Azure, Amazon EC2 and Google CE
  • Enable provisioning for salt clients
  • Allow package changelog entries with more than 3000 characters (bsc#1144889)

susemanager-sls:
  • Require pmtools only for SLE11 i586 and x86_64 (bsc#1150314)
  • Introduce dnf-susemanager-plugin for RHEL8 minions
  • Provide custom grain to report "instance id" when running on Public Cloud instances
  • Disable legacy startup events for new minions
  • Implement provisioning for salt clients
  • Dmidecode does not exist on ppc64le and s390x (bsc#1145119)
  • Update susemanager.conf to use adler32 for computing the server_id for new minions
  • Do not show errors when polling internal metadata API (bsc#1155794)
  • Add missing "public_cloud" custom grain (bsc#1155656)

susemanager-sync-data:
  • Ubuntu repositories released

tika-core:
  • New upstream version 1.2.2. Fixes:
    • OOM from a crafted Zip File in Apache Tika's RecursiveParserWrapper (CVE-2019-10088) (bsc#1144500)
    • Denial of Service in Apache Tika's 2003ml and 2006ml Parsers (CVE-2019-10093) (bsc#1144510)
    • StackOverflow from Crafted Package/Compressed Files in Apache Tika's RecursiveParserWrapper (CVE-2019-10094) (bsc#1144515)

virtual-host-gatherer:
  • Add new modules to deal with Amazon EC2, Azure and Google Compute

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Module for SUSE Manager Server 4.0:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2019-2930=1

Package List:

  • SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64):
    • patterns-suma_retail-4.0-9.3.8
    • patterns-suma_server-4.0-9.3.8
    • spacewalk-branding-4.0.14-3.6.8
    • susemanager-4.0.17-3.6.9
    • susemanager-tools-4.0.17-3.6.9
  • SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):
    • cobbler-3.0.0+git20190806.32c4bae0-7.3.7
    • cpu-mitigations-formula-0.1-4.6.7
    • mgr-osa-dispatcher-4.0.10-3.6.8
    • pgjdbc-ng-0.7.1-3.3.8
    • prometheus-exporters-formula-0.4-3.3.7
    • pxe-default-image-sle15-4.0.0-20191106084601
    • py26-compat-salt-2016.11.10-10.8.8
    • python3-mgr-osa-common-4.0.10-3.6.8
    • python3-mgr-osa-dispatcher-4.0.10-3.6.8
    • python3-spacewalk-backend-libs-4.0.27-3.13.9
    • python3-spacewalk-certs-tools-4.0.12-3.6.8
    • python3-spacewalk-client-tools-4.0.10-3.6.8
    • python3-susemanager-retail-1.0.1568808472.be9f236-3.6.7
    • python3-urlgrabber-3.10.2.1py2_3-6.22.6
    • spacecmd-4.0.16-3.6.7
    • spacewalk-admin-4.0.8-3.3.8
    • spacewalk-backend-4.0.27-3.13.9
    • spacewalk-backend-app-4.0.27-3.13.9
    • spacewalk-backend-applet-4.0.27-3.13.9
    • spacewalk-backend-config-files-4.0.27-3.13.9
    • spacewalk-backend-config-files-common-4.0.27-3.13.9
    • spacewalk-backend-config-files-tool-4.0.27-3.13.9
    • spacewalk-backend-iss-4.0.27-3.13.9
    • spacewalk-backend-iss-export-4.0.27-3.13.9
    • spacewalk-backend-package-push-server-4.0.27-3.13.9
    • spacewalk-backend-server-4.0.27-3.13.9
    • spacewalk-backend-sql-4.0.27-3.13.9
    • spacewalk-backend-sql-postgresql-4.0.27-3.13.9
    • spacewalk-backend-tools-4.0.27-3.13.9
    • spacewalk-backend-xml-export-libs-4.0.27-3.13.9
    • spacewalk-backend-xmlrpc-4.0.27-3.13.9
    • spacewalk-base-4.0.16-3.9.8
    • spacewalk-base-minimal-4.0.16-3.9.8
    • spacewalk-base-minimal-config-4.0.16-3.9.8
    • spacewalk-certs-tools-4.0.12-3.6.8
    • spacewalk-client-tools-4.0.10-3.6.8
    • spacewalk-config-4.0.13-3.3.7
    • spacewalk-html-4.0.16-3.9.8
    • spacewalk-java-4.0.25-3.10.5
    • spacewalk-java-config-4.0.25-3.10.5
    • spacewalk-java-lib-4.0.25-3.10.5
    • spacewalk-java-postgresql-4.0.25-3.10.5
    • spacewalk-setup-4.0.11-3.6.7
    • spacewalk-taskomatic-4.0.25-3.10.5
    • spacewalk-utils-4.0.13-3.6.8
    • susemanager-doc-indexes-4.0-10.9.8
    • susemanager-docs_en-4.0-10.9.7
    • susemanager-docs_en-pdf-4.0-10.9.7
    • susemanager-retail-tools-1.0.1568808472.be9f236-3.6.7
    • susemanager-schema-4.0.16-3.8.5
    • susemanager-sls-4.0.22-3.10.4
    • susemanager-sync-data-4.0.13-3.6.7
    • susemanager-web-libs-4.0.16-3.9.8
    • tika-core-1.22-3.3.7
    • virtual-host-gatherer-1.0.19-3.3.8
    • virtual-host-gatherer-Kubernetes-1.0.19-3.3.8
    • virtual-host-gatherer-VMware-1.0.19-3.3.8
    • virtual-host-gatherer-libcloud-1.0.19-3.3.8
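
The package list above gives the exact NAME-VERSION-RELEASE strings that a patched host must carry. The following script is an added example, not part of this SUSE advisory or of any SUSE tooling: it embeds a subset of the advisory's package list together with a constructed sample of `rpm -qa` output, re-implements rpm's version ordering (the `rpmvercmp` function, and the `check_host` and `live_rpm_qa` helper names, are assumptions of this example), and reports per package whether the host is at or above the fixed version, below it, or does not have the package at all.

```python
"""Compare a host's installed RPMs against the package list of SUSE-SU-2019:2930-1.

Added example, not part of the SUSE advisory. Version ordering follows rpm's
rpmvercmp(): numeric segments compare as integers, alphabetic segments compare
lexically, a numeric segment beats an alphabetic one, and '~' sorts before
anything (so 1.0~rc1 < 1.0). Separators such as '.' and '_' are skipped.
"""
import subprocess
from typing import Dict, Tuple

# Subset of the advisory's noarch package list, copied from the page.
ADVISORY_PACKAGES = """
spacewalk-java-4.0.25-3.10.5
spacewalk-backend-4.0.27-3.13.9
susemanager-schema-4.0.16-3.8.5
tika-core-1.22-3.3.7
python3-urlgrabber-3.10.2.1py2_3-6.22.6
"""

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# from a host that has only partly applied the update.
SAMPLE_RPM_QA = """
spacewalk-java-4.0.24-3.9.2
spacewalk-backend-4.0.27-3.13.9
susemanager-schema-4.0.16-3.8.5
tika-core-1.21-3.2.1
glibc-2.26-13.30.1
"""


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b, like rpm's rpmvercmp()."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators; only alphanumerics and '~' take part in the comparison.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            # '~' is older than everything, including the end of the string.
            if not tilde_a:
                return 1
            if not tilde_b:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        is_num = a[i].isdigit()
        same_kind = str.isdigit if is_num else str.isalpha
        start_a, start_b = i, j
        while i < len(a) and same_kind(a[i]):
            i += 1
        while j < len(b) and same_kind(b[j]):
            j += 1
        seg_a, seg_b = a[start_a:i], b[start_b:j]
        if not seg_b:
            # Segment kinds differ: the numeric side is the newer one.
            return 1 if is_num else -1
        if is_num:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split NAME-VERSION-RELEASE; rpm forbids '-' in version and release."""
    name, version, release = nvr.strip().rsplit("-", 2)
    return name, version, release


def evr_cmp(installed: Tuple[str, str], required: Tuple[str, str]) -> int:
    """Compare (version, release) pairs; version decides, release breaks ties."""
    by_version = rpmvercmp(installed[0], required[0])
    return by_version if by_version else rpmvercmp(installed[1], required[1])


def check_host(rpm_qa_output: str, advisory_list: str) -> Dict[str, str]:
    """Map each advisory package to 'patched', 'outdated' or 'not installed'."""
    installed = {}
    for line in rpm_qa_output.split():
        name, version, release = parse_nvr(line)
        installed[name] = (version, release)
    status = {}
    for line in advisory_list.split():
        name, version, release = parse_nvr(line)
        if name not in installed:
            status[name] = "not installed"
        elif evr_cmp(installed[name], (version, release)) >= 0:
            status[name] = "patched"
        else:
            status[name] = "outdated"
    return status


def live_rpm_qa() -> str:
    """Query the local rpm database (assumes rpm is present on this host)."""
    cmd = ["rpm", "-qa", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for name, state in sorted(check_host(SAMPLE_RPM_QA, ADVISORY_PACKAGES).items()):
        print(f"{name:40} {state}")
```

Replace `SAMPLE_RPM_QA` with `live_rpm_qa()` to run it against a real SUSE Manager Server; a host that already received a later update reports "patched" because its NVR sorts above the advisory's, which is the intended reading. This is a cross-check for fleet reporting, not a replacement for `zypper list-patches`, which also sees the patch metadata itself.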

References: