Security update for SUSE Manager 4.0

Announcement ID:	SUSE-SU-2020:3250-1
Rating:	critical
References:	bsc#1178319 bsc#1178361 bsc#1178362
Cross-References:	CVE-2020-16846 CVE-2020-17490 CVE-2020-25592
CVSS scores:	CVE-2020-16846 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-16846 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-17490 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-17490 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-25592 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-25592 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Manager Server 4.0 SUSE Manager Server 4.0 Module 4.0

An update that solves three vulnerabilities can now be installed.

Description:

This security update for SUSE Manager 4.0 provides the following fixes:

py26-compat-salt:

Properly validate eauth credentials and tokens on SSH calls made by Salt API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592, CVE-2020-17490, CVE-2020-16846)

spacewalk-java:

Use correct eauth module and credentials for Salt SSH calls. (bsc#1178319, CVE-2020-25592)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE Manager Server 4.0 Module 4.0
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2020-3250=1

Package List:

SUSE Manager Server 4.0 Module 4.0 (noarch)
- spacewalk-java-lib-4.0.39-3.45.1
- spacewalk-java-config-4.0.39-3.45.1
- py26-compat-salt-2016.11.10-10.17.1
- spacewalk-java-postgresql-4.0.39-3.45.1
- spacewalk-java-4.0.39-3.45.1
- spacewalk-taskomatic-4.0.39-3.45.1

Security update for SUSE Manager 4.0

Description:

Patch Instructions:

Package List:

References: