Security Beta update for SUSE Manager Client Tools

Announcement ID: SUSE-SU-2021:3904-1
Rating: moderate
CVSS scores:
  • CVE-2021-21996 ( SUSE ): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
  • CVE-2021-21996 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Manager Client Tools Beta for Debian 9

An update that solves one vulnerability, contains one feature and has 26 security fixes can now be installed.

Description:

This update fixes the following issues:

salt:

  • Remove wrong _parse_cpe_name from grains.core
  • Prevent tracebacks if directory for cookie is missing
  • Fix file.find tracebacks with non-UTF-8 file names (bsc#1190114)
  • Fix ip6_interface grain to not leak secondary IPv4 aliases (bsc#1191412)
  • Do not consider skipped targets as failed for ansible.playbooks state (bsc#1190446)
  • Fix traceback.*_exc() calls
  • Fix the regression of docker_container state module
  • Support querying for JSON data in external sql pillar
  • Exclude the full path of a download URL to prevent injection of malicious code (bsc#1190265) (CVE-2021-21996)
  • Fix wrong relative paths resolution with Jinja renderer when importing subdirectories
  • Fix python-MarkupSafe dependency (bsc#1189043)
  • Add missing aarch64 to rpm package architectures
  • Consolidate some state requisites (bsc#1188641)
  • Fix failing unit test for systemd
  • Fix error handling in openscap module (bsc#1188647)
  • Better handling of bad public keys from minions (bsc#1189040)
  • Define license macro as doc in spec file if not existing
  • Add standalone formulas configuration for salt minion and remove salt-master requirement (bsc#1168327)
  • Do noop for services states when running systemd in offline mode (bsc#1187787)
  • Transactional_updates: do not execute states in parallel but use a queue (bsc#1188170)
  • Handle "master tops" data when states are applied by "transactional_update" (bsc#1187787)
  • Enhance openscap module: add "xccdf_eval" call
  • Virt: pass emulator when getting domain capabilities from libvirt
  • Implement held/unheld functions for the pkg state (bsc#1187813)
  • Fix exception in yumpkg.remove for a package that is not installed
  • Fix save for iptables state module (bsc#1185131)
  • Virt: use /dev/kvm to detect KVM
  • Zypperpkg: improve logic for handling vendorchange flags
  • Add bundled provides for tornado to the spec file
  • Enhance logging when inotify beacon is missing pyinotify (bsc#1186310)
  • Add "python3-pyinotify" as a recommended package for Salt in SUSE/openSUSE distros
  • Check if dpkgnotify is executable (bsc#1186674)
  • Detect Python version to use inside container (bsc#1167586) (bsc#1164192)
  • Handle volumes on stopped pools in virt.vm_info (bsc#1186287)
  • Grains.extra: support old non-intel kernels (bsc#1180650)
  • Fix missing minion returns in batch mode (bsc#1184659)
  • Parse the epoch out of the version provided during pkg remove (bsc#1173692)

scap-security-guide:

  • Fix SLE-12 build issue caused by '\xb0' character (bsc#1191431).
  • Updated to 0.1.58 release (jsc#ECO-3319)
  • Support for Script Checking Engine (SCE)
  • Split RHEL 8 CIS profile using new controls file format
  • CIS Profiles for SLE12
  • Initial Ubuntu 20.04 STIG Profiles
  • Addition of an automated CCE adder
  • Updated to 0.1.57 release (jsc#ECO-3319)
  • CIS profile for RHEL 7 is updated
  • Initial CIS profiles for Ubuntu 20.04
  • Major improvement of RHEL 9 content
  • New release process implemented using GitHub Actions
  • Specify the maintainer for deb packages.
  • Updated to 0.1.56 release (jsc#ECO-3319)
  • Align ism_o profile with latest ISM SSP (#6878)
  • Align RHEL 7 STIG profile with DISA STIG V3R3
  • Creating new RHEL 7 STIG GUI profile (#6863)
  • Creating new RHEL 8 STIG GUI profile (#6862)
  • Add the RHEL9 product (#6801)
  • Initial support for SUSE SLE-15 (#6666)
  • Add support for osbuild blueprint remediations (#6970)
  • Updated to an intermediate Git snapshot of 20210323 (jsc#ECO-3319)
  • Initial SLES 15 STIG added
  • More SLES 12 STIG work
  • Correct tables and cross references for SLES 12 and 15 STIG
  • Updated to 0.1.55 release (jsc#ECO-3319)
  • Big update of rules used in SLES-12 STIG profile
  • Render policy to HTML (#6532)
  • Add variable support to yamlfile_value template (#6563)
  • Introduce new template for dconf configuration files (#6118)
  • Avoid some macros that are not available on SLES 12 SP2.

spacecmd:

  • Version 4.3.4-1
  • Update translation strings
  • Version 4.3.3-1
  • Improved event history listing and added new system_eventdetails command to retrieve the details of an event
  • configchannel_updatefile handles directory properly (bsc#1190512)
  • Version 4.3.2-1
  • Add schedule_archivecompleted to mass archive actions (bsc#1181223)
  • Make schedule_deletearchived get all actions without a display limit
  • Allow passing a date limit for schedule_deletearchived on spacecmd (bsc#1181223)
  • Remove whoami from the list of unauthenticated commands (bsc#1188977)
  • Version 4.3.1-1
  • Use correct API endpoint in list_proxies (bsc#1188042)
  • Add schedule_deletearchived to bulk delete archived actions (bsc#1181223)
  • Make spacecmd aware of retracted patches/packages
  • Version 4.2.10-1
  • Enhance help for installation types when creating distributions (bsc#1186581)
  • Version 4.2.9-1
  • Parse an empty argument when there is nothing between the separators

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Manager Client Tools Beta for Debian 9
    zypper in -t patch SUSE-Debian-9.0-CLIENT-TOOLS-BETA-2021-3904=1

Package List:

  • SUSE Manager Client Tools Beta for Debian 9 (all)
    • salt-minion-3000+ds-1+2.18.1
    • spacecmd-4.3.4-2.18.1
    • scap-security-guide-debian-0.1.58-2.6.1
    • salt-common-3000+ds-1+2.18.1
