Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

Announcement ID: SUSE-SU-2023:4737-1
Rating: important
CVSS scores:
  • CVE-2023-22644 ( NVD ): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Affected Products:
  • openSUSE Leap 15.4
  • openSUSE Leap 15.5
  • Public Cloud Module 15-SP4
  • Public Cloud Module 15-SP5
  • SUSE Linux Enterprise High Performance Computing 15 SP4
  • SUSE Linux Enterprise High Performance Computing 15 SP5
  • SUSE Linux Enterprise Server 15 SP4
  • SUSE Linux Enterprise Server 15 SP5
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4
  • SUSE Linux Enterprise Server for SAP Applications 15 SP5
  • SUSE Manager Proxy 4.3
  • SUSE Manager Proxy 4.3 Module 4.3
  • SUSE Manager Retail Branch Server 4.3
  • SUSE Manager Server 4.3
  • SUSE Manager Server 4.3 Module 4.3

An update that solves one vulnerability, contains two features and has 30 security fixes can now be installed.

Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3

Description:

This update fixes the following issues:

spacecmd:

  • Version 4.3.25-1
  • Update translation strings

spacewalk-backend:

  • Version 4.3.25-1
  • Use the new apache2-mod_wsgi package name
  • Set stricter file permissions for config file
  • Add table statistics and options to the support config database output
  • Add CLM data collection to spacewalk-debug

spacewalk-client-tools:

  • Version 4.3.17-1
  • Update translation strings

spacewalk-proxy:

  • Version 4.3.17-1
  • Use the new apache2-mod_wsgi package name

spacewalk-web:

  • Version 4.3.36-1
  • Safeguard request URLs against tampering (bsc#1216754)
  • Improve datetimepicker input formatting
  • Improve logging to better capture third-party library issues
  • Simplify and modernize password generation logic
  • Update webpack to 5.88.2
  • Handle new message from subscription-matcher (bsc#1216506)
  • Add sanity checks for FQDNs in proxy configuration dialog
  • Add option to filter packages by build time in CLM (jsc#SUMA-282)

susemanager-tftpsync-recv:

  • Version 4.3.9-1
  • Use the new apache2-mod_wsgi package name
  • Build with Python 3 and clean up references to Python 2

How to apply this update:

  1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
  2. Stop the proxy service: spacewalk-proxy stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: spacewalk-proxy start

Security update for SUSE Manager Server 4.3

Description:

This update fixes the following issues:

billing-data-service:

  • Version 4.3.2-1
  • Relax dependency to csp-billing-adapter-service

inter-server-sync:

  • Version 0.3.1
  • Require at least Go 1.20 for building SUSE packages

spacecmd:

  • Version 4.3.25-1
  • Update translation strings

spacewalk-backend:

  • Version 4.3.25-1
  • Use the new apache2-mod_wsgi package name
  • Set stricter file permissions for config file
  • Add table statistics and options to the support config database output
  • Add CLM data collection to spacewalk-debug

spacewalk-client-tools:

  • Version 4.3.17-1
  • Update translation strings

spacewalk-java:

  • Version 4.3.69-1
  • Security fixes:
    • CVE-2023-22644: Sanitize token before logging it (bsc#1210930)
    • CVE-2023-22644: Fix permissions for logfiles (bsc#1210928)
    • CVE-2023-22644: Log potentially sensitive information only in debug mode (bsc#1210928)
  • Non-security fixes:
    • Include in API response reboot_suggested and restart_suggested booleans
    • Fix filter ID comparison when attaching filters to a CLM project (bsc#1215949)
    • Fix validation of lists with empty defaults in formulas (bsc#1216555)
    • Safeguard request URLs against tampering (bsc#1216754)
    • Improve logging to better capture third-party library issues
    • Fix issue of non-installed package listed as errata package update candidates (bsc#1212904)
    • Fix issue with reporting database query pagination
    • Update tomcat jars to version greater than 9.0.75
    • Fix notification messages email content (bsc#1216041)
    • Look for the PAYG CA certificate location in different order to find and import the correct one (bsc#1214759)
    • Add salt-api socket timeout to abort stuck taskomatic jobs (bsc#1211649)
    • Fix SUSE Linux Enterprise Micro PAYG detection
    • Wait for lock to execute SCC sync task (bsc#1216030)
    • Fix url pointing to SCC (bsc#1216690)
    • Prevent download when a PAYG Server is not compliant
    • Fix system.provisionSystem xmlrpc endpoint to calculate host properly (bsc#1215209)
    • Include "uuid" as system search xmlrpc results (bsc#1216380)
    • Prevent losing Remote Command action result if returned JSON cannot be parsed
    • Add PAYG info to UI and rest API
    • Add management restrictions to SUMA PAYG when dealing with BYOS instances when no SCC credentials are set
    • Fix issue where bad SCC credentials were preventing other credentials from refreshing (bsc#1211355)
    • Fix conversion to string if branchid is numeric in PXEEvent
    • Fix token validation for shared (public) child channels (bsc#1216128)
    • Prevent NullPointerException in updateSystemInfo (bsc#1217224)
    • Update SCC REST call to register systems in bulk
    • Enhance hardware data sent to SCC by memory
    • Fix FQDN machine name mapping on proxy configuration
    • Fix NullPointerException when creating PXE config for an unmanaged profile (bsc#1217223)
    • Add option to filter packages by build time in CLM (jsc#SUMA-282)
    • Consider server id when removing invalid erratas from rhnSet (bsc#1204235,bsc#1207012,bsc#1211560)
    • Fix createSystemRecord XML-RPC API call so the Cobbler UID is persisted (bsc#1207532)

spacewalk-search:

  • Version 4.3.10-1
  • Include "uuid" as system search result attribute (bsc#1216380)

spacewalk-web:

  • Version 4.3.36-1
  • Safeguard request URLs against tampering (bsc#1216754)
  • Improve datetimepicker input formatting
  • Improve logging to better capture third-party library issues
  • Simplify and modernize password generation logic
  • Update webpack to 5.88.2
  • Handle new message from subscription-matcher (bsc#1216506)
  • Add sanity checks for FQDNs in proxy configuration dialog
  • Add option to filter packages by build time in CLM (jsc#SUMA-282)

subscription-matcher:

  • Version 0.33
  • Added missing part numbers (bsc#1216506)
  • Ignore subscriptions without any associated products (bsc#1216506)
  • Update Guava to version 32.0

susemanager:

  • Version 4.3.33-1
  • Add bootstrap repository data for SUSE Linux Enterprise Micro 5.5 (bsc#1217038)

susemanager-docs_en:

  • Add SUSE Liberty Linux versions 7 and 8 to the supported features matrix in the Client Configuration Guide
  • Add support for SUSE Linux Enterprise Micro 5.5 and openSUSE Leap Micro 5.5 clients to the Installation and Upgrade Guide, and to the Client Configuration Guide
  • Update Twitter handle reference in documentation user interface
  • Update feature table and add legend in the Configuration Management section of the Client Configuration Guide
  • Fix parameter name in the Register clients section of the Client Configuration Guide
  • Fix links to HTML output of SUSE Linux Enterprise Server 15 SP4 documentation
  • Add note about using short hostname in the Quick Start: SAP guide (bsc#1212695)
  • Mention the option to install Prometheus on Retail branch servers (bsc#1191143)
  • Fix link loop and clarify some server upgrade description details in the Installation and Upgrade Guide (bsc#1214471)
  • SUSE Manager 4.3 is based on SUSE Linux Enterprise 15 SP4; update the installation procedure (bsc#1213469)

susemanager-schema:

  • Version 4.3.22-1
  • Drop special versioned schema files
  • Add unique index for rhnpackagechangelogdata table

susemanager-sls:

  • Version 4.3.37-1
  • Disable dnf_rhui_plugin as it breaks our susemanagerplugin (bsc#1214601)
  • Fix susemanagerplugin to not overwrite header fields set by other plugins
  • Let the DNF plugin log when a token was set
  • Retry loading of pillars from DB on connection error (bsc#1214186)
  • Recognize squashfs build results from KIWI (bsc#1216085)

susemanager-sync-data:

  • Version 4.3.14-1
  • SUSE Linux Enterprise 15 SP4 Long Term Service Pack Support (LTSS)
  • Extended Service Pack Overlay Support (ESPOS) for High Performance Computing 15 SP5
  • Long Term Service Pack Support (LTSS) for High Performance Computing 15 SP5
  • Update Open Enterprise Server to 2023.4 (bsc#1215514)

uyuni-reportdb-schema:

  • Version 4.3.8-1
  • Provide reportdb upgrade schema path structure

How to apply this update:

  1. Log in as root user to the SUSE Manager Server.
  2. Stop the Spacewalk service: spacewalk-service stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: spacewalk-service start

Recommended update for apache2-mod_wsgi

Description:

This update fixes the following issues:

apache2-mod_wsgi:

  • Ensure the binaries are included in SUSE Manager Server

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4
    zypper in -t patch SUSE-2023-4737=1 openSUSE-SLE-15.4-2023-4737=1
  • openSUSE Leap 15.5
    zypper in -t patch openSUSE-SLE-15.5-2023-4737=1
  • Public Cloud Module 15-SP4
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2023-4737=1
  • Public Cloud Module 15-SP5
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP5-2023-4737=1
  • SUSE Manager Proxy 4.3 Module 4.3
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2023-4737=1
  • SUSE Manager Server 4.3 Module 4.3
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2023-4737=1

Package List:

  • openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
    • apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
    • apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
    • apache2-mod_wsgi-4.7.1-150400.3.9.4
  • openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    • apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
    • apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
    • apache2-mod_wsgi-4.7.1-150400.3.9.4
  • Public Cloud Module 15-SP4 (aarch64 ppc64le s390x x86_64)
    • apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
    • apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
    • apache2-mod_wsgi-4.7.1-150400.3.9.4
  • Public Cloud Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    • apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
    • apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
    • apache2-mod_wsgi-4.7.1-150400.3.9.4
  • SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
    • apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
    • apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
    • apache2-mod_wsgi-4.7.1-150400.3.9.4
  • SUSE Manager Proxy 4.3 Module 4.3 (noarch)
    • python3-spacewalk-client-tools-4.3.17-150400.3.21.6
    • susemanager-tftpsync-recv-4.3.9-150400.3.9.5
    • spacewalk-proxy-salt-4.3.17-150400.3.23.5
    • spacecmd-4.3.25-150400.3.30.5
    • python3-spacewalk-check-4.3.17-150400.3.21.6
    • spacewalk-proxy-management-4.3.17-150400.3.23.5
    • spacewalk-proxy-broker-4.3.17-150400.3.23.5
    • spacewalk-proxy-common-4.3.17-150400.3.23.5
    • spacewalk-check-4.3.17-150400.3.21.6
    • spacewalk-proxy-redirect-4.3.17-150400.3.23.5
    • spacewalk-base-minimal-4.3.36-150400.3.36.7
    • spacewalk-backend-4.3.25-150400.3.33.7
    • python3-spacewalk-client-setup-4.3.17-150400.3.21.6
    • spacewalk-client-tools-4.3.17-150400.3.21.6
    • spacewalk-proxy-package-manager-4.3.17-150400.3.23.5
    • spacewalk-base-minimal-config-4.3.36-150400.3.36.7
    • spacewalk-client-setup-4.3.17-150400.3.21.6
  • SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
    • apache2-mod_wsgi-debugsource-4.7.1-150400.3.9.4
    • inter-server-sync-debuginfo-0.3.1-150400.3.24.5
    • apache2-mod_wsgi-4.7.1-150400.3.9.4
    • susemanager-4.3.33-150400.3.42.4
    • inter-server-sync-0.3.1-150400.3.24.5
    • apache2-mod_wsgi-debuginfo-4.7.1-150400.3.9.4
    • susemanager-tools-4.3.33-150400.3.42.4
  • SUSE Manager Server 4.3 Module 4.3 (noarch)
    • uyuni-config-modules-4.3.37-150400.3.37.5
    • spacewalk-search-4.3.10-150400.3.15.4
    • spacecmd-4.3.25-150400.3.30.5
    • spacewalk-backend-iss-4.3.25-150400.3.33.7
    • spacewalk-java-config-4.3.69-150400.3.69.5
    • susemanager-sync-data-4.3.14-150400.3.17.5
    • spacewalk-backend-tools-4.3.25-150400.3.33.7
    • spacewalk-java-lib-4.3.69-150400.3.69.5
    • spacewalk-backend-package-push-server-4.3.25-150400.3.33.7
    • spacewalk-html-4.3.36-150400.3.36.7
    • subscription-matcher-0.33-150400.3.16.3
    • billing-data-service-4.3.2-150400.10.12.5
    • python3-spacewalk-client-tools-4.3.17-150400.3.21.6
    • spacewalk-java-4.3.69-150400.3.69.5
    • spacewalk-backend-config-files-common-4.3.25-150400.3.33.7
    • uyuni-reportdb-schema-4.3.8-150400.3.9.6
    • spacewalk-base-minimal-4.3.36-150400.3.36.7
    • spacewalk-java-postgresql-4.3.69-150400.3.69.5
    • spacewalk-backend-4.3.25-150400.3.33.7
    • spacewalk-backend-app-4.3.25-150400.3.33.7
    • spacewalk-client-tools-4.3.17-150400.3.21.6
    • spacewalk-base-4.3.36-150400.3.36.7
    • spacewalk-taskomatic-4.3.69-150400.3.69.5
    • susemanager-sls-4.3.37-150400.3.37.5
    • spacewalk-backend-iss-export-4.3.25-150400.3.33.7
    • susemanager-schema-utility-4.3.22-150400.3.30.5
    • spacewalk-backend-applet-4.3.25-150400.3.33.7
    • spacewalk-backend-config-files-tool-4.3.25-150400.3.33.7
    • spacewalk-backend-xml-export-libs-4.3.25-150400.3.33.7
    • spacewalk-backend-xmlrpc-4.3.25-150400.3.33.7
    • susemanager-docs_en-pdf-4.3-150400.9.50.5
    • spacewalk-backend-sql-4.3.25-150400.3.33.7
    • spacewalk-backend-server-4.3.25-150400.3.33.7
    • susemanager-docs_en-4.3-150400.9.50.5
    • susemanager-schema-4.3.22-150400.3.30.5
    • spacewalk-backend-config-files-4.3.25-150400.3.33.7
    • spacewalk-backend-sql-postgresql-4.3.25-150400.3.33.7
    • spacewalk-base-minimal-config-4.3.36-150400.3.36.7
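
A post-patch check for a SUSE Manager Server, as an added example that is not part of the advisory or of SUSE's tooling: it compares installed package versions with the versions listed above for four packages. The function names, the sample input and the older spacewalk-java version in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SUSE tooling. Checks installed versions against the
# versions shipped by this advisory (taken from the Package List above).
ADVISORY_VERSIONS='spacewalk-java 4.3.69-150400.3.69.5
spacewalk-backend 4.3.25-150400.3.33.7
spacewalk-base-minimal 4.3.36-150400.3.36.7
apache2-mod_wsgi 4.7.1-150400.3.9.4'

# Constructed sample of "name version-release" lines, the format printed by
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <package>...
# The spacewalk-java version here is made up to show an unpatched server.
SAMPLE_INSTALLED='spacewalk-java 4.3.68-150400.3.66.1
spacewalk-backend 4.3.25-150400.3.33.7
spacewalk-base-minimal 4.3.36-150400.3.36.7'

# version_ge HAVE WANT: succeeds if HAVE >= WANT. Uses GNU sort -V, which
# approximates rpm's version ordering and is adequate for numeric versions.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_installed TEXT: prints one status line per advisory package and
# fails if any installed package is older than the advisory version.
# Packages that are not installed are reported but do not cause a failure.
check_installed() {
    rc=0
    while read -r name want; do
        have=$(printf '%s\n' "$1" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "NOT-INSTALLED $name"
        elif version_ge "$have" "$want"; then
            echo "OK            $name $have"
        else
            echo "OUTDATED      $name $have (advisory ships $want)"
            rc=1
        fi
    done <<EOF
$ADVISORY_VERSIONS
EOF
    return "$rc"
}

check_installed "$SAMPLE_INSTALLED" || echo "update not fully applied"
```

On a real server, pass the output of the rpm query shown in the comment instead of the sample text.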
