Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

Announcement ID: SUSE-SU-2024:1507-1
Rating: moderate
CVSS scores:
  • CVE-2023-51775 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE Manager Proxy 4.3
  • SUSE Manager Proxy 4.3 Module 4.3
  • SUSE Manager Retail Branch Server 4.3
  • SUSE Manager Server 4.3
  • SUSE Manager Server 4.3 Module 4.3

An update that solves one vulnerability, contains one feature and has 32 security fixes can now be installed.

Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3

Description:

This update fixes the following issues:

mgr-daemon:

  • Version 4.3.9-0
  • Update translation strings

spacecmd:

  • Version 4.3.27-0
  • Update translation strings

spacewalk-backend:

  • Version 4.3.28-0
  • Strip whitespace from .deb package metadata (bsc#1214387)
  • Fix inserting NULL into some columns during ISSv1 sync (bsc#1220980)
  • Add support for package signature type V4 RSA/SHA512 (bsc#1221465)
  • Unquote HTML-encoded credentials before synchronizing repositories (bsc#1217204)

spacewalk-certs-tools:

  • Version 4.3.23-0
  • Fix liberty bootstrapping when zypper is installed (bsc#1222347)
  • Apply reboot method changes for transactional systems in the bootstrap script

spacewalk-client-tools:

  • Version 4.3.19-0
  • Update translation strings

spacewalk-web:

  • Version 4.3.38-0
  • Upgrade json5 to 2.2.3
  • Upgrade semver to 7.6.0
  • Add one-shot action execution to recurring custom state create/edit
  • Add two filters for rpmlint in package spacewalk-web: explicit-lib-dependency and filename-too-long-for-joliet
  • Fix virtual systems filters (bsc#1208572)
  • Improve CLM Create New Filter button
  • Bump the WebUI version to 4.3.12

uyuni-common-libs:

  • Version 4.3.10-0
  • Add support for package signature type V4 RSA/SHA384
  • Add support for package signature type V4 RSA/SHA512 (bsc#1221465)

uyuni-proxy-systemd-services:

  • Version 4.3.12-0
  • Update to SUSE Manager 4.3.12
  • Version 4.3.11-1
  • Update the image version

How to apply this update:

  1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
  2. Stop the proxy service: spacewalk-proxy stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: spacewalk-proxy start

Security update for SUSE Manager Server 4.3

Description:

This update fixes the following issues:

cobbler:

  • Provide option to use pre-built GRUB bootloader
  • Prevent parallel executions of cobbler sync actions (bsc#1218764)

image-sync-formula:

  • Update to version 0.1.1711646883.4a44375
  • Add missing URL tag
  • Update license to SPDX syntax

inter-server-sync:

  • Version 0.3.3-1
  • Correct primary key export for table suseproductsccrepository (bsc#1220169)

jose4j:

  • CVE-2023-51775: Fix denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value (bsc#1220726)

smdba:

  • Version 1.7.13
  • postmaster no longer exists from >=16; as it is an alias for postgresql, use the postgresql command instead

spacecmd:

  • Version 4.3.27-0
  • Update translation strings

spacewalk-backend:

  • Version 4.3.28-0
  • Strip whitespace from .deb package metadata (bsc#1214387)
  • Fix inserting NULL into some columns during ISSv1 sync (bsc#1220980)
  • Add support for package signature type V4 RSA/SHA512 (bsc#1221465)
  • Unquote HTML-encoded credentials before synchronizing repositories (bsc#1217204)

spacewalk-certs-tools:

  • Version 4.3.23-0
  • Fix liberty bootstrapping when zypper is installed (bsc#1222347)
  • Apply reboot method changes for transactional systems in the bootstrap script

spacewalk-client-tools:

  • Version 4.3.19-0
  • Update translation strings

spacewalk-config:

  • Version 4.3.13-0
  • Be explicit about default Apache configs being overwritten on updates and point to making custom configs. (bsc#1219061)

spacewalk-java:

  • Version 4.3.73-0
  • New API endpoint for getRelevantErrata. It takes multiple servers as argument and it returns an array of maps representing the errata that can be applied to each system
  • Version 4.3.72-0
  • Use execution module call to detect client instance flavor (PAYG/BYOS) in public cloud (bsc#1218805)
  • Update help text for the custom repo filter field (bsc#1217874)
  • Fix issue where Salt cannot access autoinstallation files (bsc#1220221)
  • Fix issue when checking for credential duplication (bsc#1218957)
  • Fix matching epoch while creating Ubuntu errata
  • When an action that belongs to an action chain is unscheduled, unschedule the action chain as well (bsc#1221784)
  • Reschedule failed SSH actions caused by a connection error due to a scheduled reboot
  • Fix removal of old IPv6 addresses (bsc#1214340)
  • Do not automatically add child channels outside of selected base channel (bsc#1220101)
  • Fix listProxies API call (bsc#1219233)
  • Fix system.provisionSystem when called via HTTP API (bsc#1219875)
  • Remove package sync not available message in Software > Packages > Profile since it is no longer available for supported clients (bsc#1221279)
  • Fix login for read-only users when using HTTP API (bsc#1221111)
  • Add one-shot action execution to recurring custom state create/edit
  • Fix a typo in 'Deploy Files' page
  • Drop system password as identifier on SCC system registration (bsc#1219634, bsc#1221182)
  • Fix memory size extraction in virtual instances (bsc#1219634)
  • Fix virtual systems filters (bsc#1208572)
  • Update license to include the year 2024
  • Add timeout for SMTP server connection (bsc#1218931)
  • Commit Salt event removal in case of process failure (bsc#1218931)
  • Users with API read only are only allowed to make GET requests
  • Ignore retry suffix when getting recurring action id from schedule name
  • Sort CLM project filters by filter name

spacewalk-web:

  • Version 4.3.38-0
  • Upgrade json5 to 2.2.3
  • Upgrade semver to 7.6.0
  • Add one-shot action execution to recurring custom state create/edit
  • Fix virtual systems filters (bsc#1208572)
  • Improve CLM Create New Filter button
  • Bump the WebUI version to 4.3.12

subscription-matcher:

  • Version 0.37
  • Add missing part number (bsc#1221922)
  • Fix penalties logging by initializing the score director consistently
  • Removed wrong apache-commons-lang dependency
  • Version 0.36
  • Fixed Log4j 2 initialization

supportutils-plugin-susemanager:

  • Version 4.3.11-0
  • Add Salt and Reposync connections to minimum required DB connections calculation

susemanager:

  • Version 4.3.35-0
  • Add bootstrap repository definition for openSUSE Leap 15.6
  • Add bootstrap repository definition for SUSE Linux Enterprise 15 SP6

susemanager-docs_en:

  • Removed Debian 10 from the list of supported clients
  • Added new workflow describing updating of clients using recurring actions to Common Workflows
  • Added documentation on adding a storage device for VMWare
  • Documented registercloudguest tools for registering public cloud installation (BYOS) by adding a reference to the Public Cloud Guide
  • Added information about requirements for the PostgreSQL database to the Installation and Upgrade Guide (bsc#1220376)
  • Fixed the instructions for SSL Certificates (bsc#1219061)
  • Remove package sync paragraph in package-management doc since it is not available for Salt clients and traditional clients are no longer supported (bsc#1221279)
  • Fixed incorrect reference to SUSE Linux Enterprise Server 15 SP5 as base product for SUSE Manager 4.3, even in public cloud
  • Updated VM based installation for 4.3 VM image with ignition or cloudinit in Installation and Upgrade Guide
  • Added reference from Hub documentation to Inter-Server Synchronization in Large Deployment Guide
  • Documented Virtualization Guest and Virtualization Host Formula
  • Reformatted Supported Clients tables in Client Configuration Guide and Installation and Upgrade Guide
  • Add documentation about SMTP timeout configuration
  • Documented SSH key rotation in Salt Guide (bsc#1170848)
  • Documented liberate formula in Salt Guide
  • Fixed Prepare on-demand images section in Client Configuration
  • Fixed a changed configuration parameter for salt-ssh
  • Added Pay-as-you-go on the Cloud: FAQ document
  • Updated max-connections tuning recommendation in Large Deployment
  • Added troubleshooting instructions for setting up in public cloud (BYOS) to Administration Guide
  • Added section about migrating Enterprise Linux (EL) clients to SUSE Liberty Linux to Client Configuration Guide
  • Added detailed information about the messages produced by subscription matcher
  • Added Pay-as-you-go as supported service on Azure to the Public Cloud Guide
  • Added and fixed configuration details in Troubleshooting Renaming Server in Administration Guide

susemanager-schema:

  • Version 4.3.25-0
  • Add update-salt to internal state table

susemanager-sls:

  • Version 4.3.41-0
  • Use execution module call to detect client instance flavor (PAYG/BYOS) in public cloud (bsc#1218805)
  • Do not log dnf needs-restarting output in Salt's log (bsc#1220194)
  • Dynamically load an SELinux policy for "Push via SSH tunnel" for SELinux enabled clients. This policy allows communication over a custom SSH port
  • Fix reboot needed detection for SUSE systems
  • Fix SUSE Liberty Linux bootstrapping when Zypper is installed (bsc#1222347)
  • Distinguish between different SUSE versions when detecting if a reboot is needed (bsc#1220903, bsc#1221571)
  • Improve updatestack update in uptodate state
  • Add a standalone update-salt state
  • Add pillar check to skip reboot_if_needed state
  • Recognize .tar.xz and .ext4 image files (bsc#1216085)
  • Avoid issues on reactivating traditional clients as Salt managed
  • Fix the case of missing requisites on bootstrap (bsc#1220705)

susemanager-sync-data:

  • Version 4.3.17-0
  • AlmaLinux 9 PowerTools was renamed into CRB (bsc#1222110)

uyuni-common-libs:

  • Version 4.3.10-0
  • Add support for package signature type V4 RSA/SHA384
  • Add support for package signature type V4 RSA/SHA512 (bsc#1221465)

uyuni-reportdb-schema:

  • Version 4.3.10-0
  • Provide reportdb upgrade schema path structure

How to apply this update:

  1. Log in as root user to the SUSE Manager Server.
  2. Stop the Spacewalk service: spacewalk-service stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: spacewalk-service start

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Manager Proxy 4.3 Module 4.3
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2024-1507=1
  • SUSE Manager Server 4.3 Module 4.3
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-1507=1

Package List:

  • SUSE Manager Proxy 4.3 Module 4.3 (noarch)
    • spacewalk-base-minimal-4.3.38-150400.3.42.6
    • python3-spacewalk-certs-tools-4.3.23-150400.3.28.5
    • python3-spacewalk-client-setup-4.3.19-150400.3.27.5
    • python3-spacewalk-client-tools-4.3.19-150400.3.27.5
    • mgr-daemon-4.3.9-150400.3.15.5
    • spacewalk-backend-4.3.28-150400.3.41.7
    • spacecmd-4.3.27-150400.3.36.5
    • spacewalk-certs-tools-4.3.23-150400.3.28.5
    • spacewalk-client-setup-4.3.19-150400.3.27.5
    • spacewalk-client-tools-4.3.19-150400.3.27.5
    • python3-spacewalk-check-4.3.19-150400.3.27.5
    • spacewalk-check-4.3.19-150400.3.27.5
    • spacewalk-base-minimal-config-4.3.38-150400.3.42.6
  • SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
    • python3-uyuni-common-libs-4.3.10-150400.3.18.4
  • SUSE Manager Server 4.3 Module 4.3 (noarch)
    • spacewalk-java-lib-4.3.73-150400.3.79.1
    • susemanager-docs_en-4.3-150400.9.56.4
    • spacewalk-backend-package-push-server-4.3.28-150400.3.41.7
    • spacewalk-backend-4.3.28-150400.3.41.7
    • spacewalk-java-4.3.73-150400.3.79.1
    • spacewalk-backend-iss-export-4.3.28-150400.3.41.7
    • spacewalk-backend-xmlrpc-4.3.28-150400.3.41.7
    • spacewalk-base-4.3.38-150400.3.42.6
    • spacewalk-taskomatic-4.3.73-150400.3.79.1
    • spacewalk-backend-sql-4.3.28-150400.3.41.7
    • spacewalk-backend-sql-postgresql-4.3.28-150400.3.41.7
    • python3-spacewalk-certs-tools-4.3.23-150400.3.28.5
    • python3-spacewalk-client-tools-4.3.19-150400.3.27.5
    • susemanager-docs_en-pdf-4.3-150400.9.56.4
    • jose4j-0.5.1-150400.3.9.4
    • spacewalk-backend-config-files-tool-4.3.28-150400.3.41.7
    • spacecmd-4.3.27-150400.3.36.5
    • spacewalk-certs-tools-4.3.23-150400.3.28.5
    • susemanager-schema-4.3.25-150400.3.39.5
    • spacewalk-backend-config-files-common-4.3.28-150400.3.41.7
    • supportutils-plugin-susemanager-4.3.11-150400.3.21.4
    • spacewalk-java-config-4.3.73-150400.3.79.1
    • image-sync-formula-0.1.1711646883.4a44375-150400.3.18.4
    • spacewalk-base-minimal-config-4.3.38-150400.3.42.6
    • spacewalk-java-postgresql-4.3.73-150400.3.79.1
    • subscription-matcher-0.37-150400.3.22.4
    • susemanager-schema-utility-4.3.25-150400.3.39.5
    • uyuni-reportdb-schema-4.3.10-150400.3.15.6
    • spacewalk-backend-xml-export-libs-4.3.28-150400.3.41.7
    • spacewalk-backend-iss-4.3.28-150400.3.41.7
    • susemanager-sync-data-4.3.17-150400.3.25.4
    • cobbler-3.3.3-150400.5.42.5
    • spacewalk-backend-config-files-4.3.28-150400.3.41.7
    • spacewalk-backend-applet-4.3.28-150400.3.41.7
    • spacewalk-base-minimal-4.3.38-150400.3.42.6
    • spacewalk-backend-app-4.3.28-150400.3.41.7
    • uyuni-config-modules-4.3.41-150400.3.47.6
    • susemanager-sls-4.3.41-150400.3.47.6
    • spacewalk-html-4.3.38-150400.3.42.6
    • spacewalk-client-tools-4.3.19-150400.3.27.5
    • spacewalk-backend-tools-4.3.28-150400.3.41.7
    • spacewalk-backend-server-4.3.28-150400.3.41.7
    • spacewalk-config-4.3.13-150400.3.15.5
  • SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
    • smdba-1.7.13-0.150400.4.12.4
    • susemanager-4.3.35-150400.3.48.6
    • inter-server-sync-debuginfo-0.3.3-150400.3.30.4
    • inter-server-sync-0.3.3-150400.3.30.4
    • susemanager-tools-4.3.35-150400.3.48.6
    • python3-uyuni-common-libs-4.3.10-150400.3.18.4
