Security update for rmt-server

Announcement ID:	SUSE-SU-2019:0272-1
Rating:	moderate
References:	bsc#1102046 bsc#1102193 bsc#1109307 bsc#1113760 bsc#1113969 bsc#1114831 bsc#1117106 bsc#1118579 bsc#1118584
Cross-References:	CVE-2018-14404 CVE-2018-16468 CVE-2018-16470
CVSS scores:	CVE-2018-14404 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2018-14404 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-16468 ( SUSE ): 6.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L CVE-2018-16468 ( NVD ): 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2018-16470 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2018-16470 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Server Applications Module 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves three vulnerabilities and has six security fixes can now be installed.

Description:

This update for rmt-server to version 1.1.1 fixes the following issues:

The following issues have been fixed:

• Fixed migration problems which caused some extensions / modules to be dropped (bsc#1118584, bsc#1118579)
• Fixed listing of mirrored products (bsc#1102193)
• Include online migration paths into offline migration (bsc#1117106)
• Sync products that do not have a base product (bsc#1109307)
• Fixed SLP auto discovery for RMT (bsc#1113760)

Update dependencies for security fixes:

• CVE-2018-16468: Update loofah to 2.2.3 (bsc#1113969)
• CVE-2018-16470: Update rack to 2.0.6 (bsc#1114831)
• CVE-2018-14404: Update nokogiri to 1.8.5 (bsc#1102046)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Server Applications Module 15
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2019-272=1

Package List:

• Server Applications Module 15 (aarch64 ppc64le s390x x86_64)
  • rmt-server-1.1.1-3.13.1
  • rmt-server-debuginfo-1.1.1-3.13.1

References:

• https://www.suse.com/security/cve/CVE-2018-14404.html
• https://www.suse.com/security/cve/CVE-2018-16468.html
• https://www.suse.com/security/cve/CVE-2018-16470.html
• https://bugzilla.suse.com/show_bug.cgi?id=1102046
• https://bugzilla.suse.com/show_bug.cgi?id=1102193
• https://bugzilla.suse.com/show_bug.cgi?id=1109307
• https://bugzilla.suse.com/show_bug.cgi?id=1113760
• https://bugzilla.suse.com/show_bug.cgi?id=1113969
• https://bugzilla.suse.com/show_bug.cgi?id=1114831
• https://bugzilla.suse.com/show_bug.cgi?id=1117106
• https://bugzilla.suse.com/show_bug.cgi?id=1118579
• https://bugzilla.suse.com/show_bug.cgi?id=1118584