Security update for SUSE Manager Server 3.2

SUSE Security Update: Security update for SUSE Manager Server 3.2
Announcement ID: SUSE-SU-2020:0856-1
Rating: moderate
References: #1085414 #1140332 #1155372 #1157317 #1158899 #1159184 #1160246 #1161862 #1162609 #1162683 #1163001 #1163538 #1164120 #1164563 #1164771 #1165425 #1165921
Cross-References:CVE-2018-1077 CVE-2020-1693
Affected Products:
  • SUSE Manager Server 3.2

An update that solves two vulnerabilities and has 15 fixes is now available.


This update fixes the following issues:

  • Replace pycrypto with M2Crypto as dependency for SLE15+ (bsc#1165425)

  • Disable external entity parsing (1790381, bsc#1164120, CVE-2020-1693)
  • Do not download external entities (1555429, bsc#1085414, CVE-2018-1077)

  • Bugfix: attempt to purge SSM when it is empty (bsc#1155372)

  • Spell correctly "successful" and "successfully"

  • When downloading repo metadata, don't add "/" to the repo url if it already ends with one (bsc#1158899)
  • Enhance suseProducts via ISS to fix SP migration on slave server (bsc#1159184)

  • Add minion option in config file to disable salt mine when generated by bootstrap script (bsc#1163001)

  • Do not crash 'mgr-update-status' because 'long' type is not defined in Python 3
  • Add workaround for uptime overflow to spacewalk-update-status as well (bsc#1165921)
  • Spell correctly "successful" and "successfully"

  • Fix error when adding systems to ssm with 'add to ssm' button (bsc#1160246)
  • Validate the suseproductchannel table and update missing date when running mgr-sync refresh (bsc#1163538)
  • Read the subscriptions from the output instead of input (bsc#1140332)
  • Show additional headers and dependencies for deb packages
  • Use channel name from product tree instead of constructing it (bsc#1157317)

  • Spell correctly "successful" and "successfully"

  • Check for delimiter as well when detecting current phase (bsc#1164771)

  • Report merge_subscriptions message in a readable way (bsc#1140332)

  • Add missing library for SLE15 SP2 (slf4j-log4j12)
  • Make the code usable with Math3 on SLES
  • Use log4j12 package on newer SLE versions
  • Aggregate stackable subscriptions with same parameters
  • Implement new "swap move" used in optaplanner (bsc#1140332)
  • Enable aarch64 builds, except for SLE < 15

  • Fix salt bootstrapping on SLE15 (require python3-pycrypto or python3-M2Crypto to support all variants) (bsc#1164563)
  • Add bootstrap-repo data for OES 2018 SP2 (bsc#1161862)
  • Add bootstrap-repo data for SLE15 SP2 Family

  • Adapt 'mgractionchains' module to work with Salt 3000
  • Do not workaround util.syncmodules for SSH minions (bsc#1162609)
  • Force to run util.synccustomall when triggering action chains on SSH minions (bsc#1162683).

  • Add OES 2018 SP2 (bsc#1161862)
  • Rename RHEL 8 Base product
  • Change channel family name according to SCC data

How to apply this update: 1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk service: spacewalk-service stop 3. Apply the patch using either zypper patch or YaST Online Update. 4. Upgrade the database schema: spacewalk-schema-upgrade 5. Start the Spacewalk service: spacewalk-service start

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Manager Server 3.2:
    zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-856=1

Package List:

  • SUSE Manager Server 3.2 (ppc64le s390x x86_64):
    • susemanager-3.2.23-3.40.2
    • susemanager-tools-3.2.23-3.40.2
  • SUSE Manager Server 3.2 (noarch):
    • py26-compat-salt-2016.11.10-6.35.1
    • python2-spacewalk-certs-tools-
    • python2-spacewalk-client-tools-
    • redstone-xmlrpc-1.1_20071120-
    • spacecmd-
    • spacewalk-admin-
    • spacewalk-backend-
    • spacewalk-backend-app-
    • spacewalk-backend-applet-
    • spacewalk-backend-config-files-
    • spacewalk-backend-config-files-common-
    • spacewalk-backend-config-files-tool-
    • spacewalk-backend-iss-
    • spacewalk-backend-iss-export-
    • spacewalk-backend-libs-
    • spacewalk-backend-package-push-server-
    • spacewalk-backend-server-
    • spacewalk-backend-sql-
    • spacewalk-backend-sql-oracle-
    • spacewalk-backend-sql-postgresql-
    • spacewalk-backend-tools-
    • spacewalk-backend-xml-export-libs-
    • spacewalk-backend-xmlrpc-
    • spacewalk-base-
    • spacewalk-base-minimal-
    • spacewalk-base-minimal-config-
    • spacewalk-certs-tools-
    • spacewalk-client-tools-
    • spacewalk-html-
    • spacewalk-java-
    • spacewalk-java-config-
    • spacewalk-java-lib-
    • spacewalk-java-oracle-
    • spacewalk-java-postgresql-
    • spacewalk-setup-
    • spacewalk-taskomatic-
    • spacewalk-utils-
    • subscription-matcher-0.25-4.15.1
    • susemanager-sls-3.2.30-3.44.1
    • susemanager-sync-data-3.2.19-3.35.1
    • susemanager-web-libs-