-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3811
                Security update for SUSE Manager Server 3.2
                             10 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SUSE Manager Server
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-11761  

Reference:         ESB-2018.3055
                   ESB-2018.2800

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2018/suse-su-20184011-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for SUSE Manager Server 3.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:4011-1
Rating:             moderate
References:         #1041999 #1080474 #1083094 #1104487 #1105359
                    #1105724 #1106430 #1106626 #1107869 #1109235
                    #1110361 #1110625 #1111247 #1111249 #1111387
                    #1111497 #1111542 #1111810 #1111966 #1112163
                    #1112445 #1112754 #1113557 #1113747 #1114181
                    #1114362 #1114814 #1114991 #1115449 #1116517
Cross-References:   CVE-2018-11761
Affected Products:
                    SUSE Manager Server 3.2
                    SUSE Manager Proxy 3.2
______________________________________________________________________________

   An update that solves one vulnerability and has 29 fixes is
   now available.

Description:


   This update fixes the following issues:

   apache-mybatis:

   - Install missing LICENSE.txt file (bsc#1114814)

   cobbler:

   - Fix service restart after logrotate for cobblerd (bsc#1113747)
   - Rotate cobbler logs at higher frequency to prevent disk fillup
     (bsc#1113747)

   hadoop:

   - Install missing LICENSE.txt file (bsc#1114814)

   image-sync-formula:

   - Handle empty images pillar (bsc#1105359)

   lucene:

   - Install missing LICENSE.txt file (bsc#1114814)

   nekohtml:

   - Install missing LICENSE.txt file (bsc#1114814)

   nutch-core:

   - Install missing LICENSE.txt file (bsc#1114814)
   - Add conditional requirement for java 1.8
   - Use java >= 1.8 - required by tika 0.19.1 to /var/log/nutch (bsc#1107869)
   - Add new tarball file for v1.0.1
   - Bump up version to 1.0.1 and fix paths
   - Adjustments after upgrade of tika-core to v1.19

   picocontainer:

   - Install missing LICENSE.txt file (bsc#1114814)

   python-susemanager-retail:

   - Improve error reporting on duplicate systems
   - Output partition size as int (bsc#1116517)
   - Start partition numbers from 1
   - Warn on long group names
   - Improved logging support
   - Add retail_yaml --only-new option
   - Print import summary (bsc#1112754)
   - Add retail_migration tool
   - Check for duplicate addresses in yaml (bsc#1111497)

   salt-netapi-client:

   - Version 0.15.0. See:
     https://github.com/SUSE/salt-netapi-client/releases/tag/v0.15.0

   saltboot-formula:

   - Send pxe_update by external command to make sure it is finished
     (bsc#1111387)
   - Better error message on missing partitioning pillar (bsc#1110625)

   spacecmd:

   - Show group id on group_details (bsc#1111542)
   - State channels handling: the existing commands configchannel_create and
     configchannel_import were updated, and system_scheduleapplyconfigchannels
     and configchannel_updateinitsls were added.

   spacewalk-branding:

   - Automatic cleanup of notification messages after a configurable lifetime
   - ActivationKey base and child channel in a reactjs component
   - New messages are added for XMLRPC API for state channels

   spacewalk-config:

   - Add permissions for tomcat & apache to check bootstrap ssh file
     (bsc#1114181)

   spacewalk-java:

   - Improve return value and errors thrown for system.createEmptyProfile
     XMLRPC endpoint
   - Fix scheduling jobs to prevent forever pending events (bsc#1114991)
   - Performance improvements for group listings and detail page (bsc#1111810)
   - Fix wrong counts of systems currency reports when a system belongs to
     more than one group (bsc#1114362)
   - Add check if ssh-file permissions are correct (bsc#1114181)
   - Increase maximum number of threads and open files for taskomatic
     (bsc#1111966)
   - When removing a cobbler system record, look it up by MAC address as well
     if lookup by id fails (bsc#1110361)
   - Allow listing empty system profiles via XMLRPC
   - Automatic cleanup of notification messages after a configurable lifetime
   - Different methods have been refactored in tomcat/taskomatic for better
     performance (bsc#1106430)
   - Do not try cleanup when deleting empty system profiles (bsc#1111247)
   - Better error handling when a websocket connection is aborted
     (bsc#1080474)
   - Change Requires to allow installing with both Tomcat 8 (SLE-12SP3) and 9
     (SLE12-SP4)
   - ActivationKey base and child channel in a reactjs component
   - Fix typo in messages (bsc#1111249)
   - Cleanup formula data and assignment when migrating formulas or when
     removing system
   - Remove restrictions on SUSE Manager Channel subscriptions (bsc#1105724)
   - Added shortcut for editing Software Channel
   - Fix permissions check on formula list api call (bsc#1106626)
   - Add sp migration dry runs to the daily status report (bsc#1083094)

   spacewalk-search:

   - Fix nutch-core path (bsc#1112445)

   spacewalk-setup:

   - Increase maximum number of threads and open files for taskomatic
     (bsc#1111966)

   spacewalk-utils:

   - Fix typo at --phases option help

   spacewalk-web:

   - Make datetimepicker update displayed time (bsc#1041999)
   - Show human-readable system cleanup error messages
   - ActivationKey base and child channel in a reactjs component
   - Fix typo in messages (bsc#1111249)

   susemanager:

   - Add new option --with-parent-channel to mgr-create-bootstrap-repo to
     specify the parent channel to use if multiple options are available
     (bsc#1104487)

   susemanager-docs_en:

   - Update text and image files.
   - Add information about SLE12 SP4 as base OS for Server and Proxy

   susemanager-frontend-libs:

   - Fix package version (bsc#1115449)

   susemanager-schema:

   - Automatic cleanup of notification messages after a configurable lifetime
   - Add missing minion-action-chain-cleanup to db init scripts

   susemanager-sls:

   - Deploy SSL certificate during onboarding of openSUSE Leap 15.0
     (bsc#1112163)

   susemanager-sync-data:

   - SUSE OpenStack Cloud 9 enablement (bsc#1113557)
   - Add SUSE Manager 3.1 and 3.2 to SLES12 SP4

   tika-core:

   - Fix improper XML parsing to prevent DoS attacks (CVE-2018-11761)
     (bsc#1109235)
   - Install missing LICENSE.txt file (bsc#1114814)
   - New upstream version (0.19.1)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2018-2869=1

   - SUSE Manager Proxy 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2018-2869=1



Package List:

   - SUSE Manager Server 3.2 (ppc64le s390x x86_64):

      spacewalk-branding-2.8.5.12-3.10.4
      susemanager-3.2.14-3.13.3
      susemanager-tools-3.2.14-3.13.3

   - SUSE Manager Server 3.2 (noarch):

      apache-mybatis-3.2.3-3.3.3
      cobbler-2.6.6-6.10.3
      hadoop-0.18.1-3.3.3
      image-sync-formula-0.1.1542287363.b8aa274-3.6.3
      lucene-2.4.1-4.3.3
      nekohtml-1.9.21-3.3.3
      nutch-core-1.0.1-7.10.3
      picocontainer-1.3.7-3.3.3
      python-susemanager-retail-1.0.1542643545.8752d17-2.6.3
      salt-netapi-client-0.15.0-4.3.3
      saltboot-formula-0.1.1542287363.b8aa274-3.6.3
      spacecmd-2.8.25.7-3.9.3
      spacewalk-base-2.8.7.11-3.13.3
      spacewalk-base-minimal-2.8.7.11-3.13.3
      spacewalk-base-minimal-config-2.8.7.11-3.13.3
      spacewalk-config-2.8.5.5-3.10.3
      spacewalk-html-2.8.7.11-3.13.3
      spacewalk-java-2.8.78.13-3.13.1
      spacewalk-java-config-2.8.78.13-3.13.1
      spacewalk-java-lib-2.8.78.13-3.13.1
      spacewalk-java-oracle-2.8.78.13-3.13.1
      spacewalk-java-postgresql-2.8.78.13-3.13.1
      spacewalk-search-2.8.3.7-3.12.3
      spacewalk-setup-2.8.7.5-3.10.3
      spacewalk-taskomatic-2.8.78.13-3.13.1
      spacewalk-utils-2.8.18.3-3.3.3
      susemanager-advanced-topics_en-pdf-3.2-11.12.3
      susemanager-best-practices_en-pdf-3.2-11.12.3
      susemanager-docs_en-3.2-11.12.3
      susemanager-frontend-libs-3.2.4-3.7.3
      susemanager-getting-started_en-pdf-3.2-11.12.3
      susemanager-jsp_en-3.2-11.12.3
      susemanager-reference_en-pdf-3.2-11.12.3
      susemanager-retail-tools-1.0.1542643545.8752d17-2.6.3
      susemanager-schema-3.2.15-3.13.3
      susemanager-sls-3.2.18-3.13.3
      susemanager-sync-data-3.2.10-3.9.3
      tika-core-1.19.1-3.3.3

   - SUSE Manager Proxy 3.2 (noarch):

      spacewalk-base-minimal-2.8.7.11-3.13.3
      spacewalk-base-minimal-config-2.8.7.11-3.13.3
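
   The Patch Instructions above say how to install the update; the Package
   List gives the fixed name-version-release strings. The script below is an
   added example (it is not part of the SUSE or AusCERT bulletin) that turns
   that list into a check a defender can run on a SUSE Manager Server 3.2
   host: it compares installed package versions against the fixed ones and
   prints the packages still below the fixed level. The fixed versions are
   copied from the Package List; the "installed" sample is a constructed
   stand-in for `rpm -qa` output so the script runs offline. The version
   comparison is a simplified form of rpm's rules (numeric segments compared
   numerically, others lexically, version before release), which is enough
   for the purely numeric versions in this bulletin.

```shell
#!/bin/sh
# Added example, not SUSE/AusCERT code: report packages on a SUSE Manager
# Server 3.2 host that are still below the fixed versions in
# SUSE-SU-2018:4011-1.

# Fixed name-version-release strings, copied from the bulletin's
# Package List (noarch). Extend with any other entry from that list.
FIXED_PACKAGES='
tika-core-1.19.1-3.3.3
nutch-core-1.0.1-7.10.3
spacewalk-search-2.8.3.7-3.12.3
spacewalk-java-2.8.78.13-3.13.1
'

# Constructed sample standing in for `rpm -qa` output on a partially
# patched host: tika-core and spacewalk-search are still old.
SAMPLE_INSTALLED='
tika-core-1.18-2.3.1
nutch-core-1.0.1-7.10.3
spacewalk-search-2.8.3.5-3.9.1
spacewalk-java-2.8.78.13-3.13.1
cobbler-2.6.6-6.10.3
'

# Simplified rpm-style comparison of two version (or release) strings:
# split into alphanumeric segments, compare digit-only segments
# numerically and anything else lexically; a string with more segments
# is newer when all shared segments are equal. Prints -1, 0 or 1.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, /[^0-9A-Za-z]+/)
    nb = split(b, B, /[^0-9A-Za-z]+/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (i > na) { print "-1"; exit }
      if (i > nb) { print "1"; exit }
      if (A[i] ~ /^[0-9]+$/ && B[i] ~ /^[0-9]+$/) {
        if (A[i] + 0 < B[i] + 0) { print "-1"; exit }
        if (A[i] + 0 > B[i] + 0) { print "1"; exit }
      } else {
        if (A[i] "" < B[i] "") { print "-1"; exit }
        if (A[i] "" > B[i] "") { print "1"; exit }
      }
    }
    print "0"
  }'
}

# Print the names of fixed packages that are installed at an older
# version-release than the fixed one. Arguments: installed NVR list,
# fixed NVR list (one name-version-release per line).
missing_fixes() {
  installed="$1"
  fixed="$2"
  for f in $fixed; do
    frel=${f##*-}; frest=${f%-*}; fver=${frest##*-}; fname=${frest%-*}
    for p in $installed; do
      prel=${p##*-}; prest=${p%-*}; pver=${prest##*-}; pname=${prest%-*}
      if [ "$pname" = "$fname" ]; then
        c=$(vercmp "$pver" "$fver")
        if [ "$c" = 0 ]; then
          c=$(vercmp "$prel" "$frel")
        fi
        if [ "$c" = -1 ]; then
          echo "$pname"
        fi
      fi
    done
  done
  return 0
}

# Stand-alone run against the constructed sample.
missing_fixes "$SAMPLE_INSTALLED" "$FIXED_PACKAGES"
```

   On a real host, replace SAMPLE_INSTALLED with the output of
   `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` and add the rest of the
   Package List to FIXED_PACKAGES; an empty result means every listed
   package is at or above the fixed level.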


References:

   https://www.suse.com/security/cve/CVE-2018-11761.html
   https://bugzilla.suse.com/1041999
   https://bugzilla.suse.com/1080474
   https://bugzilla.suse.com/1083094
   https://bugzilla.suse.com/1104487
   https://bugzilla.suse.com/1105359
   https://bugzilla.suse.com/1105724
   https://bugzilla.suse.com/1106430
   https://bugzilla.suse.com/1106626
   https://bugzilla.suse.com/1107869
   https://bugzilla.suse.com/1109235
   https://bugzilla.suse.com/1110361
   https://bugzilla.suse.com/1110625
   https://bugzilla.suse.com/1111247
   https://bugzilla.suse.com/1111249
   https://bugzilla.suse.com/1111387
   https://bugzilla.suse.com/1111497
   https://bugzilla.suse.com/1111542
   https://bugzilla.suse.com/1111810
   https://bugzilla.suse.com/1111966
   https://bugzilla.suse.com/1112163
   https://bugzilla.suse.com/1112445
   https://bugzilla.suse.com/1112754
   https://bugzilla.suse.com/1113557
   https://bugzilla.suse.com/1113747
   https://bugzilla.suse.com/1114181
   https://bugzilla.suse.com/1114362
   https://bugzilla.suse.com/1114814
   https://bugzilla.suse.com/1114991
   https://bugzilla.suse.com/1115449
   https://bugzilla.suse.com/1116517

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----