-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3811
                Security update for SUSE Manager Server 3.2
                              10 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SUSE Manager Server
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-11761

Reference:         ESB-2018.3055
                   ESB-2018.2800

Original Bulletin:
   https://www.suse.com/support/update/announcement/2018/suse-su-20184011-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for SUSE Manager Server 3.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:4011-1
Rating:             moderate
References:         #1041999 #1080474 #1083094 #1104487 #1105359 #1105724
                    #1106430 #1106626 #1107869 #1109235 #1110361 #1110625
                    #1111247 #1111249 #1111387 #1111497 #1111542 #1111810
                    #1111966 #1112163 #1112445 #1112754 #1113557 #1113747
                    #1114181 #1114362 #1114814 #1114991 #1115449 #1116517
Cross-References:   CVE-2018-11761
Affected Products:
                    SUSE Manager Server 3.2
                    SUSE Manager Proxy 3.2
______________________________________________________________________________

   An update that solves one vulnerability and has 29 fixes is now available.
Description:

   This update fixes the following issues:

   apache-mybatis:

   - Install missing LICENSE.txt file (bsc#1114814)

   cobbler:

   - Fix service restart after logrotate for cobblerd (bsc#1113747)
   - Rotate cobbler logs at higher frequency to prevent disk fillup
     (bsc#1113747)

   hadoop:

   - Install missing LICENSE.txt file (bsc#1114814)

   image-sync-formula:

   - Handle empty images pillar (bsc#1105359)

   lucene:

   - Install missing LICENSE.txt file (bsc#1114814)

   nekohtml:

   - Install missing LICENSE.txt file (bsc#1114814)

   nutch-core:

   - Install missing LICENSE.txt file (bsc#1114814)
   - Add conditional requirement for java 1.8
   - Use java >= 1.8 - required by tika 0.19.1
     to /var/log/nutch (bsc#1107869)
   - Add new tarball file for v1.0.1
   - Bump up version to 1.0.1 and fix paths
   - Adjustments after upgrade of tika-core to v1.19

   picocontainer:

   - Install missing LICENSE.txt file (bsc#1114814)

   python-susemanager-retail:

   - Improve error reporting on duplicate systems
   - Output partition size as int (bsc#1116517)
   - Start partition numbers from 1
   - Warn on long group names
   - Improved logging support
   - Add retail_yaml --only-new option
   - Print import summary (bsc#1112754)
   - Add retail_migration tool
   - Check for duplicate addresses in yaml (bsc#1111497)

   salt-netapi-client:

   - Version 0.15.0
     See: https://github.com/SUSE/salt-netapi-client/releases/tag/v0.15.0

   saltboot-formula:

   - Send pxe_update by external command to make sure it is finished
     (bsc#1111387)
   - Better error message on missing partitioning pillar (bsc#1110625)

   spacecmd:

   - Show group id on group_details (bsc#1111542)
   - State channels handling: Existing commands configchannel_create and
     configchannel_import were updated while
     system_scheduleapplyconfigchannels and configchannel_updateinitsls
     were added.
   spacewalk-branding:

   - Automatic cleanup of notification messages after a configurable
     lifetime
   - ActivationKey base and child channel in a reactjs component
   - New messages are added for XMLRPC API for state channels

   spacewalk-config:

   - Add permissions for tomcat & apache to check bootstrap ssh file
     (bsc#1114181)

   spacewalk-java:

   - Improve return value and errors thrown for system.createEmptyProfile
     XMLRPC endpoint
   - Fix scheduling jobs to prevent forever pending events (bsc#1114991)
   - Performance improvements for group listings and detail page
     (bsc#1111810)
   - Fix wrong counts of systems currency reports when a system belongs to
     more than one group (bsc#1114362)
   - Add check if ssh-file permissions are correct (bsc#1114181)
   - Increase maximum number of threads and open files for taskomatic
     (bsc#1111966)
   - When removing cobbler system record, lookup by mac address as well if
     lookup by id fails (bsc#1110361)
   - Allow listing empty system profiles via XMLRPC
   - Automatic cleanup of notification messages after a configurable
     lifetime
   - Different methods have been refactored in tomcat/taskomatic for better
     performance (bsc#1106430)
   - Do not try cleanup when deleting empty system profiles (bsc#1111247)
   - Better error handling when a websocket connection is aborted
     (bsc#1080474)
   - Change Requires to allow installing with both Tomcat 8 (SLE-12SP3) and
     9 (SLE12-SP4)
   - ActivationKey base and child channel in a reactjs component
   - Fix typo in messages (bsc#1111249)
   - Cleanup formula data and assignment when migrating formulas or when
     removing system
   - Remove restrictions on SUSE Manager Channel subscriptions (bsc#1105724)
   - Added shortcut for editing Software Channel
   - Fix permissions check on formula list api call (bsc#1106626)
   - Add sp migration dry runs to the daily status report (bsc#1083094)

   spacewalk-search:

   - Fix nutch-core path (bsc#1112445)

   spacewalk-setup:

   - Increase maximum number of threads and open files for taskomatic
     (bsc#1111966)

   spacewalk-utils:

   - Fix typo at --phases option help

   spacewalk-web:

   - Make datetimepicker update displayed time (bsc#1041999)
   - Show human-readable system cleanup error messages
   - ActivationKey base and child channel in a reactjs component
   - Fix typo in messages (bsc#1111249)

   susemanager:

   - Add new option --with-parent-channel to mgr-create-bootstrap-repo to
     specify parent channel to use if multiple options are available
     (bsc#1104487)

   susemanager-docs_en:

   - Update text and image files.
   - Add information about SLE12 SP4 as base OS for Server and Proxy

   susemanager-frontend-libs:

   - Fix package version (bsc#1115449)

   susemanager-schema:

   - Automatic cleanup of notification messages after a configurable
     lifetime
   - Add missing minion-action-chain-cleanup to db init scripts

   susemanager-sls:

   - Deploy SSL certificate during onboarding of openSUSE Leap 15.0
     (bsc#1112163)

   susemanager-sync-data:

   - SUSE OpenStack Cloud 9 enablement (bsc#1113557)
   - Add SUSE Manager 3.1 and 3.2 to SLES12 SP4

   tika-core:

   - Fix improper XML parsing to prevent DoS attacks (CVE-2018-11761)
     (bsc#1109235)
   - Install missing LICENSE.txt file (bsc#1114814)
   - New upstream version (0.19.1)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2018-2869=1

   - SUSE Manager Proxy 3.2:

      zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2018-2869=1

Package List:

   - SUSE Manager Server 3.2 (ppc64le s390x x86_64):

      spacewalk-branding-2.8.5.12-3.10.4
      susemanager-3.2.14-3.13.3
      susemanager-tools-3.2.14-3.13.3

   - SUSE Manager Server 3.2 (noarch):

      apache-mybatis-3.2.3-3.3.3
      cobbler-2.6.6-6.10.3
      hadoop-0.18.1-3.3.3
      image-sync-formula-0.1.1542287363.b8aa274-3.6.3
      lucene-2.4.1-4.3.3
      nekohtml-1.9.21-3.3.3
      nutch-core-1.0.1-7.10.3
      picocontainer-1.3.7-3.3.3
      python-susemanager-retail-1.0.1542643545.8752d17-2.6.3
      salt-netapi-client-0.15.0-4.3.3
      saltboot-formula-0.1.1542287363.b8aa274-3.6.3
      spacecmd-2.8.25.7-3.9.3
      spacewalk-base-2.8.7.11-3.13.3
      spacewalk-base-minimal-2.8.7.11-3.13.3
      spacewalk-base-minimal-config-2.8.7.11-3.13.3
      spacewalk-config-2.8.5.5-3.10.3
      spacewalk-html-2.8.7.11-3.13.3
      spacewalk-java-2.8.78.13-3.13.1
      spacewalk-java-config-2.8.78.13-3.13.1
      spacewalk-java-lib-2.8.78.13-3.13.1
      spacewalk-java-oracle-2.8.78.13-3.13.1
      spacewalk-java-postgresql-2.8.78.13-3.13.1
      spacewalk-search-2.8.3.7-3.12.3
      spacewalk-setup-2.8.7.5-3.10.3
      spacewalk-taskomatic-2.8.78.13-3.13.1
      spacewalk-utils-2.8.18.3-3.3.3
      susemanager-advanced-topics_en-pdf-3.2-11.12.3
      susemanager-best-practices_en-pdf-3.2-11.12.3
      susemanager-docs_en-3.2-11.12.3
      susemanager-frontend-libs-3.2.4-3.7.3
      susemanager-getting-started_en-pdf-3.2-11.12.3
      susemanager-jsp_en-3.2-11.12.3
      susemanager-reference_en-pdf-3.2-11.12.3
      susemanager-retail-tools-1.0.1542643545.8752d17-2.6.3
      susemanager-schema-3.2.15-3.13.3
      susemanager-sls-3.2.18-3.13.3
      susemanager-sync-data-3.2.10-3.9.3
      tika-core-1.19.1-3.3.3

   - SUSE Manager Proxy 3.2 (noarch):

      spacewalk-base-minimal-2.8.7.11-3.13.3
      spacewalk-base-minimal-config-2.8.7.11-3.13.3

References:

   https://www.suse.com/security/cve/CVE-2018-11761.html
   https://bugzilla.suse.com/1041999
   https://bugzilla.suse.com/1080474
   https://bugzilla.suse.com/1083094
   https://bugzilla.suse.com/1104487
   https://bugzilla.suse.com/1105359
   https://bugzilla.suse.com/1105724
   https://bugzilla.suse.com/1106430
   https://bugzilla.suse.com/1106626
   https://bugzilla.suse.com/1107869
   https://bugzilla.suse.com/1109235
   https://bugzilla.suse.com/1110361
   https://bugzilla.suse.com/1110625
   https://bugzilla.suse.com/1111247
   https://bugzilla.suse.com/1111249
   https://bugzilla.suse.com/1111387
   https://bugzilla.suse.com/1111497
   https://bugzilla.suse.com/1111542
   https://bugzilla.suse.com/1111810
   https://bugzilla.suse.com/1111966
   https://bugzilla.suse.com/1112163
   https://bugzilla.suse.com/1112445
   https://bugzilla.suse.com/1112754
   https://bugzilla.suse.com/1113557
   https://bugzilla.suse.com/1113747
   https://bugzilla.suse.com/1114181
   https://bugzilla.suse.com/1114362
   https://bugzilla.suse.com/1114814
   https://bugzilla.suse.com/1114991
   https://bugzilla.suse.com/1115449
   https://bugzilla.suse.com/1116517

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXA2zAGaOgq3Tt24GAQiKYBAApEs7GZRmok1d/+37LDFxi+l60zCvDclP
qaTwuAUUevEAHF8H4jZrKHUT7oJ32g/2Ad3PXymsDEtAuDn3a4ywyfO9YZrC5+GB
59Z25XlHEL4XKVbjmCHQN6n2pKG1Wa9dnrCUhmpsFyyNMxiZgdI1oLf9Dkpc4Xz3
YNG4PpMisTsW+YewmcJnLjBD4f0lU9K84gqnZpQdFBwbSndRQZ0jWhVL05vf6oho
A75RypNOq27KHNpbHFU2SFkrXvA0F3Pc1XnpLxh0MWZuOFIU8SQaPU7KuLpTtrya
PBW6g4VKb0ZYjFXcrNhBROKkRANRatqq9a1anoyggaSeaMu4jGpn2FDIAb29Gm+P
X7NBijkt3wLIE3O5SKTdnFosmWiSfocIMFHOcDgmXpqJXq5DfsD5ChUhcJqB4f2x
Sp4SfTZRZ7kV82sdZJ196ccxAYwhQtCHa4Tpd2saU7Bwxu1rTnWVzyQVLHkgYAXT
rcj2ASz/20upaNOoVUVTJKNU4EXuNdY13WY89Ju9/t0knL5VnKdogLcY8H0MSvWg
Ur5eIRKMuuLs2tDXjA/56Uq4e1m3lce4tMI4NMEybAXO5zER3GfQ7v8Y9geOvYVk
mpy/81NYnx/tHhbQCJ/04WMh3wC+BlzQX0MogrSDsJq5wr3q2L0WxvtBwgdMfXXA
AqczK1lGPcM=
=InbE
-----END PGP SIGNATURE-----
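Editor's addendum. After running the zypper command from the Patch Instructions, an administrator usually wants to confirm that every package named in the Package List is now at or above its fixed version, rather than trust that the patch transaction completed. The script below is an added example, not part of the AusCERT bulletin or of SUSE's tooling: it compares a list of installed name-version-release strings (a constructed sample standing in for real `rpm -qa` output) against fixed versions copied from the bulletin, using a simplified reimplementation of rpm's version-label comparison. The hyphen-splitting relies on rpm's guarantee that version and release labels never contain a hyphen; the `~` and `^` separators that rpm treats specially are not handled, which does not matter for the labels in this bulletin.

```python
import re

# Fixed versions copied from the bulletin's Package List
# (SUSE Manager Server 3.2, noarch; a subset is enough to demonstrate).
FIXED_PACKAGES = [
    "tika-core-1.19.1-3.3.3",
    "spacewalk-java-2.8.78.13-3.13.1",
    "cobbler-2.6.6-6.10.3",
    "susemanager-schema-3.2.15-3.13.3",
]

# Constructed sample of what
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
# might print on a server where the patch has not been fully applied.
SAMPLE_RPM_QA = """\
tika-core-1.18-2.3.1
spacewalk-java-2.8.78.13-3.13.1
cobbler-2.6.6-6.10.3
bash-4.3-83.23.1
"""


def split_nvr(nvr):
    """Split 'name-version-release' into its three parts.

    Package names may contain hyphens (spacewalk-java-lib), but version
    and release labels never do, so splitting from the right is safe.
    """
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def _segments(label):
    # rpm compares a label as a sequence of all-digit and all-alpha runs;
    # separators such as '.' and '_' only delimit the runs.
    return re.findall(r"\d+|[A-Za-z]+", label)


def rpmvercmp(a, b):
    """Compare two version (or release) labels the way rpm does.

    Returns -1, 0 or 1. Simplified: '~' and '^' are not handled.
    """
    seg_a, seg_b = _segments(a), _segments(b)
    for sa, sb in zip(seg_a, seg_b):
        if sa == sb:
            continue
        digit_a, digit_b = sa.isdigit(), sb.isdigit()
        if digit_a and digit_b:
            return 1 if int(sa) > int(sb) else -1
        if digit_a != digit_b:
            return 1 if digit_a else -1   # a numeric segment beats an alpha one
        return 1 if sa > sb else -1       # both alpha: plain string order
    # Common prefix equal: the label with more segments is the newer one.
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def compare_vr(installed, fixed):
    """Compare (version, release) tuples; release only decides a tie."""
    result = rpmvercmp(installed[0], fixed[0])
    return result if result != 0 else rpmvercmp(installed[1], fixed[1])


def check_patch_level(rpm_qa_text, fixed_packages):
    """Classify each bulletin package as 'fixed', 'vulnerable' or
    'not installed' on the host described by rpm_qa_text."""
    installed = {}
    for line in rpm_qa_text.split():
        name, version, release = split_nvr(line)
        installed[name] = (version, release)

    status = {}
    for nvr in fixed_packages:
        name, version, release = split_nvr(nvr)
        if name not in installed:
            status[name] = "not installed"
        elif compare_vr(installed[name], (version, release)) >= 0:
            status[name] = "fixed"
        else:
            status[name] = "vulnerable"
    return status


if __name__ == "__main__":
    for name, state in sorted(check_patch_level(SAMPLE_RPM_QA, FIXED_PACKAGES).items()):
        print(f"{name:24s} {state}")
```

On a real host, replace `SAMPLE_RPM_QA` with the output of the `rpm -qa --qf` command shown in the comment and paste the full Package List into `FIXED_PACKAGES`; any package reported as `vulnerable` means the tika-core DoS fix (CVE-2018-11761) or one of the 29 other fixes is still missing on that system.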