-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4655
                 Security update for SUSE Manager Server 4.2
                              21 September 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SUSE Manager Server
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-31129 CVE-2021-43138 CVE-2021-42740 CVE-2021-41411

Original Bulletin:
   https://www.suse.com/support/update/announcement/2022/suse-su-20223314-1

Comment: CVSS (Max):  9.8 CVE-2021-42740 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for SUSE Manager Server 4.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:3314-1
Rating:             critical
References:         #1172705 #1187028 #1195455 #1195895 #1196729 #1198168
                    #1198489 #1198738 #1198903 #1199372 #1199659 #1199913
                    #1199950 #1200276 #1200296 #1200480 #1200532 #1200573
                    #1200591 #1200629 #1201142 #1201189 #1201210 #1201220
                    #1201224 #1201527 #1201606 #1201607 #1201626 #1201753
                    #1201913 #1201918 #1202142 #1202272 #1202464 #1202724
                    #1202728 #1203287 #1203288 #1203449
Cross-References:   CVE-2021-41411 CVE-2021-42740 CVE-2021-43138 CVE-2022-31129
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.2
                    SUSE Manager Proxy 4.2
                    SUSE Manager Server 4.2
______________________________________________________________________________

An update that solves four vulnerabilities and has 36 fixes is now available.
Description:

This update fixes the following issues:

drools:

  o CVE-2021-41411: XML External Entity injection in KieModuleModelImpl.java.
    (bsc#1200629)

httpcomponents-asyncclient:

  o Provide maven metadata needed by other packages to build

image-sync-formula:

  o Update to version 0.1.1661440526.b08d95b
      * Add option to sort boot images by version (bsc#1196729)

inter-server-sync:

  o Version 0.2.3
      * Compress exported sql data #16631
      * Add gzip dependency to decompress data file during import process

patterns-suse-manager:

  o Strictly require OpenJDK 11 (bsc#1202142)

py27-compat-salt:

  o Add support for gpgautoimport in zypperpkg module
  o Fix salt.states.file.managed() for follow_symlinks=True and test=True
    (bsc#1199372)
  o Add support for name, pkgs and diff_attr parameters to upgrade function
    for zypper and yum (bsc#1198489)
  o Unify logic on using multiple requisites and add onfail_all (bsc#1198738)
  o Normalize package names once with pkg.installed/removed using yum
    (bsc#1195895)

salt-netapi-client:

  o Declare the LICENSE file as license and not doc
  o Adapted for Enterprise Linux 9.
  o Version 0.20.0
      * See: https://github.com/SUSE/salt-netapi-client/releases/tag/v0.20.0

saltboot-formula:

  o Update to version 0.1.1661440526.b08d95b
      * Fall back to local boot if the configured image is not synced
      * Improve image URL modifications (preparation for ftp/http changes)

spacecmd:

  o Version 4.2.19-1
      * Process date values in spacecmd api calls (bsc#1198903)
      * Show correct help on calling kickstart_importjson with no arguments
      * Fix tracebacks on spacecmd kickstart_export (bsc#1200591)

spacewalk-admin:

  o Version 4.2.12-1
      * Add --help option to mgr-monitoring-ctl

spacewalk-backend:

  o Version 4.2.24-1
      * Make reposync use the configured http proxy with mirrorlist
        (bsc#1198168)
      * Revert proxy listChannels token caching pr#4548
      * Clean up leftovers from removing unused xmlrpc endpoint

spacewalk-certs-tools:

  o Version 4.2.18-1
      * traditional stack bootstrap: install product packages (bsc#1201142)

spacewalk-client-tools:

  o Version 4.2.20-1
      * Update translation strings

spacewalk-java:

  o Version 4.2.41-1
      * Fixed date format on scheduler related messages (bsc#1195455)
      * Support inherited values for kernel options from Cobbler API
        (bsc#1199913)
      * Add channel availability check for product migration (bsc#1200296)
      * Check if system has all formulas correctly assigned (bsc#1201607)
      * Remove group formula assignments and data on group delete
        (bsc#1201606)
      * Fix sync for external repositories (bsc#1201753)
      * Fix state.apply result parsing in test mode (bsc#1201913)
      * Reduce the length of image channel URL (bsc#1201220)
      * Calculate dependencies between cloned channels of vendor channels
        (bsc#1201626)
      * Fix symlinks pointing to ongres-stringprep
      * Modify parameter type when communicating with the search server
        (bsc#1187028)
      * Fix initial profile and build host on Image Build page (bsc#1199659)
      * Fix the confirm message on the refresh action by adding a link to
        pending actions on it (bsc#1172705)
      * Require new salt-netapi-client version
      * Clean grub2 reinstall entry in autoyast snippet (bsc#1199950)

spacewalk-search:

  o Version 4.2.8-1
      * Add methods to handle session id as String

spacewalk-web:

  o Version 4.2.29-1
      * CVE-2021-43138: Obtain privileges via the `mapValues()` method.
        (bsc#1200480)
      * CVE-2021-42740: Command injection in the shell-quote package.
        (bsc#1203287)
      * CVE-2022-31129: Denial of service in moment: inefficient parsing
        algorithm (bsc#1203288)
      * Fix table header layout for unselectable tables
      * Fix initial profile and build host on Image Build page (bsc#1199659)

subscription-matcher:

  o Added Guava maximum version requirement.

susemanager:

  o Version 4.2.37-1
      * Mark new dependencies for python-py optional in bootstrap repo to fix
        generation for older service packs (bsc#1203449)
  o Version 4.2.36-1
      * Add missing packages on SLES 15
      * Remove server-migrator.sh from SUSE Manager installations
        (bsc#1202728)
      * mgr-create-bootstrap-repo: flush directory also when called for a
        specific label (bsc#1200573)
      * Add missing packages on SLES 12 SP5 bootstrap repo (bsc#1201918)
      * Remove python-tornado from bootstrap repo, since it is no longer
        required for salt version >= 3000
      * Add openSUSE 15.4 product (bsc#1201527)
      * Add client tools product to generate bootstrap repo on openSUSE 15.x
        (bsc#1201189)

susemanager-doc-indexes:

  o Documented mandatory channels in the Disconnected Setup chapter of the
    Administration Guide (bsc#1202464)
  o Documented how to onboard Ubuntu clients with the Salt bundle as a
    regular user
  o Documented how to onboard Debian clients with the Salt bundle or plain
    Salt as a regular user
  o Fixed the names of updates channels for Leap
  o Fixed errors in OpenSCAP chapter of Administration Guide
  o Added exact command to create the bootstrap repo for Salt bundle and
    about how to disable salt-thin
  o Removed CentOS 8 from the list of supported client systems
  o Extended the notes about using the noexec option for /tmp and /var/tmp
    (bsc#1201210)
  o Reverted single snippet change for two separate books
  o Added extending Salt Bundle functionality with Python packages using pip
  o Added missing part of the description to enable optional support of the
    Salt Bundle with Salt SSH
  o Added exact command to create the bootstrap repo for salt bundle and
    about how to disable salt-thin
  o Salt Configuration Modules are no longer Technology Preview in Salt
    Guide.
  o Fixed Ubuntu 18 Client registration in Client Configuration Guide
    (bsc#1201224)
  o Added ports 1232 and 1233 in the Ports section of the Installation and
    Upgrade Guide; required for Salt SSH Push (bsc#1200532)
  o In the Custom Channel section of the Administration Guide, added a note
    about synchronizing repositories regularly.
  o Removed SUSE Linux Enterprise 11 from the list of supported client
    systems

susemanager-docs_en:

  o Documented mandatory channels in the Disconnected Setup chapter of the
    Administration Guide (bsc#1202464)
  o Documented how to onboard Ubuntu clients with the Salt bundle as a
    regular user
  o Documented how to onboard Debian clients with the Salt bundle or plain
    Salt as a regular user
  o Fixed the names of updates channels for Leap
  o Fixed errors in OpenSCAP chapter of Administration Guide
  o Added exact command to create the bootstrap repo for Salt bundle and
    about how to disable salt-thin
  o Removed CentOS 8 from the list of supported client systems
  o Extended the notes about using the noexec option for /tmp and /var/tmp
    (bsc#1201210)
  o Reverted single snippet change for two separate books
  o Added extending Salt Bundle functionality with Python packages using pip
  o Added missing part of the description to enable optional support of the
    Salt Bundle with Salt SSH
  o Added exact command to create the bootstrap repo for salt bundle and
    about how to disable salt-thin
  o Salt Configuration Modules are no longer Technology Preview in Salt
    Guide.
  o Fixed Ubuntu 18 Client registration in Client Configuration Guide
    (bsc#1201224)
  o Added ports 1232 and 1233 in the Ports section of the Installation and
    Upgrade Guide; required for Salt SSH Push (bsc#1200532)
  o In the Custom Channel section of the Administration Guide, added a note
    about synchronizing repositories regularly.
  o Removed SUSE Linux Enterprise 11 from the list of supported client
    systems

susemanager-schema:

  o Version 4.2.24-1
      * Fix migration of image actions (bsc#1202272)

susemanager-sls:

  o Version 4.2.27-1
      * Copy grains file with util.mgr_switch_to_venv_minion state apply
      * Remove the message 'rpm: command not found' on using Salt SSH with
        Debian based systems which have no Salt Bundle
      * Prevent possible tracebacks on calling module.run from mgrcompat by
        setting proper globals with using LazyLoader
      * Fix deploy of SLE Micro CA Certificate (bsc#1200276)

uyuni-common-libs:

  o Version 4.2.7-1
      * Do not allow creating path if nonexistent user or group in
        fileutils.

How to apply this update:

  1. Log in as root user to the SUSE Manager server.
  2. Stop the Spacewalk service: `spacewalk-service stop`
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: `spacewalk-service start`

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for SUSE Manager Server 4.2:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-3314=1
  o SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.2-2022-3314=1

Package List:

  o SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64):
       inter-server-sync-0.2.3-150300.8.22.2
       inter-server-sync-debuginfo-0.2.3-150300.8.22.2
       patterns-suma_retail-4.2-150300.4.12.2
       patterns-suma_server-4.2-150300.4.12.2
       python3-uyuni-common-libs-4.2.7-150300.3.9.2
       susemanager-4.2.37-150300.3.41.1
       susemanager-tools-4.2.37-150300.3.41.1
  o SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):
       drools-7.17.0-150300.4.6.2
       httpcomponents-asyncclient-4.1.4-150300.3.3.2
       image-sync-formula-0.1.1661440526.b08d95b-150300.3.3.2
       py27-compat-salt-3000.3-150300.7.7.23.2
       python3-spacewalk-certs-tools-4.2.18-150300.3.24.3
       python3-spacewalk-client-tools-4.2.20-150300.4.24.3
       salt-netapi-client-0.20.0-150300.3.9.4
       saltboot-formula-0.1.1661440526.b08d95b-150300.3.12.2
       spacecmd-4.2.19-150300.4.27.2
       spacewalk-admin-4.2.12-150300.3.15.3
       spacewalk-backend-4.2.24-150300.4.29.5
       spacewalk-backend-app-4.2.24-150300.4.29.5
       spacewalk-backend-applet-4.2.24-150300.4.29.5
       spacewalk-backend-config-files-4.2.24-150300.4.29.5
       spacewalk-backend-config-files-common-4.2.24-150300.4.29.5
       spacewalk-backend-config-files-tool-4.2.24-150300.4.29.5
       spacewalk-backend-iss-4.2.24-150300.4.29.5
       spacewalk-backend-iss-export-4.2.24-150300.4.29.5
       spacewalk-backend-package-push-server-4.2.24-150300.4.29.5
       spacewalk-backend-server-4.2.24-150300.4.29.5
       spacewalk-backend-sql-4.2.24-150300.4.29.5
       spacewalk-backend-sql-postgresql-4.2.24-150300.4.29.5
       spacewalk-backend-tools-4.2.24-150300.4.29.5
       spacewalk-backend-xml-export-libs-4.2.24-150300.4.29.5
       spacewalk-backend-xmlrpc-4.2.24-150300.4.29.5
       spacewalk-base-4.2.29-150300.3.27.3
       spacewalk-base-minimal-4.2.29-150300.3.27.3
       spacewalk-base-minimal-config-4.2.29-150300.3.27.3
       spacewalk-certs-tools-4.2.18-150300.3.24.3
       spacewalk-client-tools-4.2.20-150300.4.24.3
       spacewalk-html-4.2.29-150300.3.27.3
       spacewalk-java-4.2.41-150300.3.43.5
       spacewalk-java-config-4.2.41-150300.3.43.5
       spacewalk-java-lib-4.2.41-150300.3.43.5
       spacewalk-java-postgresql-4.2.41-150300.3.43.5
       spacewalk-search-4.2.8-150300.3.12.2
       spacewalk-taskomatic-4.2.41-150300.3.43.5
       subscription-matcher-0.29-150300.6.12.2
       susemanager-doc-indexes-4.2-150300.12.33.4
       susemanager-docs_en-4.2-150300.12.33.2
       susemanager-docs_en-pdf-4.2-150300.12.33.2
       susemanager-schema-4.2.24-150300.3.27.3
       susemanager-sls-4.2.27-150300.3.33.4
       uyuni-config-modules-4.2.27-150300.3.33.4
  o SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (x86_64):
       patterns-suma_proxy-4.2-150300.4.12.2
       python3-uyuni-common-libs-4.2.7-150300.3.9.2
  o SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (noarch):
       mgr-daemon-4.2.10-150300.2.9.4
       python3-spacewalk-certs-tools-4.2.18-150300.3.24.3
       python3-spacewalk-check-4.2.20-150300.4.24.3
       python3-spacewalk-client-setup-4.2.20-150300.4.24.3
       python3-spacewalk-client-tools-4.2.20-150300.4.24.3
       spacecmd-4.2.19-150300.4.27.2
       spacewalk-backend-4.2.24-150300.4.29.5
       spacewalk-base-minimal-4.2.29-150300.3.27.3
       spacewalk-base-minimal-config-4.2.29-150300.3.27.3
       spacewalk-certs-tools-4.2.18-150300.3.24.3
       spacewalk-check-4.2.20-150300.4.24.3
       spacewalk-client-setup-4.2.20-150300.4.24.3
       spacewalk-client-tools-4.2.20-150300.4.24.3
       spacewalk-proxy-broker-4.2.12-150300.3.21.3
       spacewalk-proxy-common-4.2.12-150300.3.21.3
       spacewalk-proxy-management-4.2.12-150300.3.21.3
       spacewalk-proxy-package-manager-4.2.12-150300.3.21.3
       spacewalk-proxy-redirect-4.2.12-150300.3.21.3
       spacewalk-proxy-salt-4.2.12-150300.3.21.3
       susemanager-tftpsync-recv-4.2.5-150300.3.6.2

References:

  o https://www.suse.com/security/cve/CVE-2021-41411.html
  o https://www.suse.com/security/cve/CVE-2021-42740.html
  o https://www.suse.com/security/cve/CVE-2021-43138.html
  o https://www.suse.com/security/cve/CVE-2022-31129.html
  o https://bugzilla.suse.com/1172705
  o https://bugzilla.suse.com/1187028
  o https://bugzilla.suse.com/1195455
  o https://bugzilla.suse.com/1195895
  o https://bugzilla.suse.com/1196729
  o https://bugzilla.suse.com/1198168
  o https://bugzilla.suse.com/1198489
  o https://bugzilla.suse.com/1198738
  o https://bugzilla.suse.com/1198903
  o https://bugzilla.suse.com/1199372
  o https://bugzilla.suse.com/1199659
  o https://bugzilla.suse.com/1199913
  o https://bugzilla.suse.com/1199950
  o https://bugzilla.suse.com/1200276
  o https://bugzilla.suse.com/1200296
  o https://bugzilla.suse.com/1200480
  o https://bugzilla.suse.com/1200532
  o https://bugzilla.suse.com/1200573
  o https://bugzilla.suse.com/1200591
  o https://bugzilla.suse.com/1200629
  o https://bugzilla.suse.com/1201142
  o https://bugzilla.suse.com/1201189
  o https://bugzilla.suse.com/1201210
  o https://bugzilla.suse.com/1201220
  o https://bugzilla.suse.com/1201224
  o https://bugzilla.suse.com/1201527
  o https://bugzilla.suse.com/1201606
  o https://bugzilla.suse.com/1201607
  o https://bugzilla.suse.com/1201626
  o https://bugzilla.suse.com/1201753
  o https://bugzilla.suse.com/1201913
  o https://bugzilla.suse.com/1201918
  o https://bugzilla.suse.com/1202142
  o https://bugzilla.suse.com/1202272
  o https://bugzilla.suse.com/1202464
  o https://bugzilla.suse.com/1202724
  o https://bugzilla.suse.com/1202728
  o https://bugzilla.suse.com/1203287
  o https://bugzilla.suse.com/1203288
  o https://bugzilla.suse.com/1203449

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYypc0skNZI30y1K9AQhj+xAAqtOyPzW4YLK+1yxsw1EwbIFhSRpxCkwR
DWHXhTGteRSEAegZTzXCUCsfn8k5wX0+6+VJuE+KvKOewQRQHTFEWW2fUiiNxeA7
127HbayDTu54oQy4iuROiHaIgdHFszdtqoh1TriKNbXImxcoX8waZFFmTjsg2tkh
mg4M+wj+ms+EZAax7GuiOhS/XSk9pzqVWxgL6921nAIvUm9whzHH1iRIqWGpjnfO
gxxg1tSN8q3qFKQu/uogcuOrpkpE9s9LdbeFQUxpFXiX8yYUpIjnw5Rm37hUoJfT
5/HijC7rAz35WQLGtBXJSLByeoV8qQ+uL7VaeSE5xAFROAmfaN69c3XNLTNLt9f/
WwmGvoGQA3st6yAvryYyAiw1abuzhRPI+GB6TghHukF4tLAOCO1k0D6jsh9mZkIP
F+j4WavbRHzLb9CenQswydPecMHL2nz52FScUIl3RO8r2iSgK70sAiZ6tmhOaIsT
Zny96saVPz1GGVytK2fEqf3aJ3fOw1u/V96TZWwrw2k5uo/2wdGR7wu/B87iiwDS
u0iFq8rnXDaeenq8SOd/LuF8sqcIyt1QLvY4Dko7Qse44P5MjDi3BEgQ00WnGsz8
pCR+4gU2mtL3M/r5ZH68tHBZaVRPcYRRJC1HHfQOvowRkvP3AE9yOJfhDd4WPlpr
ZG3wXIokxMI=
=f7Fj
-----END PGP SIGNATURE-----
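Editor's addendum. The bulletin's "How to apply this update" steps and Package List tell an administrator what to install, but not how to confirm afterwards (or before, when triaging a fleet) that a SUSE Manager host actually carries the fixed builds. The following Python script is an added example and is not part of the SUSE or AusCERT bulletin: it compares an rpm inventory against the fixed VERSION-RELEASE strings, using a port of librpm's rpmvercmp so that "4.2.38" correctly sorts after "4.2.37" and a release of "150300.3.9.1" is correctly flagged as older than "150300.3.9.2". FIXED is a subset copied from the Package List for the SUSE Manager Server 4.2 module; the sample rpm output, the `--live` flag and the script name are constructed assumptions.

```python
"""Audit installed rpm versions against the fixes in SUSE-SU-2022:3314-1.

Added example, not part of the SUSE or AusCERT bulletin.  FIXED is copied
from the bulletin's Package List (SUSE Manager Server 4.2 module, subset);
SAMPLE_RPM_OUTPUT is constructed.  On a real host run with --live to query
the rpm database instead (the flag and script name are assumptions).
"""
import re
import subprocess
import sys

# name -> "VERSION-RELEASE" as published in the bulletin's Package List.
FIXED = {
    "drools": "7.17.0-150300.4.6.2",
    "spacewalk-base": "4.2.29-150300.3.27.3",
    "spacewalk-html": "4.2.29-150300.3.27.3",
    "spacewalk-java": "4.2.41-150300.3.43.5",
    "spacewalk-backend": "4.2.24-150300.4.29.5",
    "susemanager": "4.2.37-150300.3.41.1",
    "python3-uyuni-common-libs": "4.2.7-150300.3.9.2",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'`.
# Two packages are deliberately older than the fixed builds.
SAMPLE_RPM_OUTPUT = """\
spacewalk-java 4.2.40 150300.3.40.2
spacewalk-base 4.2.29 150300.3.27.3
drools 7.17.0 150300.4.6.2
susemanager 4.2.38 150300.3.42.1
python3-uyuni-common-libs 4.2.7 150300.3.9.1
"""


def rpmvercmp(a: str, b: str) -> int:
    """Port of librpm's rpmvercmp: returns 1 if a is newer, -1 if older, 0 if equal.

    Strings are walked as runs of digits or letters; any other character is a
    separator, '~' sorts before everything (even end of string) and '^' sorts
    after end of string but before any other segment.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        a_tilde, b_tilde = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        a_caret, b_caret = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if a_caret or b_caret:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take a run of the same type (digits or letters) from both strings.
        isnum = a[i].isdigit()
        pattern = r"\d+" if isnum else r"[A-Za-z]+"
        seg_a = re.match(pattern, a[i:]).group(0)
        match_b = re.match(pattern, b[j:])
        if not match_b:
            return 1 if isnum else -1  # numeric segment beats alphabetic
        seg_b = match_b.group(0)
        i, j = i + len(seg_a), j + len(seg_b)
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1  # whoever has segments left is newer


def compare_evr(installed: str, fixed: str) -> int:
    """Compare two 'VERSION-RELEASE' strings as rpm does: version, then release."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def audit(rpm_output: str) -> dict:
    """Map each package in FIXED to 'patched', 'needs-update' or 'not-installed'."""
    installed = {}
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) == 3:
            installed[parts[0]] = f"{parts[1]}-{parts[2]}"
    result = {}
    for name, fixed in FIXED.items():
        if name not in installed:
            result[name] = "not-installed"
        elif compare_evr(installed[name], fixed) >= 0:
            result[name] = "patched"
        else:
            result[name] = "needs-update"
    return result


def live_rpm_output() -> str:
    """Query the local rpm database (only meaningful on the SUSE Manager host)."""
    return subprocess.run(
        ["rpm", "-qa", "--qf", "%{NAME} %{VERSION} %{RELEASE}\n"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    report = audit(live_rpm_output() if "--live" in sys.argv else SAMPLE_RPM_OUTPUT)
    for name, status in sorted(report.items()):
        print(f"{status:13} {name}")
    sys.exit(1 if "needs-update" in report.values() else 0)
```

With the constructed sample the script reports spacewalk-java and python3-uyuni-common-libs as `needs-update` and exits non-zero, which makes it usable as a post-patch gate in a change ticket or a fleet-wide Salt/SSH sweep; "not-installed" is reported separately because an absent package is not evidence of exposure. The version comparison is done with a port of librpm's algorithm rather than naive string or float comparison, since release strings such as 150300.3.9.2 are not numbers.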