===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4655
                Security update for SUSE Manager Server 4.2
                             21 September 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SUSE Manager Server
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-31129 CVE-2021-43138 CVE-2021-42740
                   CVE-2021-41411

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2022/suse-su-20223314-1

Comment: CVSS (Max):  9.8 CVE-2021-42740 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for SUSE Manager Server 4.2

______________________________________________________________________________

Announcement ID:   SUSE-SU-2022:3314-1
Rating:            critical
References:        #1172705 #1187028 #1195455 #1195895 #1196729 #1198168
                   #1198489 #1198738 #1198903 #1199372 #1199659 #1199913
                   #1199950 #1200276 #1200296 #1200480 #1200532 #1200573
                   #1200591 #1200629 #1201142 #1201189 #1201210 #1201220
                   #1201224 #1201527 #1201606 #1201607 #1201626 #1201753
                   #1201913 #1201918 #1202142 #1202272 #1202464 #1202724
                   #1202728 #1203287 #1203288 #1203449
Cross-References:  CVE-2021-41411 CVE-2021-42740 CVE-2021-43138 CVE-2022-31129
Affected Products:
                   SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2
                   SUSE Linux Enterprise Module for SUSE Manager Server 4.2
                   SUSE Manager Proxy 4.2
                   SUSE Manager Server 4.2
______________________________________________________________________________

An update that solves four vulnerabilities and has 36 fixes is now available.

Description:

This update fixes the following issues:

drools:

  o CVE-2021-41411: XML External Entity injection in KieModuleModelImpl.java.
    (bsc#1200629)


httpcomponents-asyncclient:

  o Provide maven metadata needed by other packages to build


image-sync-formula:

  o Update to version 0.1.1661440526.b08d95b
    * Add option to sort boot images by version (bsc#1196729)


inter-server-sync:

  o Version 0.2.3
    * Compress exported sql data #16631
    * Add gzip dependency to decompress data file during import process


patterns-suse-manager:

  o Strictly require OpenJDK 11 (bsc#1202142)


py27-compat-salt:

  o Add support for gpgautoimport in zypperpkg module
  o Fix salt.states.file.managed() for follow_symlinks=True and test=True
    (bsc#1199372)
  o Add support for name, pkgs and diff_attr parameters to upgrade function for
    zypper and yum (bsc#1198489)
  o Unify logic on using multiple requisites and add onfail_all (bsc#1198738)
  o Normalize package names once with pkg.installed/removed using yum
    (bsc#1195895)


salt-netapi-client:

  o Declare the LICENSE file as license and not doc
  o Adapted for Enterprise Linux 9.
  o Version 0.20.0
    * See: https://github.com/SUSE/salt-netapi-client/releases/tag/v0.20.0


saltboot-formula:

  o Update to version 0.1.1661440526.b08d95b
    * Fallback to local boot if the configured image is not synced
    * Improve image url modifications - preparation for ftp/http changes


spacecmd:

  o Version 4.2.19-1
    * Process date values in spacecmd api calls (bsc#1198903)
    * Show correct help on calling kickstart_importjson with no arguments
    * Fix tracebacks on spacecmd kickstart_export (bsc#1200591)


spacewalk-admin:

  o Version 4.2.12-1
    * Add --help option to mgr-monitoring-ctl


spacewalk-backend:

  o Version 4.2.24-1
    * Make reposync use the configured http proxy with mirrorlist (bsc#1198168)
    * Revert proxy listChannels token caching pr#4548
    * Cleanup leftovers from removing unused xmlrpc endpoint


spacewalk-certs-tools:

  o Version 4.2.18-1
    * traditional stack bootstrap: install product packages (bsc#1201142)


spacewalk-client-tools:

  o Version 4.2.20-1
    * Update translation strings


spacewalk-java:

  o Version 4.2.41-1
    * Fixed date format on scheduler related messages (bsc#1195455)
    * Support inherited values for kernel options from Cobbler API
      (bsc#1199913)
    * Add channel availability check for product migration (bsc#1200296)
    * Check if system has all formulas correctly assigned (bsc#1201607)
    * Remove group formula assignments and data on group delete (bsc#1201606)
    * Fix sync for external repositories (bsc#1201753)
    * Fix state.apply result parsing in test mode (bsc#1201913)
    * Reduce the length of image channel URL (bsc#1201220)
    * Calculate dependencies between cloned channels of vendor channels
      (bsc#1201626)
    * Fix symlinks pointing to ongres-stringprep
    * Modify parameter type when communicating with the search server
      (bsc#1187028)
    * Fix initial profile and build host on Image Build page (bsc#1199659)
    * Fix the confirm message on the refresh action by adding a link to
      pending actions on it (bsc#1172705)
    * Require new salt-netapi-client version
    * Clean grub2 reinstall entry in autoyast snippet (bsc#1199950)


spacewalk-search:

  o Version 4.2.8-1
    * Add methods to handle session id as String


spacewalk-web:

  o Version 4.2.29-1
    * CVE-2021-43138: Obtain privileges via the `mapValues()` method
      (bsc#1200480)
    * CVE-2021-42740: Command injection in the shell-quote package
      (bsc#1203287)
    * CVE-2022-31129: Denial of service in moment due to an inefficient
      parsing algorithm (bsc#1203288)
    * Fix table header layout for unselectable tables
    * Fix initial profile and build host on Image Build page (bsc#1199659)


subscription-matcher:

  o Added Guava maximum version requirement.


susemanager:

  o Version 4.2.37-1
    * Mark new dependencies for python-py optional in bootstrap repo to fix
      generation for older service packs (bsc#1203449)
  o Version 4.2.36-1
    * Add missing packages on SLES 15
    * Remove server-migrator.sh from SUSE Manager installations (bsc#1202728)
    * mgr-create-bootstrap-repo: flush directory also when called for a
      specific label (bsc#1200573)
    * Add missing packages on SLES 12 SP5 bootstrap repo (bsc#1201918)
    * Remove python-tornado from bootstrap repo, since no longer required for
      salt version >= 3000
    * Add openSUSE 15.4 product (bsc#1201527)
    * Add clients tool product to generate bootstrap repo on openSUSE 15.x
      (bsc#1201189)


susemanager-doc-indexes:

  o Documented mandatory channels in the Disconnected Setup chapter of the
    Administration Guide (bsc#1202464)
  o Documented how to onboard Ubuntu clients with the Salt bundle as a regular
    user
  o Documented how to onboard Debian clients with the Salt bundle or plain Salt
    as a regular user
  o Fixed the names of updates channels for Leap
  o Fixed errors in OpenSCAP chapter of Administration Guide
  o Added exact command to create the bootstrap repo for Salt bundle and about
    how to disable salt-thin
  o Removed CentOS 8 from the list of supported client systems
  o Extended the notes about using the noexec option for /tmp and /var/tmp
    (bsc#1201210)
  o Reverted single snippet change for two separate books
  o Added documentation on extending Salt Bundle functionality with Python
    packages using pip
  o Added missing part of the description to enable optional support of the
    Salt Bundle with Salt SSH
  o Added exact command to create the bootstrap repo for salt bundle and about
    how to disable salt-thin
  o Salt Configuration Modules are no longer Technology Preview in Salt Guide.
  o Fixed Ubuntu 18 Client registration in Client Configuration Guide
    (bsc#1201224)
  o Added ports 1232 and 1233 in the Ports section of the Installation and
    Upgrade Guide; required for Salt SSH Push (bsc#1200532)
  o In the Custom Channel section of the Administration Guide add a note about
    synchronizing repositories regularly.
  o Removed SUSE Linux Enterprise 11 from the list of supported client systems


susemanager-docs_en:

  o Documented mandatory channels in the Disconnected Setup chapter of the
    Administration Guide (bsc#1202464)
  o Documented how to onboard Ubuntu clients with the Salt bundle as a regular
    user
  o Documented how to onboard Debian clients with the Salt bundle or plain Salt
    as a regular user
  o Fixed the names of updates channels for Leap
  o Fixed errors in OpenSCAP chapter of Administration Guide
  o Added exact command to create the bootstrap repo for Salt bundle and about
    how to disable salt-thin
  o Removed CentOS 8 from the list of supported client systems
  o Extended the notes about using the noexec option for /tmp and /var/tmp
    (bsc#1201210)
  o Reverted single snippet change for two separate books
  o Added documentation on extending Salt Bundle functionality with Python
    packages using pip
  o Added missing part of the description to enable optional support of the
    Salt Bundle with Salt SSH
  o Added exact command to create the bootstrap repo for salt bundle and about
    how to disable salt-thin
  o Salt Configuration Modules are no longer Technology Preview in Salt Guide.
  o Fixed Ubuntu 18 Client registration in Client Configuration Guide
    (bsc#1201224)
  o Added ports 1232 and 1233 in the Ports section of the Installation and
    Upgrade Guide; required for Salt SSH Push (bsc#1200532)
  o In the Custom Channel section of the Administration Guide add a note about
    synchronizing repositories regularly.
  o Removed SUSE Linux Enterprise 11 from the list of supported client systems


susemanager-schema:

  o Version 4.2.24-1
    * Fix migration of image actions (bsc#1202272)


susemanager-sls:

  o Version 4.2.27-1
    * Copy grains file with util.mgr_switch_to_venv_minion state apply
    * Remove the message 'rpm: command not found' on using Salt SSH with
      Debian based systems which have no Salt Bundle
    * Prevent possible tracebacks on calling module.run from mgrcompat by
      setting proper globals with using LazyLoader
    * Fix deploy of SLE Micro CA Certificate (bsc#1200276)


uyuni-common-libs:

  o Version 4.2.7-1
    * Do not allow creating path if nonexistent user or group in fileutils.


How to apply this update:

  1. Log in as root user to the SUSE Manager server.
  2. Stop the Spacewalk service: `spacewalk-service stop`
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: `spacewalk-service start`

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for SUSE Manager Server 4.2:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-3314=1
  o SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.2-2022-3314=1
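
The four apply steps and the Server-module zypper command above, wrapped in a script that also checks afterwards that the patched packages are at the versions given in the package list; this is an added example, not code from SUSE or AusCERT. It assumes a SUSE Manager Server 4.2 host with spacewalk-service, zypper and rpm on the path; fixed_version, vercmp, is_fixed, apply_update and verify_host are helper names constructed for this example.

```shell
#!/bin/sh
# Added example (not from the SUSE/AusCERT bulletin): performs the four steps
# above for SUSE-SU-2022:3314-1 on a SUSE Manager Server 4.2 host, then checks
# that packages from the bulletin's package list are at their fixed versions.
# Assumes spacewalk-service, zypper and rpm are available (i.e. a real host).
set -eu

PATCH_ID="SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-3314=1"

# Fixed version-release strings, copied from the bulletin's package list
# (Server module, noarch). drools carries the CVE-2021-41411 fix; spacewalk-base
# is built at the spacewalk-web 4.2.29 version whose changelog lists the JS CVEs.
fixed_version() {
  case $1 in
    drools)         echo 7.17.0-150300.4.6.2 ;;
    spacewalk-base) echo 4.2.29-150300.3.27.3 ;;
    spacewalk-java) echo 4.2.41-150300.3.43.5 ;;
    *) return 1 ;;
  esac
}

# Compare two version-release strings of numeric fields split on '.' or '-'.
# Prints -1, 0 or 1. (Simplified: rpm's own comparison also handles letters
# and '~', which these particular packages do not use.)
vercmp() {
  printf '%s\n%s\n' "$1" "$2" | awk -F'[.-]' '
    NR == 1 { n = NF; for (i = 1; i <= NF; i++) a[i] = $i; next }
    { if (NF > n) n = NF
      for (i = 1; i <= n; i++) {
        x = a[i] + 0; y = $i + 0
        if (x < y) { print "-1"; exit }
        if (x > y) { print "1"; exit }
      }
      print "0" }'
}

# is_fixed <package> <installed version-release>: succeeds if at or above fixed.
is_fixed() {
  want=$(fixed_version "$1") || return 2
  [ "$(vercmp "$2" "$want")" -ge 0 ]
}

# Steps 1-4 of the bulletin: root check, stop, patch, start.
apply_update() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  spacewalk-service stop
  zypper --non-interactive in -t patch "$PATCH_ID"
  spacewalk-service start
}

# Post-check against the installed RPM database.
verify_host() {
  rc=0
  for p in drools spacewalk-base spacewalk-java; do
    have=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$p" 2>/dev/null) || { echo "$p: not installed"; continue; }
    if is_fixed "$p" "$have"; then echo "$p $have: fixed"
    else echo "$p $have: below $(fixed_version "$p")"; rc=1; fi
  done
  return $rc
}

case ${1:-} in
  apply) apply_update && verify_host ;;
  check) verify_host ;;
esac
```

Run as `./apply-3314.sh apply` on the server, or `./apply-3314.sh check` on any host to see whether it is still below the fixed versions.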

Package List:

  o SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x
    x86_64):
       inter-server-sync-0.2.3-150300.8.22.2
       inter-server-sync-debuginfo-0.2.3-150300.8.22.2
       patterns-suma_retail-4.2-150300.4.12.2
       patterns-suma_server-4.2-150300.4.12.2
       python3-uyuni-common-libs-4.2.7-150300.3.9.2
       susemanager-4.2.37-150300.3.41.1
       susemanager-tools-4.2.37-150300.3.41.1
  o SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):
       drools-7.17.0-150300.4.6.2
       httpcomponents-asyncclient-4.1.4-150300.3.3.2
       image-sync-formula-0.1.1661440526.b08d95b-150300.3.3.2
       py27-compat-salt-3000.3-150300.7.7.23.2
       python3-spacewalk-certs-tools-4.2.18-150300.3.24.3
       python3-spacewalk-client-tools-4.2.20-150300.4.24.3
       salt-netapi-client-0.20.0-150300.3.9.4
       saltboot-formula-0.1.1661440526.b08d95b-150300.3.12.2
       spacecmd-4.2.19-150300.4.27.2
       spacewalk-admin-4.2.12-150300.3.15.3
       spacewalk-backend-4.2.24-150300.4.29.5
       spacewalk-backend-app-4.2.24-150300.4.29.5
       spacewalk-backend-applet-4.2.24-150300.4.29.5
       spacewalk-backend-config-files-4.2.24-150300.4.29.5
       spacewalk-backend-config-files-common-4.2.24-150300.4.29.5
       spacewalk-backend-config-files-tool-4.2.24-150300.4.29.5
       spacewalk-backend-iss-4.2.24-150300.4.29.5
       spacewalk-backend-iss-export-4.2.24-150300.4.29.5
       spacewalk-backend-package-push-server-4.2.24-150300.4.29.5
       spacewalk-backend-server-4.2.24-150300.4.29.5
       spacewalk-backend-sql-4.2.24-150300.4.29.5
       spacewalk-backend-sql-postgresql-4.2.24-150300.4.29.5
       spacewalk-backend-tools-4.2.24-150300.4.29.5
       spacewalk-backend-xml-export-libs-4.2.24-150300.4.29.5
       spacewalk-backend-xmlrpc-4.2.24-150300.4.29.5
       spacewalk-base-4.2.29-150300.3.27.3
       spacewalk-base-minimal-4.2.29-150300.3.27.3
       spacewalk-base-minimal-config-4.2.29-150300.3.27.3
       spacewalk-certs-tools-4.2.18-150300.3.24.3
       spacewalk-client-tools-4.2.20-150300.4.24.3
       spacewalk-html-4.2.29-150300.3.27.3
       spacewalk-java-4.2.41-150300.3.43.5
       spacewalk-java-config-4.2.41-150300.3.43.5
       spacewalk-java-lib-4.2.41-150300.3.43.5
       spacewalk-java-postgresql-4.2.41-150300.3.43.5
       spacewalk-search-4.2.8-150300.3.12.2
       spacewalk-taskomatic-4.2.41-150300.3.43.5
       subscription-matcher-0.29-150300.6.12.2
       susemanager-doc-indexes-4.2-150300.12.33.4
       susemanager-docs_en-4.2-150300.12.33.2
       susemanager-docs_en-pdf-4.2-150300.12.33.2
       susemanager-schema-4.2.24-150300.3.27.3
       susemanager-sls-4.2.27-150300.3.33.4
       uyuni-config-modules-4.2.27-150300.3.33.4
  o SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (x86_64):
       patterns-suma_proxy-4.2-150300.4.12.2
       python3-uyuni-common-libs-4.2.7-150300.3.9.2
  o SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (noarch):
       mgr-daemon-4.2.10-150300.2.9.4
       python3-spacewalk-certs-tools-4.2.18-150300.3.24.3
       python3-spacewalk-check-4.2.20-150300.4.24.3
       python3-spacewalk-client-setup-4.2.20-150300.4.24.3
       python3-spacewalk-client-tools-4.2.20-150300.4.24.3
       spacecmd-4.2.19-150300.4.27.2
       spacewalk-backend-4.2.24-150300.4.29.5
       spacewalk-base-minimal-4.2.29-150300.3.27.3
       spacewalk-base-minimal-config-4.2.29-150300.3.27.3
       spacewalk-certs-tools-4.2.18-150300.3.24.3
       spacewalk-check-4.2.20-150300.4.24.3
       spacewalk-client-setup-4.2.20-150300.4.24.3
       spacewalk-client-tools-4.2.20-150300.4.24.3
       spacewalk-proxy-broker-4.2.12-150300.3.21.3
       spacewalk-proxy-common-4.2.12-150300.3.21.3
       spacewalk-proxy-management-4.2.12-150300.3.21.3
       spacewalk-proxy-package-manager-4.2.12-150300.3.21.3
       spacewalk-proxy-redirect-4.2.12-150300.3.21.3
       spacewalk-proxy-salt-4.2.12-150300.3.21.3
       susemanager-tftpsync-recv-4.2.5-150300.3.6.2


References:

  o https://www.suse.com/security/cve/CVE-2021-41411.html
  o https://www.suse.com/security/cve/CVE-2021-42740.html
  o https://www.suse.com/security/cve/CVE-2021-43138.html
  o https://www.suse.com/security/cve/CVE-2022-31129.html
  o https://bugzilla.suse.com/1172705
  o https://bugzilla.suse.com/1187028
  o https://bugzilla.suse.com/1195455
  o https://bugzilla.suse.com/1195895
  o https://bugzilla.suse.com/1196729
  o https://bugzilla.suse.com/1198168
  o https://bugzilla.suse.com/1198489
  o https://bugzilla.suse.com/1198738
  o https://bugzilla.suse.com/1198903
  o https://bugzilla.suse.com/1199372
  o https://bugzilla.suse.com/1199659
  o https://bugzilla.suse.com/1199913
  o https://bugzilla.suse.com/1199950
  o https://bugzilla.suse.com/1200276
  o https://bugzilla.suse.com/1200296
  o https://bugzilla.suse.com/1200480
  o https://bugzilla.suse.com/1200532
  o https://bugzilla.suse.com/1200573
  o https://bugzilla.suse.com/1200591
  o https://bugzilla.suse.com/1200629
  o https://bugzilla.suse.com/1201142
  o https://bugzilla.suse.com/1201189
  o https://bugzilla.suse.com/1201210
  o https://bugzilla.suse.com/1201220
  o https://bugzilla.suse.com/1201224
  o https://bugzilla.suse.com/1201527
  o https://bugzilla.suse.com/1201606
  o https://bugzilla.suse.com/1201607
  o https://bugzilla.suse.com/1201626
  o https://bugzilla.suse.com/1201753
  o https://bugzilla.suse.com/1201913
  o https://bugzilla.suse.com/1201918
  o https://bugzilla.suse.com/1202142
  o https://bugzilla.suse.com/1202272
  o https://bugzilla.suse.com/1202464
  o https://bugzilla.suse.com/1202724
  o https://bugzilla.suse.com/1202728
  o https://bugzilla.suse.com/1203287
  o https://bugzilla.suse.com/1203288
  o https://bugzilla.suse.com/1203449

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================