Recommended update for SUSE Manager 4.2.2 Release Notes SUSE Patch security@suse.de SUSE Security Team SUSE-RU-2021:3162-1 Final 1 1 2021-09-20T15:24:13Z current 2021-09-20T15:24:13Z 2021-09-20T15:24:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Recommended update for SUSE Manager 4.2.2 Release Notes This update for SUSE Manager 4.2.2 Release Notes provides the following additions: Release notes for SUSE Manager: - Update to 4.2.2 * SUSE Manager is now able to manage Rocky Linux 8 clients * Tech Preview: Inter-Server Sync V2 * Bugs mentioned bsc#1171483, bsc#1173143, bsc#1181223, bsc#1186281, bsc#1186339, bsc#1187335, bsc#1187549, bsc#1188032, bsc#1188042, bsc#1188136, bsc#1188163, bsc#1188193, bsc#1188260, bsc#1188393, bsc#1188400, bsc#1188503, bsc#1188505, bsc#1188551, bsc#1188641, bsc#1188647, bsc#1188656, bsc#1188853, bsc#1188855, bsc#1189011, bsc#1189040, bsc#1189167, bsc#1189419, bsc#1189458, - CVE-2021-40323: Fixed an arbitrary file disclosure/Template Injection (bsc#1189458) - CVE-2021-40324: Fixed an arbitrary file write (bsc#1189458) - CVE-2021-40325: Fixed a problem with the token validation (bsc#1189458) - Please note that with these changes, a valid log data from Anamon (Red Hat Autoinstallation Process) uploaded to cobbler may be rejected. Release notes for SUSE Manager proxy: - Update to 4.2.2 * Bugs mentioned bsc#1181223, bsc#1186026, bsc#1188042, bsc#1189011, bsc#1189263 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-3162,SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2021-3162,SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.2-2021-3162,SUSE-SLE-Product-SUSE-Manager-Server-4.2-2021-3162 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/-2021-3162/suse-ru-20213162-1/ Link for SUSE-RU-2021:3162-1 https://lists.suse.com/pipermail/sle-updates/2021-September/020230.html E-Mail link for SUSE-RU-2021:3162-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1171483 SUSE Bug 1171483 https://bugzilla.suse.com/1173143 SUSE Bug 1173143 https://bugzilla.suse.com/1181223 SUSE Bug 1181223 https://bugzilla.suse.com/1186026 SUSE Bug 1186026 https://bugzilla.suse.com/1186281 SUSE Bug 1186281 https://bugzilla.suse.com/1186339 SUSE Bug 1186339 https://bugzilla.suse.com/1187335 SUSE Bug 1187335 https://bugzilla.suse.com/1187549 SUSE Bug 1187549 https://bugzilla.suse.com/1188032 SUSE Bug 1188032 https://bugzilla.suse.com/1188042 SUSE Bug 1188042 https://bugzilla.suse.com/1188136 SUSE Bug 1188136 https://bugzilla.suse.com/1188163 SUSE Bug 1188163 https://bugzilla.suse.com/1188193 SUSE Bug 1188193 https://bugzilla.suse.com/1188260 SUSE Bug 1188260 https://bugzilla.suse.com/1188393 SUSE Bug 1188393 https://bugzilla.suse.com/1188400 SUSE Bug 1188400 https://bugzilla.suse.com/1188503 SUSE Bug 1188503 https://bugzilla.suse.com/1188505 SUSE Bug 1188505 https://bugzilla.suse.com/1188551 SUSE Bug 1188551 https://bugzilla.suse.com/1188641 SUSE Bug 1188641 https://bugzilla.suse.com/1188647 SUSE Bug 1188647 https://bugzilla.suse.com/1188656 SUSE Bug 1188656 https://bugzilla.suse.com/1188853 SUSE Bug 1188853 https://bugzilla.suse.com/1188855 SUSE Bug 1188855 https://bugzilla.suse.com/1189011 SUSE Bug 1189011 https://bugzilla.suse.com/1189040 SUSE Bug 1189040 https://bugzilla.suse.com/1189167 SUSE Bug 1189167 https://bugzilla.suse.com/1189263 SUSE Bug 1189263 https://bugzilla.suse.com/1189419 SUSE Bug 1189419 https://bugzilla.suse.com/1189458 SUSE Bug 1189458 https://www.suse.com/security/cve/CVE-2021-40323/ SUSE CVE CVE-2021-40323 page https://www.suse.com/security/cve/CVE-2021-40324/ SUSE CVE CVE-2021-40324 page https://www.suse.com/security/cve/CVE-2021-40325/ SUSE CVE CVE-2021-40325 page SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.2 release-notes-susemanager-4.2.2-3.12.1 release-notes-susemanager-proxy-4.2.2-3.12.1 release-notes-susemanager-proxy-4.2.2-3.12.1 as a component of SUSE Manager Proxy 4.2 release-notes-susemanager-proxy-4.2.2-3.12.1 as a component of SUSE Manager Retail Branch Server 4.2 release-notes-susemanager-4.2.2-3.12.1 as a component of SUSE Manager Server 4.2 Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection. CVE-2021-40323 SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.2-3.12.1 SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.2-3.12.1 SUSE Manager Server 4.2:release-notes-susemanager-4.2.2-3.12.1 low 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/-2021-3162/suse-ru-20213162-1/ https://www.suse.com/security/cve/CVE-2021-40323.html CVE-2021-40323 https://bugzilla.suse.com/1189458 SUSE Bug 1189458 Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. CVE-2021-40324 SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.2-3.12.1 SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.2-3.12.1 SUSE Manager Server 4.2:release-notes-susemanager-4.2.2-3.12.1 low 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/-2021-3162/suse-ru-20213162-1/ https://www.suse.com/security/cve/CVE-2021-40324.html CVE-2021-40324 Cobbler before 3.3.0 allows authorization bypass for modification of settings. CVE-2021-40325 SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.2-3.12.1 SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.2-3.12.1 SUSE Manager Server 4.2:release-notes-susemanager-4.2.2-3.12.1 low 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/-2021-3162/suse-ru-20213162-1/ https://www.suse.com/security/cve/CVE-2021-40325.html CVE-2021-40325