Security update for SUSE Manager Server 3.2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:0856-1 Final 1 1 2020-04-02T14:48:30Z current 2020-04-02T14:48:30Z 2020-04-02T14:48:30Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SUSE Manager Server 3.2 This update fixes the following issues: py26-compat-salt: - Replace pycrypto with M2Crypto as dependency for SLE15+ (bsc#1165425) redstone-xmlrpc: - Disable external entity parsing (1790381, bsc#1164120, CVE-2020-1693) - Do not download external entities (1555429, bsc#1085414, CVE-2018-1077) spacecmd: - Bugfix: attempt to purge SSM when it is empty (bsc#1155372) spacewalk-admin: - Spell correctly 'successful' and 'successfully' spacewalk-backend: - When downloading repo metadata, don't add '/' to the repo url if it already ends with one (bsc#1158899) - Enhance suseProducts via ISS to fix SP migration on slave server (bsc#1159184) spacewalk-certs-tools: - Add minion option in config file to disable salt mine when generated by bootstrap script (bsc#1163001) spacewalk-client-tools: - Do not crash 'mgr-update-status' because 'long' type is not defined in Python 3 - Add workaround for uptime overflow to spacewalk-update-status as well (bsc#1165921) - Spell correctly 'successful' and 'successfully' spacewalk-java: - Fix error when adding systems to ssm with 'add to ssm' button (bsc#1160246) - Validate the suseproductchannel table and update missing date when running mgr-sync refresh (bsc#1163538) - Read the subscriptions from the output instead of input (bsc#1140332) - Show additional headers and dependencies for deb packages - Use channel name from product tree instead of constructing it (bsc#1157317) spacewalk-setup: - Spell correctly 'successful' and 'successfully' spacewalk-utils: - Check for delimiter as well when detecting current phase (bsc#1164771) spacewalk-web: - Report merge_subscriptions message in a readable way (bsc#1140332) subscription-matcher: - Add missing library for SLE15 SP2 (slf4j-log4j12) - Make the code usable with Math3 on SLES - Use log4j12 package on newer SLE versions - Aggregate stackable subscriptions with same parameters - Implement new 'swap move' used in optaplanner (bsc#1140332) - Enable aarch64 builds, except for SLE < 15 susemanager: - Fix salt bootstrapping on SLE15 (require python3-pycrypto or python3-M2Crypto to support all variants) (bsc#1164563) - Add bootstrap-repo data for OES 2018 SP2 (bsc#1161862) - Add bootstrap-repo data for SLE15 SP2 Family susemanager-sls: - Adapt 'mgractionchains' module to work with Salt 3000 - Do not workaround util.syncmodules for SSH minions (bsc#1162609) - Force to run util.synccustomall when triggering action chains on SSH minions (bsc#1162683). susemanager-sync-data: - Add OES 2018 SP2 (bsc#1161862) - Rename RHEL 8 Base product - Change channel family name according to SCC data How to apply this update: 1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk service: spacewalk-service stop 3. Apply the patch using either zypper patch or YaST Online Update. 4. Upgrade the database schema: spacewalk-schema-upgrade 5. Start the Spacewalk service: spacewalk-service start The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-856,SUSE-SUSE-Manager-Server-3.2-2020-856 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20200856-1/ Link for SUSE-SU-2020:0856-1 https://lists.suse.com/pipermail/sle-security-updates/2020-April/006669.html E-Mail link for SUSE-SU-2020:0856-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1085414 SUSE Bug 1085414 https://bugzilla.suse.com/1140332 SUSE Bug 1140332 https://bugzilla.suse.com/1155372 SUSE Bug 1155372 https://bugzilla.suse.com/1157317 SUSE Bug 1157317 https://bugzilla.suse.com/1158899 SUSE Bug 1158899 https://bugzilla.suse.com/1159184 SUSE Bug 1159184 https://bugzilla.suse.com/1160246 SUSE Bug 1160246 https://bugzilla.suse.com/1161862 SUSE Bug 1161862 https://bugzilla.suse.com/1162609 SUSE Bug 1162609 https://bugzilla.suse.com/1162683 SUSE Bug 1162683 https://bugzilla.suse.com/1163001 SUSE Bug 1163001 https://bugzilla.suse.com/1163538 SUSE Bug 1163538 https://bugzilla.suse.com/1164120 SUSE Bug 1164120 https://bugzilla.suse.com/1164563 SUSE Bug 1164563 https://bugzilla.suse.com/1164771 SUSE Bug 1164771 https://bugzilla.suse.com/1165425 SUSE Bug 1165425 https://bugzilla.suse.com/1165921 SUSE Bug 1165921 https://www.suse.com/security/cve/CVE-2018-1077/ SUSE CVE CVE-2018-1077 page https://www.suse.com/security/cve/CVE-2020-1693/ SUSE CVE CVE-2020-1693 page SUSE Manager Server 3.2 py26-compat-salt-2016.11.10-6.35.1 python2-spacewalk-certs-tools-2.8.8.14-3.23.1 python2-spacewalk-check-2.8.22.7-3.12.1 python2-spacewalk-client-setup-2.8.22.7-3.12.1 python2-spacewalk-client-tools-2.8.22.7-3.12.1 redstone-xmlrpc-1.1_20071120-0.11.3.1 spacecmd-2.8.25.14-3.32.1 spacewalk-admin-2.8.4.6-3.12.1 spacewalk-backend-2.8.57.22-3.48.1 spacewalk-backend-app-2.8.57.22-3.48.1 spacewalk-backend-applet-2.8.57.22-3.48.1 spacewalk-backend-cdn-2.8.57.22-3.48.1 spacewalk-backend-config-files-2.8.57.22-3.48.1 spacewalk-backend-config-files-common-2.8.57.22-3.48.1 spacewalk-backend-config-files-tool-2.8.57.22-3.48.1 spacewalk-backend-iss-2.8.57.22-3.48.1 spacewalk-backend-iss-export-2.8.57.22-3.48.1 spacewalk-backend-libs-2.8.57.22-3.48.1 spacewalk-backend-package-push-server-2.8.57.22-3.48.1 spacewalk-backend-server-2.8.57.22-3.48.1 spacewalk-backend-sql-2.8.57.22-3.48.1 spacewalk-backend-sql-oracle-2.8.57.22-3.48.1 spacewalk-backend-sql-postgresql-2.8.57.22-3.48.1 spacewalk-backend-tools-2.8.57.22-3.48.1 spacewalk-backend-xml-export-libs-2.8.57.22-3.48.1 spacewalk-backend-xmlrpc-2.8.57.22-3.48.1 spacewalk-base-2.8.7.23-3.45.1 spacewalk-base-minimal-2.8.7.23-3.45.1 spacewalk-base-minimal-config-2.8.7.23-3.45.1 spacewalk-certs-tools-2.8.8.14-3.23.1 spacewalk-check-2.8.22.7-3.12.1 spacewalk-client-setup-2.8.22.7-3.12.1 spacewalk-client-tools-2.8.22.7-3.12.1 spacewalk-dobby-2.8.7.23-3.45.1 spacewalk-html-2.8.7.23-3.45.1 spacewalk-java-2.8.78.28-3.47.1 spacewalk-java-apidoc-sources-2.8.78.28-3.47.1 spacewalk-java-config-2.8.78.28-3.47.1 spacewalk-java-lib-2.8.78.28-3.47.1 spacewalk-java-oracle-2.8.78.28-3.47.1 spacewalk-java-postgresql-2.8.78.28-3.47.1 spacewalk-setup-2.8.7.10-3.25.1 spacewalk-taskomatic-2.8.78.28-3.47.1 spacewalk-utils-2.8.18.6-3.12.1 subscription-matcher-0.25-4.15.1 subscription-matcher-kit-ace4a108348a0be2f81ecd121d16dc26401f424c-3.6.1 susemanager-3.2.23-3.40.2 susemanager-sls-3.2.30-3.44.1 susemanager-sync-data-3.2.19-3.35.1 susemanager-tools-3.2.23-3.40.2 susemanager-web-libs-2.8.7.23-3.45.1 py26-compat-salt-2016.11.10-6.35.1 as a component of SUSE Manager Server 3.2 python2-spacewalk-certs-tools-2.8.8.14-3.23.1 as a component of SUSE Manager Server 3.2 python2-spacewalk-client-tools-2.8.22.7-3.12.1 as a component of SUSE Manager Server 3.2 redstone-xmlrpc-1.1_20071120-0.11.3.1 as a component of SUSE Manager Server 3.2 spacecmd-2.8.25.14-3.32.1 as a component of SUSE Manager Server 3.2 spacewalk-admin-2.8.4.6-3.12.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-app-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-applet-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-config-files-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-config-files-common-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-config-files-tool-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-iss-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-iss-export-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-libs-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-package-push-server-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-server-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-sql-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-sql-oracle-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-sql-postgresql-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-tools-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-xml-export-libs-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-backend-xmlrpc-2.8.57.22-3.48.1 as a component of SUSE Manager Server 3.2 spacewalk-base-2.8.7.23-3.45.1 as a component of SUSE Manager Server 3.2 spacewalk-base-minimal-2.8.7.23-3.45.1 as a component of SUSE Manager Server 3.2 spacewalk-base-minimal-config-2.8.7.23-3.45.1 as a component of SUSE Manager Server 3.2 spacewalk-certs-tools-2.8.8.14-3.23.1 as a component of SUSE Manager Server 3.2 spacewalk-client-tools-2.8.22.7-3.12.1 as a component of SUSE Manager Server 3.2 spacewalk-html-2.8.7.23-3.45.1 as a component of SUSE Manager Server 3.2 spacewalk-java-2.8.78.28-3.47.1 as a component of SUSE Manager Server 3.2 spacewalk-java-config-2.8.78.28-3.47.1 as a component of SUSE Manager Server 3.2 spacewalk-java-lib-2.8.78.28-3.47.1 as a component of SUSE Manager Server 3.2 spacewalk-java-oracle-2.8.78.28-3.47.1 as a component of SUSE Manager Server 3.2 spacewalk-java-postgresql-2.8.78.28-3.47.1 as a component of SUSE Manager Server 3.2 spacewalk-setup-2.8.7.10-3.25.1 as a component of SUSE Manager Server 3.2 spacewalk-taskomatic-2.8.78.28-3.47.1 as a component of SUSE Manager Server 3.2 spacewalk-utils-2.8.18.6-3.12.1 as a component of SUSE Manager Server 3.2 subscription-matcher-0.25-4.15.1 as a component of SUSE Manager Server 3.2 susemanager-3.2.23-3.40.2 as a component of SUSE Manager Server 3.2 susemanager-sls-3.2.30-3.44.1 as a component of SUSE Manager Server 3.2 susemanager-sync-data-3.2.19-3.35.1 as a component of SUSE Manager Server 3.2 susemanager-tools-3.2.23-3.40.2 as a component of SUSE Manager Server 3.2 susemanager-web-libs-2.8.7.23-3.45.1 as a component of SUSE Manager Server 3.2 Spacewalk 2.6 contains an API which has an XXE flaw allowing for the disclosure of potentially sensitive information from the server. CVE-2018-1077 SUSE Manager Server 3.2:py26-compat-salt-2016.11.10-6.35.1 SUSE Manager Server 3.2:python2-spacewalk-certs-tools-2.8.8.14-3.23.1 SUSE Manager Server 3.2:python2-spacewalk-client-tools-2.8.22.7-3.12.1 SUSE Manager Server 3.2:redstone-xmlrpc-1.1_20071120-0.11.3.1 SUSE Manager Server 3.2:spacecmd-2.8.25.14-3.32.1 SUSE Manager Server 3.2:spacewalk-admin-2.8.4.6-3.12.1 SUSE Manager Server 3.2:spacewalk-backend-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-app-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-applet-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-config-files-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-config-files-common-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-config-files-tool-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-iss-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-iss-export-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-libs-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-package-push-server-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-server-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-sql-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-sql-oracle-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-sql-postgresql-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-tools-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-xml-export-libs-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-xmlrpc-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-base-2.8.7.23-3.45.1 SUSE Manager Server 3.2:spacewalk-base-minimal-2.8.7.23-3.45.1 SUSE Manager Server 3.2:spacewalk-base-minimal-config-2.8.7.23-3.45.1 SUSE Manager Server 3.2:spacewalk-certs-tools-2.8.8.14-3.23.1 SUSE Manager Server 3.2:spacewalk-client-tools-2.8.22.7-3.12.1 SUSE Manager Server 3.2:spacewalk-html-2.8.7.23-3.45.1 SUSE Manager Server 3.2:spacewalk-java-2.8.78.28-3.47.1 SUSE Manager Server 3.2:spacewalk-java-config-2.8.78.28-3.47.1 SUSE Manager Server 3.2:spacewalk-java-lib-2.8.78.28-3.47.1 SUSE Manager Server 3.2:spacewalk-java-oracle-2.8.78.28-3.47.1 SUSE Manager Server 3.2:spacewalk-java-postgresql-2.8.78.28-3.47.1 SUSE Manager Server 3.2:spacewalk-setup-2.8.7.10-3.25.1 SUSE Manager Server 3.2:spacewalk-taskomatic-2.8.78.28-3.47.1 SUSE Manager Server 3.2:spacewalk-utils-2.8.18.6-3.12.1 SUSE Manager Server 3.2:subscription-matcher-0.25-4.15.1 SUSE Manager Server 3.2:susemanager-3.2.23-3.40.2 SUSE Manager Server 3.2:susemanager-sls-3.2.30-3.44.1 SUSE Manager Server 3.2:susemanager-sync-data-3.2.19-3.35.1 SUSE Manager Server 3.2:susemanager-tools-3.2.23-3.40.2 SUSE Manager Server 3.2:susemanager-web-libs-2.8.7.23-3.45.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20200856-1/ https://www.suse.com/security/cve/CVE-2018-1077.html CVE-2018-1077 https://bugzilla.suse.com/1085414 SUSE Bug 1085414 A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbitrary code on the Spacewalk server. CVE-2020-1693 SUSE Manager Server 3.2:py26-compat-salt-2016.11.10-6.35.1 SUSE Manager Server 3.2:python2-spacewalk-certs-tools-2.8.8.14-3.23.1 SUSE Manager Server 3.2:python2-spacewalk-client-tools-2.8.22.7-3.12.1 SUSE Manager Server 3.2:redstone-xmlrpc-1.1_20071120-0.11.3.1 SUSE Manager Server 3.2:spacecmd-2.8.25.14-3.32.1 SUSE Manager Server 3.2:spacewalk-admin-2.8.4.6-3.12.1 SUSE Manager Server 3.2:spacewalk-backend-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-app-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-applet-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-config-files-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-config-files-common-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-config-files-tool-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-iss-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-iss-export-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-libs-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-package-push-server-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-server-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-sql-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-sql-oracle-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-sql-postgresql-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-tools-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-xml-export-libs-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-backend-xmlrpc-2.8.57.22-3.48.1 SUSE Manager Server 3.2:spacewalk-base-2.8.7.23-3.45.1 SUSE Manager Server 3.2:spacewalk-base-minimal-2.8.7.23-3.45.1 SUSE Manager Server 3.2:spacewalk-base-minimal-config-2.8.7.23-3.45.1 SUSE Manager Server 3.2:spacewalk-certs-tools-2.8.8.14-3.23.1 SUSE Manager Server 3.2:spacewalk-client-tools-2.8.22.7-3.12.1 SUSE Manager Server 3.2:spacewalk-html-2.8.7.23-3.45.1 SUSE Manager Server 3.2:spacewalk-java-2.8.78.28-3.47.1 SUSE Manager Server 3.2:spacewalk-java-config-2.8.78.28-3.47.1 SUSE Manager Server 3.2:spacewalk-java-lib-2.8.78.28-3.47.1 SUSE Manager Server 3.2:spacewalk-java-oracle-2.8.78.28-3.47.1 SUSE Manager Server 3.2:spacewalk-java-postgresql-2.8.78.28-3.47.1 SUSE Manager Server 3.2:spacewalk-setup-2.8.7.10-3.25.1 SUSE Manager Server 3.2:spacewalk-taskomatic-2.8.78.28-3.47.1 SUSE Manager Server 3.2:spacewalk-utils-2.8.18.6-3.12.1 SUSE Manager Server 3.2:subscription-matcher-0.25-4.15.1 SUSE Manager Server 3.2:susemanager-3.2.23-3.40.2 SUSE Manager Server 3.2:susemanager-sls-3.2.30-3.44.1 SUSE Manager Server 3.2:susemanager-sync-data-3.2.19-3.35.1 SUSE Manager Server 3.2:susemanager-tools-3.2.23-3.40.2 SUSE Manager Server 3.2:susemanager-web-libs-2.8.7.23-3.45.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20200856-1/ https://www.suse.com/security/cve/CVE-2020-1693.html CVE-2020-1693 https://bugzilla.suse.com/1164120 SUSE Bug 1164120