SUSE Security Update: Security update for SUSE Manager Server 4.0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0448-1
Rating:             moderate
References:         #1164227 #1164451 #1171836 #1176018 #1176417 
                    #1176823 #1176898 #1176906 #1177031 #1177184 
                    #1177336 #1177508 #1178303 #1178503 #1178647 
                    #1178839 #1179087 #1179273 #1179410 #1179552 
                    #1179589 #1179872 #1179990 #1180001 #1180127 
                    #1180285 #1180803 #1181356 
Cross-References:   CVE-2021-23901
CVSS scores:
                    CVE-2021-23901 (NVD) : 9.1
 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________

   An update that solves one vulnerability and has 27 fixes is
   now available.

Description:

   This update fixes the following issues:

   cpu-mitigations-formula:

   - Handle unsupported target systems gracefully (bsc#1179273)
   - add mitigations for Xen hypervisor

   nutch-core:

   - Fix XXE injection in DmozParser CVE-2021-23901 (bsc#1181356)

   smdba:

   - Do not remove the database if there is no backup and deal with manifest
   - Fix smdba throws error on mgr-setup/installation
   - Raise an exception on failed external process call
   - Fix TablePrint formatting
   - Rename configuration parameter wal_keep_segments to wal_keep_size
     (jsc#SLE-17030)
   - Revert modifying cpu_tuple_cost
   - Adapted spec file for RHEL8
   - Adapt recover mechanism for postgresql12 and later

   spacecmd:

   - Fix spacecmd with no parameters produces traceback on SLE 11 SP4
     (bsc#1176823)

   spacewalk-backend:

   - Reposync: Fixed Kickstart functionality.
   - Reposync: Fixed URLGrabber error handling.
   - Reposync: Fix modular data handling for cloned channels (bsc#1177508)
   - Truncate author name in the changelog (bsc#1180285)
   - Drop Transfer-Encoding header from proxy respone to fix error response
     messages (bsc#1176906)
   - Prevent tracebacks on missing mail configuration (bsc#1179990)
   - Fix pycurl.error handling in suseLib.py (bsc#1179990)
   - Use sanitized repo label to build reposync repo cache path (bsc#1179410)
   - Quote the proxy settings to be used by Zypper (bsc#1179087)
   - Fix spacewalk-repo-sync to successfully manage and sync ULN repositories
   - Fix errors in spacewalk-debug and align postgresql queries to new DB
     version

   spacewalk-branding:

   - Set Copyright year to 2021

   spacewalk-certs-tools:

   - Improve check for correct CA trust store directory (bsc#1176417)

   spacewalk-java:

   - Fix modular data handling for cloned channels (bsc#1177508)
   - Fix reboot action race condition (bsc#1177031)
   - Fix availability check for debian repositories (bsc#1180127)
   - Ignore duplicate NEVRAs in package profile update (bsc#1176018)
   - Prevent deletion of CLM environments if they're used in an
     autoinstallation profile (bsc#1179552)
   - Register saltkey XMLRPC handler and fix behavior of delete salt key
     (bsc#1179872)
   - Add validation for custom repository labels
   - Fix expanded support detection based on CentOS installations
     (bsc#1179589)
   - Add translation strings for newly added countries and timezones
     (jsc#PM-2081)
   - Fix the activation key handling from kickstart profile (bsc#1178647)
   - Update exception message in findSyncedMandatoryChannels
   - Fix check for available products on ISS Slaves (bsc#1177184)
   - Get media.1/products for cloned channels (bsc#1178303)
   - Calculate size to truncate a history message based on the htmlified
     version (bsc#1178503)
   - Change message "Minion is down" to be more accurate
   - XMLRPC: Report architecture label in the list of installed packages
     (bsc#1176898)

   spacewalk-reports:

   - Fixes no file content in `spacewalk-report config-files`
   - Write `<binary data>` placeholder instead of dumping binary data

   spacewalk-utils:

   - Fix modular data handling for cloned channels (bsc#1177508)

   spacewalk-web:

   - Prevent deletion of CLM environments if they're used in an
     autoinstallation profile (bsc#1179552)
   - Fix mandatory channels JS API to finish loading in case of error
     (bsc#1178839)

   supportutils-plugin-susemanager:

   - Remove checks for obsolete packages
   - Gather new configfiles
   - Add more important informations

   susemanager-doc-indexes:

   - Added new section for bootstrap repository for end of life products in
     Client Configuration Guide
   - Remove old certs before renaming moved to Administration Guide
     (bsc#1171836)
   - Fixed error in Create and Replace CA and Server Certificates of
     Administration Guide (bsc#1180001)
   - Combining activation keys works only with traditional clients. Updated
     in Client Configuration Guide and Reference. (bsc#1164451)

   susemanager-docs_en:

   - Added new section for bootstrap repository for end of life products in
     Client Configuration Guide
   - Remove old certs before renaming moved to Administration Guide
     (bsc#1171836)
   - Fixed error in Create and Replace CA and Server Certificates of
     Administration Guide (bsc#1180001)
   - Combining activation keys works only with traditional clients. Updated
     Client Configuration Guide and Reference. (bsc#1164451)

   susemanager-frontend-libs:

   - Update Bootstrap to 3.1.0

   susemanager-schema:

   - Add new valid countries and timezones (jsc#PM-2081)

   susemanager-sls:

   - Fix apt login for similar channel labels (bsc#1180803)
   - Change behavior of mgrcompat wrapper after deprecation changes on Salt
     3002
   - Make autoinstallation provisoning compatible with GRUB and ELILO in
     addition to GRUB2 only (bsc#1164227)
   - Fix: sync before start action chains (bsc#1177336)

   susemanager-sync-data:

   - Change centos 6 URLs to vault.centos.org
   - Add new channel families for CAASP on ARM64 and HPC15 SP2 LTSS
   - Remove duplicate repo definition

   How to apply this update:

   1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk
   service: `spacewalk-service stop` 3. Apply the patch using either zypper
   patch or YaST Online Update. 4. Upgrade the database schema:
   `spacewalk-schema-upgrade` 5. Start the Spacewalk service:
   `spacewalk-service start`


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
 methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2021-448=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x
 x86_64):

      smdba-1.7.8-0.3.3.2
      spacewalk-branding-4.0.19-3.21.3

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):

      cpu-mitigations-formula-0.3-4.9.2
      nutch-core-1.0.1-4.5.2
      python3-spacewalk-backend-libs-4.0.36-3.41.2
      python3-spacewalk-certs-tools-4.0.18-3.24.2
      spacecmd-4.0.22-3.25.2
      spacewalk-backend-4.0.36-3.41.2
      spacewalk-backend-app-4.0.36-3.41.2
      spacewalk-backend-applet-4.0.36-3.41.2
      spacewalk-backend-config-files-4.0.36-3.41.2
      spacewalk-backend-config-files-common-4.0.36-3.41.2
      spacewalk-backend-config-files-tool-4.0.36-3.41.2
      spacewalk-backend-iss-4.0.36-3.41.2
      spacewalk-backend-iss-export-4.0.36-3.41.2
      spacewalk-backend-package-push-server-4.0.36-3.41.2
      spacewalk-backend-server-4.0.36-3.41.2
      spacewalk-backend-sql-4.0.36-3.41.2
      spacewalk-backend-sql-postgresql-4.0.36-3.41.2
      spacewalk-backend-tools-4.0.36-3.41.2
      spacewalk-backend-xml-export-libs-4.0.36-3.41.2
      spacewalk-backend-xmlrpc-4.0.36-3.41.2
      spacewalk-base-4.0.26-3.39.3
      spacewalk-base-minimal-4.0.26-3.39.3
      spacewalk-base-minimal-config-4.0.26-3.39.3
      spacewalk-certs-tools-4.0.18-3.24.2
      spacewalk-html-4.0.26-3.39.3
      spacewalk-java-4.0.41-3.51.2
      spacewalk-java-config-4.0.41-3.51.2
      spacewalk-java-lib-4.0.41-3.51.2
      spacewalk-java-postgresql-4.0.41-3.51.2
      spacewalk-reports-4.0.6-3.3.2
      spacewalk-taskomatic-4.0.41-3.51.2
      spacewalk-utils-4.0.19-3.24.2
      supportutils-plugin-susemanager-4.0.5-3.6.2
      susemanager-doc-indexes-4.0-10.30.2
      susemanager-docs_en-4.0-10.30.2
      susemanager-docs_en-pdf-4.0-10.30.2
      susemanager-frontend-libs-4.0.3-4.6.2
      susemanager-schema-4.0.24-3.35.2
      susemanager-sls-4.0.32-3.40.2
      susemanager-sync-data-4.0.20-3.32.2
      susemanager-web-libs-4.0.26-3.39.3


References:

   https://www.suse.com/security/cve/CVE-2021-23901.html
   https://bugzilla.suse.com/1164227
   https://bugzilla.suse.com/1164451
   https://bugzilla.suse.com/1171836
   https://bugzilla.suse.com/1176018
   https://bugzilla.suse.com/1176417
   https://bugzilla.suse.com/1176823
   https://bugzilla.suse.com/1176898
   https://bugzilla.suse.com/1176906
   https://bugzilla.suse.com/1177031
   https://bugzilla.suse.com/1177184
   https://bugzilla.suse.com/1177336
   https://bugzilla.suse.com/1177508
   https://bugzilla.suse.com/1178303
   https://bugzilla.suse.com/1178503
   https://bugzilla.suse.com/1178647
   https://bugzilla.suse.com/1178839
   https://bugzilla.suse.com/1179087
   https://bugzilla.suse.com/1179273
   https://bugzilla.suse.com/1179410
   https://bugzilla.suse.com/1179552
   https://bugzilla.suse.com/1179589
   https://bugzilla.suse.com/1179872
   https://bugzilla.suse.com/1179990
   https://bugzilla.suse.com/1180001
   https://bugzilla.suse.com/1180127
   https://bugzilla.suse.com/1180285
   https://bugzilla.suse.com/1180803
   https://bugzilla.suse.com/1181356