Security: XML External Entity processing in SUSE Manager Server 4.0
Name: XML External Entity processing in SUSE Manager Server 4.0
ID: SUSE-SU-2021:0448-1
Distribution: SUSE
Platforms: SUSE Linux Enterprise Module for SUSE Manager Server 4.0
Date: Fri, 12 February 2021, 20:19
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23901
Applications: SUSE Manager Server 4.0

Original message
SUSE Security Update: Security update for SUSE Manager Server 4.0
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:0448-1
Rating: moderate
References: #1164227 #1164451 #1171836 #1176018 #1176417 #1176823 #1176898 #1176906 #1177031 #1177184 #1177336 #1177508 #1178303 #1178503 #1178647 #1178839 #1179087 #1179273 #1179410 #1179552 #1179589 #1179872 #1179990 #1180001 #1180127 #1180285 #1180803 #1181356
Cross-References: CVE-2021-23901
CVSS scores:
CVE-2021-23901 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products: SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________
An update that solves one vulnerability and has 27 fixes is now available.
Description:
This update fixes the following issues:
cpu-mitigations-formula:
- Handle unsupported target systems gracefully (bsc#1179273)
- Add mitigations for Xen hypervisor
nutch-core:
- Fix XXE injection in DmozParser CVE-2021-23901 (bsc#1181356)
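To make the vulnerability class behind CVE-2021-23901 concrete for operators who do not read Java, the following example is added here; it is not code from nutch-core, DmozParser or this SUSE update, and it does not reproduce the Nutch fix. It contrasts a JAXP DocumentBuilderFactory at its defaults with one hardened against external entity processing, and feeds both a small constructed document whose DOCTYPE declares an external entity pointing at a placeholder path. The class name, the method names and the constructed input are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Constructed sample input (not from the advisory): a DOCTYPE declaring an
    // external general entity. The SYSTEM URI is a deliberate placeholder path;
    // a parser that resolves it would try to read that resource into the document.
    static final String CONSTRUCTED_INPUT =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE topics [<!ENTITY ext SYSTEM \"file:///nonexistent/placeholder.txt\">]>\n"
      + "<topics><topic>&ext;</topic></topics>";

    // Default JAXP factory: DOCTYPE declarations and external entities are accepted.
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened factory: reject any DOCTYPE outright (the single most effective
    // control), and as defence in depth disable external general and parameter
    // entities, external DTD loading, XInclude and entity expansion.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true only if the builder refuses the document before resolving the
    // external entity. An IOException means the parser already tried to fetch
    // the referenced resource, which is exactly the behaviour XXE hardening
    // must prevent, so that case also returns false.
    static boolean rejectsExternalEntity(DocumentBuilder builder) {
        byte[] bytes = CONSTRUCTED_INPUT.getBytes(StandardCharsets.UTF_8);
        try {
            Document doc = builder.parse(new ByteArrayInputStream(bytes));
            String text = doc.getDocumentElement().getTextContent();
            System.out.println("parsed; <topic> content length = " + text.length());
            return false;
        } catch (SAXParseException e) {
            System.out.println("rejected by parser: " + e.getMessage());
            return true;
        } catch (IOException e) {
            System.out.println("parser attempted to resolve external resource: " + e);
            return false;
        } catch (Exception e) {
            System.out.println("other failure: " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("permissive builder blocks XXE: "
            + rejectsExternalEntity(permissiveBuilder()));
        System.out.println("hardened builder blocks XXE:   "
            + rejectsExternalEntity(hardenedBuilder()));
    }
}
```

With the default Xerces parser shipped in the JDK, the permissive builder attempts to open the placeholder path and fails with an IOException, while the hardened builder raises a SAXParseException on the DOCTYPE before any entity is resolved. In a review of code that ingests untrusted XML, the presence of the `disallow-doctype-decl` feature is the quickest thing to check for.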
smdba:
- Do not remove the database if there is no backup and deal with manifest
- Fix smdba throws error on mgr-setup/installation
- Raise an exception on failed external process call
- Fix TablePrint formatting
- Rename configuration parameter wal_keep_segments to wal_keep_size (jsc#SLE-17030)
- Revert modifying cpu_tuple_cost
- Adapted spec file for RHEL8
- Adapt recover mechanism for postgresql12 and later
spacecmd:
- Fix spacecmd with no parameters produces traceback on SLE 11 SP4 (bsc#1176823)
spacewalk-backend:
- Reposync: Fixed Kickstart functionality.
- Reposync: Fixed URLGrabber error handling.
- Reposync: Fix modular data handling for cloned channels (bsc#1177508)
- Truncate author name in the changelog (bsc#1180285)
- Drop Transfer-Encoding header from proxy response to fix error response messages (bsc#1176906)
- Prevent tracebacks on missing mail configuration (bsc#1179990)
- Fix pycurl.error handling in suseLib.py (bsc#1179990)
- Use sanitized repo label to build reposync repo cache path (bsc#1179410)
- Quote the proxy settings to be used by Zypper (bsc#1179087)
- Fix spacewalk-repo-sync to successfully manage and sync ULN repositories
- Fix errors in spacewalk-debug and align postgresql queries to new DB version
spacewalk-branding:
- Set Copyright year to 2021
spacewalk-certs-tools:
- Improve check for correct CA trust store directory (bsc#1176417)
spacewalk-java:
- Fix modular data handling for cloned channels (bsc#1177508)
- Fix reboot action race condition (bsc#1177031)
- Fix availability check for debian repositories (bsc#1180127)
- Ignore duplicate NEVRAs in package profile update (bsc#1176018)
- Prevent deletion of CLM environments if they're used in an autoinstallation profile (bsc#1179552)
- Register saltkey XMLRPC handler and fix behavior of delete salt key (bsc#1179872)
- Add validation for custom repository labels
- Fix expanded support detection based on CentOS installations (bsc#1179589)
- Add translation strings for newly added countries and timezones (jsc#PM-2081)
- Fix the activation key handling from kickstart profile (bsc#1178647)
- Update exception message in findSyncedMandatoryChannels
- Fix check for available products on ISS Slaves (bsc#1177184)
- Get media.1/products for cloned channels (bsc#1178303)
- Calculate size to truncate a history message based on the htmlified version (bsc#1178503)
- Change message "Minion is down" to be more accurate
- XMLRPC: Report architecture label in the list of installed packages (bsc#1176898)
spacewalk-reports:
- Fixes no file content in `spacewalk-report config-files`
- Write `<binary data>` placeholder instead of dumping binary data
spacewalk-utils:
- Fix modular data handling for cloned channels (bsc#1177508)
spacewalk-web:
- Prevent deletion of CLM environments if they're used in an autoinstallation profile (bsc#1179552)
- Fix mandatory channels JS API to finish loading in case of error (bsc#1178839)
supportutils-plugin-susemanager:
- Remove checks for obsolete packages
- Gather new configfiles
- Add more important information
susemanager-doc-indexes:
- Added new section for bootstrap repository for end of life products in Client Configuration Guide
- Remove old certs before renaming moved to Administration Guide (bsc#1171836)
- Fixed error in Create and Replace CA and Server Certificates of Administration Guide (bsc#1180001)
- Combining activation keys works only with traditional clients. Updated in Client Configuration Guide and Reference. (bsc#1164451)
susemanager-docs_en:
- Added new section for bootstrap repository for end of life products in Client Configuration Guide
- Remove old certs before renaming moved to Administration Guide (bsc#1171836)
- Fixed error in Create and Replace CA and Server Certificates of Administration Guide (bsc#1180001)
- Combining activation keys works only with traditional clients. Updated Client Configuration Guide and Reference. (bsc#1164451)
susemanager-frontend-libs:
- Update Bootstrap to 3.1.0
susemanager-schema:
- Add new valid countries and timezones (jsc#PM-2081)
susemanager-sls:
- Fix apt login for similar channel labels (bsc#1180803)
- Change behavior of mgrcompat wrapper after deprecation changes on Salt 3002
- Make autoinstallation provisioning compatible with GRUB and ELILO in addition to GRUB2 only (bsc#1164227)
- Fix: sync before start action chains (bsc#1177336)
susemanager-sync-data:
- Change centos 6 URLs to vault.centos.org
- Add new channel families for CAASP on ARM64 and HPC15 SP2 LTSS
- Remove duplicate repo definition
How to apply this update:
1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Upgrade the database schema: `spacewalk-schema-upgrade`
5. Start the Spacewalk service: `spacewalk-service start`
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.0:
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2021-448=1
Package List:
- SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64):
smdba-1.7.8-0.3.3.2
spacewalk-branding-4.0.19-3.21.3
- SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):
cpu-mitigations-formula-0.3-4.9.2
nutch-core-1.0.1-4.5.2
python3-spacewalk-backend-libs-4.0.36-3.41.2
python3-spacewalk-certs-tools-4.0.18-3.24.2
spacecmd-4.0.22-3.25.2
spacewalk-backend-4.0.36-3.41.2
spacewalk-backend-app-4.0.36-3.41.2
spacewalk-backend-applet-4.0.36-3.41.2
spacewalk-backend-config-files-4.0.36-3.41.2
spacewalk-backend-config-files-common-4.0.36-3.41.2
spacewalk-backend-config-files-tool-4.0.36-3.41.2
spacewalk-backend-iss-4.0.36-3.41.2
spacewalk-backend-iss-export-4.0.36-3.41.2
spacewalk-backend-package-push-server-4.0.36-3.41.2
spacewalk-backend-server-4.0.36-3.41.2
spacewalk-backend-sql-4.0.36-3.41.2
spacewalk-backend-sql-postgresql-4.0.36-3.41.2
spacewalk-backend-tools-4.0.36-3.41.2
spacewalk-backend-xml-export-libs-4.0.36-3.41.2
spacewalk-backend-xmlrpc-4.0.36-3.41.2
spacewalk-base-4.0.26-3.39.3
spacewalk-base-minimal-4.0.26-3.39.3
spacewalk-base-minimal-config-4.0.26-3.39.3
spacewalk-certs-tools-4.0.18-3.24.2
spacewalk-html-4.0.26-3.39.3
spacewalk-java-4.0.41-3.51.2
spacewalk-java-config-4.0.41-3.51.2
spacewalk-java-lib-4.0.41-3.51.2
spacewalk-java-postgresql-4.0.41-3.51.2
spacewalk-reports-4.0.6-3.3.2
spacewalk-taskomatic-4.0.41-3.51.2
spacewalk-utils-4.0.19-3.24.2
supportutils-plugin-susemanager-4.0.5-3.6.2
susemanager-doc-indexes-4.0-10.30.2
susemanager-docs_en-4.0-10.30.2
susemanager-docs_en-pdf-4.0-10.30.2
susemanager-frontend-libs-4.0.3-4.6.2
susemanager-schema-4.0.24-3.35.2
susemanager-sls-4.0.32-3.40.2
susemanager-sync-data-4.0.20-3.32.2
susemanager-web-libs-4.0.26-3.39.3
References:
https://www.suse.com/security/cve/CVE-2021-23901.html
https://bugzilla.suse.com/1164227
https://bugzilla.suse.com/1164451
https://bugzilla.suse.com/1171836
https://bugzilla.suse.com/1176018
https://bugzilla.suse.com/1176417
https://bugzilla.suse.com/1176823
https://bugzilla.suse.com/1176898
https://bugzilla.suse.com/1176906
https://bugzilla.suse.com/1177031
https://bugzilla.suse.com/1177184
https://bugzilla.suse.com/1177336
https://bugzilla.suse.com/1177508
https://bugzilla.suse.com/1178303
https://bugzilla.suse.com/1178503
https://bugzilla.suse.com/1178647
https://bugzilla.suse.com/1178839
https://bugzilla.suse.com/1179087
https://bugzilla.suse.com/1179273
https://bugzilla.suse.com/1179410
https://bugzilla.suse.com/1179552
https://bugzilla.suse.com/1179589
https://bugzilla.suse.com/1179872
https://bugzilla.suse.com/1179990
https://bugzilla.suse.com/1180001
https://bugzilla.suse.com/1180127
https://bugzilla.suse.com/1180285
https://bugzilla.suse.com/1180803
https://bugzilla.suse.com/1181356