
Security: XML External Entity processing in SUSE Manager Server 4.0
Name: XML External Entity processing in SUSE Manager Server 4.0
ID: SUSE-SU-2021:0448-1
Distribution: SUSE
Platforms: SUSE Linux Enterprise Module for SUSE Manager Server 4.0
Date: Fri, 12 February 2021, 20:19
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23901
Applications: SUSE Manager Server 4.0

Original message


SUSE Security Update: Security update for SUSE Manager Server 4.0
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:0448-1
Rating: moderate
References: #1164227 #1164451 #1171836 #1176018 #1176417
#1176823 #1176898 #1176906 #1177031 #1177184
#1177336 #1177508 #1178303 #1178503 #1178647
#1178839 #1179087 #1179273 #1179410 #1179552
#1179589 #1179872 #1179990 #1180001 #1180127
#1180285 #1180803 #1181356
Cross-References: CVE-2021-23901
CVSS scores:
CVE-2021-23901 (NVD) : 9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Server 4.0
______________________________________________________________________________

An update that solves one vulnerability and has 27 fixes is now available.

Description:

This update fixes the following issues:

cpu-mitigations-formula:

- Handle unsupported target systems gracefully (bsc#1179273)
- add mitigations for Xen hypervisor

nutch-core:

- Fix XXE injection in DmozParser CVE-2021-23901 (bsc#1181356)

smdba:

- Do not remove the database if there is no backup and deal with manifest
- Fix smdba throws error on mgr-setup/installation
- Raise an exception on failed external process call
- Fix TablePrint formatting
- Rename configuration parameter wal_keep_segments to wal_keep_size
(jsc#SLE-17030)
- Revert modifying cpu_tuple_cost
- Adapted spec file for RHEL8
- Adapt recover mechanism for postgresql12 and later

spacecmd:

- Fix spacecmd with no parameters produces traceback on SLE 11 SP4
(bsc#1176823)

spacewalk-backend:

- Reposync: Fixed Kickstart functionality.
- Reposync: Fixed URLGrabber error handling.
- Reposync: Fix modular data handling for cloned channels (bsc#1177508)
- Truncate author name in the changelog (bsc#1180285)
- Drop Transfer-Encoding header from proxy response to fix error response
messages (bsc#1176906)
- Prevent tracebacks on missing mail configuration (bsc#1179990)
- Fix pycurl.error handling in suseLib.py (bsc#1179990)
- Use sanitized repo label to build reposync repo cache path (bsc#1179410)
- Quote the proxy settings to be used by Zypper (bsc#1179087)
- Fix spacewalk-repo-sync to successfully manage and sync ULN repositories
- Fix errors in spacewalk-debug and align postgresql queries to new DB
version

spacewalk-branding:

- Set Copyright year to 2021

spacewalk-certs-tools:

- Improve check for correct CA trust store directory (bsc#1176417)

spacewalk-java:

- Fix modular data handling for cloned channels (bsc#1177508)
- Fix reboot action race condition (bsc#1177031)
- Fix availability check for debian repositories (bsc#1180127)
- Ignore duplicate NEVRAs in package profile update (bsc#1176018)
- Prevent deletion of CLM environments if they're used in an
autoinstallation profile (bsc#1179552)
- Register saltkey XMLRPC handler and fix behavior of delete salt key
(bsc#1179872)
- Add validation for custom repository labels
- Fix expanded support detection based on CentOS installations
(bsc#1179589)
- Add translation strings for newly added countries and timezones
(jsc#PM-2081)
- Fix the activation key handling from kickstart profile (bsc#1178647)
- Update exception message in findSyncedMandatoryChannels
- Fix check for available products on ISS Slaves (bsc#1177184)
- Get media.1/products for cloned channels (bsc#1178303)
- Calculate size to truncate a history message based on the htmlified
version (bsc#1178503)
- Change message "Minion is down" to be more accurate
- XMLRPC: Report architecture label in the list of installed packages
(bsc#1176898)

spacewalk-reports:

- Fixes no file content in `spacewalk-report config-files`
- Write `<binary data>` placeholder instead of dumping binary data

spacewalk-utils:

- Fix modular data handling for cloned channels (bsc#1177508)

spacewalk-web:

- Prevent deletion of CLM environments if they're used in an
autoinstallation profile (bsc#1179552)
- Fix mandatory channels JS API to finish loading in case of error
(bsc#1178839)

supportutils-plugin-susemanager:

- Remove checks for obsolete packages
- Gather new configfiles
- Add more important information

susemanager-doc-indexes:

- Added new section for bootstrap repository for end of life products in
Client Configuration Guide
- Remove old certs before renaming moved to Administration Guide
(bsc#1171836)
- Fixed error in Create and Replace CA and Server Certificates of
Administration Guide (bsc#1180001)
- Combining activation keys works only with traditional clients. Updated
in Client Configuration Guide and Reference. (bsc#1164451)

susemanager-docs_en:

- Added new section for bootstrap repository for end of life products in
Client Configuration Guide
- Remove old certs before renaming moved to Administration Guide
(bsc#1171836)
- Fixed error in Create and Replace CA and Server Certificates of
Administration Guide (bsc#1180001)
- Combining activation keys works only with traditional clients. Updated
Client Configuration Guide and Reference. (bsc#1164451)

susemanager-frontend-libs:

- Update Bootstrap to 3.1.0

susemanager-schema:

- Add new valid countries and timezones (jsc#PM-2081)

susemanager-sls:

- Fix apt login for similar channel labels (bsc#1180803)
- Change behavior of mgrcompat wrapper after deprecation changes on Salt
3002
- Make autoinstallation provisioning compatible with GRUB and ELILO in
addition to GRUB2 only (bsc#1164227)
- Fix: sync before start action chains (bsc#1177336)

susemanager-sync-data:

- Change centos 6 URLs to vault.centos.org
- Add new channel families for CAASP on ARM64 and HPC15 SP2 LTSS
- Remove duplicate repo definition

How to apply this update:

1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Upgrade the database schema: `spacewalk-schema-upgrade`
5. Start the Spacewalk service: `spacewalk-service start`


Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.0:

zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2021-448=1



Package List:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64):

smdba-1.7.8-0.3.3.2
spacewalk-branding-4.0.19-3.21.3

- SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch):

cpu-mitigations-formula-0.3-4.9.2
nutch-core-1.0.1-4.5.2
python3-spacewalk-backend-libs-4.0.36-3.41.2
python3-spacewalk-certs-tools-4.0.18-3.24.2
spacecmd-4.0.22-3.25.2
spacewalk-backend-4.0.36-3.41.2
spacewalk-backend-app-4.0.36-3.41.2
spacewalk-backend-applet-4.0.36-3.41.2
spacewalk-backend-config-files-4.0.36-3.41.2
spacewalk-backend-config-files-common-4.0.36-3.41.2
spacewalk-backend-config-files-tool-4.0.36-3.41.2
spacewalk-backend-iss-4.0.36-3.41.2
spacewalk-backend-iss-export-4.0.36-3.41.2
spacewalk-backend-package-push-server-4.0.36-3.41.2
spacewalk-backend-server-4.0.36-3.41.2
spacewalk-backend-sql-4.0.36-3.41.2
spacewalk-backend-sql-postgresql-4.0.36-3.41.2
spacewalk-backend-tools-4.0.36-3.41.2
spacewalk-backend-xml-export-libs-4.0.36-3.41.2
spacewalk-backend-xmlrpc-4.0.36-3.41.2
spacewalk-base-4.0.26-3.39.3
spacewalk-base-minimal-4.0.26-3.39.3
spacewalk-base-minimal-config-4.0.26-3.39.3
spacewalk-certs-tools-4.0.18-3.24.2
spacewalk-html-4.0.26-3.39.3
spacewalk-java-4.0.41-3.51.2
spacewalk-java-config-4.0.41-3.51.2
spacewalk-java-lib-4.0.41-3.51.2
spacewalk-java-postgresql-4.0.41-3.51.2
spacewalk-reports-4.0.6-3.3.2
spacewalk-taskomatic-4.0.41-3.51.2
spacewalk-utils-4.0.19-3.24.2
supportutils-plugin-susemanager-4.0.5-3.6.2
susemanager-doc-indexes-4.0-10.30.2
susemanager-docs_en-4.0-10.30.2
susemanager-docs_en-pdf-4.0-10.30.2
susemanager-frontend-libs-4.0.3-4.6.2
susemanager-schema-4.0.24-3.35.2
susemanager-sls-4.0.32-3.40.2
susemanager-sync-data-4.0.20-3.32.2
susemanager-web-libs-4.0.26-3.39.3
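After applying the update, a practitioner will want to confirm that the installed packages are at or above the versions in the package list above, and in particular that nutch-core (the package carrying the CVE-2021-23901 fix) is no longer below 1.0.1-4.5.2. The following is an added example, not part of the advisory or of SUSE's tooling: it implements a simplified rpm version comparison and checks a constructed `rpm -qa` sample against fixed versions taken from the package list. It assumes all packages have epoch 0 (no epochs are listed in the advisory) and that no tilde or caret version operators are in use.

```python
import re

# Fixed VERSION-RELEASE values taken from the advisory's package list.
# nutch-core carries the CVE-2021-23901 fix; the others are bug-fix packages.
FIXED = {
    "nutch-core": "1.0.1-4.5.2",
    "spacewalk-java": "4.0.41-3.51.2",
    "spacewalk-backend": "4.0.36-3.41.2",
}

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# (two packages deliberately left at pre-update releases)
SAMPLE_RPM_QA = """\
nutch-core 1.0.1-4.2.1
spacewalk-java 4.0.41-3.51.2
spacewalk-backend 4.0.36-3.39.1
"""


def _segments(s):
    # rpmvercmp-style tokenisation: runs of digits or letters; separators ignored
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp(): returns -1, 0 or 1.
    Digit runs compare numerically, letter runs lexically, and a digit run
    sorts newer than a letter run. Tilde/caret handling is omitted (assumption)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare 'VERSION-RELEASE' strings as rpm does: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def outdated_packages(rpm_qa_output, fixed=FIXED):
    """Return {name: (installed, fixed)} for listed packages still below the fix."""
    installed = dict(line.split(None, 1)
                     for line in rpm_qa_output.splitlines() if line.strip())
    return {n: (installed[n], v) for n, v in fixed.items()
            if n in installed and evr_cmp(installed[n], v) < 0}
```

On a real server, feed the output of the `rpm -qa` query shown in the comment into `outdated_packages`; an empty result means every listed package is at or above the advisory's version.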


References:

https://www.suse.com/security/cve/CVE-2021-23901.html
https://bugzilla.suse.com/1164227
https://bugzilla.suse.com/1164451
https://bugzilla.suse.com/1171836
https://bugzilla.suse.com/1176018
https://bugzilla.suse.com/1176417
https://bugzilla.suse.com/1176823
https://bugzilla.suse.com/1176898
https://bugzilla.suse.com/1176906
https://bugzilla.suse.com/1177031
https://bugzilla.suse.com/1177184
https://bugzilla.suse.com/1177336
https://bugzilla.suse.com/1177508
https://bugzilla.suse.com/1178303
https://bugzilla.suse.com/1178503
https://bugzilla.suse.com/1178647
https://bugzilla.suse.com/1178839
https://bugzilla.suse.com/1179087
https://bugzilla.suse.com/1179273
https://bugzilla.suse.com/1179410
https://bugzilla.suse.com/1179552
https://bugzilla.suse.com/1179589
https://bugzilla.suse.com/1179872
https://bugzilla.suse.com/1179990
https://bugzilla.suse.com/1180001
https://bugzilla.suse.com/1180127
https://bugzilla.suse.com/1180285
https://bugzilla.suse.com/1180803
https://bugzilla.suse.com/1181356