SUSE Security Update: Security update for SUSE Manager Server 4.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:2098-1
Rating:             moderate
References:         #1151558 #1172711 #1175216 #1178767 #1180673 
                    #1182744 #1183573 #1183649 #1183845 #1183864 
                    #1184005 #1184286 #1184311 #1184332 #1184351 
                    #1184361 #1184471 #1184475 #1184561 #1184617 
                    #1184849 #1184892 #1184929 #1184940 #1185042 
                    #1185097 #1185281 #1185506 #1185568 #1185965 
                    #1186025 #1186124 #1186346 #1186508 #1186765 
                    #1186852 #1186858 
Cross-References:   CVE-2021-28657 CVE-2021-31607
CVSS scores:
                    CVE-2021-28657 (NVD) : 5.5
 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2021-28657 (SUSE): 5.5
 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2021-31607 (NVD) : 7.8
 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-31607 (SUSE): 7
 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.1
______________________________________________________________________________

   An update that solves two vulnerabilities and has 35 fixes
   is now available.

Description:

   This update fixes the following issues:

   cobbler:

   - Make `fence_ipmitool` a wrapper for `fence_ipmilan` using always
     `lanplus`. (bsc#1184361)
   - Remove unused template for `fence_ipmitool`.
   - Prevent some race conditions when writting tftpboot files and the
     destination directory is not existing. (bsc#1186124)
   - Fix trail stripping in case of using UTF symbols. (bsc#1184561)

   golang-github-prometheus-node_exporter:

   - Update to 1.1.2
     * Bug fixes
       + Handle errors from disabled PSI subsystem
       + Sanitize strings from /sys/class/power_supply
       + Silence missing netclass errors
       + Fix ineffassign issue
       + Fix some noisy log lines
       + filesystem_freebsd: Fix label values
       + Fix various procfs parsing errors
       + Handle no data from powersupplyclass
       + udp_queues_linux.go: change upd to udp in two error strings
       + Fix node_scrape_collector_success behaviour
       + Fix NodeRAIDDegraded to not use a string rule expressions
       + Fix node_md_disks state label from fail to failed
       + Handle EPERM for syscall in timex collector
       + bcache: fix typo in a metric name
       + Fix XFS read/write stats
     * Changes
       + Improve filter flag names
       + Add btrfs and powersupplyclass to list of exporters enabled by
         default
     * Features
       + Add fibre channel collector
       + Expose cpu bugs and flags as info metrics
       + Add network_route collector
       + Add zoneinfo collector
     * Enhancements
       + Add more InfiniBand counters
       + Add flag to aggr ipvs metrics to avoid high cardinality metrics
       + Adding backlog/current queue length to qdisc collector
       + Include TCP OutRsts in netstat metrics
       + Add pool size to entropy collector
       + Remove CGO dependencies for OpenBSD amd64
       + bcache: add writeback_rate_debug status
       + Add check state for mdadm arrays via node_md_state metric
       + Expose XFS inode statistics
       + Expose zfs zpool state
       + Added an ability to pass collector.supervisord.url via
         SUPERVISORD_URL environment variable
   - Do not include sources (bsc#1151558)
   - Remove rc symlink

   grafana-formula:

   - Fix Grafana dashboards requiring single series (bsc#1184471)

   patterns-suse-manager:

   - Add require for py27-compat-salt (salt 3002 does not provide
     python2-salt anymore)

   prometheus-exporter-formula:

   - Add support for schema migration (bsc#1186025)

   pxe-yomi-image-sle15:

   - Remove PermitEmptyPasswords from SSH config (Fix bsc#1182744)

   py26-compat-salt:

   - Prevent command injection in the snapper module (bsc#1185281)
     (CVE-2021-31607)

   spacewalk-admin:

   - Stop jabberd when osa-dispatcher is enabled (bsc#1185042)

   spacewalk-backend:


   - Fix binary blob corruptions in tradidional config file deployment
     (bsc#1183864)
   - Fix for GPG checking on synchonizing mirrored dpkg repo (bsc#1184351)
   - switch to www group for satellite logs (bsc#1185097)
   - Fail traditional errata and package actions when they act on retracted
     items
   - Add advisory_status to reposync and ISS
   - Add minrate/timeout configuration values for downloading DEB/RPM packages

   spacewalk-branding:

   - Add the CSS class for retracted errata/packages

   spacewalk-certs-tools:


   - Add support of DISABLE_LOCAL_REPOS=0 for salt minions (bsc#1185568)
   - Add missing environment variable SALT_RUNNING for pkg module to the
     minion configuration
   - Fix typo: activaion -> activation

   spacewalk-java:

   - Change Prometheus exporters formula data schema to make it more generic
     and extendable
   - Do not require advisory_status to be set in ErrataHandler.create
     (bsc#1185965)
   - Speed up pages to compare or add packages to channels (bsc#1178767)
   - Bugfix: Remove the unneeded check that was stopping updating a virtual
     instance type (bsc#1180673)
   - Exclude minions from the list of locally-managed/sandbox systems when
     copying config files (bsc#1184940)
   - Lower case fqdn comparation when calculating minion connection path
     (bsc#1184849)
   - Bugfix: Retracted Patches: Filter minion correctly when executing
     package install (bsc#1184929)
   - Implement retracted patches
   - For a SUSE system get metadata and package from same source (bsc#1184475)
   - Check if the directory exists prior to modular data cleanup (bsc#1184311)
   - Assign right base product for res8 (bsc#1184005)
   - Fix docs link in my organization configuration (bsc#1184286)
   - Only update the kickstart path in cobbler if necessary (bsc#1175216)

   spacewalk-utils:

   - Bugfix for ubuntu-18.04 repo urls: multiverse, restricted and backports
   - Add multiverse, restricted and backports to Ubuntu 16.04, 18.04 and 20.04

   spacewalk-web:

   - Upgrade react-select to 4.3.0 and lodash to 4.17.21
   - Show the info about unsynced patches in the Content Lifecycle Management
     screens

   susemanager:

   - Add bootstrap repo data for SUSE Manager 4.1 Proxy
   - Require gio-branding-SLE for SLE15 but not for openSUSE Leap 15
   - Add bootstrap repo data for OES2018-SP3-x86_64 (bsc#1183845)
   - Enable bootstrap repository creation for openSUSE Leap 15.3 for Uyuni
   - Add python3-distro to RES8, SLE15, Ubuntu20.04 and Debian 10 bootstrap
     repositories to fix bootstrapping issues (bsc#1184332)
   - Add python3-pycryptodome to Ubuntu and Debian 10 bootstrap repos
     (bsc#1186346)
   - Add gnupg and its dependencies to debian 10 bootstrap repo

   susemanager-build-keys:

   - Add SUSE Linux Enterprise 15-SP3 Updates for openSUSE Leap 15.3 key
     (bsc#1186852)

   susemanager-doc-indexes:

   - Adds additional dependencies for Debian client registration in Client
     Configuration Guide (bsc#1183649)
   - Remove some openSUSE Leap 15.1 references
   - Add reposync configuration settings to Troubleshooting chapter of the
     Administration Guide
   - Update the entry about module.run for SAP Guide

   susemanager-docs_en:

   - Adds additional dependencies for Debian client registration in Client
     Configuration Guide (bsc#1183649)
   - Remove some openSUSE Leap 15.1 references
   - Add reposync configuration settings to Troubleshooting chapter of the
     Administration Guide
   - Update the entry about module.run for SAP Guide

   susemanager-schema:

   - DB schema & migrations for retracted patches

   susemanager-sls:

   - Exclude openSUSE Leap 15.3 from product installation (bsc#1186858)
   - Enable certificate deployment for Leap 15.3 clients which is needed for
     bootstrapping (bsc#1186765)
   - Do not install python2-salt on Salt 3002.2 Docker build hosts
     (bsc#1185506)
   - Add support for 'disable_local_repos' salt minion config
     parameter(bsc#1185568)
   - Fix insecure JMX configuration (bsc#1184617)
   - Avoid conflicts with running ioloop on mgr_events engine (bsc#1172711)
   - Keep salt-minion when it is installed to prevent update problems with
     dependend packages not available in the bootstrap repo (bsc#1183573)
   - Fix installation of gnupg on Debian 10

   susemanager-sync-data:

   - Add OES2018 SP3 (bsc#1183845)

   tika-core:

   - New upstream version 1.26.
     * Infinite loop in the MP3Parser (bsc#1184892 CVE-2021-28657)
     * Out of memory error while loading a file in PDFBox before 2.0.23.
     * Infinite loop while loading a file in PDFBox before 2.0.23.
     * System.exit vulnerability in Tika's OneNote Parser; out of memory
       errors and/or infinite loops in Tika's ICNSParser, MP3Parser,
       MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser.
     * Excessive memory usage (DoS) vulnerability in Apache Tika's
 PSDParser
     * Infinite Loop (DoS) vulnerability in Apache Tika's PSDParser

   uyuni-common-libs:

   - Maintainer field in debian packages are only recommended (bsc#1186508)

   How to apply this update:

   1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk
   service: `spacewalk-service stop` 3. Apply the patch using either zypper
   patch or YaST Online Update. 4. Start the Spacewalk service:
   `spacewalk-service start`


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
 methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-2098=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x
 x86_64):

      golang-github-prometheus-node_exporter-1.1.2-3.6.5
      patterns-suma_retail-4.1-6.9.2
      patterns-suma_server-4.1-6.9.2
      python3-uyuni-common-libs-4.1.8-3.9.1
      spacewalk-branding-4.1.12-3.12.2
      susemanager-4.1.26-3.25.1
      susemanager-tools-4.1.26-3.25.1

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):

      cobbler-3.0.0+git20190806.32c4bae0-5.11.1
      grafana-formula-0.4.1-3.9.2
      prometheus-exporters-formula-0.9.1-3.22.1
      py26-compat-salt-2016.11.10-6.14.2
      py27-compat-salt-3000.3-6.3.2
      python3-spacewalk-certs-tools-4.1.17-3.17.2
      spacewalk-admin-4.1.9-3.12.2
      spacewalk-backend-4.1.25-4.32.6
      spacewalk-backend-app-4.1.25-4.32.6
      spacewalk-backend-applet-4.1.25-4.32.6
      spacewalk-backend-config-files-4.1.25-4.32.6
      spacewalk-backend-config-files-common-4.1.25-4.32.6
      spacewalk-backend-config-files-tool-4.1.25-4.32.6
      spacewalk-backend-iss-4.1.25-4.32.6
      spacewalk-backend-iss-export-4.1.25-4.32.6
      spacewalk-backend-package-push-server-4.1.25-4.32.6
      spacewalk-backend-server-4.1.25-4.32.6
      spacewalk-backend-sql-4.1.25-4.32.6
      spacewalk-backend-sql-postgresql-4.1.25-4.32.6
      spacewalk-backend-tools-4.1.25-4.32.6
      spacewalk-backend-xml-export-libs-4.1.25-4.32.6
      spacewalk-backend-xmlrpc-4.1.25-4.32.6
      spacewalk-base-4.1.26-3.24.8
      spacewalk-base-minimal-4.1.26-3.24.8
      spacewalk-base-minimal-config-4.1.26-3.24.8
      spacewalk-certs-tools-4.1.17-3.17.2
      spacewalk-html-4.1.26-3.24.8
      spacewalk-java-4.1.36-3.44.1
      spacewalk-java-config-4.1.36-3.44.1
      spacewalk-java-lib-4.1.36-3.44.1
      spacewalk-java-postgresql-4.1.36-3.44.1
      spacewalk-taskomatic-4.1.36-3.44.1
      spacewalk-utils-4.1.16-3.18.2
      spacewalk-utils-extras-4.1.16-3.18.2
      susemanager-build-keys-15.2.4-3.17.1
      susemanager-build-keys-web-15.2.4-3.17.1
      susemanager-doc-indexes-4.1-11.34.8
      susemanager-docs_en-4.1-11.34.2
      susemanager-docs_en-pdf-4.1-11.34.2
      susemanager-schema-4.1.21-3.30.6
      susemanager-sls-4.1.28-3.42.1
      susemanager-sync-data-4.1.14-3.23.2
      susemanager-web-libs-4.1.26-3.24.8
      tika-core-1.26-3.5.2
      uyuni-config-modules-4.1.28-3.42.1


References:

   https://www.suse.com/security/cve/CVE-2021-28657.html
   https://www.suse.com/security/cve/CVE-2021-31607.html
   https://bugzilla.suse.com/1151558
   https://bugzilla.suse.com/1172711
   https://bugzilla.suse.com/1175216
   https://bugzilla.suse.com/1178767
   https://bugzilla.suse.com/1180673
   https://bugzilla.suse.com/1182744
   https://bugzilla.suse.com/1183573
   https://bugzilla.suse.com/1183649
   https://bugzilla.suse.com/1183845
   https://bugzilla.suse.com/1183864
   https://bugzilla.suse.com/1184005
   https://bugzilla.suse.com/1184286
   https://bugzilla.suse.com/1184311
   https://bugzilla.suse.com/1184332
   https://bugzilla.suse.com/1184351
   https://bugzilla.suse.com/1184361
   https://bugzilla.suse.com/1184471
   https://bugzilla.suse.com/1184475
   https://bugzilla.suse.com/1184561
   https://bugzilla.suse.com/1184617
   https://bugzilla.suse.com/1184849
   https://bugzilla.suse.com/1184892
   https://bugzilla.suse.com/1184929
   https://bugzilla.suse.com/1184940
   https://bugzilla.suse.com/1185042
   https://bugzilla.suse.com/1185097
   https://bugzilla.suse.com/1185281
   https://bugzilla.suse.com/1185506
   https://bugzilla.suse.com/1185568
   https://bugzilla.suse.com/1185965
   https://bugzilla.suse.com/1186025
   https://bugzilla.suse.com/1186124
   https://bugzilla.suse.com/1186346
   https://bugzilla.suse.com/1186508
   https://bugzilla.suse.com/1186765
   https://bugzilla.suse.com/1186852
   https://bugzilla.suse.com/1186858