Sicherheit: Mehrere Probleme in SUSE Manager Server 4.2

Lesezeichen hinzufügen

SUSE Security Update: Security update for SUSE Manager Server 4.2
______________________________________________________________________________

Announcement ID: SUSE-SU-2022:3314-1
Rating: critical
References: #1172705 #1187028 #1195455 #1195895 #1196729
#1198168 #1198489 #1198738 #1198903 #1199372
#1199659 #1199913 #1199950 #1200276 #1200296
#1200480 #1200532 #1200573 #1200591 #1200629
#1201142 #1201189 #1201210 #1201220 #1201224
#1201527 #1201606 #1201607 #1201626 #1201753
#1201913 #1201918 #1202142 #1202272 #1202464
#1202728 #1203287 #1203288 #1203449
Cross-References: CVE-2021-41411 CVE-2021-42740 CVE-2021-43138
CVE-2022-31129
CVSS scores:
CVE-2021-41411 (NVD) : 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-41411 (SUSE): 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-42740 (NVD) : 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-42740 (SUSE): 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-43138 (NVD) : 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-43138 (SUSE): 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-31129 (NVD) : 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-31129 (SUSE): 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2
SUSE Manager Server 4.2
______________________________________________________________________________

An update that solves four vulnerabilities and has 35 fixes
is now available.

Description:

This update fixes the following issues:

drools:

- CVE-2021-41411: XML External Entity injection in
KieModuleModelImpl.java. (bsc#1200629)

httpcomponents-asyncclient:

- Provide maven metadata needed by other packages to build

image-sync-formula:

- Update to version 0.1.1661440526.b08d95b
* Add option to sort boot images by version (bsc#1196729)

inter-server-sync:

- Version 0.2.3
* Compress exported sql data #16631
* Add gzip dependency to decompress data file during import process

patterns-suse-manager:

- Strictly require OpenJDK 11 (bsc#1202142)

py27-compat-salt:

- Add support for gpgautoimport in zypperpkg module
- Fix salt.states.file.managed() for follow_symlinks=True and test=True
(bsc#1199372)
- Add support for name, pkgs and diff_attr parameters to upgrade function
for zypper and yum (bsc#1198489)
- Unify logic on using multiple requisites and add onfail_all (bsc#1198738)
- Normalize package names once with pkg.installed/removed using yum
(bsc#1195895)

salt-netapi-client:

- Declare the LICENSE file as license and not doc
- Adapted for Enterprise Linux 9.
- Version 0.20.0
* See: https://github.com/SUSE/salt-netapi-client/releases/tag/v0.20.0

saltboot-formula:

- Update to version 0.1.1661440526.b08d95b
* Fallback to local boot if the configured image is not synced
* improve image url modifications - preparation for ftp/http changes

spacecmd:

- Version 4.2.19-1
* Process date values in spacecmd api calls (bsc#1198903)
* Show correct help on calling kickstart_importjson with no arguments
* Fix tracebacks on spacecmd kickstart_export (bsc#1200591)

spacewalk-admin:

- Version 4.2.12-1
* Add --help option to mgr-monitoring-ctl

spacewalk-backend:

- Version 4.2.24-1
* Make reposync use the configured http proxy with mirrorlist
(bsc#1198168)
* Revert proxy listChannels token caching pr#4548
* cleanup leftovers from removing unused xmlrpc endpoint

spacewalk-certs-tools:

- Version 4.2.18-1
* traditional stack bootstrap: install product packages (bsc#1201142)

spacewalk-client-tools:

- Version 4.2.20-1
* Update translation strings

spacewalk-java:

- Version 4.2.41-1
* Fixed date format on scheduler related messages (bsc#1195455)
* Support inherited values for kernel options from Cobbler API
(bsc#1199913)
* Add channel availability check for product migration (bsc#1200296)
* Check if system has all formulas correctly assigned (bsc#1201607)
* Remove group formula assignments and data on group delete (bsc#1201606)
* Fix sync for external repositories (bsc#1201753)
* fix state.apply result parsing in test mode (bsc#1201913)
* Reduce the length of image channel URL (bsc#1201220)
* Calculate dependencies between cloned channels of vendor channels
(bsc#1201626)
* fix symlinks pointing to ongres-stringprep
* Modify parameter type when communicating with the search server
(bsc#1187028)
* Fix initial profile and build host on Image Build page (bsc#1199659)
* Fix the confirm message on the refresh action by adding a link to
pending actions on it (bsc#1172705)
* require new salt-netapi-client version
* Clean grub2 reinstall entry in autoyast snippet (bsc#1199950)

spacewalk-search:

- Version 4.2.8-1
* Add methods to handle session id as String

spacewalk-web:

- Version 4.2.29-1
* CVE-2021-43138: Obtain privileges via the `mapValues()` method.
(bsc#1200480)
* CVE-2021-42740: Command injection in the shell-quote package.
(bsc#1203287)
* CVE-2022-31129: Denial-of-Service moment: inefficient parsing
algorithm (bsc#1203288)
* Fix table header layout for unselectable tables
* Fix initial profile and build host on Image Build page (bsc#1199659)

subscription-matcher:

- Added Guava maximum version requirement.

susemanager:

- Version 4.2.37-1
* mark new dependencies for python-py optional in bootstrap repo to fix
generation for older service packs (bsc#1203449)
- Version 4.2.36-1
* add missing packages on SLES 15
* remove server-migrator.sh from SUSE Manager installations (bsc#1202728)
* mgr-create-bootstrap-repo: flush directory also when called for a
specific label (bsc#1200573)
* add missing packages on SLES 12 SP5 bootstrap repo (bsc#1201918)
* remove python-tornado from bootstrap repo, since no longer required
for salt version >= 3000
* add openSUSE 15.4 product (bsc#1201527)
* add clients tool product to generate bootstrap repo on openSUSE 15.x
(bsc#1201189)

susemanager-doc-indexes:

- Documented mandatory channels in the Disconnected Setup chapter of the
Administration Guide (bsc#1202464)
- Documented how to onboard Ubuntu clients with the Salt bundle as a
regular user
- Documented how to onboard Debian clients with the Salt bundle or plain
Salt as a regular user
- Fixed the names of updates channels for Leap
- Fixed errors in OpenSCAP chapter of Administration Guide
- Added exact command to create the bootstrap repo for Salt bundle and
about how to disable salt-thin
- Removed CentOS 8 from the list of supported client systems
- Extend the notes about using noexec option for /tmp and /var/tmp
(bsc#1201210)
- Reverted single snippet change for two separate books
- Added extend Salt Bundle functionality with Python packages using pip
- Add missing part of the description to enable optional support of the
Salt Bundle with Salt SSH
- Added exact command to create the bootstrap repo for salt bundle and
about how to disable salt-thin
- Salt Configuration Modules are no longer Technology Preview in Salt
Guide.
- Fixed Ubuntu 18 Client registration in Client Configuration Guide
(bsc#1201224)
- Added ports 1232 and 1233 in the Ports section of the Installation and
Upgrade Guide; required for Salt SSH Push (bsc#1200532)
- In the Custom Channel section of the Administration Guide add a note
about synchronizing repositories regularly.
- Removed SUSE Linux Enterprise 11 from the list of supported client
systems

susemanager-docs_en:

- Documented mandatory channels in the Disconnected Setup chapter of the
Administration Guide (bsc#1202464)
- Documented how to onboard Ubuntu clients with the Salt bundle as a
regular user
- Documented how to onboard Debian clients with the Salt bundle or plain
Salt as a regular user
- Fixed the names of updates channels for Leap
- Fixed errors in OpenSCAP chapter of Administration Guide
- Added exact command to create the bootstrap repo for Salt bundle and
about how to disable salt-thin
- Removed CentOS 8 from the list of supported client systems
- Extend the notes about using noexec option for /tmp and /var/tmp
(bsc#1201210)
- Reverted single snippet change for two separate books
- Added extend Salt Bundle functionality with Python packages using pip
- Add missing part of the description to enable optional support of the
Salt Bundle with Salt SSH
- Added exact command to create the bootstrap repo for salt bundle and
about how to disable salt-thin
- Salt Configuration Modules are no longer Technology Preview in Salt
Guide.
- Fixed Ubuntu 18 Client registration in Client Configuration Guide
(bsc#1201224)
- Added ports 1232 and 1233 in the Ports section of the Installation and
Upgrade Guide; required for Salt SSH Push (bsc#1200532)
- In the Custom Channel section of the Administration Guide add a note
about synchronizing repositories regularly.
- Removed SUSE Linux Enterprise 11 from the list of supported client
systems

susemanager-schema:

- Version 4.2.24-1
* Fix migration of image actions (bsc#1202272)

susemanager-sls:

- Version 4.2.27-1
* Copy grains file with util.mgr_switch_to_venv_minion state apply
* Remove the message 'rpm: command not found' on using Salt SSH
with
Debian based systems which has no Salt Bundle
* Prevent possible tracebacks on calling module.run from mgrcompat by
setting proper globals with using LazyLoader
* Fix deploy of SLE Micro CA Certificate (bsc#1200276)

uyuni-common-libs:

- Version 4.2.7-1
* Do not allow creating path if nonexistent user or group in fileutils.

How to apply this update:

1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk
service: `spacewalk-service stop` 3. Apply the patch using either zypper
patch or YaST Online Update. 4. Start the Spacewalk service:
`spacewalk-service start`

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.2:

zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-3314=1

Package List:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x
x86_64):

inter-server-sync-0.2.3-150300.8.22.2
inter-server-sync-debuginfo-0.2.3-150300.8.22.2
patterns-suma_retail-4.2-150300.4.12.2
patterns-suma_server-4.2-150300.4.12.2
python3-uyuni-common-libs-4.2.7-150300.3.9.2
susemanager-4.2.37-150300.3.41.1
susemanager-tools-4.2.37-150300.3.41.1

- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):

drools-7.17.0-150300.4.6.2
httpcomponents-asyncclient-4.1.4-150300.3.3.2
image-sync-formula-0.1.1661440526.b08d95b-150300.3.3.2
py27-compat-salt-3000.3-150300.7.7.23.2
python3-spacewalk-certs-tools-4.2.18-150300.3.24.3
python3-spacewalk-client-tools-4.2.20-150300.4.24.3
salt-netapi-client-0.20.0-150300.3.9.4
saltboot-formula-0.1.1661440526.b08d95b-150300.3.12.2
spacecmd-4.2.19-150300.4.27.2
spacewalk-admin-4.2.12-150300.3.15.3
spacewalk-backend-4.2.24-150300.4.29.5
spacewalk-backend-app-4.2.24-150300.4.29.5
spacewalk-backend-applet-4.2.24-150300.4.29.5
spacewalk-backend-config-files-4.2.24-150300.4.29.5
spacewalk-backend-config-files-common-4.2.24-150300.4.29.5
spacewalk-backend-config-files-tool-4.2.24-150300.4.29.5
spacewalk-backend-iss-4.2.24-150300.4.29.5
spacewalk-backend-iss-export-4.2.24-150300.4.29.5
spacewalk-backend-package-push-server-4.2.24-150300.4.29.5
spacewalk-backend-server-4.2.24-150300.4.29.5
spacewalk-backend-sql-4.2.24-150300.4.29.5
spacewalk-backend-sql-postgresql-4.2.24-150300.4.29.5
spacewalk-backend-tools-4.2.24-150300.4.29.5
spacewalk-backend-xml-export-libs-4.2.24-150300.4.29.5
spacewalk-backend-xmlrpc-4.2.24-150300.4.29.5
spacewalk-base-4.2.29-150300.3.27.3
spacewalk-base-minimal-4.2.29-150300.3.27.3
spacewalk-base-minimal-config-4.2.29-150300.3.27.3
spacewalk-certs-tools-4.2.18-150300.3.24.3
spacewalk-client-tools-4.2.20-150300.4.24.3
spacewalk-html-4.2.29-150300.3.27.3
spacewalk-java-4.2.41-150300.3.43.5
spacewalk-java-config-4.2.41-150300.3.43.5
spacewalk-java-lib-4.2.41-150300.3.43.5
spacewalk-java-postgresql-4.2.41-150300.3.43.5
spacewalk-search-4.2.8-150300.3.12.2
spacewalk-taskomatic-4.2.41-150300.3.43.5
subscription-matcher-0.29-150300.6.12.2
susemanager-doc-indexes-4.2-150300.12.33.4
susemanager-docs_en-4.2-150300.12.33.2
susemanager-docs_en-pdf-4.2-150300.12.33.2
susemanager-schema-4.2.24-150300.3.27.3
susemanager-sls-4.2.27-150300.3.33.4
uyuni-config-modules-4.2.27-150300.3.33.4

References:

https://www.suse.com/security/cve/CVE-2021-41411.html
https://www.suse.com/security/cve/CVE-2021-42740.html
https://www.suse.com/security/cve/CVE-2021-43138.html
https://www.suse.com/security/cve/CVE-2022-31129.html
https://bugzilla.suse.com/1172705
https://bugzilla.suse.com/1187028
https://bugzilla.suse.com/1195455
https://bugzilla.suse.com/1195895
https://bugzilla.suse.com/1196729
https://bugzilla.suse.com/1198168
https://bugzilla.suse.com/1198489
https://bugzilla.suse.com/1198738
https://bugzilla.suse.com/1198903
https://bugzilla.suse.com/1199372
https://bugzilla.suse.com/1199659
https://bugzilla.suse.com/1199913
https://bugzilla.suse.com/1199950
https://bugzilla.suse.com/1200276
https://bugzilla.suse.com/1200296
https://bugzilla.suse.com/1200480
https://bugzilla.suse.com/1200532
https://bugzilla.suse.com/1200573
https://bugzilla.suse.com/1200591
https://bugzilla.suse.com/1200629
https://bugzilla.suse.com/1201142
https://bugzilla.suse.com/1201189
https://bugzilla.suse.com/1201210
https://bugzilla.suse.com/1201220
https://bugzilla.suse.com/1201224
https://bugzilla.suse.com/1201527
https://bugzilla.suse.com/1201606
https://bugzilla.suse.com/1201607
https://bugzilla.suse.com/1201626
https://bugzilla.suse.com/1201753
https://bugzilla.suse.com/1201913
https://bugzilla.suse.com/1201918
https://bugzilla.suse.com/1202142
https://bugzilla.suse.com/1202272
https://bugzilla.suse.com/1202464
https://bugzilla.suse.com/1202728
https://bugzilla.suse.com/1203287
https://bugzilla.suse.com/1203288
https://bugzilla.suse.com/1203449