Security: Denial of Service in SUSE Manager Server 3.2
Name: Denial of Service in SUSE Manager Server 3.2
ID: SUSE-SU-2019:0341-1
Distribution: SUSE
Platforms: SUSE Manager Server 3.2, SUSE Manager Proxy 3.2
Date: Wed, 13 February 2019, 15:44
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17197
Applications: SUSE Manager Server 3.2

Original message

   SUSE Security Update: Security update for SUSE Manager Server 3.2
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:0341-1
Rating: moderate
References: #1089121 #1098826 #1099988 #1104680 #1105720
#1105791 #1110427 #1110757 #1110772 #1111191
#1111686 #1111910 #1111963 #1112121 #1114029
#1114059 #1114115 #1114268 #1114877 #1115029
#1115978 #1116365 #1116566 #1116610 #1116826
#1117759 #1118112 #1118478 #1118917 #1119233
#1119271 #1119320 #1119727 #1119807 #1121038
#1121424 #1122565 #1123902 #1123983 #1124794
#1125097 #987798
Cross-References: CVE-2018-17197
Affected Products:
SUSE Manager Server 3.2
SUSE Manager Proxy 3.2
______________________________________________________________________________

An update that solves one vulnerability and has 41 fixes is now available.

Description:


This update fixes the following issues:

branch-network-formula:

- Netconfig update requires bind directory to exist for bind forward,
ensure it (bsc#1116365)
- Rework network update in branch-network formula (bsc#1116365)

py26-compat-salt:

- Remove arch from name when pkg.list_pkgs is called with 'attr'
(bsc#1114029)

python-susemanager-retail:

- Force one python version for SLE12 (python2) and SLE15 (python3)
- Add disklabel: none to migrated RAID

saltboot-formula:

- Use FTP active mode for image download
- Always deploy image when image is specified in partitioning pillar
(bsc#1119807)
- Call blockdev.formatted with force=True
- Allow RAID images to be defined by saltboot formula
- image information can be provided directly for disk
- allow "none" disk label in formula and in that case hide
partitioning information

smdba:

- Tuning: add cpu_tuple_cost (bsc#1105791)

spacecmd:

- Fix importing state channels using configchannel_import
- Fix getting file info for latest revision (via configchannel_filedetails)
- Add functions to merge errata (softwarechannel_errata_merge) and
packages (softwarechannel_mergepackages) through spacecmd (bsc#987798)

spacewalk-admin:

- Use a Salt engine to process return results (bsc#1099988)

spacewalk-backend:

- Move channel update close to commit to avoid long lock (bsc#1121424)
- Adapt Inter Server Sync code to new SCC sync backend
- Fix issue raising exceptions 'with_traceback' on Python 2
- Hide Python traceback and show only error message (bsc#1110427)
- Honor renamed postgresql10 log directory for supportconfig

spacewalk-branding:

- Better label visualization when the input is disabled. (bsc#1110772)

spacewalk-client-tools:

- Fix XML-RPC type serialization (bsc#1116610)

spacewalk-java:

- Improve salt events processing performance (bsc#1125097)
- Prevent an error when onboarding a RES 6 minion (bsc#1124794)
- Support products with multiple base channels
- Fix ordering of base channels to prevent synchronization errors
(bsc#1123902)
- Avoid a NullPointerException error in Taskomatic (bsc#1119271)
- Reset channel assignments when base channel changes on registration
(bsc#1118917)
- Allow bootstrapping minions with a pending minion key being present
(bsc#1119727)
- Hide 'unknown virtual host manager' when virtual host manager of
all hosts is known (bsc#1119320)
- Disable notification types with 'java.notifications_type_disabled'
in rhn.conf (bsc#1111910)
- Change SCC sync backend to adapt quicker to SCC changes and improve
speed of syncing metadata and checking for channel dependencies
(bsc#1089121)
- Read OEM Orderitems from DB instead of always creating new items
(bsc#1098826)
- Fix mgr-sync refresh when subscription was removed (bsc#1105720)
- XMLRPC API: Include init.sls in channel file list (bsc#1111191)
- Fix the config channels assignment via SSM (bsc#1117759)
- Install product packages during bootstrapping minions (bsc#1104680)
- Fix cloning channels when managing the same errata for both vendor and
private orgs (bsc#1111686)
- Introduce Loggerhead-module.js to store logs from the frontend
- Removed 'Manage Channels' shortcut for vendor channels
(bsc#1115978)
- Hide already applied errata and channel entries from the output list in
audit.listSystemsByPatchStatus (bsc#1111963)
- Prevent failing KickstartCommand when customPosition is null
(bsc#1112121)
- Automatically schedule an Action to refresh minion repos after deletion
of an assigned channel (bsc#1115029)
- Performance improvements in channel management functionalities
(bsc#1114877)
- Handle with an error message if state file fails to render (bsc#1110757)
- When changing basechannel the compatible old childchannels are now
selected by default. (bsc#1110772)
- Add check for yast autoinstall profiles when setting kickstartTree
(bsc#1114115)
- Use a Salt engine to process return results (bsc#1099988)
- Fix handling of CVEs including multiple patches in CVE audit
(bsc#1111963)
- Fix synchronizing Expanded Support Channel with missing architecture
(bsc#1122565)

spacewalk-setup:

- Use a Salt engine to process return results (bsc#1099988)

spacewalk-utils:

- Exit with an error if spacewalk-common-channels does not match any channel

spacewalk-web:

- Show feedback messages after using the retry option on the notification
messages page
- Change SCC sync backend to adapt quicker to SCC changes and improve
speed of syncing metadata and checking for channel dependencies
- Fix wording for taskotop (cosmetical only) (bsc#1118112)
- When changing basechannel the compatible old childchannels are now
selected by default. (bsc#1110772)

subscription-matcher:

- Old style hard bundle merging fix (bsc#1114059)

susemanager:

- Add bootstrap repo definition for OES 2018 SP1 (bsc#1116826)
- Rhnlib was renamed to python2-rhnlib. Change bootstrap data accordingly.
- Change SCC sync backend to adapt quicker to SCC changes and improve
speed of syncing metadata and checking for channel dependencies
- Adapt mgr-create-bootstrap-repo for Uyuni and let it create bootstrap
repos for openSUSE and CentOS
- Fetch packages from correct channel when creating a bootstrap repository
- Fix not found package on mgr-create-bootstrap-repo for SLE-15-s390x
(bsc#1116566)
- Add python3-six to bootstrap repo for SLES15 (bsc#1118478)

susemanager-docs_en:

- Update text and image files.
- Enhance forms documentation (more attributes).
- Proxy: for example, migration from traditional to Salt not supported.
- RAM requirements for host running kiwi OS images.
- Notification properties.
- Update scalability documentation.

susemanager-schema:

- Change SCC sync backend to adapt quicker to SCC changes and improve
speed of syncing metadata and checking for channel dependencies
- Performance improvements in channel management functionalities
(bsc#1114877)
- Use a Salt engine to process return results (bsc#1099988)

susemanager-sls:

- Improve salt events processing performance (bsc#1125097)
- Allow bootstrapping minions with a pending minion key being present
(bsc#1119727)
- Use a Salt engine to process return results (bsc#1099988)

susemanager-sync-data:

- Make SUSE Manager Tools channel mandatory (bsc#1123983)
- Add sle-module-web-scripting for OES2018 (bsc#1119233)
- Add new set of data for the new SCC sync backend
- Enable SLE15 SP1 family (bsc#1114268)
- Enable OES2018 SP1 (bsc#1116826)

tika-core:

- CVE-2018-17197: Fixed an infinite loop in the SQLite3Parser of Apache
Tika (bsc#1121038)


Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 3.2:

zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2019-341=1

- SUSE Manager Proxy 3.2:

zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2019-341=1



Package List:

- SUSE Manager Server 3.2 (ppc64le s390x x86_64):

smdba-1.6.3-0.3.6.13
spacewalk-branding-2.8.5.13-3.13.14
susemanager-3.2.15-3.16.13
susemanager-tools-3.2.15-3.16.13

- SUSE Manager Server 3.2 (noarch):

branch-network-formula-0.1.1545038754.c983fa6-3.6.13
netty-4.1.8.Final-2.7.4
py26-compat-salt-2016.11.10-6.18.14
python-susemanager-retail-1.0.1544459934.07229ad-2.9.13
python2-spacewalk-client-tools-2.8.22.4-3.3.13
saltboot-formula-0.1.1546527519.591e925-3.9.13
spacecmd-2.8.25.8-3.12.13
spacewalk-admin-2.8.4.3-3.3.13
spacewalk-backend-2.8.57.8-3.10.14
spacewalk-backend-app-2.8.57.8-3.10.14
spacewalk-backend-applet-2.8.57.8-3.10.14
spacewalk-backend-config-files-2.8.57.8-3.10.14
spacewalk-backend-config-files-common-2.8.57.8-3.10.14
spacewalk-backend-config-files-tool-2.8.57.8-3.10.14
spacewalk-backend-iss-2.8.57.8-3.10.14
spacewalk-backend-iss-export-2.8.57.8-3.10.14
spacewalk-backend-libs-2.8.57.8-3.10.14
spacewalk-backend-package-push-server-2.8.57.8-3.10.14
spacewalk-backend-server-2.8.57.8-3.10.14
spacewalk-backend-sql-2.8.57.8-3.10.14
spacewalk-backend-sql-oracle-2.8.57.8-3.10.14
spacewalk-backend-sql-postgresql-2.8.57.8-3.10.14
spacewalk-backend-tools-2.8.57.8-3.10.14
spacewalk-backend-xml-export-libs-2.8.57.8-3.10.14
spacewalk-backend-xmlrpc-2.8.57.8-3.10.14
spacewalk-base-2.8.7.12-3.16.12
spacewalk-base-minimal-2.8.7.12-3.16.12
spacewalk-base-minimal-config-2.8.7.12-3.16.12
spacewalk-client-tools-2.8.22.4-3.3.13
spacewalk-html-2.8.7.12-3.16.12
spacewalk-java-2.8.78.18-3.21.1
spacewalk-java-config-2.8.78.18-3.21.1
spacewalk-java-lib-2.8.78.18-3.21.1
spacewalk-java-oracle-2.8.78.18-3.21.1
spacewalk-java-postgresql-2.8.78.18-3.21.1
spacewalk-setup-2.8.7.6-3.13.13
spacewalk-taskomatic-2.8.78.18-3.21.1
spacewalk-utils-2.8.18.4-3.6.13
subscription-matcher-0.22-4.9.13
susemanager-advanced-topics_en-pdf-3.2-11.15.12
susemanager-best-practices_en-pdf-3.2-11.15.12
susemanager-docs_en-3.2-11.15.12
susemanager-getting-started_en-pdf-3.2-11.15.12
susemanager-jsp_en-3.2-11.15.12
susemanager-reference_en-pdf-3.2-11.15.12
susemanager-retail-tools-1.0.1544459934.07229ad-2.9.13
susemanager-schema-3.2.16-3.16.13
susemanager-sls-3.2.20-3.18.1
susemanager-sync-data-3.2.12-3.14.2
susemanager-web-libs-2.8.7.12-3.16.12
tika-core-1.20-3.6.13

- SUSE Manager Proxy 3.2 (noarch):

python2-spacewalk-check-2.8.22.4-3.3.13
python2-spacewalk-client-setup-2.8.22.4-3.3.13
python2-spacewalk-client-tools-2.8.22.4-3.3.13
spacewalk-backend-2.8.57.8-3.10.14
spacewalk-backend-libs-2.8.57.8-3.10.14
spacewalk-base-minimal-2.8.7.12-3.16.12
spacewalk-base-minimal-config-2.8.7.12-3.16.12
spacewalk-check-2.8.22.4-3.3.13
spacewalk-client-setup-2.8.22.4-3.3.13
spacewalk-client-tools-2.8.22.4-3.3.13
spacewalk-proxy-installer-2.8.6.4-3.6.13
susemanager-web-libs-2.8.7.12-3.16.12


References:

https://www.suse.com/security/cve/CVE-2018-17197.html
https://bugzilla.suse.com/1089121
https://bugzilla.suse.com/1098826
https://bugzilla.suse.com/1099988
https://bugzilla.suse.com/1104680
https://bugzilla.suse.com/1105720
https://bugzilla.suse.com/1105791
https://bugzilla.suse.com/1110427
https://bugzilla.suse.com/1110757
https://bugzilla.suse.com/1110772
https://bugzilla.suse.com/1111191
https://bugzilla.suse.com/1111686
https://bugzilla.suse.com/1111910
https://bugzilla.suse.com/1111963
https://bugzilla.suse.com/1112121
https://bugzilla.suse.com/1114029
https://bugzilla.suse.com/1114059
https://bugzilla.suse.com/1114115
https://bugzilla.suse.com/1114268
https://bugzilla.suse.com/1114877
https://bugzilla.suse.com/1115029
https://bugzilla.suse.com/1115978
https://bugzilla.suse.com/1116365
https://bugzilla.suse.com/1116566
https://bugzilla.suse.com/1116610
https://bugzilla.suse.com/1116826
https://bugzilla.suse.com/1117759
https://bugzilla.suse.com/1118112
https://bugzilla.suse.com/1118478
https://bugzilla.suse.com/1118917
https://bugzilla.suse.com/1119233
https://bugzilla.suse.com/1119271
https://bugzilla.suse.com/1119320
https://bugzilla.suse.com/1119727
https://bugzilla.suse.com/1119807
https://bugzilla.suse.com/1121038
https://bugzilla.suse.com/1121424
https://bugzilla.suse.com/1122565
https://bugzilla.suse.com/1123902
https://bugzilla.suse.com/1123983
https://bugzilla.suse.com/1124794
https://bugzilla.suse.com/1125097
https://bugzilla.suse.com/987798

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates