SUSE-RU-2023:2566-1
Vulnerability Summary
Description
Security update for SUSE Manager Server 4.3

This update fixes the following issues:

branch-network-formula:
- Update to version 0.1.1680167239.23f2fec
  * Remove unnecessary import of 'salt.ext.six'

cobbler:
- Fix cobbler buildiso so that the artifact can be booted by EFI firmware (bsc#1206060)
- Switch packaging from patch based to Git tree based development
- S390X systems require their kernel options to have a line break at 79 characters (bsc#1207595)
- Settings-migration-v1-to-v2.sh will now handle paths with whitespace correctly
- Fix renaming Cobbler items (bsc#1204900, bsc#1209149)
- 'cobbler buildiso' arguments '--system' and '--profile' are now accepted in the right order (bsc#1210776)

cpu-mitigations-formula:
- Update to version 0.5.0:
  * Mark all SUSE Linux Enterprise 15 SP4 and newer and openSUSE 15.4 and newer as supported (bsc#1210835)

hub-xmlrpc-api:
- Do not strictly require Go 1.18 on SUSE Linux Enterprise 15 SP3 (bsc#1203599)

perl-Satcon:
- Version 4.3.2-1
  * Accept keys with dots

python-urlgrabber:
- Raise proper exception from urlgrab() when local file is not found (bsc#1208288)

spacecmd:
- Version 4.3.21-1
  * Fix argument parsing of distribution_update (bsc#1210458)
- Version 4.3.20-1
  * Display activation key details after executing the corresponding command (bsc#1208719)
  * Show targeted packages before actually removing them (bsc#1207830)

spacewalk-admin:
- Version 4.3.11-1
  * Change backup file extension from .orig to .current_time (bsc#1206783)

spacewalk-backend:
- Version 4.3.21-1
  * Add package details to reposync error logging
  * Fix mgr-inter-sync not creating valid repository metadata when dealing with empty channels (bsc#1207829)
  * Filter CLM modular packages using release strings (bsc#1207814)
  * Fix issues with kickstart syncing on mirrorlist repositories
  * Do not sync .mirrorlist and other unneeded files
  * reposync: catch local file not found urlgrabber error properly (bsc#1208288)
- Version 4.3.20-1
  * Fix repo sync for cloud PAYG connected repositories (bsc#1208772)

spacewalk-config:
- Version 4.3.10-1
  * Add /saltboot directory
  * Mark /os-images and /tftp as static content

spacewalk-java:
- Security fixes included in this version update from 4.3.52-1 to 4.3.58-1:
  * CVE-2023-22644: Fix session information leak (bsc#1210107)
  * CVE-2023-22644: Do not output cobbler xmlrpc token in debug logs (bsc#1210162)
  * CVE-2023-22644: Fix credentials and other secrets disclosure when debug log is enabled (bsc#1210154)
  * CVE-2023-22644: Don't output URL parameters for tiny URLs (bsc#1210101)
  * CVE-2023-22644: Do not log SSL certificate / key file content (bsc#1210094)
  * CVE-2023-22644: Remove web session swap secrets output in logs (bsc#1210086)
- Non-security bug fixes included in this version update from 4.3.52-1 to 4.3.58-1:
  * Version 4.3.58-1
    + Make sure that all hibernate connections are closed (bsc#1208687)
  * Version 4.3.57-1
    + Update version of tomcat build dependencies
  * Version 4.3.55-1
    + Fix breadcrumbs on recurring actions pages
  * Version 4.3.54-1
    + Kernel options: only add quotes if there is a space in the value (bsc#1209926)
  * Version 4.3.53-1
    + Update Cobbler profile when a new image is deployed
    + Add mapping of image URLs for containerized proxy
    + Remove channels from client after transfer to a different organization (bsc#1209220)
    + Fix RHEL9 / SLL9 product discovery (bsc#1209993)
    + Fix displaying system channels when no base product is installed (bsc#1206423)
    + Fix NPE in cobbler system sync when server has no creator set
    + Recurring custom states
    + Removed the expensive 'diff' column (bsc#1208427)
    + Fix possible 'NullPointerException' when clicking on the 'Create PXE installation configuration' button from the Provisioning page
    + Fix possible 'NullPointerException' issues when running cobbler-sync-bunch
    + Do not trigger extra cobbler sync when changing kickstart data (bsc#1208536)
    + Set jasper development mode to false (bsc#1206191)
    + Fixed select all for PTF packages list (bsc#1209143)
    + Added SLES 12 support for PTF removal
    + Fixed issue with checking PTF repositories on cloned channels
    + Add support to add optional channels via web UI
    + Added APIs to allow frontend to install and remove PTFs
    + Show the package summary where applicable to better describe PTF packages
    + Added CLM filters to match product temporary fixes packages
    + Restrict product temporary fixes visibility in the UI and in the API responses
    + Fixed empty selection warning in the lock/unlock page
    + Set GPG Key URL for PTF repositories
    + Fix deleting custom info pillar (bsc#1209253)
    + Update report outdated system query to de-duplicate errata IDs
    + Refactor Software / Manage / Packages to use SQL paging (bsc#1206725)
    + Filter CLM modular packages using release strings (bsc#1207814)
    + Fix systems subscribed to channel CSV download (bsc#1201063)
    + Fix cobbler system entries for retail terminals (bsc#1208661)
    + Make API method systemgroup.listSystemsMinimal read-only (bsc#1208550)
    + Add missing text for user preferences page
    + Do not include channels from different orgs when listing mandatory channels (bsc#1204270)
    + Save scheduler user when creating Patch actions manually (bsc#1208321)
  * Version 4.3.52-1
    + Add more restricted arguments to prevent HTTP API logging sensitive data (bsc#1209386, bsc#1209395)
  * Version 4.3.51-1
    + Support multiple gpgkey URLs for a channel (bsc#1208540)

spacewalk-search:
- Version 4.3.9-1
  * Add maxPoolSize option to search

spacewalk-setup:
- Version 4.3.16-1
  * Enable netapi clients in master configuration (required for Salt 3006)
  * Persist report_db_sslrootcert value (bsc#1210349)
  * Fix migration test
  * Escape `%` in spec file
  * Remove useless tomcat configuration (bsc#1206191)
  * Use template for reportdb configuration (bsc#1206783)

spacewalk-web:
- Version 4.3.31-1
  * Fix title on recurring actions edit page
- Version 4.3.30-1
  * Disable login button with empty password
  * Ignore mandatory channels results that don't match list of channels (bsc#1204270)
  * Increase datetimepicker font sizes (bsc#1210437)
  * Recurring custom states
  * Fix an issue where the datetimepicker shows the wrong date (bsc#1209231)
  * Add support to add optional channels via web UI
  * Added pages to install and remove PTFs
  * Added CLM filters to match product temporary fixes packages
  * Refactor Software / Manage / Packages to use SQL paging (bsc#1206725)

subscription-matcher:
- Relax antlr version requirement

supportutils-plugin-susemanager:
- Version 4.3.7-1
  * Fix db connection check tool (bsc#1208586)

susemanager:
- Version 4.3.27-1
  * Use newest venv-salt-minion version available to generate the venv-enabled-*.txt file in bootstrap repos (bsc#1211958)
- Version 4.3.26-1
  * Add bootstrap repository definitions for SLE-Micro 5.4
  * Make python3-ordered-set optional for the SLE15 bootstrap repo as it is not required or present in SLE15SP3 or older
  * Add bootstrap repository definitions for openSUSE Leap 15.5
  * Add bootstrap repository definitions for SLE-Micro 5.1 (bsc#1209557)
  * Add SLES15SP5 to bootstrap repo definitions

susemanager-build-keys:
- Version 15.4.9
  * Add Debian 12 (bookworm) GPG keys (bsc#1212363)
  * Add new 4096 bit RSA SUSE Package Hub key
- Version 15.4.8
  * Add new 4096 bit RSA openSUSE build key gpg-pubkey-29b700a4.asc

susemanager-docs_en:
- Change cleanup Salt Client description
- Documentation Salt version updated to 3006
- Added SUSE Linux Enterprise Micro 5.4 support
- Added openSUSE Leap version 15.5
- Added SUSE Linux Enterprise version 15 SP5
- Documented new Recurring Actions feature
- Adjusted Single Sign-On example in Administration Guide according to Keycloak 21.0.1 update
- Add multiple GPG key URL usage to Client Configuration Guide to Keycloak 22.0.1 update
- Documented that custom info is available via pillars in Client Configuration Guide (bsc#1209253)
- Added updated options for rhn.conf file in the Administration Guide (bsc#1209508)
- Added instruction for Cobbler to use the correct label in Client Config Guide distro label (bsc#1205600)
- Adjusted python version and openSUSE Leap version in public cloud document (bsc#1209938)
- Fixed calculation of DB max-connections and aligned it with the supportconfig checking tool in the Tuning Guide
- Fixed Troubleshooting Corrupt Repositories procedure
- Branding updated for 2023
- New search engine optimization improvements for documentation
- Translations are now included in the WebUI help documentation
- Local search is now provided with the WebUI help documentation

susemanager-schema:
- Version 4.3.18-1
  * Recurring custom states
  * Added view to handle PTF packages and updated the procedures to refresh the updatable/installable packages
  * Fix update of SQL function create_new_org
  * Filter CLM modular packages using release strings (bsc#1207814)

susemanager-sls:
- Version 4.3.33-1
  * Fix duplicate packages in state
- Version 4.3.32-1
  * Disable salt-minion and remove its config file on cleanup (bsc#1209277)
  * Add kiwi supported disk images to be collectable (bsc#1208522)
  * Rename internal state 'synccustomall' to 'syncall'
  * Recurring custom states
  * To update everything on a Debian system, call dist-upgrade to be able to install and remove packages
  * Allow KiwiNG to be used on SLE12 build hosts (bsc#1204089)
  * Enforce installation of the PTF GPG key package
  * Improve error handling in mgr_events.py (bsc#1208687)
- Version 4.3.31-1
  * Support multiple gpgkey URLs for a channel (bsc#1208540)
  * Make SUSE Addon GPG key available on all instances (bsc#1208540)

susemanager-tftpsync:
- Version 4.3.4-1
  * Fix server-side cache that is used for only pushing files to proxies that need them, as well as propagating deletions (bsc#1209215)
  * Fix removal of proxies section in cobbler settings (bsc#1207063)

uyuni-common-libs:
- Version 4.3.8-1
  * Allow default component for context manager

virtual-host-gatherer:
- Version 1.0.26-1
  * Fix CPU calculation in the libvirt module and enhance the data structure with an OS value

How to apply this update:
1. Log in as root user to the SUSE Manager Server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-service start`
Affected Systems
- suse/branch-network-formula (SUSE Manager Server Module 4.3): < 0.1.1680167239.23f2fec-150400.3.3.3
- suse/cobbler (SUSE Manager Server Module 4.3): < 3.3.3-150400.5.25.3
- suse/cpu-mitigations-formula (SUSE Manager Server Module 4.3): < 0.5.0-150400.3.3.3
- suse/hub-xmlrpc-api (SUSE Manager Server Module 4.3): < 0.7-150400.5.6.5
- suse/mgr-daemon (SUSE Manager Proxy Module 4.3): < 4.3.7-150400.3.9.5
- suse/perl-Satcon (SUSE Manager Server Module 4.3): < 4.3.2-150400.3.3.5
- suse/python-urlgrabber (SUSE Manager Server Module 4.3): < 4.1.0-150400.4.3.6.3
- suse/spacecmd (SUSE Manager Proxy Module 4.3): < 4.3.21-150400.3.18.5
- suse/spacecmd (SUSE Manager Server Module 4.3): < 4.3.21-150400.3.18.5
- suse/spacewalk-admin (SUSE Manager Server Module 4.3): < 4.3.11-150400.3.6.6
- suse/spacewalk-backend (SUSE Manager Proxy Module 4.3): < 4.3.21-150400.3.21.13
- suse/spacewalk-backend (SUSE Manager Server Module 4.3): < 4.3.21-150400.3.21.13
- suse/spacewalk-config (SUSE Manager Server Module 4.3): < 4.3.10-150400.3.6.3
- suse/spacewalk-java (SUSE Manager Server Module 4.3): < 4.3.58-150400.3.46.4
- suse/spacewalk-proxy-installer (SUSE Manager Proxy Module 4.3): < 4.3.11-150400.3.6.4
- suse/spacewalk-proxy (SUSE Manager Proxy Module 4.3): < 4.3.16-150400.3.20.6
- suse/spacewalk-search (SUSE Manager Server Module 4.3): < 4.3.9-150400.3.12.7
- suse/spacewalk-setup (SUSE Manager Server Module 4.3): < 4.3.16-150400.3.21.6
- suse/spacewalk-web (SUSE Manager Proxy Module 4.3): < 4.3.31-150400.3.21.7
- suse/spacewalk-web (SUSE Manager Server Module 4.3): < 4.3.31-150400.3.21.7
- suse/supportutils-plugin-susemanager (SUSE Manager Server Module 4.3): < 4.3.7-150400.3.9.6
- suse/susemanager-build-keys (SUSE Manager Proxy Module 4.3): < 15.4.9-150400.3.20.2
- suse/susemanager-build-keys (SUSE Manager Server Module 4.3): < 15.4.9-150400.3.20.2
- suse/susemanager-docs_en (SUSE Manager Server Module 4.3): < 4.3-150400.9.27.3
- suse/susemanager-schema (SUSE Manager Server Module 4.3): < 4.3.18-150400.3.18.7
- suse/susemanager-sls (SUSE Manager Server Module 4.3): < 4.3.33-150400.3.25.7
- suse/susemanager-tftpsync (SUSE Manager Server Module 4.3): < 4.3.4-150400.3.9.9
- suse/susemanager (SUSE Manager Server Module 4.3): < 4.3.27-150400.3.26.5
- suse/uyuni-common-libs (SUSE Manager Proxy Module 4.3): < 4.3.8-150400.3.12.5
- suse/uyuni-common-libs (SUSE Manager Server Module 4.3): < 4.3.8-150400.3.12.5
- suse/virtual-host-gatherer (SUSE Manager Server Module 4.3): < 1.0.26-150400.3.12.3
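An added check, not part of the advisory: it compares the installed VERSION-RELEASE of listed packages against the fixed versions above using a Python re-implementation of rpm's version ordering, so that a server is only declared patched when every package has reached its threshold. The `rpm -qa` sample output is constructed, `FIXED` holds a subset of the versions listed above, and the code assumes these packages carry no epoch.

```python
import re
from itertools import zip_longest

# Fixed VERSION-RELEASE values copied from the advisory's Affected Systems list (a
# subset); assumes no epoch on these packages. rpm's caret ('^') rule is not implemented.
FIXED = {
    "spacewalk-java": "4.3.58-150400.3.46.4",
    "spacewalk-backend": "4.3.21-150400.3.21.13",
}
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Order two version/release strings as rpm does; returns -1, 0 or 1. Numeric
    segments beat alphabetic ones, longer is newer, '~' sorts lowest ('1.0~rc1' < '1.0')."""
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if (x == "~") != (y == "~"):      # exactly one side has a tilde: it is older
            return -1 if x == "~" else 1
        if x is None or y is None:        # one string ran out of segments
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() or y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0

def vr_cmp(a: str, b: str) -> int:
    """Compare 'VERSION-RELEASE' strings: version first, release breaks ties."""
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def still_affected(rpm_qa_output: str) -> dict:
    """Map each listed package below its fixed version to (installed, fixed), given
    lines from `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\\n'`."""
    hits = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            name, installed = line.split()
            fixed = FIXED.get(name)
            if fixed and vr_cmp(installed, fixed) < 0:
                hits[name] = (installed, fixed)
    return hits

# Constructed sample output, not from a real server: spacewalk-java is still behind.
SAMPLE_RPM_QA = """spacewalk-java 4.3.52-150400.3.40.2
spacewalk-backend 4.3.21-150400.3.21.13"""
```

On a real server, feed `still_affected()` the output of the quoted `rpm -qa` command after extending `FIXED` with the full list above; an empty result means every listed package is at or past its fixed version.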
References (59)
- https://www.suse.com/support/update/announcement/-2023-2566/suse-ru-20232566-1/
- https://bugzilla.suse.com/1201063
- https://bugzilla.suse.com/1203599
- https://bugzilla.suse.com/1204089
- https://bugzilla.suse.com/1204270
- https://bugzilla.suse.com/1204900
- https://bugzilla.suse.com/1205600
- https://bugzilla.suse.com/1206060
- https://bugzilla.suse.com/1206191
- https://bugzilla.suse.com/1206423
- https://bugzilla.suse.com/1206725
- https://bugzilla.suse.com/1206783
- https://bugzilla.suse.com/1207063
- https://bugzilla.suse.com/1207595
- https://bugzilla.suse.com/1207814
- https://bugzilla.suse.com/1207829
- https://bugzilla.suse.com/1207830
- https://bugzilla.suse.com/1208288
- https://bugzilla.suse.com/1208321
- https://bugzilla.suse.com/1208427
- https://bugzilla.suse.com/1208522
- https://bugzilla.suse.com/1208536
- https://bugzilla.suse.com/1208540
- https://bugzilla.suse.com/1208550
- https://bugzilla.suse.com/1208586
- https://bugzilla.suse.com/1208661
- https://bugzilla.suse.com/1208687
- https://bugzilla.suse.com/1208719
- https://bugzilla.suse.com/1208772
- https://bugzilla.suse.com/1208965
- https://bugzilla.suse.com/1209143
- https://bugzilla.suse.com/1209149
- https://bugzilla.suse.com/1209215
- https://bugzilla.suse.com/1209220
- https://bugzilla.suse.com/1209231
- https://bugzilla.suse.com/1209253
- https://bugzilla.suse.com/1209277
- https://bugzilla.suse.com/1209386
- https://bugzilla.suse.com/1209395
- https://bugzilla.suse.com/1209434
- https://bugzilla.suse.com/1209508
- https://bugzilla.suse.com/1209557
- https://bugzilla.suse.com/1209926
- https://bugzilla.suse.com/1209938
- https://bugzilla.suse.com/1209993
- https://bugzilla.suse.com/1210086
- https://bugzilla.suse.com/1210094
- https://bugzilla.suse.com/1210101
- https://bugzilla.suse.com/1210107
- https://bugzilla.suse.com/1210154
- https://bugzilla.suse.com/1210162
- https://bugzilla.suse.com/1210349
- https://bugzilla.suse.com/1210437
- https://bugzilla.suse.com/1210458
- https://bugzilla.suse.com/1210776
- https://bugzilla.suse.com/1210835
- https://bugzilla.suse.com/1211958
- https://bugzilla.suse.com/1212363
- https://www.suse.com/security/cve/CVE-2023-22644