SUSE-RU-2023:2595-1
Description
Security update for SUSE Manager Server 4.2

This update fixes the following issues:

branch-network-formula:
- Update to version 0.1.1680167239.23f2fec
  * Remove unnecessary import of 'salt.ext.six'

cpu-mitigations-formula:
- Update to version 0.5.0:
  * Mark all SUSE Linux Enterprise 15 SP4 and newer and openSUSE 15.4 and newer as supported (bsc#1210835)

hub-xmlrpc-api:
- Do not strictly require Go 1.18 on SUSE Linux Enterprise 15 SP3 (bsc#1203599)

inter-server-sync:
- Version 0.2.8
  * Correctly detect product name and product version number
  * Import image channel data only when related software channel is available (bsc#1211330)

perl-Satcon:
- Version 4.2.3-1
  * Accept keys with dots

spacecmd:
- Version 4.2.23-1
  * Fix argument parsing of distribution_update (bsc#1210458)

spacewalk-backend:
- Version 4.2.28-1
  * Filter CLM modular packages using release strings (bsc#1207814)
  * Add package details to reposync error logging

spacewalk-certs-tools:
- Version 4.2.20-1
  * Update translations

spacewalk-java:
- Security fixes in version 4.2.50-1:
  * CVE-2023-22644: Remove web session swap secrets output in logs (bsc#1210086)
  * CVE-2023-22644: Do not output URL parameters for tiny urls (bsc#1210101)
  * CVE-2023-22644: Fix session information leak (bsc#1210107)
  * CVE-2023-22644: Do not output Cobbler xmlrpc token in debug logs (bsc#1210162)
  * CVE-2023-22644: Fix credentials and other secrets disclosure when debug log is enabled (bsc#1210154)
  * CVE-2023-22644: Prevent logging formula data (bsc#1209386, bsc#1209434)
- Other non-security issues fixed in version 4.2.50-1:
  * Fix misleading error message regarding SCC credentials removal (bsc#1207941)
  * Fix issue with `aclChannelTypeCapable` that prevented errata view in deb arch
  * Refresh pillars after setting custom values via SSM (bsc#1210659)
  * Report SSM power management errors in 'rhn_web_ui' (bsc#1210406)
  * Filter CLM modular packages using release strings (bsc#1207814)
  * Allow processing big state results (bsc#1210957)
  * Use glassfish-activation-api instead of gnu-jaf
  * Fix Internal Server Error when URI contains invalid sysid (bsc#1186011)
  * kernel options: only add quotes if there is a space in the value (bsc#1209926)
  * Fix link to Knowledge Base articles (bsc#1210311)
  * Remove channels from client after transfer to a different organization (bsc#1209220)
  * Fix displaying system channels when no base product is installed (bsc#1206423)
  * Fix broken ifcfg grub option on reinstallation (bsc#1210232)
  * Fix NPE in Cobbler system sync when server has no creator set
  * Add listSystemEvents missing API endpoint (bsc#1209877)

spacewalk-setup:
- Version 4.2.12-1
  * Enable netapi clients in master configuration (required for Salt 3006)

spacewalk-utils:
- Version 4.2.19-1
  * spacewalk-hostname-rename remains stuck at refreshing pillars (bsc#1207550)

spacewalk-web:
- Version 4.2.35-1
  * Show loading indicator on formula details pages (bsc#1179747)
  * Increase datetimepicker font sizes (bsc#1210437)
  * Fix an issue where the datetimepicker shows wrong date (bsc#1209231)

supportutils-plugin-susemanager:
- Version 4.2.7-1
  * Fix property name to tune for salt events queue processing

susemanager:
- Version 4.3.27-1
  * Use newest venv-salt-minion version available to generate the venv-enabled-*.txt file in bootstrap repos (bsc#1211958)
- Version 4.2.41-1
  * Add bootstrap repository definitions for openSUSE Leap 15.5
  * Add bootstrap repository definitions for SUSE Linux Enterprise Server 15 SP5

susemanager-build-keys:
- Version 15.3.9
  * Add SUSE Liberty v2 key (bsc#1212096)
  * Add Debian 12 (bookworm) GPG keys (bsc#1212363)
  * Add new 4096 bit RSA SUSE Package Hub key
- Version 15.3.8
  * Fix installation of SUSE Linux Enterprise 15 RSA reserve build key
  * Add new 4096 bit RSA openSUSE build key gpg-pubkey-29b700a4.asc

susemanager-sls:
- Version 4.2.34-1
  * Trust new Liberty Linux v2 key (bsc#1212096)

susemanager-doc-indexes:
- Salt version changed to 3006.0
- Added note for clarification between self-installed and cloud instances of Ubuntu
- Improved pay-as-you-go documentation in the Install and Upgrade Guide (bsc#1208984)
- Added comment about activation keys for LTSS clients in Client Configuration Guide (bsc#1210011)
- Updated API script examples to Python 3 in Administration Guide and Large Deployment Guide
- Changed cleanup Salt Client description
- Added instruction for Cobbler to use the correct distro label in Client Configuration Guide (bsc#1205600)
- Added updated options for rhn.conf file in the Administration Guide (bsc#1209508)
- Fixed calculation of DB max-connections and aligned it with the supportconfig checking tool in the Tuning Guide

susemanager-docs_en:
- Salt version changed to 3006.0
- Added note for clarification between self-installed and cloud instances of Ubuntu
- Improved pay-as-you-go documentation in the Install and Upgrade Guide (bsc#1208984)
- Added comment about activation keys for LTSS clients in Client Configuration Guide (bsc#1210011)
- Updated API script examples to Python 3 in Administration Guide and Large Deployment Guide
- Changed cleanup Salt Client description
- Added instruction for Cobbler to use the correct distro label in Client Configuration Guide (bsc#1205600)
- Added updated options for rhn.conf file in the Administration Guide (bsc#1209508)
- Fixed calculation of DB max-connections and aligned it with the supportconfig checking tool in the Tuning Guide

susemanager-schema:
- Version 4.2.28-1
  * Filter CLM modular packages using release strings (bsc#1207814)
  * Repeat schema migrations for module metadata storage (bsc#1209915)

susemanager-sls:
- Version 4.2.33-1
  * Include automatic migration from Salt 3000 to Salt bundle in highstate
  * Disable salt-minion and remove its config file on cleanup (bsc#1209277)
  * To update everything on a Debian system, call dist-upgrade to be able to install and remove packages

virtual-host-gatherer:
- Version 1.0.26-1
  * Fix cpu calculation in the libvirt module and enhance the data structure by os value

How to apply this update:
1. Log in as root user to the SUSE Manager Server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-service start`
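A way to confirm after step 4 that a server is no longer on an affected build, written as an added example that is not part of the advisory or of SUSE's own tooling: it implements a simplified rpmvercmp (tilde and caret rules omitted), compares installed version-release strings against a subset of the fixed versions listed under Affected Systems below, and runs over constructed `rpm -qa` output.

```python
import re

# Fixed version-release strings from this advisory's Affected Systems table (subset).
FIXED = {
    "spacewalk-java": "4.2.50-150300.3.66.5",
    "spacewalk-backend": "4.2.28-150300.4.41.4",
    "spacewalk-web": "4.2.35-150300.3.44.4",
    "susemanager-build-keys": "15.3.9-150300.3.14.1",
}
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")  # rpmvercmp compares these segments in turn

def rpmvercmp(a, b):
    """Simplified rpmvercmp (tilde/caret rules omitted): returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:  # both numeric: compare as integers (leading zeros ignored)
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:  # a numeric segment sorts after an alpha segment
            return 1 if xd else -1
        elif x != y:  # both alpha: plain string order
            return -1 if x < y else 1
    if len(sa) != len(sb):  # extra trailing segments make a version newer
        return -1 if len(sa) < len(sb) else 1
    return 0

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    (va, ra), (vb, rb) = a.split("-", 1), b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def affected(pkg, installed):
    """True when the installed version-release is below the advisory's fixed one."""
    return pkg in FIXED and evr_cmp(installed, FIXED[pkg]) < 0

def scan(rpm_qa_output):
    """Return {name: installed} for packages in the output that are still affected."""
    # expects lines produced by: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
    pairs = (line.split() for line in rpm_qa_output.splitlines() if line.strip())
    return {name: vr for name, vr in pairs if affected(name, vr)}

# Constructed sample output, not from a real server; two packages lag behind.
SAMPLE = """spacewalk-java 4.2.49-150300.3.63.2
spacewalk-backend 4.2.28-150300.4.41.4
spacewalk-web 4.2.35-150300.3.40.1
tomcat 9.0.36-150200.38.1"""
```

On a real server, feed `scan()` the output of the `rpm -qa` query named in the comment; an empty result means every listed package is at or above the fixed version.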
Affected Systems
- branch-network-formula (SUSE Manager Server Module 4.2) < 0.1.1680167239.23f2fec-150300.3.6.2
- cpu-mitigations-formula (SUSE Manager Server Module 4.2) < 0.5.0-150300.3.6.2
- hub-xmlrpc-api (SUSE Manager Server Module 4.2) < 0.7-150300.3.12.3
- inter-server-sync (SUSE Manager Server Module 4.2) < 0.2.8-150300.8.31.2
- perl-Satcon (SUSE Manager Server Module 4.2) < 4.2.3-150300.3.3.3
- spacecmd (SUSE Manager Proxy Module 4.2) < 4.2.23-150300.4.39.4
- spacecmd (SUSE Manager Server Module 4.2) < 4.2.23-150300.4.39.4
- spacewalk-backend (SUSE Manager Proxy Module 4.2) < 4.2.28-150300.4.41.4
- spacewalk-backend (SUSE Manager Server Module 4.2) < 4.2.28-150300.4.41.4
- spacewalk-certs-tools (SUSE Manager Proxy Module 4.2) < 4.2.20-150300.3.30.4
- spacewalk-certs-tools (SUSE Manager Server Module 4.2) < 4.2.20-150300.3.30.4
- spacewalk-java (SUSE Manager Server Module 4.2) < 4.2.50-150300.3.66.5
- spacewalk-proxy-installer (SUSE Manager Proxy Module 4.2) < 4.2.12-150300.3.17.2
- spacewalk-setup (SUSE Manager Server Module 4.2) < 4.2.12-150300.3.18.3
- spacewalk-ssl-cert-check (SUSE Manager Proxy Module 4.2) < 4.2.3-150300.3.3.2
- spacewalk-utils (SUSE Manager Server Module 4.2) < 4.2.19-150300.3.24.2
- spacewalk-web (SUSE Manager Proxy Module 4.2) < 4.2.35-150300.3.44.4
- spacewalk-web (SUSE Manager Server Module 4.2) < 4.2.35-150300.3.44.4
- supportutils-plugin-susemanager (SUSE Manager Server Module 4.2) < 4.2.7-150300.3.15.4
- susemanager-build-keys (SUSE Manager Proxy Module 4.2) < 15.3.9-150300.3.14.1
- susemanager-build-keys (SUSE Manager Server Module 4.2) < 15.3.9-150300.3.14.1
- susemanager-doc-indexes (SUSE Manager Server Module 4.2) < 4.2-150300.12.45.4
- susemanager-docs_en (SUSE Manager Server Module 4.2) < 4.2-150300.12.45.2
- susemanager-schema (SUSE Manager Server Module 4.2) < 4.2.28-150300.3.38.4
- susemanager-sls (SUSE Manager Server Module 4.2) < 4.2.34-150300.3.51.1
- susemanager (SUSE Manager Server Module 4.2) < 4.2.42-150300.3.54.4
- virtual-host-gatherer (SUSE Manager Server Module 4.2) < 1.0.26-150300.3.15.2
References (38)
- https://www.suse.com/support/update/announcement/-2023-2595/suse-ru-20232595-1/
- https://bugzilla.suse.com/1179747
- https://bugzilla.suse.com/1186011
- https://bugzilla.suse.com/1203599
- https://bugzilla.suse.com/1205600
- https://bugzilla.suse.com/1206423
- https://bugzilla.suse.com/1207550
- https://bugzilla.suse.com/1207814
- https://bugzilla.suse.com/1207941
- https://bugzilla.suse.com/1208984
- https://bugzilla.suse.com/1209220
- https://bugzilla.suse.com/1209231
- https://bugzilla.suse.com/1209277
- https://bugzilla.suse.com/1209386
- https://bugzilla.suse.com/1209434
- https://bugzilla.suse.com/1209508
- https://bugzilla.suse.com/1209877
- https://bugzilla.suse.com/1209915
- https://bugzilla.suse.com/1209926
- https://bugzilla.suse.com/1210011
- https://bugzilla.suse.com/1210086
- https://bugzilla.suse.com/1210101
- https://bugzilla.suse.com/1210107
- https://bugzilla.suse.com/1210154
- https://bugzilla.suse.com/1210162
- https://bugzilla.suse.com/1210232
- https://bugzilla.suse.com/1210311
- https://bugzilla.suse.com/1210406
- https://bugzilla.suse.com/1210437
- https://bugzilla.suse.com/1210458
- https://bugzilla.suse.com/1210659
- https://bugzilla.suse.com/1210835
- https://bugzilla.suse.com/1210957
- https://bugzilla.suse.com/1211330
- https://bugzilla.suse.com/1211958
- https://bugzilla.suse.com/1212096
- https://bugzilla.suse.com/1212363
- https://www.suse.com/security/cve/CVE-2023-22644