SUSE-SU-2020:0671-1

Advisory lineage: Upstream: 3, Downstream: 0
Published: 13 Mar 2020, 12:32
Last modified: 04 Feb 2026, 02:41

Vulnerability Summary

Overall Risk (default): minimal (0/100)
CVSS Score: No data
EPSS Score: No data
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Description

Security update for SUSE Manager Server 4.0

This update fixes the following issues:

branch-network-formula:
- Update formula to include terminal naming and identification

image-sync-formula:
- Prevent installing xdelta3 package and disable delta functionality on SLE12 branch servers (bsc#1159553)

mgr-osad:
- Take care that osad is not disabled nor deactivated during update (bsc#1157700, bsc#1158697)

patterns-suse-manager:
- Add recommends for virtualization-host-formula to suma_server pattern
- Add recommends for virtualization-host-formula to retail

prometheus-formula:
- Bugfix: disabled fields not enabled when checkbox is checked

pxe-default-image-sle15:
- Adapt to new kiwi version to fix pre registration in the bare-metal image (bsc#1153269)

pxe-formula:
- Add support for new features in terminal naming
- Remove branch_id from pxe form, moved to branch-network form

py26-compat-salt:
- Replace pycrypto with M2Crypto as dependency for SLE15+

python-susemanager-retail:
- Add support for terminal naming block
- Add delta support for SLE15 tar.xz bundles

redstone-xmlrpc:
- Disable external entity parsing (1790381, bsc#1164120, CVE-2020-1693)
- Do not download external entities (1555429, bsc#1085414, CVE-2018-1077)

salt-netapi-client:
- Version 0.17.0 See: https://github.com/SUSE/salt-netapi-client/releases/tag/v0.17.0

spacecmd:
- Bugfix: attempt to purge SSM when it is empty (bsc#1155372)

spacewalk-admin:
- Spell correctly 'successful' and 'successfully'

spacewalk-backend:
- Fix mgrcfg-client python3 breakage (bsc#1164309)
- Update doc link to point to new documentation server
- Prevent timestamp format exception on mgr-inter-sync while processing comps (bsc#1157346)
- When downloading repo metadata, don't add '/' to the repo url if it already ends with one (bsc#1158899)
- Use HTTP proxy settings when fetching the mirrorlist on spacewalk-repo-sync (bsc#1159076)
- Enhance suseProducts via ISS to fix SP migration on slave server (bsc#1159184)
- Prevent a traceback when reposyncing openSUSE 15.1 (bsc#1158672)
- Close config files after reading them (bsc#1158283)
- Associate VMs and systems with the same machine ID at bootstrap (bsc#1144176)

spacewalk-certs-tools:
- Add 'start_event_grains' minion option to configfile when generated by bootstrap script
- Forbid multiple activation keys for salt minions during bootstrap (bsc#1164452)
- Add additional minion options to configfile when generated by bootstrap script (bsc#1159492)
- Change the order to check the version correctly for RES (bsc#1152795)

spacewalk-client-tools:
- Spell correctly 'successful' and 'successfully'

system-lock-formula:
- Clarified terms along documentation and product (bsc#1166061)

spacewalk-java:
- Feat: enable Salt system lock when CaaSP node is onboarded and add dependency to 'system-lock-formula' (bsc#1165541)
- Support non discoverable fqdns via custom grain (bsc#1155281)
- Handle the non-existent requested grains gracefully
- Get the machineid grain from the minion startup event
- Use term 'patch' instead of 'errata' (bsc#1164649)
- Enable provisioning API with salt and bootstrap entitled systems
- Fix a problem with removing the monitoring entitlement from a system
- Improve performance when adding systems to system groups (bsc#1158754)
- Migrate pillar and formula data on minion id change (bsc#1161755)
- Change doc links pointing to new documentation server
- Call saltutil.sync_all before calling highstate (bsc#1152673)
- Exclude base products from PAYG (Pay-As-You-Go) instances when doing subscription matching
- Show additional headers and dependencies for deb packages
- Show adequate message on saving formulas that change only pillar data
- Fix mgr-sync add channel when fromdir is configured (bsc#1160184)
- Handle not found re-activation key (bsc#1159012)
- Write a list of formulas sorted by execution order (bsc#1083326)
- Use channel name from product tree instead of constructing it (bsc#1157317)
- Read the subscriptions from the output instead of input (bsc#1140332)
- Rename rhncfg-actions to mgr-cfg-actions in UI advice (bsc#1137248)
- Fix container image import (bsc#1154246)
- Add missing permission checks on formula api (bsc#1123274)
- Generate metadata with empty vendor (bsc#1158480)
- Remove undefined variable from redhat_register snippet
- Add a method in API to check if the provided session key is a valid one.
- Associate VMs and systems with the same machine ID at bootstrap (bsc#1144176)
- Fix minion id when applying engine-events state (bsc#1158181)
- Remove unnecessary WARN log entries from Kubernetes integration
- Fix for pillar not being refreshed when CaaSP pattern is detected upon software profile update (bsc#1166061)

spacewalk-search:
- Make rhn-search log to correct file (bsc#1156751)

spacewalk-setup:
- Spell correctly 'successful' and 'successfully'
- create AJP connector for tomcat if it does not exist (bsc#1165927, bsc#1166388)

spacewalk-utils:
- Spell 'successfully' correctly

spacewalk-web:
- Don't validate mandatory fields that are not visible (bsc#1158943)
- Fix count of changes to build (bsc#1160940)
- Report merge_subscriptions message in a readable way (bsc#1140332)
- Fix ordering by date (bsc#1158818)

subscription-matcher:
- Add missing library for SLE15 SP2 (slf4j-log4j12)
- Make the code usable with Math3 on SLES
- Use log4j12 package on newer SLE versions
- Aggregate stackable subscriptions with same parameters
- Implement new 'swap move' used in optaplanner (bsc#1140332)
- Enable aarch64 builds, except for SLE < 15

susemanager:
- Add missing python libraries to RES8/RHEL8/CentOS 8 bootstrap repos (bsc#1164875)
- Add bootstrap-repo data for OES 2018 SP2 (bsc#1161862)
- Add bootstrap-repo data for SLE15 SP2 Family
- Fix documentation URL in installer (bsc#1154590)
- Update requirements to match documented values (bsc#1154599)

susemanager-doc-indexes:
- Adding Additional FQDNS for Proxies with Salt
- Reference guide review and update moving content into tabular format
- Autogenerate pdf index from antora html nav lists
- Documentation needs to address using RHEL8 in the correct way (bsc#1159023)
- Traditional clients bootstrap, the example applies to SLES ES 7 only (bsc#1158564)
- Remove auditlog-keeper from list
- Removed duplicate client requirements entries
- Fix missing spaces throughout docs
- Added the complete path for using manager-setup
- Fix typo in vhm-kubernetes
- Cleaned up client registration documents
- Improved ubuntu instructions
- Explain how to compose a DSN string for monitoring
- Added publishing dates to individual book intros
- Updated common spacewalk-common-channels usage

susemanager-docs_en:
- Adding Additional FQDNS for Proxies with Salt
- Reference guide review and update moving content into tabular format
- Autogenerate pdf index from antora html nav lists
- Documentation needs to address using RHEL8 in the correct way (bsc#1159023)
- Traditional clients bootstrap, the example applies to SLES ES 7 only (bsc#1158564)
- Remove auditlog-keeper from list
- Removed duplicate client requirements entries
- Fix missing spaces throughout docs
- Added the complete path for using manager-setup
- Fix typo in vhm-kubernetes
- Cleaned up client registration documents
- Improved ubuntu instructions
- Explain how to compose a DSN string for monitoring
- Added publishing dates to individual book intros
- Updated common spacewalk-common-channels usage

susemanager-schema:
- Add new 'payg' attribute to rhnServer table
- Enable re-activation keys for salt managed systems (bsc#1159012)
- Generate metadata with empty vendor (bsc#1158480)
- Fix rhnActionVirtDelete when migrating from 3.2 to 4.0 (bsc#1158178)

susemanager-sls:
- Install dmidecode before HW profile update when missing
- Add mgr_start_event_grains.sls to update minion config
- Add 'product' custom state module to handle installation of SUSE products at client side (bsc#1157447)
- Support reading of pillar data for minions from multiple files (bsc#1158754)
- Do not workaround util.syncmodules for SSH minions (bsc#1162609)
- Force to run util.synccustomall when triggering action chains on SSH minions (bsc#1162683).
- Add custom 'is_payg_instance' grain when instance is PAYG and not BYOS.
- Adapt sls file for pre-downloading in Ubuntu minions
- Sort formulas by execution order (bsc#1083326)
- Split remove_traditional_stack into two parts. One for all systems and another for clients not being a Uyuni Server or Proxy (bsc#1121640)
- Change the order to check the version correctly for RES (bsc#1152795)
- Do not break Servers registering to a Server
- Remove the virt-poller cache when applying Virtualization entitlement
- Force HTTP request timeout on public cloud grain (bsc#1157975)

susemanager-sync-data:
- Add OES 2018 SP2 (bsc#1161862)
- Rename RHEL 8 Base product
- Change channel family name according to SCC data

How to apply this update:

1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: spacewalk-service stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Upgrade the database schema: spacewalk-schema-upgrade
5. Start the Spacewalk service: spacewalk-service start

Affected Systems

  • branch-network-formula (SUSE Manager Server Module 4.0): < 0.1.1580471316.1839544-3.10.2
  • image-sync-formula (SUSE Manager Server Module 4.0): < 0.1.1579102150.4716559-3.11.2
  • mgr-osad (SUSE Manager Proxy Module 4.0): < 4.0.11-3.9.2
  • mgr-osad (SUSE Manager Server Module 4.0): < 4.0.11-3.9.2
  • patterns-suse-manager (SUSE Manager Proxy Module 4.0): < 4.0-9.10.2
  • patterns-suse-manager (SUSE Manager Server Module 4.0): < 4.0-9.10.2
  • prometheus-formula (SUSE Manager Server Module 4.0): < 0.1-4.7.2
  • pxe-default-image-sle15 (SUSE Manager Server Module 4.0): < 4.0.1-20200305173027
  • pxe-formula (SUSE Manager Server Module 4.0): < 0.1.1580384994.6076a7e-3.11.2
  • py26-compat-salt (SUSE Manager Server Module 4.0): < 2016.11.10-10.11.2
  • python-susemanager-retail (SUSE Manager Server Module 4.0): < 1.0.1580471316.1839544-3.13.2
  • redstone-xmlrpc (SUSE Manager Server Module 4.0): < 1.1_20071120-0.11.3.2
  • salt-netapi-client (SUSE Manager Server Module 4.0): < 0.17.0-4.3.2
  • spacecmd (SUSE Manager Proxy Module 4.0): < 4.0.18-3.13.2
  • spacecmd (SUSE Manager Server Module 4.0): < 4.0.18-3.13.2
  • spacewalk-admin (SUSE Manager Server Module 4.0): < 4.0.9-3.6.2
  • spacewalk-backend (SUSE Manager Proxy Module 4.0): < 4.0.30-3.23.3
  • spacewalk-backend (SUSE Manager Server Module 4.0): < 4.0.30-3.23.3
  • spacewalk-certs-tools (SUSE Manager Proxy Module 4.0): < 4.0.15-3.15.2
  • spacewalk-certs-tools (SUSE Manager Server Module 4.0): < 4.0.15-3.15.2
  • spacewalk-client-tools (SUSE Manager Proxy Module 4.0): < 4.0.12-3.13.2
  • spacewalk-client-tools (SUSE Manager Server Module 4.0): < 4.0.12-3.13.2
  • spacewalk-java (SUSE Manager Server Module 4.0): < 4.0.31-3.23.1
  • spacewalk-search (SUSE Manager Server Module 4.0): < 4.0.9-3.11.2
  • spacewalk-setup (SUSE Manager Server Module 4.0): < 4.0.13-3.11.1
  • spacewalk-utils (SUSE Manager Server Module 4.0): < 4.0.16-3.15.2
  • spacewalk-web (SUSE Manager Proxy Module 4.0): < 4.0.19-3.18.3
  • spacewalk-web (SUSE Manager Server Module 4.0): < 4.0.19-3.18.3
  • subscription-matcher (SUSE Manager Server Module 4.0): < 0.25-3.3.2
  • supportutils-plugin-susemanager-client (SUSE Manager Proxy Module 4.0): < 4.0.3-3.3.2
  • supportutils-plugin-susemanager-proxy (SUSE Manager Proxy Module 4.0): < 4.0.3-3.3.2
  • susemanager-doc-indexes (SUSE Manager Server Module 4.0): < 4.0-10.18.2
  • susemanager-docs_en (SUSE Manager Server Module 4.0): < 4.0-10.18.2
  • susemanager-schema (SUSE Manager Server Module 4.0): < 4.0.18-3.17.2
  • susemanager-sls (SUSE Manager Server Module 4.0): < 4.0.24-3.17.2
  • susemanager-sync-data (SUSE Manager Server Module 4.0): < 4.0.16-3.15.2
  • susemanager (SUSE Manager Server Module 4.0): < 4.0.22-3.20.3
  • system-lock-formula (SUSE Manager Server Module 4.0): < 0.2-4.5.1
  • virtualization-host-formula (SUSE Manager Server Module 4.0): < 0.2-4.3.2
