For those that tried to update and got a problem where the services did not
restart, please run the following commands as root on the server:
spacewalk-service stop
rpm -i --force --replacepkgs salt-netapi-client-0.17.0-1.1.uyuni.noarch.rpm
spacewalk-service start
The problem happened because the version and the release of the
salt-netapi-client package were the same at the Stable repository and at the
The commands above will download the RPM from the Patches repository and
will force an installation ignoring the fact that the version installed on the
system is the same that is going to be installed.
Next time we need to provide such a patch, we will avoid such a problem by always
providing a new version for all packages (in this case salt-netapi-client
got a patch, but not a new version, while all other packages got the source
code changed and a new version).
Kudos to Torsten Haupt for his help testing the fix for this problem!
On Wednesday, 16 September 2020 19:15:22 (CEST) Julio González Gil wrote:
today we released an unscheduled maintenance update for CVE-2020-8028
(bsc#1175884), which is a security vulnerability of SUSE Manager and Uyuni
Servers. The bug has been kept under embargo since it was reported to this
day while we prepared a fix and coordinated the release.
Only users that have shell access to the Uyuni server can exploit this
vulnerability. This is not a common setup; shell access to the server should
usually be restricted to the server administrators.
In order to install this update please make sure you are on the most recent
release (2020.07) and use the following commands on the Uyuni server:
zypper update spacewalk-java-lib spacewalk-java spacewalk-java-config \
  spacewalk-java-postgresql spacewalk-taskomatic spacewalk-admin \
  spacewalk-setup salt-netapi-client
spacewalk-service start
After services start again, the Salt API endpoint will be authenticated and
As the fix changes the way the Salt API endpoint is served, it is expected
to break any third-party scripts or software that may rely on it. We will
take this occasion to remind you that:
- the Salt API endpoint configured by Uyuni at installation time is
exclusively for internal Uyuni use and by default not exposed to the
network. If your custom software depends on using the Salt API directly,
you are relying on something not supported by Uyuni.
- it is possible to define additional API endpoints, and secure them in a
variety of ways, and those are fine for custom scripts. More information
about how to configure those is available at:
If applying the update is not readily feasible, we recommend restricting
shell access to the Uyuni Server to the minimum set of users who really
need it - which is a standard, recommended security practice in any case.
More information is available at:
Julio González Gil
Release Engineer, SUSE Manager and Uyuni
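
The failure explained at the top of this message (a patched package published with the same version and release as the unpatched one) can be caught before publishing by comparing repository listings. The script below is an added example, not part of the original mail or of Uyuni tooling; the listing format, the function names, the example-pkg entries and the digests are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find packages whose name-version-release.arch is identical in
# two repositories while the package files differ. The package manager treats
# such a package as already installed, so a security fix is silently skipped.

# Print "<name-version-release.arch> <sha256>" for every RPM in directory $1.
# Needs rpm and sha256sum; not used by the constructed demo below.
list_repo_dir() {
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        nevra=$(rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}' "$f") || continue
        printf '%s %s\n' "$nevra" "$(sha256sum "$f" | cut -d' ' -f1)"
    done
}

# Compare two listings ($1, $2) and print every entry present in both with a
# different digest, i.e. same version and release but different content.
find_nevra_collisions() {
    awk '
        FILENAME == ARGV[1] { seen[$1] = $2; next }     # first listing
        ($1 in seen) && seen[$1] != $2 { print $1 }     # second listing
    ' "$1" "$2" | sort
}

# Constructed sample listings; the digests are placeholders, not real hashes.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/stable" <<'EOF'
salt-netapi-client-0.17.0-1.1.uyuni.noarch digest-constructed-A
example-pkg-1.0-1.1.noarch digest-constructed-B
EOF
    cat > "$tmp/patches" <<'EOF'
salt-netapi-client-0.17.0-1.1.uyuni.noarch digest-constructed-C
example-pkg-1.0-2.1.noarch digest-constructed-D
EOF
    find_nevra_collisions "$tmp/stable" "$tmp/patches"
    rm -rf "$tmp"
}

demo   # prints: salt-netapi-client-0.17.0-1.1.uyuni.noarch
```

Any line printed marks a package that needs a release bump before clients will pick up the patched build through a normal update.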