IMPORTANT: Security patches and feature patches for Uyuni Server 2022.10
Hello!

### Cobbler migration

Some users have reported that after the update to Uyuni 2022.10, there are still some problems related to Cobbler, where collections are not migrated, so the cobbler service fails to start at the Uyuni Server. In such situations some features can be broken, such as:

- Onboarding new clients
- Removing existing clients
- XML-RPC via HTTP
- spacecmd
- spacewalk-common-channels

This is not happening for most users, but we are now releasing a patch to address it and migrate any collections provided by any past cobbler version.

### File descriptors leakage

Some users reported that, after updating to Uyuni 2022.10, and after some days, the Server stopped working, and they saw a steady increase of "open files" or "allocated file descriptors".

This was caused by the migration to log4j2. Every time a taskomatic job object gets created, it initializes its own logger programmatically to write its logs into a file. The lifecycle of a job object is relatively short, but the log4j2 runtime doesn't know it: once the logger has been given permission to write into a file, there is nothing to release it after the job is over. Moreover, log4j2 keeps track of loggers based on class names, which effectively means we mutate the same logger object in memory over and over again with every new taskomatic job.

The fix adds functionality to re-initialize the logger when a new job comes around, dropping any file handler it has.
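To make the leak mechanism concrete, here is an added example that is not Uyuni's code and does not use log4j2: it models the same pattern in Python, whose `logging` module also keys loggers by name, so a "per-job" logger that attaches a new file handler on every job instance accumulates open descriptors exactly as described above. `LeakyJob`, `FixedJob`, `open_handlers` and the log file names are constructed for this illustration.

```python
"""Model of the taskomatic file-descriptor leak (constructed example, not Uyuni code).

A logger looked up by the job's class name is the same object for every job instance.
If each instance attaches a fresh file handler and nobody closes the old ones, the
number of open descriptors grows with every job that runs.
"""
import logging
import os
import tempfile

# Constructed location standing in for the taskomatic log directory.
LOG_DIR = tempfile.mkdtemp()


class LeakyJob:
    """Leaky pattern: every instance adds another handler to the shared named logger."""

    def __init__(self):
        self.log = logging.getLogger(type(self).__name__)  # same logger object each time
        handler = logging.FileHandler(os.path.join(LOG_DIR, "leaky.log"))  # opens an fd
        self.log.addHandler(handler)  # never removed or closed: the fd is leaked

    def run(self):
        self.log.warning("job ran")


class FixedJob:
    """Fixed pattern: re-initialise the logger, dropping any file handler it already has."""

    def __init__(self):
        self.log = logging.getLogger(type(self).__name__)
        for old in list(self.log.handlers):  # handlers left behind by previous jobs
            self.log.removeHandler(old)
            old.close()  # releases the file descriptor
        self.log.addHandler(logging.FileHandler(os.path.join(LOG_DIR, "fixed.log")))

    def run(self):
        self.log.warning("job ran")


def open_handlers(job_cls, runs):
    """Create and run `runs` jobs of `job_cls`, then return how many file handlers
    (each holding an open descriptor) are still attached to that class's logger."""
    for _ in range(runs):
        job_cls().run()
    return len(logging.getLogger(job_cls.__name__).handlers)


if __name__ == "__main__":
    print("leaky handlers after 20 jobs:", open_handlers(LeakyJob, 20))  # grows with each job
    print("fixed handlers after 20 jobs:", open_handlers(FixedJob, 20))  # stays at 1
```

On a server running thousands of short-lived jobs, the leaky variant is what shows up as an ever-growing "open files" count until the process hits its descriptor limit.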
### Security fixes

During a SUSE Manager and Uyuni security audit, the SUSE security team reported three vulnerabilities in the spacewalk-java source package (which provides the spacewalk-java-* and spacewalk-taskomatic packages):

* CVE-2022-31255: Fix directory path traversal vulnerability
* CVE-2022-43754: Fix reflected cross site scripting vulnerability
* CVE-2022-43753: Fix arbitrary file disclosure vulnerability

You can find more details at:

https://www.suse.com/security/cve/CVE-2022-31255.html
https://www.suse.com/security/cve/CVE-2022-43754.html
https://www.suse.com/security/cve/CVE-2022-43753.html

A patch for Uyuni 2022.10 fixing all of these issues was just published. Because of the security issues, it is strongly recommended that you update your server, even if you are not affected by the cobbler migration issues or the file descriptors leakage.

You can apply the patch at the Uyuni Server by following the instructions at: https://www.uyuni-project.org/pages/patches.html

Thanks to all users that reported the issues and helped with the debugging.

Happy hacking!
Participants (1): Julio Gonzalez