SUSE Security Update: SUSE Manager
______________________________________________________________________________

Announcement ID:    SUSE-SU-2011:0653-1
Rating:             important
References:         #644072 #644074 #644082 #674859 #685078 #685550 #685551
                    #689012 #691579 #693574 #694054 #695357 #695392 #697276
Cross-References:   CVE-2009-4139 CVE-2011-1594
Affected Products:
                    SUSE Manager 1.2 for SLE 11 SP1
______________________________________________________________________________

An update that solves two vulnerabilities and has 12 fixes is now available.

Description:

This security update of SUSE Manager fixes the following vulnerabilities and adds the following improvements:

* CVE-2009-4139: A cross-site request forgery (CSRF) attack could be used to execute web actions within the SUSE Manager web user interface with the privileges of the attacked (logged-in) user.
* CVE-2011-1594: Open redirect at the login page, usable for phishing (the user is sent to an attacker-chosen site after logging in).
* Only secure SSL cipher suites are offered.
* A "password strength meter" was added.

Additionally the following non-security issues were fixed:

* iso8859-1 handling of file names contained in packages
* fix encoding of the summary and description of a package if it is wrong
* improve the error message when a GPG key is wrong or missing
* do not trigger a resync if a file is missing; this could cause an endless loop
* do not send tracebacks by email if reposync failed
* fix errata export/import for sync
* handle sync with older Spacewalk servers which do not support weak dependencies
* remove misleading information about changing the SUSE Manager hostname
* fix monitoring-related path name reference
* fix "malformed url" error from pycurl when trying to download products and subscriptions with --from-dir, and other minor issues
* added proxy authentication to ncc-sync
* fixed a syntax error on redirects when debugging is turned on
* implement disconnected population of vendor channels
* use pycurl instead of urllib for remote requests
* catch "cannot connect to database" error
* fix parsing the proxy user from curlrc

How to apply this update:

1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service:
       spacewalk-service stop
3. Apply the patch using either "zypper patch" or YaST Online Update.
4. Start the Spacewalk service:
       spacewalk-service start

Security Issue references:

* CVE-2009-4139
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4139>
* CVE-2011-1594
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1594>
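The two web-UI issues above (CSRF on web actions, open redirect on the login page) are generic vulnerability classes, and an administrator may want to check an instance for them independently of this patch. The following Python block is an added, illustrative example; it is not SUSE Manager's or Spacewalk's code and does not show how the update fixes the bugs. It demonstrates the two controls that close these classes: a post-login return-URL check that only accepts a site-relative path (rejecting absolute URLs, "//host", "/\host" and "///host" forms that browsers resolve as a different host, javascript: URLs, and control characters), and a per-session anti-CSRF token that a cross-site form post cannot supply even though the browser attaches the session cookie. All names (DEFAULT_LANDING, safe_return_url, issue_csrf_token, authorize_web_action, the session id and the request dicts) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit

# Assumed post-login landing page; illustrative only, not a Spacewalk path.
DEFAULT_LANDING = "/rhn/YourRhn.do"


def safe_return_url(candidate, default=DEFAULT_LANDING):
    """Validate a post-login redirect target so it cannot leave this host.

    Accepts only a site-relative absolute path ("/...") and rebuilds it from
    parsed components.  Everything else falls back to `default`: absolute
    URLs, scheme-relative "//host", "/\\host" and "///host" (browsers treat
    these as a different host), javascript: URLs, and any string carrying
    control characters or spaces (a header-injection hazard in Location).
    """
    if not candidate:
        return default
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in candidate):
        return default
    # Exactly one leading slash: "//" and "/\" are authority separators to browsers.
    if candidate[0] != "/" or (len(candidate) > 1 and candidate[1] in "/\\"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    # Rebuild from path/query/fragment only, dropping anything else.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def issue_csrf_token(server_secret, session_id):
    """Per-session anti-CSRF token: HMAC(server secret, session id).

    The server embeds it in every state-changing form.  An attacker's page
    cannot read it because of the same-origin policy, so a cross-site form
    post arrives with the victim's cookie but without a valid token.
    """
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_web_action(server_secret, request):
    """Decide whether a state-changing web action is accepted.

    `request` is a constructed dict with keys method, cookie_session and
    form_token.  Only a POST whose token matches the session cookie passes;
    the cookie alone is not enough, which is what blocks CSRF.
    """
    if request.get("method") != "POST":
        return False
    session_id = request.get("cookie_session")
    if not session_id:
        return False
    expected = issue_csrf_token(server_secret, session_id)
    # Constant-time comparison so the token cannot be recovered byte by byte.
    return hmac.compare_digest(expected, request.get("form_token") or "")


def demo():
    """Run both checks on constructed inputs: a legitimate form post, a
    cross-site forged post, a benign return URL and a phishing return URL."""
    server_secret = secrets.token_bytes(32)
    victim_session = "sess-0123"  # constructed session id
    token = issue_csrf_token(server_secret, victim_session)
    legit = {"method": "POST", "cookie_session": victim_session, "form_token": token}
    forged = {"method": "POST", "cookie_session": victim_session, "form_token": ""}
    return {
        "legit_accepted": authorize_web_action(server_secret, legit),
        "forged_accepted": authorize_web_action(server_secret, forged),
        "benign_redirect": safe_return_url("/rhn/systems/Overview.do?sid=1"),
        "phish_redirect": safe_return_url("//evil.example/rhn/Login.do"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The redirect check deliberately whitelists a shape ("one slash, then a path") instead of blacklisting known hosts, because browser URL parsing normalises several spellings of an authority and a blacklist misses the next one. The CSRF token is bound to the session rather than to a global secret alone, so a token captured from one session is useless in another.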
Indications:

Every SUSE Manager user should update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Manager 1.2 for SLE 11 SP1:
    zypper in -t patch sleman12sp1-suse-manager-201106-4708

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Manager 1.2 for SLE 11 SP1 (x86_64):
    spacewalk-backend-1.2.74-0.30.3
    spacewalk-backend-app-1.2.74-0.30.3
    spacewalk-backend-applet-1.2.74-0.30.3
    spacewalk-backend-config-files-1.2.74-0.30.3
    spacewalk-backend-config-files-common-1.2.74-0.30.3
    spacewalk-backend-config-files-tool-1.2.74-0.30.3
    spacewalk-backend-iss-1.2.74-0.30.3
    spacewalk-backend-iss-export-1.2.74-0.30.3
    spacewalk-backend-libs-1.2.74-0.30.3
    spacewalk-backend-package-push-server-1.2.74-0.30.3
    spacewalk-backend-server-1.2.74-0.30.3
    spacewalk-backend-sql-1.2.74-0.30.3
    spacewalk-backend-sql-oracle-1.2.74-0.30.3
    spacewalk-backend-tools-1.2.74-0.30.3
    spacewalk-backend-xml-export-libs-1.2.74-0.30.3
    spacewalk-backend-xmlrpc-1.2.74-0.30.3
    spacewalk-backend-xp-1.2.74-0.30.3
    spacewalk-branding-1.2.2-0.18.2
    susemanager-1.2.0-0.38.1
    susemanager-tools-1.2.0-0.38.1

- SUSE Manager 1.2 for SLE 11 SP1 (noarch):
    spacewalk-base-1.2.31-0.25.1
    spacewalk-base-minimal-1.2.31-0.25.1
    spacewalk-grail-1.2.31-0.25.1
    spacewalk-html-1.2.31-0.25.1
    spacewalk-java-1.2.115-0.42.1
    spacewalk-java-config-1.2.115-0.42.1
    spacewalk-java-lib-1.2.115-0.42.1
    spacewalk-java-oracle-1.2.115-0.42.1
    spacewalk-pxt-1.2.31-0.25.1
    spacewalk-setup-1.2.16-0.18.1
    spacewalk-sniglets-1.2.31-0.25.1
    spacewalk-taskomatic-1.2.115-0.42.1
    susemanager-client-config_en-pdf-1.2-0.34.1
    susemanager-install_en-pdf-1.2-0.34.1
    susemanager-jsp_en-1.2-0.26.3
    susemanager-manuals_en-1.2-0.34.1
    susemanager-proxy-quick_en-pdf-1.2-0.34.1
    susemanager-quick_en-pdf-1.2-0.34.1
    susemanager-reference_en-pdf-1.2-0.34.1

References:

http://support.novell.com/security/cve/CVE-2009-4139.html
http://support.novell.com/security/cve/CVE-2011-1594.html
https://bugzilla.novell.com/644072
https://bugzilla.novell.com/644074
https://bugzilla.novell.com/644082
https://bugzilla.novell.com/674859
https://bugzilla.novell.com/685078
https://bugzilla.novell.com/685550
https://bugzilla.novell.com/685551
https://bugzilla.novell.com/689012
https://bugzilla.novell.com/691579
https://bugzilla.novell.com/693574
https://bugzilla.novell.com/694054
https://bugzilla.novell.com/695357
https://bugzilla.novell.com/695392
https://bugzilla.novell.com/697276
http://download.novell.com/patch/finder/?keywords=0730ffb1d77928bc83ed1fb60f...

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org