Maintenance update for SUSE Manager 4.2: Server, Proxy and Retail Branch Server

Announcement ID:	SUSE-SU-2023:1831-1
Rating:	important
References:	bsc#1179926 bsc#1197027 bsc#1206562 bsc#1206973 bsc#1207063 bsc#1207308 bsc#1207352 bsc#1207490 bsc#1207799 bsc#1207829 bsc#1207830 bsc#1207838 bsc#1207883 bsc#1208288 bsc#1208321 bsc#1208325 bsc#1208586 bsc#1208687 bsc#1208719 bsc#1208772 bsc#1208908 bsc#1209369 bsc#1209386 bsc#1209434 bsc#1209703 jsc#PED-2777
Cross-References:	CVE-2020-8908 CVE-2022-0860 CVE-2023-22644
CVSS scores:	CVE-2020-8908 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2020-8908 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2022-0860 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVE-2022-0860 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2023-22644 ( NVD ): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Affected Products:	Development Tools Module 15-SP4 openSUSE Leap 15.4 SUSE Enterprise Storage 7 SUSE Enterprise Storage 7.1 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.2 SUSE Manager Proxy 4.2 Module 4.2 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.2 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.2 SUSE Manager Server 4.2 Module 4.2 SUSE Manager Server 4.3

An update that solves three vulnerabilities, contains one feature and has 22 security fixes can now be installed.

Security update for SUSE Manager Server 4.2

Description:

This update fixes the following issues:

cobbler:

• CVE-2022-0860: Unbreak PAM authentication due to missing encode of user input in the PAM auth module of Cobbler (bsc#1197027)
• Fix S390X auto-installation for cases where kernel options are longer than 79 characters (bsc#1207308)
• Switch packaging from patch based to Git tree based development
• All patches that are being removed in this revision are contained in the new Git tree.

guava:

• Upgrade to guava 30.1.1
• CVE-2020-8908: temp directory creation vulnerability in Guava versions prior to 30.0. (bsc#1179926)
• Remove parent reference from ALL distributed pom files
• Avoid version-less dependencies that can cause problems with some tools
• Build the package with ant in order to prevent build cycles using a generated and customized ant build system
• Produce with Java >= 9 binaries that are compatible with Java 8

jsr-305:

• Deliver jsr-305 to SUSE Manager as Guava dependency

mgr-libmod:

• Version 4.2.8-1
• Ignore extra metadata fields for Liberty Linux (bsc#1208908)

spacecmd:

• Version 4.2.22-1
• Display activation key details after executing the corresponding command (bsc#1208719)
• Show targetted packages before actually removing them (bsc#1207830)
• Fix spacecmd not showing any output for softwarechannel_diff and softwarechannel_errata_diff (bsc#1207352)

spacewalk-backend:

• Version 4.2.27-1
• Fix the mgr-inter-sync not creating valid repository metadata when dealing with empty channels (bsc#1207829)
• Fix repo sync for cloud "Pay As You Go" connected repositories (bsc#1208772)
• Fix issues with kickstart syncing on mirrorlist repositories
• Do not sync .mirrorlist and other non needed files
• reposync: catch local file not found urlgrabber error properly (bsc#1208288)

spacewalk-client-tools:

• Version 4.2.23-1
• Update translation strings

spacewalk-java:

• Version 4.2.49-1

• Refactor Java notification synchronize to avoid deadlocks (bsc#1209369)

• Version 4.2.48-1

• Prevent logging formula data (bsc#1209386)
• Use gnu-jaf instead of jaf
• Use reload4j instead of log4j or log4j12
• Use slf4j-reload4j
• Save scheduler user when creating Patch actions manually (bsc#1208321)
• Add mgr_server_is_uyuni minion pillar item
• Do not execute immediately Package Refresh action for the SSH minion (bsc#1208325)
• Mark as failed actions that cannot be scheduled because earliest date is too old
• Update earliest date when rescheduling failed actions (bsc#1206562)
• Fix reconnection of postgres event stream
• fix NumberFormatException when syncing Ubuntu errata (bsc#1207883)
• Fix duplicate keys in image tables (bsc#1207799)
• Fix CLM environments UI for environment labels containing dots (bsc#1207838)

spacewalk-search:

• Version 4.2.10-1
• Use reload4j instead of log4j or log4j12

spacewalk-web:

• Version 4.2.34-1

• Fix datetime picker appearing behind modal edge (bsc#1209703)

• Version 4.2.33-1

• Deprecate jQuery datepicker, integrate React datepicker
• Fix CLM environments UI for environment labels containing dots (bsc#1207838)

subscription-matcher:

• Relax antlr version requirement

supportutils-plugin-susemanager:

• Version 4.2.6-1
• Fix DB connection check tool (bsc#1208586)

susemanager-build-keys:

• Version 15.3.7 (jsc#PED-2777):
• Add new 4096 bit RSA build key gpg-pubkey-3fa1d6ce-63c9481c.asc
• add new 4096 bit RSA reserve build key gpg-pubkey-d588dc46-63c939db.asc
• Add 2022 2048 bit RSA PTF key suse_ptf_key-6F5DA62B.asc
• Add new 4096 bit RSA PTF key suse_ptf_key_2023.asc

susemanager-doc-indexes:

• Removed z196 and z114 from listing in System Z chapter of the Installation and Upgrade Guide (bsc#1206973)
• Branding updated for 2023
• New search engine optimization improvements for documentation
• Translations are now included in the webui help documentation
• Local search is now provided with the webui help documentation

susemanager-docs_en:

• Removed z196 and z114 from listing in System Z chapter of the Installation and Upgrade Guide (bsc#1206973)
• Branding updated for 2023
• New search engine optimization improvements for documentation
• Translations are now included in the WebUI help documentation
• Local search is now provided with the WebUI help documentation

susemanager-sls:

• Version 4.2.32-1
• Improve error handling in mgr_events.py (bsc#1208687)

susemanager-tftpsync:

• Version 4.2.4-1
• Fix removal of proxies section in cobbler settings (bsc#1207063)

uyuni-common-libs:

• Version 4.2.10-1
• Allow default component for context manager.

virtual-host-gatherer:

• Version 1.0.25-1
• Report total CPU numbers in the libvirt module

How to apply this update:

1. Log in as root user to the SUSE Manager Server.
2. Stop the Spacewalk service: spacewalk-service stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: spacewalk-service start

Recommended update for SUSE Manager Proxy and Retail Branch Server 4.2

Description:

This update fixes the following issues:

mgr-daemon:

• Version 4.2.11-1
• Update translation strings

spacecmd:

• Version 4.2.22-1
• Display activation key details after executing the corresponding command (bsc#1208719)
• Show targetted packages before actually removing them (bsc#1207830)
• Fix spacecmd not showing any output for softwarechannel_diff and softwarechannel_errata_diff (bsc#1207352)

spacewalk-backend:

• Version 4.2.27-1
• Fix the mgr-inter-sync not creating valid repository metadata when dealing with empty channels (bsc#1207829)
• fix repo sync for cloud payg connected repositories (bsc#1208772)
• Fix issues with kickstart syncing on mirrorlist repositories
• Do not sync .mirrorlist and other non needed files
• reposync: catch local file not found urlgrabber error properly (bsc#1208288)

spacewalk-client-tools:

• Version 4.2.23-1
• Update translation strings

spacewalk-proxy:

• Version 4.2.14-1
• Avoid unnecessary debug messages from proxy backend (bsc#1207490)

spacewalk-web:

• Version 4.2.34-1

• Fix datetime picker appearing behind modal edge (bsc#1209703)

• Version 4.2.33-1

• Deprecate jQuery datepicker, integrate React datepicker
• Fix CLM environments UI for environment labels containing dots (bsc#1207838)

susemanager-build-keys:

• Version 15.3.7 (jsc#PED-2777):
• Add new 4096 bit RSA build key gpg-pubkey-3fa1d6ce-63c9481c.asc
• Add new 4096 bit RSA reserve build key gpg-pubkey-d588dc46-63c939db.asc
• Add 2022 2048 bit RSA PTF key suse_ptf_key-6F5DA62B.asc
• Add new 4096 bit RSA PTF key suse_ptf_key_2023.asc

uyuni-common-libs:

• Version 4.2.10-1
• Allow default component for context manager.

How to apply this update:

1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
2. Stop the proxy service: spacewalk-proxy stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: spacewalk-proxy start

Recommended update for jsr-305

Description:

This update for jsr-305 provides the following fix:

- Ship the correct versions of jsr-305 on SUSE Manager repositories (no source changes).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Manager Proxy 4.2 Module 4.2
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.2-2023-1831=1
• SUSE Manager Server 4.2 Module 4.2
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2023-1831=1
• openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2023-1831=1
• Development Tools Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2023-1831=1
• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-1831=1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-1831=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-1831=1
• SUSE Linux Enterprise Real Time 15 SP3
  zypper in -t patch SUSE-SLE-Product-RT-15-SP3-2023-1831=1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-1831=1
• SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-1831=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2023-1831=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-1831=1
• SUSE Enterprise Storage 7.1
  zypper in -t patch SUSE-Storage-7.1-2023-1831=1
• SUSE Enterprise Storage 7
  zypper in -t patch SUSE-Storage-7-2023-1831=1

Package List:

• SUSE Manager Proxy 4.2 Module 4.2 (noarch)
  • spacewalk-proxy-salt-4.2.14-150300.3.27.6
  • python3-spacewalk-client-tools-4.2.23-150300.4.33.7
  • spacewalk-client-setup-4.2.23-150300.4.33.7
  • spacewalk-base-minimal-4.2.34-150300.3.41.5
  • python3-spacewalk-client-setup-4.2.23-150300.4.33.7
  • susemanager-build-keys-15.3.6-150300.3.9.5
  • spacewalk-client-tools-4.2.23-150300.4.33.7
  • spacewalk-proxy-management-4.2.14-150300.3.27.6
  • spacecmd-4.2.22-150300.4.36.7
  • mgr-daemon-4.2.11-150300.2.12.5
  • spacewalk-proxy-redirect-4.2.14-150300.3.27.6
  • spacewalk-check-4.2.23-150300.4.33.7
  • spacewalk-base-minimal-config-4.2.34-150300.3.41.5
  • spacewalk-proxy-package-manager-4.2.14-150300.3.27.6
  • susemanager-build-keys-web-15.3.6-150300.3.9.5
  • spacewalk-proxy-common-4.2.14-150300.3.27.6
  • python3-spacewalk-check-4.2.23-150300.4.33.7
  • spacewalk-proxy-broker-4.2.14-150300.3.27.6
  • spacewalk-backend-4.2.27-150300.4.38.7
• SUSE Manager Proxy 4.2 Module 4.2 (x86_64)
  • python3-uyuni-common-libs-4.2.10-150300.3.17.6
• SUSE Manager Server 4.2 Module 4.2 (noarch)
  • guava-30.1.1-150300.4.3.4
  • virtual-host-gatherer-libcloud-1.0.25-150300.3.12.5
  • virtual-host-gatherer-VMware-1.0.25-150300.3.12.5
  • spacewalk-backend-package-push-server-4.2.27-150300.4.38.7
  • spacewalk-backend-xmlrpc-4.2.27-150300.4.38.7
  • spacewalk-java-lib-4.2.49-150300.3.63.3
  • spacewalk-backend-app-4.2.27-150300.4.38.7
  • spacewalk-java-4.2.49-150300.3.63.3
  • spacewalk-base-minimal-config-4.2.34-150300.3.41.5
  • susemanager-sls-4.2.32-150300.3.46.5
  • susemanager-docs_en-pdf-4.2-150300.12.42.5
  • susemanager-doc-indexes-4.2-150300.12.42.6
  • subscription-matcher-0.29-150300.6.15.5
  • virtual-host-gatherer-Nutanix-1.0.25-150300.3.12.5
  • spacewalk-backend-4.2.27-150300.4.38.7
  • spacewalk-search-4.2.10-150300.3.18.6
  • spacewalk-base-minimal-4.2.34-150300.3.41.5
  • spacewalk-backend-sql-postgresql-4.2.27-150300.4.38.7
  • mgr-libmod-4.2.8-150300.3.9.6
  • spacewalk-backend-iss-export-4.2.27-150300.4.38.7
  • susemanager-docs_en-4.2-150300.12.42.5
  • supportutils-plugin-susemanager-4.2.6-150300.3.12.5
  • spacewalk-backend-applet-4.2.27-150300.4.38.7
  • spacewalk-backend-config-files-common-4.2.27-150300.4.38.7
  • spacewalk-html-4.2.34-150300.3.41.5
  • spacewalk-backend-server-4.2.27-150300.4.38.7
  • spacewalk-backend-config-files-tool-4.2.27-150300.4.38.7
  • spacewalk-backend-config-files-4.2.27-150300.4.38.7
  • cobbler-3.1.2-150300.5.22.5
  • spacewalk-base-4.2.34-150300.3.41.5
  • spacewalk-backend-xml-export-libs-4.2.27-150300.4.38.7
  • virtual-host-gatherer-1.0.25-150300.3.12.5
  • spacewalk-backend-iss-4.2.27-150300.4.38.7
  • spacecmd-4.2.22-150300.4.36.7
  • spacewalk-backend-tools-4.2.27-150300.4.38.7
  • virtual-host-gatherer-Kubernetes-1.0.25-150300.3.12.5
  • susemanager-build-keys-15.3.6-150300.3.9.5
  • spacewalk-java-postgresql-4.2.49-150300.3.63.3
  • jsr-305-3.0.2-150200.3.7.5
  • python3-spacewalk-client-tools-4.2.23-150300.4.33.7
  • uyuni-config-modules-4.2.32-150300.3.46.5
  • spacewalk-client-tools-4.2.23-150300.4.33.7
  • spacewalk-backend-sql-4.2.27-150300.4.38.7
  • susemanager-build-keys-web-15.3.6-150300.3.9.5
  • spacewalk-java-config-4.2.49-150300.3.63.3
  • spacewalk-taskomatic-4.2.49-150300.3.63.3
• SUSE Manager Server 4.2 Module 4.2 (ppc64le s390x x86_64)
  • susemanager-tftpsync-4.2.4-150300.3.6.6
  • python3-uyuni-common-libs-4.2.10-150300.3.17.6
• openSUSE Leap 15.4 (noarch)
  • jsr-305-3.0.2-150200.3.7.5
  • jsr-305-javadoc-3.0.2-150200.3.7.5
• Development Tools Module 15-SP4 (noarch)
  • jsr-305-3.0.2-150200.3.7.5
• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
  • jsr-305-3.0.2-150200.3.7.5
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (noarch)
  • jsr-305-3.0.2-150200.3.7.5
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
  • jsr-305-3.0.2-150200.3.7.5
• SUSE Linux Enterprise Real Time 15 SP3 (noarch)
  • jsr-305-3.0.2-150200.3.7.5
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
  • jsr-305-3.0.2-150200.3.7.5
• SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch)
  • jsr-305-3.0.2-150200.3.7.5
• SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
  • jsr-305-3.0.2-150200.3.7.5
• SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
  • jsr-305-3.0.2-150200.3.7.5
• SUSE Enterprise Storage 7.1 (noarch)
  • jsr-305-3.0.2-150200.3.7.5
• SUSE Enterprise Storage 7 (noarch)
  • jsr-305-3.0.2-150200.3.7.5

References:

• https://www.suse.com/security/cve/CVE-2020-8908.html
• https://www.suse.com/security/cve/CVE-2022-0860.html
• https://www.suse.com/security/cve/CVE-2023-22644.html
• https://bugzilla.suse.com/show_bug.cgi?id=1179926
• https://bugzilla.suse.com/show_bug.cgi?id=1197027
• https://bugzilla.suse.com/show_bug.cgi?id=1206562
• https://bugzilla.suse.com/show_bug.cgi?id=1206973
• https://bugzilla.suse.com/show_bug.cgi?id=1207063
• https://bugzilla.suse.com/show_bug.cgi?id=1207308
• https://bugzilla.suse.com/show_bug.cgi?id=1207352
• https://bugzilla.suse.com/show_bug.cgi?id=1207490
• https://bugzilla.suse.com/show_bug.cgi?id=1207799
• https://bugzilla.suse.com/show_bug.cgi?id=1207829
• https://bugzilla.suse.com/show_bug.cgi?id=1207830
• https://bugzilla.suse.com/show_bug.cgi?id=1207838
• https://bugzilla.suse.com/show_bug.cgi?id=1207883
• https://bugzilla.suse.com/show_bug.cgi?id=1208288
• https://bugzilla.suse.com/show_bug.cgi?id=1208321
• https://bugzilla.suse.com/show_bug.cgi?id=1208325
• https://bugzilla.suse.com/show_bug.cgi?id=1208586
• https://bugzilla.suse.com/show_bug.cgi?id=1208687
• https://bugzilla.suse.com/show_bug.cgi?id=1208719
• https://bugzilla.suse.com/show_bug.cgi?id=1208772
• https://bugzilla.suse.com/show_bug.cgi?id=1208908
• https://bugzilla.suse.com/show_bug.cgi?id=1209369
• https://bugzilla.suse.com/show_bug.cgi?id=1209386
• https://bugzilla.suse.com/show_bug.cgi?id=1209434
• https://bugzilla.suse.com/show_bug.cgi?id=1209703
• https://jira.suse.com/browse/PED-2777