Mailinglist Archive: opensuse-security-announce (20 mails)

[security-announce] SUSE-SU-2011:0653-1: important: SUSE Manager
SUSE Security Update: SUSE Manager
______________________________________________________________________________

Announcement ID: SUSE-SU-2011:0653-1
Rating: important
References: #644072 #644074 #644082 #674859 #685078 #685550
#685551 #689012 #691579 #693574 #694054 #695357
#695392 #697276
Cross-References: CVE-2009-4139 CVE-2011-1594
Affected Products:
SUSE Manager 1.2 for SLE 11 SP1
______________________________________________________________________________

An update that solves two vulnerabilities and has 12 fixes
is now available.

Description:


This security update of SUSE Manager fixes the following
vulnerabilities and adds the following improvements:

* CVE-2009-4139: A cross-site request forgery (CSRF)
attack can be used to execute web-actions within the SUSE
Manager web user interface with the privileges of the
attacked user.
* CVE-2011-1594: Open Redirect bug at the login page
(Phishing)
* using secure SSL ciphersuites only
* added a "password strength meter"
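The two web vulnerabilities above (CSRF against UI actions, and an open redirect on the login page) are both defended at the request handler. The following is an added illustration written for this archive entry, not SUSE Manager or Spacewalk code: a minimal login handler that rejects requests without a valid per-session CSRF token and only honours post-login redirect targets that are local, absolute paths. The session store, the `next` form parameter and the user table are constructed assumptions for the example.

```python
"""Login-handler hardening: per-session CSRF token plus open-redirect guard.
Added example (not SUSE Manager / Spacewalk code); names and stores are assumed."""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for a server-side session store: sid -> session data.
SESSIONS: Dict[str, dict] = {}

# Constructed credential table (assumption); a real application stores hashes.
VALID_USERS = {"alice": "correct horse battery staple"}


def new_session() -> str:
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token(sid: str) -> str:
    """Token the server embeds in its own forms for this session."""
    return SESSIONS[sid]["csrf"]


def csrf_valid(sid: str, submitted: Optional[str]) -> bool:
    """A forged cross-site request cannot read the victim's session token,
    so any action request lacking the exact token is refused."""
    session = SESSIONS.get(sid)
    if session is None or not submitted:
        return False
    # Constant-time comparison avoids leaking the token via timing.
    return hmac.compare_digest(session["csrf"], submitted)


def safe_redirect_target(target: Optional[str], default: str = "/") -> str:
    """Return `target` only if it is a local absolute path; otherwise `default`.
    Rejects absolute URLs, scheme-relative (//host) forms, backslash variants
    that some browsers treat as slashes, and control characters."""
    if not target:
        return default
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return default
    if "\\" in target:
        return default
    # Must start with exactly one slash: "/path" is local, "//host" is not.
    if not target.startswith("/") or target.startswith("//"):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default
    return target


def check_password(username: str, password: str) -> bool:
    expected = VALID_USERS.get(username)
    if expected is None:
        # Compare against a dummy to keep timing uniform for unknown users.
        hmac.compare_digest("x" * 16, "y" * 16)
        return False
    return hmac.compare_digest(expected, password)


def handle_login(sid: str, form: dict) -> Tuple[int, dict]:
    """Returns (status, headers-or-error) for a POSTed login form."""
    if not csrf_valid(sid, form.get("csrf_token")):
        return 403, {"error": "invalid or missing CSRF token"}
    if not check_password(form.get("username", ""), form.get("password", "")):
        return 401, {"error": "bad credentials"}
    # "next" is the assumed name of the post-login bounce parameter.
    return 302, {"Location": safe_redirect_target(form.get("next"))}


if __name__ == "__main__":
    sid = new_session()
    print(handle_login(sid, {"csrf_token": csrf_token(sid), "username": "alice",
                             "password": VALID_USERS["alice"], "next": "//evil.example/"}))
```

The redirect check deliberately whitelists a shape (single leading slash, no scheme, no host) rather than blacklisting known hostnames, since the attacker controls the string and URL parsers disagree on edge cases such as `///host` or `/\host`.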

Additionally, the following non-security issues were fixed:

* iso8859-1 handling of file names contained in packages
* fix encoding of summary and description of a package
if it is wrong
* improve error message when gpg key is wrong or missing
* do not trigger a resync if a file is missing, as this can cause
an endless loop
* do not send tracebacks as email if reposync failed
* fix errata export/import for sync
* handle sync with older spacewalk servers which do not
support weak dependencies
* remove misleading information about Changing SUSE
Manager hostname
* fix monitoring related path name reference
* fix malformed url error from pycurl when trying to
download products and subscriptions with --from-dir and
other minor issues
* added proxy authentication to ncc-sync
* fixed a syntax error on redirects when debugging is
turned on
* implement disconnected population of vendor channels
* use pycurl instead of urllib for remote requests
* catch cannot connect to database error
* fix parsing the proxy user from curlrc

How to apply this update:

1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: spacewalk-service stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: spacewalk-service start

Security Issue references:

* CVE-2009-4139
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4139>
* CVE-2011-1594
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1594>

Indications:

Every SUSE Manager user should update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Manager 1.2 for SLE 11 SP1:

zypper in -t patch sleman12sp1-suse-manager-201106-4708

To bring your system up-to-date, use "zypper patch".


Package List:

- SUSE Manager 1.2 for SLE 11 SP1 (x86_64):

spacewalk-backend-1.2.74-0.30.3
spacewalk-backend-app-1.2.74-0.30.3
spacewalk-backend-applet-1.2.74-0.30.3
spacewalk-backend-config-files-1.2.74-0.30.3
spacewalk-backend-config-files-common-1.2.74-0.30.3
spacewalk-backend-config-files-tool-1.2.74-0.30.3
spacewalk-backend-iss-1.2.74-0.30.3
spacewalk-backend-iss-export-1.2.74-0.30.3
spacewalk-backend-libs-1.2.74-0.30.3
spacewalk-backend-package-push-server-1.2.74-0.30.3
spacewalk-backend-server-1.2.74-0.30.3
spacewalk-backend-sql-1.2.74-0.30.3
spacewalk-backend-sql-oracle-1.2.74-0.30.3
spacewalk-backend-tools-1.2.74-0.30.3
spacewalk-backend-xml-export-libs-1.2.74-0.30.3
spacewalk-backend-xmlrpc-1.2.74-0.30.3
spacewalk-backend-xp-1.2.74-0.30.3
spacewalk-branding-1.2.2-0.18.2
susemanager-1.2.0-0.38.1
susemanager-tools-1.2.0-0.38.1

- SUSE Manager 1.2 for SLE 11 SP1 (noarch):

spacewalk-base-1.2.31-0.25.1
spacewalk-base-minimal-1.2.31-0.25.1
spacewalk-grail-1.2.31-0.25.1
spacewalk-html-1.2.31-0.25.1
spacewalk-java-1.2.115-0.42.1
spacewalk-java-config-1.2.115-0.42.1
spacewalk-java-lib-1.2.115-0.42.1
spacewalk-java-oracle-1.2.115-0.42.1
spacewalk-pxt-1.2.31-0.25.1
spacewalk-setup-1.2.16-0.18.1
spacewalk-sniglets-1.2.31-0.25.1
spacewalk-taskomatic-1.2.115-0.42.1
susemanager-client-config_en-pdf-1.2-0.34.1
susemanager-install_en-pdf-1.2-0.34.1
susemanager-jsp_en-1.2-0.26.3
susemanager-manuals_en-1.2-0.34.1
susemanager-proxy-quick_en-pdf-1.2-0.34.1
susemanager-quick_en-pdf-1.2-0.34.1
susemanager-reference_en-pdf-1.2-0.34.1


References:

http://support.novell.com/security/cve/CVE-2009-4139.html
http://support.novell.com/security/cve/CVE-2011-1594.html
https://bugzilla.novell.com/644072
https://bugzilla.novell.com/644074
https://bugzilla.novell.com/644082
https://bugzilla.novell.com/674859
https://bugzilla.novell.com/685078
https://bugzilla.novell.com/685550
https://bugzilla.novell.com/685551
https://bugzilla.novell.com/689012
https://bugzilla.novell.com/691579
https://bugzilla.novell.com/693574
https://bugzilla.novell.com/694054
https://bugzilla.novell.com/695357
https://bugzilla.novell.com/695392
https://bugzilla.novell.com/697276

http://download.novell.com/patch/finder/?keywords=0730ffb1d77928bc83ed1fb60f3b51b9

