Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

Announcement ID: SUSE-SU-2024:0485-1
Rating: important
CVSS scores:
  • CVE-2023-31582 (SUSE): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2023-31582 (NVD): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:
  • SUSE Manager Proxy 4.3
  • SUSE Manager Proxy 4.3 Module 4.3
  • SUSE Manager Retail Branch Server 4.3
  • SUSE Manager Server 4.3
  • SUSE Manager Server 4.3 Module 4.3

An update that solves two vulnerabilities, contains one feature and has 44 security fixes can now be installed.

Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3

Description:

This update fixes the following issues:

mgr-daemon:

  • Version 4.3.8-1
  • Update translation strings

patterns-suse-manager:

  • Add liberate-formula to the required packages for the server to get it installed by default

spacecmd:

  • Version 4.3.26-1
  • Update translation strings

spacewalk-backend:

  • Version 4.3.27-1
  • Fix issue in "spacewalk-repo-sync" when RPM packages contain files larger than 4GB (bsc#1219151)
  • Version 4.3.26-1
  • Fix decompressing and renaming bzip2 comps files in reposync
  • Update query to the new credentials structure
  • Remove normalize_orphan_vendor_packages and move it to taskomatic (bsc#1216781)
  • Skip syncing packages with incorrect metadata (bsc#1213738)
  • Update translation strings

spacewalk-certs-tools:

  • Version 4.3.22-1
  • Skip deploying the CA into the Salt directory on proxies (bsc#1219850)
  • Version 4.3.21-1
  • Deploy the CA certificate also into the Salt filesystem (bsc#1219577)
  • Version 4.3.20-1
  • Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615)
  • Include reboot info beacon in the bootstrap script for transactional systems (bsc#1217588)

spacewalk-client-tools:

  • Version 4.3.18-1
  • Update translation strings

spacewalk-web:

  • Version 4.3.37-1
  • Fix the use of page size preference in systems and packages lists (bsc#1217209)
  • Fix issue displaying Ansible playbook name (bsc#1216657)
  • Add support for PaygNotCompliantWarning notification
  • Bump web.version to 4.3.11

susemanager-build-keys:

  • Version 15.4.10
  • Add new AlmaLinux 8 GPG Key (bsc#1218849)
  • Refresh extended Uyuni GPG public key

How to apply this update:

  1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
  2. Stop the proxy service: spacewalk-proxy stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the proxy service: spacewalk-proxy start

Security update for SUSE Manager Server 4.3

Description:

This update fixes the following issues:

cobbler:

  • Build the appendline correctly for RHEL-family <= 9 (bsc#1216437)
  • Notify to "systemd" when cobblerd startup is finished (bsc#1215982)
  • Enable ppc64(le) buildiso support (bsc#1214077)

grafana-formula:

  • Version 0.10.0
  • Replace legacy message queue metrics with Salt queue metrics
  • Grafana formula should not be supported in a Proxy/Retail

inter-server-sync:

  • Version 0.3.2-1
  • Fix conflict in rhndistchannelmap (bsc#1216114)

jose4j:

  • CVE-2023-31582: Insecure Password-Based Encryption Iteration Count (bsc#1216609)

liberate-formula:

  • Version 0.1.0
  • Provide liberate-formula, a formula for converting a system to SUSE Liberty Linux

patterns-suse-manager:

  • Add liberate-formula to the required packages for the server to get it installed by default

prometheus-formula:

  • Version 0.8.0
  • Fix federation endpoint
  • Add remote write configuration
  • Add group filtering for service discovery relabeling configuration
  • Version 0.7.1
  • Fix PrometheusNotIngestingSamples false positive alerts (bsc#1216550)

prometheus-postgres_exporter:

  • Do not build debug if RHEL >= 8
  • Do not strip if SUSE Linux Enterprise 15 SP3
  • Build at least with Go >= 1.18 on RHEL
  • Build with Go >= 1.20 elsewhere

saltboot-formula:

  • Update to version 0.1.1701196218.b6b8ca1
  • Remove f-formatting to be compatible with python < 3.6
  • Update packaging not to package salt directories
  • Update to version 0.1.1692188980.9aa0455

spacecmd:

  • Version 4.3.26-1
  • Update translation strings

spacewalk-backend:

  • Version 4.3.27-1
  • Fix issue in "spacewalk-repo-sync" when RPM packages contain files larger than 4GB (bsc#1219151)
  • Version 4.3.26-1
  • Fix decompressing and renaming bzip2 comps files in reposync
  • Update query to the new credentials structure
  • Remove normalize_orphan_vendor_packages and move it to taskomatic (bsc#1216781)
  • Skip syncing packages with incorrect metadata (bsc#1213738)
  • Update translation strings

spacewalk-certs-tools:

  • Version 4.3.22-1
  • Skip deploying the CA into the Salt directory on proxies (bsc#1219850)
  • Version 4.3.21-1
  • Deploy the CA certificate also into the Salt filesystem (bsc#1219577)
  • Version 4.3.20-1
  • Handle server keys in PKCS8 format in mgr-ssl-cert-setup (bsc#1218615)
  • Include reboot info beacon in the bootstrap script for transactional systems (bsc#1217588)

spacewalk-client-tools:

  • Version 4.3.18-1
  • Update translation strings

spacewalk-java:

  • Version 4.3.71-1
  • Generate server SSH key also when bootstrapping regular Minions (bsc#1219449)
  • Version 4.3.70-1
  • Fix the use of page size preference in systems and packages lists (bsc#1217209)
  • Fix issue with disabling token check not working (bsc#1218669)
  • Enforce snakeyaml version requirement (bsc#1215166)
  • Improve the performance of paginated queries when syncing the reporting database (bsc#1211912, bsc#1213079)
  • Do not require entitlement for Pay-as-you-go SUSE Linux Enterprise Server for SAP (bsc#1217069)
  • Use the base product file to show the correct SUSE Manager product in the subscription matching results page
  • Do not require entitlements if SUSE Manager is Pay-as-you-go
  • Exclude SUSE Manager from subscription matching if it's Pay-as-you-go
  • Refactor Credentials to a proper class hierarchy
  • Fix unit test about duplicated packages
  • Prevent installation of packages with same name in a single action (bsc#1214791)
  • When canceling an action which has prerequisites, return hints to get the first action id which can be canceled (bsc#1216988)
  • Fix exception when removing a Debian package (bsc#1216781)
  • Fix XSS in taskomatic XML RPC handler (bsc#1210911)
  • Improve logging for Product Migration (bsc#1218490)
  • Add only 1 IP for Cloud RMT Host in /etc/hosts
  • Change org for orphan vendor packages that an admin can delete (bsc#1216781)
  • Expose the monitoring data for the Salt queue handling the Salt results
  • Provide total number of CPUs for SUSE Linux Enterprise Micro systems to subscription matcher when it is not used as hypervisor to match vCore subscriptions correctly (bsc#1218074)
  • Try to download compressed Ubuntu USN database
  • Add user information to system organization transfer message (bsc#1216753)
  • CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions (bsc#1170848)
  • Add notification in daily email in addition to in SUSE Manager home page when SUSE Manager Pay-as-you-go is not compliant
  • Fix apidoc link from #top to $call.name (bsc#1213507)
  • Add config option to disable remote commands from web UI (bsc#1217869)
  • Address high rating Sonar issues
  • Refactor SUSE Customer Center registration flow
  • Avoid blocking Taskomatic thread when waiting for queued action (bsc#1211560)
  • Fix modify kickstart profile when using "Always newest tree" option (bsc#1215813)
  • Configure reboot method for SUSE Linux Enterprise Micro when applying bootstrap state (bsc#1213981)
  • Handle not existing known_host file in permission check
  • Fix handling of proxy ssh public keys
  • Include reboot required indication for non-SUSE distros

spacewalk-setup:

  • Version 4.3.19-1
  • Update query to the new credentials structure
  • Fix setting SUSE Customer Center password during setup

spacewalk-utils:

  • Version 4.3.19-1
  • Add SUSE Linux Enterprise Micro 5.4 and 5.5 to spacewalk-commons-channels

spacewalk-web:

  • Version 4.3.37-1
  • Fix the use of page size preference in systems and packages lists (bsc#1217209)
  • Fix issue displaying Ansible playbook name (bsc#1216657)
  • Add support for PaygNotCompliantWarning notification
  • Bump web.version to 4.3.11

subscription-matcher:

  • Version 0.35
  • Added missing part number
  • Version 0.34
  • Enabled support for Long Term Service Pack Support subscriptions (bsc#1218075)
  • Added SUSE Linux Enterprise Micro vCore handling (bsc#1218074)
  • Added new SKUs and new bundles

supportutils-plugin-susemanager:

  • Version 4.3.10-1
  • Update query to the new credentials structure

susemanager:

  • Version 4.3.34-1
  • Rename Open Enterprise Server label to OES23.4 (bsc#1215514)
  • Verify in YaST FQDN with name returned via DNS reverse lookup
  • CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions (bsc#1170848)

susemanager-build-keys:

  • Version 15.4.10
  • Add new AlmaLinux 8 GPG Key (bsc#1218849)
  • Refresh extended Uyuni GPG public key

susemanager-docs_en:

  • Removed obsolete traditional to Salt migration documentation from the System Types section of the Client Configuration Guide and updated the Migrate traditional clients to Salt clients section
  • Fixed navigation bar of Client Configuration Guide (bsc#1218089)
  • Added openSUSE Leap to Supported Features navigation list in Client Configuration Guide (bsc#1218094)
  • Described new monitoring metrics for Salt queue in Administration Guide
  • Fixed xrefs for internal book references
  • Removed mentioning that CVE number for CVE auditing is optional (bsc#1218019)
  • Corrected channel names for CentOS 7 Updates and Extras in CentOS Client Configuration Guide
  • Documented bootstrap settings for SUSE Linux Enterprise Micro in Client Configuration Guide (bsc#1216394)
  • Corrected command mgr-push to mgrpush in Administration Guide (bsc#1215810)
  • Updated Red Hat OVAL data URL and file in CentOS Clients Registration in Client Configuration Guide
  • Added Pay-as-you-go for Azure documentation to the Specialized Guides book
  • Added Pay-as-you-go limitations chapter to Pay-as-you-go Guide
  • Removed Ubuntu 18.04 from the list of supported clients
  • Fixed file location in Custom Salt Formulas section of Salt Guide
  • Documented using Virtualization Host formula in Client Configuration

susemanager-schema:

  • Version 4.3.24-1
  • Refactor susecredentials to support the new hierarchy
  • Improve performance of System (bsc#1211254)
  • Change schedule of system-profile-refresh to run on the 2nd Saturday of a month to not collide with normal working times (bsc#1215769)

susemanager-sls:

  • Version 4.3.40-1
  • Remove automatic reboot from transactional systems bootstrap (bsc#1218146)
  • Version 4.3.39-1
  • Change certs/RHN-ORG-TRUSTED-SSL-CERT from symlink into a real file (bsc#1219577)
  • Version 4.3.38-1
  • Improve Pay-as-you-go instance detection (bsc#1217784)
  • CVE-2023-32189: Fix issue with Salt SSH keys for Salt SSH Minions (bsc#1170848)
  • Configure reboot method for SUSE Linux Enterprise Micro when applying bootstrap state (bsc#1213981)
  • Include reboot required indication for non-SUSE distros

susemanager-sync-data:

  • Version 4.3.16-1
  • Fix OES 23.4 internal name (bsc#1218837)
  • Version 4.3.15-1
  • Update release status and repository description of Open Enterprise Server 23.4 (bsc#1215514)
  • Add new SUSE Liberty Linux 7 Long Term Service Pack Support channel families
  • Rename Red Hat Enterprise Linux and Liberty 8 Base product to remove EOL CentOS 8 from the name

uyuni-reportdb-schema:

  • Version 4.3.9-1
  • Provide reportdb upgrade schema path structure

How to apply this update:

  1. Log in as root user to the SUSE Manager Server.
  2. Stop the Spacewalk service: spacewalk-service stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: spacewalk-service start

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Manager Proxy 4.3 Module 4.3
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2024-485=1
  • SUSE Manager Server 4.3 Module 4.3
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-485=1

Package List:

  • SUSE Manager Proxy 4.3 Module 4.3 (noarch)
    • spacewalk-certs-tools-4.3.22-150400.3.25.1
    • mgr-daemon-4.3.8-150400.3.12.5
    • python3-spacewalk-certs-tools-4.3.22-150400.3.25.1
    • spacewalk-client-setup-4.3.18-150400.3.24.7
    • python3-spacewalk-check-4.3.18-150400.3.24.7
    • spacewalk-client-tools-4.3.18-150400.3.24.7
    • susemanager-build-keys-15.4.10-150400.3.23.5
    • spacewalk-base-minimal-4.3.37-150400.3.39.7
    • susemanager-build-keys-web-15.4.10-150400.3.23.5
    • python3-spacewalk-client-setup-4.3.18-150400.3.24.7
    • spacewalk-check-4.3.18-150400.3.24.7
    • spacewalk-base-minimal-config-4.3.37-150400.3.39.7
    • spacewalk-backend-4.3.27-150400.3.38.2
    • spacecmd-4.3.26-150400.3.33.5
    • python3-spacewalk-client-tools-4.3.18-150400.3.24.7
  • SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
    • patterns-suma_proxy-4.3-150400.5.9.5
  • SUSE Manager Server 4.3 Module 4.3 (noarch)
    • prometheus-formula-0.8.0-150400.3.6.5
    • spacewalk-client-tools-4.3.18-150400.3.24.7
    • grafana-formula-0.10.0-150400.3.15.5
    • spacewalk-backend-config-files-common-4.3.27-150400.3.38.2
    • susemanager-sync-data-4.3.16-150400.3.22.2
    • spacewalk-backend-app-4.3.27-150400.3.38.2
    • uyuni-config-modules-4.3.40-150400.3.44.1
    • spacewalk-backend-server-4.3.27-150400.3.38.2
    • spacewalk-backend-xml-export-libs-4.3.27-150400.3.38.2
    • spacewalk-backend-config-files-tool-4.3.27-150400.3.38.2
    • spacewalk-backend-applet-4.3.27-150400.3.38.2
    • spacewalk-taskomatic-4.3.71-150400.3.74.2
    • python3-spacewalk-certs-tools-4.3.22-150400.3.25.1
    • python3-spacewalk-client-tools-4.3.18-150400.3.24.7
    • liberate-formula-0.1.0-150400.10.3.3
    • spacewalk-backend-sql-postgresql-4.3.27-150400.3.38.2
    • spacewalk-java-postgresql-4.3.71-150400.3.74.2
    • susemanager-docs_en-pdf-4.3-150400.9.53.5
    • spacewalk-java-lib-4.3.71-150400.3.74.2
    • spacewalk-utils-extras-4.3.19-150400.3.21.5
    • spacewalk-java-4.3.71-150400.3.74.2
    • susemanager-docs_en-4.3-150400.9.53.5
    • spacecmd-4.3.26-150400.3.33.5
    • uyuni-reportdb-schema-4.3.9-150400.3.12.7
    • jose4j-0.5.1-150400.3.6.2
    • spacewalk-backend-config-files-4.3.27-150400.3.38.2
    • subscription-matcher-0.35-150400.3.19.5
    • spacewalk-backend-tools-4.3.27-150400.3.38.2
    • cobbler-3.3.3-150400.5.39.5
    • spacewalk-html-4.3.37-150400.3.39.7
    • susemanager-sls-4.3.40-150400.3.44.1
    • spacewalk-backend-xmlrpc-4.3.27-150400.3.38.2
    • spacewalk-setup-4.3.19-150400.3.30.5
    • spacewalk-backend-4.3.27-150400.3.38.2
    • susemanager-schema-4.3.24-150400.3.36.7
    • spacewalk-utils-4.3.19-150400.3.21.5
    • spacewalk-certs-tools-4.3.22-150400.3.25.1
    • supportutils-plugin-susemanager-4.3.10-150400.3.18.5
    • susemanager-schema-utility-4.3.24-150400.3.36.7
    • saltboot-formula-0.1.1701196218.b6b8ca1-150400.3.15.3
    • spacewalk-backend-iss-export-4.3.27-150400.3.38.2
    • spacewalk-backend-sql-4.3.27-150400.3.38.2
    • susemanager-build-keys-15.4.10-150400.3.23.5
    • susemanager-build-keys-web-15.4.10-150400.3.23.5
    • spacewalk-backend-iss-4.3.27-150400.3.38.2
    • spacewalk-base-minimal-4.3.37-150400.3.39.7
    • spacewalk-java-config-4.3.71-150400.3.74.2
    • spacewalk-base-minimal-config-4.3.37-150400.3.39.7
    • spacewalk-backend-package-push-server-4.3.27-150400.3.38.2
    • spacewalk-base-4.3.37-150400.3.39.7
  • SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
    • inter-server-sync-0.3.2-150400.3.27.5
    • patterns-suma_server-4.3-150400.5.9.5
    • susemanager-tools-4.3.34-150400.3.45.5
    • patterns-suma_retail-4.3-150400.5.9.5
    • inter-server-sync-debuginfo-0.3.2-150400.3.27.5
    • prometheus-postgres_exporter-0.10.1-150400.3.9.5
    • susemanager-4.3.34-150400.3.45.5
