Security update for SUSE Manager Client Tools

Announcement ID:	SUSE-SU-2021:2111-1
Rating:	moderate
References:	bsc#1171257 bsc#1173557 bsc#1176293 bsc#1179831 bsc#1180583 bsc#1180584 bsc#1180585 bsc#1181368 bsc#1182281 bsc#1182293 bsc#1182382 bsc#1185092 bsc#1185281 bsc#1186674 jsc#ECO-3212 jsc#SLE-18028 jsc#SLE-18033
Cross-References:	CVE-2021-25315 CVE-2021-31607
CVSS scores:	CVE-2021-25315 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-25315 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Manager Client Tools for Debian 10

An update that solves two vulnerabilities, contains three features and has 12 security fixes can now be installed.

Description:

This update fixes the following issues:

salt:

Check if dpkgnotify is executable (bsc#1186674)
Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028))
Drop support for Python2. Obsoletes python2-salt package (jsc#SLE-18028)
Virt module updates
network: handle missing ipv4 netmask attribute
more network support
PCI/USB host devices passthrough support
Set distro requirement to oldest supported version in requirements/base.txt
Bring missing part of async batch implementation back (bsc#1182382, CVE-2021-25315)
Always require python3-distro (bsc#1182293)
Remove deprecated warning that breaks minion execution when "server_id_use_crc" opts is missing
Fix pkg states when DEB package has "all" arch
Do not force beacons configuration to be a list.
Remove msgpack < 1.0.0 from base requirements (bsc#1176293)
Msgpack support for version >= 1.0.0 (bsc#1171257)
Fix issue parsing errors in ansiblegate state module
Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607)
Transactional_update: detect recursion in the executor
Add subpackage salt-transactional-update (jsc#SLE-18033)
Remove duplicate directories from specfile
Improvements on "ansiblegate" module (bsc#1185092):
New methods: ansible.targets / ansible.discover_playbooks
Add support for Alibaba Cloud Linux 2 (Aliyun Linux)
Regression fix of salt-ssh on processing targets
Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281)
Add notify beacon for Debian/Ubuntu systems
Fix zmq bug that causes salt-call to freeze (bsc#1181368)

spacecmd:

Rename system migration to system transfer
Rename SP to product migration
Update translation strings
Add group_addconfigchannel and group_removeconfigchannel
Add group_listconfigchannels and configchannel_listgroups
Fix spacecmd compat with Python 3
Deprecated "Software Crashes" feature
Document advanced package search on '--help' (bsc#1180583)
Fixed advanced search on 'package_listinstalledsystems'
Fixed duplicate results when using multiple search criteria (bsc#1180585)
Fixed "non-advanced" package search when using multiple package names (bsc#1180584)
Update translations
Fix: make spacecmd build on Debian
Add Service Pack migration operations (bsc#1173557)

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE Manager Client Tools for Debian 10
zypper in -t patch SUSE-Debian-10-CLIENT-TOOLS-x86_64-2021-2111=1

Package List:

SUSE Manager Client Tools for Debian 10 (all)
- spacecmd-4.2.8-2.9.1
- salt-common-3002.2+ds-1+2.27.1
- salt-minion-3002.2+ds-1+2.27.1
- scap-security-guide-debian-0.1.55git20210323-2.3.1

Security update for SUSE Manager Client Tools

Description:

Special Instructions and Notes:

Patch Instructions:

Package List:

References: