Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

Announcement ID: SUSE-SU-2023:3861-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2023-29409 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2023-29409 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:
  • SUSE Manager Proxy 4.3
  • SUSE Manager Proxy 4.3 Module 4.3
  • SUSE Manager Retail Branch Server 4.3
  • SUSE Manager Server 4.3
  • SUSE Manager Server 4.3 Module 4.3

An update that solves one vulnerability, contains three features and has 32 security fixes can now be installed.

Recommended update for SUSE Manager Proxy and Retail Branch Server 4.3

Description:

This update fixes the following issues:

spacecmd:

  • Version 4.3.23-1
  • Update translation strings

spacewalk-backend:

  • Version 4.3.23-1
  • Use a constant to get the product name in python code rather than reading rhn.conf (bsc#1212943)
  • Add key import debug logging to reposync (bsc#1213675)
  • Add hint about missing auth header for Pay-as-you-go instances (bsc#1213445)
  • rhn-ssl-dbstore read CA from STDIN (bsc#1212856)
  • Implement new RHUI support in reposync

spacewalk-certs-tools:

  • Version 4.3.19-1
  • Support EC Cryptography with mgr-ssl-cert-setup
  • mgr-ssl-cert-setup: store CA certificate in database (bsc#1212856)

spacewalk-web:

  • Version 4.3.33-1
  • Update the messages after syncing the products
  • Fix issue that prevented deleting credentials
  • Add warning message in login UI for Pay-as-you-go with SCC credentials and no forward registration.
  • Hide SSH info for localhost in Pay-as-you-go section
  • Integrate @formatjs/intl as a replacement for t()
  • Fix link interpolation in message maps

supportutils-plugin-susemanager-client:

  • Version 4.3.3-1
  • Write configured crypto-policy in supportconfig
  • Add cloud and Pay-as-you-go checks

supportutils-plugin-susemanager-proxy:

  • Version 4.3.3-1
  • Write configured crypto-policy in supportconfig

uyuni-common-libs:

  • Version 4.3.9-1
  • Workaround for python3-debian bug about collecting control file (bsc#1211525, bsc#1208692)

How to apply this update:

  1. Log in as root user to the SUSE Manager Proxy or Retail Branch Server.
  2. Stop the proxy service: spacewalk-proxy stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the proxy service: spacewalk-proxy start

Security update for SUSE Manager Server 4.3

Description:

This update fixes the following issues:

billing-data-service:

  • Version 0.3-1
  • Add required dependencies to package and service
  • Change billing api datastructure
  • Require csp-billing-adapter service

cobbler:

  • Fix EFI PXE boot regression (bsc#1214124)
  • Fix isolinux.cfg generation in "cobbler buildiso" (bsc#1207330)

hub-xmlrpc-api:

  • CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server while validating signatures for extremely large RSA keys. (bsc#1213880) There are no direct source changes. The CVE is fixed rebuilding the sources with the patched Go version.

grafana-formula:

  • Version 0.9.0
  • Add SUSE Linux Enterprise 15 Service Pack 5 to the supported versions (bsc#1215497)

image-sync-formula:

  • Update to version 0.1.1692188980.9aa0455
  • Fix boot image version compare to use numeric instead of string (bsc#1214002)
  • Add support to filter individual image versions in whitelist
  • Delete cache files that are no longer needed

inter-server-sync:

  • Version 0.3.0
  • CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server while validating signatures for extremely large RSA keys. (bsc#1213880)
  • Require at least Go 1.19 for building due to CVE-2023-29409
  • Require at least Go 1.18 for building Red Hat packages

prometheus-exporters-formula:

  • Version 1.3.0
  • Add support for Apache exporter >= 1.0.0 (bsc#1214266)

prometheus-postgres_exporter:

  • CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server while validating signatures for extremely large RSA keys. (bsc#1213880) There are no direct source changes. The CVE is fixed rebuilding the sources with the patched Go version.
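
Added illustration for the CVE-2023-29409 entries under hub-xmlrpc-api, inter-server-sync and prometheus-postgres_exporter (example code written for this page; it is not part of the advisory, of the Go toolchain patch or of the SUSE Manager sources). The 8192-bit ceiling is the figure given in the advisory; the function names CheckRSAKeySize and RejectOversizedRSA, the use of a tls.Config.VerifyPeerCertificate callback and the constructed test certificates are assumptions of this example. It shows the size check that the rebuilt packages inherit from the patched Go crypto/tls, and how a service that is still built with an older toolchain could apply the same limit to a peer's certificate chain:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxRSAKeyBits is the ceiling named in the advisory for CVE-2023-29409.
const MaxRSAKeyBits = 8192

// CheckRSAKeySize returns an error when cert carries an RSA public key whose
// modulus is longer than maxBits. Certificates with non-RSA keys (or no
// parsed key) are accepted unchanged: the cost problem is specific to
// verifying RSA signatures made with very large keys. (Example helper,
// not an API of the Go toolchain or of SUSE Manager.)
func CheckRSAKeySize(cert *x509.Certificate, maxBits int) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil
	}
	if bits := pub.N.BitLen(); bits > maxBits {
		return fmt.Errorf("rsa public key is %d bits, limit is %d", bits, maxBits)
	}
	return nil
}

// RejectOversizedRSA has the signature of tls.Config.VerifyPeerCertificate,
// so an application built with an unpatched toolchain can install it to apply
// the same limit to every certificate the peer presents. BitLen() on the
// parsed modulus is cheap; only the signature verification it guards is not.
func RejectOversizedRSA(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		if err := CheckRSAKeySize(cert, MaxRSAKeyBits); err != nil {
			return err
		}
	}
	return nil
}

// certWithRSAModulusBits constructs (without signing) an x509.Certificate
// whose RSA modulus has exactly the given bit length. It is a constructed
// test input for the size check; the modulus is not a usable RSA key.
func certWithRSAModulusBits(bits int) *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1)) // n.BitLen() == bits
	return &x509.Certificate{PublicKey: &rsa.PublicKey{N: n, E: 65537}}
}

// selfSignedRSADER generates a throwaway self-signed certificate with a fresh
// RSA key of the given size and returns its DER encoding, as a realistic
// (constructed) input for RejectOversizedRSA.
func selfSignedRSADER(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-client"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	for _, bits := range []int{2048, 8192, 8193, 16384} {
		err := CheckRSAKeySize(certWithRSAModulusBits(bits), MaxRSAKeyBits)
		fmt.Printf("%5d-bit modulus: %v\n", bits, err)
	}
	der, err := selfSignedRSADER(2048)
	if err != nil {
		panic(err)
	}
	fmt.Println("real 2048-bit certificate:", RejectOversizedRSA([][]byte{der}, nil))
}
```

Whether a VerifyPeerCertificate callback runs early enough to spare the handshake's signature checks depends on the toolchain's handshake ordering, and it does nothing for certificates a process verifies outside a TLS handshake; it therefore complements rebuilding with a patched Go, as the advisory does for these packages, rather than replacing it.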

saltboot-formula:

  • Update to version 0.1.1692188980.9aa0455
  • Add pillar based saltboot redeploy and repartitioning (jsc#SUMA-158)

spacecmd:

  • Version 4.3.23-1
  • Update translation strings

spacewalk-admin:

  • Version 4.3.13-1
  • Integrate instance-flavor-check to detect if the instance is Pay-as-you-go
  • Add checks for csp-billing-adapter in case of a Pay-as-you-go instance

spacewalk-backend:

  • Version 4.3.23-1
  • Use a constant to get the product name in python code rather than reading rhn.conf (bsc#1212943)
  • Add key import debug logging to reposync (bsc#1213675)
  • Add hint about missing auth header for Pay-as-you-go instances (bsc#1213445)
  • rhn-ssl-dbstore read CA from STDIN (bsc#1212856)
  • Implement new RHUI support in reposync

spacewalk-certs-tools:

  • Version 4.3.19-1
  • Support EC Cryptography with mgr-ssl-cert-setup
  • mgr-ssl-cert-setup: store CA certificate in database (bsc#1212856)

spacewalk-config:

  • Version 4.3.11-1
  • Allow calling instance-flavor-check via sudo

spacewalk-java:

  • Version 4.3.66-1
  • Fix RHUI support for RHEL 7 clients (bsc#1215756)
  • Version 4.3.65-1
  • Combine the PAYG credentials and the repository paths when they collide (bsc#1215413)
  • Version 4.3.64-1
  • Fix token issue with cloned deb channels (bsc#1214982)
  • Fix PAYG credentials extraction for SLES 12 clients (bsc#1215352)
  • Improved detection of the best authentication for accessing a repository in case of PAYG credentials (bsc#1215362)
  • Do not warn about missing Client Tools Channel subscription in a PAYG environment
  • Version 4.3.63-1
  • Fix X-Instance-Identifier header when doing a product refresh at Cloud RMT Server (bsc#1214889)
  • Version 4.3.62-1
  • Add environment build/promote date to CLM API output (jsc#SUMA-280)
  • Call mgr-libmod with its absolute path
  • Introduce new API to update the products page metadata
  • Extract additional authentication information needed for Pay-as-you-go
  • Fix handling of null credentials in RMT credentials check
  • Integrate instance-flavor-check to detect if the instance is Pay-as-you-go
  • Add rule to count only servers with SUSE Manager Tools as managed clients
  • Create flag to disable update status (bsc#1212730)
  • Fix syntax error in sql query for source package search
  • Catch exceptions and log a message when mailer setup failed (bsc#1213009)
  • Fix logging of libraries using apache-commons-logging
  • Invalidate Pay-as-you-go client credentials after repeated connection failure (bsc#1213445)
  • Restrict product migrations for Pay-as-you-go
  • Add warning message in login UI for Pay-as-you-go with SCC credentials and no forward registration
  • Restrict cloning channels under different product channels for Pay-as-you-go
  • Avoid sending data to SCC about Pay-as-you-go instances
  • Add saltboot redeploy and repartition based on pillars (jsc#SUMA-158)
  • Add system pillar API access {get|set}Pillar
  • Consider the venv-salt-minion package update as Salt update to prevent backtraces on upgrading Salt with itself (bsc#1211884)
  • Fix processing of pkg.purged results (bsc#1213288)
  • Fix Null Pointer Exception in auth endpoint when an empty body is provided
  • Do not ignore scheduling error in Taskomatic
  • Add compliance checks when running as Pay-as-you-go
  • Add RHUI support to Pay-as-you-go connection feature
  • Fix Debian Packages file generation (bsc#1213716)
  • Fix action executor to prevent blocking Taskomatic for actions that are already finished (bsc#1214121)
  • Fix detection in case of RHEL-based products (bsc#1214280)
  • Improve error message when instance-flavor-check tool is not installed
  • Fix auto product refresh in case of SUSE Manager Pay-as-you-go Server
  • Optimize org channel accessibility query (bsc#1211874)
  • Check csp billing adapter status

spacewalk-setup:

  • Version 4.3.18-1
  • Do not rely on rpm runtime status; instead check rhn.conf to determine whether it is configured (bsc#1210935)
  • Remove storing CA in DB directly as it is now part of mgr-ssl-cert-setup (bsc#1212856)

spacewalk-web:

  • Version 4.3.33-1
  • Update the messages after syncing the products
  • Fix issue that prevented deleting credentials
  • Add warning message in login UI for Pay-as-you-go with SCC credentials and no forward registration.
  • Hide SSH info for localhost in Pay-as-you-go section
  • Integrate @formatjs/intl as a replacement for t()
  • Fix link interpolation in message maps

supportutils-plugin-susemanager:

  • Version 4.3.9-1
  • Add cloud and Pay-as-you-go checks
  • Write configured crypto-policy in supportconfig

susemanager:

  • Version 4.3.31-1
  • Require LTSS channel for SUSE Manager Proxy 4.2 (bsc#1214187)

susemanager-docs_en:

  • Added a note for SUSE Linux Enterprise Micro clients only having Node and Blackbox exporter for monitoring available, in the Administration Guide (bsc#1212246)
  • Added a warning about channel synchronization failure because of invalidated credentials in Connect Pay-as-you-go instance section of the Installation and Upgrade Guide
  • Added a workflow describing channel removal to the Common Workflows Guide
  • Added background information on Ansible playbooks in the Ansible chapter in Administration Guide (bsc#1213077)
  • Added Best practices and image pillars files to Retail Guide
  • Added detailed information about all supported SUSE Linux Enterprise Micro versions
  • Added Saltboot redeployment subchapter in the Retail Guide
  • Changed filename for configuring Tomcat memory usage in Specialized Guides (bsc#1212814)
  • Fixed Ubuntu channel names in Ubuntu chapter of the Client Configuration Guide (bsc#1212827)
  • Improved Red Hat Update Infrastructure documentation (bsc#1215373)
  • Listed supported key types for SSL certificates in Import SSL Certificates section of the Administration Guide
  • Minimal memory requirement is now 16 GB for a SUSE Manager Server installation
  • Removed the step calling rhn-ssl-dbstore from the SSL setup as it is now integrated into mgr-ssl-cert-setup in Administration Guide
  • Replaced plain text with dedicated attribute for AutoYaST
  • Typo correction for cobbler buildiso command in Client Configuration Guide
  • Updated Ansible chapter in Administration Guide for clarity (bsc#1213077)

susemanager-schema:

  • Version 4.3.20-1
  • Add new credentials type RHUI
  • Store the Pay-as-you-go products

susemanager-sls:

  • Version 4.3.35-1
  • Integrate instance-flavor-check to detect if the instance is Pay-as-you-go
  • Do not disable salt-minion on salt-ssh managed clients
  • Keep original traditional stack tools for RHEL7 RHUI connection
  • Include automatic migration from Salt 3000 to Salt Bundle in highstate
  • Use recurse strategy to merge formula pillar with existing pillars
  • Mask Uyuni roster module password on logs

uyuni-common-libs:

  • Version 4.3.9-1
  • Workaround for python3-debian bug about collecting control file (bsc#1211525, bsc#1208692)

How to apply this update:

  1. Log in as root user to the SUSE Manager Server.
  2. Stop the Spacewalk service: spacewalk-service stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: spacewalk-service start

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Manager Proxy 4.3 Module 4.3
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2023-3861=1
  • SUSE Manager Server 4.3 Module 4.3
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2023-3861=1

Package List:

  • SUSE Manager Proxy 4.3 Module 4.3 (noarch)
    • spacewalk-base-minimal-config-4.3.33-150400.3.27.16
    • supportutils-plugin-susemanager-client-4.3.3-150400.3.3.13
    • spacewalk-base-minimal-4.3.33-150400.3.27.16
    • supportutils-plugin-susemanager-proxy-4.3.3-150400.3.3.13
    • python3-spacewalk-certs-tools-4.3.19-150400.3.18.13
    • spacewalk-certs-tools-4.3.19-150400.3.18.13
    • spacecmd-4.3.23-150400.3.24.13
    • spacewalk-backend-4.3.23-150400.3.27.19
  • SUSE Manager Proxy 4.3 Module 4.3 (x86_64)
    • python3-uyuni-common-libs-4.3.9-150400.3.15.13
  • SUSE Manager Server 4.3 Module 4.3 (noarch)
    • billing-data-service-0.3-150400.10.6.13
    • spacewalk-base-minimal-config-4.3.33-150400.3.27.16
    • spacewalk-backend-iss-export-4.3.23-150400.3.27.19
    • susemanager-schema-4.3.20-150400.3.24.17
    • spacewalk-backend-config-files-4.3.23-150400.3.27.19
    • spacewalk-admin-4.3.13-150400.3.12.13
    • spacewalk-config-4.3.11-150400.3.9.13
    • prometheus-exporters-formula-1.3.0-150400.3.3.13
    • saltboot-formula-0.1.1692188980.9aa0455-150400.3.12.13
    • spacewalk-backend-sql-postgresql-4.3.23-150400.3.27.19
    • spacewalk-java-postgresql-4.3.66-150400.3.60.1
    • spacewalk-backend-sql-4.3.23-150400.3.27.19
    • spacewalk-java-config-4.3.66-150400.3.60.1
    • spacewalk-backend-app-4.3.23-150400.3.27.19
    • spacewalk-base-minimal-4.3.33-150400.3.27.16
    • susemanager-docs_en-pdf-4.3-150400.9.38.2
    • uyuni-config-modules-4.3.35-150400.3.31.12
    • susemanager-schema-utility-4.3.20-150400.3.24.17
    • susemanager-sls-4.3.35-150400.3.31.12
    • spacecmd-4.3.23-150400.3.24.13
    • spacewalk-backend-4.3.23-150400.3.27.19
    • spacewalk-java-4.3.66-150400.3.60.1
    • spacewalk-backend-xmlrpc-4.3.23-150400.3.27.19
    • spacewalk-backend-tools-4.3.23-150400.3.27.19
    • spacewalk-setup-4.3.18-150400.3.27.13
    • spacewalk-backend-applet-4.3.23-150400.3.27.19
    • spacewalk-backend-server-4.3.23-150400.3.27.19
    • spacewalk-certs-tools-4.3.19-150400.3.18.13
    • spacewalk-html-4.3.33-150400.3.27.16
    • grafana-formula-0.9.0-150400.3.12.1
    • spacewalk-backend-config-files-tool-4.3.23-150400.3.27.19
    • spacewalk-backend-xml-export-libs-4.3.23-150400.3.27.19
    • spacewalk-taskomatic-4.3.66-150400.3.60.1
    • susemanager-docs_en-4.3-150400.9.38.2
    • spacewalk-backend-iss-4.3.23-150400.3.27.19
    • cobbler-3.3.3-150400.5.33.13
    • image-sync-formula-0.1.1692188980.9aa0455-150400.3.15.13
    • supportutils-plugin-susemanager-4.3.9-150400.3.15.13
    • spacewalk-base-4.3.33-150400.3.27.16
    • spacewalk-backend-config-files-common-4.3.23-150400.3.27.19
    • python3-spacewalk-certs-tools-4.3.19-150400.3.18.13
    • spacewalk-java-lib-4.3.66-150400.3.60.1
    • spacewalk-backend-package-push-server-4.3.23-150400.3.27.19
  • SUSE Manager Server 4.3 Module 4.3 (ppc64le s390x x86_64)
    • susemanager-4.3.31-150400.3.36.12
    • inter-server-sync-debuginfo-0.3.0-150400.3.21.15
    • susemanager-tools-4.3.31-150400.3.36.12
    • python3-uyuni-common-libs-4.3.9-150400.3.15.13
    • hub-xmlrpc-api-0.7-150400.5.9.15
    • prometheus-postgres_exporter-0.10.1-150400.3.6.17
    • inter-server-sync-0.3.0-150400.3.21.15
