Security update for Spacewalk stack

SUSE Security Update: Security update for Spacewalk stack
Announcement ID: SUSE-SU-2014:0222-1
Rating: moderate
References: #834415 #846356 #850925 #850927 #850928 #850929 #850930 #853913 #854090 #858197 #858652
Affected Products:
  • SUSE Manager 1.7 for SLE 11 SP2

  • An update that solves 5 vulnerabilities and has 6 fixes is now available. It includes 8 new package versions.

    Description:


    This Spacewalk stack update fixes the following security
    issues and bugs:

    spacewalk-backend:

    * Check for empty result before printing software
    entitlement. (bnc#853913)
    * Added extra log folder to spacewalk-debug.
    (bnc#854090)
    * Better detection for SUSE KVM and Cloud systems.

    spacewalk-branding:

    * CVE-2013-4415: PAGE_SIZE_LABEL_SELECTED cross-site
    scripting. (bnc#850925)

    spacewalk-certs-tools:

    * Older versions of ssh-copy-id do not support the -o
    switch.
    * ssh-keygen fails with an error when known_hosts
    doesn't exist.
    * Call the new script from the old one and print
    deprecation warning.
    * New ssh-push client initialization script.

    spacewalk-java:

    * CVE-2013-4415: PAGE_SIZE_LABEL_SELECTED cross-site
    scripting. (bnc#850925)
    * CVE-2010-2236: Clean backticks from monitoring-probes
    where appropriate. (bnc#850930)
    * CVE-2012-6149: Fix XSS in notes.jsp. (bnc#850929)
    * CVE-2013-1869: Only follow internal return_urls to
    fix header injection flaw. (bnc#850928)
    * CVE-2013-1871: Fix XSS in edit-address JSPs.
    (bnc#850927)
    * Add the paste event handler in 'onload'. (bnc#846356)

    spacewalk-search:

    * Allow NULL as createdBy and lastModifiedBy to fix
    custom info value index. (bnc#834415)

    spacewalk-utils:

    * clone-by-date: Fix with dependency check enabled.
    (bnc#858652)

    spacewalk-web:

    * CVE-2013-4415: PAGE_SIZE_LABEL_SELECTED cross-site
    scripting. (bnc#850925)
    * Put the given year in the valid range. (bnc#846356)
    * Paste event handler parsing CVE identifiers with
    Javascript. (bnc#846356)

    susemanager:

    * Create bootstrap repositories from SLES4SAP repos.
    (bnc#858197)

    How to apply this update: 1. Log in as root user to the
    SUSE Manager server. 2. Stop the Spacewalk service:
    spacewalk-service stop 3. Apply the patch using either
    zypper patch or YaST Online Update. 4. Start the Spacewalk
    service: spacewalk-service start

    Security Issues:

    * CVE-2010-2236
    >
    * CVE-2012-6149
    >
    * CVE-2013-1869
    >
    * CVE-2013-1871
    >
    * CVE-2013-4415
    >

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Manager 1.7 for SLE 11 SP2:
      zypper in -t patch sleman17sp2-suse-manager-201401-8817

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Manager 1.7 for SLE 11 SP2 (x86_64) [New Version: 1.7.1.11,1.7.27 and 1.7.38.31]:
    • spacewalk-backend-1.7.38.31-0.5.1
    • spacewalk-backend-app-1.7.38.31-0.5.1
    • spacewalk-backend-applet-1.7.38.31-0.5.1
    • spacewalk-backend-config-files-1.7.38.31-0.5.1
    • spacewalk-backend-config-files-common-1.7.38.31-0.5.1
    • spacewalk-backend-config-files-tool-1.7.38.31-0.5.1
    • spacewalk-backend-iss-1.7.38.31-0.5.1
    • spacewalk-backend-iss-export-1.7.38.31-0.5.1
    • spacewalk-backend-libs-1.7.38.31-0.5.1
    • spacewalk-backend-package-push-server-1.7.38.31-0.5.1
    • spacewalk-backend-server-1.7.38.31-0.5.1
    • spacewalk-backend-sql-1.7.38.31-0.5.1
    • spacewalk-backend-sql-oracle-1.7.38.31-0.5.1
    • spacewalk-backend-sql-postgresql-1.7.38.31-0.5.1
    • spacewalk-backend-tools-1.7.38.31-0.5.1
    • spacewalk-backend-xml-export-libs-1.7.38.31-0.5.1
    • spacewalk-backend-xmlrpc-1.7.38.31-0.5.1
    • spacewalk-backend-xp-1.7.38.31-0.5.1
    • spacewalk-branding-1.7.1.11-0.5.1
    • susemanager-1.7.27-0.5.2
    • susemanager-tools-1.7.27-0.5.2
    • SUSE Manager 1.7 for SLE 11 SP2 (noarch) [New Version: 1.7.15.12,1.7.28.20,1.7.3.11,1.7.3.12 and 1.7.54.30]:
    • spacewalk-base-1.7.28.20-0.5.1
    • spacewalk-base-minimal-1.7.28.20-0.5.1
    • spacewalk-certs-tools-1.7.3.11-0.5.1
    • spacewalk-grail-1.7.28.20-0.5.1
    • spacewalk-html-1.7.28.20-0.5.1
    • spacewalk-java-1.7.54.30-0.5.1
    • spacewalk-java-config-1.7.54.30-0.5.1
    • spacewalk-java-lib-1.7.54.30-0.5.1
    • spacewalk-java-oracle-1.7.54.30-0.5.1
    • spacewalk-java-postgresql-1.7.54.30-0.5.1
    • spacewalk-pxt-1.7.28.20-0.5.1
    • spacewalk-search-1.7.3.12-0.5.1
    • spacewalk-sniglets-1.7.28.20-0.5.1
    • spacewalk-taskomatic-1.7.54.30-0.5.1
    • spacewalk-utils-1.7.15.12-0.5.3

    References:

    • http://support.novell.com/security/cve/CVE-2010-2236.html
    • http://support.novell.com/security/cve/CVE-2012-6149.html
    • http://support.novell.com/security/cve/CVE-2013-1869.html
    • http://support.novell.com/security/cve/CVE-2013-1871.html
    • http://support.novell.com/security/cve/CVE-2013-4415.html
    • https://bugzilla.novell.com/834415
    • https://bugzilla.novell.com/846356
    • https://bugzilla.novell.com/850925
    • https://bugzilla.novell.com/850927
    • https://bugzilla.novell.com/850928
    • https://bugzilla.novell.com/850929
    • https://bugzilla.novell.com/850930
    • https://bugzilla.novell.com/853913
    • https://bugzilla.novell.com/854090
    • https://bugzilla.novell.com/858197
    • https://bugzilla.novell.com/858652
    • http://download.novell.com/patch/finder/?keywords=c86d2c06c2403e2323a238c376ec6f16