Security update for rmt-server

Announcement ID:	SUSE-SU-2019:1381-1
Rating:	important
References:	bsc#1107806 bsc#1117722 bsc#1118745 bsc#1125770 bsc#1128858 bsc#1129271 bsc#1129392 bsc#1132160 bsc#1132690 bsc#1134190 bsc#1134428 bsc#1135222
Cross-References:	CVE-2019-11068 CVE-2019-5419
CVSS scores:	CVE-2019-11068 ( SUSE ): 6.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVE-2019-11068 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-11068 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-5419 ( SUSE ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-5419 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Server Applications Module 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves two vulnerabilities and has 10 security fixes can now be installed.

Description:

This update for rmt-server to version 2.1.4 fixes the following issues:

• Fix duplicate nginx location in rmt-server-pubcloud (bsc#1135222)
• Mirror additional repos that were enabled during mirroring (bsc#1132690)
• Make service IDs consistent across different RMT instances (bsc#1134428)
• Make SMT data import scripts faster (bsc#1134190)
• Fix incorrect triggering of registration sharing (bsc#1129392)
• Fix license mirroring issue in some non-SUSE repositories (bsc#1128858)
• Set CURLOPT_LOW_SPEED_LIMIT to prevent downloads from getting stuck (bsc#1107806)
• Truncate the RMT lockfile when writing a new PID (bsc#1125770)
• Fix missing trailing slashes on custom repository import from SMT (bsc#1118745)
• Zypper authentication plugin (fate#326629)
• Instance verification plugin in rmt-server-pubcloud (fate#326629)
• Update dependencies to fix vulnerabilities in rails (CVE-2019-5419, bsc#1129271) and nokogiri (CVE-2019-11068, bsc#1132160)
• Allow RMT registration to work under HTTP as well as HTTPS.
• Offline migration from SLE 15 to SLE 15 SP1 will add Python2 module
• Online migrations will automatically add additional modules to the client systems depending on the base product
• Supply log severity to journald
• Breaking Change: Added headers to generated CSV files

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Server Applications Module 15
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2019-1381=1

Package List:

• Server Applications Module 15 (aarch64 ppc64le s390x x86_64)
  • rmt-server-debuginfo-2.1.4-3.17.1
  • rmt-server-2.1.4-3.17.1

References:

• https://www.suse.com/security/cve/CVE-2019-11068.html
• https://www.suse.com/security/cve/CVE-2019-5419.html
• https://bugzilla.suse.com/show_bug.cgi?id=1107806
• https://bugzilla.suse.com/show_bug.cgi?id=1117722
• https://bugzilla.suse.com/show_bug.cgi?id=1118745
• https://bugzilla.suse.com/show_bug.cgi?id=1125770
• https://bugzilla.suse.com/show_bug.cgi?id=1128858
• https://bugzilla.suse.com/show_bug.cgi?id=1129271
• https://bugzilla.suse.com/show_bug.cgi?id=1129392
• https://bugzilla.suse.com/show_bug.cgi?id=1132160
• https://bugzilla.suse.com/show_bug.cgi?id=1132690
• https://bugzilla.suse.com/show_bug.cgi?id=1134190
• https://bugzilla.suse.com/show_bug.cgi?id=1134428
• https://bugzilla.suse.com/show_bug.cgi?id=1135222