Security update for rmt-server

Announcement ID:	SUSE-SU-2019:1973-1
Rating:	important
References:	bsc#1128858 bsc#1129271 bsc#1129392 bsc#1132160 bsc#1132690 bsc#1134190 bsc#1134428 bsc#1135222 bsc#1136020 bsc#1136081 bsc#1138316 bsc#1140492
Cross-References:	CVE-2019-11068 CVE-2019-5419
CVSS scores:	CVE-2019-11068 ( SUSE ): 6.6 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVE-2019-11068 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-11068 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-5419 ( SUSE ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-5419 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Public Cloud Module 15-SP1 Server Applications Module 15-SP1 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Manager Proxy 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Server 4.0

An update that solves two vulnerabilities and has 10 security fixes can now be installed.

Description:

This update for rmt-server to version 2.3.1 fixes the following issues:

• Fix mirroring logic when errors are encountered (bsc#1140492)
• Refactor RMT::Mirror to download metadata/licenses in parallel
• Check repo metadata GPG signatures during mirroring (bsc#1132690)
• Add rmt-server-config subpackage with nginx configs (fate#327816, bsc#1136081)
• Fix dependency to removed boot_cli_i18n file (bsc#1136020)
• Add rmt-cli systems list command to list registered systems
• Fix create UUID when system_uuid file empty (bsc#1138316)
• Fix duplicate nginx location in rmt-server-pubcloud (bsc#1135222)
• Mirror additional repos that were enabled during mirroring (bsc#1132690)
• Make service IDs consistent across different RMT instances (bsc#1134428)
• Make SMT data import scripts faster (bsc#1134190)
• Fix incorrect triggering of registration sharing (bsc#1129392)
• Fix license mirroring issue in some non-SUSE repositories (bsc#1128858)
• Update dependencies to fix vulnerabilities in rails (CVE-2019-5419, bsc#1129271) and nokogiri (CVE-2019-11068, bsc#1132160)
• Allow RMT registration to work under HTTP as well as HTTPS.
• Offline migration from SLE 15 to SLE 15 SP1 will add Python2 module
• Online migrations will automatically add additional modules to the client systems depending on the base product
• Supply log severity to journald
• Breaking Change: Added headers to generated CSV files

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Public Cloud Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2019-1973=1
• Server Applications Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2019-1973=1

Package List:

• Public Cloud Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  • rmt-server-pubcloud-2.3.1-3.3.3
  • rmt-server-debuginfo-2.3.1-3.3.3
• Server Applications Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  • rmt-server-config-2.3.1-3.3.3
  • rmt-server-2.3.1-3.3.3
  • rmt-server-debuginfo-2.3.1-3.3.3

References:

• https://www.suse.com/security/cve/CVE-2019-11068.html
• https://www.suse.com/security/cve/CVE-2019-5419.html
• https://bugzilla.suse.com/show_bug.cgi?id=1128858
• https://bugzilla.suse.com/show_bug.cgi?id=1129271
• https://bugzilla.suse.com/show_bug.cgi?id=1129392
• https://bugzilla.suse.com/show_bug.cgi?id=1132160
• https://bugzilla.suse.com/show_bug.cgi?id=1132690
• https://bugzilla.suse.com/show_bug.cgi?id=1134190
• https://bugzilla.suse.com/show_bug.cgi?id=1134428
• https://bugzilla.suse.com/show_bug.cgi?id=1135222
• https://bugzilla.suse.com/show_bug.cgi?id=1136020
• https://bugzilla.suse.com/show_bug.cgi?id=1136081
• https://bugzilla.suse.com/show_bug.cgi?id=1138316
• https://bugzilla.suse.com/show_bug.cgi?id=1140492