Security update for SUSE Manager Client Tools

Announcement ID: SUSE-SU-2021:3549-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2021-21996 ( SUSE ): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
  • CVE-2021-21996 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Manager Client Tools for Debian 10

An update that solves one vulnerability, contains one feature and has three security fixes can now be installed.

Description:

This update fixes the following issues:

salt:

  • Support querying for JSON data in external sql pillar
  • Exclude the full path of a download URL to prevent injection of malicious code (bsc#1190265, CVE-2021-21996)
  • Fix wrong relative paths resolution with Jinja renderer when importing subdirectories

scap-security-guide:

  • Updated to 0.1.57 release (jsc#ECO-3319)
  • CIS profile for RHEL 7 is updated
  • initial CIS profiles for Ubuntu 20.04
  • Major improvement of RHEL 9 content
  • new release process implemented using Github actions

spacecmd:

  • Version 4.2.13-1
  • Update translation strings
  • configchannel_updatefile handles directory properly (bsc#1190512)
  • Add schedule_archivecompleted to mass archive actions (bsc#1181223)
  • Remove whoami from the list of unauthenticated commands (bsc#1188977)

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Manager Client Tools for Debian 10
    zypper in -t patch SUSE-Debian-10-CLIENT-TOOLS-x86_64-2021-3549=1

Package List:

  • SUSE Manager Client Tools for Debian 10 (all)
    • spacecmd-4.2.13-2.18.1
    • scap-security-guide-debian-0.1.57-2.9.1
    • salt-common-3002.2+ds-1+2.36.1
    • salt-minion-3002.2+ds-1+2.36.1

References: