[SUSE-SU-2023:3861-1] Security update for SUSE Manager Server 4.3
Severity: Important
CVEs: 1

This update fixes the following issues:
billing-data-service:
- Version 0.3-1
- Add required dependencies to package and service
- Change billing api datastructure
- Require csp-billing-adapter service
cobbler:
- Fix EFI PXE boot regression (bsc#1214124)
- Fix isolinux.cfg generation in 'cobbler buildiso' (bsc#1207330)
hub-xmlrpc-api:
- CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server while validating signatures for extremely large RSA keys. (bsc#1213880) There are no direct source changes. The CVE is fixed rebuilding the sources with the patched Go version.
grafana-formula:
- Version 0.9.0
- Add SUSE Linux Enterprise 15 Service Pack 5 to the supported versions (bsc#1215497)
image-sync-formula:
- Update to version 0.1.1692188980.9aa0455
- Fix boot image version compare to use numeric instead of string (bsc#1214002)
- Add support to filter individual image versions in whitelist
- Delete cache files that are no longer needed
inter-server-sync:
- Version 0.3.0
- CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server while validating signatures for extremely large RSA keys. (bsc#1213880)
- Require at least Go 1.19 for building due to CVE-2023-29409
- Require at least Go 1.18 for building Red Hat packages
prometheus-exporters-formula:
- Version 1.3.0
- Add support for Apache exporter >= 1.0.0 (bsc#1214266)
prometheus-postgres_exporter:
- CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server while validating signatures for extremely large RSA keys. (bsc#1213880) There are no direct source changes. The CVE is fixed rebuilding the sources with the patched Go version.
saltboot-formula:
- Update to version 0.1.1692188980.9aa0455
- Add pillar based saltboot redeploy and repartitioning (jsc#SUMA-158)
spacecmd:
- Version 4.3.23-1
- Update translation strings
spacewalk-admin:
- Version 4.3.13-1
- Integrate instance-flavor-check to detect if the instance is Pay-as-you-go
- Add checks for csp-billing-adapter in case of a Pay-as-you-go instance
spacewalk-backend:
- Version 4.3.23-1
- Use a constant to get the product name in python code rather than reading rhn.conf (bsc#1212943)
- Add key import debug logging to reposync (bsc#1213675)
- Add hint about missing auth header for Pay-as-you-go instances (bsc#1213445)
- rhn-ssl-dbstore: read CA from STDIN (bsc#1212856)
- Implement new RHUI support in reposync
spacewalk-certs-tools:
- Version 4.3.19-1
- Support EC Cryptography with mgr-ssl-cert-setup
- mgr-ssl-cert-setup: store CA certificate in database (bsc#1212856)
spacewalk-config:
- Version 4.3.11-1
- Allow calling instance-flavor-check via sudo
spacewalk-java:
- Version 4.3.66-1
- Fix RHUI support for RHEL 7 clients (bsc#1215756)
- Version 4.3.65-1
- Combine the PAYG credentials and the repository paths when they collide (bsc#1215413)
- Version 4.3.64-1
- Fix token issue with cloned deb channels (bsc#1214982)
- Fix PAYG credentials extraction for SLES 12 clients (bsc#1215352)
- Improved detection of the best authentication for accessing a repository in case of PAYG credentials (bsc#1215362)
- Do not warn about missing Client Tools Channel subscription in a PAYG environment
- Version 4.3.63-1
- Fix X-Instance-Identifier header when doing a product refresh at Cloud RMT Server (bsc#1214889)
- Version 4.3.62-1
- Add environment build/promote date to CLM API output (jsc#SUMA-280)
- Call mgr-libmod with its absolute path
- Introduce new API to update the products page metadata
- Extract additional authentication information needed for Pay-as-you-go
- Fix handling of null credentials in RMT credentials check
- Integrate instance-flavor-check to detect if the instance is Pay-as-you-go
- Add rule to count only servers with SUSE Manager Tools as managed clients
- Create flag to disable update status (bsc#1212730)
- Fix syntax error in sql query for source package search
- Catch exceptions and log a message when mailer setup failed (bsc#1213009)
- Fix logging of libraries using apache-commons-logging
- Invalidate Pay-as-you-go client credentials after repeated connection failure (bsc#1213445)
- Restrict product migrations for Pay-as-you-go
- Add warning message in login UI for Pay-as-you-go with SCC credentials and no forward registration
- Restrict cloning channels under different product channels for Pay-as-you-go
- Avoid sending data to SCC about Pay-as-you-go instances
- Add saltboot redeploy and repartition based on pillars (jsc#SUMA-158)
- Add system pillar API access {get|set}Pillar
- Consider the venv-salt-minion package update as Salt update to prevent backtraces on upgrading Salt with itself (bsc#1211884)
- Fix processing of pkg.purged results (bsc#1213288)
- Fix Null Pointer Exception in auth endpoint when an empty body is provided
- Do not ignore scheduling error in Taskomatic
- Add compliance checks when running as Pay-as-you-go
- Add RHUI support to Pay-as-you-go connection feature
- Fix Debian Packages file generation (bsc#1213716)
- Fix action executor to prevent blocking Taskomatic for actions that are already finished (bsc#1214121)
- Fix detection in case of RHEL-based products (bsc#1214280)
- Improve error message when instance-flavor-check tool is not installed
- Fix auto product refresh in case of SUSE Manager Pay-as-you-go Server
- Optimize org channel accessibility query (bsc#1211874)
- Check csp billing adapter status
spacewalk-setup:
- Version 4.3.18-1
- Do not rely on rpm runtime status; check rhn.conf instead to see whether it is configured (bsc#1210935)
- Remove storing CA in DB directly as it is now part of mgr-ssl-cert-setup (bsc#1212856)
spacewalk-web:
- Version 4.3.33-1
- Update the messages after syncing the products
- Fix issue that prevented deleting credentials
- Add warning message in login UI for Pay-as-you-go with SCC credentials and no forward registration.
- Hide SSH info for localhost in Pay-as-you-go section
- Integrate @formatjs/intl as a replacement for t()
- Fix link interpolation in message maps
supportutils-plugin-susemanager:
- Version 4.3.9-1
- Add cloud and Pay-as-you-go checks
- Write configured crypto-policy in supportconfig
susemanager:
- Version 4.3.31-1
- Require LTSS channel for SUSE Manager Proxy 4.2 (bsc#1214187)
susemanager-docs_en:
- Added a note for SUSE Linux Enterprise Micro clients only having Node and Blackbox exporter for monitoring available, in the Administration Guide (bsc#1212246)
- Added a warning about channel synchronization failure because of invalidated credentials in Connect Pay-as-you-go instance section of the Installation and Upgrade Guide
- Added a workflow describing channel removal to the Common Workflows Guide
- Added background information on Ansible playbooks in the Ansible chapter in Administration Guide (bsc#1213077)
- Added Best practices and image pillars files to Retail Guide
- Added detailed information about all supported SUSE Linux Enterprise Micro versions
- Added Saltboot redeployment subchapter in the Retail Guide
- Changed filename for configuring Tomcat memory usage in Specialized Guides (bsc#1212814)
- Fixed Ubuntu channel names in Ubuntu chapter of the Client Configuration Guide (bsc#1212827)
- Improved Red Hat Update Infrastructure documentation (bsc#1215373)
- Listed supported key types for SSL certificates in Import SSL Certificates section of the Administration Guide
- Minimal memory requirement is now 16 GB for a SUSE Manager Server installation
- Removed the step calling rhn-ssl-dbstore from the SSL setup as it is now integrated into mgr-ssl-cert-setup in Administration Guide
- Replaced plain text with dedicated attribute for AutoYaST
- Typo correction for cobbler buildiso command in Client Configuration Guide
- Updated Ansible chapter in Administration Guide for clarity (bsc#1213077)
susemanager-schema:
- Version 4.3.20-1
- Add new credentials type RHUI
- Store the Pay-as-you-go products
susemanager-sls:
- Version 4.3.35-1
- Integrate instance-flavor-check to detect if the instance is Pay-as-you-go
- Do not disable salt-minion on salt-ssh managed clients
- Keep original traditional stack tools for RHEL7 RHUI connection
- Include automatic migration from Salt 3000 to Salt Bundle in highstate
- Use recurse strategy to merge formula pillar with existing pillars
- Mask Uyuni roster module password on logs
uyuni-common-libs:
- Version 4.3.9-1
- Workaround for python3-debian bug about collecting control file (bsc#1211525, bsc#1208692)
How to apply this update:
- Log in as root user to the SUSE Manager Server.
- Stop the Spacewalk service:
spacewalk-service stop
- Apply the patch using either zypper patch or YaST Online Update.
- Start the Spacewalk service:
spacewalk-service start
- ID: SUSE-SU-2023:3861-1
- Severity: important
- URL: https://www.suse.com/support/update/announcement/2023/suse-su-20233861-1/
- Published: 2023-09-28T11:38:00
- Modified: 2023-09-28T11:38:00
- Rights: Copyright 2024 SUSE LLC. All rights reserved.