[SUSE-SU-2023:3861-1] Security update for SUSE Manager Server 4.3

Severity: Important
CVEs: 1

Security update for SUSE Manager Server 4.3

This update fixes the following issues:

billing-data-service:

  • Version 0.3-1
    • Add required dependencies to package and service
    • Change billing api datastructure
    • Require csp-billing-adapter service

cobbler:

  • Fix EFI PXE boot regression (bsc#1214124)
  • Fix isolinux.cfg generation in 'cobbler buildiso' (bsc#1207330)

hub-xmlrpc-api:

  • CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid a denial of service of client/server while validating signatures for extremely large RSA keys. (bsc#1213880) There are no direct source changes; the CVE is fixed by rebuilding the sources with the patched Go version.

grafana-formula:

  • Version 0.9.0
    • Add SUSE Linux Enterprise 15 Service Pack 5 to the supported versions (bsc#1215497)

image-sync-formula:

  • Update to version 0.1.1692188980.9aa0455
    • Fix boot image version compare to use numeric instead of string (bsc#1214002)
    • Add support to filter individual image versions in whitelist
    • Delete cache files that are no longer needed

inter-server-sync:

  • Version 0.3.0
    • CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server while validating signatures for extremely large RSA keys. (bsc#1213880)
    • Require at least Go 1.19 for building due to CVE-2023-29409
    • Require at least Go 1.18 for building Red Hat packages

prometheus-exporters-formula:

  • Version 1.3.0
    • Add support for Apache exporter >= 1.0.0 (bsc#1214266)

prometheus-postgres_exporter:

  • CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid a denial of service of client/server while validating signatures for extremely large RSA keys. (bsc#1213880) There are no direct source changes; the CVE is fixed by rebuilding the sources with the patched Go version.
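The three CVE-2023-29409 entries above (hub-xmlrpc-api, inter-server-sync, prometheus-postgres_exporter) all rely on the same runtime-level limit. The following is an added example, not code from SUSE or from the Go toolchain: a stand-alone check that refuses any certificate in a presented chain whose RSA modulus exceeds 8192 bits, hooked into tls.Config.VerifyPeerCertificate. The names maxRSAKeyBits, checkRSAKeySizes, verifyPeerRSASize and fakeRSACert are assumptions of this example.

```go
package main

import (
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
)

// maxRSAKeyBits mirrors the limit the patched Go toolchain enforces (assumed name).
const maxRSAKeyBits = 8192
// checkRSAKeySizes rejects any chain certificate whose RSA modulus exceeds maxBits; non-RSA keys pass.
func checkRSAKeySizes(certs []*x509.Certificate, maxBits int) error {
	for i, cert := range certs {
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		if !ok {
			continue
		}
		if bits := pub.N.BitLen(); bits > maxBits {
			return fmt.Errorf("certificate %d: RSA key of %d bits exceeds the %d-bit limit", i, bits, maxBits)
		}
	}
	return nil
}

// verifyPeerRSASize has the tls.Config.VerifyPeerCertificate signature: parse the peer's DER chain, then check it.
func verifyPeerRSASize(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	certs := make([]*x509.Certificate, 0, len(rawCerts))
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		certs = append(certs, cert)
	}
	return checkRSAKeySizes(certs, maxRSAKeyBits)
}

// fakeRSACert builds an in-memory certificate whose RSA modulus is exactly `bits` long (constructed; not a usable key).
func fakeRSACert(bits int) *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	return &x509.Certificate{PublicKey: &rsa.PublicKey{N: n, E: 65537}}
}

func main() {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, VerifyPeerCertificate: verifyPeerRSASize}
	_ = cfg // hand this to tls.Dial or tls.Listen on a build that cannot be rebuilt yet
	fmt.Println("8193-bit key:", checkRSAKeySizes([]*x509.Certificate{fakeRSACert(8193)}, maxRSAKeyBits))
}
```

VerifyPeerCertificate runs after the standard chain verification, so this hook only spares the handshake signature check, not chain building; rebuilding with the patched Go version, as this update does, is the complete fix.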

saltboot-formula:

  • Update to version 0.1.1692188980.9aa0455
    • Add pillar based saltboot redeploy and repartitioning (jsc#SUMA-158)

spacecmd:

  • Version 4.3.23-1
    • Update translation strings

spacewalk-admin:

  • Version 4.3.13-1
    • Integrate instance-flavor-check to detect if the instance is Pay-as-you-go
    • Add checks for csp-billing-adapter in case of a Pay-as-you-go instance

spacewalk-backend:

  • Version 4.3.23-1
    • Use a constant to get the product name in python code rather than reading rhn.conf (bsc#1212943)
    • Add key import debug logging to reposync (bsc#1213675)
    • Add hint about missing auth header for Pay-as-you-go instances (bsc#1213445)
    • rhn-ssl-dbstore read CA from STDIN (bsc#1212856)
    • Implement new RHUI support in reposync

spacewalk-certs-tools:

  • Version 4.3.19-1
    • Support EC Cryptography with mgr-ssl-cert-setup
    • mgr-ssl-cert-setup: store CA certificate in database (bsc#1212856)

spacewalk-config:

  • Version 4.3.11-1
    • Allow calling instance-flavor-check via sudo

spacewalk-java:

  • Version 4.3.66-1
    • Fix RHUI support for RHEL 7 clients (bsc#1215756)
  • Version 4.3.65-1
    • Combine the PAYG credentials and the repository paths when they collide (bsc#1215413)
  • Version 4.3.64-1
    • Fix token issue with cloned deb channels (bsc#1214982)
    • Fix PAYG credentials extraction for SLES 12 clients (bsc#1215352)
    • Improved detection of the best authentication for accessing a repository in case of PAYG credentials (bsc#1215362)
    • Do not warn about missing Client Tools Channel subscription in a PAYG environment
  • Version 4.3.63-1
    • Fix X-Instance-Identifier header when doing a product refresh at Cloud RMT Server (bsc#1214889)
  • Version 4.3.62-1
    • Add environment build/promote date to CLM API output (jsc#SUMA-280)
    • Call mgr-libmod with its absolute path
    • Introduce new API to update the products page metadata
    • Extract additional authentication information needed for Pay-as-you-go
    • Fix handling of null credentials in RMT credentials check
    • Integrate instance-flavor-check to detect if the instance is Pay-as-you-go
    • Add rule to count only servers with SUSE Manager Tools as managed clients
    • Create flag to disable update status (bsc#1212730)
    • Fix syntax error in sql query for source package search
    • Catch exceptions and log a message when mailer setup failed (bsc#1213009)
    • Fix logging of libraries using apache-commons-logging
    • Invalidate Pay-as-you-go client credentials after repeated connection failure (bsc#1213445)
    • Restrict product migrations for Pay-as-you-go
    • Add warning message in login UI for Pay-as-you-go with SCC credentials and no forward registration
    • Restrict cloning channels under different product channels for Pay-as-you-go
    • Avoid sending data to SCC about Pay-as-you-go instances
    • Add saltboot redeploy and repartition based on pillars (jsc#SUMA-158)
    • Add system pillar API access {get|set}Pillar
    • Consider the venv-salt-minion package update as Salt update to prevent backtraces on upgrading Salt with itself (bsc#1211884)
    • Fix processing of pkg.purged results (bsc#1213288)
    • Fix Null Pointer Exception in auth endpoint when an empty body is provided
    • Do not ignore scheduling error in Taskomatic
    • Add compliance checks when running as Pay-as-you-go
    • Add RHUI support to Pay-as-you-go connection feature
    • Fix Debian Packages file generation (bsc#1213716)
    • Fix action executor to prevent blocking Taskomatic for actions that are already finished (bsc#1214121)
    • Fix detection in case of RHEL-based products (bsc#1214280)
    • Improve error message when instance-flavor-check tool is not installed
    • Fix auto product refresh in case of SUSE Manager Pay-as-you-go Server
    • Optimize org channel accessibility query (bsc#1211874)
    • Check csp billing adapter status

spacewalk-setup:

  • Version 4.3.18-1
    • Do not rely on rpm runtime status; check rhn.conf instead to see whether it is configured (bsc#1210935)
    • Remove storing CA in DB directly as it is now part of mgr-ssl-cert-setup (bsc#1212856)

spacewalk-web:

  • Version 4.3.33-1
    • Update the messages after syncing the products
    • Fix issue that prevented deleting credentials
    • Add warning message in login UI for Pay-as-you-go with SCC credentials and no forward registration.
    • Hide SSH info for localhost in Pay-as-you-go section
    • Integrate @formatjs/intl as a replacement for t()
    • Fix link interpolation in message maps

supportutils-plugin-susemanager:

  • Version 4.3.9-1
    • Add cloud and Pay-as-you-go checks
    • Write configured crypto-policy in supportconfig

susemanager:

  • Version 4.3.31-1
    • Require LTSS channel for SUSE Manager Proxy 4.2 (bsc#1214187)

susemanager-docs_en:

  • Added a note for SUSE Linux Enterprise Micro clients only having Node and Blackbox exporter for monitoring available, in the Administration Guide (bsc#1212246)
  • Added a warning about channel synchronization failure because of invalidated credentials in Connect Pay-as-you-go instance section of the Installation and Upgrade Guide
  • Added a workflow describing channel removal to the Common Workflows Guide
  • Added background information on Ansible playbooks in the Ansible chapter in Administration Guide (bsc#1213077)
  • Added Best practices and image pillars files to Retail Guide
  • Added detailed information about all supported SUSE Linux Enterprise Micro versions
  • Added Saltboot redeployment subchapter in the Retail Guide
  • Changed filename for configuring Tomcat memory usage in Specialized Guides (bsc#1212814)
  • Fixed Ubuntu channel names in Ubuntu chapter of the Client Configuration Guide (bsc#1212827)
  • Improved Red Hat Update Infrastructure documentation (bsc#1215373)
  • Listed supported key types for SSL certificates in Import SSL Certificates section of the Administration Guide
  • Minimal memory requirement is now 16 GB for a SUSE Manager Server installation
  • Removed the step calling rhn-ssl-dbstore from the SSL setup as it is now integrated into mgr-ssl-cert-setup in Administration Guide
  • Replaced plain text with dedicated attribute for AutoYaST
  • Typo correction for cobbler buildiso command in Client Configuration Guide
  • Updated Ansible chapter in Administration Guide for clarity (bsc#1213077)

susemanager-schema:

  • Version 4.3.20-1
    • Add new credentials type RHUI
    • Store the Pay-as-you-go products

susemanager-sls:

  • Version 4.3.35-1
    • Integrate instance-flavor-check to detect if the instance is Pay-as-you-go
    • Do not disable salt-minion on salt-ssh managed clients
    • Keep original traditional stack tools for RHEL7 RHUI connection
    • Include automatic migration from Salt 3000 to Salt Bundle in highstate
    • Use recurse strategy to merge formula pillar with existing pillars
    • Mask Uyuni roster module password on logs

uyuni-common-libs:

  • Version 4.3.9-1
    • Workaround for python3-debian bug about collecting control file (bsc#1211525, bsc#1208692)

How to apply this update:

  1. Log in as root user to the SUSE Manager Server.
  2. Stop the Spacewalk service: spacewalk-service stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: spacewalk-service start

References (source, name, URL):

Suse SUSE ratings https://www.suse.com/support/security/rating/
Suse URL of this CSAF notice https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_3861-1.json
Suse URL for SUSE-SU-2023:3861-1 https://www.suse.com/support/update/announcement/2023/suse-su-20233861-1/
Suse E-Mail link for SUSE-SU-2023:3861-1 https://lists.suse.com/pipermail/sle-updates/2023-September/031796.html
Bugzilla SUSE Bug 1207330 https://bugzilla.suse.com/1207330
Bugzilla SUSE Bug 1208692 https://bugzilla.suse.com/1208692
Bugzilla SUSE Bug 1210935 https://bugzilla.suse.com/1210935
Bugzilla SUSE Bug 1211525 https://bugzilla.suse.com/1211525
Bugzilla SUSE Bug 1211874 https://bugzilla.suse.com/1211874
Bugzilla SUSE Bug 1211884 https://bugzilla.suse.com/1211884
Bugzilla SUSE Bug 1212246 https://bugzilla.suse.com/1212246
Bugzilla SUSE Bug 1212730 https://bugzilla.suse.com/1212730
Bugzilla SUSE Bug 1212814 https://bugzilla.suse.com/1212814
Bugzilla SUSE Bug 1212827 https://bugzilla.suse.com/1212827
Bugzilla SUSE Bug 1212856 https://bugzilla.suse.com/1212856
Bugzilla SUSE Bug 1212943 https://bugzilla.suse.com/1212943
Bugzilla SUSE Bug 1213009 https://bugzilla.suse.com/1213009
Bugzilla SUSE Bug 1213077 https://bugzilla.suse.com/1213077
Bugzilla SUSE Bug 1213288 https://bugzilla.suse.com/1213288
Bugzilla SUSE Bug 1213445 https://bugzilla.suse.com/1213445
Bugzilla SUSE Bug 1213675 https://bugzilla.suse.com/1213675
Bugzilla SUSE Bug 1213716 https://bugzilla.suse.com/1213716
Bugzilla SUSE Bug 1213880 https://bugzilla.suse.com/1213880
Bugzilla SUSE Bug 1214002 https://bugzilla.suse.com/1214002
Bugzilla SUSE Bug 1214121 https://bugzilla.suse.com/1214121
Bugzilla SUSE Bug 1214124 https://bugzilla.suse.com/1214124
Bugzilla SUSE Bug 1214187 https://bugzilla.suse.com/1214187
Bugzilla SUSE Bug 1214266 https://bugzilla.suse.com/1214266
Bugzilla SUSE Bug 1214280 https://bugzilla.suse.com/1214280
Bugzilla SUSE Bug 1214889 https://bugzilla.suse.com/1214889
Bugzilla SUSE Bug 1214982 https://bugzilla.suse.com/1214982
Bugzilla SUSE Bug 1215352 https://bugzilla.suse.com/1215352
Bugzilla SUSE Bug 1215362 https://bugzilla.suse.com/1215362
Bugzilla SUSE Bug 1215373 https://bugzilla.suse.com/1215373
Bugzilla SUSE Bug 1215413 https://bugzilla.suse.com/1215413
Bugzilla SUSE Bug 1215497 https://bugzilla.suse.com/1215497
Bugzilla SUSE Bug 1215756 https://bugzilla.suse.com/1215756
CVE SUSE CVE CVE-2023-29409 page https://www.suse.com/security/cve/CVE-2023-29409/