SUSE-RU-2015:0611-1

Source
https://www.suse.com/support/update/announcement/2015/suse-ru-20150611-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-RU-2015:0611-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-RU-2015:0611-1
Published
2015-02-25T20:05:05Z
Modified
2015-02-25T20:05:05Z
Summary
Recommended update for SUSE Manager Server 2.1
Details

This collective update for SUSE Manager Server 2.1 provides the following new features:

* Connect SUSE Manager to the SUSE Customer Center.
* Manage SLE12 systems.
* ISS: export/import information about cloned channels to support
  Service Pack migration on ISS slaves. (FATE#317789)
* New API calls: system.scheduleSPMigration(),
  system.scheduleDistUpgrade(). (FATE#314785, FATE#314340)

Additionally, several issues have been fixed:

auditlog-keeper:

* Fix value too long for type character varying(2048). (bnc#872351)
* Fix init.d script restart. (bsc#872029)

cobbler:

* Require syslinux-x86_64 on s390x. (bsc#884051)
* Fix fetching of profiles for auto-installation. (bsc#880936)
* Fix port guessing in koan. (bsc#855389)
* Add 'copy-default' option to grubby-compat. (bsc#855389)
* Handle elilo in SUSE. (bsc#855389)
* Fix wrong option 'text' in SUSE environment. (bsc#901058)
* Fix re-installation on SLE with static network configuration.
  (bsc#883487)
* Add RHEL 7 as a valid operating system version.

oracle-config:

* No need to pre-require Apache as its user and group are available in
  the base system.

osad:

* Enable and install osad during first installation. (bsc#901958)

pxe-default-image:

* Add bind-utils (dig) to packagelist. (bsc#889739)
* Wait for gateway to become available before register. (bsc#895001)

rhnlib:

* Ensure bytes strings are sent to pyOpenSSL. (bnc#880388)

rhnpush:

* Add default path structure to proxy lookaside that avoids collisions.

sm-ncc-sync-data:

* Add SUSE Cloud 4 channels. (bnc#883057)
* Add channels for SUSE Manager Server 2.1 s390x.
* Fix parent label of the LTSS channel for SLMS.
* Add ATI and nVidia channels for SLED11-SP3. (bsc#901108)
* Add support for RES7 in SUSE Manager. (bsc#897723, bsc#893608)

smdba:

* Fix 'system check breaks backup and other configuration'.
* Implement rotating PostgreSQL backup. (bsc#896244)
* Space reclamation caused ORA-00942: table or view does not exist.
  (bsc#906850)
* Archival of PostgreSQL transaction log does not recover in case of no
  space left on device. (bsc#915140)

spacecmd:

* Fix listupgrades. (bsc#892707)
* Make print_result a static method of SpacewalkShell. (bsc#889605)
* Call listAutoinstallableChannels() for listing distributions.
  (bsc#887879)
* Fix spacecmd schedule listing. (bsc#902494)
* Fix call of setCustomOptions() during kickstart_importjson.
  (bsc#879904)
* Fix configchannel export: do not create 'contents' key for
  directories. (bsc#908849)

spacewalk-backend:

* Insert update tag at the correct place for SLE12. (bsc#907677)
* Trigger generation of metadata if the repo contains no packages.
  (bsc#870159)
* Convert mtime to localtime to prevent invalid times because of DST.
  (bsc#914437)
* Do not exit with error if a vendor channel has no URL associated.
  (bsc#914260)
* Convert empty string to null for DMI values. (bsc#911272)

spacewalk-branding:

* CVE patches adapted for colour blind users. (bnc#872298)
* Underline in icons is removed. (bnc#880001)
* Fix link to macro documentation. (bsc#895961)
* Fix branding in error message. (bsc#902503)

spacewalk-certs-tools:

* Fix removal of existing host key entries. (bsc#886391)
* Remove duplicates from authorized_keys2 as well. (bsc#885889)
* Do not allow registering a SUSE Manager server against itself.
  (bsc#841731)

spacewalk-client-tools:

* Allow unicode characters in proxy username and password.
* Send correct hostname. (bsc#887538)

spacewalk-config:

* Add recommended Apache settings from the Security Team.

spacewalk-java:

* Fix human dates now() staying unmodified. (bnc#880081)
* Allow for null evr and archs on event history detail. (bnc#880327)
* Disable form autocompletion in some places. (bnc#879998)
* Fix datepicker time at xx:xx PM pre-filled with xx:xx AM.
  (bnc#881522)
* Fixed package upgrade via SSM when using the Oracle DB as backend.
  (bnc#889721)
* This update fixes various cross-site scripting (XSS) issues in
  spacewalk-java. (CVE-2014-3654, bnc#902182)
* Sync correct repositories. (bnc#904959)
* Fix pxt page link to point to the ported version of that page.
  (bsc#903720)
* Correctly apply patches to multiple systems in SSM. (bsc#898242)
* Fix CVE audit when some packages of a patch are already installed.
  (bsc#899266)
* Download CSV button does not export all columns ('Base Channel'
  missing). (bsc#896238)
* Read and display only a limited number of logfile lines. (bsc#883009)
* Fix package upgrade via SSM. (bsc#889721)
* Fix logrotate for /var/log/rhn/rhn_web_api.log. (bsc#884081)
* Throw channel name exception if name is already used. (bnc#901675)
* Don't commit when XMLRPCExceptions are thrown. (bsc#908320)
* Remove 'Select All' button from system currency report. (bsc#653265)
* Fix documentation search. (bsc#875452)
* Add API listAutoinstallableChannels(). (bsc#887879)
* Avoid ArrayIndexOutOfBoundsException with invalid URLs. (bsc#892711)
* Avoid NumberFormatException in case of invalid URL. (bsc#892711)
* Lookup kickstart tree only when org is found. (bsc#892711)
* Fix NPE on GET /rhn/common/DownloadFile.do. (bsc#892711)
* Port of the advanced provisioning option page to bootstrap.
  (bnc#862408)
* mgr-sync refresh sets wrong permissions on JSON files. (bnc#907337)
* Fix link to macro documentation. (bsc#895961)
* Forward to 'raw mode' page in case this is an uploaded profile.
  (bsc#904841)
* Enlarge big text area to use more available screen space.
  (bnc#867836)
* Fix links to monitoring documentation. (bsc#906887)
* Fix install type detection. (bsc#875231)
* Point 'Register Clients' link to 'Client Configuration Guide'.
  (bsc#880026)
* Change order of installer type: prefer SUSE Linux. (bsc#860299)
* Fix ISE when clicking system currency. (bnc#905530)
* Set cobbler hostname variable when calling system.createSystemRecord.
  (bnc#904699)
* Fix wrong install=http://nullnull line when calling
  system.createSystemRecord. (bnc#904699)
* Explain snapshot/rollback behavior better. (bsc#808947)
* Fix patch syncing: prevent hibernate.NonUniqueObjectException
  and rollback. (bsc#903880)
* Remove 'Add Selected to SSM' from system overview page. (bsc#901776)
* Fix CVE audit in case of multi-version package installed and patch in
  multi channels. (bsc#903723)
* Update channel family membership when channel is updated.
  (bsc#901193)
* Add log warning if uploaded file size > 1MB. (bnc#901927)
* Fix channel package compare. (bsc#904690)
* Fix automatic configuration file deployment via snippet. (bsc#898426)
* Add client hostname or IP to log messages. (bsc#904732)
* Fixed copying text from kickstart snippets. (bsc#880087)
* Fix auditlog config yaml syntax. (bsc#913221)
* Show Proxy tab if system is a proxy even when assigned to cloned
  channels. (bsc#913939)
* Fixed uncaught error which prevented correct error handling.
  (bsc#858971)
* Fix NPE by setting max_members to 0 instead of NULL. (bsc#912035)
* Fix more cross-site-scripting (XSS) issues. (CVE-2014-7811,
  bsc#902915)
* Fix basic authentication for HTTP proxies. (bsc#912057)
* Accept repos with same SCC ID and different URLs. (bsc#911808)
* Avoid mgr-sync-refresh failure because clear_log_id was not called.
  (bsc#911166)
* Fix cross-site-scripting (XSS) issue in system-group (CVE-2014-7812,
  bsc#912886)
* Fix 'Select All' buttons display on rhn:list and make it consistent
  with new rl:list. (bsc#909724)
* Fix List tag missing submit parameter for 'Select All' and others.
  (bnc#909724)
* Sort filelist in configfile.compare event history alphabetically.
  (bsc#910243)
* Allow parenthesis in system group description. (bsc#903064)
* Provide new API documentation in PDF format. (bsc#896029)
* Update the example scripts section. (bsc#896029)
* Fixed wording issues on package lock page. (bsc#880022)
* Make text more clear for package profile sync. (bsc#884350)

spacewalk-reports:

* Added channel- and server-group-ids to activation-keys.
* Added spacewalk-report for systems with extra packages.

spacewalk-search:

* Fix package searching in shared channels.

spacewalk-setup:

* Setup /etc/sudoers in SUSE Manager upgrade scripts (bnc#881711)
* No activation if database population should be skipped. (bsc#900956)
* Do not enable spacewalk-service in runlevel 4. (bsc#879992)

spacewalk-utils:

* Fixed spacewalk-hostname-rename to work with PostgreSQL backend.
* Added limitation of spacewalk-clone-by-date for RHEL4 and earlier.
* Add openSUSE 13.2 repositories to spacewalk-common-channels.
* Improve clone-by-date dependency resolution.
* Add CentOS 7 and EPEL 7 channels.
* Fix error if blacklist / removelist is not in scbd configuration file.

spacewalk-web:

* Fix links to monitoring documentation. (bsc#906887)
* Show Proxy tab if system is a proxy even when assigned to cloned
  channels. (bsc#913939)

supportutils-plugin-susemanager:

* Write current service and repository configuration into
  supportconfig.

susemanager-manualsen, susemanager-jspen:

* Clarification about supported Web browsers. (bsc#889905)
* Update text and image files. (bnc#907527)
* Document NCC to SCC switch with SUSE Manager 2.1. (bnc#907106,
  bnc#907643, bnc#907645, bnc#907646)
* SUSE Manager server update description. (bnc#902373)
* Activation keys and packages. (bnc#767279)
* Cobbler (bnc#880027), Link fix (bnc#881225), Wagon (bnc#884366)
* Install and ship the built PDFs. (bnc#907086)
* Update text and image files (bsc#910494).
* Firewall rules are incomplete - ssh-push and ssh-push-tunnel settings
  missing. (bsc#904703)
* Document SP migration and ISS. (bsc#913215, partially).
* Fix 'beta packages' mentioned in documentation. (bsc#886421).
* User guide: Snapshots: clarify snapshot usage. (bsc#906851).
* Document maximal supported configuration file limit. (bsc#910482).

susemanager-schema:

* Add SLE 12 distribution targets to database.
* Fix evr_t schema upgrade. (bsc#881111)
* Allow evr_t to be compared with NULL in Oracle. (bsc#881111)
* Add support to ppc64le architecture.
* Fix migration script names to fix bare-metal registration.
  (bsc#896109)
* Create regular index instead and have one migration per DB.
  (bsc#905072)
* Drop unique index on package ids. (bsc#905072)
* Fix NPE by setting max_members to 0 instead of NULL. (bsc#912035)
* Fix old migration for future reference. (bsc#911180)
* Avoid NPE when migrating to SCC on Oracle migrated from 1.7.
  (bsc#911180)

susemanager:

* Update the sudoers file after SUSE Manager upgrade. (bnc#881711)
* Fix oracle2postgres.sh (database configuration).
* Replace /etc/motd after setup. (bsc#883379)
* Make mgr-create-bootstrap-repo SCC and SLE 12 aware.
* Abort setup when invalid SSL country code given. (bnc#882468)
* Use noRepoSync parameter always.
* Fixed error message on exception in mgr-sync. (bnc#905263)
* Fixed add product to not trigger redundant addition of base channel.
  (bnc#901928)
* Ask for the authentication beforehand. (bsc#908317)

susemanager-sync-data:

* Add channels for Public Cloud Module. (bsc#907586)
* Add new channel families SLE-WE and SLE-LP.
* Add ATI and nVidia channels for SLED11-SP3. (bsc#901108)
* Add channels for IBM-DLPAR for SLE12 ppc64le.
* Added support for RES7 in SUSE Manager. (bsc#897723, bsc#893608)

suseRegisterInfo:

* Re-add legacy suse_register_info to successfully perform the update.
  (bsc#898428)

zypp-plugin-spacewalk:

* Check for retrieveOnly option in up2date configuration and set
  download_only. (bsc#896254)
* Changed the spec file to force usage of the official python VM.
  (bsc#889363)

yum:

* Preserve query parameters in URLs. (bsc#896844)

struts:

* CVE-2014-0114: The ActionForm object in Apache Struts 1.x through
  1.3.10 allows remote attackers to 'manipulate' the ClassLoader and
  execute arbitrary code via the class parameter, which is passed to
  the getClass method.
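The ClassLoader-manipulation vector described above travels in a request parameter name, so it is visible in the web server's access log. As an added example (not code from this advisory, from Struts or from SUSE Manager), the POSIX shell function below flags Apache access-log lines that carry a class.classLoader parameter. The sample log lines are constructed for the example; matching the URL-encoded dot (%2E) is an assumption about evasion, and matching the string anywhere in the request line (value as well as name) is a deliberate false-positive-tolerant choice. The pattern requires the ".classLoader" tail, so an ordinary parameter such as "classification" does not fire.

```shell
#!/bin/sh
# Added example, not code from the SUSE advisory or from Spacewalk:
# flag Apache access-log lines that carry a "class.classLoader" request
# parameter, the vector behind CVE-2014-0114 in Struts 1 ActionForm
# population. Works on the plain form and on the URL-encoded dot (%2E);
# the encoded variant is an assumption about evasion, not something the
# advisory describes.

# flag_classloader_requests: stdin = access-log lines, stdout = lines that
# reach the ClassLoader through the "class" bean property. Exit status is
# grep's: 0 if anything was flagged, 1 if nothing was.
# "classification=..." must not match, hence the required ".classLoader" tail.
flag_classloader_requests() {
    grep -iE 'class(\.|%2e)classloader'
}

# Constructed sample lines (Apache combined-style); lines 2 and 3 are hits,
# line 4 is a benign parameter that starts with "class".
SAMPLE_LOG='10.0.0.5 - - [25/Feb/2015:10:00:01 +0000] "GET /rhn/YourRhn.do HTTP/1.1" 200 5120
10.0.0.7 - - [25/Feb/2015:10:00:02 +0000] "GET /rhn/LoginSubmit.do?class.classLoader.foo=bar HTTP/1.1" 200 1234
10.0.0.7 - - [25/Feb/2015:10:00:03 +0000] "GET /rhn/Search.do?Class%2EclassLoader%2Efoo=bar HTTP/1.1" 200 2048
10.0.0.9 - - [25/Feb/2015:10:00:04 +0000] "GET /rhn/systems/Overview.do?classification=server HTTP/1.1" 200 777'

# count_flagged: number of flagged lines in SAMPLE_LOG (2 for the sample above).
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_classloader_requests | wc -l | tr -d ' '
}

# Against a real server: flag_classloader_requests < /var/log/apache2/access_log
printf '%s\n' "$SAMPLE_LOG" | flag_classloader_requests
```

Hits on a server that has not yet received this update are worth treating as attempted exploitation; after the update they still tell you who is probing.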

apache2-mod_wsgi:

* CVE-2014-0242: Information exposure. (bnc#878553)
* CVE-2014-0240: Local privilege escalation. (bnc#878550)
* CVE-2014-8583: Failure to handle errors when attempting to drop group
  privileges. (bnc#903961)

libyaml-0-2:

* Assert failure when processing wrapped strings (bnc#907809,
  CVE-2014-9130)

tanukiwrapper:

* Allow more than 4G as -Xmx option. (bsc#914900)

The following new packages have been added to the product: susemanager-sync-data, google-gson, python-enum34.

How to apply this update:

  1. Log in as root user to the SUSE Manager server.
  2. Stop the Spacewalk service: spacewalk-service stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Upgrade the database schema with spacewalk-schema-upgrade
  5. Start the Spacewalk service: spacewalk-service start
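The five steps above as one fail-fast shell script, added here as an example; it is not part of the advisory or of SUSE Manager. The command names (spacewalk-service, zypper patch, spacewalk-schema-upgrade) are the ones the advisory gives; the --non-interactive flag, the handling of zypper's 102 and 103 exit codes (reboot needed, and zypper updated itself and must be re-run, per zypper(8)) and the DRY_RUN switch for rehearsing the sequence are additions made for this example. Each step checks the previous one, so the service is never restarted on a half-applied patch or on an un-upgraded schema.

```shell
#!/bin/sh
# Added example, not code from the SUSE advisory or from SUSE Manager:
# the "How to apply this update" sequence as a fail-fast script.
# Command names come from the advisory; --non-interactive, the zypper
# exit-code handling and DRY_RUN are assumptions added here.
set -u

# run CMD...: execute one step, or just echo it when DRY_RUN=1.
# Returns the command's exit status so every step can be checked.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "[dry-run] $*"
        return 0
    fi
    "$@"
}

# zypper_ok RC: true for the zypper exit codes that mean "patched":
# 0 = success, 102 = success but a reboot is needed (zypper(8)).
# 103 means zypper updated itself and must be re-run; apply_update
# handles that once instead of treating it as success.
zypper_ok() {
    case "$1" in
        0|102) return 0 ;;
        *)     return 1 ;;
    esac
}

# apply_update: steps 1-5 from the advisory, in order, stopping at the
# first failure. Returns 0 only if the service is back up on the new schema.
apply_update() {
    if [ "${DRY_RUN:-0}" != 1 ] && [ "$(id -u)" -ne 0 ]; then
        echo "step 1: run this as root on the SUSE Manager server" >&2
        return 1
    fi
    if ! run spacewalk-service stop; then
        echo "step 2: spacewalk-service stop failed; refusing to patch a running service" >&2
        return 1
    fi
    retried=0
    while :; do
        run zypper --non-interactive patch
        rc=$?
        if [ "$rc" -eq 103 ] && [ "$retried" -eq 0 ]; then
            retried=1          # zypper updated itself: re-run the patch once
            continue
        fi
        if ! zypper_ok "$rc"; then
            echo "step 3: zypper patch failed (exit $rc); service left stopped, schema untouched" >&2
            return 1
        fi
        break
    done
    if ! run spacewalk-schema-upgrade; then
        echo "step 4: spacewalk-schema-upgrade failed; not starting the service on an old schema" >&2
        return 1
    fi
    if ! run spacewalk-service start; then
        echo "step 5: spacewalk-service start failed" >&2
        return 1
    fi
    if [ "$rc" -eq 102 ]; then
        echo "zypper reported that a reboot is needed"
    fi
    return 0
}

# Usage: DRY_RUN=1 sh apply-update.sh run   (rehearse the sequence)
#        sh apply-update.sh run             (as root, for real)
case "${1:-}" in
    run) apply_update ;;
esac
```

Leaving the service stopped when step 3 or 4 fails is intentional: a web application started against a schema it does not match is worse than a short outage, and the failure message names the step so the operator knows where to resume.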

Security Issues:

* CVE-2014-0114
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114>
* CVE-2014-0240
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0240>
* CVE-2014-0242
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0242>
* CVE-2014-3654
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3654>
* CVE-2014-7811
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7811>
* CVE-2014-7812
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7812>
* CVE-2014-8583
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8583>
* CVE-2014-9130
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130>