Security update for SUSE Manager 3.2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:3251-1 Final 1 1 2020-11-06T16:03:37Z current 2020-11-06T16:03:37Z 2020-11-06T16:03:37Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SUSE Manager 3.2 This security update for SUSE Manager 3.2 fixes the following issues: py26-compat-salt: - Properly validate eauth credentials and tokens on SSH calls made by Salt API (bsc#1178319, bsc#1178362, bsc#1178361, CVE-2020-25592, CVE-2020-17490, CVE-2020-16846) spacewalk-java: - Use correct eauth module and credentials for Salt SSH calls (bsc#1178319, CVE-2020-25592) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-3251,SUSE-SUSE-Manager-Server-3.2-2020-3251 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20203251-1/ Link for SUSE-SU-2020:3251-1 https://lists.suse.com/pipermail/sle-security-updates/2020-November/007729.html E-Mail link for SUSE-SU-2020:3251-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1178319 SUSE Bug 1178319 https://bugzilla.suse.com/1178361 SUSE Bug 1178361 https://bugzilla.suse.com/1178362 SUSE Bug 1178362 https://www.suse.com/security/cve/CVE-2020-16846/ SUSE CVE CVE-2020-16846 page https://www.suse.com/security/cve/CVE-2020-17490/ SUSE CVE CVE-2020-17490 page https://www.suse.com/security/cve/CVE-2020-25592/ SUSE CVE CVE-2020-25592 page SUSE Manager Server 3.2 py26-compat-salt-2016.11.10-6.41.1 spacewalk-java-2.8.78.31-3.56.1 spacewalk-java-apidoc-sources-2.8.78.31-3.56.1 spacewalk-java-config-2.8.78.31-3.56.1 spacewalk-java-lib-2.8.78.31-3.56.1 spacewalk-java-oracle-2.8.78.31-3.56.1 spacewalk-java-postgresql-2.8.78.31-3.56.1 spacewalk-taskomatic-2.8.78.31-3.56.1 py26-compat-salt-2016.11.10-6.41.1 as a component of SUSE Manager Server 3.2 spacewalk-java-2.8.78.31-3.56.1 as a component of SUSE Manager Server 3.2 spacewalk-java-config-2.8.78.31-3.56.1 as a component of SUSE Manager Server 3.2 spacewalk-java-lib-2.8.78.31-3.56.1 as a component of SUSE Manager Server 3.2 spacewalk-java-oracle-2.8.78.31-3.56.1 as a component of SUSE Manager Server 3.2 spacewalk-java-postgresql-2.8.78.31-3.56.1 as a component of SUSE Manager Server 3.2 spacewalk-taskomatic-2.8.78.31-3.56.1 as a component of SUSE Manager Server 3.2 An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection. CVE-2020-16846 SUSE Manager Server 3.2:py26-compat-salt-2016.11.10-6.41.1 SUSE Manager Server 3.2:spacewalk-java-2.8.78.31-3.56.1 SUSE Manager Server 3.2:spacewalk-java-config-2.8.78.31-3.56.1 SUSE Manager Server 3.2:spacewalk-java-lib-2.8.78.31-3.56.1 SUSE Manager Server 3.2:spacewalk-java-oracle-2.8.78.31-3.56.1 SUSE Manager Server 3.2:spacewalk-java-postgresql-2.8.78.31-3.56.1 SUSE Manager Server 3.2:spacewalk-taskomatic-2.8.78.31-3.56.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20203251-1/ https://www.suse.com/security/cve/CVE-2020-16846.html CVE-2020-16846 https://bugzilla.suse.com/1178361 SUSE Bug 1178361 The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions. CVE-2020-17490 SUSE Manager Server 3.2:py26-compat-salt-2016.11.10-6.41.1 SUSE Manager Server 3.2:spacewalk-java-2.8.78.31-3.56.1 SUSE Manager Server 3.2:spacewalk-java-config-2.8.78.31-3.56.1 SUSE Manager Server 3.2:spacewalk-java-lib-2.8.78.31-3.56.1 SUSE Manager Server 3.2:spacewalk-java-oracle-2.8.78.31-3.56.1 SUSE Manager Server 3.2:spacewalk-java-postgresql-2.8.78.31-3.56.1 SUSE Manager Server 3.2:spacewalk-taskomatic-2.8.78.31-3.56.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20203251-1/ https://www.suse.com/security/cve/CVE-2020-17490.html CVE-2020-17490 https://bugzilla.suse.com/1178362 SUSE Bug 1178362 In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH. CVE-2020-25592 SUSE Manager Server 3.2:py26-compat-salt-2016.11.10-6.41.1 SUSE Manager Server 3.2:spacewalk-java-2.8.78.31-3.56.1 SUSE Manager Server 3.2:spacewalk-java-config-2.8.78.31-3.56.1 SUSE Manager Server 3.2:spacewalk-java-lib-2.8.78.31-3.56.1 SUSE Manager Server 3.2:spacewalk-java-oracle-2.8.78.31-3.56.1 SUSE Manager Server 3.2:spacewalk-java-postgresql-2.8.78.31-3.56.1 SUSE Manager Server 3.2:spacewalk-taskomatic-2.8.78.31-3.56.1 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20203251-1/ https://www.suse.com/security/cve/CVE-2020-25592.html CVE-2020-25592 https://bugzilla.suse.com/1178319 SUSE Bug 1178319