Recommended update for SUSE Manager 4.2.3 Release Notes SUSE Patch security@suse.de SUSE Security Team SUSE-RU-2021:3551-1 Final 1 1 2021-10-27T13:28:00Z current 2021-10-27T13:28:00Z 2021-10-27T13:28:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Recommended update for SUSE Manager 4.2.3 Release Notes This update for SUSE Manager 4.2.3 Release Notes provides the following additions: Release notes for SUSE Manager: - Update to 4.2.3 - aarch64 support for CentOS 7/8, Oracle Linux 7/8, Rocky Linux 8, AlmaLinux 8, Amazon Linux 2 and openSUSE Leap 15.3 - Package Locking features is now available for Salt Minions - New XMLRPC API methods for SaltKey - Bugs mentioned: bsc#1171520, bsc#1181223, bsc#1187572, bsc#1187998, bsc#1188315, bsc#1188977, bsc#1189260, bsc#1189422, bsc#1189609, bsc#1189799, bsc#1189818, bsc#1189933, bsc#1190040, bsc#1190123, bsc#1190151, bsc#1190164, bsc#1190166, bsc#1190265, bsc#1190275, bsc#1190276, bsc#1190300, bsc#1190396, bsc#1190405, bsc#1190455, bsc#1190512, bsc#1190602, bsc#1190751, bsc#1190820, bsc#1191123, bsc#1191139, bsc#1191348, bsc#1191551, CVE-2021-40348, CVE-2021-21996 Release notes for SUSE Manager proxy: - Update to 4.2.3 - Bugs mentioned: bsc#1171520, bsc#1181223, bsc#1187998, bsc#1188315, bsc#1188977, bsc#1190405, bsc#1190512, bsc#1190602, bsc#1190751, bsc#1190820, bsc#1191348 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-3551,SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2021-3551,SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.2-2021-3551,SUSE-SLE-Product-SUSE-Manager-Server-4.2-2021-3551 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/-2021-3551/suse-ru-20213551-1/ Link for SUSE-RU-2021:3551-1 https://lists.suse.com/pipermail/sle-updates/2021-October/020641.html E-Mail link for SUSE-RU-2021:3551-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1171520 SUSE Bug 1171520 https://bugzilla.suse.com/1181223 SUSE Bug 1181223 https://bugzilla.suse.com/1187572 SUSE Bug 1187572 https://bugzilla.suse.com/1187998 SUSE Bug 1187998 https://bugzilla.suse.com/1188315 SUSE Bug 1188315 https://bugzilla.suse.com/1188977 SUSE Bug 1188977 https://bugzilla.suse.com/1189260 SUSE Bug 1189260 https://bugzilla.suse.com/1189422 SUSE Bug 1189422 https://bugzilla.suse.com/1189609 SUSE Bug 1189609 https://bugzilla.suse.com/1189799 SUSE Bug 1189799 https://bugzilla.suse.com/1189818 SUSE Bug 1189818 https://bugzilla.suse.com/1189933 SUSE Bug 1189933 https://bugzilla.suse.com/1190040 SUSE Bug 1190040 https://bugzilla.suse.com/1190123 SUSE Bug 1190123 https://bugzilla.suse.com/1190151 SUSE Bug 1190151 https://bugzilla.suse.com/1190164 SUSE Bug 1190164 https://bugzilla.suse.com/1190166 SUSE Bug 1190166 https://bugzilla.suse.com/1190265 SUSE Bug 1190265 https://bugzilla.suse.com/1190275 SUSE Bug 1190275 https://bugzilla.suse.com/1190276 SUSE Bug 1190276 https://bugzilla.suse.com/1190300 SUSE Bug 1190300 https://bugzilla.suse.com/1190396 SUSE Bug 1190396 https://bugzilla.suse.com/1190405 SUSE Bug 1190405 https://bugzilla.suse.com/1190455 SUSE Bug 1190455 https://bugzilla.suse.com/1190512 SUSE Bug 1190512 https://bugzilla.suse.com/1190602 SUSE Bug 1190602 https://bugzilla.suse.com/1190751 SUSE Bug 1190751 https://bugzilla.suse.com/1190820 SUSE Bug 1190820 https://bugzilla.suse.com/1191123 SUSE Bug 1191123 https://bugzilla.suse.com/1191139 SUSE Bug 1191139 https://bugzilla.suse.com/1191348 SUSE Bug 1191348 https://bugzilla.suse.com/1191551 SUSE Bug 1191551 https://www.suse.com/security/cve/CVE-2021-21996/ SUSE CVE CVE-2021-21996 page https://www.suse.com/security/cve/CVE-2021-40348/ SUSE CVE CVE-2021-40348 page SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.2 release-notes-susemanager-4.2.3-3.19.1 release-notes-susemanager-proxy-4.2.3-3.15.1 release-notes-susemanager-proxy-4.2.3-3.15.1 as a component of SUSE Manager Proxy 4.2 release-notes-susemanager-proxy-4.2.3-3.15.1 as a component of SUSE Manager Retail Branch Server 4.2 release-notes-susemanager-4.2.3-3.19.1 as a component of SUSE Manager Server 4.2 An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion. CVE-2021-21996 SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.3-3.15.1 SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.3-3.15.1 SUSE Manager Server 4.2:release-notes-susemanager-4.2.3-3.19.1 low 7.1 AV:N/AC:H/Au:S/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/-2021-3551/suse-ru-20213551-1/ https://www.suse.com/security/cve/CVE-2021-21996.html CVE-2021-21996 https://bugzilla.suse.com/1190265 SUSE Bug 1190265 https://bugzilla.suse.com/1210934 SUSE Bug 1210934 Spacewalk 2.10, and derivatives such as Uyuni 2021.08, allows code injection. rhn-config-satellite.pl doesn't sanitize the configuration filename used to append Spacewalk-specific key-value pair. The script is intended to be run by the tomcat user account with Sudo, according to the installation setup. This can lead to the ability of an attacker to use --option to append arbitrary code to a root-owned file that eventually will be executed by the system. This is fixed in Uyuni spacewalk-admin 4.3.2-1. CVE-2021-40348 SUSE Manager Proxy 4.2:release-notes-susemanager-proxy-4.2.3-3.15.1 SUSE Manager Retail Branch Server 4.2:release-notes-susemanager-proxy-4.2.3-3.15.1 SUSE Manager Server 4.2:release-notes-susemanager-4.2.3-3.19.1 low 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/-2021-3551/suse-ru-20213551-1/ https://www.suse.com/security/cve/CVE-2021-40348.html CVE-2021-40348 https://bugzilla.suse.com/1190040 SUSE Bug 1190040