Security update for SUSE Manager Client Tools SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:14163-1 Final 1 1 2019-09-05T15:32:15Z current 2019-09-05T15:32:15Z 2019-09-05T15:32:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SUSE Manager Client Tools This update fixes the following issues: mgr-cfg: - Ensure bytes type when using hashlib to avoid traceback (bsc#1138822) mgr-daemon: - Fix systemd timer configuration on SLE12 (bsc#1142038) mgr-osad: - Fix obsolete for old osad packages, to allow installing mgr-osad even by using osad at yum/zyppper install (bsc#1139453) - Ensure bytes type when using hashlib to avoid traceback (bsc#1138822) mgr-virtualization: - Fix missing python 3 ugettext (bsc#1138494) - Fix package dependencies to prevent file conflict (bsc#1143856) rhnlib: - Add SNI support for clients - Fix initialize ssl connection (bsc#1144155) - Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177) python-gzipstream: - SPEC cleanup - add makefile and pylint configuration - Add Uyuni URL to package - Bump version to 4.0.0 (bsc#1104034) - Fix copyright for the package specfile (bsc#1103696) spacecmd: - Bugfix: referenced variable before assignment. - Bugfix: 'dict' object has no attribute 'iteritems' (bsc#1135881) - Add unit tests for custominfo, snippet, scap, ssm, cryptokey and distribution - Fix missing runtime dependencies that made spacecmd return old versions of packages in some cases, even if newer ones were available (bsc#1148311) spacewalk-backend: - Do not overwrite comps and module data with older versions - Fix issue with 'dists' keyword in url hostname - Import packages from all collections of a patch not just first one - Ensure bytes type when using hashlib to avoid traceback on XMLRPC call to 'registration.register_osad' (bsc#1138822) - Do not duplicate 'http://' protocol when using proxies with 'deb' repositories (bsc#1138313) - Fix reposync when dealing with RedHat CDN (bsc#1138358) - Fix for CVE-2019-10136. An attacker with a valid, but expired, authenticated set of headers could move some digits around, artificially extending the session validity without modifying the checksum. (bsc#1136480) - Prevent FileNotFoundError: repomd.xml.key traceback (bsc#1137940) - Add journalctl output to spacewalk-debug tarballs - Prevent unnecessary triggering of channel-repodata tasks when GPG signing is disabled (bsc#1137715) - Fix spacewalk-repo-sync for Ubuntu repositories in mirror case (bsc#1136029) - Add support for ULN repositories on new Zypper based reposync. - Don't skip Deb package tags on package import (bsc#1130040) - For backend-libs subpackages, exclude files for the server (already part of spacewalk-backend) to avoid conflicts (bsc#1148125) - prevent duplicate key violates on repo-sync with long changelog entries (bsc#1144889) spacewalk-remote-utils: - Add RHEL8 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). slesctsp3-client-tools-201907-14163,slesctsp4-client-tools-201907-14163 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-201914163-1/ Link for SUSE-SU-2019:14163-1 https://lists.suse.com/pipermail/sle-security-updates/2019-September/005884.html E-Mail link for SUSE-SU-2019:14163-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1103696 SUSE Bug 1103696 https://bugzilla.suse.com/1104034 SUSE Bug 1104034 https://bugzilla.suse.com/1130040 SUSE Bug 1130040 https://bugzilla.suse.com/1135881 SUSE Bug 1135881 https://bugzilla.suse.com/1136029 SUSE Bug 1136029 https://bugzilla.suse.com/1136480 SUSE Bug 1136480 https://bugzilla.suse.com/1137715 SUSE Bug 1137715 https://bugzilla.suse.com/1137940 SUSE Bug 1137940 https://bugzilla.suse.com/1138313 SUSE Bug 1138313 https://bugzilla.suse.com/1138358 SUSE Bug 1138358 https://bugzilla.suse.com/1138494 SUSE Bug 1138494 https://bugzilla.suse.com/1138822 SUSE Bug 1138822 https://bugzilla.suse.com/1139453 SUSE Bug 1139453 https://bugzilla.suse.com/1142038 SUSE Bug 1142038 https://bugzilla.suse.com/1143856 SUSE Bug 1143856 https://bugzilla.suse.com/1144155 SUSE Bug 1144155 https://bugzilla.suse.com/1144889 SUSE Bug 1144889 https://bugzilla.suse.com/1148125 SUSE Bug 1148125 https://bugzilla.suse.com/1148177 SUSE Bug 1148177 https://bugzilla.suse.com/1148311 SUSE Bug 1148311 https://www.suse.com/security/cve/CVE-2019-10136/ SUSE CVE CVE-2019-10136 page SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS mgr-cfg-4.0.9-5.6.3 mgr-cfg-actions-4.0.9-5.6.3 mgr-cfg-client-4.0.9-5.6.3 mgr-cfg-management-4.0.9-5.6.3 mgr-daemon-4.0.7-5.8.2 mgr-osad-4.0.9-5.6.2 mgr-virtualization-host-4.0.8-5.8.3 python2-mgr-cfg-4.0.9-5.6.3 python2-mgr-cfg-actions-4.0.9-5.6.3 python2-mgr-cfg-client-4.0.9-5.6.3 python2-mgr-cfg-management-4.0.9-5.6.3 python2-mgr-osa-common-4.0.9-5.6.2 python2-mgr-osad-4.0.9-5.6.2 python2-mgr-virtualization-common-4.0.8-5.8.3 python2-mgr-virtualization-host-4.0.8-5.8.3 python2-rhnlib-4.0.11-12.16.1 spacecmd-4.0.14-18.51.1 spacewalk-backend-libs-4.0.25-28.42.1 spacewalk-remote-utils-4.0.5-6.12.2 mgr-cfg-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS mgr-cfg-actions-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS mgr-cfg-client-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS mgr-cfg-management-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS mgr-daemon-4.0.7-5.8.2 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS mgr-osad-4.0.9-5.6.2 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS mgr-virtualization-host-4.0.8-5.8.3 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS python2-mgr-cfg-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS python2-mgr-cfg-actions-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS python2-mgr-cfg-client-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS python2-mgr-cfg-management-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS python2-mgr-osa-common-4.0.9-5.6.2 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS python2-mgr-osad-4.0.9-5.6.2 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS python2-mgr-virtualization-common-4.0.8-5.8.3 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS python2-mgr-virtualization-host-4.0.8-5.8.3 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS python2-rhnlib-4.0.11-12.16.1 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS spacecmd-4.0.14-18.51.1 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS spacewalk-backend-libs-4.0.25-28.42.1 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS spacewalk-remote-utils-4.0.5-6.12.2 as a component of SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS mgr-cfg-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS mgr-cfg-actions-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS mgr-cfg-client-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS mgr-cfg-management-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS mgr-daemon-4.0.7-5.8.2 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS mgr-osad-4.0.9-5.6.2 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS mgr-virtualization-host-4.0.8-5.8.3 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS python2-mgr-cfg-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS python2-mgr-cfg-actions-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS python2-mgr-cfg-client-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS python2-mgr-cfg-management-4.0.9-5.6.3 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS python2-mgr-osa-common-4.0.9-5.6.2 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS python2-mgr-osad-4.0.9-5.6.2 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS python2-mgr-virtualization-common-4.0.8-5.8.3 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS python2-mgr-virtualization-host-4.0.8-5.8.3 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS python2-rhnlib-4.0.11-12.16.1 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS spacecmd-4.0.14-18.51.1 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS spacewalk-backend-libs-4.0.25-28.42.1 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS spacewalk-remote-utils-4.0.5-6.12.2 as a component of SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS It was found that Spacewalk, all versions through 2.9, did not safely compute client token checksums. An attacker with a valid, but expired, authenticated set of headers could move some digits around, artificially extending the session validity without modifying the checksum. CVE-2019-10136 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:mgr-cfg-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:mgr-cfg-actions-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:mgr-cfg-client-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:mgr-cfg-management-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:mgr-daemon-4.0.7-5.8.2 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:mgr-osad-4.0.9-5.6.2 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:mgr-virtualization-host-4.0.8-5.8.3 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:python2-mgr-cfg-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:python2-mgr-cfg-actions-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:python2-mgr-cfg-client-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:python2-mgr-cfg-management-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:python2-mgr-osa-common-4.0.9-5.6.2 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:python2-mgr-osad-4.0.9-5.6.2 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:python2-mgr-virtualization-common-4.0.8-5.8.3 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:python2-mgr-virtualization-host-4.0.8-5.8.3 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:python2-rhnlib-4.0.11-12.16.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:spacecmd-4.0.14-18.51.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:spacewalk-backend-libs-4.0.25-28.42.1 SUSE Linux Enterprise Server 11 SP3-CLIENT-TOOLS:spacewalk-remote-utils-4.0.5-6.12.2 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:mgr-cfg-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:mgr-cfg-actions-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:mgr-cfg-client-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:mgr-cfg-management-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:mgr-daemon-4.0.7-5.8.2 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:mgr-osad-4.0.9-5.6.2 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:mgr-virtualization-host-4.0.8-5.8.3 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:python2-mgr-cfg-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:python2-mgr-cfg-actions-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:python2-mgr-cfg-client-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:python2-mgr-cfg-management-4.0.9-5.6.3 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:python2-mgr-osa-common-4.0.9-5.6.2 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:python2-mgr-osad-4.0.9-5.6.2 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:python2-mgr-virtualization-common-4.0.8-5.8.3 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:python2-mgr-virtualization-host-4.0.8-5.8.3 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:python2-rhnlib-4.0.11-12.16.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:spacecmd-4.0.14-18.51.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:spacewalk-backend-libs-4.0.25-28.42.1 SUSE Linux Enterprise Server 11 SP4-CLIENT-TOOLS:spacewalk-remote-utils-4.0.5-6.12.2 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-201914163-1/ https://www.suse.com/security/cve/CVE-2019-10136.html CVE-2019-10136 https://bugzilla.suse.com/1136480 SUSE Bug 1136480