Security update for SUSE Manager Proxy 3.1 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:2266-1 Final 1 1 2017-08-25T11:42:12Z current 2017-08-25T11:42:12Z 2017-08-25T11:42:12Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SUSE Manager Proxy 3.1 This update for SUSE Manager Proxy 3.1 provides several fixes and improvements: The following security issues have been fixed: jabberd: - Fix offered SASL mechanism check. (bsc#1047282, CVE-2017-10807) Additionally, the following non-security issues have been fixed: jabberd: - Fix memory leak in pgsql storage driver. - Fix two double-frees caused by dangling pointers. - wss:// (WebSocket over SSL) support in c2s. - Allow BareJID S10N packets. - SQLite postconnect SQL support. - Support WebSocket fragmented packets. - Module to verify users using e-mail. - Use OpenSSL functions for base64 en/decoding when available. - Option to dump packet-filter matched packets to file. - bcrypt support for PostgreSQL and MySQL storage. - Option to set authreg module per realm. - WebSocket C2S SX plugin. - Support for RSA/DH/ECDH key agreement. - For a detailed description of all fixes, please refer to the changelog. osad: - Reduce maximal size of osad log before rotating. - Perform osad restart in posttrans. (bsc#1039913) spacewalk-backend: - Make master_label static to keep its value when retrying. (bsc#1038321) - Adapt for the new gpgcheck flag for the channels. spacewalk-certs-tools: - Improve text for bootstrap. (bsc#1032324) spacewalk-proxy: - Use query string in upstream HEAD requests. (bsc#1036260) spacewalk-web: - Fix overlapping of elements. (bsc#1031143) - Fix formulas action buttons position. (bsc#1047513) - Do not show old messages. (bsc#1043831) - Add a dynamic counter of the remaining textarea length. - Confirm if navigating away while bootstrapping. spacewalksd: - Fix permissions of PID files in spacewalksd. (bsc#1049936) zypp-plugin-spacewalk: - Fix setting pkg_gpgcheck. - Make pkg_gpgcheck configurable. How to apply this update: 1. Log in as root user to the SUSE Manager proxy. 2. Stop the proxy service: spacewalk-proxy stop 3. Apply the patch using either zypper patch or YaST Online Update. 4. Start the Spacewalk service: spacewalk-proxy start The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SUSE-Manager-Proxy-3.1-2017-1387 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20172266-1/ Link for SUSE-SU-2017:2266-1 https://lists.suse.com/pipermail/sle-security-updates/2017-August/003161.html E-Mail link for SUSE-SU-2017:2266-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1031143 SUSE Bug 1031143 https://bugzilla.suse.com/1032324 SUSE Bug 1032324 https://bugzilla.suse.com/1036260 SUSE Bug 1036260 https://bugzilla.suse.com/1038321 SUSE Bug 1038321 https://bugzilla.suse.com/1039913 SUSE Bug 1039913 https://bugzilla.suse.com/1043831 SUSE Bug 1043831 https://bugzilla.suse.com/1047282 SUSE Bug 1047282 https://bugzilla.suse.com/1047513 SUSE Bug 1047513 https://bugzilla.suse.com/1049936 SUSE Bug 1049936 https://bugzilla.suse.com/1052039 SUSE Bug 1052039 https://www.suse.com/security/cve/CVE-2017-10807/ SUSE CVE CVE-2017-10807 page SUSE Manager Proxy 3.1 jabberd-2.6.1-3.3.1 jabberd-db-2.6.1-3.3.1 jabberd-sqlite-2.6.1-3.3.1 osa-common-5.11.80.3-2.3.1 osad-5.11.80.3-2.3.1 rhnpush-5.5.104.3-2.3.2 spacewalk-backend-2.7.73.7-2.3.1 spacewalk-backend-libs-2.7.73.7-2.3.1 spacewalk-base-minimal-2.7.1.10-2.3.1 spacewalk-base-minimal-config-2.7.1.10-2.3.1 spacewalk-certs-tools-2.7.0.7-2.3.1 spacewalk-proxy-broker-2.7.1.4-2.3.1 spacewalk-proxy-common-2.7.1.4-2.3.1 spacewalk-proxy-management-2.7.1.4-2.3.1 spacewalk-proxy-package-manager-2.7.1.4-2.3.1 spacewalk-proxy-redirect-2.7.1.4-2.3.1 spacewalk-proxy-salt-2.7.1.4-2.3.1 spacewalksd-5.0.26.3-2.3.1 supportutils-plugin-susemanager-client-3.1.2-2.3.1 zypp-plugin-spacewalk-0.9.16-2.3.1 jabberd-2.6.1-3.3.1 as a component of SUSE Manager Proxy 3.1 jabberd-db-2.6.1-3.3.1 as a component of SUSE Manager Proxy 3.1 jabberd-sqlite-2.6.1-3.3.1 as a component of SUSE Manager Proxy 3.1 osa-common-5.11.80.3-2.3.1 as a component of SUSE Manager Proxy 3.1 osad-5.11.80.3-2.3.1 as a component of SUSE Manager Proxy 3.1 rhnpush-5.5.104.3-2.3.2 as a component of SUSE Manager Proxy 3.1 spacewalk-backend-2.7.73.7-2.3.1 as a component of SUSE Manager Proxy 3.1 spacewalk-backend-libs-2.7.73.7-2.3.1 as a component of SUSE Manager Proxy 3.1 spacewalk-base-minimal-2.7.1.10-2.3.1 as a component of SUSE Manager Proxy 3.1 spacewalk-base-minimal-config-2.7.1.10-2.3.1 as a component of SUSE Manager Proxy 3.1 spacewalk-certs-tools-2.7.0.7-2.3.1 as a component of SUSE Manager Proxy 3.1 spacewalk-proxy-broker-2.7.1.4-2.3.1 as a component of SUSE Manager Proxy 3.1 spacewalk-proxy-common-2.7.1.4-2.3.1 as a component of SUSE Manager Proxy 3.1 spacewalk-proxy-management-2.7.1.4-2.3.1 as a component of SUSE Manager Proxy 3.1 spacewalk-proxy-package-manager-2.7.1.4-2.3.1 as a component of SUSE Manager Proxy 3.1 spacewalk-proxy-redirect-2.7.1.4-2.3.1 as a component of SUSE Manager Proxy 3.1 spacewalk-proxy-salt-2.7.1.4-2.3.1 as a component of SUSE Manager Proxy 3.1 spacewalksd-5.0.26.3-2.3.1 as a component of SUSE Manager Proxy 3.1 supportutils-plugin-susemanager-client-3.1.2-2.3.1 as a component of SUSE Manager Proxy 3.1 zypp-plugin-spacewalk-0.9.16-2.3.1 as a component of SUSE Manager Proxy 3.1 JabberD 2.x (aka jabberd2) before 2.6.1 allows anyone to authenticate using SASL ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled. CVE-2017-10807 SUSE Manager Proxy 3.1:jabberd-2.6.1-3.3.1 SUSE Manager Proxy 3.1:jabberd-db-2.6.1-3.3.1 SUSE Manager Proxy 3.1:jabberd-sqlite-2.6.1-3.3.1 SUSE Manager Proxy 3.1:osa-common-5.11.80.3-2.3.1 SUSE Manager Proxy 3.1:osad-5.11.80.3-2.3.1 SUSE Manager Proxy 3.1:rhnpush-5.5.104.3-2.3.2 SUSE Manager Proxy 3.1:spacewalk-backend-2.7.73.7-2.3.1 SUSE Manager Proxy 3.1:spacewalk-backend-libs-2.7.73.7-2.3.1 SUSE Manager Proxy 3.1:spacewalk-base-minimal-2.7.1.10-2.3.1 SUSE Manager Proxy 3.1:spacewalk-base-minimal-config-2.7.1.10-2.3.1 SUSE Manager Proxy 3.1:spacewalk-certs-tools-2.7.0.7-2.3.1 SUSE Manager Proxy 3.1:spacewalk-proxy-broker-2.7.1.4-2.3.1 SUSE Manager Proxy 3.1:spacewalk-proxy-common-2.7.1.4-2.3.1 SUSE Manager Proxy 3.1:spacewalk-proxy-management-2.7.1.4-2.3.1 SUSE Manager Proxy 3.1:spacewalk-proxy-package-manager-2.7.1.4-2.3.1 SUSE Manager Proxy 3.1:spacewalk-proxy-redirect-2.7.1.4-2.3.1 SUSE Manager Proxy 3.1:spacewalk-proxy-salt-2.7.1.4-2.3.1 SUSE Manager Proxy 3.1:spacewalksd-5.0.26.3-2.3.1 SUSE Manager Proxy 3.1:supportutils-plugin-susemanager-client-3.1.2-2.3.1 SUSE Manager Proxy 3.1:zypp-plugin-spacewalk-0.9.16-2.3.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172266-1/ https://www.suse.com/security/cve/CVE-2017-10807.html CVE-2017-10807 https://bugzilla.suse.com/1047282 SUSE Bug 1047282