Security update for SUSE Manager Server 4.3 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:4007-1 Final 1 1 2024-11-18T13:20:15Z current 2024-11-18T13:20:15Z 2024-11-18T13:20:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SUSE Manager Server 4.3 This update fixes the following issues: release-notes-susemanager: - Update to SUSE Manager 4.3.14 * Ubuntu 24.04 support as client * Product migration from RHEL and Clones to SUSE Liberty Linux * POS image templates now produce compressed images * Date format for API endpoints has been changed to ISO-8601 format * Security issues fixed: CVE-2024-47533, CVE-2024-49502, CVE-2024-49503 * Bugs mentioned: bsc#1146701, bsc#1211899, bsc#1212985, bsc#1217003, bsc#1217338 bsc#1217978, bsc#1218090, bsc#1219450, bsc#1219645, bsc#1219887 bsc#1221435, bsc#1221505, bsc#1223312, bsc#1223988, bsc#1224108 bsc#1224209, bsc#1225603, bsc#1225619, bsc#1225960, bsc#1226090 bsc#1226439, bsc#1226461, bsc#1226478, bsc#1226687, bsc#1226917 bsc#1227133, bsc#1227334, bsc#1227406, bsc#1227526, bsc#1227543 bsc#1227599, bsc#1227606, bsc#1227746, bsc#1228036, bsc#1228101 bsc#1228130, bsc#1228147, bsc#1228286, bsc#1228326, bsc#1228345 bsc#1228412, bsc#1228545, bsc#1228638, bsc#1228851, bsc#1228945 bsc#1229079, bsc#1229178, bsc#1229260, bsc#1229339, bsc#1231332 bsc#1231852, bsc#1231922, bsc#1231900 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/manager/4.3/proxy-httpd:latest-2024-4007,Image SLES15-SP4-Manager-Proxy-4-3-BYOS-2024-4007,Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure-2024-4007,Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2-2024-4007,Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE-2024-4007,Image SLES15-SP4-Manager-Server-4-3-2024-4007,Image SLES15-SP4-Manager-Server-4-3-Azure-llc-2024-4007,Image SLES15-SP4-Manager-Server-4-3-Azure-ltd-2024-4007,Image SLES15-SP4-Manager-Server-4-3-BYOS-2024-4007,Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure-2024-4007,Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2-2024-4007,Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE-2024-4007,SUSE-2024-4007,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2024-4007,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-4007 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20244007-1/ Link for SUSE-SU-2024:4007-1 https://lists.suse.com/pipermail/sle-security-updates/2024-November/019836.html E-Mail link for SUSE-SU-2024:4007-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1146701 SUSE Bug 1146701 https://bugzilla.suse.com/1211899 SUSE Bug 1211899 https://bugzilla.suse.com/1212985 SUSE Bug 1212985 https://bugzilla.suse.com/1217003 SUSE Bug 1217003 https://bugzilla.suse.com/1217338 SUSE Bug 1217338 https://bugzilla.suse.com/1217978 SUSE Bug 1217978 https://bugzilla.suse.com/1218090 SUSE Bug 1218090 https://bugzilla.suse.com/1219450 SUSE Bug 1219450 https://bugzilla.suse.com/1219645 SUSE Bug 1219645 https://bugzilla.suse.com/1219887 SUSE Bug 1219887 https://bugzilla.suse.com/1221435 SUSE Bug 1221435 https://bugzilla.suse.com/1221505 SUSE Bug 1221505 https://bugzilla.suse.com/1223312 SUSE Bug 1223312 https://bugzilla.suse.com/1223988 SUSE Bug 1223988 https://bugzilla.suse.com/1224108 SUSE Bug 1224108 https://bugzilla.suse.com/1224209 SUSE Bug 1224209 https://bugzilla.suse.com/1225603 SUSE Bug 1225603 https://bugzilla.suse.com/1225619 SUSE Bug 1225619 https://bugzilla.suse.com/1225960 SUSE Bug 1225960 https://bugzilla.suse.com/1226090 SUSE Bug 1226090 https://bugzilla.suse.com/1226439 SUSE Bug 1226439 https://bugzilla.suse.com/1226461 SUSE Bug 1226461 https://bugzilla.suse.com/1226478 SUSE Bug 1226478 https://bugzilla.suse.com/1226687 SUSE Bug 1226687 https://bugzilla.suse.com/1226917 SUSE Bug 1226917 https://bugzilla.suse.com/1227133 SUSE Bug 1227133 https://bugzilla.suse.com/1227334 SUSE Bug 1227334 https://bugzilla.suse.com/1227406 SUSE Bug 1227406 https://bugzilla.suse.com/1227526 SUSE Bug 1227526 https://bugzilla.suse.com/1227543 SUSE Bug 1227543 https://bugzilla.suse.com/1227599 SUSE Bug 1227599 https://bugzilla.suse.com/1227606 SUSE Bug 1227606 https://bugzilla.suse.com/1227746 SUSE Bug 1227746 https://bugzilla.suse.com/1228036 SUSE Bug 1228036 https://bugzilla.suse.com/1228101 SUSE Bug 1228101 https://bugzilla.suse.com/1228130 SUSE Bug 1228130 https://bugzilla.suse.com/1228147 SUSE Bug 1228147 https://bugzilla.suse.com/1228286 SUSE Bug 1228286 https://bugzilla.suse.com/1228326 SUSE Bug 1228326 https://bugzilla.suse.com/1228345 SUSE Bug 1228345 https://bugzilla.suse.com/1228412 SUSE Bug 1228412 https://bugzilla.suse.com/1228545 SUSE Bug 1228545 https://bugzilla.suse.com/1228638 SUSE Bug 1228638 https://bugzilla.suse.com/1228851 SUSE Bug 1228851 https://bugzilla.suse.com/1228945 SUSE Bug 1228945 https://bugzilla.suse.com/1229079 SUSE Bug 1229079 https://bugzilla.suse.com/1229178 SUSE Bug 1229178 https://bugzilla.suse.com/1229260 SUSE Bug 1229260 https://bugzilla.suse.com/1229339 SUSE Bug 1229339 https://bugzilla.suse.com/1231332 SUSE Bug 1231332 https://bugzilla.suse.com/1231852 SUSE Bug 1231852 https://bugzilla.suse.com/1231900 SUSE Bug 1231900 https://bugzilla.suse.com/1231922 SUSE Bug 1231922 https://www.suse.com/security/cve/CVE-2024-47533/ SUSE CVE CVE-2024-47533 page https://www.suse.com/security/cve/CVE-2024-49502/ SUSE CVE CVE-2024-49502 page https://www.suse.com/security/cve/CVE-2024-49503/ SUSE CVE CVE-2024-49503 page Container suse/manager/4.3/proxy-httpd:latest Image SLES15-SP4-Manager-Proxy-4-3-BYOS Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE Image SLES15-SP4-Manager-Server-4-3 Image SLES15-SP4-Manager-Server-4-3-Azure-llc Image SLES15-SP4-Manager-Server-4-3-Azure-ltd Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE SUSE Manager Proxy 4.3 SUSE Manager Server 4.3 release-notes-susemanager-proxy-4.3.14-150400.3.90.1 release-notes-susemanager-4.3.14-150400.3.122.1 release-notes-susemanager-proxy-4.3.14-150400.3.90.1 as a component of Container suse/manager/4.3/proxy-httpd:latest release-notes-susemanager-proxy-4.3.14-150400.3.90.1 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS release-notes-susemanager-proxy-4.3.14-150400.3.90.1 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure release-notes-susemanager-proxy-4.3.14-150400.3.90.1 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2 release-notes-susemanager-proxy-4.3.14-150400.3.90.1 as a component of Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE release-notes-susemanager-4.3.14-150400.3.122.1 as a component of Image SLES15-SP4-Manager-Server-4-3 release-notes-susemanager-4.3.14-150400.3.122.1 as a component of Image SLES15-SP4-Manager-Server-4-3-Azure-llc release-notes-susemanager-4.3.14-150400.3.122.1 as a component of Image SLES15-SP4-Manager-Server-4-3-Azure-ltd release-notes-susemanager-4.3.14-150400.3.122.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS release-notes-susemanager-4.3.14-150400.3.122.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure release-notes-susemanager-4.3.14-150400.3.122.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 release-notes-susemanager-4.3.14-150400.3.122.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE release-notes-susemanager-proxy-4.3.14-150400.3.90.1 as a component of SUSE Manager Proxy 4.3 release-notes-susemanager-4.3.14-150400.3.122.1 as a component of SUSE Manager Server 4.3 Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue. CVE-2024-47533 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 Image SLES15-SP4-Manager-Server-4-3-Azure-llc:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3-Azure-ltd:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3-BYOS:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3:release-notes-susemanager-4.3.14-150400.3.122.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.14-150400.3.122.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20244007-1/ https://www.suse.com/security/cve/CVE-2024-47533.html CVE-2024-47533 https://bugzilla.suse.com/1231332 SUSE Bug 1231332 A Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in the Setup Wizard, HTTP Proxy credentials pane in spacewalk-web allows attackers to attack users by providing specially crafted URLs to click. This issue affects Container suse/manager/5.0/x86_64/server:5.0.2.7.8.1: before 5.0.15-150600.3.10.2; SUSE Manager Server Module 4.3: before 4.3.42-150400.3.52.1. CVE-2024-49502 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 Image SLES15-SP4-Manager-Server-4-3-Azure-llc:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3-Azure-ltd:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3-BYOS:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3:release-notes-susemanager-4.3.14-150400.3.122.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.14-150400.3.122.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20244007-1/ https://www.suse.com/security/cve/CVE-2024-49502.html CVE-2024-49502 https://bugzilla.suse.com/1231852 SUSE Bug 1231852 A Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SUSE manager allows attackers to execute Javascript code in the organization credentials sub page. This issue affects Container suse/manager/5.0/x86_64/server:5.0.2.7.8.1: before 5.0.15-150600.3.10.2; SUSE Manager Server Module 4.3: before 4.3.42-150400.3.52.1. CVE-2024-49503 Container suse/manager/4.3/proxy-httpd:latest:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 Image SLES15-SP4-Manager-Proxy-4-3-BYOS:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 Image SLES15-SP4-Manager-Server-4-3-Azure-llc:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3-Azure-ltd:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3-BYOS:release-notes-susemanager-4.3.14-150400.3.122.1 Image SLES15-SP4-Manager-Server-4-3:release-notes-susemanager-4.3.14-150400.3.122.1 SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.14-150400.3.90.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.14-150400.3.122.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20244007-1/ https://www.suse.com/security/cve/CVE-2024-49503.html CVE-2024-49503 https://bugzilla.suse.com/1231922 SUSE Bug 1231922