This security update of SUSE Manager fixes the following
vulnerabilities and adds the following improvements:
- CVE-2009-4139: A cross-site request forgery (CSRF)
attack could be used to execute web actions within the SUSE
Manager web user interface with the privileges of the
attacked user.
- CVE-2011-1594: An open redirect on the login page could
be abused for phishing.
- Only secure SSL cipher suites are used now.
- A "password strength meter" was added.
Additionally, the following non-security issues were fixed:
- fix ISO-8859-1 handling of file names contained in packages
- fix the encoding of the summary and description of a
package if it is wrong
- improve the error message when a GPG key is wrong or missing
- do not trigger a resync if a file is missing; this could
cause an endless loop
- do not send tracebacks as email if reposync failed
- fix errata export/import for sync
- handle sync with older Spacewalk servers that do not
support weak dependencies
- remove misleading information about changing the SUSE
Manager hostname
- fix monitoring related path name reference
- fix "malformed url" error from pycurl when trying to
download products and subscriptions with --from-dir, and
other minor issues
- added proxy authentication to ncc-sync
- fix a syntax error on redirects when debugging is
turned on
- implement disconnected population of vendor channels
- use pycurl instead of urllib for remote requests
- catch the "cannot connect to database" error
- fix parsing of the proxy user from curlrc
How to apply this update:
1. Log in as the root user on the SUSE Manager server.
2. Stop the Spacewalk service: spacewalk-service stop
3. Apply the patch using either zypper patch or YaST Online
Update.
4. Start the Spacewalk service: spacewalk-service start
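The procedure above, wrapped in a small shell script as an added example
(this is not part of the advisory or of SUSE Manager itself). It stops
Spacewalk, runs the patch non-interactively, and starts Spacewalk again
even if the patch step failed, so the server is not left down. The
function name apply_suma_update, the DRY_RUN variable (which prints the
commands instead of running them) and the --apply argument are this
example's own choices; the choice of zypper --non-interactive patch over
an interactive zypper patch or YaST Online Update is also an assumption.

```shell
#!/bin/sh
# Added example: the advisory's update steps as one script.
# Assumptions (not from the advisory): DRY_RUN, apply_suma_update and
# the --apply argument are invented here; zypper is used rather than
# YaST Online Update.

# Run a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Stop Spacewalk, apply the patch, start Spacewalk again.
# Returns zypper's exit status; Spacewalk is restarted even when the
# patch step fails. zypper exit code 103 means zypper itself was
# updated and the patch run must be repeated once.
apply_suma_update() {
    if [ -z "${DRY_RUN:-}" ] && [ "$(id -u)" -ne 0 ]; then
        echo "apply_suma_update: must be run as root" >&2
        return 1
    fi
    run spacewalk-service stop || return 1
    run zypper --non-interactive patch
    rc=$?
    if [ "$rc" -eq 103 ]; then
        run zypper --non-interactive patch
        rc=$?
    fi
    run spacewalk-service start || rc=1
    return "$rc"
}

# Usage: sh apply-suma-update.sh --apply   (or DRY_RUN=1 to preview)
if [ "${1:-}" = "--apply" ]; then
    apply_suma_update
fi
```

Run it with DRY_RUN=1 first to see the exact command sequence before
touching the server; zypper exit code 102 (reboot needed) is passed
through unchanged so the caller can decide whether to reboot.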