SUSE Manager (important)

ID SUSE-SU-2011:0653-1
Type suse
Reporter Suse
Modified 2011-06-20T12:08:14


This security update of SUSE Manager fixes the following vulnerabilities and adds the following improvements:

  • CVE-2009-4139: A cross-site request forgery (CSRF) attack can be used to execute web actions within the SUSE Manager web user interface with the privileges of the attacked user.
  • CVE-2011-1594: An open redirect on the login page, which could be abused for phishing.
  • Only secure SSL cipher suites are used.
  • A "password strength meter" was added.
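The open redirect in CVE-2011-1594 above is the classic login-page pattern: a "return to" parameter is trusted as-is, so a phishing link can log the victim in and bounce them to an attacker-controlled site. The following is an added example (not SUSE Manager or Spacewalk code) of the validation a login handler should apply before redirecting; the default target path and host are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed placeholder: where the login page sends a user when the
# requested return target is missing or rejected (not from the advisory).
DEFAULT_TARGET = "/rhn/YourRhn.do"


def unsafe_redirect_target(raw: Optional[str]) -> str:
    """The vulnerable shape: whatever the request supplied is redirected to."""
    return raw or DEFAULT_TARGET


def safe_redirect_target(raw: Optional[str], default: str = DEFAULT_TARGET) -> str:
    """Return `raw` only if it is a single-slash, site-relative path.

    Everything an attacker can put in a phishing link is rejected:
    absolute URLs (https://evil.example/), protocol-relative ones
    (//evil.example), backslash variants that browsers normalise to "//",
    non-http schemes (javascript:), and header-injection characters.
    """
    if not raw:
        return default
    # Browsers treat "\" like "/", so normalise before inspecting.
    target = raw.strip().replace("\\", "/")
    if any(c in target for c in "\r\n\x00"):
        return default  # CR/LF/NUL could smuggle extra response headers
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default  # absolute, protocol-relative or scheme-prefixed
    if not target.startswith("/") or target.startswith("//"):
        return default  # must be rooted at this site, exactly one slash
    return target


if __name__ == "__main__":
    # Constructed inputs, the kind a login form's "return to" field may carry.
    for candidate in ["/rhn/systems/Overview.do", "https://evil.example/",
                      "//evil.example", "/\\evil.example", "javascript:alert(1)"]:
        print(f"{candidate!r:32} -> {safe_redirect_target(candidate)}")
```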

Additionally, the following non-security issues were fixed:

  • ISO-8859-1 handling of file names contained in packages
  • fix the encoding of a package's summary and description when it is wrong
  • improve the error message when the GPG key is wrong or missing
  • do not trigger a resync if a file is missing, which could cause an endless loop
  • do not send tracebacks by email when reposync fails
  • fix errata export/import for sync
  • handle sync with older Spacewalk servers that do not support weak dependencies
  • remove misleading information about changing the SUSE Manager hostname
  • fix a monitoring-related path name reference
  • fix the malformed URL error from pycurl when downloading products and subscriptions with --from-dir, and other minor issues
  • add proxy authentication to ncc-sync
  • fix a syntax error on redirects when debugging is turned on
  • implement disconnected population of vendor channels
  • use pycurl instead of urllib for remote requests
  • catch the "cannot connect to database" error
  • fix parsing of the proxy user from curlrc

How to apply this update:

  1. Log in as the root user on the SUSE Manager server.
  2. Stop the Spacewalk service: spacewalk-service stop
  3. Apply the patch using either zypper patch or YaST Online Update.
  4. Start the Spacewalk service: spacewalk-service start