Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: SUMA: Password disclosed in log file when writing SALT formula | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Paolo Perego <paolo.perego> |
| Component: | Incidents | Assignee: | Kevin Walter <kwalter> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P1 - Urgent | CC: | galaxy-bugs, jgonzalez, johannes.hahn, kwalter, marina.latini, witold.bedyk |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 1197339, 1209434 | | |

Description
Paolo Perego
2023-03-16 16:03:13 UTC
Paolo, I don't think the title or the description are accurate? Right now it looks as if "the admin password" for SUSE Manager was disclosed. What the user is talking about is passwords entered in Salt formulas: https://docs.saltproject.io/en/latest/topics/development/conventions/formulas.html In fact that's a formula we don't even provide (we provide some, but not this one). In his case, a formula to do something related to Active Directory, and in this case that formula has a parameter 'password' and the content of that parameter is leaked.

FMPOV the best option here would be to hide parameters for `CALL: formulas.save` on the log, and enable them maybe only if debug is enabled. I don't recommend looking for a parameter called "password", as a formula could also use "pass" or "pwd" or "passwd", or who knows what, and we would not know :-)

For whoever prepares a fix for this:
- For 4.2, if affected, ask the releng for the target!
- For 4.3, PR against `Manager-4.3-MU-4.3.5`
- For master: ask the releng for the target!

For whoever will prepare a fix for this:
- For 4.2, if affected: PR against `Manager-4.2` and ping Marina (she's preparing the 4.2.15 submission).
- For 4.3, PR against `Manager-4.3-MU-4.3.5` and ping Julio (he will prepare the unscheduled MU for this).
- For master: do not do anything until the embargo is lifted. Not even preparing commits in your fork!

Disregard previous comments about target branches.

PR for SUMA 4.3: https://github.com/SUSE/spacewalk/pull/20868
PR for SUMA 4.2: https://github.com/SUSE/spacewalk/pull/20869

This is an instance of CVE-2023-22644 (bsc#1209434)

Closed also for upstream: https://lists.opensuse.org/archives/list/announce@lists.uyuni-project.org/thread/W5WBXQOUV7TT3JCVJ4GGBMF5YLDRT72D/

SUSE-SU-2023:1830-1: An update that has four security fixes can now be installed.
Category: security (moderate)
Bug References: 1209386, 1209395, 1209689, 1209703
Sources used:
SUSE Manager Proxy 4.3 Module 4.3 (src): spacewalk-web-4.3.29-150400.3.18.1
SUSE Manager Server 4.3 Module 4.3 (src): spacewalk-web-4.3.29-150400.3.18.1, spacewalk-java-4.3.52-150400.3.41.3
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:1831-1: An update that solves three vulnerabilities, contains one feature and has 22 security fixes can now be installed.
Category: security (important)
Bug References: 1179926, 1197027, 1206562, 1206973, 1207063, 1207308, 1207352, 1207490, 1207799, 1207829, 1207830, 1207838, 1207883, 1208288, 1208321, 1208325, 1208586, 1208687, 1208719, 1208772, 1208908, 1209369, 1209386, 1209434, 1209703
CVE References: CVE-2020-8908, CVE-2022-0860, CVE-2023-22644
Jira References: PED-2777
Sources used:
SUSE Manager Proxy 4.2 Module 4.2 (src): spacewalk-client-tools-4.2.23-150300.4.33.7, uyuni-common-libs-4.2.10-150300.3.17.6, spacecmd-4.2.22-150300.4.36.7, mgr-daemon-4.2.11-150300.2.12.5, susemanager-build-keys-15.3.6-150300.3.9.5, spacewalk-proxy-4.2.14-150300.3.27.6, spacewalk-web-4.2.34-150300.3.41.5, spacewalk-backend-4.2.27-150300.4.38.7
SUSE Manager Server 4.2 Module 4.2 (src): guava-30.1.1-150300.4.3.4, virtual-host-gatherer-1.0.25-150300.3.12.5, uyuni-common-libs-4.2.10-150300.3.17.6, spacecmd-4.2.22-150300.4.36.7, spacewalk-java-4.2.49-150300.3.63.3, susemanager-sls-4.2.32-150300.3.46.5, susemanager-build-keys-15.3.6-150300.3.9.5, susemanager-doc-indexes-4.2-150300.12.42.6, subscription-matcher-0.29-150300.6.15.5, susemanager-tftpsync-4.2.4-150300.3.6.6, spacewalk-web-4.2.34-150300.3.41.5, spacewalk-backend-4.2.27-150300.4.38.7, spacewalk-search-4.2.10-150300.3.18.6, jsr-305-3.0.2-150200.3.7.5, spacewalk-client-tools-4.2.23-150300.4.33.7, mgr-libmod-4.2.8-150300.3.9.6, susemanager-docs_en-4.2-150300.12.42.5, supportutils-plugin-susemanager-4.2.6-150300.3.12.5, cobbler-3.1.2-150300.5.22.5
openSUSE Leap 15.4 (src): jsr-305-3.0.2-150200.3.7.5
Development Tools Module 15-SP4 (src): jsr-305-3.0.2-150200.3.7.5
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): jsr-305-3.0.2-150200.3.7.5
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): jsr-305-3.0.2-150200.3.7.5
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): jsr-305-3.0.2-150200.3.7.5
SUSE Linux Enterprise Real Time 15 SP3 (src): jsr-305-3.0.2-150200.3.7.5
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): jsr-305-3.0.2-150200.3.7.5
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): jsr-305-3.0.2-150200.3.7.5
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): jsr-305-3.0.2-150200.3.7.5
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): jsr-305-3.0.2-150200.3.7.5
SUSE Enterprise Storage 7.1 (src): jsr-305-3.0.2-150200.3.7.5
SUSE Enterprise Storage 7 (src): jsr-305-3.0.2-150200.3.7.5
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-RU-2023:2566-1: An update that solves one vulnerability, contains one feature and has 58 recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 1201063, 1203599, 1204089, 1204270, 1204900, 1205600, 1206060, 1206191, 1206423, 1206725, 1206783, 1207063, 1207595, 1207814, 1207829, 1207830, 1208288, 1208321, 1208427, 1208522, 1208536, 1208540, 1208550, 1208586, 1208661, 1208687, 1208719, 1208772, 1208965, 1209119, 1209143, 1209149, 1209215, 1209220, 1209231, 1209253, 1209277, 1209386, 1209395, 1209434, 1209508, 1209557, 1209926, 1209938, 1209993, 1210086, 1210094, 1210101, 1210107, 1210154, 1210162, 1210349, 1210437, 1210458, 1210776, 1210835, 1211956, 1211958, 1212363
CVE References: CVE-2023-22644
Jira References: MSQA-666
Sources used:
SUSE Manager Proxy 4.3 Module 4.3 (src): susemanager-build-keys-15.4.9-150400.3.20.2, spacecmd-4.3.21-150400.3.18.5, mgr-daemon-4.3.7-150400.3.9.5, spacewalk-web-4.3.31-150400.3.21.7, spacewalk-proxy-4.3.16-150400.3.20.6, spacewalk-backend-4.3.21-150400.3.21.13, spacewalk-proxy-installer-4.3.11-150400.3.6.4, uyuni-common-libs-4.3.8-150400.3.12.5
SUSE Manager Server 4.3 Module 4.3 (src): susemanager-4.3.27-150400.3.26.5, spacewalk-setup-4.3.16-150400.3.21.6, python-urlgrabber-4.1.0-150400.4.3.6.3, spacewalk-search-4.3.9-150400.3.12.7, virtual-host-gatherer-1.0.26-150400.3.12.3, perl-Satcon-4.3.2-150400.3.3.5, spacewalk-admin-4.3.11-150400.3.6.6, branch-network-formula-0.1.1680167239.23f2fec-150400.3.3.3, spacewalk-backend-4.3.21-150400.3.21.13, spacewalk-java-4.3.58-150400.3.46.4, supportutils-plugin-susemanager-4.3.7-150400.3.9.6, spacewalk-config-4.3.10-150400.3.6.3, susemanager-sls-4.3.33-150400.3.25.7, spacecmd-4.3.21-150400.3.18.5, hub-xmlrpc-api-0.7-150400.5.6.5, susemanager-docs_en-4.3-150400.9.27.3, susemanager-tftpsync-4.3.4-150400.3.9.9, cpu-mitigations-formula-0.5.0-150400.3.3.3, susemanager-schema-4.3.18-150400.3.18.7, susemanager-build-keys-15.4.9-150400.3.20.2, spacewalk-web-4.3.31-150400.3.21.7, cobbler-3.3.3-150400.5.25.3, uyuni-common-libs-4.3.8-150400.3.12.5
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-RU-2023:2592-1: An update that solves two vulnerabilities, contains one feature and has 90 recommended fixes can now be installed.
Category: recommended (important)
Bug References: 1201059, 1201063, 1203599, 1204089, 1204186, 1204270, 1204900, 1205011, 1205088, 1205600, 1205759, 1206060, 1206146, 1206191, 1206423, 1206520, 1206562, 1206725, 1206783, 1206800, 1206817, 1206861, 1206932, 1206963, 1206973, 1206979, 1206981, 1207063, 1207087, 1207141, 1207297, 1207352, 1207595, 1207792, 1207799, 1207814, 1207829, 1207830, 1207838, 1207867, 1207883, 1208046, 1208119, 1208288, 1208321, 1208325, 1208427, 1208522, 1208536, 1208540, 1208550, 1208586, 1208611, 1208661, 1208687, 1208719, 1208772, 1208908, 1209119, 1209143, 1209149, 1209215, 1209220, 1209231, 1209253, 1209259, 1209277, 1209369, 1209386, 1209395, 1209434, 1209508, 1209557, 1209926, 1209938, 1209993, 1210086, 1210094, 1210101, 1210107, 1210154, 1210162, 1210349, 1210437, 1210458, 1210776, 1210835, 1211956, 1211958, 1212096, 1212363, 1212516
CVE References: CVE-2022-46146, CVE-2023-22644
Jira References: MSQA-666
Sources used:
openSUSE Leap 15.4 (src): release-notes-susemanager-proxy-4.3.6-150400.3.55.4, release-notes-susemanager-4.3.6-150400.3.63.2
SUSE Manager Proxy 4.3 (src): release-notes-susemanager-proxy-4.3.6-150400.3.55.4
SUSE Manager Retail Branch Server 4.3 (src): release-notes-susemanager-proxy-4.3.6-150400.3.55.4
SUSE Manager Server 4.3 (src): release-notes-susemanager-4.3.6-150400.3.63.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-RU-2023:2595-1: An update that solves one vulnerability, contains one feature and has 36 recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 1179747, 1186011, 1203599, 1205600, 1206423, 1207550, 1207814, 1207941, 1208984, 1209220, 1209231, 1209277, 1209386, 1209434, 1209508, 1209877, 1209915, 1209926, 1210011, 1210086, 1210101, 1210107, 1210154, 1210162, 1210232, 1210311, 1210406, 1210437, 1210458, 1210659, 1210835, 1210957, 1211330, 1211956, 1211958, 1212096, 1212363
CVE References: CVE-2023-22644
Jira References: MSQA-674
Sources used:
SUSE Manager Proxy 4.2 Module 4.2 (src): spacewalk-backend-4.2.28-150300.4.41.4, spacecmd-4.2.23-150300.4.39.4, spacewalk-web-4.2.35-150300.3.44.4, spacewalk-ssl-cert-check-4.2.3-150300.3.3.2, susemanager-build-keys-15.3.9-150300.3.14.1, spacewalk-proxy-installer-4.2.12-150300.3.17.2, spacewalk-certs-tools-4.2.20-150300.3.30.4
SUSE Manager Server 4.2 Module 4.2 (src): inter-server-sync-0.2.8-150300.8.31.2, spacewalk-java-4.2.50-150300.3.66.5, hub-xmlrpc-api-0.7-150300.3.12.3, susemanager-schema-4.2.28-150300.3.38.4, cpu-mitigations-formula-0.5.0-150300.3.6.2, spacecmd-4.2.23-150300.4.39.4, susemanager-docs_en-4.2-150300.12.45.2, susemanager-4.2.42-150300.3.54.4, perl-Satcon-4.2.3-150300.3.3.3, susemanager-doc-indexes-4.2-150300.12.45.4, susemanager-build-keys-15.3.9-150300.3.14.1, branch-network-formula-0.1.1680167239.23f2fec-150300.3.6.2, spacewalk-backend-4.2.28-150300.4.41.4, spacewalk-certs-tools-4.2.20-150300.3.30.4, spacewalk-utils-4.2.19-150300.3.24.2, susemanager-sls-4.2.34-150300.3.51.1, spacewalk-web-4.2.35-150300.3.44.4, virtual-host-gatherer-1.0.26-150300.3.15.2, spacewalk-setup-4.2.12-150300.3.18.3, supportutils-plugin-susemanager-4.2.7-150300.3.15.4
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:2594-1: An update that solves two vulnerabilities, contains one feature and has 35 security fixes can now be installed.
Category: security (important)
Bug References: 1179747, 1186011, 1203599, 1205600, 1206423, 1207550, 1207814, 1207941, 1208046, 1208984, 1209220, 1209231, 1209277, 1209386, 1209434, 1209508, 1209877, 1209915, 1209926, 1210011, 1210086, 1210101, 1210107, 1210154, 1210162, 1210232, 1210311, 1210406, 1210437, 1210458, 1210659, 1210835, 1210957, 1211330, 1212096, 1212363, 1212517
CVE References: CVE-2022-46146, CVE-2023-22644
Jira References: MSQA-674
Sources used:
SUSE Manager Retail Branch Server 4.2 (src): release-notes-susemanager-proxy-4.2.13-150300.3.64.2
SUSE Manager Server 4.2 (src): release-notes-susemanager-4.2.13-150300.3.81.1
openSUSE Leap 15.3 (src): release-notes-susemanager-4.2.13-150300.3.81.1, release-notes-susemanager-proxy-4.2.13-150300.3.64.2
SUSE Manager Proxy 4.2 (src): release-notes-susemanager-proxy-4.2.13-150300.3.64.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
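The thread above argues for hiding every parameter of `CALL: formulas.save` in the API call log (showing them only when debug logging is on) rather than masking parameters whose name happens to be "password". The following is an added example written for this page; it is not SUSE Manager or Uyuni code and does not reproduce the actual fix in the linked PRs. It puts both approaches side by side on a constructed Active Directory style formula, and adds a small scanner that a practitioner can run over an existing call log to find lines written before the fix that still carry formula parameters. The log line format `CALL: <name>(<json>)`, the call name `systems.list`, the formula keys and values, and the sample log lines are all assumptions made for the example.

```python
"""Added example (not SUSE Manager / Uyuni code).

Two things the thread implies, in runnable form:

1. Hide *all* parameters of calls known to carry formula data
   (`formulas.save`) from the API call log and print them only when
   debug logging is on. The key-name approach the thread argues against
   (mask only "password") is shown alongside so its weakness is visible.
2. A scanner to run over an existing call log to find lines written
   before the fix that still carry formula parameters.

The log line format `CALL: <name>(<json>)`, the call name `systems.list`
and the formula keys are assumptions for this example, not the project's
actual format or data.
"""
import json
import re

# Calls whose parameters are hidden at normal log level. Only
# formulas.save is named in the bug; the set itself is an assumption.
PARAM_HIDDEN_CALLS = {"formulas.save"}

# Key-name denylist, the approach the thread recommends against.
NAIVE_SECRET_KEYS = {"password"}

CALL_LINE = re.compile(r"CALL: (?P<call>[\w.]+)\((?P<params>.*)\)$")


def naive_redact(params: dict) -> dict:
    """Mask only keys literally named 'password'; 'pwd', 'passwd',
    'bind_pass' and friends pass through untouched."""
    return {k: ("***" if k in NAIVE_SECRET_KEYS else v)
            for k, v in params.items()}


def format_call_naive(call: str, params: dict) -> str:
    """Log line with key-name redaction only."""
    return f"CALL: {call}({json.dumps(naive_redact(params), sort_keys=True)})"


def format_call(call: str, params: dict, debug: bool = False) -> str:
    """Log line with per-call suppression: for calls in PARAM_HIDDEN_CALLS
    the whole payload is replaced by a count unless debug is on."""
    if call in PARAM_HIDDEN_CALLS and not debug:
        return f"CALL: {call}(<{len(params)} parameters hidden>)"
    return f"CALL: {call}({json.dumps(params, sort_keys=True)})"


def leaked(line: str, secrets) -> list:
    """Which of the given secret values appear verbatim in a log line."""
    return [s for s in sorted(secrets) if s in line]


def scan_log(lines) -> list:
    """Return (line_number, call, params) for every call line whose call
    is in PARAM_HIDDEN_CALLS and whose parameters were written out, i.e.
    lines produced before the fix. Already-redacted lines are skipped."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CALL_LINE.search(line)
        if not m or m.group("call") not in PARAM_HIDDEN_CALLS:
            continue
        raw = m.group("params")
        if raw.startswith("<") and raw.endswith("hidden>"):
            continue
        try:
            params = json.loads(raw)
        except json.JSONDecodeError:
            params = raw  # keep the raw text; it still needs review
        hits.append((n, m.group("call"), params))
    return hits


# Constructed formula data in the shape of the Active Directory formula
# described in the bug. Only one of the two secret-bearing keys is
# literally called "password".
AD_FORMULA = {
    "domain": "corp.example.test",
    "bind_user": "svc-join",
    "password": "Hunter2!",
    "pwd": "Hunter2!",
}
SECRETS = {"Hunter2!"}

# Constructed log excerpt: an unaffected call, one pre-fix formulas.save
# line that leaks the formula, and one post-fix line.
SAMPLE_LOG = [
    "2023-03-16 15:58:01 INFO CALL: systems.list({})",
    "2023-03-16 15:58:03 INFO " + format_call("formulas.save", AD_FORMULA, debug=True),
    "2023-03-20 09:12:44 INFO " + format_call("formulas.save", AD_FORMULA),
]


if __name__ == "__main__":
    print(format_call_naive("formulas.save", AD_FORMULA))      # 'pwd' still leaks
    print(format_call("formulas.save", AD_FORMULA))            # payload hidden
    print(format_call("formulas.save", AD_FORMULA, debug=True))
    for n, call, params in scan_log(SAMPLE_LOG):
        print(f"line {n}: {call} still carries parameters {sorted(params)}")
```

Two things to take from it. First, the per-call suppression is a deliberately coarse rule: it does not try to decide which formula fields are secret, because the server cannot know that for a formula it does not ship. Second, patching only stops new leaks; lines written before the update remain on disk (and in any log shipping pipeline) until someone finds and purges them, which is what `scan_log` is for when pointed at the lines of an unpatched server's API call log.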