Bugzilla – Bug 1085414
VUL-1: CVE-2018-1077: spacewalk: XML External Entity (XXE) in Spacewalk APIs
Last modified: 2024-07-08 13:54:25 UTC
via redhat Spacewalk 2.6 contains an API which has an XXE flaw allowing for the disclosure of potentially sensitive information from the server. References: https://bugzilla.redhat.com/show_bug.cgi?id=1555429 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1077
Only SUSE Manager 3.0 was based on Spacewalk 2.6 and is EOL. 3.1 is based on 2.7 and 3.2 on 2.8. @Marcus, can this be closed? At Bugzilla and the CVE archive I can only see Spacewalk 2.6 as affected.
Let's close.
reopen on request
Patch submitted to our upstream (Uyuni): https://build.opensuse.org/request/show/777627 And to Head, 4.0 and 3.2 devel packages. Fix will be part of next scheduled 4.0 and 3.2 Maintenance updates. Not sure if the bug should stay open until that moment.
If security bugs are fixed, reassign to security-team for further tracking.
SUSE-SU-2020:0671-1: An update that solves two vulnerabilities and has 51 fixes is now available. Category: security (moderate) Bug References: 1083326,1085414,1121640,1123274,1137248,1140332,1144176,1152673,1152795,1153269,1154246,1154590,1154599,1155281,1155372,1156751,1157317,1157346,1157447,1157700,1157975,1158178,1158181,1158283,1158480,1158564,1158672,1158697,1158754,1158818,1158899,1158943,1159012,1159023,1159076,1159184,1159492,1159553,1160184,1160940,1161755,1161862,1162609,1162683,1164120,1164309,1164452,1164649,1164875,1165541,1165927,1166061,1166388 CVE References: CVE-2018-1077,CVE-2020-1693 Sources used: SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (src): branch-network-formula-0.1.1580471316.1839544-3.10.2, image-sync-formula-0.1.1579102150.4716559-3.11.2, mgr-osad-4.0.11-3.9.2, patterns-suse-manager-4.0-9.10.2, prometheus-formula-0.1-4.7.2, pxe-default-image-sle15-4.0.1-20200305173027, pxe-formula-0.1.1580384994.6076a7e-3.11.2, py26-compat-salt-2016.11.10-10.11.2, python-susemanager-retail-1.0.1580471316.1839544-3.13.2, redstone-xmlrpc-1.1_20071120-0.11.3.2, salt-netapi-client-0.17.0-4.3.2, spacecmd-4.0.18-3.13.2, spacewalk-admin-4.0.9-3.6.2, spacewalk-backend-4.0.30-3.23.3, spacewalk-certs-tools-4.0.15-3.15.2, spacewalk-client-tools-4.0.12-3.13.2, spacewalk-java-4.0.31-3.23.1, spacewalk-search-4.0.9-3.11.2, spacewalk-setup-4.0.13-3.11.1, spacewalk-utils-4.0.16-3.15.2, spacewalk-web-4.0.19-3.18.3, subscription-matcher-0.25-3.3.2, susemanager-4.0.22-3.20.3, susemanager-doc-indexes-4.0-10.18.2, susemanager-docs_en-4.0-10.18.2, susemanager-schema-4.0.18-3.17.2, susemanager-sls-4.0.24-3.17.2, susemanager-sync-data-4.0.16-3.15.2, system-lock-formula-0.2-4.5.1, virtualization-host-formula-0.2-4.3.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-RU-2020:0687-1: An update that has 51 recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1083326,1085414,1121640,1123274,1137248,1140332,1144176,1152673,1152795,1153269,1154246,1154590,1154599,1155281,1155372,1156751,1157317,1157346,1157447,1157700,1157975,1158178,1158181,1158283,1158480,1158564,1158672,1158697,1158754,1158818,1158899,1158943,1159012,1159023,1159076,1159184,1159492,1159553,1160184,1160940,1161755,1161862,1162609,1162683,1164120,1164309,1164452,1164649,1164875,1165541,1166061 CVE References: Sources used: SUSE Manager Server 4.0 (src): release-notes-susemanager-4.0.5-3.38.1 SUSE Manager Retail Branch Server 4.0 (src): release-notes-susemanager-proxy-4.0.5-0.16.26.1 SUSE Manager Proxy 4.0 (src): release-notes-susemanager-proxy-4.0.5-0.16.26.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): release-notes-susemanager-4.0.5-3.38.1, release-notes-susemanager-proxy-4.0.5-0.16.26.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0671-1: An update that solves three vulnerabilities and has 51 fixes is now available. Category: security (moderate) Bug References: 1083326,1085414,1121640,1123274,1137248,1140332,1144176,1152673,1152795,1153269,1154246,1154590,1154599,1155281,1155372,1156751,1157317,1157346,1157447,1157700,1157975,1158178,1158181,1158283,1158480,1158564,1158672,1158697,1158754,1158818,1158899,1158943,1159012,1159023,1159076,1159184,1159492,1159553,1160184,1160940,1161755,1161862,1162609,1162683,1164120,1164309,1164452,1164649,1164875,1165425,1165541,1165927,1166061,1166388 CVE References: CVE-2018-1077,CVE-2019-16769,CVE-2020-1693 Sources used: SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (src): branch-network-formula-0.1.1580471316.1839544-3.10.2, image-sync-formula-0.1.1579102150.4716559-3.11.2, mgr-osad-4.0.11-3.9.2, patterns-suse-manager-4.0-9.10.2, prometheus-formula-0.1-4.7.2, pxe-default-image-sle15-4.0.1-20200305173027, pxe-formula-0.1.1580384994.6076a7e-3.11.2, py26-compat-salt-2016.11.10-10.11.2, python-susemanager-retail-1.0.1580471316.1839544-3.13.2, redstone-xmlrpc-1.1_20071120-0.11.3.2, salt-netapi-client-0.17.0-4.3.2, spacecmd-4.0.18-3.13.2, spacewalk-admin-4.0.9-3.6.2, spacewalk-backend-4.0.30-3.23.3, spacewalk-certs-tools-4.0.15-3.15.2, spacewalk-client-tools-4.0.12-3.13.2, spacewalk-java-4.0.31-3.23.1, spacewalk-search-4.0.9-3.11.2, spacewalk-setup-4.0.13-3.11.1, spacewalk-utils-4.0.16-3.15.2, spacewalk-web-4.0.19-3.18.3, subscription-matcher-0.25-3.3.2, susemanager-4.0.22-3.20.3, susemanager-doc-indexes-4.0-10.18.2, susemanager-docs_en-4.0-10.18.2, susemanager-schema-4.0.18-3.17.2, susemanager-sls-4.0.24-3.17.2, susemanager-sync-data-4.0.16-3.15.2, system-lock-formula-0.2-4.5.1, virtualization-host-formula-0.2-4.3.2 SUSE Linux Enterprise Module for SUSE Manager Proxy 4.0 (src): mgr-osad-4.0.11-3.9.2, patterns-suse-manager-4.0-9.10.2, spacecmd-4.0.18-3.13.2, spacewalk-backend-4.0.30-3.23.3, spacewalk-certs-tools-4.0.15-3.15.2, spacewalk-client-tools-4.0.12-3.13.2, spacewalk-web-4.0.19-3.18.3, supportutils-plugin-susemanager-client-4.0.3-3.3.2, supportutils-plugin-susemanager-proxy-4.0.3-3.3.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0856-1: An update that solves two vulnerabilities and has 15 fixes is now available. Category: security (moderate) Bug References: 1085414,1140332,1155372,1157317,1158899,1159184,1160246,1161862,1162609,1162683,1163001,1163538,1164120,1164563,1164771,1165425,1165921 CVE References: CVE-2018-1077,CVE-2020-1693 Sources used: SUSE Manager Server 3.2 (src): py26-compat-salt-2016.11.10-6.35.1, redstone-xmlrpc-1.1_20071120-0.11.3.1, spacecmd-2.8.25.14-3.32.1, spacewalk-admin-2.8.4.6-3.12.1, spacewalk-backend-2.8.57.22-3.48.1, spacewalk-certs-tools-2.8.8.14-3.23.1, spacewalk-client-tools-2.8.22.7-3.12.1, spacewalk-java-2.8.78.28-3.47.1, spacewalk-setup-2.8.7.10-3.25.1, spacewalk-utils-2.8.18.6-3.12.1, spacewalk-web-2.8.7.23-3.45.1, subscription-matcher-0.25-4.15.1, susemanager-3.2.23-3.40.2, susemanager-sls-3.2.30-3.44.1, susemanager-sync-data-3.2.19-3.35.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-RU-2020:0855-1: An update that has 17 recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1085414,1140332,1155372,1157317,1158899,1159184,1160246,1161862,1162609,1162683,1163001,1163538,1164120,1164563,1164771,1165425,1165921 CVE References: Sources used: SUSE Manager Server 3.2 (src): release-notes-susemanager-3.2.14-6.50.1 SUSE Manager Proxy 3.2 (src): release-notes-susemanager-proxy-3.2.14-0.16.42.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.