Security update for SUSE Manager Client Tools

Announcement ID:	SUSE-SU-2023:0353-1
Rating:	moderate
References:	bsc#1172110 bsc#1204032 bsc#1204126 bsc#1204302 bsc#1204303 bsc#1204304 bsc#1204305 bsc#1205207 bsc#1205225 bsc#1205227 bsc#1205599 bsc#1206470 jsc#PED-2617
Cross-References:	CVE-2022-31123 CVE-2022-31130 CVE-2022-39201 CVE-2022-39229 CVE-2022-39306 CVE-2022-39307
CVSS scores:	CVE-2022-31123 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L CVE-2022-31123 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2022-31130 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2022-31130 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2022-39201 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2022-39201 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2022-39229 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2022-39229 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2022-39306 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N CVE-2022-39306 ( NVD ): 6.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N CVE-2022-39307 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2022-39307 ( NVD ): 6.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
Affected Products:	openSUSE Leap 15.3 openSUSE Leap 15.4 openSUSE Leap 15.5 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Micro 5.0 SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Manager Client Tools for SLE 15 SUSE Manager Client Tools for SLE Micro 5

An update that solves six vulnerabilities, contains one feature and has six security fixes can now be installed.

Description:

This update fixes the following issues:

dracut-saltboot:

• Update to version 0.1.1673279145.e7616bd
• Add failsafe stop file when salt-minion does not stop (bsc#1172110)
• Copy existing wicked config instead of generating new (bsc#1205599)

grafana:

• Update to version 8.5.15 (jsc#PED-2617):
• CVE-2022-39306: Fix for privilege escalation (bsc#1205225)
• CVE-2022-39307: Omit error from http response when user does not exists (bsc#1205227)
• Update to version 8.5.14:
• CVE-2022-39201: Fix do not forward login cookie in outgoing requests (bsc#1204303)
• CVE-2022-31130: Make proxy endpoints not leak sensitive HTTP headers (bsc#1204305)
• CVE-2022-31123: Fix plugin signature bypass (bsc#1204302)
• CVE-2022-39229: Fix blocknig other users from signing in (bsc#1204304)

mgr-osad:

• Version 4.3.7-1
• Updated logrotate configuration (bsc#1206470)

mgr-push:

• Version 4.3.5-1
• Update translation strings

rhnlib:

• Version 4.3.5-1
• Don't get stuck at the end of SSL transfers (bsc#1204032)

spacecmd:

• Version 4.3.18-1
• Add python-dateutil dependency, required to process date values in spacecmd api calls
• Version 4.3.17-1
• Remove python3-simplejson dependency
• Correctly understand 'ssm' keyword on scap scheduling
• Add vendor_advisory information to errata_details call (bsc#1205207)
• Added two missing options to schedule product migration: allow-vendor-change and remove-products-without-successor (bsc#1204126)
• Changed schedule product migration to use the correct API method
• Change default port of "Containerized Proxy configuration" 8022

spacewalk-client-tools:

• Version 4.3.14-1
• Update translation strings

uyuni-common-libs:

• Version 4.3.7-1
• unify user notification code on java side

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2023-353=1
• SUSE Manager Client Tools for SLE 15
  zypper in -t patch SUSE-SLE-Manager-Tools-15-2023-353=1
• SUSE Manager Client Tools for SLE Micro 5
  zypper in -t patch SUSE-SLE-Manager-Tools-For-Micro-5-2023-353=1

Package List:

• openSUSE Leap 15.4 (noarch)
  • spacecmd-4.3.18-150000.3.92.1
  • dracut-saltboot-0.1.1673279145.e7616bd-150000.1.44.1
• SUSE Manager Client Tools for SLE 15 (noarch)
  • python3-rhnlib-4.3.5-150000.3.40.1
  • spacecmd-4.3.18-150000.3.92.1
  • spacewalk-client-setup-4.3.14-150000.3.74.1
  • spacewalk-client-tools-4.3.14-150000.3.74.1
  • dracut-saltboot-0.1.1673279145.e7616bd-150000.1.44.1
  • mgr-push-4.3.5-150000.1.24.2
  • python3-mgr-push-4.3.5-150000.1.24.2
  • python3-spacewalk-client-tools-4.3.14-150000.3.74.1
  • python3-spacewalk-check-4.3.14-150000.3.74.1
  • python3-spacewalk-client-setup-4.3.14-150000.3.74.1
  • spacewalk-check-4.3.14-150000.3.74.1
  • python3-mgr-osa-common-4.3.7-150000.1.42.1
  • python3-mgr-osad-4.3.7-150000.1.42.1
  • mgr-osad-4.3.7-150000.1.42.1
• SUSE Manager Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64)
  • python3-uyuni-common-libs-4.3.7-150000.1.30.1
  • grafana-8.5.15-150000.1.39.1
  • grafana-debuginfo-8.5.15-150000.1.39.1
• SUSE Manager Client Tools for SLE Micro 5 (noarch)
  • dracut-saltboot-0.1.1673279145.e7616bd-150000.1.44.1

References:

• https://www.suse.com/security/cve/CVE-2022-31123.html
• https://www.suse.com/security/cve/CVE-2022-31130.html
• https://www.suse.com/security/cve/CVE-2022-39201.html
• https://www.suse.com/security/cve/CVE-2022-39229.html
• https://www.suse.com/security/cve/CVE-2022-39306.html
• https://www.suse.com/security/cve/CVE-2022-39307.html
• https://bugzilla.suse.com/show_bug.cgi?id=1172110
• https://bugzilla.suse.com/show_bug.cgi?id=1204032
• https://bugzilla.suse.com/show_bug.cgi?id=1204126
• https://bugzilla.suse.com/show_bug.cgi?id=1204302
• https://bugzilla.suse.com/show_bug.cgi?id=1204303
• https://bugzilla.suse.com/show_bug.cgi?id=1204304
• https://bugzilla.suse.com/show_bug.cgi?id=1204305
• https://bugzilla.suse.com/show_bug.cgi?id=1205207
• https://bugzilla.suse.com/show_bug.cgi?id=1205225
• https://bugzilla.suse.com/show_bug.cgi?id=1205227
• https://bugzilla.suse.com/show_bug.cgi?id=1205599
• https://bugzilla.suse.com/show_bug.cgi?id=1206470
• https://jira.suse.com/browse/PED-2617