Security update for SUSE Manager Client Tools

Announcement ID:	SUSE-SU-2024:4011-1
Release Date:	2024-11-18T13:23:33Z
Rating:	moderate
References:	bsc#1213933 bsc#1223142 bsc#1226759 bsc#1227341 bsc#1227578 bsc#1227606 bsc#1228424 bsc#1228685 bsc#1229108 bsc#1229260 bsc#1229432 bsc#1229437 bsc#1229501 bsc#1230136 bsc#1230139 bsc#1230285 bsc#1230288 bsc#1230745 bsc#1231157 bsc#1231206 jsc#MSQA-863
Cross-References:	CVE-2023-3978
CVSS scores:	CVE-2023-3978 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2023-3978 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products:	openSUSE Leap 15.3 openSUSE Leap 15.4 openSUSE Leap 15.5 openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Micro 5.0 SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Manager Client Tools for SLE 15 SUSE Manager Client Tools for SLE Micro 5 SUSE Manager Proxy 4.3 SUSE Manager Proxy 4.3 Module 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3 SUSE Manager Server 4.3 Module 4.3 SUSE Package Hub 15 15-SP5 SUSE Package Hub 15 15-SP6

An update that solves one vulnerability, contains one feature and has 19 security fixes can now be installed.

Description:

This update fixes the following issues:

golang-github-lusitaniae-apache_exporter:

• Security issues fixed:

• CVE-2023-3978: Fixed security bug in x/net dependency (bsc#1213933)

• Other changes and issues fixed:

• Delete unpackaged debug files for RHEL

• Do not include source files in the package for RHEL 9
• Require Go 1.20 when building for RedHat derivatives
• Drop EnvironmentFile from the service definition
• Explicitly unset $ARGS environment variable. Setting environment variables should be done in drop-in systemd configuration files.
• Drop go_nostrip macro. It is not needed with current binutils and Go.
• Migrate from disabled to manual source service type
• Drop BuildRequires: golang-packaging
• Upgrade to version 1.0.8 (bsc#1227341)
  • Update prometheus/client_golang to version 1.19.1
  • Update x/net to version 0.23.0
• Upgrade to version 1.0.7
  • Update protobuf to version 1.33.0
  • Update prometheus/client_golang to version 1.19.0
  • Update prometheus/common to version 0.46.0
  • Standardize landing page
• Upgrade to version 1.0.6
  • Update prometheus/exporter-toolkit to version 0.11.0
  • Update prometheus/client_golang to version 1.18.0
  • Add User-Agent header
• Upgrade to version 1.0.4
  • Update x/crypto to version 0.17.0
  • Update alecthomas/kingpin/v2 to version 2.4.0
  • Update prometheus/common to version 0.45.0
• Upgrade to version 1.0.3
  • Update prometheus/client_golang to version 1.17.0
  • Update x/net 0.17.0
• Upgrade to version 1.0.1
  • Update prometheus/exporter-toolkit to version 0.10.0
  • Update prometheus/common to version 0.44.0
  • Update prometheus/client_golang to version 1.16.0

golang-github-prometheus-promu:

• Require Go >= 1.21 for building
• Packaging improvements:
• Drop export CGO_ENABLED="0". Use the default unless there is a defined requirement or benefit (bsc#1230623).
• Update to version 0.16.0:
• Do not discover user/host for reproducible builds
• Fix example/prometheus build error
• Update to version 0.15.0:
• Add linux/riscv64 to default platforms
• Use yaml.Unmarshalstrict to validate configuration files

spacecmd:

• Version 5.0.10-0
• Speed up softwarechannel_removepackages (bsc#1227606)
• Fix error in 'kickstart_delete' when using wildcards (bsc#1227578)
• Spacecmd bootstrap now works with specified port (bsc#1229437)
• Fix sls backup creation as directory with spacecmd (bsc#1230745)

uyuni-common-libs:

• Version 5.0.5-0
• Enforce directory permissions at repo-sync when creating directories (bsc#1229260)

uyuni-tools:

• version 0.1.23-0
• Ensure namespace is defined in all kubernetes commands
• Use SCC credentials to authenticate against registry.suse.com for kubernetes (bsc#1231157)
• Fix namespace usage on mgrctl cp command
• version 0.1.22-0
• Set projectId also for test packages/images
• mgradm migration should not pull Confidential Computing and Hub image is replicas == 0 (bsc#1229432, bsc#1230136)
• Do not allow SUSE Manager downgrade
• Prevent completion issue when /var/log/uyuni-tools.log is missing
• Fix proxy shared volume flag
• During migration, exclude mgr-sync configuration file (bsc#1228685)
• Migrate from PostgreSQL 14 to PostgreSQL 16 pg_hba.conf and postgresql.conf files (bsc#1231206)
• During migration, handle empty autoinstallation path (bsc#1230285)
• During migration, handle symlinks (bsc#1230288)
• During migration, trust the remote sender's file list (bsc#1228424)
• Use SCC flags during podman pull
• Restore SELinux permission after migration (bsc#1229501)
• Share volumes between containers (bsc#1223142)
• Save supportconfig in current directory (bsc#1226759)
• Fix error code handling on reinstallation (bsc#1230139)
• Fix creating first user and organization
• Add missing variable quotes for install vars (bsc#1229108)
• Add API login and logout calls to allow persistent login

Changes that only impact SUSE Manager 4.3:

mgr-daemon:

• Version 4.3.11-0
• Update translation strings

spacewalk-client-tools:

• Version 4.3.21-0
• Update translation strings

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2024-4011=1
• openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2024-4011=1
• SUSE Manager Client Tools for SLE 15
  zypper in -t patch SUSE-SLE-Manager-Tools-15-2024-4011=1
• SUSE Manager Client Tools for SLE Micro 5
  zypper in -t patch SUSE-SLE-Manager-Tools-For-Micro-5-2024-4011=1
• SUSE Package Hub 15 15-SP5
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-4011=1
• SUSE Package Hub 15 15-SP6
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-4011=1
• SUSE Manager Proxy 4.3 Module 4.3
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2024-4011=1
• SUSE Manager Server 4.3 Module 4.3
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-4011=1

Package List:

• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-promu-0.16.0-150000.3.21.4
  • wire-debuginfo-0.6.0-150000.1.17.4
  • golang-github-lusitaniae-apache_exporter-debuginfo-1.0.8-150000.1.23.3
  • golang-github-lusitaniae-apache_exporter-1.0.8-150000.1.23.3
  • wire-0.6.0-150000.1.17.4
• openSUSE Leap 15.5 (noarch)
  • spacecmd-5.0.10-150000.3.127.3
• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-promu-0.16.0-150000.3.21.4
  • wire-debuginfo-0.6.0-150000.1.17.4
  • golang-github-lusitaniae-apache_exporter-debuginfo-1.0.8-150000.1.23.3
  • golang-github-lusitaniae-apache_exporter-1.0.8-150000.1.23.3
  • wire-0.6.0-150000.1.17.4
• openSUSE Leap 15.6 (noarch)
  • spacecmd-5.0.10-150000.3.127.3
• SUSE Manager Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64)
  • mgrctl-debuginfo-0.1.23-150000.1.13.3
  • mgrctl-0.1.23-150000.1.13.3
  • golang-github-lusitaniae-apache_exporter-debuginfo-1.0.8-150000.1.23.3
  • golang-github-lusitaniae-apache_exporter-1.0.8-150000.1.23.3
  • python3-uyuni-common-libs-5.0.5-150000.1.45.3
• SUSE Manager Client Tools for SLE 15 (noarch)
  • mgrctl-zsh-completion-0.1.23-150000.1.13.3
  • python3-spacewalk-client-setup-4.3.21-150000.3.97.4
  • python3-spacewalk-check-4.3.21-150000.3.97.4
  • spacewalk-client-tools-4.3.21-150000.3.97.4
  • mgr-daemon-4.3.11-150000.1.53.5
  • spacecmd-5.0.10-150000.3.127.3
  • spacewalk-check-4.3.21-150000.3.97.4
  • python3-spacewalk-client-tools-4.3.21-150000.3.97.4
  • mgrctl-lang-0.1.23-150000.1.13.3
  • mgrctl-bash-completion-0.1.23-150000.1.13.3
  • spacewalk-client-setup-4.3.21-150000.3.97.4
• SUSE Manager Client Tools for SLE Micro 5 (aarch64 s390x x86_64)
  • mgrctl-0.1.23-150000.1.13.3
  • mgrctl-debuginfo-0.1.23-150000.1.13.3
• SUSE Manager Client Tools for SLE Micro 5 (noarch)
  • mgrctl-lang-0.1.23-150000.1.13.3
  • mgrctl-bash-completion-0.1.23-150000.1.13.3
  • mgrctl-zsh-completion-0.1.23-150000.1.13.3
• SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-promu-0.16.0-150000.3.21.4
• SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-promu-0.16.0-150000.3.21.4
• SUSE Manager Proxy 4.3 Module 4.3 (aarch64 ppc64le s390x x86_64)
  • golang-github-lusitaniae-apache_exporter-1.0.8-150000.1.23.3
  • golang-github-lusitaniae-apache_exporter-debuginfo-1.0.8-150000.1.23.3
• SUSE Manager Server 4.3 Module 4.3 (aarch64 ppc64le s390x x86_64)
  • golang-github-lusitaniae-apache_exporter-1.0.8-150000.1.23.3
  • golang-github-lusitaniae-apache_exporter-debuginfo-1.0.8-150000.1.23.3

References:

• https://www.suse.com/security/cve/CVE-2023-3978.html
• https://bugzilla.suse.com/show_bug.cgi?id=1213933
• https://bugzilla.suse.com/show_bug.cgi?id=1223142
• https://bugzilla.suse.com/show_bug.cgi?id=1226759
• https://bugzilla.suse.com/show_bug.cgi?id=1227341
• https://bugzilla.suse.com/show_bug.cgi?id=1227578
• https://bugzilla.suse.com/show_bug.cgi?id=1227606
• https://bugzilla.suse.com/show_bug.cgi?id=1228424
• https://bugzilla.suse.com/show_bug.cgi?id=1228685
• https://bugzilla.suse.com/show_bug.cgi?id=1229108
• https://bugzilla.suse.com/show_bug.cgi?id=1229260
• https://bugzilla.suse.com/show_bug.cgi?id=1229432
• https://bugzilla.suse.com/show_bug.cgi?id=1229437
• https://bugzilla.suse.com/show_bug.cgi?id=1229501
• https://bugzilla.suse.com/show_bug.cgi?id=1230136
• https://bugzilla.suse.com/show_bug.cgi?id=1230139
• https://bugzilla.suse.com/show_bug.cgi?id=1230285
• https://bugzilla.suse.com/show_bug.cgi?id=1230288
• https://bugzilla.suse.com/show_bug.cgi?id=1230745
• https://bugzilla.suse.com/show_bug.cgi?id=1231157
• https://bugzilla.suse.com/show_bug.cgi?id=1231206
• https://jira.suse.com/browse/MSQA-863