Security update for SUSE Manager Client Tools

Announcement ID: SUSE-SU-2022:3747-1
Rating: moderate
CVSS scores:
  • CVE-2022-21698 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2022-21698 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2022-31097 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
  • CVE-2022-31097 ( NVD ): 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
  • CVE-2022-31107 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
  • CVE-2022-31107 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Linux Enterprise Desktop 12
  • SUSE Linux Enterprise Desktop 12 SP1
  • SUSE Linux Enterprise Desktop 12 SP2
  • SUSE Linux Enterprise Desktop 12 SP3
  • SUSE Linux Enterprise Desktop 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4
  • SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
  • SUSE Manager Client Tools for SLE 12
  • SUSE OpenStack Cloud 9
  • SUSE OpenStack Cloud Crowbar 9

An update that solves three vulnerabilities, contains six features and has two security fixes can now be installed.

Description:

This update fixes the following issues:

golang-github-lusitaniae-apache_exporter:

  • Update to upstream release 0.11.0 (jsc#SLE-24791)
  • Add TLS support
  • Switch to logger, please check --log.level and --log.format flags
  • Update to version 0.10.1
  • Bugfix: Reset ProxyBalancer metrics on each scrape to remove stale data
  • Update to version 0.10.0
  • Add Apache Proxy and other metrics
  • Update to version 0.8.0
  • Change commandline flags
  • Add metrics: Apache version, request duration total
  • Adapted to build on Enterprise Linux 8
  • Require building with Go 1.15
  • Add %license macro for LICENSE file

golang-github-prometheus-alertmanager:

  • Do not include sources (bsc#1200725)

golang-github-prometheus-node_exporter:

  • CVE-2022-21698: Denial of service using InstrumentHandlerCounter. (bsc#1196338, jsc#SLE-24243, jsc#SUMA-114)

grafana:

  • Update to version 8.3.10
  • Security:
    • CVE-2022-31097: Cross Site Scripting vulnerability in the Unified Alerting (bsc#1201535)
    • CVE-2022-31107: OAuth account takeover vulnerability (bsc#1201539)
  • Update to version 8.3.9
  • Bug fixes:
    • Geomap: Display legend
    • Prometheus: Fix timestamp truncation
  • Update to version 8.3.7
  • Bug fix:
    • Provisioning: Ensure that the default value for orgID is set when provisioning datasources to be deleted.
  • Update to version 8.3.6
  • Features and enhancements:
    • Cloud Monitoring: Reduce request size when listing labels.
    • Explore: Show scalar data result in a table instead of graph.
    • Snapshots: Updates the default external snapshot server URL.
    • Table: Makes footer not overlap table content.
    • Tempo: Add request histogram to service graph datalink.
    • Tempo: Add time range to tempo search query behind a feature flag.
    • Tempo: Auto-clear results when changing query type.
    • Tempo: Display start time in search results as relative time.
    • CloudMonitoring: Fix resource labels in query editor.
    • Cursor sync: Apply the settings without saving the dashboard.
    • LibraryPanels: Fix for Error while cleaning library panels.
    • Logs Panel: Fix timestamp parsing for string dates without timezone.
    • Prometheus: Fix some of the alerting queries that use reduce/math operation.
    • TablePanel: Fix ad-hoc variables not working on default datasources.
    • Text Panel: Fix alignment of elements.
    • Variables: Fix for constant variables in self referencing links.
  • Update to version 8.3.5 (jsc#SLE-23439, jsc#SLE-23422, jsc#SLE-24565)

kiwi-desc-saltboot:

  • Update to version 0.1.1661440542.6cbe0da
  • Use standard susemanager.conf
  • Use salt bundle
  • Add support for VirtIO disks

mgr-daemon:

  • Version 4.3.6-1
  • Update translation strings

spacecmd:

  • Version 4.3.15-1
  • Process date values in spacecmd api calls (bsc#1198903)

spacewalk-client-tools:

  • Version 4.3.12-1
  • Update translation strings

uyuni-common-libs:

  • Version 4.3.6-1
  • Do not allow creating path if nonexistent user or group in fileutils.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE OpenStack Cloud 9
    zypper in -t patch SUSE-OpenStack-Cloud-9-2022-3747=1
  • SUSE OpenStack Cloud Crowbar 9
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-3747=1
  • SUSE Manager Client Tools for SLE 12
    zypper in -t patch SUSE-SLE-Manager-Tools-12-2022-3747=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
    zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-3747=1
  • SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-3747=1
  • SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-ESPOS-2022-3747=1
  • SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-3747=1
  • SUSE Linux Enterprise High Performance Computing 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-3747=1
  • SUSE Linux Enterprise Server 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-3747=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-3747=1

Package List:

  • SUSE OpenStack Cloud 9 (x86_64)
    • golang-github-prometheus-node_exporter-1.3.0-1.21.1
  • SUSE OpenStack Cloud Crowbar 9 (x86_64)
    • golang-github-prometheus-node_exporter-1.3.0-1.21.1
  • SUSE Manager Client Tools for SLE 12 (aarch64 ppc64le s390x x86_64)
    • golang-github-lusitaniae-apache_exporter-0.11.0-1.13.1
    • golang-github-prometheus-alertmanager-0.23.0-1.15.2
    • grafana-8.3.10-1.33.2
    • golang-github-prometheus-node_exporter-1.3.0-1.21.1
    • python2-uyuni-common-libs-4.3.6-1.27.1
  • SUSE Manager Client Tools for SLE 12 (noarch)
    • python2-spacewalk-client-tools-4.3.12-52.77.1
    • mgr-daemon-4.3.6-1.38.1
    • python2-spacewalk-check-4.3.12-52.77.1
    • spacewalk-check-4.3.12-52.77.1
    • spacewalk-client-setup-4.3.12-52.77.1
    • python2-spacewalk-client-setup-4.3.12-52.77.1
    • kiwi-desc-saltboot-0.1.1661440542.6cbe0da-1.29.1
    • spacecmd-4.3.15-38.109.1
    • spacewalk-client-tools-4.3.12-52.77.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4 (ppc64le x86_64)
    • golang-github-prometheus-node_exporter-1.3.0-1.21.1
  • SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3 (x86_64)
    • golang-github-prometheus-node_exporter-1.3.0-1.21.1
  • SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (aarch64 x86_64)
    • golang-github-prometheus-node_exporter-1.3.0-1.21.1
  • SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (aarch64 ppc64le s390x x86_64)
    • golang-github-prometheus-node_exporter-1.3.0-1.21.1
  • SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
    • golang-github-prometheus-node_exporter-1.3.0-1.21.1
  • SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
    • golang-github-prometheus-node_exporter-1.3.0-1.21.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
    • golang-github-prometheus-node_exporter-1.3.0-1.21.1
