Security update for SUSE Manager Client Tools

Announcement ID:	SUSE-SU-2023:0352-1
Rating:	moderate
References:	bsc#1172110 bsc#1204032 bsc#1204126 bsc#1204302 bsc#1204303 bsc#1204304 bsc#1204305 bsc#1205207 bsc#1205225 bsc#1205227 bsc#1206470 jsc#PED-2617
Cross-References:	CVE-2022-31123 CVE-2022-31130 CVE-2022-39201 CVE-2022-39229 CVE-2022-39306 CVE-2022-39307
CVSS scores:	CVE-2022-31123 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L CVE-2022-31123 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2022-31130 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2022-31130 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2022-39201 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2022-39201 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2022-39229 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2022-39229 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2022-39306 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N CVE-2022-39306 ( NVD ): 6.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N CVE-2022-39307 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2022-39307 ( NVD ): 6.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
Affected Products:	SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 SUSE Manager Client Tools for SLE 12

An update that solves six vulnerabilities, contains one feature and has five security fixes can now be installed.

Description:

This update fixes the following issues:

grafana:

• Update to version 8.5.15 (jsc#PED-2617):
• CVE-2022-39306: Fix for privilege escalation (bsc#1205225)
• CVE-2022-39307: Omit error from http response when user does not exists (bsc#1205227)
• Update to version 8.5.14:
• CVE-2022-39201: Fix do not forward login cookie in outgoing requests (bsc#1204303)
• CVE-2022-31130: Make proxy endpoints not leak sensitive HTTP headers (bsc#1204305)
• CVE-2022-31123: Fix plugin signature bypass (bsc#1204302)
• CVE-2022-39229: Fix blocknig other users from signing in (bsc#1204304)

kiwi-desc-saltboot:

• Update to version 0.1.1673279145.e7616bd
• Add failsafe stop file when salt-minion does not stop (bsc#1172110)

mgr-osad:

• Version 4.3.7-1
• Updated logrotate configuration (bsc#1206470)

mgr-push:

• Version 4.3.5-1
• Update translation strings

rhnlib:

• Version 4.3.5-1
• Don't get stuck at the end of SSL transfers (bsc#1204032)

spacecmd:

• Version 4.3.18-1
• Add python-dateutil dependency, required to process date values in spacecmd api calls
• Version 4.3.17-1
• Remove python3-simplejson dependency
• Correctly understand 'ssm' keyword on scap scheduling
• Add vendor_advisory information to errata_details call (bsc#1205207)
• Added two missing options to schedule product migration: allow-vendor-change and remove-products-without-successor (bsc#1204126)
• Changed schedule product migration to use the correct API method
• Change default port of "Containerized Proxy configuration" 8022

spacewalk-client-tools:

• Version 4.3.14-1
• Update translation strings

uyuni-common-libs:

• Version 4.3.7-1
• unify user notification code on java side

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Manager Client Tools for SLE 12
  zypper in -t patch SUSE-SLE-Manager-Tools-12-2023-352=1

Package List:

• SUSE Manager Client Tools for SLE 12 (aarch64 ppc64le s390x x86_64)
  • grafana-8.5.15-1.39.1
  • python2-uyuni-common-libs-4.3.7-1.30.1
• SUSE Manager Client Tools for SLE 12 (noarch)
  • python2-mgr-osad-4.3.7-1.42.1
  • spacecmd-4.3.18-38.115.1
  • python2-spacewalk-check-4.3.14-52.83.1
  • mgr-push-4.3.5-1.24.1
  • python2-spacewalk-client-tools-4.3.14-52.83.1
  • spacewalk-client-setup-4.3.14-52.83.1
  • kiwi-desc-saltboot-0.1.1673279145.e7616bd-1.32.1
  • python2-rhnlib-4.3.5-21.46.1
  • mgr-osad-4.3.7-1.42.1
  • python2-spacewalk-client-setup-4.3.14-52.83.1
  • python2-mgr-push-4.3.5-1.24.1
  • spacewalk-check-4.3.14-52.83.1
  • spacewalk-client-tools-4.3.14-52.83.1
  • python2-mgr-osa-common-4.3.7-1.42.1

References:

• https://www.suse.com/security/cve/CVE-2022-31123.html
• https://www.suse.com/security/cve/CVE-2022-31130.html
• https://www.suse.com/security/cve/CVE-2022-39201.html
• https://www.suse.com/security/cve/CVE-2022-39229.html
• https://www.suse.com/security/cve/CVE-2022-39306.html
• https://www.suse.com/security/cve/CVE-2022-39307.html
• https://bugzilla.suse.com/show_bug.cgi?id=1172110
• https://bugzilla.suse.com/show_bug.cgi?id=1204032
• https://bugzilla.suse.com/show_bug.cgi?id=1204126
• https://bugzilla.suse.com/show_bug.cgi?id=1204302
• https://bugzilla.suse.com/show_bug.cgi?id=1204303
• https://bugzilla.suse.com/show_bug.cgi?id=1204304
• https://bugzilla.suse.com/show_bug.cgi?id=1204305
• https://bugzilla.suse.com/show_bug.cgi?id=1205207
• https://bugzilla.suse.com/show_bug.cgi?id=1205225
• https://bugzilla.suse.com/show_bug.cgi?id=1205227
• https://bugzilla.suse.com/show_bug.cgi?id=1206470
• https://jira.suse.com/browse/PED-2617