Security update for SUSE Manager Client Tools

Announcement ID:	SUSE-SU-2024:0486-1
Rating:	moderate
References:	bsc#1192154 bsc#1192696 bsc#1193492 bsc#1193686 bsc#1200480 bsc#1204023 bsc#1218838 bsc#1218843 bsc#1218844 jsc#MSQA-719 jsc#PED-7353
Cross-References:	CVE-2020-7753 CVE-2021-3807 CVE-2021-3918 CVE-2021-43138 CVE-2021-43798 CVE-2021-43815 CVE-2022-0155 CVE-2022-41715 CVE-2023-40577
CVSS scores:	CVE-2020-7753 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-3807 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-3807 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-3807 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-3918 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3918 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-43138 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-43138 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-43798 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-43798 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-43815 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2021-43815 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2022-0155 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2022-41715 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-41715 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-40577 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2023-40577 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:	SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 SUSE Manager Client Tools for SLE 12

An update that solves nine vulnerabilities and contains two features can now be installed.

Description:

This update fixes the following issues:

golang-github-lusitaniae-apache_exporter:

• Do not strip if SUSE Linux Enterprise 15 SP3
• Exclude debug for Red Hat Enterprise Linux >= 8
• Build with Go >= 1.20 when the OS is not Red Hat Enterprise Linux

golang-github-prometheus-alertmanager:

• Create position independent executables (PIE)
• Add System/Monitoring group tag
• Update to version 0.26.0 (jsc#PED-7353): https://github.com/prometheus/alertmanager/releases/tag/v0.26.0
• CVE-2023-40577: Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI (bsc#1218838)
• Configuration: Fix empty list of receivers and inhibit_rules would cause the alertmanager to crash
• Templating: Fixed a race condition when using the title function. It is now race-safe
• API: Fixed duplicate receiver names in the api/v2/receivers API endpoint
• API: Attempting to delete a silence now returns the correct status code, 404 instead of 500
• Clustering: Fixes a panic when tls_client_config is empty
• Webhook: url is now marked as a secret. It will no longer show up in the logs as clear-text
• Metrics: New label reason for alertmanager_notifications_failed_total metric to indicate the type of error of the alert delivery
• Clustering: New flag --cluster.label, to help to block any traffic that is not meant for the cluster
• Integrations: Add Microsoft Teams as a supported integration
• Update to version 0.25.0: https://github.com/prometheus/alertmanager/releases/tag/v0.25.0
• Fail configuration loading if api_key and api_key_file are defined at the same time
• Fix the alertmanager_alerts metric to avoid counting resolved alerts as active. Also added a new alertmanager_marked_alerts metric that retain the old behavior
• Trim contents of Slack API URLs when reading from files
• amtool: Avoid panic when the label value matcher is empty
• Fail configuration loading if api_url is empty for OpsGenie
• Fix email template for resolved notifications
• Add proxy_url support for OAuth2 in HTTP client configuration
• Reload TLS certificate and key from disk when updated
• Add Discord integration
• Add Webex integration
• Add min_version support to select the minimum TLS version in HTTP client configuration
• Add max_version support to select the maximum TLS version in
• Emit warning logs when truncating messages in notifications
• Support HEAD method for the /-/healty and /-/ready endpoints
• Add support for reading global and local SMTP passwords from files
• UI: Add 'Link' button to alerts in list
• UI: Allow to choose the first day of the week as Sunday or Monday
• Update to version 0.24.0: https://github.com/prometheus/alertmanager/releases/tag/v0.24.0
• Fix HTTP client configuration for the SNS receiver
• Fix unclosed file descriptor after reading the silences snapshot file
• Fix field names for mute_time_intervals in JSON marshaling
• Ensure that the root route doesn't have any matchers
• Truncate the message's title to 1024 chars to avoid hitting Slack limits
• Fix the default HTML email template (email.default.html) to match with the canonical source
• Detect SNS FIFO topic based on the rendered value
• Avoid deleting and recreating a silence when an update is possible
• api/v2: Return 200 OK when deleting an expired silence
• amtool: Fix the silence's end date when adding a silence. The end date is (start date + duration) while it used to be (current time + duration). The new behavior is consistent with the update operation
• Add the /api/v2 prefix to all endpoints in the OpenAPI specification and generated client code
• Add --cluster.tls-config experimental flag to secure cluster traffic via mutual TLS
• Add Telegram integration

mgr-daemon:

• Version 4.3.8-1
• Update translation strings

prometheus-postgres_exporter:

• Remove duplicated call to systemd requirements
• Do not build debug if Red Hat Enterprise Linux >= 8
• Do not strip if SUSE Linux Enterprise 15 SP3
• Build at least with with Go >= 1.18 on Red Hat Enterprise Linux
• Build with Go >= 1.20 elsewhere

spacecmd:

• Version 4.3.26-1
• Update translation strings

spacewalk-client-tools:

• Version 4.3.18-1
• Update translation strings

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Manager Client Tools for SLE 12
  zypper in -t patch SUSE-SLE-Manager-Tools-12-2024-486=1

Package List:

• SUSE Manager Client Tools for SLE 12 (aarch64 ppc64le s390x x86_64)
  • prometheus-postgres_exporter-0.10.1-1.17.2
  • golang-github-prometheus-alertmanager-0.26.0-1.24.2
  • golang-github-lusitaniae-apache_exporter-1.0.0-1.21.2
  • golang-github-prometheus-prometheus-2.45.0-1.50.2
  • grafana-9.5.8-1.60.1
• SUSE Manager Client Tools for SLE 12 (noarch)
  • spacewalk-client-setup-4.3.18-52.95.2
  • mgr-daemon-4.3.8-1.44.2
  • python2-spacewalk-client-setup-4.3.18-52.95.2
  • spacewalk-client-tools-4.3.18-52.95.2
  • spacecmd-4.3.26-38.136.2
  • python2-spacewalk-client-tools-4.3.18-52.95.2
  • python2-spacewalk-check-4.3.18-52.95.2
  • spacewalk-check-4.3.18-52.95.2

References:

• https://www.suse.com/security/cve/CVE-2020-7753.html
• https://www.suse.com/security/cve/CVE-2021-3807.html
• https://www.suse.com/security/cve/CVE-2021-3918.html
• https://www.suse.com/security/cve/CVE-2021-43138.html
• https://www.suse.com/security/cve/CVE-2021-43798.html
• https://www.suse.com/security/cve/CVE-2021-43815.html
• https://www.suse.com/security/cve/CVE-2022-0155.html
• https://www.suse.com/security/cve/CVE-2022-41715.html
• https://www.suse.com/security/cve/CVE-2023-40577.html
• https://bugzilla.suse.com/show_bug.cgi?id=1192154
• https://bugzilla.suse.com/show_bug.cgi?id=1192696
• https://bugzilla.suse.com/show_bug.cgi?id=1193492
• https://bugzilla.suse.com/show_bug.cgi?id=1193686
• https://bugzilla.suse.com/show_bug.cgi?id=1200480
• https://bugzilla.suse.com/show_bug.cgi?id=1204023
• https://bugzilla.suse.com/show_bug.cgi?id=1218838
• https://bugzilla.suse.com/show_bug.cgi?id=1218843
• https://bugzilla.suse.com/show_bug.cgi?id=1218844
• https://jira.suse.com/browse/MSQA-719
• https://jira.suse.com/browse/PED-7353