Security update for SUSE Manager Client Tools
| Announcement ID: | SUSE-SU-2019:2317-1 |
|---|---|
| Rating: | moderate |
| References: | |
| Cross-References: | |
| CVSS scores: |
|
| Affected Products: |
|
An update that solves one vulnerability and has 17 security fixes can now be installed.
Description:
This update fixes the following issues:
golang-github-prometheus-prometheus:
- Add support for Uyuni/SUSE Manager service discovery
- Added 0003-Add-Uyuni-service-discovery
- Readded _service file removed in error.
- Update to 2.11.1
- Bug Fix:
- Fix potential panic when prometheus is watching multiple zookeeper paths.
- Update to 2.11.0
- Bug Fix:
- resolve race condition in maxGauge.
- Fix ZooKeeper connection leak.
- Improved atomicity of .tmp block replacement during compaction for usual case.
- Fix "unknown series references" after clean shutdown.
- Re-calculate block size when calling block.Delete.
- Fix unsafe snapshots with head block.
- prometheus_tsdb_compactions_failed_total is now incremented on any compaction failure.
- Changes:
- Remove max_retries from queue_config (it has been unused since rewriting remote-write to utilize the write-ahead-log)
- The meta file BlockStats no longer holds size information. This is now dynamically calculated and kept in memory. It also includes the meta file size which was not included before
- Renamed metric from prometheus_tsdb_wal_reader_corruption_errors to prometheus_tsdb_wal_reader_corruption_errors_total
- Features:
- Add option to use Alertmanager API v2.
- Added humanizePercentage function for templates.
- Include InitContainers in Kubernetes Service Discovery.
- Provide option to compress WAL records using Snappy.
- Enhancements:
- Create new clean segment when starting the WAL.
- Reduce allocations in PromQL aggregations.
- Add storage warnings to LabelValues and LabelNames API results.
- Add prometheus_http_requests_total metric.
- Enable openbsd/arm build.
- Remote-write allocation improvements.
- Query performance improvement: Efficient iteration and search in HashForLabels and HashWithoutLabels.
- Allow injection of arbitrary headers in promtool.
- Allow passing external_labels in alert unit tests groups.
- Allows globs for rules when unit testing.
- Improved postings intersection matching.
- Reduced disk usage for WAL for small setups.
- Optimize queries using regexp for set lookups.
- Rebase patch002-Default-settings.patch
- Update to 2.10.0:
- Bug Fixes:
- TSDB: Don't panic when running out of disk space and recover nicely from the condition
- TSDB: Correctly handle empty labels.
- TSDB: Don't crash on an unknown tombstone reference.
- Storage/remote: Remove queue-manager specific metrics if queue no longer exists.
- PromQL: Correctly display {name="a"}.
- Discovery/kubernetes: Use service rather than ingress as the name for the service workqueue.
- Discovery/azure: Don't panic on a VM with a public IP.
- Web: Fixed Content-Type for js and css instead of using /etc/mime.types.
- API: Encode alert values as string to correctly represent Inf/NaN.
- Features:
- Template expansion: Make external labels available as $externalLabels in alert and console template expansion.
- TSDB: Add prometheus_tsdb_wal_segment_current metric for the WAL segment index that TSDB is currently writing to. tsdb
- Scrape: Add scrape_series_added per-scrape metric. #5546
- Enhancements
- Discovery/kubernetes: Add labels __meta_kubernetes_endpoint_node_name and __meta_kubernetes_endpoint_hostname.
- Discovery/azure: Add label __meta_azure_machine_public_ip.
- TSDB: Simplify mergedPostings.Seek, resulting in better performance if there are many posting lists. tsdb
- Log filesystem type on startup.
- Cmd/promtool: Use POST requests for Query and QueryRange. client_golang
- Web: Sort alerts by group name.
- Console templates: Add convenience variables $rawParams, $params, $path.
- Upadte to 2.9.2
- Bug Fixes:
- Make sure subquery range is taken into account for selection
- Exhaust every request body before closing it
- Cmd/promtool: return errors from rule evaluations
- Remote Storage: string interner should not panic in release
- Fix memory allocation regression in mergedPostings.Seek tsdb
- Update to 2.9.1
- Bug Fixes:
- Discovery/kubernetes: fix missing label sanitization
- Remote_write: Prevent reshard concurrent with calling stop
- Update to 2.9.0
- Feature:
- Add honor_timestamps scrape option.
- Enhancements:
- Update Consul to support catalog.ServiceMultipleTags.
- Discovery/kubernetes: add present labels for labels/annotations.
- OpenStack SD: Add ProjectID and UserID meta labels.
- Add GODEBUG and retention to the runtime page.
- Add support for POSTing to /series endpoint.
- Support PUT methods for Lifecycle and Admin APIs.
- Scrape: Add global jitter for HA server.
- Check for cancellation on every step of a range evaluation.
- String interning for labels & values in the remote_write path.
- Don't lose the scrape cache on a failed scrape.
- Reload cert files from disk automatically. common
- Use fixed length millisecond timestamp format for logs. common
- Performance improvements for postings. Bug Fixes:
- Remote Write: fix checkpoint reading.
- Check if label value is valid when unmarshaling external labels from YAML.
- Promparse: sort all labels when parsing.
- Reload rules: copy state on both name and labels.
- Exponentation operator to drop metric name in result of operation.
- Config: resolve more file paths.
- Promtool: resolve relative paths in alert test files.
- Set TLSHandshakeTimeout in HTTP transport. common
- Use fsync to be more resilient to machine crashes.
- Keep series that are still in WAL in checkpoints.
- Update to 2.8.1
- Bug Fixes
- Display the job labels in /targets which was removed accidentally
- Update to 2.8.0
- Change:
- This release uses Write-Ahead Logging (WAL) for the remote_write API. This currently causes a slight increase in memory usage, which will be addressed in future releases.
- Default time retention is used only when no size based retention is specified. These are flags where time retention is specified by the flag --storage.tsdb.retention and size retention by --storage.tsdb.retention.size.
- prometheus_tsdb_storage_blocks_bytes_total is now prometheus_tsdb_storage_blocks_bytes.
- Feature:
- (EXPERIMENTAL) Time overlapping blocks are now allowed; vertical compaction and vertical query merge. It is an optional feature which is controlled by the --storage.tsdb.allow-overlapping-blocks flag, disabled by default.
- Enhancements:
- Use the WAL for remote_write API.
- Query performance improvements.
- UI enhancements with upgrade to Bootstrap 4.
- Reduce time that Alertmanagers are in flux when reloaded.
- Limit number of metrics displayed on UI to 10000.
- (1) Remember All/Unhealthy choice on target-overview when reloading page. (2) Resize text-input area on Graph page on mouseclick.
- In histogram_quantile merge buckets with equivalent le values.
- Show list of offending labels in the error message in many-to-many scenarios.
- Show Storage Retention criteria in effect on /status page.
- Bug Fixes:
- Fix sorting of rule groups.
- Fix support for password_file and bearer_token_file in Kubernetes SD.
- Scrape: catch errors when creating HTTP clients
- Adds new metrics: prometheus_target_scrape_pools_total prometheus_target_scrape_pools_failed_total prometheus_target_scrape_pool_reloads_total prometheus_target_scrape_pool_reloads_failed_total
- Fix panic when aggregator param is not a literal.
mgr-cfg:
- Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)
mgr-daemon:
- Fix systemd timer configuration on SLE12 (bsc#1142038)
mgr-osad:
- Fix obsolete for old osad packages, to allow installing mgr-osad even by using osad at yum/zyppper install (bsc#1139453)
- Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)
mgr-virtualization:
- Fix missing python 3 ugettext (bsc#1138494)
- Fix package dependencies to prevent file conflict (bsc#1143856)
rhnlib:
- Add SNI support for clients
- Fix initialize ssl connection (bsc#1144155)
- Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)
spacecmd:
- Bugfix: referenced variable before assignment.
- Bugfix: 'dict' object has no attribute 'iteritems' (bsc#1135881)
- Add unit tests for custominfo, snippet, scap, ssm, cryptokey and distribution
- Fix missing runtime dependencies that made spacecmd return old versions of packages in some cases, even if newer ones were available (bsc#1148311)
spacewalk-backend:
- Do not overwrite comps and module data with older versions
- Fix issue with "dists" keyword in url hostname
- Import packages from all collections of a patch not just first one
- Ensure bytes type when using hashlib to avoid traceback on XMLRPC call to "registration.register_osad" (bsc#1138822)
- Do not duplicate "http://" protocol when using proxies with "deb" repositories (bsc#1138313)
- Fix reposync when dealing with RedHat CDN (bsc#1138358)
- Fix for CVE-2019-10136. An attacker with a valid, but expired, authenticated set of headers could move some digits around, artificially extending the session validity without modifying the checksum. (bsc#1136480)
- Prevent FileNotFoundError: repomd.xml.key traceback (bsc#1137940)
- Add journalctl output to spacewalk-debug tarballs
- Prevent unnecessary triggering of channel-repodata tasks when GPG signing is disabled (bsc#1137715)
- Fix spacewalk-repo-sync for Ubuntu repositories in mirror case (bsc#1136029)
- Add support for ULN repositories on new Zypper based reposync.
- Don't skip Deb package tags on package import (bsc#1130040)
- For backend-libs subpackages, exclude files for the server (already part of spacewalk-backend) to avoid conflicts (bsc#1148125)
- prevent duplicate key violates on repo-sync with long changelog entries (bsc#1144889)
spacewalk-remote-utils:
- Add RHEL8
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
SUSE Manager Client Tools for SLE 15
zypper in -t patch SUSE-SLE-Manager-Tools-15-2019-2317=1
Package List:
-
SUSE Manager Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64)
- golang-github-prometheus-alertmanager-0.16.2-3.3.1
- golang-github-prometheus-prometheus-2.11.1-3.6.2
-
SUSE Manager Client Tools for SLE 15 (noarch)
- mgr-osad-4.0.9-1.6.2
- mgr-cfg-actions-4.0.9-1.6.5
- python3-mgr-cfg-4.0.9-1.6.5
- python3-rhnlib-4.0.11-3.10.1
- mgr-cfg-client-4.0.9-1.6.5
- python3-mgr-osa-common-4.0.9-1.6.2
- python3-mgr-osad-4.0.9-1.6.2
- python3-spacewalk-backend-libs-4.0.25-3.23.1
- spacewalk-remote-utils-4.0.5-3.9.2
- mgr-cfg-management-4.0.9-1.6.5
- mgr-virtualization-host-4.0.8-1.8.4
- python3-mgr-cfg-actions-4.0.9-1.6.5
- mgr-daemon-4.0.7-1.8.1
- mgr-cfg-4.0.9-1.6.5
- spacecmd-4.0.14-3.26.1
- python3-mgr-virtualization-common-4.0.8-1.8.4
- python3-mgr-virtualization-host-4.0.8-1.8.4
- python3-mgr-cfg-client-4.0.9-1.6.5
- python3-mgr-cfg-management-4.0.9-1.6.5
References:
- https://www.suse.com/security/cve/CVE-2019-10136.html
- https://bugzilla.suse.com/show_bug.cgi?id=1130040
- https://bugzilla.suse.com/show_bug.cgi?id=1135881
- https://bugzilla.suse.com/show_bug.cgi?id=1136029
- https://bugzilla.suse.com/show_bug.cgi?id=1136480
- https://bugzilla.suse.com/show_bug.cgi?id=1137715
- https://bugzilla.suse.com/show_bug.cgi?id=1137940
- https://bugzilla.suse.com/show_bug.cgi?id=1138313
- https://bugzilla.suse.com/show_bug.cgi?id=1138358
- https://bugzilla.suse.com/show_bug.cgi?id=1138494
- https://bugzilla.suse.com/show_bug.cgi?id=1138822
- https://bugzilla.suse.com/show_bug.cgi?id=1139453
- https://bugzilla.suse.com/show_bug.cgi?id=1142038
- https://bugzilla.suse.com/show_bug.cgi?id=1143856
- https://bugzilla.suse.com/show_bug.cgi?id=1144155
- https://bugzilla.suse.com/show_bug.cgi?id=1144889
- https://bugzilla.suse.com/show_bug.cgi?id=1148125
- https://bugzilla.suse.com/show_bug.cgi?id=1148177
- https://bugzilla.suse.com/show_bug.cgi?id=1148311