Security update for SUSE Manager Client Tools

Announcement ID: SUSE-SU-2021:2675-1
Rating: moderate
CVSS scores:
  • CVE-2021-27962 ( SUSE ): 6.8 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2021-27962 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
  • CVE-2021-28146 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • CVE-2021-28147 ( SUSE ): 6.8 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CVE-2021-28147 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • CVE-2021-28148 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-28148 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-29622 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products:
  • openSUSE Leap 15.3
  • openSUSE Leap 15.4
  • openSUSE Leap 15.5
  • SUSE Linux Enterprise Desktop 15
  • SUSE Linux Enterprise Desktop 15 SP1
  • SUSE Linux Enterprise Desktop 15 SP2
  • SUSE Linux Enterprise Desktop 15 SP3
  • SUSE Linux Enterprise Desktop 15 SP4
  • SUSE Linux Enterprise Desktop 15 SP5
  • SUSE Linux Enterprise Desktop 15 SP6
  • SUSE Linux Enterprise High Performance Computing 15
  • SUSE Linux Enterprise High Performance Computing 15 SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP2
  • SUSE Linux Enterprise High Performance Computing 15 SP3
  • SUSE Linux Enterprise High Performance Computing 15 SP4
  • SUSE Linux Enterprise High Performance Computing 15 SP5
  • SUSE Linux Enterprise High Performance Computing 15 SP6
  • SUSE Linux Enterprise Real Time 15 SP1
  • SUSE Linux Enterprise Real Time 15 SP2
  • SUSE Linux Enterprise Real Time 15 SP3
  • SUSE Linux Enterprise Real Time 15 SP4
  • SUSE Linux Enterprise Real Time 15 SP5
  • SUSE Linux Enterprise Server 15
  • SUSE Linux Enterprise Server 15 SP1
  • SUSE Linux Enterprise Server 15 SP2
  • SUSE Linux Enterprise Server 15 SP3
  • SUSE Linux Enterprise Server 15 SP4
  • SUSE Linux Enterprise Server 15 SP5
  • SUSE Linux Enterprise Server 15 SP6
  • SUSE Linux Enterprise Server for SAP Applications 15
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4
  • SUSE Linux Enterprise Server for SAP Applications 15 SP5
  • SUSE Linux Enterprise Server for SAP Applications 15 SP6
  • SUSE Manager Client Tools for SLE 15

An update that solves five vulnerabilities, contains one feature and has one security fix can now be installed.

Description:

This update fixes the following issues:

ansible:

  • The support level for ansible is l2, not l3

dracut-saltboot:

  • Force installation of libexpat.so.1 (bsc#1188846)
  • Use kernel parameters from PXE formula also for local boot

golang-github-prometheus-prometheus:

  • Provide and reload firewalld configuration only for:
    • openSUSE Leap 15.0, 15.1, 15.2
    • SUSE Linux Enterprise 15, 15 SP1, 15 SP2
  • Upgrade to upstream version 2.27.1 (jsc#SLE-18254)
  • Bugfix:
    • SECURITY: Fix arbitrary redirects under the /new endpoint (CVE-2021-29622, bsc#1186242)
    • UI: Provide errors instead of blank page on TSDB Status Page. #8654 #8659
    • TSDB: Do not panic when writing very large records to the WAL. #8790
    • TSDB: Avoid panic when mmaped memory is referenced after the file is closed. #8723
    • Scaleway Discovery: Fix nil pointer dereference. #8737
    • Consul Discovery: Restart no longer required after config update with no targets. #8766
  • Features:
    • Promtool: Retroactive rule evaluation functionality.
    • Configuration: Environment variable expansion for external labels. Behind '--enable-feature=expand-external-labels' flag.
    • Add a flag '--storage.tsdb.max-block-chunk-segment-size' to control the max chunks file size of the blocks for small Prometheus instances.
    • UI: Add a dark theme.
    • AWS Lightsail Discovery: Add AWS Lightsail Discovery.
    • Docker Discovery: Add Docker Service Discovery.
    • OAuth: Allow OAuth 2.0 to be used anywhere an HTTP client is used.
    • Remote Write: Send exemplars via remote write. Experimental and disabled by default.
  • Enhancements:
    • Digital Ocean Discovery: Add '__meta_digitalocean_vpc' label.
    • Scaleway Discovery: Read Scaleway secret from a file.
    • Scrape: Add configurable limits for label size and count.
    • UI: Add 16w and 26w time range steps.
    • Templating: Enable parsing strings in humanize functions.
  • Update package with changes from server:monitoring (bsc#1175478). Removal of the 'firewalld'-related configuration files was left out, as SUSE Linux Enterprise 15-SP1's firewalld package does not contain 'prometheus' configuration yet.

mgr-cfg:

  • No visible impact for the user

mgr-custom-info:

  • No visible impact for the user

mgr-osad:

  • No visible impact for the user

mgr-push:

  • No visible impact for the user

mgr-virtualization:

  • No visible impact for the user

rhnlib:

  • No visible impact for the user

spacecmd:

  • Make spacecmd aware of retracted patches/packages
  • Enhance help for installation types when creating distributions (bsc#1186581)
  • Parse an empty argument when there is nothing between separators

spacewalk-client-tools:

  • Update translation strings

spacewalk-koan:

  • Fix for spacewalk-koan tests after switching to the new Docker images

spacewalk-oscap:

  • No visible impact for the user

suseRegisterInfo:

  • No visible impact for the user

uyuni-common-libs:

  • Handle broken RPM packages to prevent exceptions causing failures during repository synchronization (bsc#1186650)
  • The Maintainer field in Debian packages is only recommended (bsc#1186508)

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Manager Client Tools for SLE 15
    zypper in -t patch SUSE-SLE-Manager-Tools-15-2021-2675=1

Package List:

  • SUSE Manager Client Tools for SLE 15 (noarch)
    • mgr-custom-info-4.2.2-1.12.1
    • ansible-2.9.21-1.5.1
    • python3-mgr-osad-4.2.6-1.30.1
    • spacewalk-client-setup-4.2.12-3.44.1
    • python3-spacewalk-check-4.2.12-3.44.1
    • mgr-cfg-4.2.3-1.18.1
    • python3-mgr-virtualization-common-4.2.2-1.20.1
    • mgr-cfg-actions-4.2.3-1.18.1
    • python3-mgr-cfg-client-4.2.3-1.18.1
    • mgr-cfg-management-4.2.3-1.18.1
    • python3-spacewalk-oscap-4.2.2-3.12.1
    • suseRegisterInfo-4.2.4-3.15.1
    • python3-mgr-cfg-actions-4.2.3-1.18.1
    • python3-suseRegisterInfo-4.2.4-3.15.1
    • python3-spacewalk-client-tools-4.2.12-3.44.1
    • python3-mgr-cfg-management-4.2.3-1.18.1
    • python3-mgr-cfg-4.2.3-1.18.1
    • mgr-cfg-client-4.2.3-1.18.1
    • spacewalk-oscap-4.2.2-3.12.1
    • spacecmd-4.2.11-3.62.1
    • spacewalk-client-tools-4.2.12-3.44.1
    • python3-mgr-push-4.2.3-1.12.1
    • python3-spacewalk-client-setup-4.2.12-3.44.1
    • python3-rhnlib-4.2.4-3.28.1
    • dracut-saltboot-0.1.1627546504.96a0b3e-1.27.1
    • mgr-osad-4.2.6-1.30.1
    • mgr-push-4.2.3-1.12.1
    • python3-mgr-osa-common-4.2.6-1.30.1
    • spacewalk-check-4.2.12-3.44.1
    • python3-spacewalk-koan-4.2.4-3.21.1
    • spacewalk-koan-4.2.4-3.21.1
    • ansible-doc-2.9.21-1.5.1
    • python3-mgr-virtualization-host-4.2.2-1.20.1
    • mgr-virtualization-host-4.2.2-1.20.1
  • SUSE Manager Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64)
    • python3-uyuni-common-libs-4.2.5-1.15.1
    • golang-github-prometheus-prometheus-2.27.1-3.31.1
