Security update for saphanabootstrap-formula

Announcement ID:	SUSE-SU-2023:0011-1
Rating:	important
References:	bsc#1185643 bsc#1205990
Cross-References:	CVE-2022-45153
CVSS scores:	CVE-2022-45153 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2022-45153 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves one vulnerability and has one security fix can now be installed.

Description:

This update for saphanabootstrap-formula fixes the following issues:

• Version bump 0.13.1
• revert changes to spec file to re-enable SLES RPM builds

• CVE-2022-45153: Fixed privilege escalation for arbitrary users in hana/ha_cluster.sls (bsc#1205990)

• Version bump 0.13.0

• pass sid to sudoers in a SLES12 compatible way

• add location constraint to gcp_stonith

• Version bump 0.12.1

• moved templates dir into hana dir in repository to be gitfs compatible

• Version bump 0.12.0

• add SAPHanaSR takeover blocker

• Version bump 0.11.0

• use check_cmd instead of tmp sudoers file
• make sudoers rules more secure

• migrate sudoers to template file

• Version bump 0.10.1

• fix hook removal conditions

• fix majority_maker code on case grain is empty

• Version bump 0.10.0

• allow to disable shared HANA basepath and rework add_hosts code (enables HANA scale-out on AWS)

• do not edit global.ini directly (if not needed)

• Version bump 0.9.1

• fix majority_maker code on case grain is empty

• Version bump 0.9.0

• define vip_mechanism for every provider and reorder resources (same schema for all SAP related formulas)

• Version bump 0.8.1

• use multi-target Hook on HANA scale-out

• Version bump 0.8.0

• add HANA scale-out support

• add idempotence to not affect a running HANA and cluster

• Version bump 0.7.2

• add native fencing for microsoft-azure

• fixes a not working import of dbapi in SUSE/ha-sap-terraform-deployments#703

• removes the installation and extraction of all hdbcli files in the /hana/shared/srHook directory
• fixes execution order of srTakeover/srCostOptMemConfig hook

• renames and updates hook srTakeover to srCostOptMemConfig

• Changing exporter stickiness to => 0 and adjusting the colocation score from +inf to -inf and changing the colocation from Master to Slave. This change fix the impact of a failed exporter in regards to the HANA DB.

• Document extra_parameters in pillar.example (bsc#1185643)

• Change hanadb_exporter default timeout value to 30 seconds

• Set correct stickiness for the azure-lb resource The azure-lb resource receives an stickiness=0 to not influence on transitions calculations as the HANA resources have more priority

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server for SAP Applications 12 SP4
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2023-11=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5
  zypper in -t patch SUSE-SLE-SAP-12-SP5-2023-11=1

Package List:

• SUSE Linux Enterprise Server for SAP Applications 12 SP4 (noarch)
  • saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-4.18.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5 (noarch)
  • saphanabootstrap-formula-0.13.1+git.1667812208.4db963e-4.18.1

References:

• https://www.suse.com/security/cve/CVE-2022-45153.html
• https://bugzilla.suse.com/show_bug.cgi?id=1185643
• https://bugzilla.suse.com/show_bug.cgi?id=1205990