Security update for SUSE Manager Client Tools

Announcement ID:	SUSE-SU-2024:4019-1
Release Date:	2024-11-18T13:24:46Z
Rating:	important
References:	bsc#1213933 bsc#1223142 bsc#1226759 bsc#1227341 bsc#1227578 bsc#1227606 bsc#1228424 bsc#1228685 bsc#1229108 bsc#1229432 bsc#1229437 bsc#1229501 bsc#1230136 bsc#1230139 bsc#1230285 bsc#1230288 bsc#1230745 bsc#1231157 bsc#1231206 jsc#ECO-3319 jsc#MSQA-863
Cross-References:	CVE-2023-3978
CVSS scores:	CVE-2023-3978 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2023-3978 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products:	SUSE Manager Client Tools for RHEL, Liberty and Clones 9

An update that solves one vulnerability, contains two features and has 18 security fixes can now be installed.

Description:

This update fixes the following issues:

golang-github-lusitaniae-apache_exporter was updated from version 1.0.1 to 1.0.8:

• Security issues fixed:

• CVE-2023-3978: Fixed security bug in x/net dependency in version 1.0.2 (bsc#1213933)

• Bugs fixed:

• Require Go 1.20 when building for RedHat derivatives

• Version 1.0.8 (bsc#1227341):

  • Update prometheus/client_golang to version 1.19.1
  • Update x/net to version 0.23.0

• Version 1.0.7:

  • Update protobuf to version 1.33.0
  • Update prometheus/client_golang to version 1.19.0
  • Update prometheus/common to version 0.46.0
  • Standardize landing page

• Version 1.0.6:

  • Update prometheus/exporter-toolkit to version 0.11.0
  • Update prometheus/client_golang to version 1.18.0
  • Added User-Agent header

• Version 1.0.4:

  • Update x/crypto to version 0.17.0
  • Update alecthomas/kingpin/v2 to version 2.4.0
  • Update prometheus/common to version 0.45.0

• Version 1.0.3:

  • Update prometheus/client_golang to version 1.17.0
  • Update x/net 0.17.0

• Version 1.0.1:

  • Update prometheus/exporter-toolkit to version 0.10.0
  • Update prometheus/common to version 0.44.0
  • Update prometheus/client_golang to version 1.16.0

scap-security-guide was updated from version 0.1.73 to 0.1.74:

• Version 0.1.74 (jsc#ECO-3319):

• Added Amazon Linux 2023 product

• Introduce new remediation type Kickstart
• Make PAM macros more flexible to variables
• Remove Debian 10 Product
• Remove Red Hat Enterprise Linux 7 product
• Update CIS RHEL9 control file to v2.0.0

spacecmd was updated from version 5.0.9-0 to 5.0.10-0:

• Version 5.0.10-0:

• Speed up softwarechannel_removepackages (bsc#1227606)

• Fixed error in 'kickstart_delete' when using wildcards (bsc#1227578)
• Spacecmd bootstrap now works with specified port (bsc#1229437)
• Fixed sls backup creation as directory with spacecmd (bsc#1230745)

uyuni-tools was updated from version 0.1.21-0 to 0.1.23-0:

• Version 0.1.23-0:

• Ensure namespace is defined in all kubernetes commands

• Use SCC credentials to authenticate against registry.suse.com for kubernetes (bsc#1231157)

• Fixed namespace usage on mgrctl cp command

• Version 0.1.22-0:

• Set projectId also for test packages/images

• mgradm migration should not pull Confidential Computing and Hub image is replicas == 0 (bsc#1229432, bsc#1230136)
• Do not allow SUSE Manager downgrade
• Prevent completion issue when /var/log/uyuni-tools.log is missing
• Fixed proxy shared volume flag
• During migration, exclude mgr-sync configuration file (bsc#1228685)
• Migrate from PostgreSQL 14 to PostgreSQL 16 pg_hba.conf and postgresql.conf files (bsc#1231206)
• During migration, handle empty autoinstallation path (bsc#1230285)
• During migration, handle symlinks (bsc#1230288)
• During migration, trust the remote sender's file list (bsc#1228424)
• Use SCC flags during podman pull
• Restore SELinux permission after migration (bsc#1229501)
• Share volumes between containers (bsc#1223142)
• Save supportconfig in current directory (bsc#1226759)
• Fixed error code handling on reinstallation (bsc#1230139)
• Fixed creation of first user and organization
• Added missing variable quotes for install vars (bsc#1229108)
• Added API login and logout calls to allow persistent login

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Manager Client Tools for RHEL, Liberty and Clones 9
  zypper in -t patch SUSE-EL-9-CLIENT-TOOLS-2024-4019=1

Package List:

• SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (aarch64 ppc64le s390x x86_64)
  • mgrctl-0.1.23-1.11.1
  • golang-github-lusitaniae-apache_exporter-1.0.8-1.14.1
  • mgrctl-debuginfo-0.1.23-1.11.1
• SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (noarch)
  • mgrctl-bash-completion-0.1.23-1.11.1
  • mgrctl-zsh-completion-0.1.23-1.11.1
  • spacecmd-5.0.10-1.41.1
  • scap-security-guide-redhat-0.1.74-1.29.1

References:

• https://www.suse.com/security/cve/CVE-2023-3978.html
• https://bugzilla.suse.com/show_bug.cgi?id=1213933
• https://bugzilla.suse.com/show_bug.cgi?id=1223142
• https://bugzilla.suse.com/show_bug.cgi?id=1226759
• https://bugzilla.suse.com/show_bug.cgi?id=1227341
• https://bugzilla.suse.com/show_bug.cgi?id=1227578
• https://bugzilla.suse.com/show_bug.cgi?id=1227606
• https://bugzilla.suse.com/show_bug.cgi?id=1228424
• https://bugzilla.suse.com/show_bug.cgi?id=1228685
• https://bugzilla.suse.com/show_bug.cgi?id=1229108
• https://bugzilla.suse.com/show_bug.cgi?id=1229432
• https://bugzilla.suse.com/show_bug.cgi?id=1229437
• https://bugzilla.suse.com/show_bug.cgi?id=1229501
• https://bugzilla.suse.com/show_bug.cgi?id=1230136
• https://bugzilla.suse.com/show_bug.cgi?id=1230139
• https://bugzilla.suse.com/show_bug.cgi?id=1230285
• https://bugzilla.suse.com/show_bug.cgi?id=1230288
• https://bugzilla.suse.com/show_bug.cgi?id=1230745
• https://bugzilla.suse.com/show_bug.cgi?id=1231157
• https://bugzilla.suse.com/show_bug.cgi?id=1231206
• https://jira.suse.com/browse/ECO-3319
• https://jira.suse.com/browse/MSQA-863