SUSE-SU-2019:2312-1: moderate: Security update for SUSE Manager Client Tools

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Thu Sep 5 13:15:53 MDT 2019


   SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:2312-1
Rating:             moderate
References:         #1130040 #1135881 #1136029 #1136480 #1136667 
                    #1137715 #1137940 #1138313 #1138358 #1138494 
                    #1138822 #1139453 #1142038 #1143856 #1144155 
                    #1144889 #1148125 #1148177 #1148311 
Cross-References:   CVE-2019-10136
Affected Products:
                    SUSE Manager Tools 12
______________________________________________________________________________

   An update that solves one vulnerability and has 18 fixes is
   now available.

Description:


   This update fixes the following issues:

   golang-github-prometheus-prometheus:

   - Add support for Uyuni/SUSE Manager service discovery
     + Added 0003-Add-Uyuni-service-discovery
   - Readded _service file removed in error.
   - Update to 2.11.1
     + Bug Fix:
       * Fix potential panic when prometheus is watching multiple zookeeper
         paths.
   - Update to 2.11.0
     + Bug Fix:
       * resolve race condition in maxGauge.
       * Fix ZooKeeper connection leak.
       * Improved atomicity of .tmp block replacement during compaction for
         usual case.
       * Fix "unknown series references" after clean shutdown.
       * Re-calculate block size when calling block.Delete.
       * Fix unsafe snapshots with head block.
       * prometheus_tsdb_compactions_failed_total is now incremented on any
         compaction failure.
     + Changes:
       * Remove max_retries from queue_config (it has been unused since
         rewriting remote-write to utilize the write-ahead-log)
       * The meta file BlockStats no longer holds size information. This is
         now dynamically calculated and kept in memory. It also includes the
         meta file size which was not included before
       * Renamed metric from prometheus_tsdb_wal_reader_corruption_errors to
         prometheus_tsdb_wal_reader_corruption_errors_total
     + Features:
       * Add option to use Alertmanager API v2.
       * Added humanizePercentage function for templates.
       * Include InitContainers in Kubernetes Service Discovery.
       * Provide option to compress WAL records using Snappy.
     + Enhancements:
       * Create new clean segment when starting the WAL.
       * Reduce allocations in PromQL aggregations.
       * Add storage warnings to LabelValues and LabelNames API results.
       * Add prometheus_http_requests_total metric.
       * Enable openbsd/arm build.
       * Remote-write allocation improvements.
       * Query performance improvement: Efficient iteration and search in
         HashForLabels and HashWithoutLabels.
       * Allow injection of arbitrary headers in promtool.
       * Allow passing external_labels in alert unit tests groups.
       * Allows globs for rules when unit testing.
       * Improved postings intersection matching.
       * Reduced disk usage for WAL for small setups.
       * Optimize queries using regexp for set lookups.
   - Rebase patch002-Default-settings.patch
   - Update to 2.10.0:
     + Bug Fixes:
       * TSDB: Don't panic when running out of disk space and recover nicely
         from the condition
       * TSDB: Correctly handle empty labels.
       * TSDB: Don't crash on an unknown tombstone reference.
       * Storage/remote: Remove queue-manager specific metrics if queue no
         longer exists.
       * PromQL: Correctly display {__name__="a"}.
       * Discovery/kubernetes: Use service rather than ingress as the name
         for the service workqueue.
       * Discovery/azure: Don't panic on a VM with a public IP.
       * Web: Fixed Content-Type for js and css instead of using
         /etc/mime.types.
       * API: Encode alert values as string to correctly represent Inf/NaN.
     + Features:
       * Template expansion: Make external labels available as
         $externalLabels in alert and console template expansion.
       * TSDB: Add prometheus_tsdb_wal_segment_current metric for the WAL
         segment index that TSDB is currently writing to.
       * Scrape: Add scrape_series_added per-scrape metric. #5546
     + Enhancements
       * Discovery/kubernetes: Add labels
         __meta_kubernetes_endpoint_node_name and
         __meta_kubernetes_endpoint_hostname.
       * Discovery/azure: Add label __meta_azure_machine_public_ip.
       * TSDB: Simplify mergedPostings.Seek, resulting in better performance
         if there are many posting lists.
       * Log filesystem type on startup.
       * Cmd/promtool: Use POST requests for Query and QueryRange.
       * Web: Sort alerts by group name.
       * Console templates: Add convenience variables $rawParams, $params,
         $path.
   - Update to 2.9.2
     + Bug Fixes:
       * Make sure subquery range is taken into account for selection
       * Exhaust every request body before closing it
       * Cmd/promtool: return errors from rule evaluations
       * Remote Storage: string interner should not panic in release
       * Fix memory allocation regression in mergedPostings.Seek
   - Update to 2.9.1
     + Bug Fixes:
       * Discovery/kubernetes: fix missing label sanitization
       * Remote_write: Prevent reshard concurrent with calling stop
   - Update to 2.9.0
     + Feature:
       * Add honor_timestamps scrape option.
     + Enhancements:
       * Update Consul to support catalog.ServiceMultipleTags.
       * Discovery/kubernetes: add present labels for labels/annotations.
       * OpenStack SD: Add ProjectID and UserID meta labels.
       * Add GODEBUG and retention to the runtime page.
       * Add support for POSTing to /series endpoint.
       * Support PUT methods for Lifecycle and Admin APIs.
       * Scrape: Add global jitter for HA server.
       * Check for cancellation on every step of a range evaluation.
       * String interning for labels & values in the remote_write path.
       * Don't lose the scrape cache on a failed scrape.
       * Reload cert files from disk automatically.
       * Use fixed length millisecond timestamp format for logs.
       * Performance improvements for postings.
     + Bug Fixes:
       * Remote Write: fix checkpoint reading.
       * Check if label value is valid when unmarshaling external labels from
         YAML.
       * Promparse: sort all labels when parsing.
       * Reload rules: copy state on both name and labels.
       * Exponentiation operator to drop metric name in result of operation.
       * Config: resolve more file paths.
       * Promtool: resolve relative paths in alert test files.
       * Set TLSHandshakeTimeout in HTTP transport.
       * Use fsync to be more resilient to machine crashes.
       * Keep series that are still in WAL in checkpoints.
   - Update to 2.8.1
     + Bug Fixes
       * Display the job labels in /targets which was removed accidentally
   - Update to 2.8.0
     + Change:
       * This release uses Write-Ahead Logging (WAL) for the remote_write
         API. This currently causes a slight increase in memory usage, which
         will be addressed in future releases.
       * Default time retention is used only when no size based retention is
         specified. These are flags where time retention is specified by the
         flag --storage.tsdb.retention and size retention by
         --storage.tsdb.retention.size.
       * prometheus_tsdb_storage_blocks_bytes_total is now
         prometheus_tsdb_storage_blocks_bytes.
     + Feature:
       * (EXPERIMENTAL) Time overlapping blocks are now allowed; vertical
         compaction and vertical query merge. It is an optional feature which
         is controlled by the --storage.tsdb.allow-overlapping-blocks flag,
         disabled by default.
     + Enhancements:
       * Use the WAL for remote_write API.
       * Query performance improvements.
       * UI enhancements with upgrade to Bootstrap 4.
       * Reduce time that Alertmanagers are in flux when reloaded.
       * Limit number of metrics displayed on UI to 10000.
       * (1) Remember All/Unhealthy choice on target-overview when reloading
         page. (2) Resize text-input area on Graph page on mouseclick.
       * In histogram_quantile merge buckets with equivalent le values.
       * Show list of offending labels in the error message in many-to-many
         scenarios.
       * Show Storage Retention criteria in effect on /status page.
     + Bug Fixes:
       * Fix sorting of rule groups.
       * Fix support for password_file and bearer_token_file in Kubernetes SD.
       * Scrape: catch errors when creating HTTP clients
       * Adds new metrics: prometheus_target_scrape_pools_total
         prometheus_target_scrape_pools_failed_total
         prometheus_target_scrape_pool_reloads_total
         prometheus_target_scrape_pool_reloads_failed_total
       * Fix panic when aggregator param is not a literal.

   kiwi-desc-saltboot:

   - Update to version 0.1.1564399963.cf19a13
   - Fix incompatibility with Microsoft DNS (bsc#1136667)
   - Updated copyrights and bug reporting link
   - Update to version 0.1.1558613789.64ba093
   - Update to version 0.1.1556553492.2bfae0b

   mgr-cfg:

   - Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)

   mgr-daemon:

   - Fix systemd timer configuration on SLE12 (bsc#1142038)

   mgr-osad:

   - Fix obsolete for old osad packages, to allow installing mgr-osad even by
     using osad at yum/zypper install (bsc#1139453)
   - Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)

   mgr-virtualization:

   - Fix missing python 3 ugettext (bsc#1138494)
   - Fix package dependencies to prevent file conflict (bsc#1143856)

   rhnlib:

   - Add SNI support for clients
   - Fix initialize ssl connection (bsc#1144155)
   - Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)

   spacecmd:

   - Bugfix: referenced variable before assignment.
   - Bugfix: 'dict' object has no attribute 'iteritems' (bsc#1135881)
   - Add unit tests for custominfo, snippet, scap, ssm, cryptokey and
     distribution
   - Fix missing runtime dependencies that made spacecmd return old versions
     of packages in some cases, even if newer ones were available
     (bsc#1148311)

   spacewalk-backend:

   - Do not overwrite comps and module data with older versions
   - Fix issue with "dists" keyword in url hostname
   - Import packages from all collections of a patch not just first one
   - Ensure bytes type when using hashlib to avoid traceback
     on XMLRPC call to "registration.register_osad" (bsc#1138822)
   - Do not duplicate "http://" protocol when using proxies with "deb"
     repositories (bsc#1138313)
   - Fix reposync when dealing with RedHat CDN (bsc#1138358)
   - Fix for CVE-2019-10136. An attacker with a valid, but expired,
     authenticated set of headers could move some digits around, artificially
     extending the session validity without modifying the checksum.
     (bsc#1136480)
   - Prevent FileNotFoundError: repomd.xml.key traceback (bsc#1137940)
   - Add journalctl output to spacewalk-debug tarballs
   - Prevent unnecessary triggering of channel-repodata tasks when GPG
     signing is disabled (bsc#1137715)
   - Fix spacewalk-repo-sync for Ubuntu repositories in mirror case
     (bsc#1136029)
   - Add support for ULN repositories on new Zypper based reposync.
   - Don't skip Deb package tags on package import (bsc#1130040)
   - For backend-libs subpackages, exclude files for the server (already part
     of spacewalk-backend) to avoid conflicts (bsc#1148125)
   - prevent duplicate key violates on repo-sync with long changelog entries
     (bsc#1144889)
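   The CVE-2019-10136 entry above describes a checksum that stays valid when
   digits are moved between fields of an expired session header. The following
   is an added illustration of that bug class, not the spacewalk-backend code
   and not its real token layout (which this advisory does not show): a MAC
   over fields concatenated without delimiters does not commit to field
   boundaries, whereas a length-prefixed encoding does. The secret, the
   (user_id, expires_unix) layout and the sample values are constructed.

```python
import hashlib
import hmac

# Constructed demo secret; a real service loads its key from configuration.
SECRET = b"constructed-demo-secret"


def mac_unseparated(fields):
    """Weak pattern: fields are concatenated with no delimiter, so two
    different field splits can yield the same message and the same MAC."""
    msg = "".join(str(f) for f in fields).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def mac_length_prefixed(fields):
    """Hardened pattern: every field is length-prefixed, so the MAC commits
    to where each field starts and ends, not only to the digit sequence."""
    parts = [str(f).encode() for f in fields]
    msg = b"".join(b"%d:%s;" % (len(p), p) for p in parts)
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def session_valid(mac_fn, fields, mac, now):
    """Accept only if the MAC verifies (constant-time compare) and the
    expiry lies in the future. Hypothetical layout: (user_id, expires_unix)."""
    if not hmac.compare_digest(mac_fn(fields), mac):
        return False
    return fields[1] > now


def demo(now=1567000100):
    # Constructed token: issued for user 1234, expired 100 seconds before now.
    issued = (1234, 1567000000)
    # Same digit string, field boundary moved one place to the left:
    # the same bytes now read as user 123 with an expiry far in the future.
    shifted = (123, 41567000000)
    weak_mac = mac_unseparated(issued)
    strong_mac = mac_length_prefixed(issued)
    return {
        "weak_rejects_expired": not session_valid(mac_unseparated, issued, weak_mac, now),
        "weak_accepts_shifted": session_valid(mac_unseparated, shifted, weak_mac, now),
        "strong_rejects_shifted": not session_valid(mac_length_prefixed, shifted, strong_mac, now),
    }
```

   The same boundary-commitment property is obtained with any unambiguous
   encoding (a fixed separator that cannot occur in the fields, or a
   structured serialization); length prefixes are simply the shortest to show.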

   spacewalk-remote-utils:

   - Add RHEL8


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Tools 12:

      zypper in -t patch SUSE-SLE-Manager-Tools-12-2019-2312=1



Package List:

   - SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64):

      golang-github-prometheus-prometheus-2.11.1-1.6.2

   - SUSE Manager Tools 12 (noarch):

      kiwi-desc-saltboot-0.1.1564399963.cf19a13-1.12.1
      mgr-cfg-4.0.9-1.6.4
      mgr-cfg-actions-4.0.9-1.6.4
      mgr-cfg-client-4.0.9-1.6.4
      mgr-cfg-management-4.0.9-1.6.4
      mgr-daemon-4.0.7-1.8.2
      mgr-osad-4.0.9-1.6.2
      mgr-virtualization-host-4.0.8-1.8.3
      python2-mgr-cfg-4.0.9-1.6.4
      python2-mgr-cfg-actions-4.0.9-1.6.4
      python2-mgr-cfg-client-4.0.9-1.6.4
      python2-mgr-cfg-management-4.0.9-1.6.4
      python2-mgr-osa-common-4.0.9-1.6.2
      python2-mgr-osad-4.0.9-1.6.2
      python2-mgr-virtualization-common-4.0.8-1.8.3
      python2-mgr-virtualization-host-4.0.8-1.8.3
      python2-rhnlib-4.0.11-21.16.1
      spacecmd-4.0.14-38.49.1
      spacewalk-backend-libs-4.0.25-55.41.1
      spacewalk-remote-utils-4.0.5-24.12.2


References:

   https://www.suse.com/security/cve/CVE-2019-10136.html
   https://bugzilla.suse.com/1130040
   https://bugzilla.suse.com/1135881
   https://bugzilla.suse.com/1136029
   https://bugzilla.suse.com/1136480
   https://bugzilla.suse.com/1136667
   https://bugzilla.suse.com/1137715
   https://bugzilla.suse.com/1137940
   https://bugzilla.suse.com/1138313
   https://bugzilla.suse.com/1138358
   https://bugzilla.suse.com/1138494
   https://bugzilla.suse.com/1138822
   https://bugzilla.suse.com/1139453
   https://bugzilla.suse.com/1142038
   https://bugzilla.suse.com/1143856
   https://bugzilla.suse.com/1144155
   https://bugzilla.suse.com/1144889
   https://bugzilla.suse.com/1148125
   https://bugzilla.suse.com/1148177
   https://bugzilla.suse.com/1148311


