SUSE-SU-2019:2312-1: moderate: Security update for SUSE Manager Client Tools
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Thu Sep 5 13:15:53 MDT 2019
SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________
Announcement ID: SUSE-SU-2019:2312-1
Rating: moderate
References: #1130040 #1135881 #1136029 #1136480 #1136667
#1137715 #1137940 #1138313 #1138358 #1138494
#1138822 #1139453 #1142038 #1143856 #1144155
#1144889 #1148125 #1148177 #1148311
Cross-References: CVE-2019-10136
Affected Products:
SUSE Manager Tools 12
______________________________________________________________________________
An update that solves one vulnerability and has 18 fixes is
now available.
Description:
This update fixes the following issues:
golang-github-prometheus-prometheus:
- Add support for Uyuni/SUSE Manager service discovery
+ Added 0003-Add-Uyuni-service-discovery
- Readded _service file removed in error.
- Update to 2.11.1
+ Bug Fix:
* Fix potential panic when prometheus is watching multiple zookeeper
paths.
- Update to 2.11.0
+ Bug Fix:
* resolve race condition in maxGauge.
* Fix ZooKeeper connection leak.
* Improved atomicity of .tmp block replacement during compaction for
usual case.
* Fix "unknown series references" after clean shutdown.
* Re-calculate block size when calling block.Delete.
* Fix unsafe snapshots with head block.
* prometheus_tsdb_compactions_failed_total is now incremented on any
compaction failure.
+ Changes:
* Remove max_retries from queue_config (it has been unused since
rewriting remote-write to utilize the write-ahead-log)
* The meta file BlockStats no longer holds size information. This is
now dynamically calculated and kept in memory. It also includes the
meta file size which was not included before
* Renamed metric from prometheus_tsdb_wal_reader_corruption_errors to
prometheus_tsdb_wal_reader_corruption_errors_total
+ Features:
* Add option to use Alertmanager API v2.
* Added humanizePercentage function for templates.
* Include InitContainers in Kubernetes Service Discovery.
* Provide option to compress WAL records using Snappy.
+ Enhancements:
* Create new clean segment when starting the WAL.
* Reduce allocations in PromQL aggregations.
* Add storage warnings to LabelValues and LabelNames API results.
* Add prometheus_http_requests_total metric.
* Enable openbsd/arm build.
* Remote-write allocation improvements.
* Query performance improvement: Efficient iteration and search in
HashForLabels and HashWithoutLabels.
* Allow injection of arbitrary headers in promtool.
* Allow passing external_labels in alert unit tests groups.
* Allows globs for rules when unit testing.
* Improved postings intersection matching.
* Reduced disk usage for WAL for small setups.
* Optimize queries using regexp for set lookups.
- Rebase patch002-Default-settings.patch
- Update to 2.10.0:
+ Bug Fixes:
* TSDB: Don't panic when running out of disk space and recover nicely
from the condition
* TSDB: Correctly handle empty labels.
* TSDB: Don't crash on an unknown tombstone reference.
* Storage/remote: Remove queue-manager specific metrics if queue no
longer exists.
* PromQL: Correctly display {__name__="a"}.
* Discovery/kubernetes: Use service rather than ingress as the name
for the service workqueue.
* Discovery/azure: Don't panic on a VM with a public IP.
* Web: Fixed Content-Type for js and css instead of using
/etc/mime.types.
* API: Encode alert values as string to correctly represent Inf/NaN.
+ Features:
* Template expansion: Make external labels available as
$externalLabels in alert and console template expansion.
* TSDB: Add prometheus_tsdb_wal_segment_current metric for the WAL
segment index that TSDB is currently writing to. tsdb
* Scrape: Add scrape_series_added per-scrape metric. #5546
+ Enhancements
* Discovery/kubernetes: Add labels
__meta_kubernetes_endpoint_node_name and
__meta_kubernetes_endpoint_hostname.
* Discovery/azure: Add label __meta_azure_machine_public_ip.
* TSDB: Simplify mergedPostings.Seek, resulting in better performance
if there are many posting lists. tsdb
* Log filesystem type on startup.
* Cmd/promtool: Use POST requests for Query and QueryRange.
client_golang
* Web: Sort alerts by group name.
* Console templates: Add convenience variables $rawParams, $params,
$path.
- Upadte to 2.9.2
+ Bug Fixes:
* Make sure subquery range is taken into account for selection
* Exhaust every request body before closing it
* Cmd/promtool: return errors from rule evaluations
* Remote Storage: string interner should not panic in release
* Fix memory allocation regression in mergedPostings.Seek tsdb
- Update to 2.9.1
+ Bug Fixes:
* Discovery/kubernetes: fix missing label sanitization
* Remote_write: Prevent reshard concurrent with calling stop
- Update to 2.9.0
+ Feature:
* Add honor_timestamps scrape option.
+ Enhancements:
* Update Consul to support catalog.ServiceMultipleTags.
* Discovery/kubernetes: add present labels for labels/annotations.
* OpenStack SD: Add ProjectID and UserID meta labels.
* Add GODEBUG and retention to the runtime page.
* Add support for POSTing to /series endpoint.
* Support PUT methods for Lifecycle and Admin APIs.
* Scrape: Add global jitter for HA server.
* Check for cancellation on every step of a range evaluation.
* String interning for labels & values in the remote_write path.
* Don't lose the scrape cache on a failed scrape.
* Reload cert files from disk automatically. common
* Use fixed length millisecond timestamp format for logs. common
* Performance improvements for postings. Bug Fixes:
* Remote Write: fix checkpoint reading.
* Check if label value is valid when unmarshaling external labels from
YAML.
* Promparse: sort all labels when parsing.
* Reload rules: copy state on both name and labels.
* Exponentation operator to drop metric name in result of operation.
* Config: resolve more file paths.
* Promtool: resolve relative paths in alert test files.
* Set TLSHandshakeTimeout in HTTP transport. common
* Use fsync to be more resilient to machine crashes.
* Keep series that are still in WAL in checkpoints.
- Update to 2.8.1
+ Bug Fixes
* Display the job labels in /targets which was removed accidentally
- Update to 2.8.0
+ Change:
* This release uses Write-Ahead Logging (WAL) for the remote_write
API. This currently causes a slight increase in memory usage, which
will be addressed in future releases.
* Default time retention is used only when no size based retention is
specified. These are flags where time retention is specified by the
flag --storage.tsdb.retention and size retention by
--storage.tsdb.retention.size.
* prometheus_tsdb_storage_blocks_bytes_total is now
prometheus_tsdb_storage_blocks_bytes.
+ Feature:
* (EXPERIMENTAL) Time overlapping blocks are now allowed; vertical
compaction and vertical query merge. It is an optional feature which
is controlled by the --storage.tsdb.allow-overlapping-blocks flag,
disabled by default.
+ Enhancements:
* Use the WAL for remote_write API.
* Query performance improvements.
* UI enhancements with upgrade to Bootstrap 4.
* Reduce time that Alertmanagers are in flux when reloaded.
* Limit number of metrics displayed on UI to 10000.
* (1) Remember All/Unhealthy choice on target-overview when reloading
page. (2) Resize text-input area on Graph page on mouseclick.
* In histogram_quantile merge buckets with equivalent le values.
* Show list of offending labels in the error message in many-to-many
scenarios.
* Show Storage Retention criteria in effect on /status page.
+ Bug Fixes:
+ Fix sorting of rule groups.
+ Fix support for password_file and bearer_token_file in Kubernetes SD.
+ Scrape: catch errors when creating HTTP clients
+ Adds new metrics: prometheus_target_scrape_pools_total
prometheus_target_scrape_pools_failed_total
prometheus_target_scrape_pool_reloads_total
prometheus_target_scrape_pool_reloads_failed_total
+ Fix panic when aggregator param is not a literal.
kiwi-desc-saltboot:
- Update to version 0.1.1564399963.cf19a13
- Fix incompatibility with Microsoft DNS (bsc#1136667)
- Updated copyrights and bug reporting link
- Update to version 0.1.1558613789.64ba093
- Update to version 0.1.1556553492.2bfae0b
mgr-cfg:
- Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)
mgr-daemon:
- Fix systemd timer configuration on SLE12 (bsc#1142038)
mgr-osad:
- Fix obsolete for old osad packages, to allow installing mgr-osad even by
using osad at yum/zyppper install (bsc#1139453)
- Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)
mgr-virtualization:
- Fix missing python 3 ugettext (bsc#1138494)
- Fix package dependencies to prevent file conflict (bsc#1143856)
rhnlib:
- Add SNI support for clients
- Fix initialize ssl connection (bsc#1144155)
- Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)
spacecmd:
- Bugfix: referenced variable before assignment.
- Bugfix: 'dict' object has no attribute 'iteritems' (bsc#1135881)
- Add unit tests for custominfo, snippet, scap, ssm, cryptokey and
distribution
- Fix missing runtime dependencies that made spacecmd return old versions
of packages in some cases, even if newer ones were available
(bsc#1148311)
spacewalk-backend:
- Do not overwrite comps and module data with older versions
- Fix issue with "dists" keyword in url hostname
- Import packages from all collections of a patch not just first one
- Ensure bytes type when using hashlib to avoid traceback
on XMLRPC call to "registration.register_osad" (bsc#1138822)
- Do not duplicate "http://" protocol when using proxies with "deb"
repositories (bsc#1138313)
- Fix reposync when dealing with RedHat CDN (bsc#1138358)
- Fix for CVE-2019-10136. An attacker with a valid, but expired,
authenticated set of headers could move some digits around, artificially
extending the session validity without modifying the checksum.
(bsc#1136480)
- Prevent FileNotFoundError: repomd.xml.key traceback (bsc#1137940)
- Add journalctl output to spacewalk-debug tarballs
- Prevent unnecessary triggering of channel-repodata tasks when GPG
signing is disabled (bsc#1137715)
- Fix spacewalk-repo-sync for Ubuntu repositories in mirror case
(bsc#1136029)
- Add support for ULN repositories on new Zypper based reposync.
- Don't skip Deb package tags on package import (bsc#1130040)
- For backend-libs subpackages, exclude files for the server (already part
of spacewalk-backend) to avoid conflicts (bsc#1148125)
- prevent duplicate key violates on repo-sync with long changelog entries
(bsc#1144889)
spacewalk-remote-utils:
- Add RHEL8
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Manager Tools 12:
zypper in -t patch SUSE-SLE-Manager-Tools-12-2019-2312=1
Package List:
- SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64):
golang-github-prometheus-prometheus-2.11.1-1.6.2
- SUSE Manager Tools 12 (noarch):
kiwi-desc-saltboot-0.1.1564399963.cf19a13-1.12.1
mgr-cfg-4.0.9-1.6.4
mgr-cfg-actions-4.0.9-1.6.4
mgr-cfg-client-4.0.9-1.6.4
mgr-cfg-management-4.0.9-1.6.4
mgr-daemon-4.0.7-1.8.2
mgr-osad-4.0.9-1.6.2
mgr-virtualization-host-4.0.8-1.8.3
python2-mgr-cfg-4.0.9-1.6.4
python2-mgr-cfg-actions-4.0.9-1.6.4
python2-mgr-cfg-client-4.0.9-1.6.4
python2-mgr-cfg-management-4.0.9-1.6.4
python2-mgr-osa-common-4.0.9-1.6.2
python2-mgr-osad-4.0.9-1.6.2
python2-mgr-virtualization-common-4.0.8-1.8.3
python2-mgr-virtualization-host-4.0.8-1.8.3
python2-rhnlib-4.0.11-21.16.1
spacecmd-4.0.14-38.49.1
spacewalk-backend-libs-4.0.25-55.41.1
spacewalk-remote-utils-4.0.5-24.12.2
References:
https://www.suse.com/security/cve/CVE-2019-10136.html
https://bugzilla.suse.com/1130040
https://bugzilla.suse.com/1135881
https://bugzilla.suse.com/1136029
https://bugzilla.suse.com/1136480
https://bugzilla.suse.com/1136667
https://bugzilla.suse.com/1137715
https://bugzilla.suse.com/1137940
https://bugzilla.suse.com/1138313
https://bugzilla.suse.com/1138358
https://bugzilla.suse.com/1138494
https://bugzilla.suse.com/1138822
https://bugzilla.suse.com/1139453
https://bugzilla.suse.com/1142038
https://bugzilla.suse.com/1143856
https://bugzilla.suse.com/1144155
https://bugzilla.suse.com/1144889
https://bugzilla.suse.com/1148125
https://bugzilla.suse.com/1148177
https://bugzilla.suse.com/1148311
More information about the sle-security-updates
mailing list