SUSE-SU-2023:0352-1: moderate: Security update for SUSE Manager Client Tools

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Fri Feb 10 17:54:20 UTC 2023


   SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2023:0352-1
Rating:             moderate
References:         #1172110 #1204032 #1204126 #1204302 #1204303 
                    #1204304 #1204305 #1205207 #1205225 #1205227 
                    #1206470 PED-2617 
Cross-References:   CVE-2022-31123 CVE-2022-31130 CVE-2022-39201
                    CVE-2022-39229 CVE-2022-39306 CVE-2022-39307
                   
CVSS scores:
                    CVE-2022-31123 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2022-31123 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
                    CVE-2022-31130 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2022-31130 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
                    CVE-2022-39201 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2022-39201 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
                    CVE-2022-39229 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
                    CVE-2022-39229 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
                    CVE-2022-39306 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
                    CVE-2022-39306 (SUSE): 6.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
                    CVE-2022-39307 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2022-39307 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products:
                    SUSE Manager Tools 12
______________________________________________________________________________

   An update that solves 6 vulnerabilities, contains one
   feature and has 5 fixes is now available.

Description:


   This update fixes the following issues:

   grafana:

   - Update to version 8.5.15 (jsc#PED-2617):
     * CVE-2022-39306: Fix for privilege escalation (bsc#1205225)
     * CVE-2022-39307: Omit error from http response when user does not
       exists (bsc#1205227)
   - Update to version 8.5.14:
     * CVE-2022-39201: Fix do not forward login cookie in outgoing requests
       (bsc#1204303)
     * CVE-2022-31130: Make proxy endpoints not leak sensitive HTTP headers
       (bsc#1204305)
     * CVE-2022-31123: Fix plugin signature bypass (bsc#1204302)
     * CVE-2022-39229: Fix blocknig other users from signing in (bsc#1204304)

   kiwi-desc-saltboot:

   - Update to version 0.1.1673279145.e7616bd
     * Add failsafe stop file when salt-minion does not stop (bsc#1172110)

   mgr-osad:

   - Version 4.3.7-1
     * Updated logrotate configuration (bsc#1206470)

   mgr-push:

   - Version 4.3.5-1
     * Update translation strings

   rhnlib:

   - Version 4.3.5-1
     * Don't get stuck at the end of SSL transfers (bsc#1204032)

   spacecmd:

   - Version 4.3.18-1
     * Add python-dateutil dependency, required to process date values in
       spacecmd api calls
   - Version 4.3.17-1
     * Remove python3-simplejson dependency
     * Correctly understand 'ssm' keyword on scap scheduling
     * Add vendor_advisory information to errata_details call (bsc#1205207)
     * Added two missing options to schedule product migration:
       allow-vendor-change and remove-products-without-successor (bsc#1204126)
     * Changed schedule product migration to use the correct API method
     * Change default port of "Containerized Proxy configuration" 8022

   spacewalk-client-tools:

   - Version 4.3.14-1
     * Update translation strings

   uyuni-common-libs:

   - Version 4.3.7-1
     * unify user notification code on java side


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Tools 12:

      zypper in -t patch SUSE-SLE-Manager-Tools-12-2023-352=1



Package List:

   - SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64):

      grafana-8.5.15-1.39.1
      python2-uyuni-common-libs-4.3.7-1.30.1

   - SUSE Manager Tools 12 (noarch):

      kiwi-desc-saltboot-0.1.1673279145.e7616bd-1.32.1
      mgr-osad-4.3.7-1.42.1
      mgr-push-4.3.5-1.24.1
      python2-mgr-osa-common-4.3.7-1.42.1
      python2-mgr-osad-4.3.7-1.42.1
      python2-mgr-push-4.3.5-1.24.1
      python2-rhnlib-4.3.5-21.46.1
      python2-spacewalk-check-4.3.14-52.83.1
      python2-spacewalk-client-setup-4.3.14-52.83.1
      python2-spacewalk-client-tools-4.3.14-52.83.1
      spacecmd-4.3.18-38.115.1
      spacewalk-check-4.3.14-52.83.1
      spacewalk-client-setup-4.3.14-52.83.1
      spacewalk-client-tools-4.3.14-52.83.1


References:

   https://www.suse.com/security/cve/CVE-2022-31123.html
   https://www.suse.com/security/cve/CVE-2022-31130.html
   https://www.suse.com/security/cve/CVE-2022-39201.html
   https://www.suse.com/security/cve/CVE-2022-39229.html
   https://www.suse.com/security/cve/CVE-2022-39306.html
   https://www.suse.com/security/cve/CVE-2022-39307.html
   https://bugzilla.suse.com/1172110
   https://bugzilla.suse.com/1204032
   https://bugzilla.suse.com/1204126
   https://bugzilla.suse.com/1204302
   https://bugzilla.suse.com/1204303
   https://bugzilla.suse.com/1204304
   https://bugzilla.suse.com/1204305
   https://bugzilla.suse.com/1205207
   https://bugzilla.suse.com/1205225
   https://bugzilla.suse.com/1205227
   https://bugzilla.suse.com/1206470



More information about the sle-security-updates mailing list