SUSE-CU-2023:2913-1: Security update of ses/7.1/ceph/prometheus-server

sle-security-updates at lists.suse.com
Mon Sep 11 10:52:22 UTC 2023


SUSE Container Update Advisory: ses/7.1/ceph/prometheus-server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:2913-1
Container Tags        : ses/7.1/ceph/prometheus-server:2.37.6 , ses/7.1/ceph/prometheus-server:2.37.6.3.2.497 , ses/7.1/ceph/prometheus-server:latest , ses/7.1/ceph/prometheus-server:sle15.3.pacific
Container Release     : 3.2.497
Severity              : important
Type                  : security
References            : 1089497 1158763 1201627 1202234 1204023 1206627 1207534 1208049
                        1208298 1208612 1208721 1209229 1209565 1210740 1210999 1211261
                        1211419 1211661 1211741 1211828 1212187 1212222 1212260 1212279
                        1213189 1213231 1213487 1213517 1213557 1213673 1213853 1214054
                        1214290 CVE-2022-41715 CVE-2022-41723 CVE-2022-4304 CVE-2022-46146
                        CVE-2023-2603 CVE-2023-28370 CVE-2023-31484 CVE-2023-3446 CVE-2023-36054
                        CVE-2023-3817 CVE-2023-4016
-----------------------------------------------------------------

The container ses/7.1/ceph/prometheus-server was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2497-1
Released:    Tue Jun 13 15:37:25 2023
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    important
References:  1211661,1212187
This update for libzypp fixes the following issues:

- Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]
- Do not unconditionally release a medium if provideFile failed. [bsc#1211661]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2598-1
Released:    Wed Jun 21 15:17:04 2023
Summary:     Security update for golang-github-prometheus-prometheus
Type:        security
Severity:    important
References:  1204023,1208049,1208298,CVE-2022-41715,CVE-2022-41723,CVE-2022-46146
This update for golang-github-prometheus-prometheus fixes the following issues:

golang-github-prometheus-prometheus:

- Security issues fixed in this version update to 2.37.6:
  * CVE-2022-46146: Fixed a basic authentication bypass vulnerability (bsc#1208049, jsc#PED-3576)
  * CVE-2022-41715: Updated the Go regexp library to fix the upstream issue where parsing large regular expressions could exhaust memory (bsc#1204023)
  * CVE-2022-41723: Fixed the Go HTTP/2 issue that allowed quadratic complexity in HPACK decoding, a denial-of-service vector (bsc#1208298)
- Other non-security bugs fixed and changes in this version update to 2.37.6:
  * [BUGFIX] TSDB: Turn off isolation for Head compaction to fix a memory leak.
  * [BUGFIX] TSDB: Fix 'invalid magic number 0' error on Prometheus startup.
  * [BUGFIX] Agent: Fix validation of flag options and prevent WAL from growing more than desired.
  * [BUGFIX] Properly close file descriptor when logging unfinished queries.
  * [BUGFIX] TSDB: In the WAL watcher metrics, expose the type='exemplar' label instead of type='unknown' for exemplar
    records.
  * [BUGFIX] Alerting: Fix Alertmanager targets not being updated when alerts were queued.
  * [BUGFIX] Hetzner SD: Make authentication files relative to Prometheus config file.
  * [BUGFIX] Promtool: Fix promtool check config not erroring properly on failures.
  * [BUGFIX] Scrape: Keep relabeled scrape interval and timeout on reloads.
  * [BUGFIX] TSDB: Don't increment prometheus_tsdb_compactions_failed_total when context is canceled.
  * [BUGFIX] TSDB: Fix panic if series is not found when deleting series.
  * [BUGFIX] TSDB: Increase prometheus_tsdb_mmap_chunk_corruptions_total on out of sequence errors.
  * [BUGFIX] Uyuni SD: Make authentication files relative to Prometheus configuration file and fix default configuration
    values.
  * [BUGFIX] Fix serving of static assets like fonts and favicon.
  * [BUGFIX] promtool: Add --lint-fatal option.
  * [BUGFIX] Changing TotalQueryableSamples from int to int64.
  * [BUGFIX] tsdb/agent: Ignore duplicate exemplars.
  * [BUGFIX] TSDB: Fix chunk overflow appending samples at a variable rate.
  * [BUGFIX] Stop rule manager before TSDB is stopped.
  * [BUGFIX] Kubernetes SD: Explicitly include gcp auth from k8s.io.
  * [BUGFIX] Fix OpenMetrics parser to sort uppercase labels correctly.
  * [BUGFIX] UI: Fix scrape interval and duration tooltip not showing on target page.
  * [BUGFIX] Tracing/GRPC: Set TLS credentials only when insecure is false.
  * [BUGFIX] Agent: Fix ID collision when loading a WAL with multiple segments.
  * [BUGFIX] Remote-write: Fix a deadlock between Batch and flushing the queue.
  * [BUGFIX] PromQL: Properly return an error from histogram_quantile when metrics have the same labelset.
  * [BUGFIX] UI: Fix bug that sets the range input to the resolution.
  * [BUGFIX] TSDB: Fix a query panic when memory-snapshot-on-shutdown is enabled.
  * [BUGFIX] Parser: Specify type in metadata parser errors.
  * [BUGFIX] Scrape: Fix label limit changes not applying.
  * [BUGFIX] Remote-write: Fix deadlock between adding to queue and getting batch.
  * [BUGFIX] TSDB: Fix panic when m-mapping head chunks onto the disk.
  * [BUGFIX] Azure SD: Fix a regression when public IP Address isn't set.
  * [BUGFIX] Azure SD: Fix panic when public IP Address isn't set.
  * [BUGFIX] Remote-write: Fix deadlock when stopping a shard.
  * [BUGFIX] SD: Fix no such file or directory in K8s SD when not running inside K8s.
  * [BUGFIX] Promtool: Make exit codes more consistent.
  * [BUGFIX] Promtool: Fix flakiness of rule testing.
  * [BUGFIX] Remote-write: Update prometheus_remote_storage_queue_highest_sent_timestamp_seconds metric when write
    irrecoverably fails.
  * [BUGFIX] Storage: Avoid panic in BufferedSeriesIterator.
  * [BUGFIX] TSDB: CompactBlockMetas should produce correct mint/maxt for overlapping blocks.
  * [BUGFIX] TSDB: Fix logging of exemplar storage size.
  * [BUGFIX] UI: Fix overlapping click targets for the alert state checkboxes.
  * [BUGFIX] UI: Fix Unhealthy filter on target page to actually display only Unhealthy targets.
  * [BUGFIX] UI: Fix autocompletion when expression is empty.
  * [BUGFIX] TSDB: Fix deadlock from simultaneous GC and write.
  * [CHANGE] TSDB: Delete *.tmp WAL files when Prometheus starts.
  * [CHANGE] promtool: Add new flag --lint (enabled by default) for the commands check rules and check config, resulting
    in a new exit code (3) for linter errors.
  * [CHANGE] UI: Classic UI removed.
  * [CHANGE] Tracing: Migrate from Jaeger to OpenTelemetry based tracing.
  * [CHANGE] PromQL: Promote negative offset and @ modifier to stable features.
  * [CHANGE] Web: Promote remote-write-receiver to stable.
  * [FEATURE] Nomad SD: New service discovery for Nomad built-in service discovery.
  * [FEATURE] Add lowercase and uppercase relabel action.
  * [FEATURE] SD: Add IONOS Cloud integration.
  * [FEATURE] SD: Add Vultr integration.
  * [FEATURE] SD: Add Linode SD failure count metric.
  * [FEATURE] Add prometheus_ready metric.
  * [FEATURE] Support for automatically setting the variable GOMAXPROCS to the container CPU limit.
    Enable with the flag `--enable-feature=auto-gomaxprocs`.
  * [FEATURE] PromQL: Extend statistics with total and peak number of samples in a query.
    Additionally, per-step statistics are available when using stats=all in the query API.
    Enable with the flag `--enable-feature=promql-per-step-stats`.
  * [FEATURE] Config: Add stripPort template function.
  * [FEATURE] Promtool: Add cardinality analysis to check metrics, enabled by flag --extended.
  * [FEATURE] SD: Enable target discovery in own K8s namespace.
  * [FEATURE] SD: Add provider ID label in K8s SD.
  * [FEATURE] Web: Add limit field to the rules API.
  * [ENHANCEMENT] Kubernetes SD: Allow attaching node labels for endpoint role.
  * [ENHANCEMENT] PromQL: Optimise creation of signature with/without labels.
  * [ENHANCEMENT] TSDB: Memory optimizations.
  * [ENHANCEMENT] TSDB: Reduce sleep time when reading WAL.
  * [ENHANCEMENT] OAuth2: Add appropriate timeouts and User-Agent header.
  * [ENHANCEMENT] Add stripDomain to template function.
  * [ENHANCEMENT] UI: Enable active search through dropped targets.
  * [ENHANCEMENT] promtool: support matchers when querying label values.
  * [ENHANCEMENT] Add agent mode identifier.
  * [ENHANCEMENT] TSDB: more efficient sorting of postings read from WAL at startup.
  * [ENHANCEMENT] Azure SD: Add metric to track Azure SD failures.
  * [ENHANCEMENT] Azure SD: Add an optional resource_group configuration.
  * [ENHANCEMENT] Kubernetes SD: Support discovery.k8s.io/v1
    EndpointSlice (previously only discovery.k8s.io/v1beta1
    EndpointSlice was supported).
  * [ENHANCEMENT] Kubernetes SD: Allow attaching node metadata to discovered pods.
  * [ENHANCEMENT] OAuth2: Support for using a proxy URL to fetch OAuth2 tokens.
  * [ENHANCEMENT] Configuration: Add the ability to disable HTTP2.
  * [ENHANCEMENT] Config: Support overriding minimum TLS version.
  * [ENHANCEMENT] TSDB: Disable the chunk write queue by default and allow configuration with the experimental flag
    `--storage.tsdb.head-chunks-write-queue-size`.
  * [ENHANCEMENT] HTTP SD: Add a failure counter.
  * [ENHANCEMENT] Azure SD: Set Prometheus User-Agent on requests.
  * [ENHANCEMENT] Uyuni SD: Reduce the number of logins to Uyuni.
  * [ENHANCEMENT] Scrape: Log when an invalid media type is encountered during a scrape.
  * [ENHANCEMENT] Scrape: Accept application/openmetrics-text;version=1.0.0 in addition to version=0.0.1.
  * [ENHANCEMENT] Remote-read: Add an option to not use external labels as selectors for remote read.
  * [ENHANCEMENT] UI: Optimize the alerts page and add a search bar.
  * [ENHANCEMENT] UI: Improve graph colors that were hard to see.
  * [ENHANCEMENT] Config: Allow escaping of $ with $$ when using environment variables with external labels.
  * [ENHANCEMENT] Remote-write: Avoid allocations by buffering concrete structs instead of interfaces.
  * [ENHANCEMENT] Remote-write: Log time series details for out-of-order samples in remote write receiver.
  * [ENHANCEMENT] Remote-write: Shard up more when backlogged.
  * [ENHANCEMENT] TSDB: Use simpler map key to improve exemplar ingest performance.
  * [ENHANCEMENT] TSDB: Avoid allocations when popping from the intersected postings heap.
  * [ENHANCEMENT] TSDB: Make chunk writing non-blocking, avoiding latency spikes in remote-write.
  * [ENHANCEMENT] TSDB: Improve label matching performance.
  * [ENHANCEMENT] UI: Optimize the service discovery page and add a search bar.
  * [ENHANCEMENT] UI: Optimize the target page and add a search bar.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2625-1
Released:    Fri Jun 23 17:16:11 2023
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
References:  
This update for gcc12 fixes the following issues:

- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

  * includes regression and other bug fixes

- Speed up builds with --enable-link-serialization.

- Update embedded newlib to version 4.2.0

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2742-1
Released:    Fri Jun 30 11:40:56 2023
Summary:     Recommended update for autoyast2, libzypp, yast2-pkg-bindings, yast2-update, zypper
Type:        recommended
Severity:    moderate
References:  1202234,1209565,1211261,1212187,1212222
This update for autoyast2, libzypp, yast2-pkg-bindings, yast2-update and zypper fixes the following issues:

libzypp was updated to version 17.31.14 (22):

- Curl: trim all custom headers (bsc#1212187)
  HTTP/2 RFC 9113 forbids fields ending with a space. So we make
  sure all custom headers are trimmed. This also includes headers
  returned by URL-Resolver plugins.
- build: honor libproxy.pc's includedir (bsc#1212222)

zypper was updated to version 1.14.61:

- targetos: Add an error note if XPath:/product/register/target
  is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)

yast2-pkg-bindings, autoyast:

- Added a new option for rebuilding the RPM database (--rebuilddb) (bsc#1209565)
- Selected products are not installed after resetting the package manager internally (bsc#1202234)

yast2-update:

- Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2855-1
Released:    Mon Jul 17 16:35:21 2023
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1212260
This update for openldap2 fixes the following issues:

- libldap2 crashes on ldap_sasl_bind_s (bsc#1212260)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2882-1
Released:    Wed Jul 19 11:49:39 2023
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1210999,CVE-2023-31484
This update for perl fixes the following issues:

- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2885-1
Released:    Wed Jul 19 16:58:43 2023
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1208721,1209229,1211828
This update for glibc fixes the following issues:

- getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
- Exclude static archives from preparation for live patching (bsc#1208721)
- resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2918-1
Released:    Thu Jul 20 12:00:17 2023
Summary:     Recommended update for gpgme
Type:        recommended
Severity:    moderate
References:  1089497
This update for gpgme fixes the following issues:

gpgme:

- Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)

libassuan:

- Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2956-1
Released:    Tue Jul 25 08:33:38 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211419,CVE-2023-2603
This update for libcap fixes the following issues:

- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3144-1
Released:    Wed Aug  2 09:28:51 2023
Summary:     Security update for SUSE Manager Client Tools
Type:        security
Severity:    moderate
References:  1208612,1211741,1212279,CVE-2023-28370
This update fixes the following issues:

python-tornado:

- Security fixes:
  * CVE-2023-28370: Fixed an open redirect issue in the static file handler (bsc#1211741)

prometheus-blackbox_exporter:

- Use obscpio for go modules service
- Set version number
- Set build date from SOURCE_DATE_EPOCH
- Update to 0.24.0 (bsc#1212279, jsc#PED-4556)
  * Requires go1.19
- Avoid empty validation script
- Add rc symlink for backwards compatibility

spacecmd:

- Version 4.3.22-1
  * Bypass traditional systems check on older SUMA instances (bsc#1208612)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3179-1
Released:    Thu Aug  3 13:59:38 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1201627,1207534,1213487,CVE-2022-4304,CVE-2023-3446
This update for openssl-1_1 fixes the following issues:

- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.
  The previous fix for this timing side channel turned out to cause a
  severe 2-3x performance regression in the typical use case (bsc#1207534).
- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

- Update further expiring certificates that affect tests [bsc#1201627]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3284-1
Released:    Fri Aug 11 10:29:50 2023
Summary:     Recommended update for shadow
Type:        recommended
Severity:    moderate
References:  1206627,1213189
This update for shadow fixes the following issues:

- Prevent lock files from remaining after power interruptions (bsc#1213189)
- Add --prefix support to passwd, chpasswd and chage (bsc#1206627)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3291-1
Released:    Fri Aug 11 12:51:21 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213517,1213853,CVE-2023-3817
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3365-1
Released:    Fri Aug 18 20:35:01 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1214054,CVE-2023-36054
This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3472-1
Released:    Tue Aug 29 10:55:16 2023
Summary:     Security update for procps
Type:        security
Severity:    low
References:  1214290,CVE-2023-4016
This update for procps fixes the following issues:

- CVE-2023-4016: Fixed a buffer overflow in ps (bsc#1214290).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3515-1
Released:    Fri Sep  1 15:54:25 2023
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1158763,1210740,1213231,1213557,1213673
This update for libzypp, zypper fixes the following issues:

- Fix occasional issue with downloading very small files (bsc#1213673)
- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
- Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
- Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
- Revised explanation of --force-resolution in man page (bsc#1213557)
- Print summary hint if policies were violated due to --force-resolution (bsc#1213557)


The following package changes have been done:

- glibc-2.31-150300.52.2 updated
- golang-github-prometheus-prometheus-2.37.6-150100.4.17.1 updated
- krb5-1.19.2-150300.13.1 updated
- libassuan0-2.5.5-150000.4.5.2 updated
- libcap2-2.26-150000.4.9.1 updated
- libgcc_s1-12.3.0+git1204-150000.1.10.1 updated
- libldap-2_4-2-2.4.46-150200.14.17.1 updated
- libldap-data-2.4.46-150200.14.17.1 updated
- libopenssl1_1-hmac-1.1.1d-150200.11.75.1 updated
- libopenssl1_1-1.1.1d-150200.11.75.1 updated
- libprocps7-3.3.15-150000.7.34.1 updated
- libprotobuf-lite20-3.9.2-150200.4.21.1 updated
- libsolv-tools-0.7.24-150200.20.2 updated
- libstdc++6-12.3.0+git1204-150000.1.10.1 updated
- libzypp-17.31.20-150200.75.1 updated
- login_defs-4.8.1-150300.4.9.1 updated
- openssl-1_1-1.1.1d-150200.11.75.1 updated
- perl-base-5.26.1-150300.17.14.1 updated
- procps-3.3.15-150000.7.34.1 updated
- shadow-4.8.1-150300.4.9.1 updated
- system-user-prometheus-1.0.0-150000.10.1 updated
- zypper-1.14.63-150200.59.1 updated
- container:sles15-image-15.0.0-17.20.180 updated
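The package list above is the part of this advisory an operator can actually verify: the image is only "fixed" if every listed rpm is at or above the stated version-release. The script below is an added example, not part of the SUSE advisory or of any SUSE tooling. It implements rpm's label comparison (the rpmvercmp algorithm, including the `~` and `^` separators) in Python, parses the "name-version-release updated" lines quoted from this advisory, and reports installed packages that are still older than the fixed build. The installed-package sample is constructed; on a real host the same text comes from running `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` inside the container. Epochs are not shown in the advisory list, so the comparison deliberately ignores them.

```python
"""Check an installed rpm set against the package list of a SUSE container advisory.

Added example (not SUSE code). rpmvercmp() follows rpm's lib/rpmvercmp.c:
numeric segments compare as integers, alpha segments as strings, a numeric
segment beats an alpha one, '~' sorts before end-of-string (1.0~rc1 < 1.0)
and '^' sorts after end-of-string but before any further segment
(1.0 < 1.0^post1 < 1.0.1).
"""
import re

# Lines quoted from the advisory's "The following package changes have been done" list.
ADVISORY_PACKAGES = """\
- glibc-2.31-150300.52.2 updated
- golang-github-prometheus-prometheus-2.37.6-150100.4.17.1 updated
- krb5-1.19.2-150300.13.1 updated
- libldap-2_4-2-2.4.46-150200.14.17.1 updated
- libopenssl1_1-hmac-1.1.1d-150200.11.75.1 updated
- libopenssl1_1-1.1.1d-150200.11.75.1 updated
- procps-3.3.15-150000.7.34.1 updated
- zypper-1.14.63-150200.59.1 updated
- container:sles15-image-15.0.0-17.20.180 updated
"""

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` from an
# image that was only partially rebuilt (hypothetical release numbers).
INSTALLED_SAMPLE = """\
glibc 2.31 150300.52.2
golang-github-prometheus-prometheus 2.37.6 150100.4.15.1
krb5 1.19.2 150300.12.1
libopenssl1_1 1.1.1d 150200.11.75.1
procps 3.3.15 150000.7.31.1
zypper 1.14.63 150200.59.1
"""


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two rpm version (or release) labels."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Skip separators: anything that is not alphanumeric, '~' or '^'.
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":          # tilde: older than anything, even end-of-string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: newer than end-of-string, older than the rest
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        pat = r"\d+" if isnum else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:                      # segment types differ: numeric wins
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):          # longer digit string is the larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1             # whichever side has characters left wins


def parse_nvr(label: str):
    """Split 'name-version-release' into its parts; names may themselves contain '-'."""
    name, version, release = label.rsplit("-", 2)
    return name, version, release


def vr_cmp(a, b) -> int:
    """Compare (version, release) pairs: version first, release only on a tie."""
    return rpmvercmp(a[0], b[0]) or rpmvercmp(a[1], b[1])


def missing_fixes(advisory_text: str, installed_text: str):
    """Return sorted (name, installed, fixed) for installed rpms older than the advisory build."""
    fixed = {}
    for m in re.finditer(r"^- (\S+) updated$", advisory_text, re.M):
        label = m.group(1)
        if label.startswith("container:"):  # the base-image line is not an rpm
            continue
        name, ver, rel = parse_nvr(label)
        fixed[name] = (ver, rel)
    out = []
    for line in installed_text.splitlines():
        if not line.strip():
            continue
        name, ver, rel = line.split()
        if name in fixed and vr_cmp((ver, rel), fixed[name]) < 0:
            out.append((name, f"{ver}-{rel}", "-".join(fixed[name])))
    return sorted(out)


if __name__ == "__main__":
    for name, have, want in missing_fixes(ADVISORY_PACKAGES, INSTALLED_SAMPLE):
        print(f"{name}: installed {have}, advisory requires {want}")
```

Packages named in the advisory but absent from the installed set are not reported, since an rpm that is not installed cannot carry the fix or the flaw; run the check against each tag you actually deploy, because `:latest` and the pinned tags on this advisory are separate references and may not point at the same image.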

