SUSE-SU-2023:3875-1: important: Security update for SUSE Manager Client Tools
sle-security-updates at lists.suse.com
Thu Sep 28 12:31:06 UTC 2023
# Security update for SUSE Manager Client Tools
Announcement ID: SUSE-SU-2023:3875-1
Rating: important
References:
* #1204501
* #1208046
* #1208270
* #1213691
* #1213880
* ECO-3319
* MSQA-699
* PED-5405
* SLE-24791
Cross-References:
* CVE-2022-32149
* CVE-2022-41723
* CVE-2022-46146
* CVE-2023-29409
CVSS scores:
* CVE-2022-32149 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2022-32149 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2022-41723 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2022-41723 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2022-46146 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2022-46146 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-29409 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-29409 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:
* SUSE Manager Client Tools for RHEL, Liberty and Clones 9
An update that solves four vulnerabilities, contains four features and has one
security fix can now be installed.
## Description:
This update fixes the following issues:
golang-github-lusitaniae-apache_exporter:
* Security issues fixed:
* CVE-2022-32149: Fix denial of service vulnerability (bsc#1204501)
* CVE-2022-41723: Fix uncontrolled resource consumption (bsc#1208270)
* CVE-2022-46146: Fix authentication bypass vulnerability (bsc#1208046)
* Changes and bugs fixed:
* Updated to 1.0.0 (jsc#PED-5405)
* Improved flag parsing
* Added support for custom headers
* Changes from 0.13.1
* Fix panic caused by missing flagConfig options
* Changes from 0.11.0 (jsc#SLE-24791)
* Add TLS support
* Switch to logger, please check --log.level and --log.format flags
* Changes from 0.10.1
* Bugfix: Reset ProxyBalancer metrics on each scrape to remove stale data
* Changes from 0.10.0
* Add Apache Proxy and other metrics
* Changes from 0.8.0
* Change commandline flags
* Add metrics: Apache version, request duration total
* Changes from 0.7.0
* Handle OS TERM signals
* Changes from 0.6.0
* Add option to override host name
* Added support for Red Hat Enterprise Linux
* Added AppArmor profile
* Added sandboxing options to systemd service unit
* Build using promu
* Build with Go 1.19
* Exclude s390 architecture
golang-github-prometheus-node_exporter:
* CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to
8192 bits to avoid DoSing client/server while validating signatures for
extremely large RSA keys. (bsc#1213880) There are no direct source changes.
The CVE is fixed rebuilding the sources with the patched Go version.
golang-github-QubitProducts-exporter_exporter:
* CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to
8192 bits to avoid DoSing client/server while validating signatures for
extremely large RSA keys. (bsc#1213880) There are no direct source changes.
The CVE is fixed rebuilding the sources with the patched Go version.
prometheus-postgres_exporter:
* CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to
8192 bits to avoid DoSing client/server while validating signatures for
extremely large RSA keys. (bsc#1213880) There are no direct source changes.
The CVE is fixed rebuilding the sources with the patched Go version.
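The CVE-2023-29409 entries above for node_exporter, exporter_exporter and postgres_exporter all describe the same mitigation: bound the RSA modulus size of certificates before signature validation. The Go code below is an added illustration of that bound applied at the application layer, not code from the exporters or from the Go toolchain; `MaxRSAKeyBits`, `checkRSAKeySize`, `checkRawChain`, `tlsConfigWithKeyBound` and `fakeRSACert` are names chosen here, and the 8192-bit limit is taken from the advisory text.

```go
package main

import (
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
)

// MaxRSAKeyBits is the bound quoted in the advisory for CVE-2023-29409.
const MaxRSAKeyBits = 8192

// checkRSAKeySize rejects a certificate whose RSA modulus exceeds maxBits.
// Non-RSA keys (ECDSA, Ed25519) are not subject to this bound and pass.
func checkRSAKeySize(cert *x509.Certificate, maxBits int) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil
	}
	if bits := pub.N.BitLen(); bits > maxBits {
		return fmt.Errorf("rsa key of %d bits exceeds %d-bit limit", bits, maxBits)
	}
	return nil
}

// checkRawChain parses the DER certificates presented in a TLS handshake
// and applies the size check to every certificate in the chain.
func checkRawChain(rawCerts [][]byte, maxBits int) error {
	for i, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return fmt.Errorf("cert %d: %w", i, err)
		}
		if err := checkRSAKeySize(cert, maxBits); err != nil {
			return fmt.Errorf("cert %d: %w", i, err)
		}
	}
	return nil
}

// tlsConfigWithKeyBound wires the check into a client tls.Config via the
// VerifyPeerCertificate hook, which receives the peer's raw DER chain.
func tlsConfigWithKeyBound(maxBits int) *tls.Config {
	return &tls.Config{
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return checkRawChain(rawCerts, maxBits)
		},
	}
}

// fakeRSACert builds a certificate with a constructed RSA modulus of exactly
// the given bit length; no real key is generated, so very large sizes are cheap.
func fakeRSACert(bits int) *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	return &x509.Certificate{PublicKey: &rsa.PublicKey{N: n, E: 65537}}
}

func main() {
	for _, bits := range []int{2048, 8192, 16384} {
		fmt.Printf("%d-bit key: %v\n", bits, checkRSAKeySize(fakeRSACert(bits), MaxRSAKeyBits))
	}
}
```

With the default verifier, VerifyPeerCertificate runs after chain verification, so on an unpatched toolchain this hook flags an oversized key rather than preventing the expensive signature check; the packages rebuilt with the patched Go version are the actual fix.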
scap-security-guide:
* Updated to 0.1.69 (jsc#ECO-3319)
* Introduce a JSON build manifest
* Introduce a script to compare ComplianceAsCode versions
* Introduce CCN profiles for Red Hat Enterprise Linux 9
* Map rules to components
* products/anolis23: supports Anolis OS 23
* Render components to HTML
* Store rendered control files
* Test and use rules to components mapping
* Use distributed product properties
* Revert patch that breaks the SLE hardening (bsc#1213691)
* Changes from 0.1.68 (jsc#ECO-3319)
* Bump OL8 STIG version to V1R6
* Introduce a Product class, make the project work with it
* Introduce Fedora and Firefox CaC profiles for common workstation users
* OL7 DISA STIG v2r11 update
* Publish rendered policy artifacts
* Update ANSSI BP-028 to version 2.0
* Changes from 0.1.67 (jsc#ECO-3319)
* Add utils/controlrefcheck.py
* Red Hat Enterprise Linux 9 STIG Update Q1 2023
* Include warning for NetworkManager keyfiles in Red Hat Enterprise Linux 9
* OL7 stig v2r10 update
* Bump version of OL8 STIG to V1R5
* Various enhancements to SLE profiles
spacecmd:
* Updated to 4.3.23-1
* Update translation strings
## Special Instructions and Notes:
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Manager Client Tools for RHEL, Liberty and Clones 9
zypper in -t patch SUSE-EL-9-CLIENT-TOOLS-2023-3875=1
## Package List:
* SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (aarch64 ppc64le s390x x86_64)
* golang-github-lusitaniae-apache_exporter-debugsource-1.0.0-1.8.1
* prometheus-postgres_exporter-0.10.1-1.9.2
* golang-github-QubitProducts-exporter_exporter-debugsource-0.4.0-1.6.1
* golang-github-QubitProducts-exporter_exporter-debuginfo-0.4.0-1.6.1
* golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1
* golang-github-lusitaniae-apache_exporter-1.0.0-1.8.1
* SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (aarch64 ppc64le x86_64)
* golang-github-prometheus-node_exporter-debuginfo-1.5.0-1.9.2
* golang-github-prometheus-node_exporter-1.5.0-1.9.2
* golang-github-prometheus-node_exporter-debugsource-1.5.0-1.9.2
* SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (noarch)
* scap-security-guide-redhat-0.1.69-1.12.2
* spacecmd-4.3.23-1.18.2
## References:
* https://www.suse.com/security/cve/CVE-2022-32149.html
* https://www.suse.com/security/cve/CVE-2022-41723.html
* https://www.suse.com/security/cve/CVE-2022-46146.html
* https://www.suse.com/security/cve/CVE-2023-29409.html
* https://bugzilla.suse.com/show_bug.cgi?id=1204501
* https://bugzilla.suse.com/show_bug.cgi?id=1208046
* https://bugzilla.suse.com/show_bug.cgi?id=1208270
* https://bugzilla.suse.com/show_bug.cgi?id=1213691
* https://bugzilla.suse.com/show_bug.cgi?id=1213880
* https://jira.suse.com/browse/ECO-3319
* https://jira.suse.com/browse/MSQA-699
* https://jira.suse.com/browse/PED-5405
* https://jira.suse.com/browse/SLE-24791