SUSE-SU-2025:0524-1: moderate: Security update for SUSE Manager Client Tools
SLE-SECURITY-UPDATES
null at suse.de
Fri Feb 14 08:32:34 UTC 2025
# Security update for SUSE Manager Client Tools
Announcement ID: SUSE-SU-2025:0524-1
Release Date: 2025-02-14T07:16:37Z
Rating: moderate
References:
* bsc#1212641
* bsc#1219912
* bsc#1229079
* bsc#1229104
* bsc#1231024
* bsc#1231497
* bsc#1231568
* bsc#1231759
* bsc#1232575
* bsc#1232769
* bsc#1232817
* bsc#1232970
* bsc#1233202
* bsc#1233279
* bsc#1233630
* bsc#1233660
* bsc#1234123
* bsc#1234554
* bsc#1235145
* bsc#1236301
* jsc#MSQA-914
* jsc#PED-11591
* jsc#PED-11649
Cross-References:
* CVE-2023-3128
* CVE-2023-6152
* CVE-2024-22037
* CVE-2024-45337
* CVE-2024-51744
* CVE-2024-6837
* CVE-2024-8118
CVSS scores:
* CVE-2023-3128 ( SUSE ): 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
* CVE-2023-3128 ( NVD ): 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
* CVE-2023-3128 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-6152 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-6152 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-6152 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
* CVE-2024-22037 ( SUSE ): 5.7
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L
* CVE-2024-22037 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-22037 ( NVD ): 5.7
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2024-22037 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-45337 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45337 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2024-51744 ( SUSE ): 2.1
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2024-51744 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2024-51744 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2024-6837 ( SUSE ): 5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2024-6837 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2024-8118 ( SUSE ): 4.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
* CVE-2024-8118 ( NVD ): 5.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:
* SUSE Linux Enterprise Desktop 12
* SUSE Linux Enterprise Desktop 12 SP1
* SUSE Linux Enterprise Desktop 12 SP2
* SUSE Linux Enterprise Desktop 12 SP3
* SUSE Linux Enterprise Desktop 12 SP4
* SUSE Linux Enterprise High Performance Computing 12 SP2
* SUSE Linux Enterprise High Performance Computing 12 SP3
* SUSE Linux Enterprise High Performance Computing 12 SP4
* SUSE Linux Enterprise High Performance Computing 12 SP5
* SUSE Linux Enterprise Server 12
* SUSE Linux Enterprise Server 12 SP1
* SUSE Linux Enterprise Server 12 SP2
* SUSE Linux Enterprise Server 12 SP3
* SUSE Linux Enterprise Server 12 SP4
* SUSE Linux Enterprise Server 12 SP5
* SUSE Linux Enterprise Server for SAP Applications 12
* SUSE Linux Enterprise Server for SAP Applications 12 SP1
* SUSE Linux Enterprise Server for SAP Applications 12 SP2
* SUSE Linux Enterprise Server for SAP Applications 12 SP3
* SUSE Linux Enterprise Server for SAP Applications 12 SP4
* SUSE Linux Enterprise Server for SAP Applications 12 SP5
* SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
* SUSE Manager Client Tools for SLE 12
An update that solves seven vulnerabilities, contains three features and has 13
security fixes can now be installed.
## Description:
This update fixes the following issues:
golang-github-prometheus-prometheus was updated from version 2.45.6 to 2.53.3
(jsc#PED-11649):
* Security issues fixed:
* CVE-2024-51744: Updated golang-jwt to version 5.0 to fix bad error handling
(bsc#1232970)
* Highlights of other changes:
* Performance:
* Significant enhancements to PromQL execution speed, TSDB operations (especially querying and compaction) and remote write operations.
* Default GOGC value lowered to 75 for better memory management.
* Option to limit memory usage from dropped targets added.
* New Features:
* Experimental OpenTelemetry ingestion.
* Automatic memory limit handling.
* Native histogram support, including new functions, UI enhancements, and improved scraping.
* Improved alerting features, such as relabeling rules for AlertmanagerConfig and a new query_offset option.
* Expanded service discovery options with added metadata and support for new services.
* New promtool commands for PromQL formatting, label manipulation, metric pushing, and OpenMetrics dumping.
* Bug Fixes:
* Numerous fixes across scraping, API, TSDB, PromQL, and service discovery.
* For a detailed list of changes consult the package changelog or
https://github.com/prometheus/prometheus/compare/v2.45.6...v2.53.3
golang-github-prometheus-promu was updated to version 0.17.0:
* Added codesign utility function
grafana was updated from version 9.5.18 to 10.4.13
(jsc#PED-11591,jsc#PED-11649):
* Security issues fixed:
* CVE-2024-45337: Prevent possible misuse of ServerConfig.PublicKeyCallback by
upgrading golang.org/x/crypto (bsc#1234554)
* CVE-2023-3128: Fixed authentication bypass using Azure AD OAuth
(bsc#1212641)
* CVE-2023-6152: Add email verification when updating user email (bsc#1219912)
* CVE-2024-6837: Fixed potential data source permission escalation
(bsc#1236301)
* CVE-2024-8118: Fixed permission on external alerting rule write endpoint
(bsc#1231024)
* Potential breaking changes in version 10:
* In panels using the `extract fields` transformation, where one of the
extracted names collides with one of the already existing ields, the
extracted field will be renamed.
* For the existing backend mode users who have table visualization might see
some inconsistencies on their panels. We have updated the table column
naming. This will potentially affect field transformations and/or field
overrides. To resolve this either: update transformation or field override.
* For the existing backend mode users who have Transformations with the `time`
field, might see their transformations are not working. Those panels that
have broken transformations will fail to render. This is because we changed
the field key. To resolve this either: Remove the affected panel and re-
create it; Select the `Time` field again; Edit the `time` field as `Time`
for transformation in `panel.json` or `dashboard.json`
* The following data source permission endpoints have been removed: `GET
/datasources/:datasourceId/permissions` `POST
/api/datasources/:datasourceId/permissions` `DELETE
/datasources/:datasourceId/permissions` `POST
/datasources/:datasourceId/enable-permissions` `POST
/datasources/:datasourceId/disable-permissions`
* Please use the following endpoints instead: `GET /api/access-control/datasources/:uid` for listing data source permissions `POST /api/access-control/datasources/:uid/users/:id`, `POST /api/access-control/datasources/:uid/teams/:id` and `POST /api/access-control/datasources/:uid/buildInRoles/:id` for adding or removing data source permissions
* If you are using Terraform Grafana provider to manage data source
permissions, you will need to upgrade your provider.
* For the existing backend mode users who have table visualization might see
some inconsistencies on their panels. We have updated the table column
naming. This will potentially affect field transformations and/or field
overrides.
* The deprecated `/playlists/{uid}/dashboards` API endpoint has been removed.
Dashboard information can be retrieved from the `/dashboard/...` APIs.
* The `PUT /api/folders/:uid` endpoint no more supports modifying the folder's
`UID`
* Removed all components for the old panel header design.
* Please review https://grafana.com/docs/grafana/next/breaking-
changes/breaking-changes-v10-3/ for more details
* OAuth role mapping enforcement: This change impacts GitHub, Gitlab, Okta,
and Generic OAuth. To avoid overriding manually set roles, enable the
skip_org_role_sync option in the Grafana configuration for your OAuth
provider before upgrading
* Angular has been deprecated
* Grafana legacy alerting has been deprecated
* API keys are migrating to service accounts
* The experimental “dashboard previews” feature is removed
* Usernames are now case-insensitive by default
* Grafana OAuth integrations do not work anymore with email lookups
* The “Alias” field in the CloudWatch data source is removed
* Athena data source plugin must be updated to version >=2.9.3
* Redshift data source plugin must be updated to version >=1.8.3
* DoiT International BigQuery plugin no longer supported
* Please review https://grafana.com/docs/grafana/next/breaking-
changes/breaking-changes-v10-0 for more details
* This update brings many new features, enhancements and fixes highlighted at:
* https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v10-4/
* https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v10-3/
* https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v10-2/
* https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v10-1/
* https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v10-0/
spacecmd was updated to version 5.0.11-0:
* Updated translation strings
supportutils-plugin-salt was updated to version 1.2.3:
* Adjusted requirements for plugin to allow compatibility with supportutils
3.2.9 release (bsc#1235145)
* Provide backwards-compatible scripts version
supportutils-plugin-susemanager-client was updated to version 5.0.4-0:
* Adjusted requirements for plugin to allow compatibility with supportutils
3.2.9 release (bsc#1235145)
uyuni-tools was updated from version 0.1.23-0 to 0.1.27-0:
* Security issues fixed:
* CVE-2024-22037: Use podman secret to store the database credentials
(bsc#1231497)
* Other changes and bugs fixed:
* Version 0.1.27-0
* Bump the default image tag to 5.0.3
* IsInstalled function fix
* Run systemctl daemon-reload after changing the container image config (bsc#1233279)
* Coco-replicas-upgrade
* Persist search server indexes (bsc#1231759)
* Sync deletes files during migration (bsc#1233660)
* Ignore coco and hub images when applying PTF if they are not ailable (bsc#1229079)
* Add --registry back to mgrpxy (bsc#1233202)
* Only add java.hostname on migrated server if not present
* Consider the configuration file to detect the coco or hub api images should be pulled (bsc#1229104)
* Only raise an error if cloudguestregistryauth fails for PAYG (bsc#1233630)
* Add registry.suse.com login to mgradm upgrade podman list (bsc#1234123)
* Version 0.1.26-0
* Ignore all zypper caches during migration (bsc#1232769)
* Use the uyuni network for all podman containers (bsc#1232817)
* Version 0.1.25-0
* Don't migrate enabled systemd services, recreate them (bsc#1232575)
* Redact JSESSIONID and pxt-session-cookie values from logs and console output (bsc#1231568)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Manager Client Tools for SLE 12
zypper in -t patch SUSE-SLE-Manager-Tools-12-2025-524=1
## Package List:
* SUSE Manager Client Tools for SLE 12 (aarch64 ppc64le s390x x86_64)
* mgrctl-0.1.28-1.16.1
* mgrctl-debuginfo-0.1.28-1.16.1
* golang-github-prometheus-prometheus-2.53.3-1.56.1
* golang-github-prometheus-promu-0.17.0-1.24.1
* grafana-10.4.13-1.66.2
* SUSE Manager Client Tools for SLE 12 (noarch)
* supportutils-plugin-susemanager-client-5.0.4-6.33.1
* mgrctl-zsh-completion-0.1.28-1.16.1
* mgrctl-bash-completion-0.1.28-1.16.1
* supportutils-plugin-salt-1.2.3-6.25.1
* spacecmd-5.0.11-38.153.1
## References:
* https://www.suse.com/security/cve/CVE-2023-3128.html
* https://www.suse.com/security/cve/CVE-2023-6152.html
* https://www.suse.com/security/cve/CVE-2024-22037.html
* https://www.suse.com/security/cve/CVE-2024-45337.html
* https://www.suse.com/security/cve/CVE-2024-51744.html
* https://www.suse.com/security/cve/CVE-2024-6837.html
* https://www.suse.com/security/cve/CVE-2024-8118.html
* https://bugzilla.suse.com/show_bug.cgi?id=1212641
* https://bugzilla.suse.com/show_bug.cgi?id=1219912
* https://bugzilla.suse.com/show_bug.cgi?id=1229079
* https://bugzilla.suse.com/show_bug.cgi?id=1229104
* https://bugzilla.suse.com/show_bug.cgi?id=1231024
* https://bugzilla.suse.com/show_bug.cgi?id=1231497
* https://bugzilla.suse.com/show_bug.cgi?id=1231568
* https://bugzilla.suse.com/show_bug.cgi?id=1231759
* https://bugzilla.suse.com/show_bug.cgi?id=1232575
* https://bugzilla.suse.com/show_bug.cgi?id=1232769
* https://bugzilla.suse.com/show_bug.cgi?id=1232817
* https://bugzilla.suse.com/show_bug.cgi?id=1232970
* https://bugzilla.suse.com/show_bug.cgi?id=1233202
* https://bugzilla.suse.com/show_bug.cgi?id=1233279
* https://bugzilla.suse.com/show_bug.cgi?id=1233630
* https://bugzilla.suse.com/show_bug.cgi?id=1233660
* https://bugzilla.suse.com/show_bug.cgi?id=1234123
* https://bugzilla.suse.com/show_bug.cgi?id=1234554
* https://bugzilla.suse.com/show_bug.cgi?id=1235145
* https://bugzilla.suse.com/show_bug.cgi?id=1236301
* https://jira.suse.com/browse/MSQA-914
* https://jira.suse.com/browse/PED-11591
* https://jira.suse.com/browse/PED-11649
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20250214/c1861d9d/attachment.htm>
More information about the sle-security-updates
mailing list