SUSE-SU-2022:3747-1: moderate: Security update for SUSE Manager Client Tools

Wed Oct 26 14:06:41 UTC 2022

   SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:3747-1
Rating:             moderate
References:         #1196338 #1198903 #1200725 #1201535 #1201539 
                    SLE-23422 SLE-23439 SLE-24243 SLE-24565 SLE-24791 
                    SUMA-114 
Cross-References:   CVE-2022-21698 CVE-2022-31097 CVE-2022-31107

CVSS scores:
                    CVE-2022-21698 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-21698 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-31097 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
                    CVE-2022-31097 (SUSE): 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
                    CVE-2022-31107 (NVD) : 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-31107 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Affected Products:
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Manager Tools 12
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________

   An update that solves three vulnerabilities, contains 6
   features and has two fixes is now available.

Description:

   This update fixes the following issues:

   golang-github-lusitaniae-apache_exporter:

   - Update to upstream release 0.11.0 (jsc#SLE-24791)
     * Add TLS support
     * Switch to logger, please check --log.level and --log.format flags
   - Update to version 0.10.1
     * Bugfix: Reset ProxyBalancer metrics on each scrape to remove stale data
   - Update to version 0.10.0
     * Add Apache Proxy and other metrics
   - Update to version 0.8.0
     * Change commandline flags
     * Add metrics: Apache version, request duration total
   - Adapted to build on Enterprise Linux 8
   - Require building with Go 1.15
   - Add %license macro for LICENSE file

   golang-github-prometheus-alertmanager:

   - Do not include sources (bsc#1200725)

   golang-github-prometheus-node_exporter:

   - CVE-2022-21698: Denial of service using InstrumentHandlerCounter.
     (bsc#1196338, jsc#SLE-24243, jsc#SUMA-114)

   grafana:

   - Update to version 8.3.10
     + Security:
       * CVE-2022-31097: Cross Site Scripting vulnerability in the Unified
         Alerting (bsc#1201535)
       * CVE-2022-31107: OAuth account takeover vulnerability (bsc#1201539)
   - Update to version 8.3.9
     + Bug fixes:
       * Geomap: Display legend
       * Prometheus: Fix timestamp truncation
   - Update to version 8.3.7
     + Bug fix:
       * Provisioning: Ensure that the default value for orgID is set when
         provisioning datasources to be deleted.
   - Update to version 8.3.6
     + Features and enhancements:
       * Cloud Monitoring: Reduce request size when listing labels.
       * Explore: Show scalar data result in a table instead of graph.
       * Snapshots: Updates the default external snapshot server URL.
       * Table: Makes footer not overlap table content.
       * Tempo: Add request histogram to service graph datalink.
       * Tempo: Add time range to tempo search query behind a feature flag.
       * Tempo: Auto-clear results when changing query type.
       * Tempo: Display start time in search results as relative time.
       * CloudMonitoring: Fix resource labels in query editor.
       * Cursor sync: Apply the settings without saving the dashboard.
       * LibraryPanels: Fix for Error while cleaning library panels.
       * Logs Panel: Fix timestamp parsing for string dates without timezone.
       * Prometheus: Fix some of the alerting queries that use reduce/math
         operation.
       * TablePanel: Fix ad-hoc variables not working on default datasources.
       * Text Panel: Fix alignment of elements.
       * Variables: Fix for constant variables in self referencing links.
   - Update to version 8.3.5 (jsc#SLE-23439, jsc#SLE-23422, jsc#SLE-24565)

   kiwi-desc-saltboot:

   - Update to version 0.1.1661440542.6cbe0da
     * Use standard susemanager.conf
     * Use salt bundle
     * Add support fo VirtIO disks

   mgr-daemon:

   - Version 4.3.6-1
     * Update translation strings

   spacecmd:

   - Version 4.3.15-1
     * Process date values in spacecmd api calls (bsc#1198903)

   spacewalk-client-tools:

   - Version 4.3.12-1
     * Update translation strings

   uyuni-common-libs:

   - Version 4.3.6-1
     * Do not allow creating path if nonexistent user or group in fileutils.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-3747=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2022-3747=1

   - SUSE Manager Tools 12:

      zypper in -t patch SUSE-SLE-Manager-Tools-12-2022-3747=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-3747=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-3747=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-3747=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-3747=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      golang-github-prometheus-node_exporter-1.3.0-1.21.1

   - SUSE OpenStack Cloud 9 (x86_64):

      golang-github-prometheus-node_exporter-1.3.0-1.21.1

   - SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64):

      golang-github-lusitaniae-apache_exporter-0.11.0-1.13.1
      golang-github-prometheus-alertmanager-0.23.0-1.15.2
      golang-github-prometheus-node_exporter-1.3.0-1.21.1
      grafana-8.3.10-1.33.2
      python2-uyuni-common-libs-4.3.6-1.27.1

   - SUSE Manager Tools 12 (noarch):

      kiwi-desc-saltboot-0.1.1661440542.6cbe0da-1.29.1
      mgr-daemon-4.3.6-1.38.1
      python2-spacewalk-check-4.3.12-52.77.1
      python2-spacewalk-client-setup-4.3.12-52.77.1
      python2-spacewalk-client-tools-4.3.12-52.77.1
      spacecmd-4.3.15-38.109.1
      spacewalk-check-4.3.12-52.77.1
      spacewalk-client-setup-4.3.12-52.77.1
      spacewalk-client-tools-4.3.12-52.77.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      golang-github-prometheus-node_exporter-1.3.0-1.21.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      golang-github-prometheus-node_exporter-1.3.0-1.21.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      golang-github-prometheus-node_exporter-1.3.0-1.21.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      golang-github-prometheus-node_exporter-1.3.0-1.21.1

References:

   https://www.suse.com/security/cve/CVE-2022-21698.html
   https://www.suse.com/security/cve/CVE-2022-31097.html
   https://www.suse.com/security/cve/CVE-2022-31107.html
   https://bugzilla.suse.com/1196338
   https://bugzilla.suse.com/1198903
   https://bugzilla.suse.com/1200725
   https://bugzilla.suse.com/1201535
   https://bugzilla.suse.com/1201539