SUSE Security Update: Security Beta update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:0311-1
Rating:             moderate
References:         #1190781 #1191454 #1192487 #1193600 #1193688
Cross-References:   CVE-2021-39226 CVE-2021-43813
CVSS scores:
                    CVE-2021-39226 (NVD) : 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
                    CVE-2021-39226 (SUSE): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
                    CVE-2021-43813 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-43813 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected Products:
                    SUSE Manager Tools 15-BETA
______________________________________________________________________________

   An update that solves two vulnerabilities and has three
   fixes is now available.

Description:

   This update fixes the following issues:

   ansible:

   - Require python macros for building

   grafana:

   - Update to version 7.5.12:
     * Fix markdown path traversal (#42969, bsc#1193688, CVE-2021-43813)
   - Recreate tarballs using the makefile to update the npm and go modules
     required
   - Update to version 7.5.11:
     * Fix Snapshot authentication bypass (bsc#1191454, CVE-2021-39226)
     * Fix certs issue (#40002)
     * Release v7.5.11 (#124)
     * Fix static path matching issue in macaron
     * OAuth: add docs for disableAutoLogin param (#38752) (#38894)
     * Fix #747; remove 'other variables'. (#37866) (#37878)
     * Update alert docs (#33658) (#33659)
     * [7.5.x] Docs: added documentation for the "prepare time
       series"-transformation. (#36836)
     * cherry picked dc5778c303ca555b70e8ca8c28e95997e26ecfc1 (#36813)
     * "Release: Updated versions in package to 7.5.10" (#36792)
     * [v7.5.x] Transformations: add 'prepare time series' transformer
       (#36749)
     * Remove verify-drone from windows (#36775)
     * Update queries.md (#31941) (#36764)
     * Updated content to specify method to use to get keyboard shortcuts
       wh… (#36084) (#36087)
     * ReleaseNotes: Updated changelog and release notes for 7.5.9 (#36057)
       (#36077)
     * "Release: Updated versions in package to 7.5.9" (#36056)
     * Login: Fixes Unauthorized message showing when on login page or
       snapshot page (#35311) (#35880)
     * ReleaseNotes: Updated changelog and release notes for 7.5.8 (#35703)
       (#35822)
     * CI: Upgrade pipeline tool to use main (#35804)
     * CI: try to force v7.5.x instead of master (#35799)
     * CI: supports move from master to main in 7.5.x release branch (#35747)
     * "Release: Updated versions in package to 7.5.8" (#35701)
     * Chore: Bump acorn and lodash-es (#35650)
     * Snapshots: Remove dashboard links from snapshots (#35567) (#35585)
     * [v7.5.x] Datasource: Allow configuring `MaxConnsPerHost` (#35519)
     * Remove docs sync from v7.5.x (#35443)
     * "Release: Updated versions in package to 7.5.7" (#35412)
     * Add max_idle_connections_per_host to config (#35365)
     * Update go.sum to fix failing enterprise pipeline (#35353)
     * [v7.5.x] HTTP Client: Introduce `go-conntrack`  (#35321)
     * Fix Markdown syntax in enterprise/license/_index.md (#34683) (#35210)
     * Update annotations.md (#33218) (#35138)
     * Docs: Add query caching to enterprise docs page (#34751) (#35025)
     * [7.5.x] Admin: hide per role counts for licensed users (#34994)
     * cleanup shortcodes, image paths (#34827)
     * Security: Upgrade Thrift dependency (#34698) (#34702)
     * Docs: Fix Quick Start link on Getting Started Influx page (#34549)
       (#34603)
     * Add link to release notes v7.5.7 (#34460) (#34474)
     * Update 7.5.x landing page (#34447)
     * ReleaseNotes: Updated changelog and release notes for 7.5.7 (#34383)
       (#34428)
   - Update to 7.5.10
     * [v7.5.x] Transformations: add "prepare time series" transformer.
       [#36749]
   - Update to 7.5.9
     * Login: Fix Unauthorized message that is displayed on sign-in or
       snapshot page. [#35880]
   - Drop drop-grafana-aws-sdk-0.3.0-module.patch (upstream)

   mgr-cfg:

   - Version 4.3.4-1
     * Fix installation problem for SLE15SP4 due to missing python-selinux
     * Fix python selinux package name depending on build target (bsc#1193600)
     * Do not build python 2 package for SLE15SP4 and higher

   mgr-custom-info:

   - Version 4.3.3-1
     * require python macros for building

   mgr-osad:

   - Version 4.3.3-1
     * require python macros for building
     * Do not build python 2 package for SLE15SP4 and higher

   mgr-push:

   - Version 4.3.2-1
     * Do not build python 2 package for SLE15SP4 and higher

   mgr-virtualization:

   - Version 4.3.2-1
     * require python macros for building
     * Do not build python 2 package for SLE15SP4 and higher

   python-hwdata:

   - Require python macros for building

   rhnlib:

   - Version 4.3.2-1
     * do not build python 2 package for SLE15

   salt:

   - Don't check for cached pillar errors on state.apply (bsc#1190781)

   spacecmd:

   - Version 4.3.5-1
     * require python macros for building

   spacewalk-client-tools:

   - Version 4.3.5-1
     * require python macros for building
     * do not build python 2 package for SLE15

   spacewalk-koan:

   - Version 4.3.2-1
     * Do not build python 2 package for SLE15SP4 and higher

   spacewalk-oscap:

   - Version 4.3.2-1
     * require python macros for building
     * Do not build python 2 package for SLE15SP4 and higher

   spacewalk-remote-utils:

   - Version 4.3.2-1
     * require python macros for building

   suseRegisterInfo:

   - Version 4.3.2-1
     * require python macros for building
     * Do not build python 2 package for SLE15 and higher

   uyuni-common-libs:

   - Version 4.3.2-1
     * Read modularity data from DISTTAG tag as fallback (bsc#1192487)
     * Add decompression of zck files to fileutils
     * require python macros for building

   zypp-plugin-spacewalk:

   - 1.0.11
     * require python macros for building


Patch Instructions:

   To install this SUSE Security Update, use the SUSE-recommended installation
   methods, such as YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Tools 15-BETA:

      zypper in -t patch SUSE-SLE-Manager-Tools-15-BETA-2022-311=1



Package List:

   - SUSE Manager Tools 15-BETA (aarch64 ppc64le s390x x86_64):

      grafana-7.5.12-159000.4.18.3
      python3-salt-3003.3-159000.8.47.2
      python3-uyuni-common-libs-4.3.2-159000.3.24.4
      salt-3003.3-159000.8.47.2
      salt-api-3003.3-159000.8.47.2
      salt-cloud-3003.3-159000.8.47.2
      salt-doc-3003.3-159000.8.47.2
      salt-master-3003.3-159000.8.47.2
      salt-minion-3003.3-159000.8.47.2
      salt-proxy-3003.3-159000.8.47.2
      salt-ssh-3003.3-159000.8.47.2
      salt-standalone-formulas-configuration-3003.3-159000.8.47.2
      salt-syndic-3003.3-159000.8.47.2

   - SUSE Manager Tools 15-BETA (noarch):

      ansible-2.9.21-159000.3.6.2
      ansible-doc-2.9.21-159000.3.6.2
      mgr-cfg-4.3.4-159000.4.20.2
      mgr-cfg-actions-4.3.4-159000.4.20.2
      mgr-cfg-client-4.3.4-159000.4.20.2
      mgr-cfg-management-4.3.4-159000.4.20.2
      mgr-custom-info-4.3.3-159000.4.12.3
      mgr-osad-4.3.3-159000.4.21.4
      mgr-push-4.3.2-159000.4.12.4
      mgr-virtualization-host-4.3.2-159000.4.12.3
      python3-hwdata-2.3.5-159000.5.10.3
      python3-mgr-cfg-4.3.4-159000.4.20.2
      python3-mgr-cfg-actions-4.3.4-159000.4.20.2
      python3-mgr-cfg-client-4.3.4-159000.4.20.2
      python3-mgr-cfg-management-4.3.4-159000.4.20.2
      python3-mgr-osa-common-4.3.3-159000.4.21.4
      python3-mgr-osad-4.3.3-159000.4.21.4
      python3-mgr-push-4.3.2-159000.4.12.4
      python3-mgr-virtualization-common-4.3.2-159000.4.12.3
      python3-mgr-virtualization-host-4.3.2-159000.4.12.3
      python3-rhnlib-4.3.2-159000.6.21.3
      python3-spacewalk-check-4.3.5-159000.6.36.5
      python3-spacewalk-client-setup-4.3.5-159000.6.36.5
      python3-spacewalk-client-tools-4.3.5-159000.6.36.5
      python3-spacewalk-koan-4.3.2-159000.6.12.3
      python3-spacewalk-oscap-4.3.2-159000.6.12.3
      python3-suseRegisterInfo-4.3.2-159000.6.18.3
      python3-zypp-plugin-spacewalk-1.0.11-159000.6.18.3
      salt-bash-completion-3003.3-159000.8.47.2
      salt-fish-completion-3003.3-159000.8.47.2
      salt-zsh-completion-3003.3-159000.8.47.2
      spacecmd-4.3.5-159000.6.30.3
      spacewalk-check-4.3.5-159000.6.36.5
      spacewalk-client-setup-4.3.5-159000.6.36.5
      spacewalk-client-tools-4.3.5-159000.6.36.5
      spacewalk-koan-4.3.2-159000.6.12.3
      spacewalk-oscap-4.3.2-159000.6.12.3
      spacewalk-remote-utils-4.3.2-159000.6.12.3
      suseRegisterInfo-4.3.2-159000.6.18.3
      zypp-plugin-spacewalk-1.0.11-159000.6.18.3


References:

   https://www.suse.com/security/cve/CVE-2021-39226.html
   https://www.suse.com/security/cve/CVE-2021-43813.html
   https://bugzilla.suse.com/1190781
   https://bugzilla.suse.com/1191454
   https://bugzilla.suse.com/1192487
   https://bugzilla.suse.com/1193600
   https://bugzilla.suse.com/1193688