SUSE: 2022:0311-1 moderate: Security Beta SUSE Manager Client Tools
Summary
This update fixes the following issues:

ansible:

- Require python macros for building

grafana:

- Update to version 7.5.12:
  * Fix markdown path traversal (#42969, bsc#1193688, CVE-2021-43813)
- Recreate tarballs using the makefile to update the npm and go modules required
- Update to version 7.5.11:
  * Fix Snapshot authentication bypass (bsc#1191454, CVE-2021-39226)
  * Fix certs issue (#40002)
  * Release v7.5.11 (#124)
  * Fix static path matching issue in macaron
  * OAuth: add docs for disableAutoLogin param (#38752) (#38894)
  * Fix #747; remove 'other variables'. (#37866) (#37878)
  * Update alert docs (#33658) (#33659)
  * [7.5.x] Docs: added documentation for the "prepare time series"-transformation. (#36836)
  * cherry picked dc5778c303ca555b70e8ca8c28e95997e26ecfc1 (#36813)
  * "Release: Updated versions in package to 7.5.10" (#36792)
  * [v7.5.x] Transformations: add 'prepare time series' transformer (#36749)
  * Remove verify-drone from windows (#36775)
  * Update queries.md (#31941) (#36764)
  * Updated content to specify method to use to get keyboard shortcuts wh… (#36084) (#36087)
  * ReleaseNotes: Updated changelog and release notes for 7.5.9 (#36057) (#36077)
  * "Release: Updated versions in package to 7.5.9" (#36056)
  * Login: Fixes Unauthorized message showing when on login page or snapshot page (#35311) (#35880)
  * ReleaseNotes: Updated changelog and release notes for 7.5.8 (#35703) (#35822)
  * CI: Upgrade pipeline tool to use main (#35804)
  * CI: try to force v7.5.x instead of master (#35799)
  * CI: supports move from master to main in 7.5.x release branch (#35747)
  * "Release: Updated versions in package to 7.5.8" (#35701)
  * Chore: Bump acorn and lodash-es (#35650)
  * Snapshots: Remove dashboard links from snapshots (#35567) (#35585)
  * [v7.5.x] Datasource: Allow configuring `MaxConnsPerHost` (#35519)
  * Remove docs sync from v7.5.x (#35443)
  * "Release: Updated versions in package to 7.5.7" (#35412)
  * Add max_idle_connections_per_host to config (#35365)
  * Update go.sum to fix failing enterprise pipeline (#35353)
  * [v7.5.x] HTTP Client: Introduce `go-conntrack` (#35321)
  * Fix Markdown syntax in enterprise/license/_index.md (#34683) (#35210)
  * Update annotations.md (#33218) (#35138)
  * Docs: Add query caching to enterprise docs page (#34751) (#35025)
  * [7.5.x] Admin: hide per role counts for licensed users (#34994)
  * cleanup shortcodes, image paths (#34827)
  * Security: Upgrade Thrift dependency (#34698) (#34702)
  * Docs: Fix Quick Start link on Geting Started Influx page (#34549) (#34603)
  * Add link to release notes v7.5.7 (#34460) (#34474)
  * Update 7.5.x landing page (#34447)
  * ReleaseNotes: Updated changelog and release notes for 7.5.7 (#34383) (#34428)
- Update to 7.5.10
  * [v7.5.x] Transformations: add "prepare time series" transformer. [#36749]
- Update to 7.5.9
  * Login: Fix Unauthorized message that is displayed on sign-in or snapshot page. [#35880]
- Drop drop-grafana-aws-sdk-0.3.0-module.patch (upstream)

mgr-cfg:

- Version 4.3.4-1
  * Fix installation problem for SLE15SP4 due missing python-selinux
  * Fix python selinux package name depending on build target (bsc#1193600)
  * Do not build python 2 package for SLE15SP4 and higher

mgr-custom-info:

- Version 4.3.3-1
  * require python macros for building

mgr-osad:

- Version 4.3.3-1
  * require python macros for building
  * Do not build python 2 package for SLE15SP4 and higher

mgr-push:

- Version 4.3.2-1
  * Do not build python 2 package for SLE15SP4 and higher

mgr-virtualization:

- Version 4.3.2-1
  * require python macros for building
  * Do not build python 2 package for SLE15SP4 and higher

python-hwdata:

- Require python macros for building

rhnlib:

- Version 4.3.2-1
  * do not build python 2 package for SLE15

salt:

- Don't check for cached pillar errors on state.apply (bsc#1190781)

spacecmd:

- Version 4.3.5-1
  * require python macros for building

spacewalk-client-tools:

- Version 4.3.5-1
  * require python macros for building
  * do not build python 2 package for SLE15

spacewalk-koan:

- Version 4.3.2-1
  * Do not build python 2 package for SLE15SP4 and higher

spacewalk-oscap:

- Version 4.3.2-1
  * require python macros for building
  * Do not build python 2 package for SLE15SP4 and higher

spacewalk-remote-utils:

- Version 4.3.2-1
  * require python macros for building

suseRegisterInfo:

- Version 4.3.2-1
  * require python macros for building
  * Do not build python 2 package for SLE15 and higher

uyuni-common-libs:

- Version 4.3.2-1
  * Read modularity data from DISTTAG tag as fallback (bsc#1192487)
  * Add decompression of zck files to fileutils
  * require python macros for building

zypp-plugin-spacewalk:

- 1.0.11
  * require python macros for building

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Tools 15-BETA:

  zypper in -t patch SUSE-SLE-Manager-Tools-15-BETA-2022-311=1

Package List:

- SUSE Manager Tools 15-BETA (aarch64 ppc64le s390x x86_64):
  grafana-7.5.12-159000.4.18.3
  python3-salt-3003.3-159000.8.47.2
  python3-uyuni-common-libs-4.3.2-159000.3.24.4
  salt-3003.3-159000.8.47.2
  salt-api-3003.3-159000.8.47.2
  salt-cloud-3003.3-159000.8.47.2
  salt-doc-3003.3-159000.8.47.2
  salt-master-3003.3-159000.8.47.2
  salt-minion-3003.3-159000.8.47.2
  salt-proxy-3003.3-159000.8.47.2
  salt-ssh-3003.3-159000.8.47.2
  salt-standalone-formulas-configuration-3003.3-159000.8.47.2
  salt-syndic-3003.3-159000.8.47.2

- SUSE Manager Tools 15-BETA (noarch):
  ansible-2.9.21-159000.3.6.2
  ansible-doc-2.9.21-159000.3.6.2
  mgr-cfg-4.3.4-159000.4.20.2
  mgr-cfg-actions-4.3.4-159000.4.20.2
  mgr-cfg-client-4.3.4-159000.4.20.2
  mgr-cfg-management-4.3.4-159000.4.20.2
  mgr-custom-info-4.3.3-159000.4.12.3
  mgr-osad-4.3.3-159000.4.21.4
  mgr-push-4.3.2-159000.4.12.4
  mgr-virtualization-host-4.3.2-159000.4.12.3
  python3-hwdata-2.3.5-159000.5.10.3
  python3-mgr-cfg-4.3.4-159000.4.20.2
  python3-mgr-cfg-actions-4.3.4-159000.4.20.2
  python3-mgr-cfg-client-4.3.4-159000.4.20.2
  python3-mgr-cfg-management-4.3.4-159000.4.20.2
  python3-mgr-osa-common-4.3.3-159000.4.21.4
  python3-mgr-osad-4.3.3-159000.4.21.4
  python3-mgr-push-4.3.2-159000.4.12.4
  python3-mgr-virtualization-common-4.3.2-159000.4.12.3
  python3-mgr-virtualization-host-4.3.2-159000.4.12.3
  python3-rhnlib-4.3.2-159000.6.21.3
  python3-spacewalk-check-4.3.5-159000.6.36.5
  python3-spacewalk-client-setup-4.3.5-159000.6.36.5
  python3-spacewalk-client-tools-4.3.5-159000.6.36.5
  python3-spacewalk-koan-4.3.2-159000.6.12.3
  python3-spacewalk-oscap-4.3.2-159000.6.12.3
  python3-suseRegisterInfo-4.3.2-159000.6.18.3
  python3-zypp-plugin-spacewalk-1.0.11-159000.6.18.3
  salt-bash-completion-3003.3-159000.8.47.2
  salt-fish-completion-3003.3-159000.8.47.2
  salt-zsh-completion-3003.3-159000.8.47.2
  spacecmd-4.3.5-159000.6.30.3
  spacewalk-check-4.3.5-159000.6.36.5
  spacewalk-client-setup-4.3.5-159000.6.36.5
  spacewalk-client-tools-4.3.5-159000.6.36.5
  spacewalk-koan-4.3.2-159000.6.12.3
  spacewalk-oscap-4.3.2-159000.6.12.3
  spacewalk-remote-utils-4.3.2-159000.6.12.3
  suseRegisterInfo-4.3.2-159000.6.18.3
  zypp-plugin-spacewalk-1.0.11-159000.6.18.3
References
#1190781 #1191454 #1192487 #1193600 #1193688
Cross-References: CVE-2021-39226 CVE-2021-43813
CVSS scores:
CVE-2021-39226 (NVD) : 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVE-2021-39226 (SUSE): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVE-2021-43813 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2021-43813 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected Products:
SUSE Manager Tools 15-BETA
https://www.suse.com/security/cve/CVE-2021-39226.html
https://www.suse.com/security/cve/CVE-2021-43813.html
https://bugzilla.suse.com/1190781
https://bugzilla.suse.com/1191454
https://bugzilla.suse.com/1192487
https://bugzilla.suse.com/1193600
https://bugzilla.suse.com/1193688