SUSE Security Update: Security Beta update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:1531-1
Rating:             important
References:         #1181400 #1190535 #1196338 #1196704 #1197042 
                    #1197417 #1197579 #1197689 SLE-24077 SLE-24138 
                    SLE-24139 SLE-24238 SLE-24239 
Cross-References:   CVE-2020-22935 CVE-2022-21698 CVE-2022-22934
                    CVE-2022-22936 CVE-2022-22941
CVSS scores:
                    CVE-2022-21698 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-21698 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-22934 (NVD) : 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-22934 (SUSE): 7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-22936 (NVD) : 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-22936 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-22941 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-22941 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Manager Tools 12-BETA
______________________________________________________________________________

   An update that solves 5 vulnerabilities, contains 5
   features and has three fixes is now available.

Description:

   This update fixes the following issues:

   golang-github-prometheus-alertmanager:

   - CVE-2022-21698: Update vendor tarball with prometheus/client_golang
     1.11.1 (bsc#1196338, jsc#SLE-24077)
   - Update to version 0.23.0:
     * amtool: Detect version drift and warn users (#2672)
     * Add ability to skip TLS verification for amtool (#2663)
     * Fix empty isEqual in amtool. (#2668)
     * Fix main tests (#2670)
     * cli: add new template render command (#2538)
     * OpsGenie: refer to alert instead of incident (#2609)
     * Docs: target_match and source_match are DEPRECATED (#2665)
     * Fix test not waiting for cluster member to be ready
   - Added hardening to systemd service(s) (bsc#1181400). Modified:
     prometheus-alertmanager.service

   golang-github-prometheus-node_exporter:

   - CVE-2022-21698: Update vendor tarball with prometheus/client_golang
     1.11.1 (bsc#1196338, jsc#SLE-24238, jsc#SLE-24239)
   - Update to 1.3.0
     * [CHANGE] Add path label to rapl collector #2146
     * [CHANGE] Exclude filesystems under /run/credentials #2157
     * [CHANGE] Add TCPTimeouts to netstat default filter #2189
     * [FEATURE] Add lnstat collector for metrics from /proc/net/stat/ #1771
     * [FEATURE] Add darwin powersupply collector #1777
     * [FEATURE] Add support for monitoring GPUs on Linux #1998
     * [FEATURE] Add Darwin thermal collector #2032
     * [FEATURE] Add os release collector #2094
     * [FEATURE] Add netdev.address-info collector #2105
     * [FEATURE] Add clocksource metrics to time collector #2197
     * [ENHANCEMENT] Support glob textfile collector directories #1985
     * [ENHANCEMENT] ethtool: Expose node_ethtool_info metric #2080
     * [ENHANCEMENT] Use include/exclude flags for ethtool filtering #2165
     * [ENHANCEMENT] Add flag to disable guest CPU metrics #2123
     * [ENHANCEMENT] Add DMI collector #2131
     * [ENHANCEMENT] Add threads metrics to processes collector #2164
     * [ENHANCEMENT] Reduce timer GC delays in the Linux filesystem collector
       #2169
     * [ENHANCEMENT] Add TCPTimeouts to netstat default filter #2189
     * [ENHANCEMENT] Use SysctlTimeval for boottime collector on BSD #2208
     * [BUGFIX] ethtool: Sanitize metric names #2093
     * [BUGFIX] Fix ethtool collector for multiple interfaces #2126
     * [BUGFIX] Fix possible panic on macOS #2133
     * [BUGFIX] Collect flag_info and bug_info only for one core #2156
     * [BUGFIX] Prevent duplicate ethtool metric names #2187
   - Update to 1.2.2
     + Bug fixes:
       * Fix processes collector long int parsing #2112
   - Update to 1.2.1
     * Remove obsolete patch capture-permission-denied-error-energy_uj.patch
       (already included upstream)
     * Fix zoneinfo parsing prometheus/procfs#386
     * Fix nvme collector log noise #2091
     * Fix rapl collector log noise #2092
   - Update to 1.2.0
     + Changes:
       * Rename filesystem collector flags to match other collectors #2012
       * Make node_exporter print usage to STDOUT #203
     + Features:
       * Add conntrack statistics metrics #1155
       * Add ethtool stats collector #1832
       * Add flag to ignore network speed if it is unknown #1989
       * Add tapestats collector for Linux #2044
       * Add nvme collector #2062
     + Enhancements:
       * Add ErrorLog plumbing to promhttp #1887
       * Add more Infiniband counters #2019
       * netclass: retrieve interface names and filter before parsing #2033
       * Add time zone offset metric #2060
       * Handle errors from disabled PSI subsystem #1983
       * Fix panic when using backwards compatible flags #2000
       * Fix wrong value for OpenBSD memory buffer cache #2015
       * Only initiate collectors once #2048
       * Handle small backwards jumps in CPU idle #2067
   - Apply patch to capture permission denied error for "energy_uj" file
     (bsc#1190535)

   golang-github-prometheus-prometheus:

   - Build firewalld-prometheus-config only for SUSE Linux Enterprise 15,
     15.1 and 15.2, and require firewalld for it
   - Firewalld-prometheus-config needs to be a Recommends, not a Requires, as
     prometheus does not require it to run
   - Create firewalld-prometheus-config subpackage (bsc#1197042)
   - CVE-2022-21698: Update vendor tarball with prometheus/client_golang
     1.12.1 (bsc#1196338)

   golang-github-prometheus-promu:

   - Update to version 0.13.0:
     * Release 0.13.0 (jsc#SLE-24138, jsc#SLE-24139)
     * Add deprecation note to pkg directory
     * Add windows/arm64
     * Update common Prometheus files
     * Fix typo
     * Release 0.12.0
     * Simplify CGO crossbuilds
     * Update common Prometheus files
     * Release 0.11.1
     * Fix build with "linux" platform
   - Update to 0.5.0
     + Features:
       * Add support for aix/ppc64. #151
       * Fallback to git describe output if no VERSION. #130
     + Enhancements:
       * cmd/release: add --timeout option. #142
       * cmd/release: create release in GitHub if none exists. #148
     + Bug Fixes:
       * cmd/tarball: restore --prefix flag. #133
       * cmd/release: don't leak credentials in case of error. #136

   mgr-cfg:

   - Version 4.3.6-1
     * Fix the condition for preventing building python 2 subpackage for
       SLE15 (bsc#1197579)

   mgr-osad:

   - Version 4.3.6-1
     * Fix the condition for preventing building python 2 subpackage for SLE15

   mgr-push:

   - Version 4.3.4-1
     * Fix the condition for preventing building python 2 subpackage for SLE15

   mgr-virtualization:

   - Version 4.3.5-1
     * Fix the condition for preventing building python 2 subpackage for SLE15

   rhnlib:

   - Version 4.3.4-1
     * Fix the condition for preventing building python 2 subpackage for SLE15

   salt:

   - Fix multiple security issues (bsc#1197417)
     * CVE-2020-22935: Sign authentication replies to prevent MiTM.
     * CVE-2022-22934: Sign pillar data to prevent MiTM attacks.
     * CVE-2022-22936: Prevent job and fileserver replays
     * CVE-2022-22941: Fixed targeting bug, especially visible when using
       syndic and user auth.

   spacecmd:

   - Version 4.3.10-1
     * Parse boolean parameters correctly (bsc#1197689)
     * Add parameter to set containerized proxy SSH port

   spacewalk-client-tools:

   - Version 4.3.9-1
     * Fix the condition for preventing building python 2 subpackage for SLE15

   spacewalk-koan:

   - Version 4.3.5-1
     * Fix the condition for preventing building python 2 subpackage for SLE15

   spacewalk-oscap:

   - Version 4.3.5-1
     * Fix the condition for preventing building python 2 subpackage for SLE15

   suseRegisterInfo:

   - Version 4.3.3-1
     * Fix the condition for preventing building python 2 subpackage for SLE15

   uyuni-common-libs:

   - Version 4.3.4-1
     * implement more decompression algorithms for reposync (bsc#1196704)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Tools 12-BETA:

      zypper in -t patch SUSE-SLE-Manager-Tools-12-BETA-2022-1531=1



Package List:

   - SUSE Manager Tools 12-BETA (aarch64 ppc64le s390x x86_64):

      golang-github-prometheus-alertmanager-0.23.0-4.9.1
      golang-github-prometheus-node_exporter-1.3.0-4.12.1
      golang-github-prometheus-prometheus-2.32.1-4.30.1
      golang-github-prometheus-promu-0.13.0-4.9.1
      python2-salt-3000-53.11.1
      python2-uyuni-common-libs-4.3.4-3.30.1
      python3-salt-3000-53.11.1
      salt-3000-53.11.1
      salt-doc-3000-53.11.1
      salt-minion-3000-53.11.1

   - SUSE Manager Tools 12-BETA (noarch):

      mgr-cfg-4.3.6-4.27.1
      mgr-cfg-actions-4.3.6-4.27.1
      mgr-cfg-client-4.3.6-4.27.1
      mgr-cfg-management-4.3.6-4.27.1
      mgr-osad-4.3.6-4.27.1
      mgr-push-4.3.4-4.18.1
      mgr-virtualization-host-4.3.5-4.18.1
      python2-mgr-cfg-4.3.6-4.27.1
      python2-mgr-cfg-actions-4.3.6-4.27.1
      python2-mgr-cfg-client-4.3.6-4.27.1
      python2-mgr-cfg-management-4.3.6-4.27.1
      python2-mgr-osa-common-4.3.6-4.27.1
      python2-mgr-osad-4.3.6-4.27.1
      python2-mgr-push-4.3.4-4.18.1
      python2-mgr-virtualization-common-4.3.5-4.18.1
      python2-mgr-virtualization-host-4.3.5-4.18.1
      python2-rhnlib-4.3.4-24.27.1
      python2-spacewalk-check-4.3.9-55.45.1
      python2-spacewalk-client-setup-4.3.9-55.45.1
      python2-spacewalk-client-tools-4.3.9-55.45.1
      python2-spacewalk-koan-4.3.5-27.18.1
      python2-spacewalk-oscap-4.3.5-22.18.1
      python2-suseRegisterInfo-4.3.3-28.21.1
      spacecmd-4.3.10-41.39.1
      spacewalk-check-4.3.9-55.45.1
      spacewalk-client-setup-4.3.9-55.45.1
      spacewalk-client-tools-4.3.9-55.45.1
      spacewalk-koan-4.3.5-27.18.1
      spacewalk-oscap-4.3.5-22.18.1
      suseRegisterInfo-4.3.3-28.21.1
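Once the patch has been applied, the package list above is what to verify against: a minion is only fixed when every listed package it has installed is at or above the listed version-release. As an added example, not SUSE tooling, the following Python compares name-version-release strings the way rpm does (a port of rpm's rpmvercmp label comparison, including the ~ and ^ rules) and reports which installed packages are still below the fixed build. The fixed versions are copied from the advisory; the sample `rpm -q` output is constructed for the demo, and epoch is ignored because the advisory's package list carries none.

```python
"""Audit installed RPMs against the fixed versions in SUSE-SU-2022:1531-1.

Added example, not SUSE tooling. FIXED_PACKAGES is copied from the
advisory's Package List; SAMPLE_INSTALLED is constructed. Epoch is ignored
(the advisory lists none); query_rpm() shows how to get real input.
"""
import subprocess

# Fixed name-version-release strings from the advisory (subset for brevity).
FIXED_PACKAGES = """
golang-github-prometheus-alertmanager-0.23.0-4.9.1
golang-github-prometheus-node_exporter-1.3.0-4.12.1
golang-github-prometheus-prometheus-2.32.1-4.30.1
golang-github-prometheus-promu-0.13.0-4.9.1
salt-3000-53.11.1
salt-minion-3000-53.11.1
spacecmd-4.3.10-41.39.1
""".split()

# Constructed sample of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' ...`
SAMPLE_INSTALLED = """
salt-minion-3000-53.8.1
salt-3000-53.11.1
spacecmd-4.3.9-41.36.2
golang-github-prometheus-node_exporter-1.3.0-4.12.1
golang-github-prometheus-prometheus-2.32.1-4.30.1
""".split()


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp: returns 1, 0 or -1 like the C original.
    Segments are compared numerically when both are digits, otherwise as
    strings; separators are skipped; '~' sorts before anything (even the end
    of the string) and '^' sorts after the end but before anything else."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        a_tilde, b_tilde = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        a_caret, b_caret = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if a_caret or b_caret:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        si, sj = i, j
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:  # type mismatch: numeric beats alpha
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_nvr(nvr):
    """'name-version-release' -> (name, version, release); names may contain '-'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def label_cmp(vr_a, vr_b):
    """Compare (version, release) pairs as rpm does; epoch assumed equal."""
    c = rpmvercmp(vr_a[0], vr_b[0])
    return c if c else rpmvercmp(vr_a[1], vr_b[1])


def audit(fixed, installed):
    """Map each installed package named in the advisory to 'fixed' or 'VULNERABLE'."""
    fixed_map = {n: (v, r) for n, v, r in map(split_nvr, fixed)}
    report = {}
    for n, v, r in map(split_nvr, installed):
        if n in fixed_map:
            report[n] = "fixed" if label_cmp((v, r), fixed_map[n]) >= 0 else "VULNERABLE"
    return report


def query_rpm(names):
    """Real input: ask rpm for the installed NVR of each advisory package."""
    out = subprocess.run(
        ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n", *names],
        capture_output=True, text=True, check=False).stdout
    return [line for line in out.splitlines() if line and "not installed" not in line]


if __name__ == "__main__":
    for name, status in sorted(audit(FIXED_PACKAGES, SAMPLE_INSTALLED).items()):
        print(f"{status:10} {name}")
```

On the constructed sample the report flags salt-minion (release 53.8.1 < 53.11.1) and spacecmd (4.3.9 < 4.3.10) as still vulnerable; to run it for real, replace SAMPLE_INSTALLED with `query_rpm([split_nvr(p)[0] for p in FIXED_PACKAGES])`.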


References:

   https://www.suse.com/security/cve/CVE-2020-22935.html
   https://www.suse.com/security/cve/CVE-2022-21698.html
   https://www.suse.com/security/cve/CVE-2022-22934.html
   https://www.suse.com/security/cve/CVE-2022-22936.html
   https://www.suse.com/security/cve/CVE-2022-22941.html
   https://bugzilla.suse.com/1181400
   https://bugzilla.suse.com/1190535
   https://bugzilla.suse.com/1196338
   https://bugzilla.suse.com/1196704
   https://bugzilla.suse.com/1197042
   https://bugzilla.suse.com/1197417
   https://bugzilla.suse.com/1197579
   https://bugzilla.suse.com/1197689

SUSE: 2022:1531-1 important: Security Beta SUSE Manager Client Tools

May 4, 2022
An update that solves 5 vulnerabilities, contains 5 features and has three fixes is now available