SUSE: 2022:1531-1 important: Security Beta SUSE Manager Client Tools
Summary
This update fixes the following issues: golang-github-prometheus-alertmanager: - CVE-2022-21698: Update vendor tarball with prometheus/client_golang 1.11.1 (bsc#1196338, jsc#SLE-24077) - Update to version 0.23.0: * amtool: Detect version drift and warn users (#2672) * Add ability to skip TLS verification for amtool (#2663) * Fix empty isEqual in amtool. (#2668) * Fix main tests (#2670) * cli: add new template render command (#2538) * OpsGenie: refer to alert instead of incident (#2609) * Docs: target_match and source_match are DEPRECATED (#2665) * Fix test not waiting for cluster member to be ready - Added hardening to systemd service(s) (bsc#1181400). Modified: prometheus-alertmanager.service golang-github-prometheus-node_exporter: - CVE-2022-21698: Update vendor tarball with prometheus/client_golang 1.11.1 (bsc#1196338, jsc#SLE-24238, jsc#SLE-24239) - Update to 1.3.0 * [CHANGE] Add path label to rapl collector #2146 * [CHANGE] Exclude filesystems under /run/credentials #2157 * [CHANGE] Add TCPTimeouts to netstat default filter #2189 * [FEATURE] Add lnstat collector for metrics from /proc/net/stat/ #1771 * [FEATURE] Add darwin powersupply collector #1777 * [FEATURE] Add support for monitoring GPUs on Linux #1998 * [FEATURE] Add Darwin thermal collector #2032 * [FEATURE] Add os release collector #2094 * [FEATURE] Add netdev.address-info collector #2105 * [FEATURE] Add clocksource metrics to time collector #2197 * [ENHANCEMENT] Support glob textfile collector directories #1985 * [ENHANCEMENT] ethtool: Expose node_ethtool_info metric #2080 * [ENHANCEMENT] Use include/exclude flags for ethtool filtering #2165 * [ENHANCEMENT] Add flag to disable guest CPU metrics #2123 * [ENHANCEMENT] Add DMI collector #2131 * [ENHANCEMENT] Add threads metrics to processes collector #2164 * [ENHANCMMENT] Reduce timer GC delays in the Linux filesystem collector #2169 * [ENHANCMMENT] Add TCPTimeouts to netstat default filter #2189 * [ENHANCMMENT] Use SysctlTimeval for boottime collector on BSD #2208 * [BUGFIX] ethtool: Sanitize metric names #2093 * [BUGFIX] Fix ethtool collector for multiple interfaces #2126 * [BUGFIX] Fix possible panic on macOS #2133 * [BUGFIX] Collect flag_info and bug_info only for one core #2156 * [BUGFIX] Prevent duplicate ethtool metric names #2187 - Update to 1.2.2 * Bug fixes Fix processes collector long int parsing #2112 - Update to 1.2.1 * Removed Remove obsolete capture permission denied error patch capture-permission-denied-error-energy_uj.patch: Already included upstream Fix zoneinfo parsing prometheus/procfs#386 Fix nvme collector log noise #2091 Fix rapl collector log noise #2092 - Update to 1.2.0 * Changes Rename filesystem collector flags to match other collectors #2012 Make node_exporter print usage to STDOUT #203 * Features Add conntrack statistics metrics #1155 Add ethtool stats collector #1832 Add flag to ignore network speed if it is unknown #1989 Add tapestats collector for Linux #2044 Add nvme collector #2062 * Enhancements Add ErrorLog plumbing to promhttp #1887 Add more Infiniband counters #2019 netclass: retrieve interface names and filter before parsing #2033 Add time zone offset metric #2060 Handle errors from disabled PSI subsystem #1983 Fix panic when using backwards compatible flags #2000 Fix wrong value for OpenBSD memory buffer cache #2015 Only initiate collectors once #2048 Handle small backwards jumps in CPU idle #2067 - Apply patch to capture permission denied error for "energy_uj" file (bsc#1190535) golang-github-prometheus-prometheus: - Build firewalld-prometheus-config only for SUSE Linux Enterprise 15, 15.1 and 15.2, and require firewalld for it - Firewalld-prometheus-config needs to be a Recommends, not a Requires, as prometheus does not require it to run - Create firewalld-prometheus-config subpackage (bsc#1197042) - CVE-2022-21698: Update vendor tarball with prometheus/client_golang 1.12.1 (bsc#1196338) golang-github-prometheus-promu: - Update to version 0.13.0: * Release 0.13.0 (jsc#SLE-24138, jsc#SLE-24139) * Add deprecation note to pkg directory * Add windows/arm64 * Update common Prometheus files * Fix typo * Release 0.12.0 * Simplify CGO crossbuilds * Update common Prometheus files * Release 0.11.1 * Fix build with "linux" platform - Update to 0.5.0 + Features: * Add support for aix/ppc64. #151 * Fallback to git describe output if no VERSION. #130 + Enhancements: * cmd/release: add --timeout option. #142 * cmd/release: create release in GitHub if none exists. #148 + Bug Fixes: * cmd/tarball: restore --prefix flag. #133 * cmd/release: don't leak credentials in case of error. #136 mgr-cfg: - Version 4.3.6-1 * Fix the condition for preventing building python 2 subpackage for SLE15 (bsc#1197579) mgr-osad: - Version 4.3.6-1 * Fix the condition for preventing building python 2 subpackage for SLE15 mgr-push: - Version 4.3.4-1 * Fix the condition for preventing building python 2 subpackage for SLE15 mgr-virtualization: - Version 4.3.5-1 * Fix the condition for preventing building python 2 subpackage for SLE15 rhnlib: - Version 4.3.4-1 * Fix the condition for preventing building python 2 subpackage for SLE15 salt: - Fix multiple security fixes (bsc#1197417) * CVE-2020-22935: Sign authentication replies to prevent MiTM. * CVE-2022-22934: Sign pillar data to prevent MiTM attacks. * CVE-2022-22936: Prevent job and fileserver replays * CVE-2022-22941: Fixed targeting bug, especially visible when using syndic and user auth. spacecmd: - Version 4.3.10-1 * parse boolean paramaters correctly (bsc#1197689) * Add parameter to set containerized proxy SSH port spacewalk-client-tools: - Version 4.3.9-1 * Fix the condition for preventing building python 2 subpackage for SLE15 spacewalk-koan: - Version 4.3.5-1 * Fix the condition for preventing building python 2 subpackage for SLE15 spacewalk-oscap: - Version 4.3.5-1 * Fix the condition for preventing building python 2 subpackage for SLE15 suseRegisterInfo: - Version 4.3.3-1 * Fix the condition for preventing building python 2 subpackage for SLE15 uyuni-common-libs: - Version 4.3.4-1 * implement more decompression algorithms for reposync (bsc#1196704) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Tools 12-BETA: zypper in -t patch SUSE-SLE-Manager-Tools-12-BETA-2022-1531=1 Package List: - SUSE Manager Tools 12-BETA (aarch64 ppc64le s390x x86_64): golang-github-prometheus-alertmanager-0.23.0-4.9.1 golang-github-prometheus-node_exporter-1.3.0-4.12.1 golang-github-prometheus-prometheus-2.32.1-4.30.1 golang-github-prometheus-promu-0.13.0-4.9.1 python2-salt-3000-53.11.1 python2-uyuni-common-libs-4.3.4-3.30.1 python3-salt-3000-53.11.1 salt-3000-53.11.1 salt-doc-3000-53.11.1 salt-minion-3000-53.11.1 - SUSE Manager Tools 12-BETA (noarch): mgr-cfg-4.3.6-4.27.1 mgr-cfg-actions-4.3.6-4.27.1 mgr-cfg-client-4.3.6-4.27.1 mgr-cfg-management-4.3.6-4.27.1 mgr-osad-4.3.6-4.27.1 mgr-push-4.3.4-4.18.1 mgr-virtualization-host-4.3.5-4.18.1 python2-mgr-cfg-4.3.6-4.27.1 python2-mgr-cfg-actions-4.3.6-4.27.1 python2-mgr-cfg-client-4.3.6-4.27.1 python2-mgr-cfg-management-4.3.6-4.27.1 python2-mgr-osa-common-4.3.6-4.27.1 python2-mgr-osad-4.3.6-4.27.1 python2-mgr-push-4.3.4-4.18.1 python2-mgr-virtualization-common-4.3.5-4.18.1 python2-mgr-virtualization-host-4.3.5-4.18.1 python2-rhnlib-4.3.4-24.27.1 python2-spacewalk-check-4.3.9-55.45.1 python2-spacewalk-client-setup-4.3.9-55.45.1 python2-spacewalk-client-tools-4.3.9-55.45.1 python2-spacewalk-koan-4.3.5-27.18.1 python2-spacewalk-oscap-4.3.5-22.18.1 python2-suseRegisterInfo-4.3.3-28.21.1 spacecmd-4.3.10-41.39.1 spacewalk-check-4.3.9-55.45.1 spacewalk-client-setup-4.3.9-55.45.1 spacewalk-client-tools-4.3.9-55.45.1 spacewalk-koan-4.3.5-27.18.1 spacewalk-oscap-4.3.5-22.18.1 suseRegisterInfo-4.3.3-28.21.1
References
#1181400 #1190535 #1196338 #1196704 #1197042
#1197417 #1197579 #1197689 SLE-24077 SLE-24138
SLE-24139 SLE-24238 SLE-24239
Cross- CVE-2020-22935 CVE-2022-21698 CVE-2022-22934
CVE-2022-22936 CVE-2022-22941
CVSS scores:
CVE-2022-21698 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-21698 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-22934 (NVD) : 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22934 (SUSE): 7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22936 (NVD) : 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22936 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-22941 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22941 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
SUSE Manager Tools 12-BETA
https://www.suse.com/security/cve/CVE-2020-22935.html
https://www.suse.com/security/cve/CVE-2022-21698.html
https://www.suse.com/security/cve/CVE-2022-22934.html
https://www.suse.com/security/cve/CVE-2022-22936.html
https://www.suse.com/security/cve/CVE-2022-22941.html
https://bugzilla.suse.com/1181400
https://bugzilla.suse.com/1190535
https://bugzilla.suse.com/1196338
https://bugzilla.suse.com/1196704
https://bugzilla.suse.com/1197042
https://bugzilla.suse.com/1197417
https://bugzilla.suse.com/1197579
https://bugzilla.suse.com/1197689