SUSE Security Update: Security update for SUSE Manager Server 4.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:2145-1
Rating:             important
References:         #1173527 #1182742 #1189501 #1190535 #1191143 
                    #1192850 #1193032 #1193238 #1193707 #1194262 
                    #1194447 #1194594 #1194909 #1195561 #1196067 
                    #1196338 #1196407 #1196702 #1196704 #1197356 
                    #1197429 #1197438 #1197488 #1198221 #1198356 
                    #1198686 #1198914 #1199036 #1199142 #1199149 
                    #1199512 #1199528 #1199577 #1199629 #1199677 
                    #1199888 #1200212 #1200606 SLE-24238 SLE-24239 
                    
Cross-References:   CVE-2022-21698 CVE-2022-21724 CVE-2022-21952
                    CVE-2022-26520 CVE-2022-31248
CVSS scores:
                    CVE-2022-21698 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-21698 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-21724 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-21724 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
                    CVE-2022-26520 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-26520 (SUSE): 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
                    CVE-2022-31248 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.1
                    SUSE Manager Server 4.1
______________________________________________________________________________

   An update that solves 5 vulnerabilities, contains two
   features and has 33 fixes is now available.

Description:

   This update fixes the following issues:

   golang-github-QubitProducts-exporter_exporter:

   - Adapted to build on Enterprise Linux.
   - Fix build for RedHat 7
   - Require Go >= 1.14 also for CentOS
   - Add support for CentOS
   - Replace %{?systemd_requires} with %{?systemd_ordering}

   golang-github-lusitaniae-apache_exporter:

   - Require building with Go 1.15
   - Add %license macro for LICENSE file

   golang-github-prometheus-node_exporter:

   - CVE-2022-21698: Update vendor tarball with prometheus/client_golang
     1.11.1 (bsc#1196338, jsc#SLE-24238, jsc#SLE-24239)
   - Update to 1.3.0
     * [CHANGE] Add path label to rapl collector #2146
     * [CHANGE] Exclude filesystems under /run/credentials #2157
     * [CHANGE] Add TCPTimeouts to netstat default filter #2189
     * [FEATURE] Add lnstat collector for metrics from /proc/net/stat/ #1771
     * [FEATURE] Add darwin powersupply collector #1777
     * [FEATURE] Add support for monitoring GPUs on Linux #1998
     * [FEATURE] Add Darwin thermal collector #2032
     * [FEATURE] Add os release collector #2094
     * [FEATURE] Add netdev.address-info collector #2105
     * [FEATURE] Add clocksource metrics to time collector #2197
     * [ENHANCEMENT] Support glob textfile collector directories #1985
     * [ENHANCEMENT] ethtool: Expose node_ethtool_info metric #2080
     * [ENHANCEMENT] Use include/exclude flags for ethtool filtering #2165
     * [ENHANCEMENT] Add flag to disable guest CPU metrics #2123
     * [ENHANCEMENT] Add DMI collector #2131
     * [ENHANCEMENT] Add threads metrics to processes collector #2164
     * [ENHANCEMENT] Reduce timer GC delays in the Linux filesystem collector
       #2169
     * [ENHANCEMENT] Add TCPTimeouts to netstat default filter #2189
     * [ENHANCEMENT] Use SysctlTimeval for boottime collector on BSD #2208
     * [BUGFIX] ethtool: Sanitize metric names #2093
     * [BUGFIX] Fix ethtool collector for multiple interfaces #2126
     * [BUGFIX] Fix possible panic on macOS #2133
     * [BUGFIX] Collect flag_info and bug_info only for one core #2156
     * [BUGFIX] Prevent duplicate ethtool metric names #2187
   - Update to 1.2.2
     * [BUGFIX] Fix processes collector long int parsing #2112
   - Update to 1.2.1
     * Removed: obsolete "capture permission denied error" patch, already
       included upstream
     * Fix zoneinfo parsing prometheus/procfs#386
     * Fix nvme collector log noise #2091
     * Fix rapl collector log noise #2092
   - Update to 1.2.0
     * [CHANGE] Rename filesystem collector flags to match other collectors
       #2012
     * [CHANGE] Make node_exporter print usage to STDOUT #203
     * [FEATURE] Add conntrack statistics metrics #1155
     * [FEATURE] Add ethtool stats collector #1832
     * [FEATURE] Add flag to ignore network speed if it is unknown #1989
     * [FEATURE] Add tapestats collector for Linux #2044
     * [FEATURE] Add nvme collector #2062
     * [ENHANCEMENT] Add ErrorLog plumbing to promhttp #1887
     * [ENHANCEMENT] Add more Infiniband counters #2019
     * [ENHANCEMENT] netclass: retrieve interface names and filter before
       parsing #2033
     * [ENHANCEMENT] Add time zone offset metric #2060
     * [ENHANCEMENT] Handle errors from disabled PSI subsystem #1983
     * [ENHANCEMENT] Fix panic when using backwards compatible flags #2000
     * [ENHANCEMENT] Fix wrong value for OpenBSD memory buffer cache #2015
     * [ENHANCEMENT] Only initiate collectors once #2048
     * [ENHANCEMENT] Handle small backwards jumps in CPU idle #2067
   - Capture permission denied error for "energy_uj" file (bsc#1190535)

   patterns-suse-manager:

   - golang-github-wrouesnel-postgres_exporter was renamed to
     prometheus-postgres_exporter

   postgresql-jdbc:

   - CVE-2022-26520: Address Arbitrary File Write Vulnerability (bsc#1197356)
   - CVE-2022-21724: Address unchecked class instantiation when loading
     plugins based on class names (bsc#1195561)

   prometheus-exporters-formula:

   - Version 0.9.5
     * Postgres exporter package was renamed for Red Hat
   - Version 0.9.4
     * Postgres exporter package was renamed for SUSE Linux Enterprise Server
       and openSUSE

   prometheus-formula:

   - Version 0.3.7
     * Allow prometheus-formula only for SUSE systems (bsc#1199149)

   py27-compat-salt:

   - Remove redundant overrides causing confusing DEBUG logging (bsc#1189501)

   spacecmd:

   - Version 4.1.18-1
     * implement system.bootstrap (bsc#1194909)

   spacewalk-backend:

   - Version 4.1.31-1
     * Fix traceback on calling spacewalk-repo-sync --show-packages
       (bsc#1193238)
     * Fix virt_notify SQL syntax error (bsc#1199528)
     * Do not raise error on file:// based DEB repo when looking for
       alternative Release files (bsc#1199142)
     * Improve parsing of deb package dependencies (bsc#1194594)
     * Fix reposync update notice formatting and date parsing (bsc#1194447)
     * implement more decompression algorithms for reposync (bsc#1196704)

   spacewalk-java:

   - Version 4.1.46-1
     * Fix changelog to include the reference to CVE-2022-31248
   - Version 4.1.45-1
     * CVE-2022-31248: User enumeration via weak error message (bsc#1199629)
     * CVE-2022-21952: Unauthenticated remote Denial of Service via resource
       exhaustion (bsc#1199512)
     * During re-activation, recalculate grains if contact method has been
       changed (bsc#1199677)
     * autoinstallation: missing whitespace after install URL (bsc#1199888)
     * Change system details lock tab name to lock/unlock (bsc#1193032)
     * Set profile tag as non-mandatory in XCCDF result (bsc#1194262)
     * Added a notification to inform the administrators about the product
       end-of-life
     * provisioning through proxy should use proxy for self_update
       (bsc#1199036)
     * Allow removing duplicated packages names in the same Salt action
       (bsc#1198686)
     * Fix ACL rules for config diff download for SLS files (bsc#1198914)
     * fix invalid link to action schedule
     * Redesign the auto errata task to schedule combined actions
       (bsc#1197429)
     * detect free products in Alpha and Beta stage and prevent checks on
       openSUSE products (bsc#1197488)
     * Optimize adding new products function (bsc#1193707)
     * change directory owner and permissions only when needed
     * Fixed broken help link for system overview
     * Finding empty profiles by mac address must be case insensitive
       (bsc#1196407)
     * generate the system ssh key when bootstrapping a salt-ssh client
       (bsc#1194909)

   spacewalk-setup:

   - Version 4.1.11-1
     * spacewalk-setup-cobbler assumes /etc/apache2/conf.d now as a default
       instead of /etc/httpd/conf.d (bsc#1198356)

   spacewalk-utils:

   - Version 4.1.20-1
     * spacewalk-hostname-rename now correctly replaces the hostname for the
       mgr-sync configuration file (bsc#1198356)
     * spacewalk-hostname-rename now utilizes the "--apache2-conf-dir" flag
       for spacewalk-setup-cobbler (bsc#1198356)

   spacewalk-web:

   - Version 4.1.34-1
     * Update Web UI version to 4.1.15
   - Version 4.1.33-1
     * Added support for end of life notifications

   subscription-matcher:

   - Version 0.28
     * Support both antlr3-java and antlr3-runtime as dependencies
     * Make it obvious that log4j12 is used

   susemanager:

   - Version 4.1.36-1
     * Add python3-contextvars and python3-immutables to missing bootstrap
       repos (bsc#1200606)
   - Version 4.1.35-1
     * Add python3-gnupg to bootstrap repo definition for Ubuntu 20.04
       (bsc#1200212)
   - Version 4.1.34-1
     * mgr-sync: Raise a proper exception when duplicated lines exist in a
       config file (bsc#1182742)
     * fix SLE15 bootstrap repo definition (bsc#1197438)
     * Add SLES15SP4 and SUMA Proxy 4.3 to bootstrap repo definitions
       (bsc#1196702)
     * Add missing dependencies for Salt 3004 into bootstrap repository for
       SLE15 family (bsc#1198221)

   susemanager-doc-indexes:

   - The Large deployments Guide now includes a mention of the proxy
     (bsc#1199577)
   - In the Administration Guide, documented that monitoring tools are now
     available on SUSE Linux Enterprise 12, 15 and openSUSE Leap 15, however,
     Grafana is not available on Proxy (bsc#1191143)
   - In the Administration Guide, renamed the
     golang-github-wrouesnel-postgres_exporter to prometheus-postgres_exporter
   - In the Client Configuration and Retail Guides clarified that mandatory
     channels are automatically checked (bsc#1173527)
   - In the Client Configuration Guide, marked Yomi as unsupported on SUSE
     Linux Enterprise Server 11 and 12
   - Clarified channel label name in Registering Clients with RHUI section of
     the Client Configuration Guide (bsc#1196067)

   susemanager-docs_en:

   - The Large deployments Guide now includes a mention of the proxy
     (bsc#1199577)
   - In the Administration Guide, documented that monitoring tools are now
     available on SUSE Linux Enterprise 12, 15 and openSUSE Leap 15, however,
     Grafana is not available on Proxy (bsc#1191143)
   - In the Administration Guide, renamed the
     golang-github-wrouesnel-postgres_exporter to prometheus-postgres_exporter
   - In the Client Configuration and Retail Guides clarified that mandatory
     channels are automatically checked (bsc#1173527)
   - In the Client Configuration Guide, marked Yomi as unsupported on SUSE
     Linux Enterprise Server 11 and 12
   - Clarified channel label name in Registering Clients with RHUI section of
     the Client Configuration Guide (bsc#1196067)

   susemanager-schema:

   - Version 4.1.26-1
     * add schema update directory from 4.1.25 to 4.1.26

   susemanager-sls:

   - Version 4.1.36-1
     * Prevent possible tracebacks on calling module.run from mgrcompat by
       setting proper globals using LazyLoader

   - Version 4.1.35-1
     * Add support to packages.pkgremove to deal with duplicated pkg names
       (bsc#1198686)
     * Fix bootstrap repository path resolution for Oracle Linux
     * Fix deprecated warning when getting pillar data (bsc#1192850)
     * fixing how the return code is returned in mgrutil runner (bsc#1194909)

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service: `spacewalk-service stop`
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service: `spacewalk-service start`


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2022-2145=1



Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x x86_64):

      golang-github-QubitProducts-exporter_exporter-0.4.0-150200.6.12.2
      golang-github-lusitaniae-apache_exporter-0.7.0-150200.2.6.2
      golang-github-lusitaniae-apache_exporter-debuginfo-0.7.0-150200.2.6.2
      golang-github-prometheus-node_exporter-1.3.0-150200.3.9.3
      patterns-suma_retail-4.1-150200.6.12.2
      patterns-suma_server-4.1-150200.6.12.2
      susemanager-4.1.36-150200.3.52.1
      susemanager-tools-4.1.36-150200.3.52.1

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):

      postgresql-jdbc-42.2.10-150200.3.8.2
      prometheus-exporters-formula-0.9.5-150200.3.31.2
      prometheus-formula-0.3.7-150200.3.21.2
      py27-compat-salt-3000.3-150200.6.24.2
      spacecmd-4.1.18-150200.4.39.3
      spacewalk-backend-4.1.31-150200.4.50.4
      spacewalk-backend-app-4.1.31-150200.4.50.4
      spacewalk-backend-applet-4.1.31-150200.4.50.4
      spacewalk-backend-config-files-4.1.31-150200.4.50.4
      spacewalk-backend-config-files-common-4.1.31-150200.4.50.4
      spacewalk-backend-config-files-tool-4.1.31-150200.4.50.4
      spacewalk-backend-iss-4.1.31-150200.4.50.4
      spacewalk-backend-iss-export-4.1.31-150200.4.50.4
      spacewalk-backend-package-push-server-4.1.31-150200.4.50.4
      spacewalk-backend-server-4.1.31-150200.4.50.4
      spacewalk-backend-sql-4.1.31-150200.4.50.4
      spacewalk-backend-sql-postgresql-4.1.31-150200.4.50.4
      spacewalk-backend-tools-4.1.31-150200.4.50.4
      spacewalk-backend-xml-export-libs-4.1.31-150200.4.50.4
      spacewalk-backend-xmlrpc-4.1.31-150200.4.50.4
      spacewalk-base-4.1.34-150200.3.47.6
      spacewalk-base-minimal-4.1.34-150200.3.47.6
      spacewalk-base-minimal-config-4.1.34-150200.3.47.6
      spacewalk-html-4.1.34-150200.3.47.6
      spacewalk-java-4.1.46-150200.3.71.5
      spacewalk-java-config-4.1.46-150200.3.71.5
      spacewalk-java-lib-4.1.46-150200.3.71.5
      spacewalk-java-postgresql-4.1.46-150200.3.71.5
      spacewalk-setup-4.1.11-150200.3.18.2
      spacewalk-taskomatic-4.1.46-150200.3.71.5
      spacewalk-utils-4.1.20-150200.3.30.2
      spacewalk-utils-extras-4.1.20-150200.3.30.2
      subscription-matcher-0.28-150200.3.15.2
      susemanager-doc-indexes-4.1-150200.11.55.4
      susemanager-docs_en-4.1-150200.11.55.2
      susemanager-docs_en-pdf-4.1-150200.11.55.2
      susemanager-schema-4.1.26-150200.3.45.4
      susemanager-sls-4.1.36-150200.3.64.2
      susemanager-web-libs-4.1.34-150200.3.47.6
      uyuni-config-modules-4.1.36-150200.3.64.2
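As an added check that is not part of the advisory, the Python below compares a host's installed package builds with the fixed builds from the package list above, so an administrator can confirm the patch actually landed; the rpm query output is constructed sample data, and the version comparison is a simplified rpmvercmp that ignores the '~' and '^' operators.

```python
import re
from typing import Dict, List

# Fixed builds taken from the advisory's Package List (noarch subset).
ADVISORY_VERSIONS: Dict[str, str] = {
    "postgresql-jdbc": "42.2.10-150200.3.8.2",
    "spacewalk-java": "4.1.46-150200.3.71.5",
    "susemanager-schema": "4.1.26-150200.3.45.4",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`
# output (not from a real host): spacewalk-java is still a pre-update build.
SAMPLE_RPM_QA = """\
postgresql-jdbc 42.2.10-150200.3.8.2
spacewalk-java 4.1.45-150200.3.70.1
susemanager-schema 4.1.26-150200.3.45.4
"""

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (no '~'/'^' handling): split both strings into
    numeric and alphabetic segments, compare pairwise, numeric beats alpha,
    and the string with segments left over is the newer one."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        key = (int(x), int(y)) if x.isdigit() else (x, y)
        if key[0] != key[1]:
            return 1 if key[0] > key[1] else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(installed: str, required: str) -> int:
    """Compare VERSION-RELEASE strings: version first, release breaks ties."""
    iv, _, ir = installed.rpartition("-")
    rv, _, rr = required.rpartition("-")
    return rpmvercmp(iv, rv) or rpmvercmp(ir, rr)

def parse_rpm_qa(text: str) -> Dict[str, str]:
    """Map package name -> VERSION-RELEASE from the query output above."""
    pairs = (line.split() for line in text.splitlines() if line.strip())
    return {name: vr for name, vr in pairs}

def outdated_packages(installed: Dict[str, str],
                      required: Dict[str, str] = ADVISORY_VERSIONS) -> List[str]:
    """Advisory packages present on the host but older than the fixed build."""
    return [name for name, vr in required.items()
            if name in installed and compare_vr(installed[name], vr) < 0]
```

Packages that are absent from the host are not reported, since an update only matters for packages that are installed.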


References:

   https://www.suse.com/security/cve/CVE-2022-21698.html
   https://www.suse.com/security/cve/CVE-2022-21724.html
   https://www.suse.com/security/cve/CVE-2022-21952.html
   https://www.suse.com/security/cve/CVE-2022-26520.html
   https://www.suse.com/security/cve/CVE-2022-31248.html
   https://bugzilla.suse.com/1173527
   https://bugzilla.suse.com/1182742
   https://bugzilla.suse.com/1189501
   https://bugzilla.suse.com/1190535
   https://bugzilla.suse.com/1191143
   https://bugzilla.suse.com/1192850
   https://bugzilla.suse.com/1193032
   https://bugzilla.suse.com/1193238
   https://bugzilla.suse.com/1193707
   https://bugzilla.suse.com/1194262
   https://bugzilla.suse.com/1194447
   https://bugzilla.suse.com/1194594
   https://bugzilla.suse.com/1194909
   https://bugzilla.suse.com/1195561
   https://bugzilla.suse.com/1196067
   https://bugzilla.suse.com/1196338
   https://bugzilla.suse.com/1196407
   https://bugzilla.suse.com/1196702
   https://bugzilla.suse.com/1196704
   https://bugzilla.suse.com/1197356
   https://bugzilla.suse.com/1197429
   https://bugzilla.suse.com/1197438
   https://bugzilla.suse.com/1197488
   https://bugzilla.suse.com/1198221
   https://bugzilla.suse.com/1198356
   https://bugzilla.suse.com/1198686
   https://bugzilla.suse.com/1198914
   https://bugzilla.suse.com/1199036
   https://bugzilla.suse.com/1199142
   https://bugzilla.suse.com/1199149
   https://bugzilla.suse.com/1199512
   https://bugzilla.suse.com/1199528
   https://bugzilla.suse.com/1199577
   https://bugzilla.suse.com/1199629
   https://bugzilla.suse.com/1199677
   https://bugzilla.suse.com/1199888
   https://bugzilla.suse.com/1200212
   https://bugzilla.suse.com/1200606