SUSE Security Update: Security update for release-notes-susemanager, release-notes-susemanager-proxy
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:2146-1
Rating:             important
References:         #1187333 #1191143 #1192550 #1193707 #1194594 
                    #1195710 #1196702 #1197400 #1197438 #1197449 
                    #1197488 #1197591 #1197689 #1198221 
Cross-References:   CVE-2021-44906 CVE-2022-21952 CVE-2022-31248
                   
CVSS scores:
                    CVE-2021-44906 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-44906 (SUSE): 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
                    CVE-2022-31248 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products:
                    SUSE Manager Proxy 4.2
                    SUSE Manager Retail Branch Server 4.2
                    SUSE Manager Server 4.2
______________________________________________________________________________

   An update that solves three vulnerabilities and has 11
   fixes is now available.

Description:

   This update for release-notes-susemanager, release-notes-susemanager-proxy
   fixes the following issues:

   Release notes for SUSE Manager:

   - Update to 4.2.7
     * Salt has been upgraded to 3004 version
     * Enabled salt bundle as optional
     * Debian 11 client support has been added
     * Alertmanager has been upgraded to 0.23.0
     * Node exporter has been upgraded 1.3.0
     * CVEs fixed: CVE-2021-44906, CVE-2022-21952, CVE-2022-31248
     * Bugs mentioned: bsc#1187333, bsc#1191143, bsc#1192550, bsc#1193707,
       bsc#1194594 bsc#1195710, bsc#1196702, bsc#1197400, bsc#1197438,
       bsc#1197449 bsc#1197488, bsc#1197591, bsc#1197689, bsc#1198221

   Release notes for SUSE Manager proxy:

   - Update to 4.2.7
     * Salt has been upgraded to 3004 version
     * Bugs mentioned: bsc#1187333, bsc#1194594, bsc#1195710, bsc#1197689


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.2:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.2-2022-2146=1

   - SUSE Manager Retail Branch Server 4.2:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.2-2022-2146=1

   - SUSE Manager Proxy 4.2:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2022-2146=1



Package List:

   - SUSE Manager Server 4.2 (ppc64le s390x x86_64):

      release-notes-susemanager-4.2.7-150300.3.44.1

   - SUSE Manager Retail Branch Server 4.2 (x86_64):

      release-notes-susemanager-proxy-4.2.7-150300.3.31.2

   - SUSE Manager Proxy 4.2 (x86_64):

      release-notes-susemanager-proxy-4.2.7-150300.3.31.2


References:

   https://www.suse.com/security/cve/CVE-2021-44906.html
   https://www.suse.com/security/cve/CVE-2022-21952.html
   https://www.suse.com/security/cve/CVE-2022-31248.html
   https://bugzilla.suse.com/1187333
   https://bugzilla.suse.com/1191143
   https://bugzilla.suse.com/1192550
   https://bugzilla.suse.com/1193707
   https://bugzilla.suse.com/1194594
   https://bugzilla.suse.com/1195710
   https://bugzilla.suse.com/1196702
   https://bugzilla.suse.com/1197400
   https://bugzilla.suse.com/1197438
   https://bugzilla.suse.com/1197449
   https://bugzilla.suse.com/1197488
   https://bugzilla.suse.com/1197591
   https://bugzilla.suse.com/1197689
   https://bugzilla.suse.com/1198221