SUSE: 2022:3747-1 moderate: SUSE Manager Client Tools

   SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:3747-1
Rating:             moderate
References:         #1196338 #1198903 #1200725 #1201535 #1201539 
                    SLE-23422 SLE-23439 SLE-24243 SLE-24565 SLE-24791 
                    SUMA-114 
Cross-References:   CVE-2022-21698 CVE-2022-31097 CVE-2022-31107
                   
CVSS scores:
                    CVE-2022-21698 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-21698 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-31097 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
                    CVE-2022-31097 (SUSE): 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
                    CVE-2022-31107 (NVD) : 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-31107 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Affected Products:
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Manager Tools 12
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________

   An update that solves three vulnerabilities, contains 6
   features and has two fixes is now available.

Description:


   This update fixes the following issues:

   golang-github-lusitaniae-apache_exporter:

   - Update to upstream release 0.11.0 (jsc#SLE-24791)
     * Add TLS support
     * Switch to logger, please check --log.level and --log.format flags
   - Update to version 0.10.1
     * Bugfix: Reset ProxyBalancer metrics on each scrape to remove stale data
   - Update to version 0.10.0
     * Add Apache Proxy and other metrics
   - Update to version 0.8.0
     * Change commandline flags
     * Add metrics: Apache version, request duration total
   - Adapted to build on Enterprise Linux 8
   - Require building with Go 1.15
   - Add %license macro for LICENSE file

   golang-github-prometheus-alertmanager:

   - Do not include sources (bsc#1200725)

   golang-github-prometheus-node_exporter:

   - CVE-2022-21698: Denial of service using InstrumentHandlerCounter.
     (bsc#1196338, jsc#SLE-24243, jsc#SUMA-114)

   grafana:

   - Update to version 8.3.10
     + Security:
       * CVE-2022-31097: Cross Site Scripting vulnerability in the Unified
         Alerting (bsc#1201535)
       * CVE-2022-31107: OAuth account takeover vulnerability (bsc#1201539)
   - Update to version 8.3.9
     + Bug fixes:
       * Geomap: Display legend
       * Prometheus: Fix timestamp truncation
   - Update to version 8.3.7
     + Bug fix:
       * Provisioning: Ensure that the default value for orgID is set when
         provisioning datasources to be deleted.
   - Update to version 8.3.6
     + Features and enhancements:
       * Cloud Monitoring: Reduce request size when listing labels.
       * Explore: Show scalar data result in a table instead of graph.
       * Snapshots: Updates the default external snapshot server URL.
       * Table: Makes footer not overlap table content.
       * Tempo: Add request histogram to service graph datalink.
       * Tempo: Add time range to tempo search query behind a feature flag.
       * Tempo: Auto-clear results when changing query type.
       * Tempo: Display start time in search results as relative time.
       * CloudMonitoring: Fix resource labels in query editor.
       * Cursor sync: Apply the settings without saving the dashboard.
       * LibraryPanels: Fix for Error while cleaning library panels.
       * Logs Panel: Fix timestamp parsing for string dates without timezone.
       * Prometheus: Fix some of the alerting queries that use reduce/math
         operation.
       * TablePanel: Fix ad-hoc variables not working on default datasources.
       * Text Panel: Fix alignment of elements.
       * Variables: Fix for constant variables in self referencing links.
   - Update to version 8.3.5 (jsc#SLE-23439, jsc#SLE-23422, jsc#SLE-24565)

   kiwi-desc-saltboot:

   - Update to version 0.1.1661440542.6cbe0da
     * Use standard susemanager.conf
     * Use salt bundle
     * Add support for VirtIO disks

   mgr-daemon:

   - Version 4.3.6-1
     * Update translation strings

   spacecmd:

   - Version 4.3.15-1
     * Process date values in spacecmd api calls (bsc#1198903)

   spacewalk-client-tools:

   - Version 4.3.12-1
     * Update translation strings

   uyuni-common-libs:

   - Version 4.3.6-1
     * Do not allow creating path if nonexistent user or group in fileutils.


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-3747=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2022-3747=1

   - SUSE Manager Tools 12:

      zypper in -t patch SUSE-SLE-Manager-Tools-12-2022-3747=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-3747=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-3747=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-3747=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-3747=1



Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      golang-github-prometheus-node_exporter-1.3.0-1.21.1

   - SUSE OpenStack Cloud 9 (x86_64):

      golang-github-prometheus-node_exporter-1.3.0-1.21.1

   - SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64):

      golang-github-lusitaniae-apache_exporter-0.11.0-1.13.1
      golang-github-prometheus-alertmanager-0.23.0-1.15.2
      golang-github-prometheus-node_exporter-1.3.0-1.21.1
      grafana-8.3.10-1.33.2
      python2-uyuni-common-libs-4.3.6-1.27.1

   - SUSE Manager Tools 12 (noarch):

      kiwi-desc-saltboot-0.1.1661440542.6cbe0da-1.29.1
      mgr-daemon-4.3.6-1.38.1
      python2-spacewalk-check-4.3.12-52.77.1
      python2-spacewalk-client-setup-4.3.12-52.77.1
      python2-spacewalk-client-tools-4.3.12-52.77.1
      spacecmd-4.3.15-38.109.1
      spacewalk-check-4.3.12-52.77.1
      spacewalk-client-setup-4.3.12-52.77.1
      spacewalk-client-tools-4.3.12-52.77.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      golang-github-prometheus-node_exporter-1.3.0-1.21.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      golang-github-prometheus-node_exporter-1.3.0-1.21.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      golang-github-prometheus-node_exporter-1.3.0-1.21.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      golang-github-prometheus-node_exporter-1.3.0-1.21.1
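
Added example (not part of the SUSE advisory): a post-patch check that compares installed builds against the fixed builds from the Package List above. It assumes GNU `sort -V` is an adequate stand-in for RPM version ordering on these purely numeric versions; the function names and the installed versions in the demo line are constructed.

```shell
#!/usr/bin/env bash
# Fixed builds copied from the advisory's Package List ("name version-release").
FIXED_BUILDS='golang-github-prometheus-node_exporter 1.3.0-1.21.1
grafana 8.3.10-1.33.2
python2-uyuni-common-libs 4.3.6-1.27.1'

# ver_lt A B: succeeds when A sorts strictly before B.
# Assumption: GNU `sort -V` approximates RPM ordering here; it is not rpmvercmp.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# check_builds: reads "name version-release" lines on stdin, prints one verdict
# per advisory package, and returns 1 if any installed build predates the fix.
check_builds() {
    local installed name fixed have rc=0
    installed=$(cat)
    while read -r name fixed; do
        have=$(printf '%s\n' "$installed" |
            awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "SKIP $name (not installed)"
        elif ver_lt "$have" "$fixed"; then
            echo "VULNERABLE $name $have < $fixed"
            rc=1
        else
            echo "OK $name $have"
        fi
    done <<EOF
$FIXED_BUILDS
EOF
    return $rc
}

# On a real host, feed it the RPM database:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | check_builds
# Demo with constructed input (a grafana build older than the fixed 8.3.10):
printf 'grafana 8.3.5-1.30.1\n' | check_builds || echo "host still needs the update"
```

A non-zero exit from `check_builds` makes it usable as a gate in configuration-management or compliance jobs after running the `zypper in -t patch` command for the product.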


References:

   https://www.suse.com/security/cve/CVE-2022-21698.html
   https://www.suse.com/security/cve/CVE-2022-31097.html
   https://www.suse.com/security/cve/CVE-2022-31107.html
   https://bugzilla.suse.com/1196338
   https://bugzilla.suse.com/1198903
   https://bugzilla.suse.com/1200725
   https://bugzilla.suse.com/1201535
   https://bugzilla.suse.com/1201539

SUSE: 2022:3747-1 moderate: SUSE Manager Client Tools

October 26, 2022
