Security update for SUSE Manager Client Tools

Announcement ID: SUSE-SU-2019:2312-1
Rating: moderate
CVSS scores:
  • CVE-2019-10136 ( SUSE ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2019-10136 ( NVD ): 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected Products:
  • SUSE Linux Enterprise Desktop 12
  • SUSE Linux Enterprise Desktop 12 SP1
  • SUSE Linux Enterprise Desktop 12 SP2
  • SUSE Linux Enterprise Desktop 12 SP3
  • SUSE Linux Enterprise Desktop 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
  • SUSE Manager Client Tools for SLE 12

An update that solves one vulnerability and has 18 security fixes can now be installed.

Description:

This update fixes the following issues:

golang-github-prometheus-prometheus:

  • Add support for Uyuni/SUSE Manager service discovery
  • Added 0003-Add-Uyuni-service-discovery
  • Readded _service file removed in error.
  • Update to 2.11.1
  • Bug Fix:
    • Fix potential panic when prometheus is watching multiple zookeeper paths.
  • Update to 2.11.0
  • Bug Fix:
    • resolve race condition in maxGauge.
    • Fix ZooKeeper connection leak.
    • Improved atomicity of .tmp block replacement during compaction for usual case.
    • Fix "unknown series references" after clean shutdown.
    • Re-calculate block size when calling block.Delete.
    • Fix unsafe snapshots with head block.
    • prometheus_tsdb_compactions_failed_total is now incremented on any compaction failure.
  • Changes:
    • Remove max_retries from queue_config (it has been unused since rewriting remote-write to utilize the write-ahead-log)
    • The meta file BlockStats no longer holds size information. This is now dynamically calculated and kept in memory. It also includes the meta file size, which was not included before.
    • Renamed metric from prometheus_tsdb_wal_reader_corruption_errors to prometheus_tsdb_wal_reader_corruption_errors_total
  • Features:
    • Add option to use Alertmanager API v2.
    • Added humanizePercentage function for templates.
    • Include InitContainers in Kubernetes Service Discovery.
    • Provide option to compress WAL records using Snappy.
  • Enhancements:
    • Create new clean segment when starting the WAL.
    • Reduce allocations in PromQL aggregations.
    • Add storage warnings to LabelValues and LabelNames API results.
    • Add prometheus_http_requests_total metric.
    • Enable openbsd/arm build.
    • Remote-write allocation improvements.
    • Query performance improvement: Efficient iteration and search in HashForLabels and HashWithoutLabels.
    • Allow injection of arbitrary headers in promtool.
    • Allow passing external_labels in alert unit tests groups.
    • Allows globs for rules when unit testing.
    • Improved postings intersection matching.
    • Reduced disk usage for WAL for small setups.
    • Optimize queries using regexp for set lookups.
  • Rebase patch002-Default-settings.patch
  • Update to 2.10.0:
  • Bug Fixes:
    • TSDB: Don't panic when running out of disk space and recover nicely from the condition
    • TSDB: Correctly handle empty labels.
    • TSDB: Don't crash on an unknown tombstone reference.
    • Storage/remote: Remove queue-manager specific metrics if queue no longer exists.
    • PromQL: Correctly display {name="a"}.
    • Discovery/kubernetes: Use service rather than ingress as the name for the service workqueue.
    • Discovery/azure: Don't panic on a VM with a public IP.
    • Web: Fixed Content-Type for js and css instead of using /etc/mime.types.
    • API: Encode alert values as string to correctly represent Inf/NaN.
  • Features:
    • Template expansion: Make external labels available as $externalLabels in alert and console template expansion.
    • TSDB: Add prometheus_tsdb_wal_segment_current metric for the WAL segment index that TSDB is currently writing to. [tsdb]
    • Scrape: Add scrape_series_added per-scrape metric. #5546
  • Enhancements
    • Discovery/kubernetes: Add labels __meta_kubernetes_endpoint_node_name and __meta_kubernetes_endpoint_hostname.
    • Discovery/azure: Add label __meta_azure_machine_public_ip.
    • TSDB: Simplify mergedPostings.Seek, resulting in better performance if there are many posting lists. [tsdb]
    • Log filesystem type on startup.
    • Cmd/promtool: Use POST requests for Query and QueryRange. [client_golang]
    • Web: Sort alerts by group name.
    • Console templates: Add convenience variables $rawParams, $params, $path.
  • Update to 2.9.2
  • Bug Fixes:
    • Make sure subquery range is taken into account for selection
    • Exhaust every request body before closing it
    • Cmd/promtool: return errors from rule evaluations
    • Remote Storage: string interner should not panic in release
    • Fix memory allocation regression in mergedPostings.Seek [tsdb]
  • Update to 2.9.1
  • Bug Fixes:
    • Discovery/kubernetes: fix missing label sanitization
    • Remote_write: Prevent reshard concurrent with calling stop
  • Update to 2.9.0
  • Feature:
    • Add honor_timestamps scrape option.
  • Enhancements:
    • Update Consul to support catalog.ServiceMultipleTags.
    • Discovery/kubernetes: add present labels for labels/annotations.
    • OpenStack SD: Add ProjectID and UserID meta labels.
    • Add GODEBUG and retention to the runtime page.
    • Add support for POSTing to /series endpoint.
    • Support PUT methods for Lifecycle and Admin APIs.
    • Scrape: Add global jitter for HA server.
    • Check for cancellation on every step of a range evaluation.
    • String interning for labels & values in the remote_write path.
    • Don't lose the scrape cache on a failed scrape.
    • Reload cert files from disk automatically. [common]
    • Use fixed length millisecond timestamp format for logs. [common]
    • Performance improvements for postings.
  • Bug Fixes:
    • Remote Write: fix checkpoint reading.
    • Check if label value is valid when unmarshaling external labels from YAML.
    • Promparse: sort all labels when parsing.
    • Reload rules: copy state on both name and labels.
    • Exponentiation operator to drop metric name in result of operation.
    • Config: resolve more file paths.
    • Promtool: resolve relative paths in alert test files.
    • Set TLSHandshakeTimeout in HTTP transport. [common]
    • Use fsync to be more resilient to machine crashes.
    • Keep series that are still in WAL in checkpoints.
  • Update to 2.8.1
  • Bug Fixes
    • Display the job labels in /targets which was removed accidentally
  • Update to 2.8.0
  • Change:
    • This release uses Write-Ahead Logging (WAL) for the remote_write API. This currently causes a slight increase in memory usage, which will be addressed in future releases.
    • Default time retention is used only when no size based retention is specified. These are flags where time retention is specified by the flag --storage.tsdb.retention and size retention by --storage.tsdb.retention.size.
    • prometheus_tsdb_storage_blocks_bytes_total is now prometheus_tsdb_storage_blocks_bytes.
  • Feature:
    • (EXPERIMENTAL) Time overlapping blocks are now allowed; vertical compaction and vertical query merge. It is an optional feature which is controlled by the --storage.tsdb.allow-overlapping-blocks flag, disabled by default.
  • Enhancements:
    • Use the WAL for remote_write API.
    • Query performance improvements.
    • UI enhancements with upgrade to Bootstrap 4.
    • Reduce time that Alertmanagers are in flux when reloaded.
    • Limit number of metrics displayed on UI to 10000.
    • Remember All/Unhealthy choice on target-overview when reloading page.
    • Resize text-input area on Graph page on mouseclick.
    • In histogram_quantile merge buckets with equivalent le values.
    • Show list of offending labels in the error message in many-to-many scenarios.
    • Show Storage Retention criteria in effect on /status page.
  • Bug Fixes:
    • Fix sorting of rule groups.
    • Fix support for password_file and bearer_token_file in Kubernetes SD.
    • Scrape: catch errors when creating HTTP clients
    • Add new metrics: prometheus_target_scrape_pools_total, prometheus_target_scrape_pools_failed_total, prometheus_target_scrape_pool_reloads_total, prometheus_target_scrape_pool_reloads_failed_total
    • Fix panic when aggregator param is not a literal.

kiwi-desc-saltboot:

  • Update to version 0.1.1564399963.cf19a13
  • Fix incompatibility with Microsoft DNS (bsc#1136667)
  • Updated copyrights and bug reporting link
  • Update to version 0.1.1558613789.64ba093
  • Update to version 0.1.1556553492.2bfae0b

mgr-cfg:

  • Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)

mgr-daemon:

  • Fix systemd timer configuration on SLE12 (bsc#1142038)

mgr-osad:

  • Fix the obsoletes for old osad packages so that mgr-osad can be installed even when osad is requested at yum/zypper install (bsc#1139453)
  • Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)

mgr-virtualization:

  • Fix missing python 3 ugettext (bsc#1138494)
  • Fix package dependencies to prevent file conflict (bsc#1143856)

rhnlib:

  • Add SNI support for clients
  • Fix SSL connection initialization (bsc#1144155)
  • Fix bootstrapping of SLE11SP4 traditional clients with SSL enabled (bsc#1148177)

spacecmd:

  • Bugfix: referenced variable before assignment.
  • Bugfix: 'dict' object has no attribute 'iteritems' (bsc#1135881)
  • Add unit tests for custominfo, snippet, scap, ssm, cryptokey and distribution
  • Fix missing runtime dependencies that made spacecmd return old versions of packages in some cases, even if newer ones were available (bsc#1148311)

spacewalk-backend:

  • Do not overwrite comps and module data with older versions
  • Fix issue with "dists" keyword in url hostname
  • Import packages from all collections of a patch not just first one
  • Ensure bytes type when using hashlib to avoid traceback on XMLRPC call to "registration.register_osad" (bsc#1138822)
  • Do not duplicate "http://" protocol when using proxies with "deb" repositories (bsc#1138313)
  • Fix reposync when dealing with RedHat CDN (bsc#1138358)
  • Fix for CVE-2019-10136. An attacker with a valid, but expired, authenticated set of headers could move some digits around, artificially extending the session validity without modifying the checksum. (bsc#1136480)
  • Prevent FileNotFoundError: repomd.xml.key traceback (bsc#1137940)
  • Add journalctl output to spacewalk-debug tarballs
  • Prevent unnecessary triggering of channel-repodata tasks when GPG signing is disabled (bsc#1137715)
  • Fix spacewalk-repo-sync for Ubuntu repositories in mirror case (bsc#1136029)
  • Add support for ULN repositories on new Zypper based reposync.
  • Don't skip Deb package tags on package import (bsc#1130040)
  • For backend-libs subpackages, exclude files for the server (already part of spacewalk-backend) to avoid conflicts (bsc#1148125)
  • Prevent "duplicate key violates" errors on repo-sync with long changelog entries (bsc#1144889)
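The CVE-2019-10136 entry above describes an integrity check that could be bypassed by re-splitting digits between the time fields of an expired session. This added example (not Spacewalk code; the field names, key and token layout are constructed for illustration) shows why a MAC over a delimiter-free concatenation has that property, and how length-prefixing each field removes it.

```python
import hashlib
import hmac

# Constructed for this example; a real deployment keeps this in a key store.
SERVER_KEY = b"constructed-example-key"


def naive_checksum(server_time: str, expire_offset: str) -> str:
    """Weak: fields are joined with no delimiter, so the MAC input is one
    digit string and the boundary between the fields is invisible to it."""
    return hmac.new(SERVER_KEY, (server_time + expire_offset).encode(),
                    hashlib.sha256).hexdigest()


def canonical_checksum(server_time: str, expire_offset: str) -> str:
    """Hardened: length-prefix every field, so moving a digit across a
    field boundary changes the MAC input and therefore the checksum."""
    encoded = b"".join(f"{len(f)}:{f};".encode()
                       for f in (server_time, expire_offset))
    return hmac.new(SERVER_KEY, encoded, hashlib.sha256).hexdigest()


def session_valid(checksum_fn, server_time, expire_offset, checksum, now):
    """Verify the MAC in constant time, then enforce the expiry window."""
    expected = checksum_fn(server_time, expire_offset)
    if not hmac.compare_digest(expected, checksum):
        return False
    return now < int(server_time) + int(expire_offset)


def demo():
    """Return (naive_accepts_resplit, canonical_accepts_resplit).

    A token issued at server_time 1560000000 with a 3600 s offset is
    presented 10000 s later, so it is genuinely expired.  The same 14
    digits are then re-split so the offset field reads 5600000003600."""
    issued_time, offset, now = "1560000000", "3600", 1560010000
    resplit_time, resplit_offset = "1", "5600000003600"
    assert issued_time + offset == resplit_time + resplit_offset
    results = []
    for fn in (naive_checksum, canonical_checksum):
        issued_sum = fn(issued_time, offset)  # checksum the server handed out
        assert not session_valid(fn, issued_time, offset, issued_sum, now)
        results.append(session_valid(fn, resplit_time, resplit_offset,
                                     issued_sum, now))
    return tuple(results)  # (True, False)
```

The weak variant accepts the re-split fields because their concatenation, and hence the MAC, is unchanged; the length-prefixed variant rejects them, and the expiry check on the original fields still fails as it should.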

spacewalk-remote-utils:

  • Add RHEL8

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Manager Client Tools for SLE 12
    zypper in -t patch SUSE-SLE-Manager-Tools-12-2019-2312=1

Package List:

  • SUSE Manager Client Tools for SLE 12 (aarch64 ppc64le s390x x86_64)
    • golang-github-prometheus-prometheus-2.11.1-1.6.2
  • SUSE Manager Client Tools for SLE 12 (noarch)
    • mgr-daemon-4.0.7-1.8.2
    • mgr-osad-4.0.9-1.6.2
    • python2-mgr-osa-common-4.0.9-1.6.2
    • python2-rhnlib-4.0.11-21.16.1
    • mgr-cfg-client-4.0.9-1.6.4
    • mgr-cfg-management-4.0.9-1.6.4
    • python2-mgr-cfg-management-4.0.9-1.6.4
    • mgr-cfg-actions-4.0.9-1.6.4
    • python2-mgr-cfg-client-4.0.9-1.6.4
    • python2-mgr-virtualization-common-4.0.8-1.8.3
    • python2-mgr-virtualization-host-4.0.8-1.8.3
    • spacecmd-4.0.14-38.49.1
    • python2-mgr-cfg-actions-4.0.9-1.6.4
    • spacewalk-remote-utils-4.0.5-24.12.2
    • spacewalk-backend-libs-4.0.25-55.41.1
    • kiwi-desc-saltboot-0.1.1564399963.cf19a13-1.12.1
    • python2-mgr-cfg-4.0.9-1.6.4
    • mgr-virtualization-host-4.0.8-1.8.3
    • python2-mgr-osad-4.0.9-1.6.2
    • mgr-cfg-4.0.9-1.6.4
