Security update for SUSE Manager Client Tools

Announcement ID:	SUSE-SU-2023:2183-1
Rating:	important
References:	bsc#1047218 bsc#1197284 bsc#1203185 bsc#1203599 bsc#1204023 bsc#1208049 bsc#1208051 bsc#1208060 bsc#1208062 bsc#1208064 bsc#1208965 bsc#1209113 jsc#MSQA-663 jsc#MSQA-665 jsc#PED-3576 jsc#PED-3578
Cross-References:	CVE-2022-27191 CVE-2022-27664 CVE-2022-41715 CVE-2022-46146
CVSS scores:	CVE-2022-27191 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27191 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27664 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-27664 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-41715 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-41715 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-46146 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-46146 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 SUSE Manager Client Tools for SLE 12 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9

An update that solves four vulnerabilities, contains four features and has eight security fixes can now be installed.

Description:

This update fixes the following issues:

golang-github-prometheus-alertmanager:

• Security issues fixed:
• CVE-2022-46146: Fix authentication bypass via cache poisoning (bsc#1208051)

prometheus-blackbox_exporter:

• Security issues fixed:
• CVE-2022-46146: Fix authentication bypass via cache poisoning (bsc#1208062)
• Other non-security bugs fixed and changes:
• Add min_version parameter of tls_config to allow enabling TLS 1.0 and 1.1 (bsc#1209113)
• On SUSE Linux Enterprise build always with Go >= 1.19 (bsc#1203599)

prometheus-postgres_exporter:

• Security issues fixed:
• CVE-2022-46146: Fix authentication bypass via cache poisoning (bsc#1208060)
• Other non-security issues fixed:
• Adapt the systemd service security configuration to be able to start it on for Red Hat Linux Enterprise systems and clones
• Create the prometheus user for Red Hat Linux Enterprise systems and clones
• Fix broken log-level for values other than debug (bsc#1208965)

golang-github-prometheus-node_exporter:

• Security issues fixed in this version update to version 1.5.0 (jsc#PED-3578):
• CVE-2022-27191: Update go/x/crypto (bsc#1197284)
• CVE-2022-27664: Update go/x/net (bsc#1203185)
• CVE-2022-46146: Update exporter-toolkit (bsc#1208064)
• Other non-security bug fixes and changes in this version update to 1.5.0 (jsc#PED-3578):
• NOTE: This changes the Go runtime "GOMAXPROCS" to 1. This is done to limit the concurrency of the exporter to 1 CPU thread at a time in order to avoid a race condition problem in the Linux kernel and parallel IO issues on nodes with high numbers of CPUs/CPU threads.
• [BUGFIX] Fix hwmon label sanitizer
• [BUGFIX] Use native endianness when encoding InetDiagMsg
• [BUGFIX] Fix btrfs device stats always being zero
• [BUGFIX] Fix diskstats exclude flags
• [BUGFIX] [node-mixin] Fix fsSpaceAvailableCriticalThreshold and fsSpaceAvailableWarning
• [BUGFIX] Fix concurrency issue in ethtool collector
• [BUGFIX] Fix concurrency issue in netdev collector
• [BUGFIX] Fix diskstat reads and write metrics for disks with different sector sizes
• [BUGFIX] Fix iostat on macos broken by deprecation warning
• [BUGFIX] Fix NodeFileDescriptorLimit alerts
• [BUGFIX] Sanitize rapl zone names
• [BUGFIX] Add file descriptor close safely in test
• [BUGFIX] Fix race condition in os_release.go
• [BUGFIX] Skip ZFS IO metrics if their paths are missing
• [BUGFIX] Handle nil CPU thermal power status on M1
• [BUGFIX] bsd: Ignore filesystems flagged as MNT_IGNORE
• [BUGFIX] Sanitize UTF-8 in dmi collector
• [CHANGE] Merge metrics descriptions in textfile collector
• [FEATURE] Add multiple listeners and systemd socket listener activation
• [FEATURE] [node-mixin] Add darwin dashboard to mixin
• [FEATURE] Add "isolated" metric on cpu collector on linux
• [FEATURE] Add cgroup summary collector
• [FEATURE] Add selinux collector
• [FEATURE] Add slab info collector
• [FEATURE] Add sysctl collector
• [FEATURE] Also track the CPU Spin time for OpenBSD systems
• [FEATURE] Add support for MacOS version
• [ENHANCEMENT] Add RTNL version of netclass collector
• [ENHANCEMENT] [node-mixin] Add missing selectors
• [ENHANCEMENT] [node-mixin] Change current datasource to grafana's default
• [ENHANCEMENT] [node-mixin] Change disk graph to disk table
• [ENHANCEMENT] [node-mixin] Change io time units to %util
• [ENHANCEMENT] Ad user_wired_bytes and laundry_bytes on *bsd
• [ENHANCEMENT] Add additional vm_stat memory metrics for darwin
• [ENHANCEMENT] Add device filter flags to arp collector
• [ENHANCEMENT] Add diskstats include and exclude device flags
• [ENHANCEMENT] Add node_softirqs_total metric
• [ENHANCEMENT] Add rapl zone name label option
• [ENHANCEMENT] Add slabinfo collector
• [ENHANCEMENT] Allow user to select port on NTP server to query
• [ENHANCEMENT] collector/diskstats: Add labels and metrics from udev
• [ENHANCEMENT] Enable builds against older macOS SDK
• [ENHANCEMENT] qdisk-linux: Add exclude and include flags for interface name
• [ENHANCEMENT] systemd: Expose systemd minor version
• [ENHANCEMENT] Use netlink for tcpstat collector
• [ENHANCEMENT] Use netlink to get netdev stats
• [ENHANCEMENT] Add additional perf counters for stalled frontend/backend cycles
• [ENHANCEMENT] Add btrfs device error stats

golang-github-prometheus-prometheus:

• Security issues fixed in this version update to 2.37.6 (jsc#PED-3576):
• CVE-2022-46146: Fix basic authentication bypass vulnerability (bsc#1208049, jsc#PED-3576)
• CVE-2022-41715: Update our regexp library to fix upstream (bsc#1204023)
• Other non-security bug fixes and changes in this version update to 2.37.6 (jsc#PED-3576):
• [BUGFIX] TSDB: Turn off isolation for Head compaction to fix a memory leak.
• [BUGFIX] TSDB: Fix 'invalid magic number 0' error on Prometheus startup.
• [BUGFIX] Agent: Fix validation of flag options and prevent WAL from growing more than desired.
• [BUGFIX] Properly close file descriptor when logging unfinished queries.
• [BUGFIX] TSDB: In the WAL watcher metrics, expose the type="exemplar" label instead of type="unknown" for exemplar records.
• [BUGFIX] Alerting: Fix Alertmanager targets not being updated when alerts were queued.
• [BUGFIX] Hetzner SD: Make authentication files relative to Prometheus config file.
• [BUGFIX] Promtool: Fix promtool check config not erroring properly on failures.
• [BUGFIX] Scrape: Keep relabeled scrape interval and timeout on reloads.
• [BUGFIX] TSDB: Don't increment prometheus_tsdb_compactions_failed_total when context is canceled.
• [BUGFIX] TSDB: Fix panic if series is not found when deleting series.
• [BUGFIX] TSDB: Increase prometheus_tsdb_mmap_chunk_corruptions_total on out of sequence errors.
• [BUGFIX] Uyuni SD: Make authentication files relative to Prometheus configuration file and fix default configuration values.
• [BUGFIX] Fix serving of static assets like fonts and favicon.
• [BUGFIX] promtool: Add --lint-fatal option.
• [BUGFIX] Changing TotalQueryableSamples from int to int64.
• [BUGFIX] tsdb/agent: Ignore duplicate exemplars.
• [BUGFIX] TSDB: Fix chunk overflow appending samples at a variable rate.
• [BUGFIX] Stop rule manager before TSDB is stopped.
• [BUGFIX] Kubernetes SD: Explicitly include gcp auth from k8s.io.
• [BUGFIX] Fix OpenMetrics parser to sort uppercase labels correctly.
• [BUGFIX] UI: Fix scrape interval and duration tooltip not showing on target page.
• [BUGFIX] Tracing/GRPC: Set TLS credentials only when insecure is false.
• [BUGFIX] Agent: Fix ID collision when loading a WAL with multiple segments.
• [BUGFIX] Remote-write: Fix a deadlock between Batch and flushing the queue.
• [BUGFIX] PromQL: Properly return an error from histogram_quantile when metrics have the same labelset.
• [BUGFIX] UI: Fix bug that sets the range input to the resolution.
• [BUGFIX] TSDB: Fix a query panic when memory-snapshot-on-shutdown is enabled.
• [BUGFIX] Parser: Specify type in metadata parser errors.
• [BUGFIX] Scrape: Fix label limit changes not applying.
• [BUGFIX] Remote-write: Fix deadlock between adding to queue and getting batch.
• [BUGFIX] TSDB: Fix panic when m-mapping head chunks onto the disk.
• [BUGFIX] Azure SD: Fix a regression when public IP Address isn't set.
• [BUGFIX] Azure SD: Fix panic when public IP Address isn't set.
• [BUGFIX] Remote-write: Fix deadlock when stopping a shard.
• [BUGFIX] SD: Fix no such file or directory in K8s SD when not running inside K8s.
• [BUGFIX] Promtool: Make exit codes more consistent.
• [BUGFIX] Promtool: Fix flakiness of rule testing.
• [BUGFIX] Remote-write: Update prometheus_remote_storage_queue_highest_sent_timestamp_seconds metric when write irrecoverably fails.
• [BUGFIX] Storage: Avoid panic in BufferedSeriesIterator.
• [BUGFIX] TSDB: CompactBlockMetas should produce correct mint/maxt for overlapping blocks.
• [BUGFIX] TSDB: Fix logging of exemplar storage size.
• [BUGFIX] UI: Fix overlapping click targets for the alert state checkboxes.
• [BUGFIX] UI: Fix Unhealthy filter on target page to actually display only Unhealthy targets.
• [BUGFIX] UI: Fix autocompletion when expression is empty.
• [BUGFIX] TSDB: Fix deadlock from simultaneous GC and write.
• [CHANGE] TSDB: Delete *.tmp WAL files when Prometheus starts.
• [CHANGE] promtool: Add new flag --lint (enabled by default) for the commands check rules and check config, resulting in a new exit code (3) for linter errors.
• [CHANGE] UI: Classic UI removed.
• [CHANGE] Tracing: Migrate from Jaeger to OpenTelemetry based tracing.
• [CHANGE] PromQL: Promote negative offset and @ modifer to stable features.
• [CHANGE] Web: Promote remote-write-receiver to stable.
• [FEATURE] Nomad SD: New service discovery for Nomad built-in service discovery.
• [FEATURE] Add lowercase and uppercase relabel action.
• [FEATURE] SD: Add IONOS Cloud integration.
• [FEATURE] SD: Add Vultr integration.
• [FEATURE] SD: Add Linode SD failure count metric.
• [FEATURE] Add prometheus_ready metric.
• [FEATURE] Support for automatically setting the variable GOMAXPROCS to the container CPU limit. Enable with the flag --enable-feature=auto-gomaxprocs.
• [FEATURE] PromQL: Extend statistics with total and peak number of samples in a query. Additionally, per-step statistics are available with --enable-feature=promql-per-step-stats and using stats=all in the query API. Enable with the flag --enable-feature=per-step-stats.
• [FEATURE] Config: Add stripPort template function.
• [FEATURE] Promtool: Add cardinality analysis to check metrics, enabled by flag --extended.
• [FEATURE] SD: Enable target discovery in own K8s namespace.
• [FEATURE] SD: Add provider ID label in K8s SD.
• [FEATURE] Web: Add limit field to the rules API.
• [ENHANCEMENT] Kubernetes SD: Allow attaching node labels for endpoint role.
• [ENHANCEMENT] PromQL: Optimise creation of signature with/without labels.
• [ENHANCEMENT] TSDB: Memory optimizations.
• [ENHANCEMENT] TSDB: Reduce sleep time when reading WAL.
• [ENHANCEMENT] OAuth2: Add appropriate timeouts and User-Agent header.
• [ENHANCEMENT] Add stripDomain to template function.
• [ENHANCEMENT] UI: Enable active search through dropped targets.
• [ENHANCEMENT] promtool: support matchers when querying label
• [ENHANCEMENT] Add agent mode identifier.
• [ENHANCEMENT] TSDB: more efficient sorting of postings read from WAL at startup.
• [ENHANCEMENT] Azure SD: Add metric to track Azure SD failures.
• [ENHANCEMENT] Azure SD: Add an optional resource_group configuration.
• [ENHANCEMENT] Kubernetes SD: Support discovery.k8s.io/v1 EndpointSlice (previously only discovery.k8s.io/v1beta1 EndpointSlice was supported).
• [ENHANCEMENT] Kubernetes SD: Allow attaching node metadata to discovered pods.
• [ENHANCEMENT] OAuth2: Support for using a proxy URL to fetch OAuth2 tokens.
• [ENHANCEMENT] Configuration: Add the ability to disable HTTP2.
• [ENHANCEMENT] Config: Support overriding minimum TLS version.
• [ENHANCEMENT] TSDB: Disable the chunk write queue by default and allow configuration with the experimental flag --storage.tsdb.head-chunks-write-queue-size.
• [ENHANCEMENT] HTTP SD: Add a failure counter.
• [ENHANCEMENT] Azure SD: Set Prometheus User-Agent on requests.
• [ENHANCEMENT] Uyuni SD: Reduce the number of logins to Uyuni.
• [ENHANCEMENT] Scrape: Log when an invalid media type is encountered during a scrape.
• [ENHANCEMENT] Scrape: Accept application/openmetrics-text;version=1.0.0 in addition to version=0.0.1.
• [ENHANCEMENT] Remote-read: Add an option to not use external labels as selectors for remote read.
• [ENHANCEMENT] UI: Optimize the alerts page and add a search bar.
• [ENHANCEMENT] UI: Improve graph colors that were hard to see.
• [ENHANCEMENT] Config: Allow escaping of $ with $$ when using environment variables with external labels.
• [ENHANCEMENT] Remote-write: Avoid allocations by buffering concrete structs instead of interfaces.
• [ENHANCEMENT] Remote-write: Log time series details for out-of-order samples in remote write receiver.
• [ENHANCEMENT] Remote-write: Shard up more when backlogged.
• [ENHANCEMENT] TSDB: Use simpler map key to improve exemplar ingest performance.
• [ENHANCEMENT] TSDB: Avoid allocations when popping from the intersected postings heap.
• [ENHANCEMENT] TSDB: Make chunk writing non-blocking, avoiding latency spikes in remote-write.
• [ENHANCEMENT] TSDB: Improve label matching performance.
• [ENHANCEMENT] UI: Optimize the service discovery page and add a search bar.
• [ENHANCEMENT] UI: Optimize the target page and add a search bar.

golang-github-prometheus-promu:

• Non-security bug fixes and changes in this version update to 0.14.0 (jsc#PED-3576):
• [BUGFIX] Set build date from last changelog modification (bsc#1047218)
• [BUGFIX] Validate environment variable value
• [BUGFIX]Set build date from SOURCE_DATE_EPOCH
• [BUGFIX]Make extldflags extensible by configuration.
• [BUGFIX] Avoid bind-mounting to allow building with a remote docker engine
• [BUGFIX] Fix build on SmartOS by not setting gcc's -static flag
• [BUGFIX] Fix git repository url parsing
• [CHANGE] Remove ioutil
• [CHANGE] Update common Prometheus files
• [FEATURE] Add the ability to override tags per GOOS
• [FEATURE] Adding changes to support s390x
• [FEATURE] Added check_licenses Command to Promu
• [ENHANCEMENT] Allow to customize nested options via env variables
• [ENHANCEMENT] Add warning if promu info is unable to determine repo info

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE OpenStack Cloud 9
  zypper in -t patch SUSE-OpenStack-Cloud-9-2023-2183=1
• SUSE OpenStack Cloud Crowbar 9
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2023-2183=1
• SUSE Manager Client Tools for SLE 12
  zypper in -t patch SUSE-SLE-Manager-Tools-12-2023-2183=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP4
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2023-2183=1
• SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-ESPOS-2023-2183=1
• SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2023-2183=1
• SUSE Linux Enterprise High Performance Computing 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-2183=1
• SUSE Linux Enterprise Server 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-2183=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-2183=1

Package List:

• SUSE OpenStack Cloud 9 (x86_64)
  • golang-github-prometheus-node_exporter-1.5.0-1.24.4
• SUSE OpenStack Cloud Crowbar 9 (x86_64)
  • golang-github-prometheus-node_exporter-1.5.0-1.24.4
• SUSE Manager Client Tools for SLE 12 (aarch64 ppc64le s390x x86_64)
  • prometheus-blackbox_exporter-0.19.0-1.17.1
  • prometheus-blackbox_exporter-debuginfo-0.19.0-1.17.1
  • golang-github-prometheus-node_exporter-1.5.0-1.24.4
  • golang-github-prometheus-promu-0.14.0-1.12.1
  • prometheus-postgres_exporter-0.10.1-1.11.5
  • golang-github-prometheus-prometheus-2.37.6-1.44.3
  • golang-github-prometheus-alertmanager-0.23.0-1.18.3
• SUSE Linux Enterprise Server for SAP Applications 12 SP4 (ppc64le x86_64)
  • golang-github-prometheus-node_exporter-1.5.0-1.24.4
• SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (aarch64 x86_64)
  • golang-github-prometheus-node_exporter-1.5.0-1.24.4
• SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-node_exporter-1.5.0-1.24.4
• SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
  • golang-github-prometheus-node_exporter-1.5.0-1.24.4
• SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-node_exporter-1.5.0-1.24.4
• SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
  • golang-github-prometheus-node_exporter-1.5.0-1.24.4

References:

• https://www.suse.com/security/cve/CVE-2022-27191.html
• https://www.suse.com/security/cve/CVE-2022-27664.html
• https://www.suse.com/security/cve/CVE-2022-41715.html
• https://www.suse.com/security/cve/CVE-2022-46146.html
• https://bugzilla.suse.com/show_bug.cgi?id=1047218
• https://bugzilla.suse.com/show_bug.cgi?id=1197284
• https://bugzilla.suse.com/show_bug.cgi?id=1203185
• https://bugzilla.suse.com/show_bug.cgi?id=1203599
• https://bugzilla.suse.com/show_bug.cgi?id=1204023
• https://bugzilla.suse.com/show_bug.cgi?id=1208049
• https://bugzilla.suse.com/show_bug.cgi?id=1208051
• https://bugzilla.suse.com/show_bug.cgi?id=1208060
• https://bugzilla.suse.com/show_bug.cgi?id=1208062
• https://bugzilla.suse.com/show_bug.cgi?id=1208064
• https://bugzilla.suse.com/show_bug.cgi?id=1208965
• https://bugzilla.suse.com/show_bug.cgi?id=1209113
• https://jira.suse.com/browse/MSQA-663
• https://jira.suse.com/browse/MSQA-665
• https://jira.suse.com/browse/PED-3576
• https://jira.suse.com/browse/PED-3578