<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for SUSE Manager Client Tools</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE-SU-2024:1508-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2024-05-06T09:46:36Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2024-05-06T09:46:36Z</InitialReleaseDate>
    <CurrentReleaseDate>2024-05-06T09:46:36Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for SUSE Manager Client Tools</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">
This update fixes the following issues:

golang-github-prometheus-node_exporter:

- Update to 1.7.0 (jsc#PED-7893, jsc#PED-7928):
  * [FEATURE] Add ZFS freebsd per dataset stats #2753
  * [FEATURE] Add cpu vulnerabilities reporting from sysfs #2721
  * [ENHANCEMENT] Parallelize stat calls in Linux filesystem
    collector #1772
  * [ENHANCEMENT] Add missing linkspeeds to ethtool collector #2711
  * [ENHANCEMENT] Add CPU MHz as the value for node_cpu_info metric
    #2778
  * [ENHANCEMENT] Improve qdisc collector performance #2779
  * [ENHANCEMENT] Add include and exclude filter for hwmon
    collector #2699
  * [ENHANCEMENT] Optionally fetch ARP stats via rtnetlink instead
    of procfs #2777
  * [BUGFIX] Fix ZFS arcstats on FreeBSD 14.0+ #2754
  * [BUGFIX] Fallback to 32-bit stats in netdev #2757
  * [BUGFIX] Close btrfs.FS handle after use #2780
  * [BUGFIX] Move RO status before error return #2807
  * [BUGFIX] Fix promhttp_metric_handler_errors_total being always
    active #2808
  * [BUGFIX] Fix nfsd v4 index miss #2824
- Update to 1.6.1:
  (no source code changes in this release)
- BuildRequire go1.20
- Update to 1.6.0:
  * [CHANGE] Fix cpustat when some cpus are offline #2318
  * [CHANGE] Remove metrics of offline CPUs in CPU collector #2605
  * [CHANGE] Deprecate ntp collector #2603
  * [CHANGE] Remove bcache `cache_readaheads_totals` metrics #2583
  * [CHANGE] Deprecate supervisord collector #2685
  * [FEATURE] Enable uname collector on NetBSD #2559
  * [FEATURE] NetBSD support for the meminfo collector #2570
  * [FEATURE] NetBSD support for CPU collector #2626
  * [FEATURE] Add FreeBSD collector for netisr subsystem #2668
  * [FEATURE] Add softirqs collector #2669
  * [ENHANCEMENT] Add suspended as a `node_zfs_zpool_state` #2449
  * [ENHANCEMENT] Add administrative state of Linux network
    interfaces #2515
  * [ENHANCEMENT] Log current value of GOMAXPROCS #2537
  * [ENHANCEMENT] Add profiler options for perf collector #2542
  * [ENHANCEMENT] Allow root path as metrics path #2590
  * [ENHANCEMENT] Add cpu frequency governor metrics #2569
  * [ENHANCEMENT] Add new landing page #2622
  * [ENHANCEMENT] Reduce privileges needed for btrfs device stats
    #2634
  * [ENHANCEMENT] Add ZFS `memory_available_bytes` #2687
  * [ENHANCEMENT] Use `SCSI_IDENT_SERIAL` as serial in diskstats
    #2612
  * [ENHANCEMENT] Read missing from netlink netclass attributes
    from sysfs #2669
  * [BUGFIX] perf: fixes for automatically detecting the correct
    tracefs mountpoints #2553
  * [BUGFIX] Fix `thermal_zone` collector noise #2554
  * [BUGFIX] Fix a problem fetching the user wire count on FreeBSD
    #2584
  * [BUGFIX] interrupts: Fix fields on linux aarch64 #2631
  * [BUGFIX] Remove metrics of offline CPUs in CPU collector #2605
  * [BUGFIX] Fix OpenBSD filesystem collector string parsing #2637
  * [BUGFIX] Fix bad reporting of `node_cpu_seconds_total` in
    OpenBSD #2663
- Change go_modules archive in _service to use obscpio file

grafana:

- Packaging improvements:
  * Changed deprecated `disabled` service mode to `manual`
  * Drop golang-packaging macros
  * Drop explicit mod=vendor as it is enabled automatically
- Update to version 9.5.18:
  * [SECURITY] CVE-2024-1313: Require same organisation when
    deleting snapshots (bsc#1222155)
- Update to version 9.5.17:
  * [FEATURE] Alerting: Backport use Alertmanager API v2
- Require Go 1.20
- Update to version 9.5.16:
  * [SECURITY] CVE-2023-6152: Add email verification when updating
    user email (bsc#1219912)
  * [BUGFIX] Annotations: Split cleanup into separate queries and
    deletes to avoid deadlocks on MySQL
- Update to version 9.5.15:
  * [FEATURE] Alerting: Attempt to retry retryable errors
- Update to version 9.5.14:
  * [BUGFIX] Alerting: Fix state manager to not keep
    datasource_uid and ref_id labels in state after Error
  * [BUGFIX] Transformations: Config overrides being lost when
    config from query transform is applied
  * [BUGFIX] LDAP: Fix enable users on successful login
- Update to version 9.5.13:
  * [BUGFIX] BrowseDashboards: Only remember the most recent
    expanded folder
  * [BUGFIX] Licensing: Pass func to update env variables when
    starting plugin
- Update to version 9.5.12:
  * [FEATURE] Azure: Add support for Workload Identity
    authentication
- Update to version 9.5.9:
  * [FEATURE] SSE: Fix DSNode to not panic when response has empty
    response
  * [FEATURE] Prometheus: Handle the response with different field
    key order
  * [BUGFIX] LDAP: Fix user disabling

mgr-daemon:

- Version 4.3.9-0
  * Update translation strings

spacecmd:

- Version 4.3.27-0
  * Update translation strings

spacewalk-client-tools:

- Version 4.3.19-0
  * Update translation strings

spacewalk-koan:

- Version 4.3.6-0
  * Change Docker image location for test

uyuni-common-libs:

- Version 4.3.10-0
  * Add support for package signature type V4 RSA/SHA384
  * Add support for package signature type V4 RSA/SHA512 (bsc#1221465)

</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">SUSE-2024-1508,SUSE-SLE-Manager-Tools-12-2024-1508,SUSE-SLE-SERVER-12-SP5-2024-1508</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/update/announcement/2024/suse-su-20241508-1/</URL>
      <Description>Link for SUSE-SU-2024:1508-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://lists.suse.com/pipermail/sle-updates/2024-May/035169.html</URL>
      <Description>E-Mail link for SUSE-SU-2024:1508-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1219912</URL>
      <Description>SUSE Bug 1219912</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1221465</URL>
      <Description>SUSE Bug 1221465</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1222155</URL>
      <Description>SUSE Bug 1222155</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-6152/</URL>
      <Description>SUSE CVE CVE-2023-6152 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-1313/</URL>
      <Description>SUSE CVE CVE-2024-1313 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Linux Enterprise Server 12 SP5">
      <Branch Type="Product Name" Name="SUSE Linux Enterprise Server 12 SP5">
        <FullProductName ProductID="SUSE Linux Enterprise Server 12 SP5" CPE="cpe:/o:suse:sles:12:sp5">SUSE Linux Enterprise Server 12 SP5</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="SUSE Linux Enterprise Server for SAP Applications 12 SP5">
      <Branch Type="Product Name" Name="SUSE Linux Enterprise Server for SAP Applications 12 SP5">
        <FullProductName ProductID="SUSE Linux Enterprise Server for SAP Applications 12 SP5" CPE="cpe:/o:suse:sles_sap:12:sp5">SUSE Linux Enterprise Server for SAP Applications 12 SP5</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="SUSE Manager Client Tools 12">
      <Branch Type="Product Name" Name="SUSE Manager Client Tools 12">
        <FullProductName ProductID="SUSE Manager Client Tools 12">SUSE Manager Client Tools 12</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="golang-github-prometheus-alertmanager-0.26.0-1.27.2">
      <FullProductName ProductID="golang-github-prometheus-alertmanager-0.26.0-1.27.2">golang-github-prometheus-alertmanager-0.26.0-1.27.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="golang-github-prometheus-node_exporter-1.7.0-1.30.2">
      <FullProductName ProductID="golang-github-prometheus-node_exporter-1.7.0-1.30.2">golang-github-prometheus-node_exporter-1.7.0-1.30.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="golang-github-prometheus-promu-0.14.0-1.18.1">
      <FullProductName ProductID="golang-github-prometheus-promu-0.14.0-1.18.1">golang-github-prometheus-promu-0.14.0-1.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="grafana-9.5.18-1.63.1">
      <FullProductName ProductID="grafana-9.5.18-1.63.1">grafana-9.5.18-1.63.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mgr-daemon-4.3.9-1.47.1">
      <FullProductName ProductID="mgr-daemon-4.3.9-1.47.1">mgr-daemon-4.3.9-1.47.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-spacewalk-check-4.3.19-52.98.1">
      <FullProductName ProductID="python2-spacewalk-check-4.3.19-52.98.1">python2-spacewalk-check-4.3.19-52.98.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-spacewalk-client-setup-4.3.19-52.98.1">
      <FullProductName ProductID="python2-spacewalk-client-setup-4.3.19-52.98.1">python2-spacewalk-client-setup-4.3.19-52.98.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-spacewalk-client-tools-4.3.19-52.98.1">
      <FullProductName ProductID="python2-spacewalk-client-tools-4.3.19-52.98.1">python2-spacewalk-client-tools-4.3.19-52.98.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-spacewalk-koan-4.3.6-24.36.1">
      <FullProductName ProductID="python2-spacewalk-koan-4.3.6-24.36.1">python2-spacewalk-koan-4.3.6-24.36.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-uyuni-common-libs-4.3.10-1.39.1">
      <FullProductName ProductID="python2-uyuni-common-libs-4.3.10-1.39.1">python2-uyuni-common-libs-4.3.10-1.39.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="spacecmd-4.3.27-38.139.1">
      <FullProductName ProductID="spacecmd-4.3.27-38.139.1">spacecmd-4.3.27-38.139.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="spacewalk-check-4.3.19-52.98.1">
      <FullProductName ProductID="spacewalk-check-4.3.19-52.98.1">spacewalk-check-4.3.19-52.98.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="spacewalk-client-setup-4.3.19-52.98.1">
      <FullProductName ProductID="spacewalk-client-setup-4.3.19-52.98.1">spacewalk-client-setup-4.3.19-52.98.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="spacewalk-client-tools-4.3.19-52.98.1">
      <FullProductName ProductID="spacewalk-client-tools-4.3.19-52.98.1">spacewalk-client-tools-4.3.19-52.98.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="spacewalk-koan-4.3.6-24.36.1">
      <FullProductName ProductID="spacewalk-koan-4.3.6-24.36.1">spacewalk-koan-4.3.6-24.36.1</FullProductName>
    </Branch>
    <Relationship ProductReference="golang-github-prometheus-node_exporter-1.7.0-1.30.2" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server 12 SP5">
      <FullProductName ProductID="SUSE Linux Enterprise Server 12 SP5:golang-github-prometheus-node_exporter-1.7.0-1.30.2">golang-github-prometheus-node_exporter-1.7.0-1.30.2 as a component of SUSE Linux Enterprise Server 12 SP5</FullProductName>
    </Relationship>
    <Relationship ProductReference="golang-github-prometheus-node_exporter-1.7.0-1.30.2" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Enterprise Server for SAP Applications 12 SP5">
      <FullProductName ProductID="SUSE Linux Enterprise Server for SAP Applications 12 SP5:golang-github-prometheus-node_exporter-1.7.0-1.30.2">golang-github-prometheus-node_exporter-1.7.0-1.30.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5</FullProductName>
    </Relationship>
    <Relationship ProductReference="golang-github-prometheus-alertmanager-0.26.0-1.27.2" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Client Tools 12">
      <FullProductName ProductID="SUSE Manager Client Tools 12:golang-github-prometheus-alertmanager-0.26.0-1.27.2">golang-github-prometheus-alertmanager-0.26.0-1.27.2 as a component of SUSE Manager Client Tools 12</FullProductName>
    </Relationship>
    <Relationship ProductReference="golang-github-prometheus-node_exporter-1.7.0-1.30.2" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Client Tools 12">
      <FullProductName ProductID="SUSE Manager Client Tools 12:golang-github-prometheus-node_exporter-1.7.0-1.30.2">golang-github-prometheus-node_exporter-1.7.0-1.30.2 as a component of SUSE Manager Client Tools 12</FullProductName>
    </Relationship>
    <Relationship ProductReference="golang-github-prometheus-promu-0.14.0-1.18.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Client Tools 12">
      <FullProductName ProductID="SUSE Manager Client Tools 12:golang-github-prometheus-promu-0.14.0-1.18.1">golang-github-prometheus-promu-0.14.0-1.18.1 as a component of SUSE Manager Client Tools 12</FullProductName>
    </Relationship>
    <Relationship ProductReference="grafana-9.5.18-1.63.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Client Tools 12">
      <FullProductName ProductID="SUSE Manager Client Tools 12:grafana-9.5.18-1.63.1">grafana-9.5.18-1.63.1 as a component of SUSE Manager Client Tools 12</FullProductName>
    </Relationship>
    <Relationship ProductReference="mgr-daemon-4.3.9-1.47.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Client Tools 12">
      <FullProductName ProductID="SUSE Manager Client Tools 12:mgr-daemon-4.3.9-1.47.1">mgr-daemon-4.3.9-1.47.1 as a component of SUSE Manager Client Tools 12</FullProductName>
    </Relationship>
    <Relationship ProductReference="python2-spacewalk-check-4.3.19-52.98.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Client Tools 12">
      <FullProductName ProductID="SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.19-52.98.1">python2-spacewalk-check-4.3.19-52.98.1 as a component of SUSE Manager Client Tools 12</FullProductName>
    </Relationship>
    <Relationship ProductReference="python2-spacewalk-client-setup-4.3.19-52.98.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Client Tools 12">
      <FullProductName ProductID="SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.19-52.98.1">python2-spacewalk-client-setup-4.3.19-52.98.1 as a component of SUSE Manager Client Tools 12</FullProductName>
    </Relationship>
    <Relationship ProductReference="python2-spacewalk-client-tools-4.3.19-52.98.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Client Tools 12">
      <FullProductName ProductID="SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.19-52.98.1">python2-spacewalk-client-tools-4.3.19-52.98.1 as a component of SUSE Manager Client Tools 12</FullProductName>
    </Relationship>
    <Relationship ProductReference="python2-spacewalk-koan-4.3.6-24.36.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Client Tools 12">
      <FullProductName ProductID="SUSE Manager Client Tools 12:python2-spacewalk-koan-4.3.6-24.36.1">python2-spacewalk-koan-4.3.6-24.36.1 as a component of SUSE Manager Client Tools 12</FullProductName>
    </Relationship>
    <Relationship ProductReference="python2-uyuni-common-libs-4.3.10-1.39.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Client Tools 12">
      <FullProductName ProductID="SUSE Manager Client Tools 12:python2-uyuni-common-libs-4.3.10-1.39.1">python2-uyuni-common-libs-4.3.10-1.39.1 as a component of SUSE Manager Client Tools 12</FullProductName>
    </Relationship>
    <Relationship ProductReference="spacecmd-4.3.27-38.139.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Client Tools 12">
      <FullProductName ProductID="SUSE Manager Client Tools 12:spacecmd-4.3.27-38.139.1">spacecmd-4.3.27-38.139.1 as a component of SUSE Manager Client Tools 12</FullProductName>
    </Relationship>
    <Relationship ProductReference="spacewalk-check-4.3.19-52.98.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Client Tools 12">
      <FullProductName ProductID="SUSE Manager Client Tools 12:spacewalk-check-4.3.19-52.98.1">spacewalk-check-4.3.19-52.98.1 as a component of SUSE Manager Client Tools 12</FullProductName>
    </Relationship>
    <Relationship ProductReference="spacewalk-client-setup-4.3.19-52.98.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Client Tools 12">
      <FullProductName ProductID="SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.19-52.98.1">spacewalk-client-setup-4.3.19-52.98.1 as a component of SUSE Manager Client Tools 12</FullProductName>
    </Relationship>
    <Relationship ProductReference="spacewalk-client-tools-4.3.19-52.98.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Client Tools 12">
      <FullProductName ProductID="SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.19-52.98.1">spacewalk-client-tools-4.3.19-52.98.1 as a component of SUSE Manager Client Tools 12</FullProductName>
    </Relationship>
    <Relationship ProductReference="spacewalk-koan-4.3.6-24.36.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Manager Client Tools 12">
      <FullProductName ProductID="SUSE Manager Client Tools 12:spacewalk-koan-4.3.6-24.36.1">spacewalk-koan-4.3.6-24.36.1 as a component of SUSE Manager Client Tools 12</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A user changing their email after signing up and verifying it can change it without verification in profile settings.

The configuration option "verify_email_enabled" will validate email only on sign up.

</Note>
    </Notes>
    <CVE>CVE-2023-6152</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Enterprise Server 12 SP5:golang-github-prometheus-node_exporter-1.7.0-1.30.2</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:golang-github-prometheus-node_exporter-1.7.0-1.30.2</ProductID>
        <ProductID>SUSE Manager Client Tools 12:golang-github-prometheus-alertmanager-0.26.0-1.27.2</ProductID>
        <ProductID>SUSE Manager Client Tools 12:golang-github-prometheus-node_exporter-1.7.0-1.30.2</ProductID>
        <ProductID>SUSE Manager Client Tools 12:golang-github-prometheus-promu-0.14.0-1.18.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:grafana-9.5.18-1.63.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:mgr-daemon-4.3.9-1.47.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.19-52.98.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.19-52.98.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.19-52.98.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:python2-spacewalk-koan-4.3.6-24.36.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:python2-uyuni-common-libs-4.3.10-1.39.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:spacecmd-4.3.27-38.139.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:spacewalk-check-4.3.19-52.98.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.19-52.98.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.19-52.98.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:spacewalk-koan-4.3.6-24.36.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2024/suse-su-20241508-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-6152.html</URL>
        <Description>CVE-2023-6152</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1219912</URL>
        <Description>SUSE Bug 1219912</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/&lt;key&gt; using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.

Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability.

This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.

</Note>
    </Notes>
    <CVE>CVE-2024-1313</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Enterprise Server 12 SP5:golang-github-prometheus-node_exporter-1.7.0-1.30.2</ProductID>
        <ProductID>SUSE Linux Enterprise Server for SAP Applications 12 SP5:golang-github-prometheus-node_exporter-1.7.0-1.30.2</ProductID>
        <ProductID>SUSE Manager Client Tools 12:golang-github-prometheus-alertmanager-0.26.0-1.27.2</ProductID>
        <ProductID>SUSE Manager Client Tools 12:golang-github-prometheus-node_exporter-1.7.0-1.30.2</ProductID>
        <ProductID>SUSE Manager Client Tools 12:golang-github-prometheus-promu-0.14.0-1.18.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:grafana-9.5.18-1.63.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:mgr-daemon-4.3.9-1.47.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.19-52.98.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.19-52.98.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.19-52.98.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:python2-spacewalk-koan-4.3.6-24.36.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:python2-uyuni-common-libs-4.3.10-1.39.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:spacecmd-4.3.27-38.139.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:spacewalk-check-4.3.19-52.98.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.19-52.98.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.19-52.98.1</ProductID>
        <ProductID>SUSE Manager Client Tools 12:spacewalk-koan-4.3.6-24.36.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2024/suse-su-20241508-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-1313.html</URL>
        <Description>CVE-2024-1313</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1222155</URL>
        <Description>SUSE Bug 1222155</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
