Security update for SUSE Manager Client Tools SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:4010-1 Final 1 1 2024-11-18T13:22:17Z current 2024-11-18T13:22:17Z 2024-11-18T13:22:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SUSE Manager Client Tools This update fixes the following issues: golang-github-lusitaniae-apache_exporter: - Security issues fixed: * CVE-2023-3978: Fixed security bug in x/net dependency (bsc#1213933) - Other changes and issues fixed: * Delete unpackaged debug files for RHEL * Do not include source files in the package for RHEL 9 * Require Go 1.20 when building for RedHat derivatives * Drop EnvironmentFile from the service definition * Explicitly unset $ARGS environment variable. Setting environment variables should be done in drop-in systemd configuration files. * Drop go_nostrip macro. It is not needed with current binutils and Go. * Migrate from `disabled` to `manual` source service type * Drop BuildRequires: golang-packaging * Upgrade to version 1.0.8 (bsc#1227341) + Update prometheus/client_golang to version 1.19.1 + Update x/net to version 0.23.0 * Upgrade to version 1.0.7 + Update protobuf to version 1.33.0 + Update prometheus/client_golang to version 1.19.0 + Update prometheus/common to version 0.46.0 + Standardize landing page * Upgrade to version 1.0.6 + Update prometheus/exporter-toolkit to version 0.11.0 + Update prometheus/client_golang to version 1.18.0 + Add User-Agent header * Upgrade to version 1.0.4 + Update x/crypto to version 0.17.0 + Update alecthomas/kingpin/v2 to version 2.4.0 + Update prometheus/common to version 0.45.0 * Upgrade to version 1.0.3 + Update prometheus/client_golang to version 1.17.0 + Update x/net 0.17.0 * Upgrade to version 1.0.1 + Update prometheus/exporter-toolkit to version 0.10.0 + Update prometheus/common to version 0.44.0 + Update prometheus/client_golang to version 1.16.0 golang-github-prometheus-promu: - Require Go >= 1.21 for building - Packaging improvements: * Drop export CGO_ENABLED='0'. Use the default unless there is a defined requirement or benefit (bsc#1230623). - Update to version 0.16.0: * Do not discover user/host for reproducible builds * Fix example/prometheus build error - Update to version 0.15.0: * Add linux/riscv64 to default platforms * Use yaml.Unmarshalstrict to validate configuration files spacecmd: - Version 5.0.10-0 * Speed up softwarechannel_removepackages (bsc#1227606) * Fix error in 'kickstart_delete' when using wildcards (bsc#1227578) * Spacecmd bootstrap now works with specified port (bsc#1229437) * Fix sls backup creation as directory with spacecmd (bsc#1230745) uyuni-common-libs: - Version 5.0.5-0 * Enforce directory permissions at repo-sync when creating directories (bsc#1229260) uyuni-tools: - Version 0.1.23-0 * Ensure namespace is defined in all kubernetes commands * Use SCC credentials to authenticate against registry.suse.com for kubernetes (bsc#1231157) * Fix namespace usage on mgrctl cp command - Version 0.1.22-0 * Set projectId also for test packages/images * mgradm migration should not pull Confidential Computing and Hub image is replicas == 0 (bsc#1229432, bsc#1230136) * Do not allow SUSE Manager downgrade * Prevent completion issue when /var/log/uyuni-tools.log is missing * Fix proxy shared volume flag * During migration, exclude mgr-sync configuration file (bsc#1228685) * Migrate from PostgreSQL 14 to PostgreSQL 16 pg_hba.conf and postgresql.conf files (bsc#1231206) * During migration, handle empty autoinstallation path (bsc#1230285) * During migration, handle symlinks (bsc#1230288) * During migration, trust the remote sender's file list (bsc#1228424) * Use SCC flags during podman pull * Restore SELinux permission after migration (bsc#1229501) * Share volumes between containers (bsc#1223142) * Save supportconfig in current directory (bsc#1226759) * Fix error code handling on reinstallation (bsc#1230139) * Fix creating first user and organization * Add missing variable quotes for install vars (bsc#1229108) * Add API login and logout calls to allow persistent login Changes that only impact SUSE Manager 4.3: mgr-daemon: - Version 4.3.11-0 * Update translation strings spacewalk-client-tools: - Version 4.3.21-0 * Update translation strings The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-4010,SUSE-SLE-Manager-Tools-12-2024-4010 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20244010-1/ Link for SUSE-SU-2024:4010-1 https://lists.suse.com/pipermail/sle-security-updates/2024-November/019834.html E-Mail link for SUSE-SU-2024:4010-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1213933 SUSE Bug 1213933 https://bugzilla.suse.com/1223142 SUSE Bug 1223142 https://bugzilla.suse.com/1226759 SUSE Bug 1226759 https://bugzilla.suse.com/1227341 SUSE Bug 1227341 https://bugzilla.suse.com/1227578 SUSE Bug 1227578 https://bugzilla.suse.com/1227606 SUSE Bug 1227606 https://bugzilla.suse.com/1228424 SUSE Bug 1228424 https://bugzilla.suse.com/1228685 SUSE Bug 1228685 https://bugzilla.suse.com/1229108 SUSE Bug 1229108 https://bugzilla.suse.com/1229260 SUSE Bug 1229260 https://bugzilla.suse.com/1229432 SUSE Bug 1229432 https://bugzilla.suse.com/1229437 SUSE Bug 1229437 https://bugzilla.suse.com/1229501 SUSE Bug 1229501 https://bugzilla.suse.com/1230136 SUSE Bug 1230136 https://bugzilla.suse.com/1230139 SUSE Bug 1230139 https://bugzilla.suse.com/1230285 SUSE Bug 1230285 https://bugzilla.suse.com/1230288 SUSE Bug 1230288 https://bugzilla.suse.com/1230623 SUSE Bug 1230623 https://bugzilla.suse.com/1230745 SUSE Bug 1230745 https://bugzilla.suse.com/1231157 SUSE Bug 1231157 https://bugzilla.suse.com/1231206 SUSE Bug 1231206 https://www.suse.com/security/cve/CVE-2023-3978/ SUSE CVE CVE-2023-3978 page SUSE Manager Client Tools 12 golang-github-lusitaniae-apache_exporter-1.0.8-1.24.3 golang-github-prometheus-promu-0.16.0-1.21.3 mgr-daemon-4.3.11-1.53.2 mgrctl-0.1.23-1.13.2 mgrctl-bash-completion-0.1.23-1.13.2 mgrctl-lang-0.1.23-1.13.2 mgrctl-zsh-completion-0.1.23-1.13.2 python2-spacewalk-check-4.3.21-52.104.2 python2-spacewalk-client-setup-4.3.21-52.104.2 python2-spacewalk-client-tools-4.3.21-52.104.2 python2-uyuni-common-libs-5.0.5-1.45.2 spacecmd-5.0.10-38.150.2 spacewalk-check-4.3.21-52.104.2 spacewalk-client-setup-4.3.21-52.104.2 spacewalk-client-tools-4.3.21-52.104.2 wire-0.6.0-1.15.3 golang-github-lusitaniae-apache_exporter-1.0.8-1.24.3 as a component of SUSE Manager Client Tools 12 golang-github-prometheus-promu-0.16.0-1.21.3 as a component of SUSE Manager Client Tools 12 mgr-daemon-4.3.11-1.53.2 as a component of SUSE Manager Client Tools 12 mgrctl-0.1.23-1.13.2 as a component of SUSE Manager Client Tools 12 mgrctl-bash-completion-0.1.23-1.13.2 as a component of SUSE Manager Client Tools 12 mgrctl-zsh-completion-0.1.23-1.13.2 as a component of SUSE Manager Client Tools 12 python2-spacewalk-check-4.3.21-52.104.2 as a component of SUSE Manager Client Tools 12 python2-spacewalk-client-setup-4.3.21-52.104.2 as a component of SUSE Manager Client Tools 12 python2-spacewalk-client-tools-4.3.21-52.104.2 as a component of SUSE Manager Client Tools 12 python2-uyuni-common-libs-5.0.5-1.45.2 as a component of SUSE Manager Client Tools 12 spacecmd-5.0.10-38.150.2 as a component of SUSE Manager Client Tools 12 spacewalk-check-4.3.21-52.104.2 as a component of SUSE Manager Client Tools 12 spacewalk-client-setup-4.3.21-52.104.2 as a component of SUSE Manager Client Tools 12 spacewalk-client-tools-4.3.21-52.104.2 as a component of SUSE Manager Client Tools 12 Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. CVE-2023-3978 SUSE Manager Client Tools 12:golang-github-lusitaniae-apache_exporter-1.0.8-1.24.3 SUSE Manager Client Tools 12:golang-github-prometheus-promu-0.16.0-1.21.3 SUSE Manager Client Tools 12:mgr-daemon-4.3.11-1.53.2 SUSE Manager Client Tools 12:mgrctl-0.1.23-1.13.2 SUSE Manager Client Tools 12:mgrctl-bash-completion-0.1.23-1.13.2 SUSE Manager Client Tools 12:mgrctl-zsh-completion-0.1.23-1.13.2 SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.21-52.104.2 SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.21-52.104.2 SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.21-52.104.2 SUSE Manager Client Tools 12:python2-uyuni-common-libs-5.0.5-1.45.2 SUSE Manager Client Tools 12:spacecmd-5.0.10-38.150.2 SUSE Manager Client Tools 12:spacewalk-check-4.3.21-52.104.2 SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.21-52.104.2 SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.21-52.104.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20244010-1/ https://www.suse.com/security/cve/CVE-2023-3978.html CVE-2023-3978 https://bugzilla.suse.com/1213933 SUSE Bug 1213933