Description
Security update for SUSE Manager Client Tools
This update fixes the following issues:
golang-github-lusitaniae-apache_exporter:
- Update to upstream release 0.11.0 (jsc#SLE-24791)
  - Add TLS support
  - Switch to logger, please check --log.level and --log.format flags
- Update to version 0.10.1
  - Bugfix: Reset ProxyBalancer metrics on each scrape to remove stale data
- Update to version 0.10.0
  - Add Apache Proxy and other metrics
- Update to version 0.8.0
  - Change commandline flags
  - Add metrics: Apache version, request duration total
- Adapted to build on Enterprise Linux 8
- Require building with Go 1.15
- Add %license macro for LICENSE file
golang-github-prometheus-alertmanager:
- Do not include sources (bsc#1200725)
golang-github-prometheus-node_exporter:
- CVE-2022-21698: Denial of service using InstrumentHandlerCounter. (bsc#1196338, jsc#SLE-24243, jsc#SUMA-114)
grafana:
- Update to version 8.3.10
  - Security:
    - CVE-2022-31097: Cross Site Scripting vulnerability in the Unified Alerting (bsc#1201535)
    - CVE-2022-31107: OAuth account takeover vulnerability (bsc#1201539)
- Update to version 8.3.9
  - Bug fixes:
    - Geomap: Display legend
    - Prometheus: Fix timestamp truncation
- Update to version 8.3.7
  - Bug fix:
    - Provisioning: Ensure that the default value for orgID is set when provisioning datasources to be deleted.
- Update to version 8.3.6
  - Features and enhancements:
    - Cloud Monitoring: Reduce request size when listing labels.
    - Explore: Show scalar data result in a table instead of graph.
    - Snapshots: Updates the default external snapshot server URL.
    - Table: Makes footer not overlap table content.
    - Tempo: Add request histogram to service graph datalink.
    - Tempo: Add time range to tempo search query behind a feature flag.
    - Tempo: Auto-clear results when changing query type.
    - Tempo: Display start time in search results as relative time.
    - CloudMonitoring: Fix resource labels in query editor.
    - Cursor sync: Apply the settings without saving the dashboard.
    - LibraryPanels: Fix for Error while cleaning library panels.
    - Logs Panel: Fix timestamp parsing for string dates without timezone.
    - Prometheus: Fix some of the alerting queries that use reduce/math operation.
    - TablePanel: Fix ad-hoc variables not working on default datasources.
    - Text Panel: Fix alignment of elements.
    - Variables: Fix for constant variables in self referencing links.
- Update to version 8.3.5 (jsc#SLE-23439, jsc#SLE-23422, jsc#SLE-24565)
kiwi-desc-saltboot:
- Update to version 0.1.1661440542.6cbe0da
  - Use standard susemanager.conf
  - Use salt bundle
  - Add support for VirtIO disks
mgr-daemon:
- Version 4.3.6-1
  - Update translation strings
spacecmd:
- Version 4.3.15-1
  - Process date values in spacecmd api calls (bsc#1198903)
spacewalk-client-tools:
- Version 4.3.12-1
  - Update translation strings
uyuni-common-libs:
- Version 4.3.6-1
  - fileutils: Do not allow creating a path when the requested user or group does not exist.
Package list
SUSE Linux Enterprise Server 12 SP3-BCL
SUSE Linux Enterprise Server 12 SP4-LTSS
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP4
SUSE Linux Enterprise Server for SAP Applications 12 SP5
SUSE Manager Client Tools 12
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 9
References
- Link for SUSE-SU-2022:3747-1
- SUSE Security Ratings
- SUSE Bug 1196338
- SUSE Bug 1198903
- SUSE Bug 1200725
- SUSE Bug 1201535
- SUSE Bug 1201539
- SUSE CVE CVE-2022-21698 page
- SUSE CVE CVE-2022-31097 page
- SUSE CVE CVE-2022-31107 page
Description
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before the middleware; pass a metric with a `method` label name to the middleware; and not have any firewall/LB/proxy that filters away requests with an unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from the counter/gauge used in the InstrumentHandler; turning off the affected promhttp handlers; adding custom middleware before the promhttp handler that sanitizes the request method given by Go's http.Request; and using a reverse proxy or web application firewall configured to only allow a limited set of methods.
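The "sanitizing middleware" workaround from the description, as an added example written for this page (it is not SUSE's or the Prometheus project's code). To stay standard-library only, `MethodCounter` is an assumed stand-in for a `promhttp.InstrumentHandlerCounter` wrapping a `CounterVec` with a `method` label: one map key per distinct label value, which is the time-series set that grows without bound in the unpatched library. `SanitizeMethod`, `MethodSanitizer` and `ServeMethods` are names chosen here; the request methods fed in by `main` are constructed sample input.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Standard HTTP methods; anything else is collapsed to "unknown", so a
// "method" label can never hold more than ten distinct values.
var standardMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodConnect: true, http.MethodOptions: true, http.MethodTrace: true,
}

// SanitizeMethod returns m unchanged if it is a standard method, else "unknown".
func SanitizeMethod(m string) string {
	if standardMethods[m] {
		return m
	}
	return "unknown"
}

// MethodSanitizer is the custom middleware placed in front of the
// instrumented handler. It hands downstream a cloned request whose Method
// is label-safe, so the instrumentation never sees an attacker-chosen value.
func MethodSanitizer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		safe := r.Clone(r.Context())
		safe.Method = SanitizeMethod(r.Method)
		next.ServeHTTP(w, safe)
	})
}

// MethodCounter (assumed stand-in, not promhttp) records one entry per
// distinct value of the "method" label, mirroring a CounterVec's series set.
type MethodCounter struct {
	mu     sync.Mutex
	counts map[string]int
}

func NewMethodCounter() *MethodCounter { return &MethodCounter{counts: map[string]int{}} }

// Instrument plays the role of promhttp.InstrumentHandlerCounter: it reads
// r.Method as the label value and increments the matching series.
func (c *MethodCounter) Instrument(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.mu.Lock()
		c.counts[r.Method]++
		c.mu.Unlock()
		next.ServeHTTP(w, r)
	})
}

// Series reports how many distinct "method" label values exist.
func (c *MethodCounter) Series() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.counts)
}

// ServeMethods sends one in-process request per method name through the
// chain and returns the resulting series count. sanitize=false is the
// affected configuration from the advisory; sanitize=true adds the workaround.
func ServeMethods(sanitize bool, methods []string) int {
	counter := NewMethodCounter()
	var h http.Handler = counter.Instrument(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	if sanitize {
		h = MethodSanitizer(h)
	}
	for _, m := range methods {
		h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(m, "/", nil))
	}
	return counter.Series()
}

func main() {
	// Constructed sample: two standard methods plus three made-up ones.
	methods := []string{"GET", "POST", "GET", "BOGUS1", "BOGUS2", "BOGUS3"}
	fmt.Println("series without sanitizer:", ServeMethods(false, methods)) // 5
	fmt.Println("series with sanitizer:   ", ServeMethods(true, methods))  // 3
}
```

The sanitizer must be the outermost wrapper, ahead of any `InstrumentHandler*` layer, because the counter reads `r.Method` on its way in; placing it inside the instrumentation would leave the label unchanged. A reverse proxy or WAF method allow-list, the other workaround the description names, achieves the same bound before the request reaches the process.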
Affected products
References
- CVE-2022-21698
- SUSE Bug 1196338
Description
Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.
Affected products
References
- CVE-2022-31097
- SUSE Bug 1201535
Description
Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.
Affected products
References
- CVE-2022-31107
- SUSE Bug 1201539