Description
Security update for SUSE Manager Client Tools
This update fixes the following issues:
golang-github-lusitaniae-apache_exporter:
- Do not strip if SUSE Linux Enterprise 15 SP3
- Exclude debug for Red Hat Enterprise Linux >= 8
- Build with Go >= 1.20 when the OS is not Red Hat Enterprise Linux
mgr-daemon:
- Version 4.3.8-1
- Update translation strings
prometheus-postgres_exporter:
- Remove duplicated call to systemd requirements
- Do not build debug if Red Hat Enterprise Linux >= 8
- Do not strip if SUSE Linux Enterprise 15 SP3
- Build with Go >= 1.18 at least on Red Hat Enterprise Linux
- Build with Go >= 1.20 elsewhere
spacecmd:
- Version 4.3.26-1
- Update translation strings
spacewalk-client-tools:
- Version 4.3.18-1
- Update translation strings
uyuni-proxy-systemd-services:
- Version 4.3.10-1
- Update the image version
- Version 4.3.9-1
- Integrate the containerized proxy into the usual rel-eng workflow
Package list
Container suse/manager/5.0/x86_64/server:latest
Image server-image
SUSE Manager Client Tools 15
SUSE Manager Client Tools for SLE Micro 5
SUSE Manager Proxy Module 4.3
SUSE Manager Server Module 4.3
openSUSE Leap 15.5
References
- Link for SUSE-SU-2024:0487-1
- E-Mail link for SUSE-SU-2024:0487-1
- SUSE Security Ratings
- SUSE Bug 1192154
- SUSE Bug 1192696
- SUSE Bug 1193492
- SUSE Bug 1193686
- SUSE Bug 1200480
- SUSE Bug 1204023
- SUSE Bug 1218843
- SUSE Bug 1218844
- SUSE CVE CVE-2020-7753 page
- SUSE CVE CVE-2021-3807 page
- SUSE CVE CVE-2021-3918 page
- SUSE CVE CVE-2021-43138 page
- SUSE CVE CVE-2021-43798 page
- SUSE CVE CVE-2021-43815 page
- SUSE CVE CVE-2022-0155 page
- SUSE CVE CVE-2022-41715 page
Description
All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
Affected products
References
- CVE-2020-7753
- SUSE Bug 1218843
Description
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Affected products
References
- CVE-2021-3807
- SUSE Bug 1192154
Description
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Affected products
References
- CVE-2021-3918
- SUSE Bug 1192696
Description
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Affected products
References
- CVE-2021-43138
- SUSE Bug 1200480
Description
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) is vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
Affected products
References
- CVE-2021-43798
- SUSE Bug 1193492
Description
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows authenticated users access to files with the extension .csv. Grafana Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will also have to be able to handle URL-encoded paths.
Affected products
References
- CVE-2021-43815
- SUSE Bug 1193686
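Both Grafana entries above (CVE-2021-43798 under `/public/plugins/` and CVE-2021-43815) are path traversal issues, and the workaround named for the second one is a reverse proxy that normalizes the request path and also copes with URL-encoded paths. The following Go program is an added example of such a proxy, written for this page and not taken from Grafana or SUSE: it percent-decodes the raw path once, refuses any `..` segment, backslash or leftover `%` (a sign of double encoding) as a traversal attempt, collapses the rest with `path.Clean`, and forwards only the normalized path to the upstream. The upstream address `127.0.0.1:3000`, the listen address and the plugin prefix constant are assumptions for the example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// pluginPrefix is the URL prefix named in CVE-2021-43798; kept here only so
// the demonstration in main can show requests under it.
const pluginPrefix = "/public/plugins/"

// normalizeRequestPath decodes rawPath exactly once, so that %2e%2e and %2f are
// seen as "." and "/", rejects anything that still looks like a traversal, and
// returns the cleaned path. ok is false when the request must be refused.
func normalizeRequestPath(rawPath string) (cleaned string, ok bool) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", false // malformed percent-encoding: refuse rather than guess
	}
	// A '%' surviving one round of decoding means the client double-encoded
	// the path; the backend might decode it again, so do not forward it.
	if strings.Contains(decoded, "%") {
		return "", false
	}
	for _, seg := range strings.Split(decoded, "/") {
		// ".." escapes a directory; "\" is treated as a separator by some
		// file APIs but not by path.Clean, so neither is allowed through.
		if seg == ".." || strings.Contains(seg, `\`) {
			return "", false
		}
	}
	// path.Clean collapses "." segments and duplicate slashes; the leading "/"
	// guarantees an absolute, rooted result.
	return path.Clean("/" + decoded), true
}

// pathNormalizingProxy wraps a single-host reverse proxy so that every request
// reaches the upstream with the normalized path, and traversal attempts are
// answered with 400 instead of being forwarded.
func pathNormalizingProxy(upstream *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// EscapedPath returns the path as the client sent it, encoding intact.
		cleaned, ok := normalizeRequestPath(r.URL.EscapedPath())
		if !ok {
			http.Error(w, "bad request path", http.StatusBadRequest)
			return
		}
		r.URL.Path = cleaned
		r.URL.RawPath = "" // let net/http re-encode from the cleaned Path
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample requests: one legitimate plugin asset, one traversal.
	for _, p := range []string{
		pluginPrefix + "example/img/logo.svg",
		pluginPrefix + "example/..%2f..%2f..%2fetc%2fpasswd",
	} {
		cleaned, ok := normalizeRequestPath(p)
		fmt.Printf("%-55s ok=%-5v %s\n", p, ok, cleaned)
	}
	upstream, err := url.Parse("http://127.0.0.1:3000") // assumed Grafana address
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", pathNormalizingProxy(upstream)))
}
```

The proxy decodes only once on purpose: decoding in a loop until the path stops changing would make the proxy and the backend disagree about what a literal `%` means, which is exactly the class of mismatch a normalizing proxy is meant to remove. Rejecting double-encoded paths outright is the conservative choice for a plugin asset tree, where real file names never contain `%`.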
Description
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Affected products
References
- CVE-2022-0155
- SUSE Bug 1218844
Description
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
Affected products
References
- CVE-2022-41715
- SUSE Bug 1204023
- SUSE Bug 1208441
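The CVE-2022-41715 entry above describes the fix inside Go's `regexp/syntax` parser: oversized patterns are now rejected at compile time rather than consuming hundreds of megabytes. The program below is an added example written for this page, not code from the Go project or from the packages in this update. It shows how a program that accepts patterns from untrusted callers should be written so that the parser's rejection is handled as an error: a length cap is applied before the pattern is parsed, `regexp.Compile` is used instead of the panicking `regexp.MustCompile`, and the input being matched is bounded too. The two limits and the sample patterns are assumptions made for the example; the 256 MB footprint limit itself lives in the toolchain and applies only when building with a Go version that contains the fix.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Assumed operational limits for patterns and inputs that arrive from
// untrusted callers; tune them to the service.
const (
	maxPatternLen = 512
	maxInputLen   = 64 * 1024
)

var (
	ErrPatternTooLong = errors.New("regexp: pattern exceeds length limit")
	ErrInputTooLong   = errors.New("regexp: input exceeds length limit")
)

// CompileUntrusted compiles a caller-supplied pattern. The length cap keeps
// absurdly long patterns away from the parser entirely; regexp.Compile (never
// MustCompile, which panics) then surfaces the parser's own rejections, such as
// repeat counts above 1000, nested repetitions whose product exceeds 1000, and,
// on a toolchain with the CVE-2022-41715 fix, patterns whose compiled form
// would exceed the 256 MB footprint limit.
func CompileUntrusted(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxPatternLen {
		return nil, ErrPatternTooLong
	}
	return regexp.Compile(pattern)
}

// MatchUntrusted bounds the subject size as well. Go's RE2-style engine runs in
// time linear in the input, so this is a memory and latency bound rather than
// a ReDoS guard; ReDoS is not possible with Go's regexp engine.
func MatchUntrusted(re *regexp.Regexp, input string) (bool, error) {
	if len(input) > maxInputLen {
		return false, ErrInputTooLong
	}
	return re.MatchString(input), nil
}

func main() {
	// Constructed sample patterns: two benign, two that the parser rejects.
	for _, p := range []string{
		`^[a-z]+@example\.com$`,
		`a{1000}`,       // at the per-repeat ceiling, still accepted
		`a{1001}`,       // repeat count over 1000: rejected
		`(a{100}){100}`, // nested repetition, 10,000 copies: rejected
	} {
		if _, err := CompileUntrusted(p); err != nil {
			fmt.Printf("%-24s rejected: %v\n", p, err)
		} else {
			fmt.Printf("%-24s accepted\n", p)
		}
	}
}
```

The point of the wrapper is not the cap values but the control flow: with `MustCompile` a rejected pattern takes the whole process down, which turns the parser's new protection into a one-request denial of service; with `Compile` the caller receives an error and the service keeps running.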