Description
Security update for SUSE Manager Client Tools
This update fixes the following issues:
golang-github-prometheus-node_exporter:
- Update to 1.7.0 (jsc#PED-7893, jsc#PED-7928):
- [FEATURE] Add ZFS freebsd per dataset stats #2753
- [FEATURE] Add cpu vulnerabilities reporting from sysfs #2721
- [ENHANCEMENT] Parallelize stat calls in Linux filesystem collector #1772
- [ENHANCEMENT] Add missing linkspeeds to ethtool collector #2711
- [ENHANCEMENT] Add CPU MHz as the value for node_cpu_info metric #2778
- [ENHANCEMENT] Improve qdisc collector performance #2779
- [ENHANCEMENT] Add include and exclude filter for hwmon collector #2699
- [ENHANCEMENT] Optionally fetch ARP stats via rtnetlink instead of procfs #2777
- [BUGFIX] Fix ZFS arcstats on FreeBSD 14.0+ #2754
- [BUGFIX] Fallback to 32-bit stats in netdev #2757
- [BUGFIX] Close btrfs.FS handle after use #2780
- [BUGFIX] Move RO status before error return #2807
- [BUGFIX] Fix promhttp_metric_handler_errors_total being always active #2808
- [BUGFIX] Fix nfsd v4 index miss #2824
- Update to 1.6.1: (no source code changes in this release)
- BuildRequire go1.20
- Update to 1.6.0:
- [CHANGE] Fix cpustat when some cpus are offline #2318
- [CHANGE] Remove metrics of offline CPUs in CPU collector #2605
- [CHANGE] Deprecate ntp collector #2603
- [CHANGE] Remove bcache cache_readaheads_totals metrics #2583
- [CHANGE] Deprecate supervisord collector #2685
- [FEATURE] Enable uname collector on NetBSD #2559
- [FEATURE] NetBSD support for the meminfo collector #2570
- [FEATURE] NetBSD support for CPU collector #2626
- [FEATURE] Add FreeBSD collector for netisr subsystem #2668
- [FEATURE] Add softirqs collector #2669
- [ENHANCEMENT] Add suspended as a node_zfs_zpool_state #2449
- [ENHANCEMENT] Add administrative state of Linux network interfaces #2515
- [ENHANCEMENT] Log current value of GOMAXPROCS #2537
- [ENHANCEMENT] Add profiler options for perf collector #2542
- [ENHANCEMENT] Allow root path as metrics path #2590
- [ENHANCEMENT] Add cpu frequency governor metrics #2569
- [ENHANCEMENT] Add new landing page #2622
- [ENHANCEMENT] Reduce privileges needed for btrfs device stats #2634
- [ENHANCEMENT] Add ZFS memory_available_bytes #2687
- [ENHANCEMENT] Use SCSI_IDENT_SERIAL as serial in diskstats #2612
- [ENHANCEMENT] Read missing from netlink netclass attributes from sysfs #2669
- [BUGFIX] perf: fixes for automatically detecting the correct tracefs mountpoints #2553
- [BUGFIX] Fix thermal_zone collector noise #2554
- [BUGFIX] Fix a problem fetching the user wire count on FreeBSD #2584
- [BUGFIX] interrupts: Fix fields on linux aarch64 #2631
- [BUGFIX] Remove metrics of offline CPUs in CPU collector #2605
- [BUGFIX] Fix OpenBSD filesystem collector string parsing #2637
- [BUGFIX] Fix bad reporting of node_cpu_seconds_total in OpenBSD #2663
- Change go_modules archive in _service to use obscpio file
grafana:
- Packaging improvements:
- Changed deprecated disabled service mode to manual
- Drop golang-packaging macros
- Drop explicit mod=vendor as it is enabled automatically
- Update to version 9.5.18:
- [SECURITY] CVE-2024-1313: Require same organisation when deleting snapshots (bsc#1222155)
- Update to version 9.5.17:
- [FEATURE] Alerting: Backport use Alertmanager API v2
- Require Go 1.20
- Update to version 9.5.16:
- [SECURITY] CVE-2023-6152: Add email verification when updating user email (bsc#1219912)
- [BUGFIX] Annotations: Split cleanup into separate queries and deletes to avoid deadlocks on MySQL
- Update to version 9.5.15:
- [FEATURE] Alerting: Attempt to retry retryable errors
- Update to version 9.5.14:
- [BUGFIX] Alerting: Fix state manager to not keep datasource_uid and ref_id labels in state after Error
- [BUGFIX] Transformations: Config overrides being lost when config from query transform is applied
- [BUGFIX] LDAP: Fix enable users on successful login
- Update to version 9.5.13:
- [BUGFIX] BrowseDashboards: Only remember the most recent expanded folder
- [BUGFIX] Licensing: Pass func to update env variables when starting plugin
- Update to version 9.5.12:
- [FEATURE] Azure: Add support for Workload Identity authentication
- Update to version 9.5.9:
- [FEATURE] SSE: Fix DSNode to not panic when response has empty response
- [FEATURE] Prometheus: Handle the response with different field key order
- [BUGFIX] LDAP: Fix user disabling
mgr-daemon:
- Version 4.3.9-0
- Update translation strings
spacecmd:
- Version 4.3.27-0
- Update translation strings
spacewalk-client-tools:
- Version 4.3.19-0
- Update translation strings
spacewalk-koan:
- Version 4.3.6-0
- Change Docker image location for test
uyuni-common-libs:
- Version 4.3.10-0
- Add support for package signature type V4 RSA/SHA384
- Add support for package signature type V4 RSA/SHA512 (bsc#1221465)
Package list
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP5
SUSE Manager Client Tools 12
References
- Link for SUSE-SU-2024:1508-1
- E-Mail link for SUSE-SU-2024:1508-1
- SUSE Security Ratings
- SUSE Bug 1219912
- SUSE Bug 1221465
- SUSE Bug 1222155
- SUSE CVE CVE-2023-6152 page
- SUSE CVE CVE-2024-1313 page
Description
A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" only validates the email on sign up.
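The following is an added illustration of the control that this issue describes as missing: with verification enabled, an address change made from profile settings is parked under a token mailed to the new address and only applied once that token comes back. It is example code, not Grafana's; the Service, User and Outbox names, the token format and the in-memory store are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed illustration (not Grafana's code): with verify_email_enabled
// on, an address change from profile settings must be confirmed through a
// token sent to the new address before it replaces the active one.

var (
	ErrUnknownUser = errors.New("unknown user")
	ErrBadToken    = errors.New("invalid, expired or already used verification token")
)

// User holds only what the example needs; the field names are assumptions.
type User struct {
	ID    int
	Email string // the active, verified address
}

// pendingChange is an address awaiting confirmation; it never touches User.Email.
type pendingChange struct {
	userID   int
	newEmail string
}

type Service struct {
	VerifyEmailEnabled bool                     // stands in for verify_email_enabled
	users              map[int]*User
	pending            map[string]pendingChange // verification token -> parked change
	Outbox             []string                 // constructed mail log, "address:token"
}

func NewService(verify bool) *Service {
	return &Service{
		VerifyEmailEnabled: verify,
		users:              map[int]*User{},
		pending:            map[string]pendingChange{},
	}
}

func (s *Service) AddUser(id int, email string) { s.users[id] = &User{ID: id, Email: email} }

// Email returns the active address, or "" for an unknown user.
func (s *Service) Email(id int) string {
	if u, ok := s.users[id]; ok {
		return u.Email
	}
	return ""
}

// newToken draws 128 random bits; a guessable token would defeat the check.
func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// RequestEmailChange is the profile-settings path. With verification enabled
// the active address is left alone and the change is parked under a fresh
// token that is mailed to the new address. The token is returned here only so
// the example can drive ConfirmEmailChange; a real service would hand it to
// the mailer and nothing else.
func (s *Service) RequestEmailChange(userID int, newEmail string) (string, error) {
	u, ok := s.users[userID]
	if !ok {
		return "", ErrUnknownUser
	}
	if !s.VerifyEmailEnabled {
		u.Email = newEmail // verification disabled by configuration: apply directly
		return "", nil
	}
	tok := newToken()
	s.pending[tok] = pendingChange{userID: userID, newEmail: newEmail}
	s.Outbox = append(s.Outbox, fmt.Sprintf("%s:%s", newEmail, tok))
	return tok, nil
}

// ConfirmEmailChange applies a parked change once its token comes back from
// the new address. Tokens are single-use, so a replayed link does nothing.
func (s *Service) ConfirmEmailChange(token string) error {
	p, ok := s.pending[token]
	if !ok {
		return ErrBadToken
	}
	delete(s.pending, token)
	u, ok := s.users[p.userID]
	if !ok {
		return ErrUnknownUser
	}
	u.Email = p.newEmail
	return nil
}

func main() {
	s := NewService(true)
	s.AddUser(1, "alice@example.test") // constructed sample user
	tok, _ := s.RequestEmailChange(1, "alice.new@example.test")
	fmt.Println("before confirmation:", s.Email(1))
	_ = s.ConfirmEmailChange(tok)
	fmt.Println("after confirmation: ", s.Email(1))
}
```

The point the test exercises is that the active address is unchanged until the token sent to the new address is presented, that a wrong or replayed token is rejected, and that the direct update only happens when verification is switched off in configuration.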
Affected products
References
- CVE-2023-6152
- SUSE Bug 1219912
Description
It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.
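As an added illustration of the authorization bug class described above, the following example places a delete handler that authorizes on key lookup alone beside one that scopes the lookup to the requester's organisation and then checks write permission. It is example code, not Grafana's; the Snapshot, Requester and Store types, the CanWrite permission and the choice to answer a cross-organisation key exactly like a missing one are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed illustration (not Grafana's code) of the flaw class behind
// CVE-2024-1313: a DELETE on /api/snapshots/<key> that is authorized by key
// lookup alone lets a user in another organisation delete the snapshot.
// Types, names and the permission model are assumptions for this example.

var (
	ErrNotFound  = errors.New("snapshot not found")
	ErrForbidden = errors.New("no write permission on snapshot")
)

type Snapshot struct {
	Key     string // the view key used in the URL
	OrgID   int64  // organisation that owns the snapshot
	OwnerID int64  // user who created it
}

// Requester is what the authenticated session tells us about the caller.
type Requester struct {
	UserID   int64
	OrgID    int64 // organisation the request is issued in
	CanWrite bool  // org-level permission to edit any snapshot in that org (assumed model)
}

type Store struct{ snaps map[string]*Snapshot }

func NewStore(ss ...*Snapshot) *Store {
	st := &Store{snaps: map[string]*Snapshot{}}
	for _, s := range ss {
		st.snaps[s.Key] = s
	}
	return st
}

func (st *Store) Exists(key string) bool { _, ok := st.snaps[key]; return ok }

// DeleteVulnerable models the flawed path: resolving the key is treated as
// authorization, so the requester's organisation is never compared.
func (st *Store) DeleteVulnerable(r Requester, key string) error {
	if _, ok := st.snaps[key]; !ok {
		return ErrNotFound
	}
	delete(st.snaps, key)
	return nil
}

// DeleteFixed scopes the lookup to the requester's organisation and then
// requires write permission (owner or org-level write). A key belonging to
// another org is answered exactly like a missing key, so the endpoint does
// not confirm that a key exists elsewhere either.
func (st *Store) DeleteFixed(r Requester, key string) error {
	snap, ok := st.snaps[key]
	if !ok || snap.OrgID != r.OrgID {
		return ErrNotFound
	}
	if snap.OwnerID != r.UserID && !r.CanWrite {
		return ErrForbidden
	}
	delete(st.snaps, key)
	return nil
}

func main() {
	// Constructed sample: snapshot k1 belongs to org 1; the caller is in org 2.
	outsider := Requester{UserID: 99, OrgID: 2}
	st := NewStore(&Snapshot{Key: "k1", OrgID: 1, OwnerID: 10})
	fmt.Println("vulnerable:", st.DeleteVulnerable(outsider, "k1"), "still exists:", st.Exists("k1"))
	st = NewStore(&Snapshot{Key: "k1", OrgID: 1, OwnerID: 10})
	fmt.Println("fixed:     ", st.DeleteFixed(outsider, "k1"), "still exists:", st.Exists("k1"))
}
```

The check that matters is the organisation comparison before any permission logic runs: once the lookup is scoped to the caller's org, the owner/write test only ever sees snapshots the caller could legitimately reach. Returning ErrNotFound rather than ErrForbidden for the cross-org case is a design choice of this example, made so the response does not distinguish "exists in another org" from "does not exist".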
Affected products
References
- CVE-2024-1313
- SUSE Bug 1222155