Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.6519
Security update for SUSE Manager Client Tools
15 December 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: SUSE Manager Client Tools
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2022-36062 CVE-2022-35957 CVE-2022-31107
CVE-2022-31097 CVE-2022-29170 CVE-2021-43815
CVE-2021-43813 CVE-2021-43798 CVE-2021-41244
CVE-2021-41174 CVE-2021-36222 CVE-2021-3711
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20224439-1
Comment: CVSS (Max): 9.8 CVE-2021-3711 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:4439-1
Rating: moderate
References: #1188571 #1189520 #1192383 #1192763 #1193492 #1193686
#1199810 #1201535 #1201539 #1202945 #1203283 #1203596
#1203597 #1203599
Cross-References: CVE-2021-36222 CVE-2021-3711 CVE-2021-41174 CVE-2021-41244
CVE-2021-43798 CVE-2021-43813 CVE-2021-43815 CVE-2022-29170
CVE-2022-31097 CVE-2022-31107 CVE-2022-35957 CVE-2022-36062
Affected Products:
SUSE Manager Tools 12
______________________________________________________________________________
An update that solves 12 vulnerabilities, contains one feature and has two
fixes is now available.
Description:
This update fixes the following issues:
golang-github-boynux-squid_exporter:
o Exclude s390 architecture
o Enhanced to build on Enterprise Linux 8
grafana:
o Version update from 8.3.10 to 8.5.13 (jsc#PED-2145)
o Security fixes: * CVE-2022-36062: (bsc#1203596) * CVE-2022-35957: (bsc#
1203597) * CVE-2022-31107: (bsc#1201539) * CVE-2022-31097: (bsc#1201535) *
CVE-2022-29170: (bsc#1199810) * CVE-2021-43813, CVE-2021-43815: (bsc#
1193686) * CVE-2021-43798: (bsc#1193492) * CVE-2021-41244: (bsc#1192763) *
CVE-2021-41174: (bsc#1192383) * CVE-2021-3711: (bsc#1189520) *
CVE-2021-36222: (bsc#1188571)
o Features and enhancements: * AccessControl: Disable user remove and user
update roles when they do not have the permissions * AccessControl:
Provisioning for teams * Alerting: Add custom grouping to Alert Panel *
Alerting: Add safeguard for migrations that might cause dataloss *
Alerting: AlertingProxy to elevate permissions for request forwarded to
data proxy when RBAC enabled * Alerting: Grafana uses > instead of >= when
checking the For duration * Alerting: Move slow queries in the scheduler to
another goroutine * Alerting: Remove disabled flag for data source when
migrating alerts * Alerting: Show notification tab of legacy alerting only
to editor * Alerting: Update migration to migrate only alerts that belon to
existing org\dashboard * Alerting: Use expanded labels in dashboard
annotations * Alerting: Use time.Ticker instead of alerting.Ticker in
ngalert * Analytics: Add user id tracking to google analytics * Angular:
Add AngularJS plugin support deprecation plan to docs site * API: Add usage
stats preview endpoint * API: Extract OpenAPI specification from source
code using go-swagger * Auth: implement auto_sign_up for auth.jwt * Azure
monitor Logs: Optimize data fetching in resource picker * Azure Monitor
Logs: Order subscriptions in resource picker by name * Azure Monitor:
Include datasource ref when interpolating variables. * AzureMonitor: Add
support for not equals and startsWith operators when creating Azure Metrics
dimension filters. * AzureMonitor: Do not quote variables when a custom
"All" variable option is used * AzureMonitor: Filter list of resources by
resourceType * AzureMonitor: Update allowed namespaces * BarChart: color by
field, x time field, bar radius, label skipping * Chore: Implement
OpenTelemetry in Grafana * Cloud Monitoring: Adds metric type to Metric
drop down options * CloudMonitor: Correctly encode default project response
* CloudWatch: Add all ElastiCache Redis Metrics * CloudWatch: Add Data
Lifecycle Manager metrics and dimension * CloudWatch: Add Missing
Elasticache Host-level metrics * CloudWatch: Add multi-value template
variable support for log group names in logs query builder * CloudWatch:
Add new AWS/ES metrics. #43034, @sunker * Cloudwatch: Add support for AWS/
PrivateLink* metrics and dimensions * Cloudwatch: Add support for new AWS/
RDS EBS* metrics * Cloudwatch: Add syntax highlighting and autocomplete for
"Metric Search" * Cloudwatch: Add template variable query function for
listing log groups * Configuration: Add ability to customize okta login
button name and icon * Elasticsearch: Add deprecation notice for < 7.10
versions. * Explore: Support custom display label for exemplar links for
Prometheus datasource * Hotkeys: Make time range absolute/permanent *
InfluxDB: Use backend for influxDB by default via feature toggle * Legend:
Use correct unit for percent and count calculations * Logs: Escape windows
newline into single newline * Loki: Add unpack to autocomplete suggestions
* Loki: Use millisecond steps in Grafana 8.5.x. * Playlists: Enable sharing
direct links to playlists * Plugins: Allow using both Function and Class
components for app plugins * Plugins: Expose emotion/react to plugins to
prevent load failures * Plugins: Introduce HTTP 207 Multi Status response
to api/ds/query * Rendering: Add support for renderer token * Setting:
Support configuring feature toggles with bools instead of just passing an
array * SQLStore: Prevent concurrent migrations * SSE: Add Mode to drop NaN
/Inf/Null in Reduction operations * Tempo: Switch out Select with
AsyncSelect component to get loading state in Tempo Search * TimeSeries:
Add migration for Graph panel's transform series override * TimeSeries: Add
support for negative Y and constant transform * TimeSeries: Preserve null/
undefined values when performing negative y transform * Traces: Filter by
service/span name and operation in Tempo and Jaeger * Transformations: Add
'JSON' field type to ConvertFieldTypeTransformer * Transformations: Add an
All Unique Values Reducer * Transformers: avoid error when the
ExtractFields source field is missing
o Breaking changes: * For a data source query made via /api/ds/query:
+ If the DatasourceQueryMultiStatus feature is enabled and the data source
response has an error set as part of the DataResponse, the resulting HTTP
status code is now '207 Multi Status' instead of '400 Bad gateway' + If the
DatasourceQueryMultiStatus feature is not enabled and the data source
response has an error set as part of the DataResponse, the resulting HTTP
status code is '400 BadRequest' (no breaking change) * For a proxied
request, e.g. Grafana's datasource or plugin proxy:
+ If the request is cancelled, e.g. from the browser/by the client, the
HTTP status code is now '499 Client closed' request instead of 502 Bad
gateway If the request times out, e.g. takes longer time than allowed, the
HTTP status code is now '504 Gateway timeout' instead of '502 Bad gateway'.
+ The change in behavior is that negative-valued series are now stacked
downwards from 0 (in their own stacks), rather than downwards from the top
of the positive stacks. We now automatically group stacks by Draw style,
Line interpolation, and Bar alignment, making it impossible to stack bars
on top of lines, or smooth lines on top of stepped lines + The meaning of
the default data source has now changed from being a persisted property in
a panel. Before when you selected the default data source for a panel and
later changed the default data source to another data source it would
change all panels who were configured to use the default data source. From
now on the default data source is just the default for new panels and
changing the default will not impact any currently saved dashboards + The
Tooltip component provided by @grafana/ui is no longer automatically
interactive (that is you can hover onto it and click a link or select
text). It will from now on by default close automatically when you mouse
out from the trigger element. To make tooltips behave like before set the
new interactive property to true.
o Deprecations: * /api/tsdb/query API has been deprecated, please use /api/ds
/query instead * AngularJS plugin support is now in a deprecated state. The
documentation site has an article with more details on why, when, and how
o Bug fixes: * Alerting: Add contact points provisioning API * Alerting: add
field for custom slack endpoint * Alerting: Add resolved count to
notification title when both firing and resolved present * Alerting: Alert
rule should wait For duration when execution error state is Alerting *
Alerting: Allow disabling override timings for notification policies *
Alerting: Allow serving images from custom url path * Alerting: Apply
Custom Headers to datasource queries * Alerting: Classic conditions can now
display multiple values * Alerting: correctly show all alerts in a folder *
Alerting: Display query from grafana-managed alert rules on /api/v1/rules *
Alerting: Do not overwrite existing alert rule condition * Alerting:
Enhance support for arbitrary group names in managed alerts * Alerting: Fix
access to alerts for viewer with editor permissions when RBAC is disabled *
Alerting: Fix anonymous access to alerting * Alerting: Fix migrations by
making send_alerts_to field nullable * Alerting: Fix RBAC actions for
notification policies * Alerting: Fix use of > instead of >= when checking
the For duration * Alerting: Remove double quotes from matchers * API:
Include userId, orgId, uname in request logging middleware * Auth:
Guarantee consistency of signed SigV4 headers * Azure Monitor : Adding json
formatting of error messages in Panel Header Corner and Inspect Error Tab *
Azure Monitor: Add 2 more Curated Dashboards for VM Insights * Azure
Monitor: Bug Fix for incorrect variable cascading for template variables *
Azure Monitor: Fix space character encoding for metrics query link to Azure
Portal * Azure Monitor: Fixes broken log queries that use workspace * Azure
Monitor: Small bug fixes for Resource Picker * AzureAd Oauth: Fix
strictMode to reject users without an assigned role * AzureMonitor: Fixes
metric definition for Azure Storage queue/file/blob/table resources *
Cloudwatch : Fixed reseting metric name when changing namespace in Metric
Query * CloudWatch: Added missing MemoryDB Namespace metrics * CloudWatch:
Fix MetricName resetting on Namespace change. * Cloudwatch: Fix template
variables in variable queries. * CloudWatch: Fix variable query tag
migration * CloudWatch: Handle new error codes for MetricInsights *
CloudWatch: List all metrics properly in SQL autocomplete * CloudWatch:
Prevent log groups from being removed on query change * CloudWatch: Remove
error message when using multi-valued template vars in region field *
CloudWatch: Run query on blur in logs query field * CloudWatch: Use default
http client from aws-sdk-go * Dashboard: Fix dashboard update permission
check * Dashboard: Fixes random scrolling on time range change * Dashboard:
Template variables are now correctly persisted when clicking breadcrumb
links * DashboardExport: Fix exporting and importing dashboards where query
data source ended up as incorrect * DashboardPage: Remember scroll position
when coming back panel edit / view panel * Dashboards: Fixes repeating by
row and no refresh * Dashboards: Show changes in save dialog * DataSource:
Default data source is no longer a persisted state but just the default
data source for new panels * DataSourcePlugin API: Allow queries import
when changing data source type * Elasticsearch: Respect
maxConcurrentShardRequests datasource setting * Explore: Allow users to
save Explore state to a new panel in a new dashboard * Explore: Avoid
locking timepicker when range is inverted. * Explore: Fix closing split
pane when logs panel is used * Explore: Prevent direct access to explore if
disabled via feature toggle * Explore: Remove return to panel button *
FileUpload: clicking the Upload file button now opens their modal correctly
* Gauge: Fixes blank viz when data link exists and orientation was
horizontal * GrafanaUI: Fix color of links in error Tooltips in light theme
* Histogram Panel: Take decimal into consideration * InfluxDB: Fixes
invalid no data alerts. #48295, @yesoreyeram * Instrumentation: Fix HTTP
request instrumentation of authentication failures * Instrumentation: Make
backend plugin metrics endpoints available with optional authentication *
Instrumentation: Proxy status code correction and various improvements *
LibraryPanels: Fix library panels not connecting properly in imported
dashboards * LibraryPanels: Prevent long descriptions and names from
obscuring the delete button * Logger: Use specified format for file logger
* Logging: Introduce feature toggle to activate gokit/log format * Logs:
Handle missing fields in dataframes better * Loki: Improve unpack parser
handling * ManageDashboards: Fix error when deleting all dashboards from
folder view * Middleware: Fix IPv6 host parsing in CSRF check * Navigation:
Prevent navbar briefly showing on login * NewsPanel: Add support for Atom
feeds. #45390, @kaydelaney * OAuth: Fix parsing of ID token if header
contains non-string value * Panel Edit: Options search now works correctly
when a logarithmic scale option is set * Panel Edit: Visualization search
now works correctly with special characters * Plugins Catalog: Fix styling
of hyperlinks * Plugins: Add deprecation notice for /api/tsdb/query
endpoint * Plugins: Adding support for traceID field to accept variables *
Plugins: Ensure catching all appropriate 4xx api/ds/query scenarios *
Postgres: Return tables with hyphenated schemes * PostgreSQL:
__unixEpochGroup to support arithmetic expression as argument * Profile/
Help: Expose option to disable profile section and help menu * Prometheus:
Enable new visual query builder by default * Provisioning: Fix duplicate
validation when multiple organizations have been configured inserted *
RBAC: Fix Anonymous Editors missing dashboard controls * RolePicker: Fix
menu position on smaller screens * SAML: Allow disabling of SAML signups *
Search: Sort results correctly when using postgres * Security: Fixes minor
code scanning security warnings in old vendored javascript libs * Table
panel: Fix horizontal scrolling when pagination is enabled * Table panel:
Show datalinks for cell display modes JSON View and Gauge derivates *
Table: Fix filter crashes table * Table: New pagination option *
TablePanel: Add cell inspect option * TablePanel: Do not prefix columns
with frame name if multipleframes and override active * TagsInput: Fix tags
remove button accessibility issues * Tempo / Trace Viewer: Support Span
Links in Trace Viewer * Tempo: Download span references in data inspector *
Tempo: Separate trace to logs and loki search datasource config *
TextPanel: Sanitize after markdown has been rendered to html * TimeRange:
Fixes updating time range from url and browser history * TimeSeries: Fix
detection & rendering of sparse datapoints * Timeseries: Fix outside range
stale state * TimeSeries: Properly stack series with missing datapoints *
TimeSeries: Sort tooltip values based on raw values * Tooltip: Fix links
not legible in Tooltips when using light theme * Tooltip: Sort decimals
using standard numeric compare * Trace View: Show number of child spans *
Transformations: Support escaped characters in key-value pair parsing *
Transforms: Labels to fields, fix label picker layout * Variables: Ensure
variables in query params are correctly recognised * Variables: Fix crash
when changing query variable datasource * Variables: Fixes issue with data
source variables not updating queries with variable * Visualizations: Stack
negative-valued series downwards
o Plugin development fixes: * Card: Increase clickable area when meta items
are present. * ClipboardButton: Use a fallback when the Clipboard API is
unavailable * Loki: Fix operator description propup from being shortened. *
OAuth: Add setting to skip org assignment for external users * Tooltips:
Make tooltips non interactive by default * Tracing: Add option to map tag
names to log label names in trace to logs settings
prometheus-blackbox_exporter:
o Add requirement for go1.18 (bsc#1203599)
spacecmd:
o Version 4.3.16-1 * Fix dict_keys not supporting indexing in
systems_setconfigchannelorger * Improve Proxy FQDN hint message * Added a
warning message for traditional stack deprecation * Stop always showing
help for valid proxy_container_config calls * Remove "Undefined return
code" from debug messages (bsc#1203283)
spacewalk-client-tools:
o Version 4.3.13-1 * Update translation strings
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Manager Tools 12:
zypper in -t patch SUSE-SLE-Manager-Tools-12-2022-4439=1
Package List:
o SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64):
golang-github-boynux-squid_exporter-1.6-1.9.1
grafana-8.5.13-1.36.2
prometheus-blackbox_exporter-0.19.0-1.14.1
prometheus-blackbox_exporter-debuginfo-0.19.0-1.14.1
o SUSE Manager Tools 12 (noarch):
python2-spacewalk-check-4.3.13-52.80.1
python2-spacewalk-client-setup-4.3.13-52.80.1
python2-spacewalk-client-tools-4.3.13-52.80.1
spacecmd-4.3.16-38.112.1
spacewalk-check-4.3.13-52.80.1
spacewalk-client-setup-4.3.13-52.80.1
spacewalk-client-tools-4.3.13-52.80.1
References:
o https://www.suse.com/security/cve/CVE-2021-36222.html
o https://www.suse.com/security/cve/CVE-2021-3711.html
o https://www.suse.com/security/cve/CVE-2021-41174.html
o https://www.suse.com/security/cve/CVE-2021-41244.html
o https://www.suse.com/security/cve/CVE-2021-43798.html
o https://www.suse.com/security/cve/CVE-2021-43813.html
o https://www.suse.com/security/cve/CVE-2021-43815.html
o https://www.suse.com/security/cve/CVE-2022-29170.html
o https://www.suse.com/security/cve/CVE-2022-31097.html
o https://www.suse.com/security/cve/CVE-2022-31107.html
o https://www.suse.com/security/cve/CVE-2022-35957.html
o https://www.suse.com/security/cve/CVE-2022-36062.html
o https://bugzilla.suse.com/1188571
o https://bugzilla.suse.com/1189520
o https://bugzilla.suse.com/1192383
o https://bugzilla.suse.com/1192763
o https://bugzilla.suse.com/1193492
o https://bugzilla.suse.com/1193686
o https://bugzilla.suse.com/1199810
o https://bugzilla.suse.com/1201535
o https://bugzilla.suse.com/1201539
o https://bugzilla.suse.com/1202945
o https://bugzilla.suse.com/1203283
o https://bugzilla.suse.com/1203596
o https://bugzilla.suse.com/1203597
o https://bugzilla.suse.com/1203599
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBY5qqIckNZI30y1K9AQjrRw//c/FVPvqmGH7omXxLu9pkaDEw1Evf+oES
L5c4Hksh6bDRw5HZR+EMb548g++jwZOZGMl5wh2OzRVvjt3upE08bUVtfMHVkKui
JLDqNW5EwKuapC7amb3NzUOCtiqbBBN4gEppOTMG80CndXN8ol7yR66rNp2pq6Cj
O9yUcdQLmWSJpkYkfZH/ZugCSERbzeYA2GZPsoPt91nVqntksJioEOwTzMuAmRWc
S3uP3GEyl50EWdMpTmVREgIU/Z+TSFccsvZ/rEt9ns2JDcMNrCzqTYdXfQPJ6tOI
N4COUQ/C26x6JKFDpkuoH/x56AzvgTNIPYz6lCSPORf5xVSPwHOrH0NzmM8AYo2O
5VSwKJSzfRc7X9Unsagh6PNIPvjGN1BqbyHhx5CBs48Ud70eDugGK0h6CR5ZA1S+
ElZUXQy9JHNZO/7SbtA/AAfL/f2gMAI/81kvkDmg4qDqKLeWZnZOBO83tsLdqo6k
3WKQAa43iKbcIc1qWYpu778aduOhESK8KsztqfvzdcfV6hxJIJVgbGFI2fT78eQ6
ggbl07Q3kJuIboA13a4N34iKQZy49PJHL7SBc0UmNAJndJY1NrHNbHWizpM9nPT8
DR8ey++mY5hyu9Kn4IBFvsJ2fOeNVrtCoL0TNCWztxbOpQEtZsr7Sgnl/90pxCCe
OzVTUdkMbcM=
=9b+7
-----END PGP SIGNATURE-----