===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.2554                               
        Security Beta update for SUSE Manager Client Tools and Salt        
                               26 April 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           salt                                                    
                   SUSE Manager Client Tools                               
Publisher:         SUSE                                                    
Operating System:  SUSE                                                    
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2016-8647 CVE-2023-6152 CVE-2017-7550               
                   CVE-2018-10874 CVE-2016-9587 CVE-2023-5764              
                   CVE-2024-0690 CVE-2020-14365                            

Original Bulletin:
   https://www.suse.com/support/update/announcement/2024/suse-su-20241427-1

Comment: CVSS (Max):  8.5 CVE-2017-7550 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: [SUSE], NIST                                         
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H


- --------------------------BEGIN INCLUDED TEXT--------------------

Security Beta update for SUSE Manager Client Tools and Salt

Announcement ID:  SUSE-SU-2024:1427-1
Rating:           moderate
References:       o bsc#1008037
                  o bsc#1008038
                  o bsc#1010940
                  o bsc#1019021
                  o bsc#1038785
                  o bsc#1059235
                  o bsc#1099805
                  o bsc#1166389
                  o bsc#1171823
                  o bsc#1174145
                  o bsc#1174302
                  o bsc#1175993
                  o bsc#1177948
                  o bsc#1216854
                  o bsc#1219002
                  o bsc#1219887
                  o bsc#1219912
                  o bsc#1220371
                  o bsc#1221092
                  o jsc#MSQA-759

Cross-References: o CVE-2016-8647
                  o CVE-2016-9587
                  o CVE-2017-7550
                  o CVE-2018-10874
                  o CVE-2020-14365
                  o CVE-2023-5764
                  o CVE-2023-6152
                  o CVE-2024-0690

CVSS scores:      o CVE-2016-8647 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
                  o CVE-2016-8647 ( NVD ): 2.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
                  o CVE-2016-9587 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                  o CVE-2017-7550 ( SUSE ): 8.5 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                  o CVE-2017-7550 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                  o CVE-2017-7550 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                  o CVE-2018-10874 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                  o CVE-2018-10874 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                  o CVE-2020-14365 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
                  o CVE-2020-14365 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
                  o CVE-2023-5764 ( SUSE ): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
                  o CVE-2023-5764 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                  o CVE-2023-6152 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
                  o CVE-2024-0690 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
                  o CVE-2024-0690 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected          o openSUSE Leap 15.3
Products:         o openSUSE Leap 15.4
                  o openSUSE Leap 15.5
                  o openSUSE Leap 15.6
                  o SUSE Linux Enterprise Desktop 15
                  o SUSE Linux Enterprise Desktop 15 SP1
                  o SUSE Linux Enterprise Desktop 15 SP2
                  o SUSE Linux Enterprise Desktop 15 SP3
                  o SUSE Linux Enterprise Desktop 15 SP4
                  o SUSE Linux Enterprise Desktop 15 SP5
                  o SUSE Linux Enterprise Desktop 15 SP6
                  o SUSE Linux Enterprise High Performance Computing 15
                  o SUSE Linux Enterprise High Performance Computing 15 SP1
                  o SUSE Linux Enterprise High Performance Computing 15 SP2
                  o SUSE Linux Enterprise High Performance Computing 15 SP3
                  o SUSE Linux Enterprise High Performance Computing 15 SP4
                  o SUSE Linux Enterprise High Performance Computing 15 SP5
                  o SUSE Linux Enterprise Micro 5.0
                  o SUSE Linux Enterprise Micro 5.1
                  o SUSE Linux Enterprise Micro 5.2
                  o SUSE Linux Enterprise Micro 5.3
                  o SUSE Linux Enterprise Micro 5.4
                  o SUSE Linux Enterprise Micro 5.5
                  o SUSE Linux Enterprise Real Time 15 SP1
                  o SUSE Linux Enterprise Real Time 15 SP2
                  o SUSE Linux Enterprise Real Time 15 SP3
                  o SUSE Linux Enterprise Real Time 15 SP4
                  o SUSE Linux Enterprise Real Time 15 SP5
                  o SUSE Linux Enterprise Real Time 15 SP6
                  o SUSE Linux Enterprise Server 15
                  o SUSE Linux Enterprise Server 15 SP1
                  o SUSE Linux Enterprise Server 15 SP2
                  o SUSE Linux Enterprise Server 15 SP3
                  o SUSE Linux Enterprise Server 15 SP4
                  o SUSE Linux Enterprise Server 15 SP5
                  o SUSE Linux Enterprise Server 15 SP6
                  o SUSE Linux Enterprise Server for SAP Applications 15
                  o SUSE Linux Enterprise Server for SAP Applications 15 SP1
                  o SUSE Linux Enterprise Server for SAP Applications 15 SP2
                  o SUSE Linux Enterprise Server for SAP Applications 15 SP3
                  o SUSE Linux Enterprise Server for SAP Applications 15 SP4
                  o SUSE Linux Enterprise Server for SAP Applications 15 SP5
                  o SUSE Linux Enterprise Server for SAP Applications 15 SP6
                  o SUSE Manager Client Tools Beta for SLE 15
                  o SUSE Manager Client Tools Beta for SLE Micro 5

An update that solves eight vulnerabilities, contains one feature and has 11
security fixes can now be installed.

Description:

This update fixes the following issues:

POS_Image-Graphical7:

  o Update to version 0.1.1710765237.46af599
  o Move image services to dracut-saltboot package
  o Use salt bundle
  o Update to version 0.1.1645440615.7f1328c
  o Remove deprecated kiwi functions

POS_Image-JeOS7:

  o Update to version 0.1.1710765237.46af599
  o Move image services to dracut-saltboot package
  o Use salt bundle
  o Update to version 0.1.1645440615.7f1328c
  o Remove deprecated kiwi functions

ansible:

  o CVE-2023-5764: Address issues where internal templating can cause unsafe
    variables to lose their unsafe designation (bsc#1216854)
  o breaking_changes: assert - Nested templating may result in an inability for
    the conditional to be evaluated. See the porting guide for more
    information.
  o CVE-2024-0690: Address issue where ANSIBLE_NO_LOG was ignored (bsc#1219002)
  o CVE-2020-14365: Do a GPG validation if the disable_gpg_check option is not
    set. (bsc#1175993)
  o Don't Require python-coverage, it is needed only for testing (bsc#1177948)
  o CVE-2018-10874: Inventory variables are loaded from current working
    directory when running ad-hoc command that can lead to code execution
    (included upstream in 2.6.1) (bsc#1099805)

dracut-saltboot:

  o Update to version 0.1.1710765237.46af599
  o Load only first available leaseinfo (bsc#1221092)
  o Update to version 0.1.1681904360.84ef141

grafana:

  o Require Go 1.20
  o Update to version 9.5.16:
  o [SECURITY] CVE-2023-6152: Add email verification when updating user email
    (bsc#1219912)
  o [BUGFIX] Annotations: Split cleanup into separate queries and deletes to
    avoid deadlocks on MySQL
  o Update to version 9.5.15:
  o [FEATURE] Alerting: Attempt to retry retryable errors
  o Update to version 9.5.14:
  o [BUGFIX] Alerting: Fix state manager to not keep datasource_uid and ref_id
    labels in state after Error
  o [BUGFIX] Transformations: Config overrides being lost when config from
    query transform is applied
  o [BUGFIX] LDAP: Fix enable users on successful login
  o Update to version 9.5.13:
  o [BUGFIX] BrowseDashboards: Only remember the most recent expanded folder
  o [BUGFIX] Licensing: Pass func to update env variables when starting plugin
  o Update to version 9.5.12:
  o [FEATURE] Azure: Add support for Workload Identity authentication
  o Update to version 9.5.9:
  o [FEATURE] SSE: Fix DSNode to not panic when response has empty response
  o [FEATURE] Prometheus: Handle the response with different field key order
  o [BUGFIX] LDAP: Fix user disabling

golang-github-prometheus-node_exporter:

  o Add device_error label for filesystem metrics.
  o Update rtnetlink library to fix errors during ARP metrics collection.
  o Update to 1.7.0 (jsc#PED-7893, jsc#PED-7928):
  o [FEATURE] Add ZFS freebsd per dataset stats #2753
  o [FEATURE] Add cpu vulnerabilities reporting from sysfs #2721
  o [ENHANCEMENT] Parallelize stat calls in Linux filesystem collector #1772
  o [ENHANCEMENT] Add missing linkspeeds to ethtool collector #2711
  o [ENHANCEMENT] Add CPU MHz as the value for node_cpu_info metric #2778
  o [ENHANCEMENT] Improve qdisc collector performance #2779
  o [ENHANCEMENT] Add include and exclude filter for hwmon collector #2699
  o [ENHANCEMENT] Optionally fetch ARP stats via rtnetlink instead of procfs #2777
  o [BUGFIX] Fix ZFS arcstats on FreeBSD 14.0+ #2754
  o [BUGFIX] Fallback to 32-bit stats in netdev #2757
  o [BUGFIX] Close btrfs.FS handle after use #2780
  o [BUGFIX] Move RO status before error return #2807
  o [BUGFIX] Fix promhttp_metric_handler_errors_total being always active #2808
  o [BUGFIX] Fix nfsd v4 index miss #2824
  o Update to 1.6.1: (no source code changes in this release)
  o BuildRequire go1.20
  o Update to 1.6.0:
  o [CHANGE] Fix cpustat when some cpus are offline #2318
  o [CHANGE] Remove metrics of offline CPUs in CPU collector #2605
  o [CHANGE] Deprecate ntp collector #2603
  o [CHANGE] Remove bcache cache_readaheads_totals metrics #2583
  o [CHANGE] Deprecate supervisord collector #2685
  o [FEATURE] Enable uname collector on NetBSD #2559
  o [FEATURE] NetBSD support for the meminfo collector #2570
  o [FEATURE] NetBSD support for CPU collector #2626
  o [FEATURE] Add FreeBSD collector for netisr subsystem #2668
  o [FEATURE] Add softirqs collector #2669
  o [ENHANCEMENT] Add suspended as a node_zfs_zpool_state #2449
  o [ENHANCEMENT] Add administrative state of Linux network interfaces #2515
  o [ENHANCEMENT] Log current value of GOMAXPROCS #2537
  o [ENHANCEMENT] Add profiler options for perf collector #2542
  o [ENHANCEMENT] Allow root path as metrics path #2590
  o [ENHANCEMENT] Add cpu frequency governor metrics #2569
  o [ENHANCEMENT] Add new landing page #2622
  o [ENHANCEMENT] Reduce privileges needed for btrfs device stats #2634
  o [ENHANCEMENT] Add ZFS memory_available_bytes #2687
  o [ENHANCEMENT] Use SCSI_IDENT_SERIAL as serial in diskstats #2612
  o [ENHANCEMENT] Read missing from netlink netclass attributes from sysfs #2669
  o [BUGFIX] perf: fixes for automatically detecting the correct tracefs
    mountpoints #2553
  o [BUGFIX] Fix thermal_zone collector noise #2554
  o [BUGFIX] Fix a problem fetching the user wire count on FreeBSD #2584
  o [BUGFIX] interrupts: Fix fields on linux aarch64 #2631
  o [BUGFIX] Remove metrics of offline CPUs in CPU collector #2605
  o [BUGFIX] Fix OpenBSD filesystem collector string parsing #2637
  o [BUGFIX] Fix bad reporting of node_cpu_seconds_total in OpenBSD #2663
  o Change go_modules archive in _service to use obscpio file

spacecmd:

  o Version 5.0.5-0
  o Update translation strings

spacewalk-client-tools:

  o Version 5.0.4-0
  o Remove rhn-profile-sync rhn_register spacewalk-channel and
    spacewalk-update-status

supportutils-plugin-susemanager-client:

  o Version 5.0.3-0
  o Remove rhnsd from client actions and server backend

uyuni-tools:

  o Version 0.1.7-0
  o Fix wrong Cobbler spacewalk_authentication_endpoint property after upgrade
    or migration
  o Fix migration script using missing awk in migration image
  o Version 0.1.6-0
  o Pull image from authenticated registry
  o Port 80 should be published to the port 80 of the containers. 8080 is squid
  o Autogenerate the database password
  o Add mgrctl term command
  o Fix --version flag
  o Deny uyuni to suma upgrade and vice versa
  o Refactor upgrade to clarify script end adding post upgrade script (bsc#1219887)
  o Add mgradm install podman arguments to define big volumes storage
  o k8s migration use same functions as upgrade
  o Allow to use images from RPM if present
  o Schedule a system list refresh after migrate if not run before
  o Ignore error on optional flag
  o Fix migration of multiple autoinstallable distributions
  o Obsolete uyuni-proxy-systemd-service package by mgrpxy
  o Add GitHub workflow for checking changelog
  o Allow installation using --image image:tag
  o Add command to register Peripheral server to Hub
  o Add Node exporter (9100) and Taskomatic (9800) ports to the list of open
    TCP ports
  o Fix minimal administrator password length
  o Do not assume the current host is a cluster node when getting kubelet
    version
  o Add mgrpxy start, stop and restart commands
  o Remove shm size constraints on the server
  o Add mgrpxy and mgradm status commands
  o Use uninstall commands dry run by default to avoid unintended removals
  o Make first user mandatory at install time
  o Add inspect and upgrade command
  o Improve error handling when exec.Command is used
  o Start/Stop/Restart command with kubernetes
  o Version 0.1.5-0
  o Install aardvark-dns if netavark is installed (bsc#1220371)

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such
as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  o SUSE Manager Client Tools Beta for SLE 15
    zypper in -t patch SUSE-SLE-Manager-Tools-15-BETA-2024-1427=1
  o SUSE Manager Client Tools Beta for SLE Micro 5
    zypper in -t patch SUSE-SLE-Manager-Tools-Beta-For-Micro-5-2024-1427=1

Package List:

  o SUSE Manager Client Tools Beta for SLE 15 (noarch)
       ansible-2.9.27-159000.3.12.2
       ansible-doc-2.9.27-159000.3.12.2
       python3-spacewalk-check-5.0.4-159000.6.54.2
       spacecmd-5.0.5-159000.6.48.2
       supportutils-plugin-susemanager-client-5.0.3-159000.6.21.2
       mgrctl-zsh-completion-0.1.7-159000.3.8.1
       python3-spacewalk-client-tools-5.0.4-159000.6.54.2
       POS_Image-Graphical7-0.1.1710765237.46af599-159000.3.24.2
       spacewalk-client-setup-5.0.4-159000.6.54.2
       dracut-saltboot-0.1.1710765237.46af599-159000.3.33.2
       spacewalk-client-tools-5.0.4-159000.6.54.2
       POS_Image-JeOS7-0.1.1710765237.46af599-159000.3.24.2
       mgrctl-bash-completion-0.1.7-159000.3.8.1
       spacewalk-check-5.0.4-159000.6.54.2
       python3-spacewalk-client-setup-5.0.4-159000.6.54.2
  o SUSE Manager Client Tools Beta for SLE 15 (aarch64 ppc64le s390x x86_64)
       mgrctl-0.1.7-159000.3.8.1
       grafana-debuginfo-9.5.16-159000.4.30.2
       grafana-9.5.16-159000.4.30.2
  o SUSE Manager Client Tools Beta for SLE Micro 5 (aarch64 s390x x86_64)
       mgrctl-0.1.7-159000.3.8.1
       golang-github-prometheus-node_exporter-1.5.0-159000.6.2.1
  o SUSE Manager Client Tools Beta for SLE Micro 5 (noarch)
       mgrctl-bash-completion-0.1.7-159000.3.8.1
       mgrctl-zsh-completion-0.1.7-159000.3.8.1
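The Patch Instructions above tell you how to install the update; the Package List tells you which NVRs (name-version-release) count as fixed. The script below is an added example, not part of the SUSE or AusCERT bulletin, that turns the Package List into a post-patch compliance check: it parses each fixed NVR, compares it against a host's installed packages using a port of RPM's own `rpmvercmp` ordering (numeric segments, alpha segments, `~` pre-release and `^` post-release markers), and reports which packages still predate the fix. The installed-package sample is constructed here for illustration; on a real client you would feed it the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`. Epochs are not compared because the advisory lists none.

```python
"""Audit a host's installed packages against the fixed NVRs in SUSE-SU-2024:1427-1,
using RPM's version-ordering rules so that '3.11.1' < '3.12.2' and '1.0~rc1' < '1.0'."""
import re

# Fixed NVRs copied from the advisory's Package List (noarch / SLE 15 groups).
FIXED_PACKAGES = """
ansible-2.9.27-159000.3.12.2
spacecmd-5.0.5-159000.6.48.2
spacewalk-client-tools-5.0.4-159000.6.54.2
grafana-9.5.16-159000.4.30.2
mgrctl-0.1.7-159000.3.8.1
""".split()

# CONSTRUCTED sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output
# from a hypothetical client; not taken from any real host.
INSTALLED_SAMPLE = """
ansible-2.9.27-159000.3.11.1
spacecmd-5.0.5-159000.6.48.2
grafana-9.5.14-159000.4.25.1
mgrctl-0.1.7-159000.3.8.1
mgrctl-bash-completion-0.1.7-159000.3.8.1
""".split()

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): 1 if a is newer than b, -1 if older, 0 if equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is not alphanumeric, '~' or '^'.
        while i < len(a) and a[i] not in "~^" and not _SEGMENT.match(a, i):
            i += 1
        while j < len(b) and b[j] not in "~^" and not _SEGMENT.match(b, j):
            j += 1
        # '~' sorts before everything, including the end of the string (1.0~rc1 < 1.0).
        ta, tb = a[i:i + 1] == "~", b[j:j + 1] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' is newer than the bare base but older than any further segment.
        ca, cb = a[i:i + 1] == "^", b[j:j + 1] == "^"
        if ca or cb:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        sa = _SEGMENT.match(a, i).group(0)
        isnum = sa[0].isdigit()
        mb = re.match(r"[0-9]+" if isnum else r"[A-Za-z]+", b[j:])
        if mb is None:  # segment types differ: a numeric segment is always newer
            return 1 if isnum else -1
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:  # numeric: drop leading zeros, then longer wins, then lexical
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever side has segments left over wins


def split_nvr(nvr: str):
    """'spacewalk-client-tools-5.0.4-159000.6.54.2' -> (name, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def audit(installed, fixed=FIXED_PACKAGES):
    """Map each advisory package name to 'ok', 'needs-update' or 'not-installed'."""
    have = {split_nvr(line)[0]: split_nvr(line)[1:] for line in installed}
    result = {}
    for nvr in fixed:
        name, fv, fr = split_nvr(nvr)
        if name not in have:
            result[name] = "not-installed"
            continue
        iv, ir = have[name]
        older = rpmvercmp(iv, fv) or rpmvercmp(ir, fr)  # version first, then release
        result[name] = "needs-update" if older < 0 else "ok"
    return result


if __name__ == "__main__":
    for name, status in sorted(audit(INSTALLED_SAMPLE).items()):
        print(f"{status:14} {name}")
```

Packages reported as `needs-update` are still running a build older than the one the advisory ships, so the `zypper in -t patch` command for the product should be re-run and the check repeated; `not-installed` means the host does not carry that package and the corresponding CVEs do not apply to it.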

References:

  o https://www.suse.com/security/cve/CVE-2016-8647.html
  o https://www.suse.com/security/cve/CVE-2016-9587.html
  o https://www.suse.com/security/cve/CVE-2017-7550.html
  o https://www.suse.com/security/cve/CVE-2018-10874.html
  o https://www.suse.com/security/cve/CVE-2020-14365.html
  o https://www.suse.com/security/cve/CVE-2023-5764.html
  o https://www.suse.com/security/cve/CVE-2023-6152.html
  o https://www.suse.com/security/cve/CVE-2024-0690.html
  o https://bugzilla.suse.com/show_bug.cgi?id=1008037
  o https://bugzilla.suse.com/show_bug.cgi?id=1008038
  o https://bugzilla.suse.com/show_bug.cgi?id=1010940
  o https://bugzilla.suse.com/show_bug.cgi?id=1019021
  o https://bugzilla.suse.com/show_bug.cgi?id=1038785
  o https://bugzilla.suse.com/show_bug.cgi?id=1059235
  o https://bugzilla.suse.com/show_bug.cgi?id=1099805
  o https://bugzilla.suse.com/show_bug.cgi?id=1166389
  o https://bugzilla.suse.com/show_bug.cgi?id=1171823
  o https://bugzilla.suse.com/show_bug.cgi?id=1174145
  o https://bugzilla.suse.com/show_bug.cgi?id=1174302
  o https://bugzilla.suse.com/show_bug.cgi?id=1175993
  o https://bugzilla.suse.com/show_bug.cgi?id=1177948
  o https://bugzilla.suse.com/show_bug.cgi?id=1216854
  o https://bugzilla.suse.com/show_bug.cgi?id=1219002
  o https://bugzilla.suse.com/show_bug.cgi?id=1219887
  o https://bugzilla.suse.com/show_bug.cgi?id=1219912
  o https://bugzilla.suse.com/show_bug.cgi?id=1220371
  o https://bugzilla.suse.com/show_bug.cgi?id=1221092
  o https://jira.suse.com/browse/MSQA-759

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================