             AUSCERT External Security Bulletin Redistribution

               Security update for SUSE Manager Client Tools
                             15 December 2022


        AusCERT Security Bulletin Summary

Product:           SUSE Manager Client Tools
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-36062 CVE-2022-35957 CVE-2022-31107
                   CVE-2022-31097 CVE-2022-29170 CVE-2021-43815
                   CVE-2021-43813 CVE-2021-43798 CVE-2021-41244
                   CVE-2021-41174 CVE-2021-36222 CVE-2021-3711

Original Bulletin: 

Comment: CVSS (Max):  9.8 CVE-2021-3711 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for SUSE Manager Client Tools


Announcement ID:   SUSE-SU-2022:4439-1
Rating:            moderate
References:        #1188571 #1189520 #1192383 #1192763 #1193492 #1193686
                   #1199810 #1201535 #1201539 #1202945 #1203283 #1203596
                   #1203597 #1203599
Cross-References:  CVE-2021-36222 CVE-2021-3711 CVE-2021-41174 CVE-2021-41244
                   CVE-2021-43798 CVE-2021-43813 CVE-2021-43815 CVE-2022-29170
                   CVE-2022-31097 CVE-2022-31107 CVE-2022-35957 CVE-2022-36062
Affected Products:
                   SUSE Manager Tools 12

An update that solves 12 vulnerabilities, contains one feature and has two
fixes is now available.


This update fixes the following issues:

  o Exclude s390 architecture
  o Enhanced to build on Enterprise Linux 8


  o Version update from 8.3.10 to 8.5.13 (jsc#PED-2145)
  o Security fixes:
    * CVE-2022-36062: (bsc#1203596)
    * CVE-2022-35957: (bsc#1203597)
    * CVE-2022-31107: (bsc#1201539)
    * CVE-2022-31097: (bsc#1201535)
    * CVE-2022-29170: (bsc#1199810)
    * CVE-2021-43813, CVE-2021-43815: (bsc#1193686)
    * CVE-2021-43798: (bsc#1193492)
    * CVE-2021-41244: (bsc#1192763)
    * CVE-2021-41174: (bsc#1192383)
    * CVE-2021-3711: (bsc#1189520)
    * CVE-2021-36222: (bsc#1188571)
  o Features and enhancements:
    * AccessControl: Disable user remove and user update roles when they do not
      have the permissions
    * AccessControl: Provisioning for teams
    * Alerting: Add custom grouping to Alert Panel
    * Alerting: Add safeguard for migrations that might cause data loss
    * Alerting: AlertingProxy to elevate permissions for request forwarded to
      data proxy when RBAC enabled
    * Alerting: Grafana uses > instead of >= when checking the For duration
    * Alerting: Move slow queries in the scheduler to another goroutine
    * Alerting: Remove disabled flag for data source when migrating alerts
    * Alerting: Show notification tab of legacy alerting only to editor
    * Alerting: Update migration to migrate only alerts that belong to existing
      org\dashboard
    * Alerting: Use expanded labels in dashboard annotations
    * Alerting: Use time.Ticker instead of alerting.Ticker in ngalert
    * Analytics: Add user id tracking to google analytics
    * Angular: Add AngularJS plugin support deprecation plan to docs site
    * API: Add usage stats preview endpoint
    * API: Extract OpenAPI specification from source code using go-swagger
    * Auth: implement auto_sign_up for auth.jwt
    * Azure Monitor Logs: Optimize data fetching in resource picker
    * Azure Monitor Logs: Order subscriptions in resource picker by name
    * Azure Monitor: Include datasource ref when interpolating variables.
    * AzureMonitor: Add support for not equals and startsWith operators when
      creating Azure Metrics dimension filters.
    * AzureMonitor: Do not quote variables when a custom "All" variable option
      is used
    * AzureMonitor: Filter list of resources by resourceType
    * AzureMonitor: Update allowed namespaces
    * BarChart: color by field, x time field, bar radius, label skipping
    * Chore: Implement OpenTelemetry in Grafana
    * Cloud Monitoring: Adds metric type to Metric drop down options
    * CloudMonitor: Correctly encode default project response
    * CloudWatch: Add all ElastiCache Redis Metrics
    * CloudWatch: Add Data Lifecycle Manager metrics and dimension
    * CloudWatch: Add Missing Elasticache Host-level metrics
    * CloudWatch: Add multi-value template variable support for log group names
      in logs query builder
    * CloudWatch: Add new AWS/ES metrics. #43034, @sunker
    * Cloudwatch: Add support for AWS/PrivateLink* metrics and dimensions
    * Cloudwatch: Add support for new AWS/RDS EBS* metrics
    * Cloudwatch: Add syntax highlighting and autocomplete for "Metric Search"
    * Cloudwatch: Add template variable query function for listing log groups
    * Configuration: Add ability to customize okta login button name and icon
    * Elasticsearch: Add deprecation notice for < 7.10 versions.
    * Explore: Support custom display label for exemplar links for Prometheus
      datasource
    * Hotkeys: Make time range absolute/permanent
    * InfluxDB: Use backend for influxDB by default via feature toggle
    * Legend: Use correct unit for percent and count calculations
    * Logs: Escape windows newline into single newline
    * Loki: Add unpack to autocomplete suggestions
    * Loki: Use millisecond steps in Grafana 8.5.x.
    * Playlists: Enable sharing direct links to playlists
    * Plugins: Allow using both Function and Class components for app plugins
    * Plugins: Expose emotion/react to plugins to prevent load failures
    * Plugins: Introduce HTTP 207 Multi Status response to api/ds/query
    * Rendering: Add support for renderer token
    * Setting: Support configuring feature toggles with bools instead of just
      passing an array
    * SQLStore: Prevent concurrent migrations
    * SSE: Add Mode to drop NaN/Inf/Null in Reduction operations
    * Tempo: Switch out Select with AsyncSelect component to get loading state
      in Tempo Search
    * TimeSeries: Add migration for Graph panel's transform series override
    * TimeSeries: Add support for negative Y and constant transform
    * TimeSeries: Preserve null/undefined values when performing negative y
      transform
    * Traces: Filter by service/span name and operation in Tempo and Jaeger
    * Transformations: Add 'JSON' field type to ConvertFieldTypeTransformer
    * Transformations: Add an All Unique Values Reducer
    * Transformers: avoid error when the ExtractFields source field is missing
  o Breaking changes:
    * For a data source query made via /api/ds/query:
      + If the DatasourceQueryMultiStatus feature is enabled and the data
        source response has an error set as part of the DataResponse, the
        resulting HTTP status code is now '207 Multi Status' instead of
        '400 Bad gateway'
      + If the DatasourceQueryMultiStatus feature is not enabled and the data
        source response has an error set as part of the DataResponse, the
        resulting HTTP status code is '400 BadRequest' (no breaking change)
    * For a proxied request, e.g. Grafana's datasource or plugin proxy:
      + If the request is cancelled, e.g. from the browser/by the client, the
        HTTP status code is now '499 Client closed request' instead of
        '502 Bad gateway'
      + If the request times out, e.g. takes longer time than allowed, the
        HTTP status code is now '504 Gateway timeout' instead of
        '502 Bad gateway'.
    * The change in behavior is that negative-valued series are now stacked
      downwards from 0 (in their own stacks), rather than downwards from the
      top of the positive stacks. We now automatically group stacks by Draw
      style, Line interpolation, and Bar alignment, making it impossible to
      stack bars on top of lines, or smooth lines on top of stepped lines
    * The meaning of the default data source has now changed from being a
      persisted property in a panel. Before, when you selected the default
      data source for a panel and later changed the default data source to
      another data source, it would change all panels that were configured to
      use the default data source. From now on the default data source is
      just the default for new panels, and changing the default will not
      impact any currently saved dashboards
    * The Tooltip component provided by @grafana/ui is no longer
      automatically interactive (that is, you can hover onto it and click a
      link or select text). It will from now on by default close
      automatically when you mouse out from the trigger element. To make
      tooltips behave like before, set the new interactive property to true.
  o Deprecations:
    * /api/tsdb/query API has been deprecated, please use /api/ds/query
      instead
    * AngularJS plugin support is now in a deprecated state. The documentation
      site has an article with more details on why, when, and how
  o Bug fixes:
    * Alerting: Add contact points provisioning API
    * Alerting: add field for custom slack endpoint
    * Alerting: Add resolved count to notification title when both firing and
      resolved present
    * Alerting: Alert rule should wait For duration when execution error state
      is Alerting
    * Alerting: Allow disabling override timings for notification policies
    * Alerting: Allow serving images from custom url path
    * Alerting: Apply Custom Headers to datasource queries
    * Alerting: Classic conditions can now display multiple values
    * Alerting: correctly show all alerts in a folder
    * Alerting: Display query from grafana-managed alert rules on
      /api/v1/rules
    * Alerting: Do not overwrite existing alert rule condition
    * Alerting: Enhance support for arbitrary group names in managed alerts
    * Alerting: Fix access to alerts for viewer with editor permissions when
      RBAC is disabled
    * Alerting: Fix anonymous access to alerting
    * Alerting: Fix migrations by making send_alerts_to field nullable
    * Alerting: Fix RBAC actions for notification policies
    * Alerting: Fix use of > instead of >= when checking the For duration
    * Alerting: Remove double quotes from matchers
    * API: Include userId, orgId, uname in request logging middleware
    * Auth: Guarantee consistency of signed SigV4 headers
    * Azure Monitor: Adding json formatting of error messages in Panel Header
      Corner and Inspect Error Tab
    * Azure Monitor: Add 2 more Curated Dashboards for VM Insights
    * Azure Monitor: Bug Fix for incorrect variable cascading for template
      variables
    * Azure Monitor: Fix space character encoding for metrics query link to
      Azure Portal
    * Azure Monitor: Fixes broken log queries that use workspace
    * Azure Monitor: Small bug fixes for Resource Picker
    * AzureAd Oauth: Fix strictMode to reject users without an assigned role
    * AzureMonitor: Fixes metric definition for Azure Storage
      queue/file/blob/table resources
    * Cloudwatch: Fixed resetting metric name when changing namespace in Metric
      Query
    * CloudWatch: Added missing MemoryDB Namespace metrics
    * CloudWatch: Fix MetricName resetting on Namespace change.
    * Cloudwatch: Fix template variables in variable queries.
    * CloudWatch: Fix variable query tag migration
    * CloudWatch: Handle new error codes for MetricInsights
    * CloudWatch: List all metrics properly in SQL autocomplete
    * CloudWatch: Prevent log groups from being removed on query change
    * CloudWatch: Remove error message when using multi-valued template vars in
      region field
    * CloudWatch: Run query on blur in logs query field
    * CloudWatch: Use default http client from aws-sdk-go
    * Dashboard: Fix dashboard update permission check
    * Dashboard: Fixes random scrolling on time range change
    * Dashboard: Template variables are now correctly persisted when clicking
      breadcrumb links
    * DashboardExport: Fix exporting and importing dashboards where query data
      source ended up as incorrect
    * DashboardPage: Remember scroll position when coming back from panel
      edit / view panel
    * Dashboards: Fixes repeating by row and no refresh
    * Dashboards: Show changes in save dialog
    * DataSource: Default data source is no longer a persisted state but just
      the default data source for new panels
    * DataSourcePlugin API: Allow queries import when changing data source type
    * Elasticsearch: Respect maxConcurrentShardRequests datasource setting
    * Explore: Allow users to save Explore state to a new panel in a new
      dashboard
    * Explore: Avoid locking timepicker when range is inverted.
    * Explore: Fix closing split pane when logs panel is used
    * Explore: Prevent direct access to explore if disabled via feature toggle
    * Explore: Remove return to panel button
    * FileUpload: clicking the Upload file button now opens their modal
      correctly
    * Gauge: Fixes blank viz when data link exists and orientation was
      horizontal
    * GrafanaUI: Fix color of links in error Tooltips in light theme
    * Histogram Panel: Take decimal into consideration
    * InfluxDB: Fixes invalid no data alerts. #48295, @yesoreyeram
    * Instrumentation: Fix HTTP request instrumentation of authentication
      failures
    * Instrumentation: Make backend plugin metrics endpoints available with
      optional authentication
    * Instrumentation: Proxy status code correction and various improvements
    * LibraryPanels: Fix library panels not connecting properly in imported
      dashboards
    * LibraryPanels: Prevent long descriptions and names from obscuring the
      delete button
    * Logger: Use specified format for file logger
    * Logging: Introduce feature toggle to activate gokit/log format
    * Logs: Handle missing fields in dataframes better
    * Loki: Improve unpack parser handling
    * ManageDashboards: Fix error when deleting all dashboards from folder view
    * Middleware: Fix IPv6 host parsing in CSRF check
    * Navigation: Prevent navbar briefly showing on login
    * NewsPanel: Add support for Atom feeds. #45390, @kaydelaney
    * OAuth: Fix parsing of ID token if header contains non-string value
    * Panel Edit: Options search now works correctly when a logarithmic scale
      option is set
    * Panel Edit: Visualization search now works correctly with special
      characters
    * Plugins Catalog: Fix styling of hyperlinks
    * Plugins: Add deprecation notice for /api/tsdb/query endpoint
    * Plugins: Adding support for traceID field to accept variables
    * Plugins: Ensure catching all appropriate 4xx api/ds/query scenarios
    * Postgres: Return tables with hyphenated schemes
    * PostgreSQL: __unixEpochGroup to support arithmetic expression as argument
    * Profile/Help: Expose option to disable profile section and help menu
    * Prometheus: Enable new visual query builder by default
    * Provisioning: Fix duplicate validation when multiple organizations have
      been configured inserted
    * RBAC: Fix Anonymous Editors missing dashboard controls
    * RolePicker: Fix menu position on smaller screens
    * SAML: Allow disabling of SAML signups
    * Search: Sort results correctly when using postgres
    * Security: Fixes minor code scanning security warnings in old vendored
      javascript libs
    * Table panel: Fix horizontal scrolling when pagination is enabled
    * Table panel: Show datalinks for cell display modes JSON View and Gauge
      derivates
    * Table: Fix filter crashes table
    * Table: New pagination option
    * TablePanel: Add cell inspect option
    * TablePanel: Do not prefix columns with frame name if multipleframes and
      override active
    * TagsInput: Fix tags remove button accessibility issues
    * Tempo / Trace Viewer: Support Span Links in Trace Viewer
    * Tempo: Download span references in data inspector
    * Tempo: Separate trace to logs and loki search datasource config
    * TextPanel: Sanitize after markdown has been rendered to html
    * TimeRange: Fixes updating time range from url and browser history
    * TimeSeries: Fix detection & rendering of sparse datapoints
    * Timeseries: Fix outside range stale state
    * TimeSeries: Properly stack series with missing datapoints
    * TimeSeries: Sort tooltip values based on raw values
    * Tooltip: Fix links not legible in Tooltips when using light theme
    * Tooltip: Sort decimals using standard numeric compare
    * Trace View: Show number of child spans
    * Transformations: Support escaped characters in key-value pair parsing
    * Transforms: Labels to fields, fix label picker layout
    * Variables: Ensure variables in query params are correctly recognised
    * Variables: Fix crash when changing query variable datasource
    * Variables: Fixes issue with data source variables not updating queries
      with variable
    * Visualizations: Stack negative-valued series downwards
  o Plugin development fixes:
    * Card: Increase clickable area when meta items are present.
    * ClipboardButton: Use a fallback when the Clipboard API is unavailable
    * Loki: Fix operator description popup from being shortened.
    * OAuth: Add setting to skip org assignment for external users
    * Tooltips: Make tooltips non interactive by default
    * Tracing: Add option to map tag names to log label names in trace to logs
      settings


  o Add requirement for go1.18 (bsc#1203599)


  o Version 4.3.16-1
    * Fix dict_keys not supporting indexing in systems_setconfigchannelorger
    * Improve Proxy FQDN hint message
    * Added a warning message for traditional stack deprecation
    * Stop always showing help for valid proxy_container_config calls
    * Remove "Undefined return code" from debug messages (bsc#1203283)


  o Version 4.3.13-1
    * Update translation strings

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Manager Tools 12:
    zypper in -t patch SUSE-SLE-Manager-Tools-12-2022-4439=1
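As an added post-patch check that is not part of the SUSE or AusCERT text, the following POSIX shell script compares an installed version against the 8.5.13 this update delivers and reports whether the host is still below it. The package name "grafana" and the use of rpm are assumptions, since the bulletin's package list above is empty.

```shell
#!/bin/sh
# Added example, not from the bulletin. Assumes the Grafana client-tools
# package is named "grafana" (an assumption; the bulletin lists no package
# names) and that rpm is available on the host being checked.
FIXED_VERSION="8.5.13"   # version the update delivers per the bulletin

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# Compares numerically field by field (so 8.10.0 > 8.5.13) and treats a
# missing trailing field as 0. Only purely numeric dotted versions are
# supported; a suffix such as "~rc1" would have to be stripped first.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading field of each
        [ "$a" = "$ai" ] && a="" || a="${a#*.}" # drop it from the remainder
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# check_grafana_version V: print a verdict; return 0 if V is at or above
# the fixed version, 1 if the host still needs the patch.
check_grafana_version() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "grafana $1: at or above $FIXED_VERSION (patched)"
        return 0
    fi
    echo "grafana $1: below $FIXED_VERSION (listed CVEs still apply)"
    return 1
}

# Query the installed version; skipped when rpm is not present so the
# functions above can also be used on their own (e.g. against inventory data).
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}\n' grafana 2>/dev/null) && \
        check_grafana_version "$installed"
fi
```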

Package List:

  o SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64):
  o SUSE Manager Tools 12 (noarch):


  o https://www.suse.com/security/cve/CVE-2021-36222.html
  o https://www.suse.com/security/cve/CVE-2021-3711.html
  o https://www.suse.com/security/cve/CVE-2021-41174.html
  o https://www.suse.com/security/cve/CVE-2021-41244.html
  o https://www.suse.com/security/cve/CVE-2021-43798.html
  o https://www.suse.com/security/cve/CVE-2021-43813.html
  o https://www.suse.com/security/cve/CVE-2021-43815.html
  o https://www.suse.com/security/cve/CVE-2022-29170.html
  o https://www.suse.com/security/cve/CVE-2022-31097.html
  o https://www.suse.com/security/cve/CVE-2022-31107.html
  o https://www.suse.com/security/cve/CVE-2022-35957.html
  o https://www.suse.com/security/cve/CVE-2022-36062.html
  o https://bugzilla.suse.com/1188571
  o https://bugzilla.suse.com/1189520
  o https://bugzilla.suse.com/1192383
  o https://bugzilla.suse.com/1192763
  o https://bugzilla.suse.com/1193492
  o https://bugzilla.suse.com/1193686
  o https://bugzilla.suse.com/1199810
  o https://bugzilla.suse.com/1201535
  o https://bugzilla.suse.com/1201539
  o https://bugzilla.suse.com/1202945
  o https://bugzilla.suse.com/1203283
  o https://bugzilla.suse.com/1203596
  o https://bugzilla.suse.com/1203597
  o https://bugzilla.suse.com/1203599

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: https://auscert.org.au/gpg-key/