
A SUSE Manager Client Tools security update has been released for openSUSE Leap 15.4/15.5 and SUSE Linux Enterprise.

SUSE-SU-2023:3868-1: important: Security update for SUSE Manager Client Tools

# Security update for SUSE Manager Client Tools

Announcement ID: SUSE-SU-2023:3868-1
Rating: important
References:

* #1204501
* #1208046
* #1208270
* #1208298
* #1208692
* #1211525
* #1213880
* MSQA-699
* PED-5405
* PED-5406

Cross-References:

* CVE-2022-32149
* CVE-2022-41723
* CVE-2022-46146
* CVE-2023-29409

CVSS scores:

* CVE-2022-32149 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2022-32149 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2022-41723 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2022-41723 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2022-46146 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2022-46146 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-29409 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-29409 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Products:

* openSUSE Leap 15.4
* openSUSE Leap 15.5
* SUSE Linux Enterprise Desktop 15
* SUSE Linux Enterprise Desktop 15 SP1
* SUSE Linux Enterprise Desktop 15 SP2
* SUSE Linux Enterprise Desktop 15 SP3
* SUSE Linux Enterprise Desktop 15 SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15
* SUSE Linux Enterprise High Performance Computing 15 SP1
* SUSE Linux Enterprise High Performance Computing 15 SP2
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Micro 5.0
* SUSE Linux Enterprise Micro 5.1
* SUSE Linux Enterprise Micro 5.2
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Real Time 15 SP1
* SUSE Linux Enterprise Real Time 15 SP2
* SUSE Linux Enterprise Real Time 15 SP3
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15
* SUSE Linux Enterprise Server 15 SP1
* SUSE Linux Enterprise Server 15 SP2
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15
* SUSE Linux Enterprise Server for SAP Applications 15 SP1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Manager Client Tools for SLE 15
* SUSE Manager Client Tools for SLE Micro 5
* SUSE Manager Proxy 4.2
* SUSE Manager Proxy 4.2 Module 4.2
* SUSE Manager Proxy 4.3
* SUSE Manager Proxy 4.3 Module 4.3
* SUSE Manager Retail Branch Server 4.2
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.2
* SUSE Manager Server 4.2 Module 4.2
* SUSE Manager Server 4.3
* SUSE Manager Server 4.3 Module 4.3

An update that solves four vulnerabilities, contains three features and has
three security fixes can now be installed.

## Description:

This update fixes the following issues:

golang-github-lusitaniae-apache_exporter:

* Security issues fixed:
  * CVE-2022-32149: Fix denial of service vulnerability (bsc#1204501)
  * CVE-2022-41723: Fix uncontrolled resource consumption (bsc#1208270)
  * CVE-2022-46146: Fix authentication bypass vulnerability (bsc#1208046)
* Changes and bugs fixed:
  * Updated to 1.0.0 (jsc#PED-5405)
    * Improved flag parsing
    * Added support for custom headers
  * Changes from 0.13.1
    * Fix panic caused by missing flagConfig options
  * Added AppArmor profile
  * Added sandboxing options to systemd service unit
  * Build using promu
  * Build with Go 1.19
  * Exclude s390 architecture

golang-github-prometheus-prometheus:

* This update introduces breaking changes. Please read the provided
  information carefully.
* Security issues fixed:
  * CVE-2022-41723: Fix uncontrolled resource consumption by updating Go to
    version 1.20.1 (bsc#1208298)
* Updated to 2.45.0 (jsc#PED-5406):
  * [FEATURE] API: New limit parameter to limit the number of items returned by
    the `/api/v1/status/tsdb` endpoint
  * [FEATURE] Config: Add limits to global config
  * [FEATURE] Consul SD: Added support for `path_prefix`
  * [FEATURE] Native histograms: Add option to scrape both classic and native
    histograms.
  * [FEATURE] Native histograms: Added support for two more arithmetic operators
    `avg_over_time` and `sum_over_time`
  * [FEATURE] Promtool: When providing the block id, only one block will be
    loaded and analyzed
  * [FEATURE] Remote-write: New Azure AD configuration to support remote writing
    directly to Azure Monitor workspace
  * [FEATURE] TSDB: Samples per chunk are now configurable with flag
    `storage.tsdb.samples-per-chunk`. By default set to its former value 120
  * [ENHANCEMENT] Native histograms: bucket size can now be limited to avoid
    scrape failures
  * [ENHANCEMENT] TSDB: Dropped series are now deleted from the WAL sooner
  * [BUGFIX] Native histograms: ChunkSeries iterator now checks if a new sample
    can be appended to the open chunk
  * [BUGFIX] Native histograms: Fix Histogram Appender `Appendable()` segfault
  * [BUGFIX] Native histograms: Fix setting reset header to gauge histograms in
    seriesToChunkEncoder
  * [BUGFIX] TSDB: Tombstone intervals are not modified after Get() call
  * [BUGFIX] TSDB: Use path/filepath to set the WAL directory.
* Changes from 2.44.0:
  * [FEATURE] Remote-read: Handle native histograms
  * [FEATURE] Promtool: Health and readiness check of prometheus server in CLI
  * [FEATURE] PromQL: Add `query_samples_total` metric, the total number of
    samples loaded by all queries
  * [ENHANCEMENT] Storage: Optimise buffer used to iterate through samples
  * [ENHANCEMENT] Scrape: Reduce memory allocations on target labels
  * [ENHANCEMENT] PromQL: Use faster heap method for `topk()` / `bottomk()`
  * [ENHANCEMENT] Rules API: Allow filtering by rule name
  * [ENHANCEMENT] Native Histograms: Various fixes and improvements
  * [ENHANCEMENT] UI: Search of scraping pools is now case-insensitive
  * [ENHANCEMENT] TSDB: Add an affirmative log message for successful WAL repair
  * [BUGFIX] TSDB: Block compaction failed when shutting down
  * [BUGFIX] TSDB: Out-of-order chunks could be ignored if the write-behind log
    was deleted
* Changes from 2.43.1:
  * [BUGFIX] Labels: Set() after Del() would be ignored, which broke some
    relabeling rules
* Changes from 2.43.0:
  * [FEATURE] Promtool: Add HTTP client configuration to query commands
  * [FEATURE] Scrape: Add `include_scrape_configs` to include scrape configs
    from different files
  * [FEATURE] HTTP client: Add `no_proxy` to exclude URLs from proxied requests
  * [FEATURE] HTTP client: Add `proxy_from_environment` to read proxies from
    environment variables
  * [ENHANCEMENT] API: Add support for setting lookback delta per query via the
    API
  * [ENHANCEMENT] API: Change HTTP status code from 503/422 to 499 if a request
    is canceled
  * [ENHANCEMENT] Scrape: Allow exemplars for all metric types
  * [ENHANCEMENT] TSDB: Add metrics for head chunks and WAL folders size
  * [ENHANCEMENT] TSDB: Automatically remove incorrect snapshot with index that
    is ahead of WAL
  * [ENHANCEMENT] TSDB: Improve Prometheus parser error outputs to be more
    comprehensible
  * [ENHANCEMENT] UI: Scope `group by` labels to metric in autocompletion
  * [BUGFIX] Scrape: Fix `prometheus_target_scrape_pool_target_limit` metric not
    set before reloading
  * [BUGFIX] TSDB: Correctly update `prometheus_tsdb_head_chunks_removed_total`
    and `prometheus_tsdb_head_chunks` metrics when reading WAL
  * [BUGFIX] TSDB: Use the correct unit (seconds) when recording out-of-order
    append deltas in the `prometheus_tsdb_sample_ooo_delta` metric
* Changes from 2.42.0: This release comes with new feature coverage for
  native histograms and breaking changes. If you are trying native histograms
  already, we recommend you remove the `wal` directory when upgrading. Because
  the old WAL record for native histograms is not backward compatible in
  v2.42.0, this will lead to some data loss for the latest data. Additionally,
  if you scrape "float histograms" or use recording rules on native histograms
  in v2.42.0 (which writes float histograms), it is a one-way street since
  older versions do not support float histograms.
  * [CHANGE] **breaking** TSDB: Changed WAL record format for the experimental
    native histograms
  * [FEATURE] Add `keep_firing_for` field to alerting rules
  * [FEATURE] Promtool: Add support of selecting timeseries for TSDB dump
  * [ENHANCEMENT] Agent: Native histogram support.
  * [ENHANCEMENT] Rules: Support native histograms in recording rules
  * [ENHANCEMENT] SD: Add container ID as a meta label for pod targets for
    Kubernetes
  * [ENHANCEMENT] SD: Add VM size label to azure service discovery
  * [ENHANCEMENT] Support native histograms in federation
  * [ENHANCEMENT] TSDB: Add gauge histogram support
  * [ENHANCEMENT] TSDB/Scrape: Support FloatHistogram that represents buckets as
    float64 values
  * [ENHANCEMENT] UI: Show individual scrape pools on /targets page
* Changes from 2.41.0:
  * [FEATURE] Relabeling: Add `keepequal` and `dropequal` relabel actions
  * [FEATURE] Add support for HTTP proxy headers
  * [ENHANCEMENT] Reload private certificates when changed on disk
  * [ENHANCEMENT] Add `max_version` to specify maximum TLS version in `tls_config`
  * [ENHANCEMENT] Add `goos` and `goarch` labels to `prometheus_build_info`
  * [ENHANCEMENT] SD: Add proxy support for EC2 and LightSail SDs
  * [ENHANCEMENT] SD: Add new metric `prometheus_sd_file_watcher_errors_total`
  * [ENHANCEMENT] Remote Read: Use a pool to speed up marshalling
  * [ENHANCEMENT] TSDB: Improve handling of tombstoned chunks in iterators
  * [ENHANCEMENT] TSDB: Optimize postings offset table reading
  * [BUGFIX] Scrape: Validate the metric name, label names, and label values
    after relabeling
  * [BUGFIX] Remote Write receiver and rule manager: Fix error handling
* Changes from 2.40.7:
  * [BUGFIX] TSDB: Fix queries involving negative buckets of native histograms
* Changes from 2.40.5:
  * [BUGFIX] TSDB: Fix queries involving native histograms due to improper reset
    of iterators
* Changes from 2.40.3:
  * [BUGFIX] TSDB: Fix compaction after a deletion is called
* Changes from 2.40.2:
  * [BUGFIX] UI: Fix black-on-black metric name color in dark mode
* Changes from 2.40.1:
  * [BUGFIX] TSDB: Fix alignment for atomic int64 for 32 bit architecture
  * [BUGFIX] Scrape: Fix accept headers
* Changes from 2.40.0:
  * [FEATURE] Add experimental support for native histograms. Enable with the
    flag `--enable-feature=native-histograms`.
  * [FEATURE] SD: Add service discovery for OVHcloud
  * [ENHANCEMENT] Kubernetes SD: Use protobuf encoding
  * [ENHANCEMENT] TSDB: Use golang.org/x/exp/slices for improved sorting speed
  * [ENHANCEMENT] Consul SD: Add enterprise admin partitions. Adds
    `__meta_consul_partition` label. Adds `partition` config in `consul_sd_config`
  * [BUGFIX] API: Fix API error codes for /api/v1/labels and /api/v1/series
* Changes from 2.39.1:
  * [BUGFIX] Rules: Fix notifier relabel changing the labels on active alerts
* Changes from 2.39.0:
  * [FEATURE] experimental TSDB: Add support for ingesting out-of-order samples.
    This is configured via the `out_of_order_time_window` field in the config
    file; check the config file docs for more info
  * [ENHANCEMENT] API: /-/healthy and /-/ready API calls now also respond to a
    HEAD request on top of existing GET support.
  * [ENHANCEMENT] PuppetDB SD: Add `__meta_puppetdb_query` label.
  * [ENHANCEMENT] AWS EC2 SD: Add `__meta_ec2_region` label.
  * [ENHANCEMENT] AWS Lightsail SD: Add `__meta_lightsail_region` label.
  * [ENHANCEMENT] Scrape: Optimise relabeling by re-using memory.
  * [ENHANCEMENT] TSDB: Improve WAL replay timings.
  * [ENHANCEMENT] TSDB: Optimise memory by not storing unnecessary data in
    memory.
  * [ENHANCEMENT] TSDB: Allow overlapping blocks by default.
    `--storage.tsdb.allow-overlapping-blocks` now has no effect.
  * [ENHANCEMENT] UI: Click to copy label-value pair from query result to
    clipboard.
  * [BUGFIX] TSDB: Turn off isolation for Head compaction to fix a memory leak.
  * [BUGFIX] TSDB: Fix 'invalid magic number 0' error on Prometheus startup.
  * [BUGFIX] PromQL: Properly close file descriptor when logging unfinished
    queries.
  * [BUGFIX] Agent: Fix validation of flag options and prevent WAL from growing
    more than desired.
* Changes from 2.38.0:
  * [FEATURE] Web: Add a /api/v1/format_query HTTP API endpoint that allows
    pretty-formatting PromQL expressions.
  * [FEATURE] UI: Add support for formatting PromQL expressions in the UI.
  * [FEATURE] DNS SD: Support MX records for discovering targets.
  * [FEATURE] Templates: Add toTime() template function that allows converting
    sample timestamps to Go time.Time values
  * [ENHANCEMENT] Kubernetes SD: Add `__meta_kubernetes_service_port_number` meta
    label indicating the service port number, and
    `__meta_kubernetes_pod_container_image` meta label indicating the container
    image.
  * [ENHANCEMENT] PromQL: When a query panics, also log the query itself
    alongside the panic message.
  * [ENHANCEMENT] UI: Tweak colors in the dark theme to improve the contrast
    ratio.
  * [ENHANCEMENT] Web: Speed up calls to /api/v1/rules by avoiding locks and
    using atomic types instead.
  * [ENHANCEMENT] Scrape: Add a `no-default-scrape-port` feature flag, which
    omits or removes any default HTTP (:80) or HTTPS (:443) ports in the
    target's scrape address.
  * [BUGFIX] TSDB: In the WAL watcher metrics, expose the type="exemplar" label
    instead of type="unknown" for exemplar records.
  * [BUGFIX] TSDB: Fix race condition around allocating series IDs during chunk
    snapshot loading.

golang-github-QubitProducts-exporter_exporter:

* CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to
  8192 bits to avoid DoSing client/server while validating signatures for
  extremely large RSA keys (bsc#1213880). There are no direct source changes;
  the CVE is fixed by rebuilding the sources with the patched Go version.

grafana:

* CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to
  8192 bits to avoid DoSing client/server while validating signatures for
  extremely large RSA keys (bsc#1213880). There are no direct source changes;
  the CVE is fixed by rebuilding the sources with the patched Go version.

prometheus-blackbox_exporter:

* CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to
  8192 bits to avoid DoSing client/server while validating signatures for
  extremely large RSA keys (bsc#1213880). There are no direct source changes;
  the CVE is fixed by rebuilding the sources with the patched Go version.

prometheus-postgres_exporter:

* CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to
  8192 bits to avoid DoSing client/server while validating signatures for
  extremely large RSA keys (bsc#1213880). There are no direct source changes;
  the CVE is fixed by rebuilding the sources with the patched Go version.
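The four CVE-2023-29409 entries above describe a size limit rather than a source change: the rebuilt Go toolchain refuses RSA keys larger than 8192 bits during TLS handshakes, because verifying a signature under such a key costs far more CPU than the peer spent producing the certificate. The Go program below is an added example, not part of this advisory or of any of the packaged projects. It applies the same 8192-bit limit as an explicit check over an already-parsed certificate chain, which lets a scanner, admission hook or log-review tool flag such certificates before any signature work is attempted. The test chain is constructed in memory: a 2048-bit self-signed CA and a leaf whose SubjectPublicKeyInfo carries a synthetic 9001-bit modulus; `demo-ca`, `demo-leaf`, `oversizedRSAKeys`, `buildDemoChain` and `maxRSABits` are the example's own names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// maxRSABits mirrors the limit the patched Go toolchain enforces on RSA keys
// seen in TLS handshakes (CVE-2023-29409, as described in this advisory).
const maxRSABits = 8192

// oversizedRSAKeys lists the subjects in chain whose RSA public key exceeds
// maxRSABits. Reading N.BitLen() is trivial, unlike verifying a signature
// under that key, so this check is safe to run on every certificate.
func oversizedRSAKeys(chain []*x509.Certificate) []string {
	var bad []string
	for _, c := range chain {
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() > maxRSABits {
			bad = append(bad, fmt.Sprintf("%s (%d-bit RSA)", c.Subject.CommonName, pub.N.BitLen()))
		}
	}
	return bad
}

// newTemplate builds a minimal certificate template (hypothetical helper).
func newTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.Add(time.Hour),
	}
}

// buildDemoChain constructs, in memory, a 2048-bit self-signed CA and a leaf
// whose SubjectPublicKeyInfo holds a synthetic 9001-bit modulus. The CA signs
// the leaf, so no private key for the huge modulus is needed: a certificate
// asserts its key size, it does not prove the key is usable.
func buildDemoChain() ([]*x509.Certificate, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	caTmpl := newTemplate(1, "demo-ca")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	// Synthetic oversized key: modulus 2^9000+1 (odd, so it encodes like a real one).
	hugeN := new(big.Int).Lsh(big.NewInt(1), 9000)
	hugePub := &rsa.PublicKey{N: hugeN.Add(hugeN, big.NewInt(1)), E: 65537}
	leafDER, err := x509.CreateCertificate(rand.Reader, newTemplate(2, "demo-leaf"), caCert, hugePub, caKey)
	if err != nil {
		return nil, err
	}
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leafCert, caCert}, nil
}

func main() {
	chain, err := buildDemoChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("oversized RSA keys in chain:", oversizedRSAKeys(chain))
}
```

Running it reports only the leaf. The point of the design is that the check needs nothing but the parsed public key: applied in a monitoring exporter's or proxy's certificate-inspection path it rejects the oversized chain at the same place the patched Go runtime does, without depending on which toolchain a given binary was built with.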

python-pyvmomi:

* Preparing submission to SUSE:SLE-15-SP3:Update as part of ECO PED-3623.

spacecmd:

* Updated to 4.3.23-1
  * Update translation strings

supportutils-plugin-susemanager-client:

* Updated to 4.3.3-1
  * Write configured crypto-policy in supportconfig
  * Add cloud and Pay-as-you-go checks

uyuni-common-libs:

* Updated to 4.3.9-1
  * Workaround for python3-debian bug about collecting control file
    (bsc#1211525, bsc#1208692)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
  `zypper in -t patch openSUSE-SLE-15.4-2023-3868=1`

* openSUSE Leap 15.5
  `zypper in -t patch openSUSE-SLE-15.5-2023-3868=1`

* SUSE Manager Client Tools for SLE 15
  `zypper in -t patch SUSE-SLE-Manager-Tools-15-2023-3868=1`

* SUSE Manager Client Tools for SLE Micro 5
  `zypper in -t patch SUSE-SLE-Manager-Tools-For-Micro-5-2023-3868=1`

* SUSE Manager Proxy 4.2 Module 4.2
  `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.2-2023-3868=1`

* SUSE Manager Proxy 4.3 Module 4.3
  `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2023-3868=1`

* SUSE Manager Server 4.2 Module 4.2
  `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2023-3868=1`

* SUSE Manager Server 4.3 Module 4.3
  `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2023-3868=1`

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  * golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3
  * golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2
  * prometheus-postgres_exporter-0.10.1-150000.1.14.3
  * golang-github-lusitaniae-apache_exporter-debuginfo-1.0.0-150000.1.17.2
  * prometheus-blackbox_exporter-0.24.0-150000.1.23.3
* openSUSE Leap 15.4 (noarch)
  * supportutils-plugin-susemanager-client-4.3.3-150000.3.21.2
  * spacecmd-4.3.23-150000.3.104.2
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  * golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3
  * golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2
  * prometheus-postgres_exporter-0.10.1-150000.1.14.3
  * golang-github-lusitaniae-apache_exporter-debuginfo-1.0.0-150000.1.17.2
  * prometheus-blackbox_exporter-0.24.0-150000.1.23.3
* openSUSE Leap 15.5 (noarch)
  * supportutils-plugin-susemanager-client-4.3.3-150000.3.21.2
  * spacecmd-4.3.23-150000.3.104.2
* SUSE Manager Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64)
  * golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3
  * golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2
  * prometheus-postgres_exporter-0.10.1-150000.1.14.3
  * firewalld-prometheus-config-0.1-150000.3.50.3
  * golang-github-lusitaniae-apache_exporter-debuginfo-1.0.0-150000.1.17.2
  * grafana-9.5.5-150000.1.54.3
  * golang-github-prometheus-prometheus-2.45.0-150000.3.50.3
  * grafana-debuginfo-9.5.5-150000.1.54.3
  * prometheus-blackbox_exporter-0.24.0-150000.1.23.3
  * python3-uyuni-common-libs-4.3.9-150000.1.36.2
* SUSE Manager Client Tools for SLE 15 (noarch)
  * supportutils-plugin-susemanager-client-4.3.3-150000.3.21.2
  * python3-pyvmomi-6.7.3-150000.1.6.2
  * spacecmd-4.3.23-150000.3.104.2
* SUSE Manager Client Tools for SLE Micro 5 (aarch64 s390x x86_64)
  * golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3
  * prometheus-blackbox_exporter-0.24.0-150000.1.23.3
* SUSE Manager Proxy 4.2 Module 4.2 (aarch64 ppc64le s390x x86_64)
  * golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3
  * golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2
  * golang-github-lusitaniae-apache_exporter-debuginfo-1.0.0-150000.1.17.2
  * prometheus-blackbox_exporter-0.24.0-150000.1.23.3
* SUSE Manager Proxy 4.3 Module 4.3 (aarch64 ppc64le s390x x86_64)
  * golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3
  * golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2
  * golang-github-lusitaniae-apache_exporter-debuginfo-1.0.0-150000.1.17.2
  * prometheus-blackbox_exporter-0.24.0-150000.1.23.3
* SUSE Manager Server 4.2 Module 4.2 (aarch64 ppc64le s390x x86_64)
  * golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3
  * golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2
  * prometheus-postgres_exporter-0.10.1-150000.1.14.3
  * golang-github-lusitaniae-apache_exporter-debuginfo-1.0.0-150000.1.17.2
* SUSE Manager Server 4.3 Module 4.3 (aarch64 ppc64le s390x x86_64)
  * golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.18.3
  * golang-github-lusitaniae-apache_exporter-1.0.0-150000.1.17.2
  * golang-github-lusitaniae-apache_exporter-debuginfo-1.0.0-150000.1.17.2
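Confirming that a client system actually carries the fixed builds means comparing the package list above with what `rpm` reports, and the comparison has to follow rpm's own ordering rules: numeric segments compare as integers, so a release such as `150000.1.9.1` sorts below `150000.1.14.3` even though a plain string comparison says otherwise. The Go program below is an added example, not part of this advisory or of SUSE Manager. It embeds the fixed version-release strings for four of the "SUSE Manager Client Tools for SLE 15" packages listed above, implements rpm's version comparison (without the `~` and `^` prefix rules, which none of these versions use), and audits a constructed, invented `rpm -qa` listing (`sampleRpmQa`, not taken from any real host). `rpmvercmp`, `compareEVR`, `auditInstalled` and `skip` are the example's own names; on a real host, replace `sampleRpmQa` with the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`.

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
)

// fixedBuilds: package -> version-release, from the SLE 15 client tools package list above.
var fixedBuilds = map[string]string{
	"golang-github-prometheus-prometheus": "2.45.0-150000.3.50.3",
	"prometheus-blackbox_exporter":        "0.24.0-150000.1.23.3",
	"prometheus-postgres_exporter":        "0.10.1-150000.1.14.3",
	"spacecmd":                            "4.3.23-150000.3.104.2",
}

// sampleRpmQa is constructed, invented input shaped like rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'.
const sampleRpmQa = `prometheus-blackbox_exporter 0.23.0-150000.1.20.1
prometheus-postgres_exporter 0.10.1-150000.1.9.1
golang-github-prometheus-prometheus 2.45.0-150000.3.50.3
spacecmd 4.3.22-150000.3.100.1
bash 4.4-150400.1.1`

func isDigit(c byte) bool { return c >= '0' && c <= '9' }
func isAlpha(c byte) bool { return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') }
func isSep(c byte) bool   { return !isDigit(c) && !isAlpha(c) }

// skip advances i past the run of bytes in s that satisfy pred.
func skip(s string, i int, pred func(byte) bool) int {
	for i < len(s) && pred(s[i]) {
		i++
	}
	return i
}

// rpmvercmp orders version/release strings like rpm: split into numeric and
// alphabetic segments at separators; numeric segments compare as integers,
// alphabetic ones lexically; numeric beats alphabetic; leftover segments win.
func rpmvercmp(a, b string) int {
	i, j := 0, 0
	for {
		i, j = skip(a, i, isSep), skip(b, j, isSep)
		if i >= len(a) || j >= len(b) {
			break
		}
		num, kind := isDigit(a[i]), isAlpha
		if num {
			kind = isDigit
		}
		si, sj := i, j
		i, j = skip(a, i, kind), skip(b, j, kind)
		segA, segB := a[si:i], b[sj:j]
		switch {
		case segB == "" && num: // a numeric segment beats an alphabetic one
			return 1
		case segB == "":
			return -1
		case num:
			x, _ := new(big.Int).SetString(segA, 10)
			y, _ := new(big.Int).SetString(segB, 10)
			if c := x.Cmp(y); c != 0 {
				return c
			}
		default:
			if c := strings.Compare(segA, segB); c != 0 {
				return c
			}
		}
	}
	// Equal so far: whichever side still has characters left is newer.
	return strings.Compare(a[i:], b[j:])
}

// compareEVR orders "version-release" strings: version first, then release.
func compareEVR(a, b string) int {
	va, ra, _ := strings.Cut(a, "-")
	vb, rb, _ := strings.Cut(b, "-")
	if c := rpmvercmp(va, vb); c != 0 {
		return c
	}
	return rpmvercmp(ra, rb)
}

// auditInstalled maps each advisory package in the rpm output to "installed build >= fixed build".
func auditInstalled(rpmOutput string) map[string]bool {
	res := map[string]bool{}
	for _, line := range strings.Split(rpmOutput, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			if fixed, ok := fixedBuilds[f[0]]; ok {
				res[f[0]] = compareEVR(f[1], fixed) >= 0
			}
		}
	}
	return res
}

func main() {
	for name, ok := range auditInstalled(sampleRpmQa) {
		fmt.Printf("%-36s patched=%v\n", name, ok)
	}
}
```

In the constructed listing only the Prometheus build matches; the postgres exporter line is the instructive one, since its release `150000.1.9.1` is older than the fixed `150000.1.14.3` only when the segments are compared numerically. Packages the advisory does not mention (`bash` here) are ignored rather than reported, so the output is a direct answer to "has this advisory been applied".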

## References:

* https://www.suse.com/security/cve/CVE-2022-32149.html
* https://www.suse.com/security/cve/CVE-2022-41723.html
* https://www.suse.com/security/cve/CVE-2022-46146.html
* https://www.suse.com/security/cve/CVE-2023-29409.html
* https://bugzilla.suse.com/show_bug.cgi?id=1204501
* https://bugzilla.suse.com/show_bug.cgi?id=1208046
* https://bugzilla.suse.com/show_bug.cgi?id=1208270
* https://bugzilla.suse.com/show_bug.cgi?id=1208298
* https://bugzilla.suse.com/show_bug.cgi?id=1208692
* https://bugzilla.suse.com/show_bug.cgi?id=1211525
* https://bugzilla.suse.com/show_bug.cgi?id=1213880
* https://jira.suse.com/browse/MSQA-699
* https://jira.suse.com/browse/PED-5405
* https://jira.suse.com/browse/PED-5406