Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

     SUSE-SU-2019:2312-1 Security update for SUSE Manager Client Tools
                             6 September 2019


        AusCERT Security Bulletin Summary

Product:           SUSE
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Unauthorised Access -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10136  

Reference:         ESB-2019.2516

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for SUSE Manager Client Tools


Announcement ID:   SUSE-SU-2019:2312-1
Rating:            moderate
References:        #1130040 #1135881 #1136029 #1136480 #1136667 #1137715
                   #1137940 #1138313 #1138358 #1138494 #1138822 #1139453
                   #1142038 #1143856 #1144155 #1144889 #1148125 #1148177
Cross-References:  CVE-2019-10136
Affected Products:
                   SUSE Manager Tools 12

An update that solves one vulnerability and has 18 fixes is now available.


This update fixes the following issues:

  o Add support for Uyuni/SUSE Manager service discovery + Added
  o Readded _service file removed in error.
  o Update to 2.11.1 + Bug Fix: * Fix potential panic when prometheus is
    watching multiple zookeeper paths.
  o Update to 2.11.0 + Bug Fix: * resolve race condition in maxGauge. * Fix
    ZooKeeper connection leak. * Improved atomicity of .tmp block replacement
    during compaction for usual case. * Fix "unknown series references" after
    clean shutdown. * Re-calculate block size when calling block.Delete. * Fix
    unsafe snapshots with head block. *
    prometheus_tsdb_compactions_failed_total is now incremented on any
    compaction failure. + Changes: * Remove max_retries from queue_config (it
    has been unused since rewriting remote-write to utilize the
    write-ahead-log) * The meta file BlockStats no longer holds size
    information. This is now dynamically calculated and kept in memory. It also
    includes the meta file size which was not included before * Renamed metric
    from prometheus_tsdb_wal_reader_corruption_errors to
    prometheus_tsdb_wal_reader_corruption_errors_total + Features: * Add option
    to use Alertmanager API v2. * Added humanizePercentage function for
    templates. * Include InitContainers in Kubernetes Service Discovery. *
    Provide option to compress WAL records using Snappy. + Enhancements: *
    Create new clean segment when starting the WAL. * Reduce allocations in
    PromQL aggregations. * Add storage warnings to LabelValues and LabelNames
    API results. * Add prometheus_http_requests_total metric. * Enable openbsd/
    arm build. * Remote-write allocation improvements. * Query performance
    improvement: Efficient iteration and search in HashForLabels and
    HashWithoutLabels. * Allow injection of arbitrary headers in promtool. *
    Allow passing external_labels in alert unit tests groups. * Allows globs
    for rules when unit testing. * Improved postings intersection matching. *
    Reduced disk usage for WAL for small setups. * Optimize queries using
    regexp for set lookups.
  o Rebase patch002-Default-settings.patch
  o Update to 2.10.0: + Bug Fixes: * TSDB: Don't panic when running out of disk
    space and recover nicely from the condition * TSDB: Correctly handle empty
    labels. * TSDB: Don't crash on an unknown tombstone reference. * Storage/
    remote: Remove queue-manager specific metrics if queue no longer exists. *
    PromQL: Correctly display {__name__="a"}. * Discovery/kubernetes: Use
    service rather than ingress as the name for the service workqueue. *
    Discovery/azure: Don't panic on a VM with a public IP. * Web: Fixed
    Content-Type for js and css instead of using /etc/mime.types. * API: Encode
    alert values as string to correctly represent Inf/NaN. + Features: *
    Template expansion: Make external labels available as $externalLabels in
    alert and console template expansion. * TSDB: Add
    prometheus_tsdb_wal_segment_current metric for the WAL segment index that
    TSDB is currently writing to. tsdb * Scrape: Add scrape_series_added
    per-scrape metric. #5546 + Enhancements * Discovery/kubernetes: Add labels
    __meta_kubernetes_endpoint_node_name and
    __meta_kubernetes_endpoint_hostname. * Discovery/azure: Add label
    __meta_azure_machine_public_ip. * TSDB: Simplify mergedPostings.Seek,
    resulting in better performance if there are many posting lists. tsdb * Log
    filesystem type on startup. * Cmd/promtool: Use POST requests for Query and
    QueryRange. client_golang * Web: Sort alerts by group name. * Console
    templates: Add convenience variables $rawParams, $params, $path.
  o Upadte to 2.9.2 + Bug Fixes: * Make sure subquery range is taken into
    account for selection * Exhaust every request body before closing it * Cmd/
    promtool: return errors from rule evaluations * Remote Storage: string
    interner should not panic in release * Fix memory allocation regression in
    mergedPostings.Seek tsdb
  o Update to 2.9.1 + Bug Fixes: * Discovery/kubernetes: fix missing label
    sanitization * Remote_write: Prevent reshard concurrent with calling stop
  o Update to 2.9.0 + Feature: * Add honor_timestamps scrape option. +
    Enhancements: * Update Consul to support catalog.ServiceMultipleTags. *
    Discovery/kubernetes: add present labels for labels/annotations. *
    OpenStack SD: Add ProjectID and UserID meta labels. * Add GODEBUG and
    retention to the runtime page. * Add support for POSTing to /series
    endpoint. * Support PUT methods for Lifecycle and Admin APIs. * Scrape: Add
    global jitter for HA server. * Check for cancellation on every step of a
    range evaluation. * String interning for labels & values in the
    remote_write path. * Don't lose the scrape cache on a failed scrape. *
    Reload cert files from disk automatically. common * Use fixed length
    millisecond timestamp format for logs. common * Performance improvements
    for postings. Bug Fixes: * Remote Write: fix checkpoint reading. * Check if
    label value is valid when unmarshaling external labels from YAML. *
    Promparse: sort all labels when parsing. * Reload rules: copy state on both
    name and labels. * Exponentation operator to drop metric name in result of
    operation. * Config: resolve more file paths. * Promtool: resolve relative
    paths in alert test files. * Set TLSHandshakeTimeout in HTTP transport.
    common * Use fsync to be more resilient to machine crashes. * Keep series
    that are still in WAL in checkpoints.
  o Update to 2.8.1 + Bug Fixes * Display the job labels in /targets which was
    removed accidentally
  o Update to 2.8.0 + Change: * This release uses Write-Ahead Logging (WAL) for
    the remote_write API. This currently causes a slight increase in memory
    usage, which will be addressed in future releases. * Default time retention
    is used only when no size based retention is specified. These are flags
    where time retention is specified by the flag --storage.tsdb.retention and
    size retention by --storage.tsdb.retention.size. *
    prometheus_tsdb_storage_blocks_bytes_total is now
    prometheus_tsdb_storage_blocks_bytes. + Feature: * (EXPERIMENTAL) Time
    overlapping blocks are now allowed; vertical compaction and vertical query
    merge. It is an optional feature which is controlled by the
    --storage.tsdb.allow-overlapping-blocks flag, disabled by default. +

* Use the WAL for remote_write API. * Query performance improvements. * UI
enhancements with upgrade to Bootstrap 4. * Reduce time that Alertmanagers are
in flux when reloaded. * Limit number of metrics displayed on UI to 10000. *
(1) Remember All/Unhealthy choice on target-overview when reloading page. (2)
Resize text-input area on Graph page on mouseclick. * In histogram_quantile
merge buckets with equivalent le values. * Show list of offending labels in the
error message in many-to-many scenarios. * Show Storage Retention criteria in
effect on /status page. + Bug Fixes: + Fix sorting of rule groups. + Fix
support for password_file and bearer_token_file in Kubernetes SD. + Scrape:
catch errors when creating HTTP clients + Adds new metrics:
prometheus_target_scrape_pool_reloads_failed_total + Fix panic when aggregator
param is not a literal.

  o Update to version 0.1.1564399963.cf19a13
  o Fix incompatibility with Microsoft DNS (bsc#1136667)
  o Updated copyrights and bug reporting link
  o Update to version 0.1.1558613789.64ba093
  o Update to version 0.1.1556553492.2bfae0b


  o Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)


  o Fix systemd timer configuration on SLE12 (bsc#1142038)


  o Fix obsolete for old osad packages, to allow installing mgr-osad even by
    using osad at yum/zyppper install (bsc#1139453)
  o Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)


  o Fix missing python 3 ugettext (bsc#1138494)
  o Fix package dependencies to prevent file conflict (bsc#1143856)


  o Add SNI support for clients
  o Fix initialize ssl connection (bsc#1144155)
  o Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)


  o Bugfix: referenced variable before assignment.
  o Bugfix: 'dict' object has no attribute 'iteritems' (bsc#1135881)
  o Add unit tests for custominfo, snippet, scap, ssm, cryptokey and
  o Fix missing runtime dependencies that made spacecmd return old versions of
    packages in some cases, even if newer ones were available (bsc#1148311)


  o Do not overwrite comps and module data with older versions
  o Fix issue with "dists" keyword in url hostname
  o Import packages from all collections of a patch not just first one
  o Ensure bytes type when using hashlib to avoid traceback on XMLRPC call to
    "registration.register_osad" (bsc#1138822)
  o Do not duplicate "http://" protocol when using proxies with "deb"
    repositories (bsc#1138313)
  o Fix reposync when dealing with RedHat CDN (bsc#1138358)
  o Fix for CVE-2019-10136. An attacker with a valid, but expired,
    authenticated set of headers could move some digits around, artificially
    extending the session validity without modifying the checksum. (bsc#
  o Prevent FileNotFoundError: repomd.xml.key traceback (bsc#1137940)
  o Add journalctl output to spacewalk-debug tarballs
  o Prevent unnecessary triggering of channel-repodata tasks when GPG signing
    is disabled (bsc#1137715)
  o Fix spacewalk-repo-sync for Ubuntu repositories in mirror case (bsc#
  o Add support for ULN repositories on new Zypper based reposync.
  o Don't skip Deb package tags on package import (bsc#1130040)
  o For backend-libs subpackages, exclude files for the server (already part of
    spacewalk-backend) to avoid conflicts (bsc#1148125)
  o prevent duplicate key violates on repo-sync with long changelog entries


  o Add RHEL8

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Manager Tools 12:
    zypper in -t patch SUSE-SLE-Manager-Tools-12-2019-2312=1

Package List:

  o SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64):
  o SUSE Manager Tools 12 (noarch):


  o https://www.suse.com/security/cve/CVE-2019-10136.html
  o https://bugzilla.suse.com/1130040
  o https://bugzilla.suse.com/1135881
  o https://bugzilla.suse.com/1136029
  o https://bugzilla.suse.com/1136480
  o https://bugzilla.suse.com/1136667
  o https://bugzilla.suse.com/1137715
  o https://bugzilla.suse.com/1137940
  o https://bugzilla.suse.com/1138313
  o https://bugzilla.suse.com/1138358
  o https://bugzilla.suse.com/1138494
  o https://bugzilla.suse.com/1138822
  o https://bugzilla.suse.com/1139453
  o https://bugzilla.suse.com/1142038
  o https://bugzilla.suse.com/1143856
  o https://bugzilla.suse.com/1144155
  o https://bugzilla.suse.com/1144889
  o https://bugzilla.suse.com/1148125
  o https://bugzilla.suse.com/1148177
  o https://bugzilla.suse.com/1148311

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967