Operating System:

[SUSE]

Published:

09 September 2019

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3407
     SUSE-SU-2019:2317-1 Security update for SUSE Manager Client Tools
                             9 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SUSE Manager Client Tools
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Unauthorised Access -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10136  

Reference:         ESB-2019.3386
                   ESB-2019.3385
                   ESB-2019.2516
                   ESB-2019.2432

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2019/suse-su-20192317-1.html

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for SUSE Manager Client Tools

______________________________________________________________________________

Announcement ID:   SUSE-SU-2019:2317-1
Rating:            moderate
References:        #1130040 #1135881 #1136029 #1136480 #1137715 #1137940
                   #1138313 #1138358 #1138494 #1138822 #1139453 #1142038
                   #1143856 #1144155 #1144889 #1148125 #1148177 #1148311
Cross-References:  CVE-2019-10136
Affected Products:
                   SUSE Manager Tools 15
                   SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
                   SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
______________________________________________________________________________

An update that solves one vulnerability and has 17 fixes is now available.

Description:


This update fixes the following issues:
golang-github-prometheus-prometheus:

  o Add support for Uyuni/SUSE Manager service discovery + Added
    0003-Add-Uyuni-service-discovery
  o Readded _service file removed in error.
  o Update to 2.11.1 + Bug Fix: * Fix potential panic when prometheus is
    watching multiple zookeeper paths.
  o Update to 2.11.0 + Bug Fix: * resolve race condition in maxGauge. * Fix
    ZooKeeper connection leak. * Improved atomicity of .tmp block replacement
    during compaction for usual case. * Fix "unknown series references" after
    clean shutdown. * Re-calculate block size when calling block.Delete. * Fix
    unsafe snapshots with head block. *
    prometheus_tsdb_compactions_failed_total is now incremented on any
    compaction failure. + Changes: * Remove max_retries from queue_config (it
    has been unused since rewriting remote-write to utilize the
    write-ahead-log) * The meta file BlockStats no longer holds size
    information. This is now dynamically calculated and kept in memory. It also
    includes the meta file size which was not included before * Renamed metric
    from prometheus_tsdb_wal_reader_corruption_errors to
    prometheus_tsdb_wal_reader_corruption_errors_total + Features: * Add option
    to use Alertmanager API v2. * Added humanizePercentage function for
    templates. * Include InitContainers in Kubernetes Service Discovery. *
    Provide option to compress WAL records using Snappy. + Enhancements: *
    Create new clean segment when starting the WAL. * Reduce allocations in
    PromQL aggregations. * Add storage warnings to LabelValues and LabelNames
    API results. * Add prometheus_http_requests_total metric. * Enable openbsd/
    arm build. * Remote-write allocation improvements. * Query performance
    improvement: Efficient iteration and search in HashForLabels and
    HashWithoutLabels. * Allow injection of arbitrary headers in promtool. *
    Allow passing external_labels in alert unit tests groups. * Allows globs
    for rules when unit testing. * Improved postings intersection matching. *
    Reduced disk usage for WAL for small setups. * Optimize queries using
    regexp for set lookups.
  o Rebase patch002-Default-settings.patch
  o Update to 2.10.0: + Bug Fixes: * TSDB: Don't panic when running out of disk
    space and recover nicely from the condition * TSDB: Correctly handle empty
    labels. * TSDB: Don't crash on an unknown tombstone reference. * Storage/
    remote: Remove queue-manager specific metrics if queue no longer exists. *
    PromQL: Correctly display {__name__="a"}. * Discovery/kubernetes: Use
    service rather than ingress as the name for the service workqueue. *
    Discovery/azure: Don't panic on a VM with a public IP. * Web: Fixed
    Content-Type for js and css instead of using /etc/mime.types. * API: Encode
    alert values as string to correctly represent Inf/NaN. + Features: *
    Template expansion: Make external labels available as $externalLabels in
    alert and console template expansion. * TSDB: Add
    prometheus_tsdb_wal_segment_current metric for the WAL segment index that
    TSDB is currently writing to. tsdb * Scrape: Add scrape_series_added
    per-scrape metric. #5546 + Enhancements * Discovery/kubernetes: Add labels
    __meta_kubernetes_endpoint_node_name and
    __meta_kubernetes_endpoint_hostname. * Discovery/azure: Add label
    __meta_azure_machine_public_ip. * TSDB: Simplify mergedPostings.Seek,
    resulting in better performance if there are many posting lists. tsdb * Log
    filesystem type on startup. * Cmd/promtool: Use POST requests for Query and
    QueryRange. client_golang * Web: Sort alerts by group name. * Console
    templates: Add convenience variables $rawParams, $params, $path.
  o Upadte to 2.9.2 + Bug Fixes: * Make sure subquery range is taken into
    account for selection * Exhaust every request body before closing it * Cmd/
    promtool: return errors from rule evaluations * Remote Storage: string
    interner should not panic in release * Fix memory allocation regression in
    mergedPostings.Seek tsdb
  o Update to 2.9.1 + Bug Fixes: * Discovery/kubernetes: fix missing label
    sanitization * Remote_write: Prevent reshard concurrent with calling stop
  o Update to 2.9.0 + Feature: * Add honor_timestamps scrape option. +
    Enhancements: * Update Consul to support catalog.ServiceMultipleTags. *
    Discovery/kubernetes: add present labels for labels/annotations. *
    OpenStack SD: Add ProjectID and UserID meta labels. * Add GODEBUG and
    retention to the runtime page. * Add support for POSTing to /series
    endpoint. * Support PUT methods for Lifecycle and Admin APIs. * Scrape: Add
    global jitter for HA server. * Check for cancellation on every step of a
    range evaluation. * String interning for labels & values in the
    remote_write path. * Don't lose the scrape cache on a failed scrape. *
    Reload cert files from disk automatically. common * Use fixed length
    millisecond timestamp format for logs. common * Performance improvements
    for postings. Bug Fixes: * Remote Write: fix checkpoint reading. * Check if
    label value is valid when unmarshaling external labels from YAML. *
    Promparse: sort all labels when parsing. * Reload rules: copy state on both
    name and labels. * Exponentation operator to drop metric name in result of
    operation. * Config: resolve more file paths. * Promtool: resolve relative
    paths in alert test files. * Set TLSHandshakeTimeout in HTTP transport.
    common * Use fsync to be more resilient to machine crashes. * Keep series
    that are still in WAL in checkpoints.
  o Update to 2.8.1 + Bug Fixes * Display the job labels in /targets which was
    removed accidentally
  o Update to 2.8.0 + Change: * This release uses Write-Ahead Logging (WAL) for
    the remote_write API. This currently causes a slight increase in memory
    usage, which will be addressed in future releases. * Default time retention
    is used only when no size based retention is specified. These are flags
    where time retention is specified by the flag --storage.tsdb.retention and
    size retention by --storage.tsdb.retention.size. *
    prometheus_tsdb_storage_blocks_bytes_total is now
    prometheus_tsdb_storage_blocks_bytes. + Feature: * (EXPERIMENTAL) Time
    overlapping blocks are now allowed; vertical compaction and vertical query
    merge. It is an optional feature which is controlled by the
    --storage.tsdb.allow-overlapping-blocks flag, disabled by default. +
    Enhancements:

* Use the WAL for remote_write API. * Query performance improvements. * UI
enhancements with upgrade to Bootstrap 4. * Reduce time that Alertmanagers are
in flux when reloaded. * Limit number of metrics displayed on UI to 10000. *
(1) Remember All/Unhealthy choice on target-overview when reloading page. (2)
Resize text-input area on Graph page on mouseclick. * In histogram_quantile
merge buckets with equivalent le values. * Show list of offending labels in the
error message in many-to-many scenarios. * Show Storage Retention criteria in
effect on /status page. + Bug Fixes: + Fix sorting of rule groups. + Fix
support for password_file and bearer_token_file in Kubernetes SD. + Scrape:
catch errors when creating HTTP clients + Adds new metrics:
prometheus_target_scrape_pools_total
prometheus_target_scrape_pools_failed_total
prometheus_target_scrape_pool_reloads_total
prometheus_target_scrape_pool_reloads_failed_total + Fix panic when aggregator
param is not a literal.
mgr-cfg:

  o Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)


mgr-daemon:

  o Fix systemd timer configuration on SLE12 (bsc#1142038)


mgr-osad:

  o Fix obsolete for old osad packages, to allow installing mgr-osad even by
    using osad at yum/zyppper install (bsc#1139453)
  o Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)


mgr-virtualization:

  o Fix missing python 3 ugettext (bsc#1138494)
  o Fix package dependencies to prevent file conflict (bsc#1143856)


rhnlib:

  o Add SNI support for clients
  o Fix initialize ssl connection (bsc#1144155)
  o Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)


spacecmd:

  o Bugfix: referenced variable before assignment.
  o Bugfix: 'dict' object has no attribute 'iteritems' (bsc#1135881)
  o Add unit tests for custominfo, snippet, scap, ssm, cryptokey and
    distribution
  o Fix missing runtime dependencies that made spacecmd return old versions of
    packages in some cases, even if newer ones were available (bsc#1148311)

spacewalk-backend:

  o Do not overwrite comps and module data with older versions
  o Fix issue with "dists" keyword in url hostname
  o Import packages from all collections of a patch not just first one
  o Ensure bytes type when using hashlib to avoid traceback on XMLRPC call to
    "registration.register_osad" (bsc#1138822)
  o Do not duplicate "http://" protocol when using proxies with "deb"
    repositories (bsc#1138313)
  o Fix reposync when dealing with RedHat CDN (bsc#1138358)
  o Fix for CVE-2019-10136. An attacker with a valid, but expired,
    authenticated set of headers could move some digits around, artificially
    extending the session validity without modifying the checksum. (bsc#
    1136480)
  o Prevent FileNotFoundError: repomd.xml.key traceback (bsc#1137940)
  o Add journalctl output to spacewalk-debug tarballs
  o Prevent unnecessary triggering of channel-repodata tasks when GPG signing
    is disabled (bsc#1137715)
  o Fix spacewalk-repo-sync for Ubuntu repositories in mirror case (bsc#
    1136029)
  o Add support for ULN repositories on new Zypper based reposync.
  o Don't skip Deb package tags on package import (bsc#1130040)
  o For backend-libs subpackages, exclude files for the server (already part of
    spacewalk-backend) to avoid conflicts (bsc#1148125)
  o prevent duplicate key violates on repo-sync with long changelog entries
    (bsc#1144889)


spacewalk-remote-utils:

  o Add RHEL8

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Manager Tools 15:
    zypper in -t patch SUSE-SLE-Manager-Tools-15-2019-2317=1
  o SUSE Linux Enterprise Module for Open Buildservice Development Tools
    15-SP1:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2317=1
  o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2317=1

Package List:

  o SUSE Manager Tools 15 (aarch64 ppc64le s390x x86_64):
       golang-github-prometheus-alertmanager-0.16.2-3.3.1
       golang-github-prometheus-prometheus-2.11.1-3.6.2
  o SUSE Manager Tools 15 (noarch):
       mgr-cfg-4.0.9-1.6.5
       mgr-cfg-actions-4.0.9-1.6.5
       mgr-cfg-client-4.0.9-1.6.5
       mgr-cfg-management-4.0.9-1.6.5
       mgr-daemon-4.0.7-1.8.1
       mgr-osad-4.0.9-1.6.2
       mgr-virtualization-host-4.0.8-1.8.4
       python3-mgr-cfg-4.0.9-1.6.5
       python3-mgr-cfg-actions-4.0.9-1.6.5
       python3-mgr-cfg-client-4.0.9-1.6.5
       python3-mgr-cfg-management-4.0.9-1.6.5
       python3-mgr-osa-common-4.0.9-1.6.2
       python3-mgr-osad-4.0.9-1.6.2
       python3-mgr-virtualization-common-4.0.8-1.8.4
       python3-mgr-virtualization-host-4.0.8-1.8.4
       python3-rhnlib-4.0.11-3.10.1
       python3-spacewalk-backend-libs-4.0.25-3.23.1
       spacecmd-4.0.14-3.26.1
       spacewalk-remote-utils-4.0.5-3.9.2
  o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
    (noarch):
       python2-rhnlib-4.0.11-3.10.1
       spacecmd-4.0.14-3.26.1
       spacewalk-backend-4.0.25-3.23.1
       spacewalk-backend-app-4.0.25-3.23.1
       spacewalk-backend-applet-4.0.25-3.23.1
       spacewalk-backend-cdn-4.0.25-3.23.1
       spacewalk-backend-config-files-4.0.25-3.23.1
       spacewalk-backend-config-files-common-4.0.25-3.23.1
       spacewalk-backend-config-files-tool-4.0.25-3.23.1
       spacewalk-backend-iss-4.0.25-3.23.1
       spacewalk-backend-iss-export-4.0.25-3.23.1
       spacewalk-backend-libs-4.0.25-3.23.1
       spacewalk-backend-package-push-server-4.0.25-3.23.1
       spacewalk-backend-server-4.0.25-3.23.1
       spacewalk-backend-sql-4.0.25-3.23.1
       spacewalk-backend-sql-oracle-4.0.25-3.23.1
       spacewalk-backend-sql-postgresql-4.0.25-3.23.1
       spacewalk-backend-tools-4.0.25-3.23.1
       spacewalk-backend-xml-export-libs-4.0.25-3.23.1
       spacewalk-backend-xmlrpc-4.0.25-3.23.1
  o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
    (aarch64 ppc64le s390x x86_64):
       golang-github-prometheus-alertmanager-0.16.2-3.3.1
       golang-github-prometheus-prometheus-2.11.1-3.6.2
  o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
    (noarch):
       python2-rhnlib-4.0.11-3.10.1
       spacecmd-4.0.14-3.26.1
       spacewalk-backend-4.0.25-3.23.1
       spacewalk-backend-app-4.0.25-3.23.1
       spacewalk-backend-applet-4.0.25-3.23.1
       spacewalk-backend-cdn-4.0.25-3.23.1
       spacewalk-backend-config-files-4.0.25-3.23.1
       spacewalk-backend-config-files-common-4.0.25-3.23.1
       spacewalk-backend-config-files-tool-4.0.25-3.23.1
       spacewalk-backend-iss-4.0.25-3.23.1
       spacewalk-backend-iss-export-4.0.25-3.23.1
       spacewalk-backend-libs-4.0.25-3.23.1
       spacewalk-backend-package-push-server-4.0.25-3.23.1
       spacewalk-backend-server-4.0.25-3.23.1
       spacewalk-backend-sql-4.0.25-3.23.1
       spacewalk-backend-sql-oracle-4.0.25-3.23.1
       spacewalk-backend-sql-postgresql-4.0.25-3.23.1
       spacewalk-backend-tools-4.0.25-3.23.1
       spacewalk-backend-xml-export-libs-4.0.25-3.23.1
       spacewalk-backend-xmlrpc-4.0.25-3.23.1


References:

  o https://www.suse.com/security/cve/CVE-2019-10136.html
  o https://bugzilla.suse.com/1130040
  o https://bugzilla.suse.com/1135881
  o https://bugzilla.suse.com/1136029
  o https://bugzilla.suse.com/1136480
  o https://bugzilla.suse.com/1137715
  o https://bugzilla.suse.com/1137940
  o https://bugzilla.suse.com/1138313
  o https://bugzilla.suse.com/1138358
  o https://bugzilla.suse.com/1138494
  o https://bugzilla.suse.com/1138822
  o https://bugzilla.suse.com/1139453
  o https://bugzilla.suse.com/1142038
  o https://bugzilla.suse.com/1143856
  o https://bugzilla.suse.com/1144155
  o https://bugzilla.suse.com/1144889
  o https://bugzilla.suse.com/1148125
  o https://bugzilla.suse.com/1148177
  o https://bugzilla.suse.com/1148311

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXXWe92aOgq3Tt24GAQiZuBAAgNk+7PXdDx5u9pE8Qri5Vrnv83xA+LGA
fE5HXjuFdVW3uzK0dqrsKfbqZLxSo1Dnd5wSCpiitq24GfWo3jMwjVACwcgec8U+
KoTzhSidcaGRIWKFy3u4sWmR9J4ngCefDGrbTaaySM7VA+MDvGXW0A6LozcT4494
780eZxnJ7UnPIVY1VXhfRe8arrKL5N7DwyCYsk6aRIKjpnwbCZOZRUqbHWqE4WhM
oLRGOVi5wD0y5wzCtQbn2XASDoOfR/1w9okI/UxV+2mp2JClXb3P3Ahq5Ful1YKc
QYMZjhve6xj9qBnqgL814AZelxaH5ADy/H+tHPwQnEy0Yrbo9Go84ZHXKrygWEZG
TJxG1Jy6keR8jXWuOa8kux3IQBZqPNzL03IWs1mMbFVy9FrXGWD5b0uds6iyb7Pw
lTjOuMmlin8Kq2YmITkvHY6YaaS04LUa7zkFb8KnZdGbFXSbWINpXWGD7WBYMemt
Sw48G90JHht201qlIgJdMWTGZQWuOxGu4EAb/fK23nkvNuyPd73ytx7U2oz1uTNR
gPoje+nTU3JUoQjkWHo2MdQMWawLRTYrjawYcZBTFvPmutswLYHNNXWvBHDOG4NA
uQD8j71g8Ct9Pph+GGBLh1zhKACMLPKYs75BMPm3UsDyN3Ma8/MMpgyPdJXEAMTI
V6fa6Zt97jg=
=5NR3
-----END PGP SIGNATURE-----