Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3407
SUSE-SU-2019:2317-1 Security update for SUSE Manager Client Tools
9 September 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: SUSE Manager Client Tools
Publisher: SUSE
Operating System: SUSE
Impact/Access: Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-10136
Reference: ESB-2019.3386
ESB-2019.3385
ESB-2019.2516
ESB-2019.2432
Original Bulletin:
https://www.suse.com/support/update/announcement/2019/suse-su-20192317-1.html
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________
Announcement ID: SUSE-SU-2019:2317-1
Rating: moderate
References: #1130040 #1135881 #1136029 #1136480 #1137715 #1137940
#1138313 #1138358 #1138494 #1138822 #1139453 #1142038
#1143856 #1144155 #1144889 #1148125 #1148177 #1148311
Cross-References: CVE-2019-10136
Affected Products:
SUSE Manager Tools 15
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
______________________________________________________________________________
An update that solves one vulnerability and has 17 fixes is now available.
Description:
This update fixes the following issues:
golang-github-prometheus-prometheus:
o Add support for Uyuni/SUSE Manager service discovery + Added
0003-Add-Uyuni-service-discovery
o Readded _service file removed in error.
o Update to 2.11.1 + Bug Fix: * Fix potential panic when prometheus is
watching multiple zookeeper paths.
o Update to 2.11.0 + Bug Fix: * resolve race condition in maxGauge. * Fix
ZooKeeper connection leak. * Improved atomicity of .tmp block replacement
during compaction for usual case. * Fix "unknown series references" after
clean shutdown. * Re-calculate block size when calling block.Delete. * Fix
unsafe snapshots with head block. *
prometheus_tsdb_compactions_failed_total is now incremented on any
compaction failure. + Changes: * Remove max_retries from queue_config (it
has been unused since rewriting remote-write to utilize the
write-ahead-log) * The meta file BlockStats no longer holds size
information. This is now dynamically calculated and kept in memory. It also
includes the meta file size which was not included before * Renamed metric
from prometheus_tsdb_wal_reader_corruption_errors to
prometheus_tsdb_wal_reader_corruption_errors_total + Features: * Add option
to use Alertmanager API v2. * Added humanizePercentage function for
templates. * Include InitContainers in Kubernetes Service Discovery. *
Provide option to compress WAL records using Snappy. + Enhancements: *
Create new clean segment when starting the WAL. * Reduce allocations in
PromQL aggregations. * Add storage warnings to LabelValues and LabelNames
API results. * Add prometheus_http_requests_total metric. * Enable openbsd/
arm build. * Remote-write allocation improvements. * Query performance
improvement: Efficient iteration and search in HashForLabels and
HashWithoutLabels. * Allow injection of arbitrary headers in promtool. *
Allow passing external_labels in alert unit tests groups. * Allows globs
for rules when unit testing. * Improved postings intersection matching. *
Reduced disk usage for WAL for small setups. * Optimize queries using
regexp for set lookups.
o Rebase patch002-Default-settings.patch
o Update to 2.10.0: + Bug Fixes: * TSDB: Don't panic when running out of disk
space and recover nicely from the condition * TSDB: Correctly handle empty
labels. * TSDB: Don't crash on an unknown tombstone reference. * Storage/
remote: Remove queue-manager specific metrics if queue no longer exists. *
PromQL: Correctly display {__name__="a"}. * Discovery/kubernetes: Use
service rather than ingress as the name for the service workqueue. *
Discovery/azure: Don't panic on a VM with a public IP. * Web: Fixed
Content-Type for js and css instead of using /etc/mime.types. * API: Encode
alert values as string to correctly represent Inf/NaN. + Features: *
Template expansion: Make external labels available as $externalLabels in
alert and console template expansion. * TSDB: Add
prometheus_tsdb_wal_segment_current metric for the WAL segment index that
TSDB is currently writing to. tsdb * Scrape: Add scrape_series_added
per-scrape metric. #5546 + Enhancements * Discovery/kubernetes: Add labels
__meta_kubernetes_endpoint_node_name and
__meta_kubernetes_endpoint_hostname. * Discovery/azure: Add label
__meta_azure_machine_public_ip. * TSDB: Simplify mergedPostings.Seek,
resulting in better performance if there are many posting lists. tsdb * Log
filesystem type on startup. * Cmd/promtool: Use POST requests for Query and
QueryRange. client_golang * Web: Sort alerts by group name. * Console
templates: Add convenience variables $rawParams, $params, $path.
o Upadte to 2.9.2 + Bug Fixes: * Make sure subquery range is taken into
account for selection * Exhaust every request body before closing it * Cmd/
promtool: return errors from rule evaluations * Remote Storage: string
interner should not panic in release * Fix memory allocation regression in
mergedPostings.Seek tsdb
o Update to 2.9.1 + Bug Fixes: * Discovery/kubernetes: fix missing label
sanitization * Remote_write: Prevent reshard concurrent with calling stop
o Update to 2.9.0 + Feature: * Add honor_timestamps scrape option. +
Enhancements: * Update Consul to support catalog.ServiceMultipleTags. *
Discovery/kubernetes: add present labels for labels/annotations. *
OpenStack SD: Add ProjectID and UserID meta labels. * Add GODEBUG and
retention to the runtime page. * Add support for POSTing to /series
endpoint. * Support PUT methods for Lifecycle and Admin APIs. * Scrape: Add
global jitter for HA server. * Check for cancellation on every step of a
range evaluation. * String interning for labels & values in the
remote_write path. * Don't lose the scrape cache on a failed scrape. *
Reload cert files from disk automatically. common * Use fixed length
millisecond timestamp format for logs. common * Performance improvements
for postings. Bug Fixes: * Remote Write: fix checkpoint reading. * Check if
label value is valid when unmarshaling external labels from YAML. *
Promparse: sort all labels when parsing. * Reload rules: copy state on both
name and labels. * Exponentation operator to drop metric name in result of
operation. * Config: resolve more file paths. * Promtool: resolve relative
paths in alert test files. * Set TLSHandshakeTimeout in HTTP transport.
common * Use fsync to be more resilient to machine crashes. * Keep series
that are still in WAL in checkpoints.
o Update to 2.8.1 + Bug Fixes * Display the job labels in /targets which was
removed accidentally
o Update to 2.8.0 + Change: * This release uses Write-Ahead Logging (WAL) for
the remote_write API. This currently causes a slight increase in memory
usage, which will be addressed in future releases. * Default time retention
is used only when no size based retention is specified. These are flags
where time retention is specified by the flag --storage.tsdb.retention and
size retention by --storage.tsdb.retention.size. *
prometheus_tsdb_storage_blocks_bytes_total is now
prometheus_tsdb_storage_blocks_bytes. + Feature: * (EXPERIMENTAL) Time
overlapping blocks are now allowed; vertical compaction and vertical query
merge. It is an optional feature which is controlled by the
--storage.tsdb.allow-overlapping-blocks flag, disabled by default. +
Enhancements:
* Use the WAL for remote_write API. * Query performance improvements. * UI
enhancements with upgrade to Bootstrap 4. * Reduce time that Alertmanagers are
in flux when reloaded. * Limit number of metrics displayed on UI to 10000. *
(1) Remember All/Unhealthy choice on target-overview when reloading page. (2)
Resize text-input area on Graph page on mouseclick. * In histogram_quantile
merge buckets with equivalent le values. * Show list of offending labels in the
error message in many-to-many scenarios. * Show Storage Retention criteria in
effect on /status page. + Bug Fixes: + Fix sorting of rule groups. + Fix
support for password_file and bearer_token_file in Kubernetes SD. + Scrape:
catch errors when creating HTTP clients + Adds new metrics:
prometheus_target_scrape_pools_total
prometheus_target_scrape_pools_failed_total
prometheus_target_scrape_pool_reloads_total
prometheus_target_scrape_pool_reloads_failed_total + Fix panic when aggregator
param is not a literal.
mgr-cfg:
o Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)
mgr-daemon:
o Fix systemd timer configuration on SLE12 (bsc#1142038)
mgr-osad:
o Fix obsolete for old osad packages, to allow installing mgr-osad even by
using osad at yum/zyppper install (bsc#1139453)
o Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)
mgr-virtualization:
o Fix missing python 3 ugettext (bsc#1138494)
o Fix package dependencies to prevent file conflict (bsc#1143856)
rhnlib:
o Add SNI support for clients
o Fix initialize ssl connection (bsc#1144155)
o Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)
spacecmd:
o Bugfix: referenced variable before assignment.
o Bugfix: 'dict' object has no attribute 'iteritems' (bsc#1135881)
o Add unit tests for custominfo, snippet, scap, ssm, cryptokey and
distribution
o Fix missing runtime dependencies that made spacecmd return old versions of
packages in some cases, even if newer ones were available (bsc#1148311)
spacewalk-backend:
o Do not overwrite comps and module data with older versions
o Fix issue with "dists" keyword in url hostname
o Import packages from all collections of a patch not just first one
o Ensure bytes type when using hashlib to avoid traceback on XMLRPC call to
"registration.register_osad" (bsc#1138822)
o Do not duplicate "http://" protocol when using proxies with "deb"
repositories (bsc#1138313)
o Fix reposync when dealing with RedHat CDN (bsc#1138358)
o Fix for CVE-2019-10136. An attacker with a valid, but expired,
authenticated set of headers could move some digits around, artificially
extending the session validity without modifying the checksum. (bsc#
1136480)
o Prevent FileNotFoundError: repomd.xml.key traceback (bsc#1137940)
o Add journalctl output to spacewalk-debug tarballs
o Prevent unnecessary triggering of channel-repodata tasks when GPG signing
is disabled (bsc#1137715)
o Fix spacewalk-repo-sync for Ubuntu repositories in mirror case (bsc#
1136029)
o Add support for ULN repositories on new Zypper based reposync.
o Don't skip Deb package tags on package import (bsc#1130040)
o For backend-libs subpackages, exclude files for the server (already part of
spacewalk-backend) to avoid conflicts (bsc#1148125)
o prevent duplicate key violates on repo-sync with long changelog entries
(bsc#1144889)
spacewalk-remote-utils:
o Add RHEL8
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Manager Tools 15:
zypper in -t patch SUSE-SLE-Manager-Tools-15-2019-2317=1
o SUSE Linux Enterprise Module for Open Buildservice Development Tools
15-SP1:
zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2317=1
o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2317=1
Package List:
o SUSE Manager Tools 15 (aarch64 ppc64le s390x x86_64):
golang-github-prometheus-alertmanager-0.16.2-3.3.1
golang-github-prometheus-prometheus-2.11.1-3.6.2
o SUSE Manager Tools 15 (noarch):
mgr-cfg-4.0.9-1.6.5
mgr-cfg-actions-4.0.9-1.6.5
mgr-cfg-client-4.0.9-1.6.5
mgr-cfg-management-4.0.9-1.6.5
mgr-daemon-4.0.7-1.8.1
mgr-osad-4.0.9-1.6.2
mgr-virtualization-host-4.0.8-1.8.4
python3-mgr-cfg-4.0.9-1.6.5
python3-mgr-cfg-actions-4.0.9-1.6.5
python3-mgr-cfg-client-4.0.9-1.6.5
python3-mgr-cfg-management-4.0.9-1.6.5
python3-mgr-osa-common-4.0.9-1.6.2
python3-mgr-osad-4.0.9-1.6.2
python3-mgr-virtualization-common-4.0.8-1.8.4
python3-mgr-virtualization-host-4.0.8-1.8.4
python3-rhnlib-4.0.11-3.10.1
python3-spacewalk-backend-libs-4.0.25-3.23.1
spacecmd-4.0.14-3.26.1
spacewalk-remote-utils-4.0.5-3.9.2
o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
(noarch):
python2-rhnlib-4.0.11-3.10.1
spacecmd-4.0.14-3.26.1
spacewalk-backend-4.0.25-3.23.1
spacewalk-backend-app-4.0.25-3.23.1
spacewalk-backend-applet-4.0.25-3.23.1
spacewalk-backend-cdn-4.0.25-3.23.1
spacewalk-backend-config-files-4.0.25-3.23.1
spacewalk-backend-config-files-common-4.0.25-3.23.1
spacewalk-backend-config-files-tool-4.0.25-3.23.1
spacewalk-backend-iss-4.0.25-3.23.1
spacewalk-backend-iss-export-4.0.25-3.23.1
spacewalk-backend-libs-4.0.25-3.23.1
spacewalk-backend-package-push-server-4.0.25-3.23.1
spacewalk-backend-server-4.0.25-3.23.1
spacewalk-backend-sql-4.0.25-3.23.1
spacewalk-backend-sql-oracle-4.0.25-3.23.1
spacewalk-backend-sql-postgresql-4.0.25-3.23.1
spacewalk-backend-tools-4.0.25-3.23.1
spacewalk-backend-xml-export-libs-4.0.25-3.23.1
spacewalk-backend-xmlrpc-4.0.25-3.23.1
o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
(aarch64 ppc64le s390x x86_64):
golang-github-prometheus-alertmanager-0.16.2-3.3.1
golang-github-prometheus-prometheus-2.11.1-3.6.2
o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
(noarch):
python2-rhnlib-4.0.11-3.10.1
spacecmd-4.0.14-3.26.1
spacewalk-backend-4.0.25-3.23.1
spacewalk-backend-app-4.0.25-3.23.1
spacewalk-backend-applet-4.0.25-3.23.1
spacewalk-backend-cdn-4.0.25-3.23.1
spacewalk-backend-config-files-4.0.25-3.23.1
spacewalk-backend-config-files-common-4.0.25-3.23.1
spacewalk-backend-config-files-tool-4.0.25-3.23.1
spacewalk-backend-iss-4.0.25-3.23.1
spacewalk-backend-iss-export-4.0.25-3.23.1
spacewalk-backend-libs-4.0.25-3.23.1
spacewalk-backend-package-push-server-4.0.25-3.23.1
spacewalk-backend-server-4.0.25-3.23.1
spacewalk-backend-sql-4.0.25-3.23.1
spacewalk-backend-sql-oracle-4.0.25-3.23.1
spacewalk-backend-sql-postgresql-4.0.25-3.23.1
spacewalk-backend-tools-4.0.25-3.23.1
spacewalk-backend-xml-export-libs-4.0.25-3.23.1
spacewalk-backend-xmlrpc-4.0.25-3.23.1
References:
o https://www.suse.com/security/cve/CVE-2019-10136.html
o https://bugzilla.suse.com/1130040
o https://bugzilla.suse.com/1135881
o https://bugzilla.suse.com/1136029
o https://bugzilla.suse.com/1136480
o https://bugzilla.suse.com/1137715
o https://bugzilla.suse.com/1137940
o https://bugzilla.suse.com/1138313
o https://bugzilla.suse.com/1138358
o https://bugzilla.suse.com/1138494
o https://bugzilla.suse.com/1138822
o https://bugzilla.suse.com/1139453
o https://bugzilla.suse.com/1142038
o https://bugzilla.suse.com/1143856
o https://bugzilla.suse.com/1144155
o https://bugzilla.suse.com/1144889
o https://bugzilla.suse.com/1148125
o https://bugzilla.suse.com/1148177
o https://bugzilla.suse.com/1148311
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXXWe92aOgq3Tt24GAQiZuBAAgNk+7PXdDx5u9pE8Qri5Vrnv83xA+LGA
fE5HXjuFdVW3uzK0dqrsKfbqZLxSo1Dnd5wSCpiitq24GfWo3jMwjVACwcgec8U+
KoTzhSidcaGRIWKFy3u4sWmR9J4ngCefDGrbTaaySM7VA+MDvGXW0A6LozcT4494
780eZxnJ7UnPIVY1VXhfRe8arrKL5N7DwyCYsk6aRIKjpnwbCZOZRUqbHWqE4WhM
oLRGOVi5wD0y5wzCtQbn2XASDoOfR/1w9okI/UxV+2mp2JClXb3P3Ahq5Ful1YKc
QYMZjhve6xj9qBnqgL814AZelxaH5ADy/H+tHPwQnEy0Yrbo9Go84ZHXKrygWEZG
TJxG1Jy6keR8jXWuOa8kux3IQBZqPNzL03IWs1mMbFVy9FrXGWD5b0uds6iyb7Pw
lTjOuMmlin8Kq2YmITkvHY6YaaS04LUa7zkFb8KnZdGbFXSbWINpXWGD7WBYMemt
Sw48G90JHht201qlIgJdMWTGZQWuOxGu4EAb/fK23nkvNuyPd73ytx7U2oz1uTNR
gPoje+nTU3JUoQjkWHo2MdQMWawLRTYrjawYcZBTFvPmutswLYHNNXWvBHDOG4NA
uQD8j71g8Ct9Pph+GGBLh1zhKACMLPKYs75BMPm3UsDyN3Ma8/MMpgyPdJXEAMTI
V6fa6Zt97jg=
=5NR3
-----END PGP SIGNATURE-----