Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.3407 SUSE-SU-2019:2317-1 Security update for SUSE Manager Client Tools 9 September 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: SUSE Manager Client Tools Publisher: SUSE Operating System: SUSE Impact/Access: Unauthorised Access -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2019-10136 Reference: ESB-2019.3386 ESB-2019.3385 ESB-2019.2516 ESB-2019.2432 Original Bulletin: https://www.suse.com/support/update/announcement/2019/suse-su-20192317-1.html - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2317-1 Rating: moderate References: #1130040 #1135881 #1136029 #1136480 #1137715 #1137940 #1138313 #1138358 #1138494 #1138822 #1139453 #1142038 #1143856 #1144155 #1144889 #1148125 #1148177 #1148311 Cross-References: CVE-2019-10136 Affected Products: SUSE Manager Tools 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 ______________________________________________________________________________ An update that solves one vulnerability and has 17 fixes is now available. Description: This update fixes the following issues: golang-github-prometheus-prometheus: o Add support for Uyuni/SUSE Manager service discovery + Added 0003-Add-Uyuni-service-discovery o Readded _service file removed in error. o Update to 2.11.1 + Bug Fix: * Fix potential panic when prometheus is watching multiple zookeeper paths. o Update to 2.11.0 + Bug Fix: * resolve race condition in maxGauge. * Fix ZooKeeper connection leak. * Improved atomicity of .tmp block replacement during compaction for usual case. * Fix "unknown series references" after clean shutdown. * Re-calculate block size when calling block.Delete. * Fix unsafe snapshots with head block. * prometheus_tsdb_compactions_failed_total is now incremented on any compaction failure. + Changes: * Remove max_retries from queue_config (it has been unused since rewriting remote-write to utilize the write-ahead-log) * The meta file BlockStats no longer holds size information. This is now dynamically calculated and kept in memory. It also includes the meta file size which was not included before * Renamed metric from prometheus_tsdb_wal_reader_corruption_errors to prometheus_tsdb_wal_reader_corruption_errors_total + Features: * Add option to use Alertmanager API v2. * Added humanizePercentage function for templates. * Include InitContainers in Kubernetes Service Discovery. * Provide option to compress WAL records using Snappy. + Enhancements: * Create new clean segment when starting the WAL. * Reduce allocations in PromQL aggregations. * Add storage warnings to LabelValues and LabelNames API results. * Add prometheus_http_requests_total metric. * Enable openbsd/ arm build. * Remote-write allocation improvements. * Query performance improvement: Efficient iteration and search in HashForLabels and HashWithoutLabels. * Allow injection of arbitrary headers in promtool. * Allow passing external_labels in alert unit tests groups. * Allows globs for rules when unit testing. * Improved postings intersection matching. * Reduced disk usage for WAL for small setups. * Optimize queries using regexp for set lookups. o Rebase patch002-Default-settings.patch o Update to 2.10.0: + Bug Fixes: * TSDB: Don't panic when running out of disk space and recover nicely from the condition * TSDB: Correctly handle empty labels. * TSDB: Don't crash on an unknown tombstone reference. * Storage/ remote: Remove queue-manager specific metrics if queue no longer exists. * PromQL: Correctly display {__name__="a"}. * Discovery/kubernetes: Use service rather than ingress as the name for the service workqueue. * Discovery/azure: Don't panic on a VM with a public IP. * Web: Fixed Content-Type for js and css instead of using /etc/mime.types. * API: Encode alert values as string to correctly represent Inf/NaN. + Features: * Template expansion: Make external labels available as $externalLabels in alert and console template expansion. * TSDB: Add prometheus_tsdb_wal_segment_current metric for the WAL segment index that TSDB is currently writing to. tsdb * Scrape: Add scrape_series_added per-scrape metric. #5546 + Enhancements * Discovery/kubernetes: Add labels __meta_kubernetes_endpoint_node_name and __meta_kubernetes_endpoint_hostname. * Discovery/azure: Add label __meta_azure_machine_public_ip. * TSDB: Simplify mergedPostings.Seek, resulting in better performance if there are many posting lists. tsdb * Log filesystem type on startup. * Cmd/promtool: Use POST requests for Query and QueryRange. client_golang * Web: Sort alerts by group name. * Console templates: Add convenience variables $rawParams, $params, $path. o Upadte to 2.9.2 + Bug Fixes: * Make sure subquery range is taken into account for selection * Exhaust every request body before closing it * Cmd/ promtool: return errors from rule evaluations * Remote Storage: string interner should not panic in release * Fix memory allocation regression in mergedPostings.Seek tsdb o Update to 2.9.1 + Bug Fixes: * Discovery/kubernetes: fix missing label sanitization * Remote_write: Prevent reshard concurrent with calling stop o Update to 2.9.0 + Feature: * Add honor_timestamps scrape option. + Enhancements: * Update Consul to support catalog.ServiceMultipleTags. * Discovery/kubernetes: add present labels for labels/annotations. * OpenStack SD: Add ProjectID and UserID meta labels. * Add GODEBUG and retention to the runtime page. * Add support for POSTing to /series endpoint. * Support PUT methods for Lifecycle and Admin APIs. * Scrape: Add global jitter for HA server. * Check for cancellation on every step of a range evaluation. * String interning for labels & values in the remote_write path. * Don't lose the scrape cache on a failed scrape. * Reload cert files from disk automatically. common * Use fixed length millisecond timestamp format for logs. common * Performance improvements for postings. Bug Fixes: * Remote Write: fix checkpoint reading. * Check if label value is valid when unmarshaling external labels from YAML. * Promparse: sort all labels when parsing. * Reload rules: copy state on both name and labels. * Exponentation operator to drop metric name in result of operation. * Config: resolve more file paths. * Promtool: resolve relative paths in alert test files. * Set TLSHandshakeTimeout in HTTP transport. common * Use fsync to be more resilient to machine crashes. * Keep series that are still in WAL in checkpoints. o Update to 2.8.1 + Bug Fixes * Display the job labels in /targets which was removed accidentally o Update to 2.8.0 + Change: * This release uses Write-Ahead Logging (WAL) for the remote_write API. This currently causes a slight increase in memory usage, which will be addressed in future releases. * Default time retention is used only when no size based retention is specified. These are flags where time retention is specified by the flag --storage.tsdb.retention and size retention by --storage.tsdb.retention.size. * prometheus_tsdb_storage_blocks_bytes_total is now prometheus_tsdb_storage_blocks_bytes. + Feature: * (EXPERIMENTAL) Time overlapping blocks are now allowed; vertical compaction and vertical query merge. It is an optional feature which is controlled by the --storage.tsdb.allow-overlapping-blocks flag, disabled by default. + Enhancements: * Use the WAL for remote_write API. * Query performance improvements. * UI enhancements with upgrade to Bootstrap 4. * Reduce time that Alertmanagers are in flux when reloaded. * Limit number of metrics displayed on UI to 10000. * (1) Remember All/Unhealthy choice on target-overview when reloading page. (2) Resize text-input area on Graph page on mouseclick. * In histogram_quantile merge buckets with equivalent le values. * Show list of offending labels in the error message in many-to-many scenarios. * Show Storage Retention criteria in effect on /status page. + Bug Fixes: + Fix sorting of rule groups. + Fix support for password_file and bearer_token_file in Kubernetes SD. + Scrape: catch errors when creating HTTP clients + Adds new metrics: prometheus_target_scrape_pools_total prometheus_target_scrape_pools_failed_total prometheus_target_scrape_pool_reloads_total prometheus_target_scrape_pool_reloads_failed_total + Fix panic when aggregator param is not a literal. mgr-cfg: o Ensure bytes type when using hashlib to avoid traceback (bsc#1138822) mgr-daemon: o Fix systemd timer configuration on SLE12 (bsc#1142038) mgr-osad: o Fix obsolete for old osad packages, to allow installing mgr-osad even by using osad at yum/zyppper install (bsc#1139453) o Ensure bytes type when using hashlib to avoid traceback (bsc#1138822) mgr-virtualization: o Fix missing python 3 ugettext (bsc#1138494) o Fix package dependencies to prevent file conflict (bsc#1143856) rhnlib: o Add SNI support for clients o Fix initialize ssl connection (bsc#1144155) o Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177) spacecmd: o Bugfix: referenced variable before assignment. o Bugfix: 'dict' object has no attribute 'iteritems' (bsc#1135881) o Add unit tests for custominfo, snippet, scap, ssm, cryptokey and distribution o Fix missing runtime dependencies that made spacecmd return old versions of packages in some cases, even if newer ones were available (bsc#1148311) spacewalk-backend: o Do not overwrite comps and module data with older versions o Fix issue with "dists" keyword in url hostname o Import packages from all collections of a patch not just first one o Ensure bytes type when using hashlib to avoid traceback on XMLRPC call to "registration.register_osad" (bsc#1138822) o Do not duplicate "http://" protocol when using proxies with "deb" repositories (bsc#1138313) o Fix reposync when dealing with RedHat CDN (bsc#1138358) o Fix for CVE-2019-10136. An attacker with a valid, but expired, authenticated set of headers could move some digits around, artificially extending the session validity without modifying the checksum. (bsc# 1136480) o Prevent FileNotFoundError: repomd.xml.key traceback (bsc#1137940) o Add journalctl output to spacewalk-debug tarballs o Prevent unnecessary triggering of channel-repodata tasks when GPG signing is disabled (bsc#1137715) o Fix spacewalk-repo-sync for Ubuntu repositories in mirror case (bsc# 1136029) o Add support for ULN repositories on new Zypper based reposync. o Don't skip Deb package tags on package import (bsc#1130040) o For backend-libs subpackages, exclude files for the server (already part of spacewalk-backend) to avoid conflicts (bsc#1148125) o prevent duplicate key violates on repo-sync with long changelog entries (bsc#1144889) spacewalk-remote-utils: o Add RHEL8 Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Manager Tools 15: zypper in -t patch SUSE-SLE-Manager-Tools-15-2019-2317=1 o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2317=1 o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15: zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2317=1 Package List: o SUSE Manager Tools 15 (aarch64 ppc64le s390x x86_64): golang-github-prometheus-alertmanager-0.16.2-3.3.1 golang-github-prometheus-prometheus-2.11.1-3.6.2 o SUSE Manager Tools 15 (noarch): mgr-cfg-4.0.9-1.6.5 mgr-cfg-actions-4.0.9-1.6.5 mgr-cfg-client-4.0.9-1.6.5 mgr-cfg-management-4.0.9-1.6.5 mgr-daemon-4.0.7-1.8.1 mgr-osad-4.0.9-1.6.2 mgr-virtualization-host-4.0.8-1.8.4 python3-mgr-cfg-4.0.9-1.6.5 python3-mgr-cfg-actions-4.0.9-1.6.5 python3-mgr-cfg-client-4.0.9-1.6.5 python3-mgr-cfg-management-4.0.9-1.6.5 python3-mgr-osa-common-4.0.9-1.6.2 python3-mgr-osad-4.0.9-1.6.2 python3-mgr-virtualization-common-4.0.8-1.8.4 python3-mgr-virtualization-host-4.0.8-1.8.4 python3-rhnlib-4.0.11-3.10.1 python3-spacewalk-backend-libs-4.0.25-3.23.1 spacecmd-4.0.14-3.26.1 spacewalk-remote-utils-4.0.5-3.9.2 o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch): python2-rhnlib-4.0.11-3.10.1 spacecmd-4.0.14-3.26.1 spacewalk-backend-4.0.25-3.23.1 spacewalk-backend-app-4.0.25-3.23.1 spacewalk-backend-applet-4.0.25-3.23.1 spacewalk-backend-cdn-4.0.25-3.23.1 spacewalk-backend-config-files-4.0.25-3.23.1 spacewalk-backend-config-files-common-4.0.25-3.23.1 spacewalk-backend-config-files-tool-4.0.25-3.23.1 spacewalk-backend-iss-4.0.25-3.23.1 spacewalk-backend-iss-export-4.0.25-3.23.1 spacewalk-backend-libs-4.0.25-3.23.1 spacewalk-backend-package-push-server-4.0.25-3.23.1 spacewalk-backend-server-4.0.25-3.23.1 spacewalk-backend-sql-4.0.25-3.23.1 spacewalk-backend-sql-oracle-4.0.25-3.23.1 spacewalk-backend-sql-postgresql-4.0.25-3.23.1 spacewalk-backend-tools-4.0.25-3.23.1 spacewalk-backend-xml-export-libs-4.0.25-3.23.1 spacewalk-backend-xmlrpc-4.0.25-3.23.1 o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64): golang-github-prometheus-alertmanager-0.16.2-3.3.1 golang-github-prometheus-prometheus-2.11.1-3.6.2 o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch): python2-rhnlib-4.0.11-3.10.1 spacecmd-4.0.14-3.26.1 spacewalk-backend-4.0.25-3.23.1 spacewalk-backend-app-4.0.25-3.23.1 spacewalk-backend-applet-4.0.25-3.23.1 spacewalk-backend-cdn-4.0.25-3.23.1 spacewalk-backend-config-files-4.0.25-3.23.1 spacewalk-backend-config-files-common-4.0.25-3.23.1 spacewalk-backend-config-files-tool-4.0.25-3.23.1 spacewalk-backend-iss-4.0.25-3.23.1 spacewalk-backend-iss-export-4.0.25-3.23.1 spacewalk-backend-libs-4.0.25-3.23.1 spacewalk-backend-package-push-server-4.0.25-3.23.1 spacewalk-backend-server-4.0.25-3.23.1 spacewalk-backend-sql-4.0.25-3.23.1 spacewalk-backend-sql-oracle-4.0.25-3.23.1 spacewalk-backend-sql-postgresql-4.0.25-3.23.1 spacewalk-backend-tools-4.0.25-3.23.1 spacewalk-backend-xml-export-libs-4.0.25-3.23.1 spacewalk-backend-xmlrpc-4.0.25-3.23.1 References: o https://www.suse.com/security/cve/CVE-2019-10136.html o https://bugzilla.suse.com/1130040 o https://bugzilla.suse.com/1135881 o https://bugzilla.suse.com/1136029 o https://bugzilla.suse.com/1136480 o https://bugzilla.suse.com/1137715 o https://bugzilla.suse.com/1137940 o https://bugzilla.suse.com/1138313 o https://bugzilla.suse.com/1138358 o https://bugzilla.suse.com/1138494 o https://bugzilla.suse.com/1138822 o https://bugzilla.suse.com/1139453 o https://bugzilla.suse.com/1142038 o https://bugzilla.suse.com/1143856 o https://bugzilla.suse.com/1144155 o https://bugzilla.suse.com/1144889 o https://bugzilla.suse.com/1148125 o https://bugzilla.suse.com/1148177 o https://bugzilla.suse.com/1148311 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXXWe92aOgq3Tt24GAQiZuBAAgNk+7PXdDx5u9pE8Qri5Vrnv83xA+LGA fE5HXjuFdVW3uzK0dqrsKfbqZLxSo1Dnd5wSCpiitq24GfWo3jMwjVACwcgec8U+ KoTzhSidcaGRIWKFy3u4sWmR9J4ngCefDGrbTaaySM7VA+MDvGXW0A6LozcT4494 780eZxnJ7UnPIVY1VXhfRe8arrKL5N7DwyCYsk6aRIKjpnwbCZOZRUqbHWqE4WhM oLRGOVi5wD0y5wzCtQbn2XASDoOfR/1w9okI/UxV+2mp2JClXb3P3Ahq5Ful1YKc QYMZjhve6xj9qBnqgL814AZelxaH5ADy/H+tHPwQnEy0Yrbo9Go84ZHXKrygWEZG TJxG1Jy6keR8jXWuOa8kux3IQBZqPNzL03IWs1mMbFVy9FrXGWD5b0uds6iyb7Pw lTjOuMmlin8Kq2YmITkvHY6YaaS04LUa7zkFb8KnZdGbFXSbWINpXWGD7WBYMemt Sw48G90JHht201qlIgJdMWTGZQWuOxGu4EAb/fK23nkvNuyPd73ytx7U2oz1uTNR gPoje+nTU3JUoQjkWHo2MdQMWawLRTYrjawYcZBTFvPmutswLYHNNXWvBHDOG4NA uQD8j71g8Ct9Pph+GGBLh1zhKACMLPKYs75BMPm3UsDyN3Ma8/MMpgyPdJXEAMTI V6fa6Zt97jg= =5NR3 -----END PGP SIGNATURE-----