Recommended update for SUSE Manager Proxy 4.1 SUSE Patch security@suse.de SUSE Security Team SUSE-RU-2022:2145-1 Final 1 1 2022-06-20T14:12:56Z current 2022-06-20T14:12:56Z 2022-06-20T14:12:56Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Recommended update for SUSE Manager Proxy 4.1 This update fixes the following issues: golang-github-QubitProducts-exporter_exporter: - Adapted to build on Enterprise Linux. - Fix build for Red Hat 7 - Require Go >= 1.14 also for CentOS - Add support for CentOS - Replace %{?systemd_requires} with %{?systemd_ordering} golang-github-lusitaniae-apache_exporter: - Require building with Go 1.15 - Add %license macro for LICENSE file golang-github-prometheus-node_exporter: - CVE-2022-21698: Update vendor tarball with prometheus/client_golang 1.11.1 (bsc#1196338, jsc#SLE-24238, jsc#SLE-24239) - Update to 1.3.0 * [CHANGE] Add path label to rapl collector #2146 * [CHANGE] Exclude filesystems under /run/credentials #2157 * [CHANGE] Add TCPTimeouts to netstat default filter #2189 * [FEATURE] Add lnstat collector for metrics from /proc/net/stat/ #1771 * [FEATURE] Add darwin powersupply collector #1777 * [FEATURE] Add support for monitoring GPUs on Linux #1998 * [FEATURE] Add Darwin thermal collector #2032 * [FEATURE] Add os release collector #2094 * [FEATURE] Add netdev.address-info collector #2105 * [FEATURE] Add clocksource metrics to time collector #2197 * [ENHANCEMENT] Support glob textfile collector directories #1985 * [ENHANCEMENT] ethtool: Expose node_ethtool_info metric #2080 * [ENHANCEMENT] Use include/exclude flags for ethtool filtering #2165 * [ENHANCEMENT] Add flag to disable guest CPU metrics #2123 * [ENHANCEMENT] Add DMI collector #2131 * [ENHANCEMENT] Add threads metrics to processes collector #2164 * [ENHANCMMENT] Reduce timer GC delays in the Linux filesystem collector #2169 * [ENHANCMMENT] Add TCPTimeouts to netstat default filter #2189 * [ENHANCMMENT] Use SysctlTimeval for boottime collector on BSD #2208 * [BUGFIX] ethtool: Sanitize metric names #2093 * [BUGFIX] Fix ethtool collector for multiple interfaces #2126 * [BUGFIX] Fix possible panic on macOS #2133 * [BUGFIX] Collect flag_info and bug_info only for one core #2156 * [BUGFIX] Prevent duplicate ethtool metric names #2187 - Update to 1.2.2 * Bug fixes Fix processes collector long int parsing #2112 - Update to 1.2.1 * Removed Remove obsolete capture permission denied error patch already included upstream Fix zoneinfo parsing prometheus/procfs#386 Fix nvme collector log noise #2091 Fix rapl collector log noise #2092 - Update to 1.2.0 * Changes Rename filesystem collector flags to match other collectors #2012 Make node_exporter print usage to STDOUT #203 * Features Add conntrack statistics metrics #1155 Add ethtool stats collector #1832 Add flag to ignore network speed if it is unknown #1989 Add tapestats collector for Linux #2044 Add nvme collector #2062 * Enhancements Add ErrorLog plumbing to promhttp #1887 Add more Infiniband counters #2019 netclass: retrieve interface names and filter before parsing #2033 Add time zone offset metric #2060 Handle errors from disabled PSI subsystem #1983 Fix panic when using backwards compatible flags #2000 Fix wrong value for OpenBSD memory buffer cache #2015 Only initiate collectors once #2048 Handle small backwards jumps in CPU idle #2067 - Apply patch to capture permission denied error for 'energy_uj' file (bsc#1190535) from https://github.com/prometheus/node_exporter/pull/2092 patterns-suse-manager: - Golang-github-wrouesnel-postgres_exporter was renamed to prometheus-postgres_exporter spacecmd: - Version 4.1.18-1 * implement system.bootstrap (bsc#1194909) spacewalk-backend: - Version 4.1.31-1 * Fix traceback on calling spacewalk-repo-sync --show-packages (bsc#1193238) * Fix virt_notify SQL syntax error (bsc#1199528) * Do not raise error on file:// based DEB repo when looking for alternative Release files (bsc#1199142) * Improve parsing deb packages dependencies (bsc#1194594) * Fix reposync update notice formatting and date parsing (bsc#1194447) * implement more decompression algorithms for reposync (bsc#1196704) spacewalk-web: - Version 4.1.33-1 * Added support for end of life notifications How to apply this update: 1. Log in as root user to the SUSE Manager proxy. 2. Stop the proxy service: spacewalk-proxy stop 3. Apply the patch using either zypper patch or YaST Online Update. 4. Start the Spacewalk service: spacewalk-proxy start The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-2145,SUSE-SLE-Module-SUSE-Manager-Proxy-4.1-2022-2145 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/-2022-2145/suse-ru-20222145-1/ Link for SUSE-RU-2022:2145-1 https://lists.suse.com/pipermail/sle-updates/2022-June/023651.html E-Mail link for SUSE-RU-2022:2145-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1190535 SUSE Bug 1190535 https://bugzilla.suse.com/1193238 SUSE Bug 1193238 https://bugzilla.suse.com/1194447 SUSE Bug 1194447 https://bugzilla.suse.com/1194594 SUSE Bug 1194594 https://bugzilla.suse.com/1194909 SUSE Bug 1194909 https://bugzilla.suse.com/1196338 SUSE Bug 1196338 https://bugzilla.suse.com/1196704 SUSE Bug 1196704 https://bugzilla.suse.com/1199142 SUSE Bug 1199142 https://bugzilla.suse.com/1199528 SUSE Bug 1199528 https://www.suse.com/security/cve/CVE-2022-21698/ SUSE CVE CVE-2022-21698 page SUSE Manager Proxy Module 4.1 golang-github-QubitProducts-exporter_exporter-0.4.0-150200.6.12.2 golang-github-lusitaniae-apache_exporter-0.7.0-150200.2.6.2 golang-github-prometheus-node_exporter-1.3.0-150200.3.9.3 patterns-suma_proxy-4.1-150200.6.12.2 patterns-suma_retail-4.1-150200.6.12.2 patterns-suma_server-4.1-150200.6.12.2 postgresql-jdbc-42.2.10-150200.3.8.2 prometheus-exporters-formula-0.9.5-150200.3.31.2 prometheus-formula-0.3.7-150200.3.21.2 py27-compat-salt-3000.3-150200.6.24.2 spacecmd-4.1.18-150200.4.39.3 spacewalk-backend-4.1.31-150200.4.50.4 spacewalk-backend-app-4.1.31-150200.4.50.4 spacewalk-backend-applet-4.1.31-150200.4.50.4 spacewalk-backend-cdn-4.1.31-150200.4.50.4 spacewalk-backend-config-files-4.1.31-150200.4.50.4 spacewalk-backend-config-files-common-4.1.31-150200.4.50.4 spacewalk-backend-config-files-tool-4.1.31-150200.4.50.4 spacewalk-backend-iss-4.1.31-150200.4.50.4 spacewalk-backend-iss-export-4.1.31-150200.4.50.4 spacewalk-backend-package-push-server-4.1.31-150200.4.50.4 spacewalk-backend-server-4.1.31-150200.4.50.4 spacewalk-backend-sql-4.1.31-150200.4.50.4 spacewalk-backend-sql-postgresql-4.1.31-150200.4.50.4 spacewalk-backend-tools-4.1.31-150200.4.50.4 spacewalk-backend-xml-export-libs-4.1.31-150200.4.50.4 spacewalk-backend-xmlrpc-4.1.31-150200.4.50.4 spacewalk-base-4.1.34-150200.3.47.6 spacewalk-base-minimal-4.1.34-150200.3.47.6 spacewalk-base-minimal-config-4.1.34-150200.3.47.6 spacewalk-dobby-4.1.34-150200.3.47.6 spacewalk-html-4.1.34-150200.3.47.6 spacewalk-html-debug-4.1.34-150200.3.47.6 spacewalk-java-4.1.46-150200.3.71.5 spacewalk-java-apidoc-sources-4.1.46-150200.3.71.5 spacewalk-java-config-4.1.46-150200.3.71.5 spacewalk-java-lib-4.1.46-150200.3.71.5 spacewalk-java-postgresql-4.1.46-150200.3.71.5 spacewalk-setup-4.1.11-150200.3.18.2 spacewalk-taskomatic-4.1.46-150200.3.71.5 spacewalk-utils-4.1.20-150200.3.30.2 spacewalk-utils-extras-4.1.20-150200.3.30.2 subscription-matcher-0.28-150200.3.15.2 susemanager-4.1.36-150200.3.52.1 susemanager-doc-indexes-4.1-150200.11.55.4 susemanager-docs_en-4.1-150200.11.55.2 susemanager-docs_en-pdf-4.1-150200.11.55.2 susemanager-nodejs-sdk-devel-4.1.13-150200.3.24.3 susemanager-schema-4.1.26-150200.3.45.4 susemanager-schema-sanity-4.1.26-150200.3.45.4 susemanager-sls-4.1.36-150200.3.64.2 susemanager-tools-4.1.36-150200.3.52.1 susemanager-web-libs-4.1.34-150200.3.47.6 susemanager-web-libs-debug-4.1.34-150200.3.47.6 uyuni-config-modules-4.1.36-150200.3.64.2 golang-github-QubitProducts-exporter_exporter-0.4.0-150200.6.12.2 as a component of SUSE Manager Proxy Module 4.1 golang-github-lusitaniae-apache_exporter-0.7.0-150200.2.6.2 as a component of SUSE Manager Proxy Module 4.1 golang-github-prometheus-node_exporter-1.3.0-150200.3.9.3 as a component of SUSE Manager Proxy Module 4.1 patterns-suma_proxy-4.1-150200.6.12.2 as a component of SUSE Manager Proxy Module 4.1 spacecmd-4.1.18-150200.4.39.3 as a component of SUSE Manager Proxy Module 4.1 spacewalk-backend-4.1.31-150200.4.50.4 as a component of SUSE Manager Proxy Module 4.1 spacewalk-base-minimal-4.1.34-150200.3.47.6 as a component of SUSE Manager Proxy Module 4.1 spacewalk-base-minimal-config-4.1.34-150200.3.47.6 as a component of SUSE Manager Proxy Module 4.1 client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods. CVE-2022-21698 SUSE Manager Proxy Module 4.1:golang-github-QubitProducts-exporter_exporter-0.4.0-150200.6.12.2 SUSE Manager Proxy Module 4.1:golang-github-lusitaniae-apache_exporter-0.7.0-150200.2.6.2 SUSE Manager Proxy Module 4.1:golang-github-prometheus-node_exporter-1.3.0-150200.3.9.3 SUSE Manager Proxy Module 4.1:patterns-suma_proxy-4.1-150200.6.12.2 SUSE Manager Proxy Module 4.1:spacecmd-4.1.18-150200.4.39.3 SUSE Manager Proxy Module 4.1:spacewalk-backend-4.1.31-150200.4.50.4 SUSE Manager Proxy Module 4.1:spacewalk-base-minimal-4.1.34-150200.3.47.6 SUSE Manager Proxy Module 4.1:spacewalk-base-minimal-config-4.1.34-150200.3.47.6 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/-2022-2145/suse-ru-20222145-1/ https://www.suse.com/security/cve/CVE-2022-21698.html CVE-2022-21698 https://bugzilla.suse.com/1196338 SUSE Bug 1196338 https://bugzilla.suse.com/1248689 SUSE Bug 1248689