<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security Beta update for SUSE Manager Client Tools</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE-SU-2022:0310-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2022-02-02T11:09:18Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2022-02-02T11:09:18Z</InitialReleaseDate>
    <CurrentReleaseDate>2022-02-02T11:09:18Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security Beta update for SUSE Manager Client Tools</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update fixes the following issues:

grafana:

- Update to version 7.5.12:
  * Fix markdown path traversal (#42969, bsc#1193688, CVE-2021-43813)
- Recreate tarballs using the makefile to update the npm and go modules required
- Update to version 7.5.11:
  * Fix Snapshot authentication bypass (bsc#1191454, CVE-2021-39226)
  * Fix certs issue (#40002)
  * Release v7.5.11 (#124)
  * Fix static path matching issue in macaron
  * OAuth: add docs for disableAutoLogin param (#38752) (#38894)
  * Fix #747; remove 'other variables'. (#37866) (#37878)
  * Update alert docs (#33658) (#33659)
  * [7.5.x] Docs: added documentation for the 'prepare time series'-transformation. (#36836)
  * cherry picked dc5778c303ca555b70e8ca8c28e95997e26ecfc1 (#36813)
  * 'Release: Updated versions in package to 7.5.10' (#36792)
  * [v7.5.x] Transformations: add 'prepare time series' transformer (#36749)
  * Remove verify-drone from windows (#36775)
  * Update queries.md (#31941) (#36764)
  * Updated content to specify method to use to get keyboard shortcuts; (#36084) (#36087)
  * ReleaseNotes: Updated changelog and release notes for 7.5.9 (#36057) (#36077)
  * 'Release: Updated versions in package to 7.5.9' (#36056)
  * Login: Fixes Unauthorized message showing when on login page or snapshot page (#35311) (#35880)
  * ReleaseNotes: Updated changelog and release notes for 7.5.8 (#35703) (#35822)
  * CI: Upgrade pipeline tool to use main (#35804)
  * CI: try to force v7.5.x instead of master (#35799)
  * CI: supports move from master to main in 7.5.x release branch (#35747)
  * 'Release: Updated versions in package to 7.5.8' (#35701)
  * Chore: Bump acorn and lodash-es (#35650)
  * Snapshots: Remove dashboard links from snapshots (#35567) (#35585)
  * [v7.5.x] Datasource: Allow configuring `MaxConnsPerHost` (#35519)
  * Remove docs sync from v7.5.x (#35443)
  * 'Release: Updated versions in package to 7.5.7' (#35412)
  * Add max_idle_connections_per_host to config (#35365)
  * Update go.sum to fix failing enterprise pipeline (#35353)
  * [v7.5.x] HTTP Client: Introduce `go-conntrack`  (#35321)
  * Fix Markdown syntax in enterprise/license/_index.md (#34683) (#35210)
  * Update annotations.md (#33218) (#35138)
  * Docs: Add query caching to enterprise docs page (#34751) (#35025)
  * [7.5.x] Admin: hide per role counts for licensed users (#34994)
  * cleanup shortcodes, image paths (#34827)
  * Security: Upgrade Thrift dependency (#34698) (#34702)
  * Docs: Fix Quick Start link on Getting Started Influx page (#34549) (#34603)
  * Add link to release notes v7.5.7 (#34460) (#34474)
  * Update 7.5.x landing page (#34447)
  * ReleaseNotes: Updated changelog and release notes for 7.5.7 (#34383) (#34428)
- Update to 7.5.10
  * [v7.5.x] Transformations: add 'prepare time series' transformer. [#36749]
- Update to 7.5.9
  * Login: Fix Unauthorized message that is displayed on sign-in or snapshot page. [#35880]

kiwi-desc-saltboot:

- Update to version 0.1.1639488226.7c9eab9
  * Enable one-time autosign grains for SLE12 and SLE11 clients

mgr-cfg:

- Version 4.3.3-1
  * Fix python selinux package name depending on build target (bsc#1193600)
  * Do not build python 2 package for SLE15SP4 and higher

mgr-custom-info:

- Version 4.3.3-1
  * require python macros for building

mgr-osad:

- Version 4.3.3-1
  * require python macros for building
  * Do not build python 2 package for SLE15SP4 and higher

mgr-push:

- Version 4.3.2-1
  * Do not build python 2 package for SLE15SP4 and higher

mgr-virtualization:

- Version 4.3.2-1
  * require python macros for building
  * Do not build python 2 package for SLE15SP4 and higher

python-hwdata:

- Require python macros for building

rhnlib:

- Version 4.3.2-1
  * do not build python 2 package for SLE15

salt:

- Fix tmpfiles.d configuration for salt to not use legacy paths (bsc#1173103)
- Fix the regression of docker_container state module (bsc#1191285)

spacecmd:

- Version 4.3.5-1
  * require python macros for building

spacewalk-client-tools:

- Version 4.3.5-1
  * require python macros for building
  * do not build python 2 package for SLE15

spacewalk-koan:

- Version 4.3.2-1
  * Do not build python 2 package for SLE15SP4 and higher

spacewalk-oscap:

- Version 4.3.2-1
  * require python macros for building
  * Do not build python 2 package for SLE15SP4 and higher

spacewalk-remote-utils:

- Version 4.3.2-1
  * require python macros for building

suseRegisterInfo:

- Version 4.3.2-1
  * require python macros for building
  * Do not build python 2 package for SLE15 and higher

uyuni-common-libs:

- Version 4.3.2-1
  * Read modularity data from DISTTAG tag as fallback (bsc#1192487)
  * Add decompression of zck files to fileutils
  * require python macros for building

zypp-plugin-spacewalk:

- 1.0.11
  * require python macros for building

</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">SUSE-2022-310,SUSE-SLE-Manager-Tools-12-BETA-2022-310</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/update/announcement/2022/suse-su-20220310-1/</URL>
      <Description>Link for SUSE-SU-2022:0310-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://lists.suse.com/pipermail/sle-security-updates/2022-February/010174.html</URL>
      <Description>E-Mail link for SUSE-SU-2022:0310-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1173103</URL>
      <Description>SUSE Bug 1173103</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1191285</URL>
      <Description>SUSE Bug 1191285</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1191454</URL>
      <Description>SUSE Bug 1191454</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1192487</URL>
      <Description>SUSE Bug 1192487</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1193600</URL>
      <Description>SUSE Bug 1193600</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1193688</URL>
      <Description>SUSE Bug 1193688</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2021-39226/</URL>
      <Description>SUSE CVE CVE-2021-39226 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2021-43813/</URL>
      <Description>SUSE CVE CVE-2021-43813 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Version" Name="grafana-7.5.12-4.18.1">
      <FullProductName ProductID="grafana-7.5.12-4.18.1">grafana-7.5.12-4.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="kiwi-desc-saltboot-0.1.1639488226.7c9eab9-4.12.1">
      <FullProductName ProductID="kiwi-desc-saltboot-0.1.1639488226.7c9eab9-4.12.1">kiwi-desc-saltboot-0.1.1639488226.7c9eab9-4.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mgr-cfg-4.3.3-4.18.2">
      <FullProductName ProductID="mgr-cfg-4.3.3-4.18.2">mgr-cfg-4.3.3-4.18.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mgr-cfg-actions-4.3.3-4.18.2">
      <FullProductName ProductID="mgr-cfg-actions-4.3.3-4.18.2">mgr-cfg-actions-4.3.3-4.18.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mgr-cfg-client-4.3.3-4.18.2">
      <FullProductName ProductID="mgr-cfg-client-4.3.3-4.18.2">mgr-cfg-client-4.3.3-4.18.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mgr-cfg-management-4.3.3-4.18.2">
      <FullProductName ProductID="mgr-cfg-management-4.3.3-4.18.2">mgr-cfg-management-4.3.3-4.18.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mgr-custom-info-4.3.3-4.12.1">
      <FullProductName ProductID="mgr-custom-info-4.3.3-4.12.1">mgr-custom-info-4.3.3-4.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mgr-osa-dispatcher-4.3.3-4.21.2">
      <FullProductName ProductID="mgr-osa-dispatcher-4.3.3-4.21.2">mgr-osa-dispatcher-4.3.3-4.21.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mgr-osad-4.3.3-4.21.2">
      <FullProductName ProductID="mgr-osad-4.3.3-4.21.2">mgr-osad-4.3.3-4.21.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mgr-push-4.3.2-4.12.2">
      <FullProductName ProductID="mgr-push-4.3.2-4.12.2">mgr-push-4.3.2-4.12.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="mgr-virtualization-host-4.3.2-4.12.2">
      <FullProductName ProductID="mgr-virtualization-host-4.3.2-4.12.2">mgr-virtualization-host-4.3.2-4.12.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-hwdata-2.3.5-15.9.1">
      <FullProductName ProductID="python2-hwdata-2.3.5-15.9.1">python2-hwdata-2.3.5-15.9.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-mgr-cfg-4.3.3-4.18.2">
      <FullProductName ProductID="python2-mgr-cfg-4.3.3-4.18.2">python2-mgr-cfg-4.3.3-4.18.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-mgr-cfg-actions-4.3.3-4.18.2">
      <FullProductName ProductID="python2-mgr-cfg-actions-4.3.3-4.18.2">python2-mgr-cfg-actions-4.3.3-4.18.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-mgr-cfg-client-4.3.3-4.18.2">
      <FullProductName ProductID="python2-mgr-cfg-client-4.3.3-4.18.2">python2-mgr-cfg-client-4.3.3-4.18.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-mgr-cfg-management-4.3.3-4.18.2">
      <FullProductName ProductID="python2-mgr-cfg-management-4.3.3-4.18.2">python2-mgr-cfg-management-4.3.3-4.18.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-mgr-osa-common-4.3.3-4.21.2">
      <FullProductName ProductID="python2-mgr-osa-common-4.3.3-4.21.2">python2-mgr-osa-common-4.3.3-4.21.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-mgr-osa-dispatcher-4.3.3-4.21.2">
      <FullProductName ProductID="python2-mgr-osa-dispatcher-4.3.3-4.21.2">python2-mgr-osa-dispatcher-4.3.3-4.21.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-mgr-osad-4.3.3-4.21.2">
      <FullProductName ProductID="python2-mgr-osad-4.3.3-4.21.2">python2-mgr-osad-4.3.3-4.21.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-mgr-push-4.3.2-4.12.2">
      <FullProductName ProductID="python2-mgr-push-4.3.2-4.12.2">python2-mgr-push-4.3.2-4.12.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-mgr-virtualization-common-4.3.2-4.12.2">
      <FullProductName ProductID="python2-mgr-virtualization-common-4.3.2-4.12.2">python2-mgr-virtualization-common-4.3.2-4.12.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-mgr-virtualization-host-4.3.2-4.12.2">
      <FullProductName ProductID="python2-mgr-virtualization-host-4.3.2-4.12.2">python2-mgr-virtualization-host-4.3.2-4.12.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-rhnlib-4.3.2-24.21.1">
      <FullProductName ProductID="python2-rhnlib-4.3.2-24.21.1">python2-rhnlib-4.3.2-24.21.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-salt-3000-49.41.3">
      <FullProductName ProductID="python2-salt-3000-49.41.3">python2-salt-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-spacewalk-check-4.3.5-55.36.2">
      <FullProductName ProductID="python2-spacewalk-check-4.3.5-55.36.2">python2-spacewalk-check-4.3.5-55.36.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-spacewalk-client-setup-4.3.5-55.36.2">
      <FullProductName ProductID="python2-spacewalk-client-setup-4.3.5-55.36.2">python2-spacewalk-client-setup-4.3.5-55.36.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-spacewalk-client-tools-4.3.5-55.36.2">
      <FullProductName ProductID="python2-spacewalk-client-tools-4.3.5-55.36.2">python2-spacewalk-client-tools-4.3.5-55.36.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-spacewalk-koan-4.3.2-27.12.1">
      <FullProductName ProductID="python2-spacewalk-koan-4.3.2-27.12.1">python2-spacewalk-koan-4.3.2-27.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-spacewalk-oscap-4.3.2-22.12.1">
      <FullProductName ProductID="python2-spacewalk-oscap-4.3.2-22.12.1">python2-spacewalk-oscap-4.3.2-22.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-suseRegisterInfo-4.3.2-28.18.1">
      <FullProductName ProductID="python2-suseRegisterInfo-4.3.2-28.18.1">python2-suseRegisterInfo-4.3.2-28.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-uyuni-common-libs-4.3.2-3.24.1">
      <FullProductName ProductID="python2-uyuni-common-libs-4.3.2-3.24.1">python2-uyuni-common-libs-4.3.2-3.24.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python2-zypp-plugin-spacewalk-1.0.11-33.18.1">
      <FullProductName ProductID="python2-zypp-plugin-spacewalk-1.0.11-33.18.1">python2-zypp-plugin-spacewalk-1.0.11-33.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python3-salt-3000-49.41.3">
      <FullProductName ProductID="python3-salt-3000-49.41.3">python3-salt-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="salt-3000-49.41.3">
      <FullProductName ProductID="salt-3000-49.41.3">salt-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="salt-api-3000-49.41.3">
      <FullProductName ProductID="salt-api-3000-49.41.3">salt-api-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="salt-bash-completion-3000-49.41.3">
      <FullProductName ProductID="salt-bash-completion-3000-49.41.3">salt-bash-completion-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="salt-cloud-3000-49.41.3">
      <FullProductName ProductID="salt-cloud-3000-49.41.3">salt-cloud-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="salt-doc-3000-49.41.3">
      <FullProductName ProductID="salt-doc-3000-49.41.3">salt-doc-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="salt-fish-completion-3000-49.41.3">
      <FullProductName ProductID="salt-fish-completion-3000-49.41.3">salt-fish-completion-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="salt-master-3000-49.41.3">
      <FullProductName ProductID="salt-master-3000-49.41.3">salt-master-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="salt-minion-3000-49.41.3">
      <FullProductName ProductID="salt-minion-3000-49.41.3">salt-minion-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="salt-proxy-3000-49.41.3">
      <FullProductName ProductID="salt-proxy-3000-49.41.3">salt-proxy-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="salt-ssh-3000-49.41.3">
      <FullProductName ProductID="salt-ssh-3000-49.41.3">salt-ssh-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="salt-standalone-formulas-configuration-3000-49.41.3">
      <FullProductName ProductID="salt-standalone-formulas-configuration-3000-49.41.3">salt-standalone-formulas-configuration-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="salt-syndic-3000-49.41.3">
      <FullProductName ProductID="salt-syndic-3000-49.41.3">salt-syndic-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="salt-transactional-update-3000-49.41.3">
      <FullProductName ProductID="salt-transactional-update-3000-49.41.3">salt-transactional-update-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="salt-zsh-completion-3000-49.41.3">
      <FullProductName ProductID="salt-zsh-completion-3000-49.41.3">salt-zsh-completion-3000-49.41.3</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="spacecmd-4.3.5-41.30.1">
      <FullProductName ProductID="spacecmd-4.3.5-41.30.1">spacecmd-4.3.5-41.30.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="spacewalk-check-4.3.5-55.36.2">
      <FullProductName ProductID="spacewalk-check-4.3.5-55.36.2">spacewalk-check-4.3.5-55.36.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="spacewalk-client-setup-4.3.5-55.36.2">
      <FullProductName ProductID="spacewalk-client-setup-4.3.5-55.36.2">spacewalk-client-setup-4.3.5-55.36.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="spacewalk-client-tools-4.3.5-55.36.2">
      <FullProductName ProductID="spacewalk-client-tools-4.3.5-55.36.2">spacewalk-client-tools-4.3.5-55.36.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="spacewalk-koan-4.3.2-27.12.1">
      <FullProductName ProductID="spacewalk-koan-4.3.2-27.12.1">spacewalk-koan-4.3.2-27.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="spacewalk-oscap-4.3.2-22.12.1">
      <FullProductName ProductID="spacewalk-oscap-4.3.2-22.12.1">spacewalk-oscap-4.3.2-22.12.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="spacewalk-remote-utils-4.3.2-27.12.2">
      <FullProductName ProductID="spacewalk-remote-utils-4.3.2-27.12.2">spacewalk-remote-utils-4.3.2-27.12.2</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="suseRegisterInfo-4.3.2-28.18.1">
      <FullProductName ProductID="suseRegisterInfo-4.3.2-28.18.1">suseRegisterInfo-4.3.2-28.18.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="zypp-plugin-spacewalk-1.0.11-33.18.1">
      <FullProductName ProductID="zypp-plugin-spacewalk-1.0.11-33.18.1">zypp-plugin-spacewalk-1.0.11-33.18.1</FullProductName>
    </Branch>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Grafana is an open source data visualization platform. In affected versions, unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths /dashboard/snapshot/:key or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (the default is false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths /api/snapshots/:key or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to the literal paths /api/snapshots/:key, /api/snapshots-delete/:deleteKey and /dashboard/snapshot/:key. They have no normal function and can be disabled without side effects.</Note>
    </Notes>
    <CVE>CVE-2021-39226</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>6.8</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2022/suse-su-20220310-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2021-39226.html</URL>
        <Description>CVE-2021-39226</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1191454</URL>
        <Description>SUSE Bug 1191454</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope: it only allows access to files with the extension .md, and only to authenticated users. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will also have to be able to handle URL-encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text.</Note>
    </Notes>
    <CVE>CVE-2021-43813</CVE>
    <ProductStatuses>
      <Status Type="Fixed"/>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4</BaseScore>
        <Vector>AV:N/AC:L/Au:S/C:P/I:N/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2022/suse-su-20220310-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2021-43813.html</URL>
        <Description>CVE-2021-43813</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1193686</URL>
        <Description>SUSE Bug 1193686</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1193688</URL>
        <Description>SUSE Bug 1193688</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
