Security update for SUSE Manager Client Tools SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:3875-1 Final 1 1 2023-09-28T11:45:38Z current 2023-09-28T11:45:38Z 2023-09-28T11:45:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SUSE Manager Client Tools This update fixes the following issues: golang-github-lusitaniae-apache_exporter: - Security issues fixed: * CVE-2022-32149: Fix denial of service vulnerability (bsc#1204501) * CVE-2022-41723: Fix uncontrolled resource consumption (bsc#1208270) * CVE-2022-46146: Fix authentication bypass vulnarability (bsc#1208046) - Changes and bugs fixed: * Updated to 1.0.0 (jsc#PED-5405) + Improved flag parsing + Added support for custom headers * Changes from 0.13.1 + Fix panic caused by missing flagConfig options * Changes from 0.11.0 (jsc#SLE-24791) + Add TLS support + Switch to logger, please check --log.level and --log.format flags * Changes from 0.10.1 + Bugfix: Reset ProxyBalancer metrics on each scrape to remove stale data * Changes from 0.10.0 + Add Apache Proxy and other metrics * Changes from 0.8.0 + Change commandline flags + Add metrics: Apache version, request duration total * Changes from 0.7.0 + Handle OS TERM signals * Changes from 0.6.0 + Add option to override host name * Added support for Red Hat Enterprise Linux * Added AppArmor profile * Added sandboxing options to systemd service unit * Build using promu * Build with Go 1.19 * Exclude s390 architecture golang-github-prometheus-node_exporter: - CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server while validating signatures for extremely large RSA keys. (bsc#1213880) There are no direct source changes. The CVE is fixed rebuilding the sources with the patched Go version. golang-github-QubitProducts-exporter_exporter: - CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server while validating signatures for extremely large RSA keys. (bsc#1213880) There are no direct source changes. The CVE is fixed rebuilding the sources with the patched Go version. prometheus-postgres_exporter: - CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server while validating signatures for extremely large RSA keys. (bsc#1213880) There are no direct source changes. The CVE is fixed rebuilding the sources with the patched Go version. scap-security-guide: - Updated to 0.1.69 (jsc#ECO-3319) - Introduce a JSON build manifest - Introduce a script to compare ComplianceAsCode versions - Introduce CCN profiles for Red Hat Enterprise Linux 9 - Map rules to components - products/anolis23: supports Anolis OS 23 - Render components to HTML - Store rendered control files - Test and use rules to components mapping - Use distributed product properties - Revert patch that breaks the SLE hardening (bsc#1213691) - Changes from 0.1.68 (jsc#ECO-3319) - Bump OL8 STIG version to V1R6 - Introduce a Product class, make the project work with it - Introduce Fedora and Firefox CaC profiles for common workstation users - OL7 DISA STIG v2r11 update - Publish rendered policy artifacts - Update ANSSI BP-028 to version 2.0 - Changes from 0.1.67 (jsc#ECO-3319) - Add utils/controlrefcheck.py - Red Hat Enterprise Linux 9 STIG Update Q1 2023 - Include warning for NetworkManager keyfiles in Red Hat Enterprise Linux 9 - OL7 stig v2r10 update - Bump version of OL8 STIG to V1R5 - Various enhancements to SLE profiles spacecmd: - Updated to 4.3.23-1 * Update translation strings The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-3875,SUSE-EL-9-CLIENT-TOOLS-2023-3875 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20233875-1/ Link for SUSE-SU-2023:3875-1 https://lists.suse.com/pipermail/sle-updates/2023-September/031784.html E-Mail link for SUSE-SU-2023:3875-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1204501 SUSE Bug 1204501 https://bugzilla.suse.com/1208046 SUSE Bug 1208046 https://bugzilla.suse.com/1208270 SUSE Bug 1208270 https://bugzilla.suse.com/1213691 SUSE Bug 1213691 https://bugzilla.suse.com/1213880 SUSE Bug 1213880 https://www.suse.com/security/cve/CVE-2022-32149/ SUSE CVE CVE-2022-32149 page https://www.suse.com/security/cve/CVE-2022-41723/ SUSE CVE CVE-2022-41723 page https://www.suse.com/security/cve/CVE-2022-46146/ SUSE CVE CVE-2022-46146 page https://www.suse.com/security/cve/CVE-2023-29409/ SUSE CVE CVE-2023-29409 page SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS SUSE:EL-9:Update:Products:ManagerTools:Update golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1 golang-github-lusitaniae-apache_exporter-1.0.0-1.8.1 golang-github-prometheus-node_exporter-1.5.0-1.9.2 prometheus-postgres_exporter-0.10.1-1.9.2 scap-security-guide-0.1.69-1.12.2 scap-security-guide-debian-0.1.69-1.12.2 scap-security-guide-redhat-0.1.69-1.12.2 scap-security-guide-ubuntu-0.1.69-1.12.2 spacecmd-4.3.23-1.18.2 golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1 as a component of SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS golang-github-lusitaniae-apache_exporter-1.0.0-1.8.1 as a component of SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS golang-github-prometheus-node_exporter-1.5.0-1.9.2 as a component of SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS prometheus-postgres_exporter-0.10.1-1.9.2 as a component of SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS scap-security-guide-redhat-0.1.69-1.12.2 as a component of SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS spacecmd-4.3.23-1.18.2 as a component of SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1 as a component of SUSE:EL-9:Update:Products:ManagerTools:Update golang-github-lusitaniae-apache_exporter-1.0.0-1.8.1 as a component of SUSE:EL-9:Update:Products:ManagerTools:Update golang-github-prometheus-node_exporter-1.5.0-1.9.2 as a component of SUSE:EL-9:Update:Products:ManagerTools:Update prometheus-postgres_exporter-0.10.1-1.9.2 as a component of SUSE:EL-9:Update:Products:ManagerTools:Update scap-security-guide-0.1.69-1.12.2 as a component of SUSE:EL-9:Update:Products:ManagerTools:Update scap-security-guide-debian-0.1.69-1.12.2 as a component of SUSE:EL-9:Update:Products:ManagerTools:Update scap-security-guide-redhat-0.1.69-1.12.2 as a component of SUSE:EL-9:Update:Products:ManagerTools:Update scap-security-guide-ubuntu-0.1.69-1.12.2 as a component of SUSE:EL-9:Update:Products:ManagerTools:Update spacecmd-4.3.23-1.18.2 as a component of SUSE:EL-9:Update:Products:ManagerTools:Update An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. CVE-2022-32149 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:golang-github-lusitaniae-apache_exporter-1.0.0-1.8.1 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:golang-github-prometheus-node_exporter-1.5.0-1.9.2 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:prometheus-postgres_exporter-0.10.1-1.9.2 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:scap-security-guide-redhat-0.1.69-1.12.2 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:spacecmd-4.3.23-1.18.2 SUSE:EL-9:Update:Products:ManagerTools:Update:golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1 SUSE:EL-9:Update:Products:ManagerTools:Update:golang-github-lusitaniae-apache_exporter-1.0.0-1.8.1 SUSE:EL-9:Update:Products:ManagerTools:Update:golang-github-prometheus-node_exporter-1.5.0-1.9.2 SUSE:EL-9:Update:Products:ManagerTools:Update:prometheus-postgres_exporter-0.10.1-1.9.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-debian-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-redhat-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-ubuntu-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:spacecmd-4.3.23-1.18.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233875-1/ https://www.suse.com/security/cve/CVE-2022-32149.html CVE-2022-32149 https://bugzilla.suse.com/1204501 SUSE Bug 1204501 A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. CVE-2022-41723 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:golang-github-lusitaniae-apache_exporter-1.0.0-1.8.1 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:golang-github-prometheus-node_exporter-1.5.0-1.9.2 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:prometheus-postgres_exporter-0.10.1-1.9.2 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:scap-security-guide-redhat-0.1.69-1.12.2 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:spacecmd-4.3.23-1.18.2 SUSE:EL-9:Update:Products:ManagerTools:Update:golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1 SUSE:EL-9:Update:Products:ManagerTools:Update:golang-github-lusitaniae-apache_exporter-1.0.0-1.8.1 SUSE:EL-9:Update:Products:ManagerTools:Update:golang-github-prometheus-node_exporter-1.5.0-1.9.2 SUSE:EL-9:Update:Products:ManagerTools:Update:prometheus-postgres_exporter-0.10.1-1.9.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-debian-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-redhat-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-ubuntu-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:spacecmd-4.3.23-1.18.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233875-1/ https://www.suse.com/security/cve/CVE-2022-41723.html CVE-2022-41723 https://bugzilla.suse.com/1208270 SUSE Bug 1208270 https://bugzilla.suse.com/1215588 SUSE Bug 1215588 Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality. CVE-2022-46146 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:golang-github-lusitaniae-apache_exporter-1.0.0-1.8.1 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:golang-github-prometheus-node_exporter-1.5.0-1.9.2 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:prometheus-postgres_exporter-0.10.1-1.9.2 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:scap-security-guide-redhat-0.1.69-1.12.2 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:spacecmd-4.3.23-1.18.2 SUSE:EL-9:Update:Products:ManagerTools:Update:golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1 SUSE:EL-9:Update:Products:ManagerTools:Update:golang-github-lusitaniae-apache_exporter-1.0.0-1.8.1 SUSE:EL-9:Update:Products:ManagerTools:Update:golang-github-prometheus-node_exporter-1.5.0-1.9.2 SUSE:EL-9:Update:Products:ManagerTools:Update:prometheus-postgres_exporter-0.10.1-1.9.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-debian-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-redhat-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-ubuntu-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:spacecmd-4.3.23-1.18.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233875-1/ https://www.suse.com/security/cve/CVE-2022-46146.html CVE-2022-46146 https://bugzilla.suse.com/1208046 SUSE Bug 1208046 Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. CVE-2023-29409 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:golang-github-lusitaniae-apache_exporter-1.0.0-1.8.1 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:golang-github-prometheus-node_exporter-1.5.0-1.9.2 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:prometheus-postgres_exporter-0.10.1-1.9.2 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:scap-security-guide-redhat-0.1.69-1.12.2 SUSE Manager Client Tools for RHEL, Liberty and Clones 9-CLIENT-TOOLS:spacecmd-4.3.23-1.18.2 SUSE:EL-9:Update:Products:ManagerTools:Update:golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1 SUSE:EL-9:Update:Products:ManagerTools:Update:golang-github-lusitaniae-apache_exporter-1.0.0-1.8.1 SUSE:EL-9:Update:Products:ManagerTools:Update:golang-github-prometheus-node_exporter-1.5.0-1.9.2 SUSE:EL-9:Update:Products:ManagerTools:Update:prometheus-postgres_exporter-0.10.1-1.9.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-debian-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-redhat-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:scap-security-guide-ubuntu-0.1.69-1.12.2 SUSE:EL-9:Update:Products:ManagerTools:Update:spacecmd-4.3.23-1.18.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233875-1/ https://www.suse.com/security/cve/CVE-2023-29409.html CVE-2023-29409 https://bugzilla.suse.com/1213880 SUSE Bug 1213880