A SUSE Manager Client Tools security update has been released for openSUSE Leap 15.2.

openSUSE-SU-2021:1162-1: moderate: Security update for SUSE Manager Client Tools

openSUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:1162-1
Rating: moderate
References: #1175478 #1186242 #1186508 #1186581 #1186650
#1188846 SLE-18254
Cross-References: CVE-2021-27962 CVE-2021-28146 CVE-2021-28147
CVE-2021-28148 CVE-2021-29622
CVSS scores:
CVE-2021-27962 (NVD) : 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CVE-2021-27962 (SUSE): 6.8 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE-2021-28148 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-29622 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that solves 5 vulnerabilities, contains one
feature and has one errata is now available.

Description:

This update fixes the following issues:

ansible:

- The support level for ansible is l2, not l3

dracut-saltboot:

- Force installation of libexpat.so.1 (bsc#1188846)
- Use kernel parameters from PXE formula also for local boot

golang-github-prometheus-prometheus:

- Provide and reload firewalld configuration only for:
+ openSUSE Leap 15.0, 15.1, 15.2
+ SUSE Linux Enterprise 15, 15 SP1, 15 SP2
- Upgrade to upstream version 2.27.1 (jsc#SLE-18254)
+ Bugfix:
* SECURITY: Fix arbitrary redirects under the /new endpoint
(CVE-2021-29622, bsc#1186242)
* UI: Provide errors instead of blank page on TSDB Status Page. #8654
#8659
* TSDB: Do not panic when writing very large records to the WAL. #8790
* TSDB: Avoid panic when mmaped memory is referenced after the file is
closed. #8723
* Scaleway Discovery: Fix nil pointer dereference. #8737
* Consul Discovery: Restart no longer required after config update
with no targets. #8766
+ Features:
* Promtool: Retroactive rule evaluation functionality.
* Configuration: Environment variable expansion for external labels.
Behind '--enable-feature=expand-external-labels' flag.
* Add a flag '--storage.tsdb.max-block-chunk-segment-size' to control
the max chunks file size of the blocks for small Prometheus
instances.
* UI: Add a dark theme.
* AWS Lightsail Discovery: Add AWS Lightsail Discovery.
* Docker Discovery: Add Docker Service Discovery.
* OAuth: Allow OAuth 2.0 to be used anywhere an HTTP client is used.
* Remote Write: Send exemplars via remote write. Experimental and
disabled by default.
+ Enhancements:
* Digital Ocean Discovery: Add '__meta_digitalocean_vpc' label.
* Scaleway Discovery: Read Scaleway secret from a file.
* Scrape: Add configurable limits for label size and count.
* UI: Add 16w and 26w time range steps.
* Templating: Enable parsing strings in humanize functions.
- Update package with changes from `server:monitoring` (bsc#1175478) Left
out removal of 'firewalld' related configuration files as SUSE Linux
Enterprise 15-SP1's `firewalld` package does not contain 'prometheus'
configuration yet.

mgr-cfg:

- No visible impact for the user

mgr-custom-info:

- No visible impact for the user

mgr-osad:

- No visible impact for the user

mgr-push:

- No visible impact for the user

mgr-virtualization:

- No visible impact for the user

rhnlib:

- No visible impact for the user

spacecmd:

- Make spacecmd aware of retracted patches/packages
- Enhance help for installation types when creating distributions
(bsc#1186581)
- Parse empty argument when nothing in between the separator

spacewalk-client-tools:

- Update translation strings

spacewalk-koan:

- Fix for spacewalk-koan tests after switching to the new Docker images

spacewalk-oscap:

- No visible impact for the user

suseRegisterInfo:

- No visible impact for the user

uyuni-common-libs:

- Handle broken RPM packages to prevent exceptions causing fails on
repository synchronization (bsc#1186650)
- Maintainer field in debian packages are only recommended (bsc#1186508)

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-1162=1


Package List:

- openSUSE Leap 15.2 (x86_64):

golang-github-prometheus-prometheus-2.27.1-lp152.3.13.1

- openSUSE Leap 15.2 (noarch):

ansible-2.9.21-lp152.2.7.1
ansible-doc-2.9.21-lp152.2.7.1
ansible-test-2.9.21-lp152.2.7.1
dracut-saltboot-0.1.1627546504.96a0b3e-lp152.2.26.1

References:

  https://www.suse.com/security/cve/CVE-2021-27962.html
  https://www.suse.com/security/cve/CVE-2021-28146.html
  https://www.suse.com/security/cve/CVE-2021-28147.html
  https://www.suse.com/security/cve/CVE-2021-28148.html
  https://www.suse.com/security/cve/CVE-2021-29622.html
  https://bugzilla.suse.com/1175478
  https://bugzilla.suse.com/1186242
  https://bugzilla.suse.com/1186508
  https://bugzilla.suse.com/1186581
  https://bugzilla.suse.com/1186650
  https://bugzilla.suse.com/1188846