openSUSE Local Security Checks : openSUSE Security Advisory (SUSE-SU-2024:4011-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.856728

Category: openSUSE Local Security Checks

Title: openSUSE Security Advisory (SUSE-SU-2024:4011-1)

Summary: The remote host is missing an update for the 'SUSE Manager Client Tools' package(s) announced via the SUSE-SU-2024:4011-1 advisory.

Description: Summary:
The remote host is missing an update for the 'SUSE Manager Client Tools' package(s) announced via the SUSE-SU-2024:4011-1 advisory.

Vulnerability Insight:
This update fixes the following issues:

golang-github-lusitaniae-apache_exporter:

- Security issues fixed:

* CVE-2023-3978: Fixed security bug in x/net dependency (bsc#1213933)

- Other changes and issues fixed:

* Delete unpackaged debug files for RHEL
* Do not include source files in the package for RHEL 9
* Require Go 1.20 when building for RedHat derivatives
* Drop EnvironmentFile from the service definition
* Explicitly unset $ARGS environment variable. Setting environment
variables should be done in drop-in systemd configuration files.
* Drop go_nostrip macro. It is not needed with current binutils and
Go.
* Migrate from `disabled` to `manual` source service type
* Drop BuildRequires: golang-packaging
* Upgrade to version 1.0.8 (bsc#1227341)
+ Update prometheus/client_golang to version 1.19.1
+ Update x/net to version 0.23.0
* Upgrade to version 1.0.7
+ Update protobuf to version 1.33.0
+ Update prometheus/client_golang to version 1.19.0
+ Update prometheus/common to version 0.46.0
+ Standardize landing page
* Upgrade to version 1.0.6
+ Update prometheus/exporter-toolkit to version 0.11.0
+ Update prometheus/client_golang to version 1.18.0
+ Add User-Agent header
* Upgrade to version 1.0.4
+ Update x/crypto to version 0.17.0
+ Update alecthomas/kingpin/v2 to version 2.4.0
+ Update prometheus/common to version 0.45.0
* Upgrade to version 1.0.3
+ Update prometheus/client_golang to version 1.17.0
+ Update x/net 0.17.0
* Upgrade to version 1.0.1
+ Update prometheus/exporter-toolkit to version 0.10.0
+ Update prometheus/common to version 0.44.0
+ Update prometheus/client_golang to version 1.16.0

golang-github-prometheus-promu:

- Require Go >= 1.21 for building
- Packaging improvements:
* Drop export CGO_ENABLED='0'. Use the default unless there is a
defined requirement or benefit (bsc#1230623).
- Update to version 0.16.0:
* Do not discover user/host for reproducible builds
* Fix example/prometheus build error
- Update to version 0.15.0:
* Add linux/riscv64 to default platforms
* Use yaml.Unmarshalstrict to validate configuration files

spacecmd:

- Version 5.0.10-0
* Speed up softwarechannel_removepackages (bsc#1227606)
* Fix error in 'kickstart_delete' when using wildcards
(bsc#1227578)
* Spacecmd bootstrap now works with specified port (bsc#1229437)
* Fix sls backup creation as directory with spacecmd (bsc#1230745)

uyuni-common-libs:

- Version 5.0.5-0
* Enforce directory permissions at repo-sync when creating
directories (bsc#1229260)

uyuni-tools:

- version 0.1.23-0
* Ensure namespace is defined in all kubernetes commands
* Use SCC credentials to authenticate against registry.suse.com
for kubernetes (bsc#1231157)
* Fix namespace usage on mgrctl cp command
- version 0.1.22-0
* Set projectId also for test packages/images
* mgradm migration should not pull Confidential Computing and Hub
image is replicas == 0 ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'SUSE Manager Client Tools' package(s) on openSUSE Leap 15.5, openSUSE Leap 15.6.

Solution:
Please install the updated package(s).

CVSS Score:
6.4

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2023-3978
https://go.dev/cl/514896
https://go.dev/issue/61615
https://pkg.go.dev/vuln/GO-2023-1988

Copyright Copyright (C) 2024 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.856728
Category:	openSUSE Local Security Checks
Title:	openSUSE Security Advisory (SUSE-SU-2024:4011-1)
Summary:	The remote host is missing an update for the 'SUSE Manager Client Tools' package(s) announced via the SUSE-SU-2024:4011-1 advisory.
Description:	Summary: The remote host is missing an update for the 'SUSE Manager Client Tools' package(s) announced via the SUSE-SU-2024:4011-1 advisory. Vulnerability Insight: This update fixes the following issues: golang-github-lusitaniae-apache_exporter: - Security issues fixed: * CVE-2023-3978: Fixed security bug in x/net dependency (bsc#1213933) - Other changes and issues fixed: * Delete unpackaged debug files for RHEL * Do not include source files in the package for RHEL 9 * Require Go 1.20 when building for RedHat derivatives * Drop EnvironmentFile from the service definition * Explicitly unset $ARGS environment variable. Setting environment variables should be done in drop-in systemd configuration files. * Drop go_nostrip macro. It is not needed with current binutils and Go. * Migrate from `disabled` to `manual` source service type * Drop BuildRequires: golang-packaging * Upgrade to version 1.0.8 (bsc#1227341) + Update prometheus/client_golang to version 1.19.1 + Update x/net to version 0.23.0 * Upgrade to version 1.0.7 + Update protobuf to version 1.33.0 + Update prometheus/client_golang to version 1.19.0 + Update prometheus/common to version 0.46.0 + Standardize landing page * Upgrade to version 1.0.6 + Update prometheus/exporter-toolkit to version 0.11.0 + Update prometheus/client_golang to version 1.18.0 + Add User-Agent header * Upgrade to version 1.0.4 + Update x/crypto to version 0.17.0 + Update alecthomas/kingpin/v2 to version 2.4.0 + Update prometheus/common to version 0.45.0 * Upgrade to version 1.0.3 + Update prometheus/client_golang to version 1.17.0 + Update x/net 0.17.0 * Upgrade to version 1.0.1 + Update prometheus/exporter-toolkit to version 0.10.0 + Update prometheus/common to version 0.44.0 + Update prometheus/client_golang to version 1.16.0 golang-github-prometheus-promu: - Require Go >= 1.21 for building - Packaging improvements: * Drop export CGO_ENABLED='0'. Use the default unless there is a defined requirement or benefit (bsc#1230623). - Update to version 0.16.0: * Do not discover user/host for reproducible builds * Fix example/prometheus build error - Update to version 0.15.0: * Add linux/riscv64 to default platforms * Use yaml.Unmarshalstrict to validate configuration files spacecmd: - Version 5.0.10-0 * Speed up softwarechannel_removepackages (bsc#1227606) * Fix error in 'kickstart_delete' when using wildcards (bsc#1227578) * Spacecmd bootstrap now works with specified port (bsc#1229437) * Fix sls backup creation as directory with spacecmd (bsc#1230745) uyuni-common-libs: - Version 5.0.5-0 * Enforce directory permissions at repo-sync when creating directories (bsc#1229260) uyuni-tools: - version 0.1.23-0 * Ensure namespace is defined in all kubernetes commands * Use SCC credentials to authenticate against registry.suse.com for kubernetes (bsc#1231157) * Fix namespace usage on mgrctl cp command - version 0.1.22-0 * Set projectId also for test packages/images * mgradm migration should not pull Confidential Computing and Hub image is replicas == 0 ... [Please see the references for more information on the vulnerabilities] Affected Software/OS: 'SUSE Manager Client Tools' package(s) on openSUSE Leap 15.5, openSUSE Leap 15.6. Solution: Please install the updated package(s). CVSS Score: 6.4 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2023-3978 https://go.dev/cl/514896 https://go.dev/issue/61615 https://pkg.go.dev/vuln/GO-2023-1988
Copyright	Copyright (C) 2024 Greenbone AG