Security update for pcp

Announcement ID:	SUSE-SU-2024:3533-1
Release Date:	2024-10-04T14:40:38Z
Rating:	important
References:	bsc#1217826 bsc#1222121 bsc#1222815 bsc#1230551 bsc#1230552 jsc#PED-8192 jsc#PED-8389
Cross-References:	CVE-2023-6917 CVE-2024-3019 CVE-2024-45769 CVE-2024-45770
CVSS scores:	CVE-2023-6917 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2024-3019 ( SUSE ): 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-45769 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-45770 ( SUSE ): 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVE-2024-45770 ( SUSE ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVE-2024-45770 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected Products:	Development Tools Module 15-SP6 openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves four vulnerabilities, contains two features and has one security fix can now be installed.

Description:

This update for pcp fixes the following issues:

pcp was updated from version 5.3.7 to version 6.2.0 (jsc#PED-8192, jsc#PED-8389):

• Security issues fixed:

• CVE-2024-45770: Fixed a symlink attack that allows escalating from the pcp to the root user (bsc#1230552)

• CVE-2024-45769: Fixed a heap corruption through metric pmstore operations (bsc#1230551)
• CVE-2023-6917: Fixed local privilege escalation from pcp user to root in /usr/libexec/pcp/lib/pmproxy (bsc#1217826)

• CVE-2024-3019: Disabled redis proxy by default (bsc#1222121)

• Major changes:

• Add version 3 PCP archive support: instance domain change-deltas, Y2038-safe timestamps, nanosecond-precision timestamps, arbitrary timezones support, 64-bit file offsets used throughout for larger (beyond 2GB) individual volumes.

  • Opt-in using the /etc/pcp.conf PCP_ARCHIVE_VERSION setting
  • Version 2 archives remain the default (for next few years).
• Switch to using OpenSSL only throughout PCP (dropped NSS/NSPR); this impacts on libpcp, PMAPI clients and PMCD use of encryption; these are now configured and used consistently with pmproxy HTTPS support and redis-server, which were both already using OpenSSL.
• New nanosecond precision timestamp PMAPI calls for PCP library interfaces that make use of timestamps.
  These are all optional, and full backward compatibility is preserved for existing tools.

• For the full list of changes please consult the packaged CHANGELOG file

• Other packaging changes:

• Moved pmlogger_daily into main package (bsc#1222815)

• Change dependency from openssl-devel >= 1.1.1 to openssl-devel >= 1.0.2p. Required for SLE-12.
• Introduce 'pmda-resctrl' package, disabled for architectures other than x86_64.
• Change the architecture for various subpackages to 'noarch' as they contain no binaries.
• Disable 'pmda-mssql', as it fails to build.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2024-3533=1 SUSE-2024-3533=1
• Development Tools Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2024-3533=1

Package List:

• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
  • pcp-pmda-dm-6.2.0-150600.3.6.1
  • libpcp_web1-debuginfo-6.2.0-150600.3.6.1
  • libpcp_gui2-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-nvidia-gpu-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-hacluster-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-lustrecomm-6.2.0-150600.3.6.1
  • pcp-pmda-gfs2-6.2.0-150600.3.6.1
  • pcp-pmda-mounts-debuginfo-6.2.0-150600.3.6.1
  • pcp-devel-debuginfo-6.2.0-150600.3.6.1
  • pcp-system-tools-6.2.0-150600.3.6.1
  • python3-pcp-6.2.0-150600.3.6.1
  • pcp-pmda-systemd-debuginfo-6.2.0-150600.3.6.1
  • libpcp3-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-apache-6.2.0-150600.3.6.1
  • pcp-pmda-sockets-debuginfo-6.2.0-150600.3.6.1
  • perl-PCP-MMV-6.2.0-150600.3.6.1
  • pcp-pmda-summary-6.2.0-150600.3.6.1
  • pcp-pmda-bash-6.2.0-150600.3.6.1
  • pcp-pmda-mailq-6.2.0-150600.3.6.1
  • pcp-pmda-sendmail-6.2.0-150600.3.6.1
  • libpcp_web1-6.2.0-150600.3.6.1
  • pcp-pmda-apache-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-logger-6.2.0-150600.3.6.1
  • pcp-testsuite-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-trace-debuginfo-6.2.0-150600.3.6.1
  • pcp-devel-6.2.0-150600.3.6.1
  • pcp-pmda-summary-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-logger-debuginfo-6.2.0-150600.3.6.1
  • perl-PCP-PMDA-6.2.0-150600.3.6.1
  • pcp-pmda-sockets-6.2.0-150600.3.6.1
  • pcp-pmda-weblog-6.2.0-150600.3.6.1
  • perl-PCP-MMV-debuginfo-6.2.0-150600.3.6.1
  • pcp-debugsource-6.2.0-150600.3.6.1
  • pcp-6.2.0-150600.3.6.1
  • pcp-pmda-smart-6.2.0-150600.3.6.1
  • pcp-pmda-roomtemp-6.2.0-150600.3.6.1
  • pcp-pmda-docker-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-shping-6.2.0-150600.3.6.1
  • pcp-pmda-shping-debuginfo-6.2.0-150600.3.6.1
  • perl-PCP-LogSummary-6.2.0-150600.3.6.1
  • libpcp_gui2-6.2.0-150600.3.6.1
  • pcp-pmda-smart-debuginfo-6.2.0-150600.3.6.1
  • perl-PCP-LogImport-6.2.0-150600.3.6.1
  • libpcp3-6.2.0-150600.3.6.1
  • pcp-pmda-cifs-debuginfo-6.2.0-150600.3.6.1
  • python3-pcp-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-cifs-6.2.0-150600.3.6.1
  • pcp-pmda-cisco-6.2.0-150600.3.6.1
  • pcp-pmda-hacluster-6.2.0-150600.3.6.1
  • pcp-pmda-mailq-debuginfo-6.2.0-150600.3.6.1
  • pcp-import-collectl2pcp-6.2.0-150600.3.6.1
  • pcp-pmda-gfs2-debuginfo-6.2.0-150600.3.6.1
  • libpcp_import1-debuginfo-6.2.0-150600.3.6.1
  • libpcp-devel-6.2.0-150600.3.6.1
  • pcp-pmda-roomtemp-debuginfo-6.2.0-150600.3.6.1
  • libpcp_trace2-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-trace-6.2.0-150600.3.6.1
  • perl-PCP-PMDA-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-zimbra-debuginfo-6.2.0-150600.3.6.1
  • libpcp_mmv1-6.2.0-150600.3.6.1
  • pcp-pmda-nvidia-gpu-6.2.0-150600.3.6.1
  • pcp-pmda-bash-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-cisco-debuginfo-6.2.0-150600.3.6.1
  • libpcp_import1-6.2.0-150600.3.6.1
  • pcp-gui-debuginfo-6.2.0-150600.3.6.1
  • libpcp_trace2-6.2.0-150600.3.6.1
  • pcp-testsuite-6.2.0-150600.3.6.1
  • libpcp_mmv1-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-systemd-6.2.0-150600.3.6.1
  • pcp-pmda-lustrecomm-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-sendmail-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-weblog-debuginfo-6.2.0-150600.3.6.1
  • pcp-system-tools-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-mounts-6.2.0-150600.3.6.1
  • pcp-import-collectl2pcp-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-zimbra-6.2.0-150600.3.6.1
  • pcp-gui-6.2.0-150600.3.6.1
  • pcp-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-docker-6.2.0-150600.3.6.1
  • pcp-pmda-dm-debuginfo-6.2.0-150600.3.6.1
  • perl-PCP-LogImport-debuginfo-6.2.0-150600.3.6.1
• openSUSE Leap 15.6 (noarch)
  • pcp-pmda-redis-6.2.0-150600.3.6.1
  • pcp-pmda-snmp-6.2.0-150600.3.6.1
  • pcp-pmda-postfix-6.2.0-150600.3.6.1
  • pcp-pmda-memcache-6.2.0-150600.3.6.1
  • pcp-pmda-mysql-6.2.0-150600.3.6.1
  • pcp-pmda-news-6.2.0-150600.3.6.1
  • pcp-pmda-samba-6.2.0-150600.3.6.1
  • pcp-export-pcp2influxdb-6.2.0-150600.3.6.1
  • pcp-pmda-nfsclient-6.2.0-150600.3.6.1
  • pcp-pmda-openmetrics-6.2.0-150600.3.6.1
  • pcp-export-pcp2elasticsearch-6.2.0-150600.3.6.1
  • pcp-conf-6.2.0-150600.3.6.1
  • pcp-pmda-nutcracker-6.2.0-150600.3.6.1
  • pcp-pmda-lmsensors-6.2.0-150600.3.6.1
  • pcp-pmda-unbound-6.2.0-150600.3.6.1
  • pcp-pmda-gluster-6.2.0-150600.3.6.1
  • pcp-pmda-mic-6.2.0-150600.3.6.1
  • pcp-pmda-named-6.2.0-150600.3.6.1
  • pcp-pmda-netfilter-6.2.0-150600.3.6.1
  • pcp-pmda-zswap-6.2.0-150600.3.6.1
  • pcp-pmda-ds389-6.2.0-150600.3.6.1
  • pcp-pmda-slurm-6.2.0-150600.3.6.1
  • pcp-import-mrtg2pcp-6.2.0-150600.3.6.1
  • pcp-pmda-dbping-6.2.0-150600.3.6.1
  • pcp-pmda-netcheck-6.2.0-150600.3.6.1
  • pcp-pmda-openvswitch-6.2.0-150600.3.6.1
  • pcp-pmda-json-6.2.0-150600.3.6.1
  • pcp-pmda-elasticsearch-6.2.0-150600.3.6.1
  • pcp-import-sar2pcp-6.2.0-150600.3.6.1
  • pcp-doc-6.2.0-150600.3.6.1
  • pcp-pmda-haproxy-6.2.0-150600.3.6.1
  • pcp-pmda-gpsd-6.2.0-150600.3.6.1
  • pcp-pmda-ds389log-6.2.0-150600.3.6.1
  • pcp-export-pcp2json-6.2.0-150600.3.6.1
  • pcp-pmda-gpfs-6.2.0-150600.3.6.1
  • pcp-pmda-oracle-6.2.0-150600.3.6.1
  • pcp-pmda-rsyslog-6.2.0-150600.3.6.1
  • pcp-export-pcp2zabbix-6.2.0-150600.3.6.1
  • pcp-pmda-lustre-6.2.0-150600.3.6.1
  • pcp-import-iostat2pcp-6.2.0-150600.3.6.1
  • pcp-pmda-activemq-6.2.0-150600.3.6.1
  • pcp-import-ganglia2pcp-6.2.0-150600.3.6.1
  • pcp-pmda-bonding-6.2.0-150600.3.6.1
  • pcp-pmda-pdns-6.2.0-150600.3.6.1
  • pcp-zeroconf-6.2.0-150600.3.6.1
  • pcp-export-pcp2spark-6.2.0-150600.3.6.1
  • pcp-pmda-rabbitmq-6.2.0-150600.3.6.1
  • pcp-pmda-nginx-6.2.0-150600.3.6.1
  • pcp-export-pcp2graphite-6.2.0-150600.3.6.1
  • pcp-export-pcp2xml-6.2.0-150600.3.6.1
• openSUSE Leap 15.6 (aarch64 ppc64le x86_64 i586)
  • pcp-pmda-infiniband-6.2.0-150600.3.6.1
  • pcp-pmda-perfevent-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-infiniband-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-perfevent-6.2.0-150600.3.6.1
• openSUSE Leap 15.6 (x86_64)
  • pcp-pmda-resctrl-6.2.0-150600.3.6.1
  • pcp-pmda-resctrl-debuginfo-6.2.0-150600.3.6.1
• Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  • libpcp_web1-debuginfo-6.2.0-150600.3.6.1
  • libpcp_gui2-debuginfo-6.2.0-150600.3.6.1
  • pcp-system-tools-6.2.0-150600.3.6.1
  • python3-pcp-6.2.0-150600.3.6.1
  • pcp-devel-debuginfo-6.2.0-150600.3.6.1
  • libpcp3-debuginfo-6.2.0-150600.3.6.1
  • perl-PCP-MMV-6.2.0-150600.3.6.1
  • libpcp_web1-6.2.0-150600.3.6.1
  • pcp-devel-6.2.0-150600.3.6.1
  • perl-PCP-MMV-debuginfo-6.2.0-150600.3.6.1
  • pcp-debugsource-6.2.0-150600.3.6.1
  • pcp-6.2.0-150600.3.6.1
  • perl-PCP-LogSummary-6.2.0-150600.3.6.1
  • libpcp_gui2-6.2.0-150600.3.6.1
  • perl-PCP-LogImport-6.2.0-150600.3.6.1
  • libpcp3-6.2.0-150600.3.6.1
  • python3-pcp-debuginfo-6.2.0-150600.3.6.1
  • perl-PCP-PMDA-6.2.0-150600.3.6.1
  • libpcp_import1-debuginfo-6.2.0-150600.3.6.1
  • libpcp-devel-6.2.0-150600.3.6.1
  • libpcp_trace2-debuginfo-6.2.0-150600.3.6.1
  • libpcp_mmv1-6.2.0-150600.3.6.1
  • libpcp_import1-6.2.0-150600.3.6.1
  • libpcp_trace2-6.2.0-150600.3.6.1
  • libpcp_mmv1-debuginfo-6.2.0-150600.3.6.1
  • pcp-system-tools-debuginfo-6.2.0-150600.3.6.1
  • perl-PCP-PMDA-debuginfo-6.2.0-150600.3.6.1
  • pcp-debuginfo-6.2.0-150600.3.6.1
  • perl-PCP-LogImport-debuginfo-6.2.0-150600.3.6.1
• Development Tools Module 15-SP6 (noarch)
  • pcp-import-sar2pcp-6.2.0-150600.3.6.1
  • pcp-conf-6.2.0-150600.3.6.1
  • pcp-import-iostat2pcp-6.2.0-150600.3.6.1
  • pcp-import-mrtg2pcp-6.2.0-150600.3.6.1
  • pcp-doc-6.2.0-150600.3.6.1
• Development Tools Module 15-SP6 (ppc64le)
  • pcp-pmda-perfevent-debuginfo-6.2.0-150600.3.6.1
  • pcp-pmda-perfevent-6.2.0-150600.3.6.1

References:

• https://www.suse.com/security/cve/CVE-2023-6917.html
• https://www.suse.com/security/cve/CVE-2024-3019.html
• https://www.suse.com/security/cve/CVE-2024-45769.html
• https://www.suse.com/security/cve/CVE-2024-45770.html
• https://bugzilla.suse.com/show_bug.cgi?id=1217826
• https://bugzilla.suse.com/show_bug.cgi?id=1222121
• https://bugzilla.suse.com/show_bug.cgi?id=1222815
• https://bugzilla.suse.com/show_bug.cgi?id=1230551
• https://bugzilla.suse.com/show_bug.cgi?id=1230552
• https://jira.suse.com/browse/PED-8192
• https://jira.suse.com/browse/PED-8389