Security update for SUSE Manager Client Tools

Announcement ID:	SUSE-SU-2023:2917-1
Rating:	critical
References:	#1212099 #1212100 #1212641
Cross-References:	CVE-2023-2183 CVE-2023-2801 CVE-2023-3128
CVSS scores:	CVE-2023-2183 ( SUSE ): 4.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N CVE-2023-2183 ( NVD ): 4.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N CVE-2023-2801 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-2801 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-3128 ( SUSE ): 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L CVE-2023-3128 ( NVD ): 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Affected Products:	openSUSE Leap 15.4 openSUSE Leap 15.5 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3 SUSE Package Hub 15 15-SP4 SUSE Package Hub 15 15-SP5

An update that solves three vulnerabilities and contains two features can now be installed.

Description:

This update fixes the following issues:

grafana:

• Update to version 9.5.5:
• CVE-2023-3128: Fix authentication bypass using Azure AD OAuth (bsc#1212641, jsc#PED-3694)
• Bug fixes:
  • Auth: Show invite button if disable login form is set to false.
  • Azure: Fix Kusto auto-completion for Azure datasources.
  • RBAC: Remove legacy AC editor and admin role on new dashboard route.
  • API: Revert allowing editors to access GET /datasources.
  • Settings: Add ability to override skip_org_role_sync with Env variables.
• Update to version 9.5.3:
• CVE-2023-2801: Query: Prevent crash while executing concurrent mixed queries (bsc#1212099)
• CVE-2023-2183: Alerting: Require alert.notifications:write permissions to test receivers and templates (bsc#1212100)
• Update to version 9.5.2: Alerting: Scheduler use rule fingerprint instead of version. Explore: Update table min height. DataLinks: Encoded URL fixed. TimeSeries: Fix leading null-fill for missing intervals. Dashboard: Revert fixed header shown on mobile devices in the new panel header. PostgreSQL: Fix TLS certificate issue by downgrading lib/pq. Provisioning: Fix provisioning issues with legacy alerting and data source permissions. Alerting: Fix misleading status code in provisioning API. Loki: Fix log samples using instant queries. Panel Header: Implement new Panel Header on Angular Panels. Azure Monitor: Fix bug that was not showing resources for certain locations. Alerting: Fix panic when reparenting receivers to groups following an attempted rename via Provisioning. Cloudwatch Logs: Clarify Cloudwatch Logs Limits.
• Update to 9.5.1 Loki Variable Query Editor: Fix bug when the query is updated Expressions: Fix expression load with legacy UID -100

Patch Instructions:

To install this SUSE Critical update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2023-2917=1
• openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2023-2917=1
• SUSE Package Hub 15 15-SP4
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-2917=1
• SUSE Package Hub 15 15-SP5
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2023-2917=1

Package List:

• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  • grafana-debuginfo-9.5.5-150200.3.44.1
  • grafana-9.5.5-150200.3.44.1
• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  • grafana-debuginfo-9.5.5-150200.3.44.1
  • grafana-9.5.5-150200.3.44.1
• SUSE Package Hub 15 15-SP4 (aarch64 ppc64le s390x x86_64)
  • grafana-debuginfo-9.5.5-150200.3.44.1
  • grafana-9.5.5-150200.3.44.1
• SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
  • grafana-debuginfo-9.5.5-150200.3.44.1
  • grafana-9.5.5-150200.3.44.1

References:

• https://www.suse.com/security/cve/CVE-2023-2183.html
• https://www.suse.com/security/cve/CVE-2023-2801.html
• https://www.suse.com/security/cve/CVE-2023-3128.html
• https://bugzilla.suse.com/show_bug.cgi?id=1212099
• https://bugzilla.suse.com/show_bug.cgi?id=1212100
• https://bugzilla.suse.com/show_bug.cgi?id=1212641
• https://jira.suse.com/browse/MSQA-687
• https://jira.suse.com/browse/PED-3694