Bug 1196338 (CVE-2022-21698)

Summary:	VUL-0: CVE-2022-21698: rook,golang-github-prometheus-alertmanager,golang-github-prometheus-node_exporter,golang-github-prometheus-prometheus: prometheus/client_golang: Denial of service using InstrumentHandlerCounter
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Gianluca Gabrielli <gianluca.gabrielli>
Component:	Incidents	Assignee:	E-Mail List <ceph-bugs>
Status:	IN_PROGRESS ---	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P3 - Medium	CC:	abergmann, asettle, ceph-bugs, gabriele.sonnu, meissner, rfrohl, smash_bz, stefan.haas, stoyan.manolov, witold.bedyk
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/323818/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-21698:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Gianluca Gabrielli 2022-02-23 10:45:00 UTC

A malicious actor can in theory kill / DOS a server in Go instrumented using prometheus/client_golang InstrumentHandlerCounter in the version below 1.12.

References:

https://github.com/prometheus/client_golang/blob/22da9497b8f0d53072dfc4721904faa7395d8318/prometheus/promhttp/instrument_server.go#L95

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2045880
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21698
http://seclists.org/oss-sec/2022/q1/140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21698
https://github.com/prometheus/client_golang/pull/962
https://github.com/prometheus/client_golang/releases/tag/v1.11.1
https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p
https://github.com/prometheus/client_golang/pull/987

Comment 1 Gianluca Gabrielli 2022-02-23 10:49:32 UTC

Witek could you please submit to the following packages?

 - golang-github-prometheus-prometheus
   - SUSE:SLE-12:Update/golang-github-prometheus-prometheus/vendor/github.com/prometheus/client_golang
   - SUSE:SLE-15:Update/golang-github-prometheus-prometheus/vendor/github.com/prometheus/client_golang
   - SUSE:SLE-15-SP1:Update/golang-github-prometheus-prometheus/vendor/github.com/prometheus/client_golang
   - SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update/golang-github-prometheus-prometheus/vendor/github.com/prometheus/client_golang
   - SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/golang-github-prometheus-prometheus/vendor/github.com/prometheus/client_golang


 - golang-github-prometheus-node_exporter
   - SUSE:SLE-15-SP2:Update:Products:Manager41:Update/golang-github-prometheus-node_exporter/vendor/github.com/prometheus/client_golang
   - SUSE:RES-8:Update:Products:ManagerToolsBeta:Update/golang-github-prometheus-node_exporter/vendor/github.com/prometheus/client_golang
   - SUSE:SLE-11-SP3:Update:Manager3:Update/golang-github-prometheus-node_exporter/node_exporter/vendor/github.com/prometheus/client_golang
   - SUSE:SLE-12:Update/golang-github-prometheus-node_exporter/vendor/github.com/prometheus/client_golang
   - SUSE:RES-7:Update:Products:ManagerToolsBeta:Update/golang-github-prometheus-node_exporter/vendor/github.com/prometheus/client_golang
   - SUSE:SLE-15-SP1:Update/golang-github-prometheus-node_exporter/vendor/github.com/prometheus/client_golang
   - SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update/golang-github-prometheus-node_exporter/vendor/github.com/prometheus/client_golang
   - SUSE:RES-7:Update/golang-github-prometheus-node_exporter/vendor/github.com/prometheus/client_golang
   - SUSE:RES-8:Update:Products:ManagerTools:Update/golang-github-prometheus-node_exporter/vendor/github.com/prometheus/client_golang
   - SUSE:SLE-15-SP3:Update/golang-github-vpenso-prometheus_slurm_exporter/vendor/github.com/prometheus/client_golang
   - SUSE:SLE-11-SP3:Update:Products:ManagerToolsBeta:Update/golang-github-prometheus-node_exporter/node_exporter/vendor/github.com/prometheus/client_golang
   - SUSE:SLE-15:Update/golang-github-prometheus-node_exporter/node_exporter-1.0.1/vendor/github.com/prometheus/client_golang
   - SUSE:SLE-12-SP2:Update/golang-github-prometheus-node_exporter/vendor/github.com/prometheus/client_golang

 - golang-github-prometheus-alertmanager
   - SUSE:SLE-12:Update/golang-github-prometheus-alertmanager/alertmanager-0.21.0/vendor/github.com/prometheus/client_golang
   - SUSE:SLE-15-SP1:Update/golang-github-prometheus-alertmanager/alertmanager-0.21.0/vendor/github.com/prometheus/client_golang
   - SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update/golang-github-prometheus-alertmanager/alertmanager-0.21.0/vendor/github.com/prometheus/client_golang
   - SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/golang-github-prometheus-alertmanager/alertmanager-0.21.0/vendor/github.com/prometheus/client_golang

coldpool@suse.de could you please take care of the following one?

 - rook
   - SUSE:SLE-15-SP2:Update:Products:SES7:Update/rook/vendor/github.com/prometheus/client_golang

Comment 2 Gabriele Sonnu 2022-03-21 15:43:36 UTC

SUSE:SLE-15-SP3:Update:Products:SES7:Update/rook is also affected

Comment 3 Gianluca Gabrielli 2022-03-21 16:06:14 UTC

coldpool and Witek could you please provide your feedback?

Comment 4 Witek Bedyk 2022-03-23 11:04:07 UTC

I've fixed monitoring packages by updating vendor tarballs. Current status is the following:

* golang-github-prometheus-prometheus

Fix submitted to openSUSE:Factory, waiting to accumulate another pending bugfix before submitting to SLE codestreams.

* golang-github-prometheus-node_exporter

Fix in review at openSUSE:Factory.

* golang-github-prometheus-alertmanager

Fix submitted to openSUSE:Factory. The bugfix includes version bump of build requirement `promu`. ECO is needed here  to upgrade both Alertmanager and promu in SLE codestreams.

Comment 5 Gianluca Gabrielli 2022-03-28 10:39:25 UTC

(In reply to Witek Bedyk from comment #4)
> I've fixed monitoring packages by updating vendor tarballs. Current status
> is the following:
> 
> * golang-github-prometheus-prometheus
> 
> Fix submitted to openSUSE:Factory, waiting to accumulate another pending
> bugfix before submitting to SLE codestreams.
> 
> * golang-github-prometheus-node_exporter
> 
> Fix in review at openSUSE:Factory.

Could you update here once SLE submissions are provided?

> * golang-github-prometheus-alertmanager
> 
> Fix submitted to openSUSE:Factory. The bugfix includes version bump of build
> requirement `promu`. ECO is needed here  to upgrade both Alertmanager and
> promu in SLE codestreams.

Do you mean the package `golang-github-prometheus-promu`? In this case the ECO is only required for SUSE:SLE-12:Update which ships to SLE-Manager-Tools_12.

Comment 9 Swamp Workflow Management 2022-04-27 16:18:42 UTC

SUSE-SU-2022:1434-1: An update that solves one vulnerability, contains one feature and has one errata is now available.

Category: security (important)
Bug References: 1196338,1197042
CVE References: CVE-2022-21698
JIRA References: SLE-24376
Sources used:
SUSE Manager Tools 15 (src):    golang-github-prometheus-prometheus-2.32.1-150000.3.41.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 Swamp Workflow Management 2022-04-27 16:19:57 UTC

SUSE-SU-2022:1433-1: An update that solves one vulnerability, contains one feature and has one errata is now available.

Category: security (important)
Bug References: 1196338,1197042
CVE References: CVE-2022-21698
JIRA References: SLE-24376
Sources used:
SUSE Manager Tools 12 (src):    golang-github-prometheus-prometheus-2.32.1-1.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Swamp Workflow Management 2022-04-27 16:20:52 UTC

SUSE-SU-2022:1435-1: An update that solves one vulnerability, contains three features and has one errata is now available.

Category: security (important)
Bug References: 1196338,1197042
CVE References: CVE-2022-21698
JIRA References: SLE-24373,SLE-24374,SLE-24375
Sources used:
openSUSE Leap 15.4 (src):    golang-github-prometheus-prometheus-2.32.1-150100.4.9.2
openSUSE Leap 15.3 (src):    firewalld-0.9.3-150300.3.6.1, golang-github-prometheus-prometheus-2.32.1-150100.4.9.2
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (src):    golang-github-prometheus-prometheus-2.32.1-150100.4.9.2
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (src):    golang-github-prometheus-prometheus-2.32.1-150100.4.9.2
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (src):    golang-github-prometheus-prometheus-2.32.1-150100.4.9.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    firewalld-0.9.3-150300.3.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    firewalld-0.9.3-150300.3.6.1
SUSE Linux Enterprise Micro 5.2 (src):    firewalld-0.9.3-150300.3.6.1
SUSE Linux Enterprise Micro 5.1 (src):    firewalld-0.9.3-150300.3.6.1
SUSE Enterprise Storage 6 (src):    golang-github-prometheus-prometheus-2.32.1-150100.4.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Swamp Workflow Management 2022-05-04 19:19:55 UTC

SUSE-SU-2022:1531-1: An update that solves 5 vulnerabilities, contains 5 features and has three fixes is now available.

Category: security (important)
Bug References: 1181400,1190535,1196338,1196704,1197042,1197417,1197579,1197689
CVE References: CVE-2020-22935,CVE-2022-21698,CVE-2022-22934,CVE-2022-22936,CVE-2022-22941
JIRA References: SLE-24077,SLE-24138,SLE-24139,SLE-24238,SLE-24239
Sources used:
SUSE Manager Tools 12-BETA (src):    golang-github-prometheus-alertmanager-0.23.0-4.9.1, golang-github-prometheus-node_exporter-1.3.0-4.12.1, golang-github-prometheus-prometheus-2.32.1-4.30.1, golang-github-prometheus-promu-0.13.0-4.9.1, mgr-cfg-4.3.6-4.27.1, mgr-osad-4.3.6-4.27.1, mgr-push-4.3.4-4.18.1, mgr-virtualization-4.3.5-4.18.1, rhnlib-4.3.4-24.27.1, salt-3000-53.11.1, spacecmd-4.3.10-41.39.1, spacewalk-client-tools-4.3.9-55.45.1, spacewalk-koan-4.3.5-27.18.1, spacewalk-oscap-4.3.5-22.18.1, suseRegisterInfo-4.3.3-28.21.1, uyuni-common-libs-4.3.4-3.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 14 Swamp Workflow Management 2022-05-05 13:23:10 UTC

SUSE-SU-2022:1545-1: An update that solves 5 vulnerabilities, contains two features and has four fixes is now available.

Category: security (important)
Bug References: 1181400,1196338,1196704,1197042,1197417,1197533,1197579,1197637,1197689
CVE References: CVE-2022-21698,CVE-2022-22934,CVE-2022-22935,CVE-2022-22936,CVE-2022-22941
JIRA References: SLE-24077,SLE-24145
Sources used:
SUSE Manager Tools 15-BETA (src):    golang-github-prometheus-alertmanager-0.23.0-159000.6.9.3, golang-github-prometheus-prometheus-2.32.1-159000.6.30.4, mgr-cfg-4.3.6-159000.4.26.1, mgr-osad-4.3.6-159000.4.27.2, mgr-push-4.3.4-159000.4.18.2, mgr-virtualization-4.3.5-159000.4.18.2, rhnlib-4.3.4-159000.6.27.2, salt-3004-159000.8.56.1, spacecmd-4.3.10-159000.6.39.2, spacewalk-client-tools-4.3.9-159000.6.45.2, spacewalk-koan-4.3.5-159000.6.18.1, spacewalk-oscap-4.3.5-159000.6.18.2, suseRegisterInfo-4.3.3-159000.6.21.2, uyuni-common-libs-4.3.4-159000.3.30.2, uyuni-proxy-systemd-services-4.3.2-159000.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Witek Bedyk 2022-05-09 09:46:07 UTC

golang-github-prometheus-prometheus - ACCEPTED
golang-github-prometheus-node_exporter - IN REVIEW
golang-github-prometheus-alertmanager - IN REVIEW

Comment 17 Witek Bedyk 2022-05-10 14:01:13 UTC

Monitoring changes completed. Leaving the bug open for SES.

Comment 18 Marcus Meissner 2022-05-11 08:36:51 UTC

rook was incorrectly assigned bugowner coldpool, i adjusted it to storage-team.

Comment 23 Swamp Workflow Management 2022-06-20 16:22:51 UTC

SUSE-SU-2022:2137-1: An update that solves one vulnerability, contains two features and has two fixes is now available.

Category: security (important)
Bug References: 1151558,1190535,1196338
CVE References: CVE-2022-21698
JIRA References: SLE-24238,SLE-24239
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1
SUSE Linux Enterprise Server 15-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 24 Swamp Workflow Management 2022-06-20 16:24:44 UTC

SUSE-SU-2022:2139-1: An update that solves one vulnerability, contains one feature and has one errata is now available.

Category: security (important)
Bug References: 1181400,1196338
CVE References: CVE-2022-21698
JIRA References: SLE-24077
Sources used:
openSUSE Leap 15.4 (src):    golang-github-prometheus-alertmanager-0.23.0-150100.4.7.1
openSUSE Leap 15.3 (src):    golang-github-prometheus-alertmanager-0.23.0-150100.4.7.1
SUSE Manager Tools 15 (src):    golang-github-prometheus-alertmanager-0.23.0-150100.4.7.1
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (src):    golang-github-prometheus-alertmanager-0.23.0-150100.4.7.1
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (src):    golang-github-prometheus-alertmanager-0.23.0-150100.4.7.1
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (src):    golang-github-prometheus-alertmanager-0.23.0-150100.4.7.1
SUSE Enterprise Storage 6 (src):    golang-github-prometheus-alertmanager-0.23.0-150100.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 25 Swamp Workflow Management 2022-06-20 16:25:45 UTC

SUSE-SU-2022:2140-1: An update that solves one vulnerability, contains two features and has one errata is now available.

Category: security (important)
Bug References: 1190535,1196338
CVE References: CVE-2022-21698
JIRA References: SLE-24238,SLE-24239
Sources used:
openSUSE Leap 15.4 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
openSUSE Leap 15.3 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Manager Server 4.1 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Manager Retail Branch Server 4.1 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Manager Proxy 4.1 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Enterprise Storage 7 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE Enterprise Storage 6 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1
SUSE CaaS Platform 4.0 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 26 Swamp Workflow Management 2022-06-20 16:40:19 UTC

SUSE-SU-2022:2134-1: An update that fixes 13 vulnerabilities, contains 5 features is now available.

Category: security (important)
Bug References: 1181223,1181400,1190462,1190535,1193600,1194873,1195726,1195727,1195728,1196338,1196704,1197507,1197689
CVE References: CVE-2021-36222,CVE-2021-3711,CVE-2021-39226,CVE-2021-41174,CVE-2021-41244,CVE-2021-43798,CVE-2021-43813,CVE-2021-43815,CVE-2022-21673,CVE-2022-21698,CVE-2022-21702,CVE-2022-21703,CVE-2022-21713
JIRA References: SLE-23422,SLE-23439,SLE-24077,SLE-24238,SLE-24239
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    golang-github-prometheus-node_exporter-1.3.0-1.15.3
SUSE OpenStack Cloud Crowbar 8 (src):    golang-github-prometheus-node_exporter-1.3.0-1.15.3
SUSE OpenStack Cloud 9 (src):    golang-github-prometheus-node_exporter-1.3.0-1.15.3
SUSE OpenStack Cloud 8 (src):    golang-github-prometheus-node_exporter-1.3.0-1.15.3
SUSE Manager Tools 12 (src):    golang-github-QubitProducts-exporter_exporter-0.4.0-1.6.1, golang-github-prometheus-alertmanager-0.23.0-1.12.3, golang-github-prometheus-node_exporter-1.3.0-1.15.3, grafana-8.3.5-1.30.3, mgr-cfg-4.3.6-1.27.4, mgr-custom-info-4.3.3-1.18.1, mgr-daemon-4.3.4-1.32.3, mgr-osad-4.3.6-1.39.4, mgr-push-4.3.4-1.21.4, mgr-virtualization-4.3.5-1.29.3, prometheus-blackbox_exporter-0.19.0-1.8.2, prometheus-postgres_exporter-0.10.0-1.8.2, python-hwdata-2.3.5-12.9.1, rhnlib-4.3.4-21.43.3, spacecmd-4.3.11-38.103.3, spacewalk-client-tools-4.3.9-52.71.3, spacewalk-koan-4.3.5-24.33.3, spacewalk-oscap-4.3.5-19.27.1, spacewalk-remote-utils-4.3.3-24.24.3, supportutils-plugin-salt-1.2.0-6.16.1, supportutils-plugin-susemanager-client-4.3.2-6.24.1, suseRegisterInfo-4.3.3-25.27.3, uyuni-common-libs-4.3.4-1.21.3
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    golang-github-prometheus-node_exporter-1.3.0-1.15.3
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    golang-github-prometheus-node_exporter-1.3.0-1.15.3
SUSE Linux Enterprise Server 12-SP5 (src):    golang-github-prometheus-node_exporter-1.3.0-1.15.3
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-1.15.3
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-1.15.3
SUSE Linux Enterprise Server 12-SP3-BCL (src):    golang-github-prometheus-node_exporter-1.3.0-1.15.3
HPE Helion Openstack 8 (src):    golang-github-prometheus-node_exporter-1.3.0-1.15.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 27 Swamp Workflow Management 2022-06-21 10:17:07 UTC

SUSE-SU-2022:2145-1: An update that solves 5 vulnerabilities, contains two features and has 33 fixes is now available.

Category: security (important)
Bug References: 1173527,1182742,1189501,1190535,1191143,1192850,1193032,1193238,1193707,1194262,1194447,1194594,1194909,1195561,1196067,1196338,1196407,1196702,1196704,1197356,1197429,1197438,1197488,1198221,1198356,1198686,1198914,1199036,1199142,1199149,1199512,1199528,1199577,1199629,1199677,1199888,1200212,1200606
CVE References: CVE-2022-21698,CVE-2022-21724,CVE-2022-21952,CVE-2022-26520,CVE-2022-31248
JIRA References: SLE-24238,SLE-24239
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    golang-github-QubitProducts-exporter_exporter-0.4.0-150200.6.12.2, golang-github-lusitaniae-apache_exporter-0.7.0-150200.2.6.2, golang-github-prometheus-node_exporter-1.3.0-150200.3.9.3, patterns-suse-manager-4.1-150200.6.12.2, postgresql-jdbc-42.2.10-150200.3.8.2, prometheus-exporters-formula-0.9.5-150200.3.31.2, prometheus-formula-0.3.7-150200.3.21.2, py27-compat-salt-3000.3-150200.6.24.2, spacecmd-4.1.18-150200.4.39.3, spacewalk-backend-4.1.31-150200.4.50.4, spacewalk-java-4.1.46-150200.3.71.5, spacewalk-setup-4.1.11-150200.3.18.2, spacewalk-utils-4.1.20-150200.3.30.2, spacewalk-web-4.1.34-150200.3.47.6, subscription-matcher-0.28-150200.3.15.2, susemanager-4.1.36-150200.3.52.1, susemanager-doc-indexes-4.1-150200.11.55.4, susemanager-docs_en-4.1-150200.11.55.2, susemanager-schema-4.1.26-150200.3.45.4, susemanager-sls-4.1.36-150200.3.64.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 28 Swamp Workflow Management 2022-06-21 10:20:13 UTC

SUSE-SU-2022:2143-1: An update that solves four vulnerabilities and has 28 fixes is now available.

Category: security (moderate)
Bug References: 1182742,1189501,1190535,1192850,1193032,1193238,1193707,1194262,1194447,1194594,1194909,1195561,1196338,1196407,1196702,1196704,1197356,1197429,1197438,1197488,1198221,1198356,1198686,1198914,1199036,1199142,1199149,1199512,1199528,1199629,1199677,1199888
CVE References: CVE-2022-21724,CVE-2022-21952,CVE-2022-26520,CVE-2022-31248
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    release-notes-susemanager-4.1.15-150200.3.80.1
SUSE Manager Retail Branch Server 4.1 (src):    release-notes-susemanager-proxy-4.1.15-150200.3.56.1
SUSE Manager Proxy 4.1 (src):    release-notes-susemanager-proxy-4.1.15-150200.3.56.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 29 Swamp Workflow Management 2022-06-21 10:24:30 UTC

SUSE-RU-2022:2145-1: An update that solves one vulnerability, contains two features and has 8 fixes is now available.

Category: recommended (moderate)
Bug References: 1190535,1193238,1194447,1194594,1194909,1196338,1196704,1199142,1199528
CVE References: CVE-2022-21698
JIRA References: SLE-24238,SLE-24239
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (src):    golang-github-QubitProducts-exporter_exporter-0.4.0-150200.6.12.2, golang-github-lusitaniae-apache_exporter-0.7.0-150200.2.6.2, golang-github-prometheus-node_exporter-1.3.0-150200.3.9.3, patterns-suse-manager-4.1-150200.6.12.2, spacecmd-4.1.18-150200.4.39.3, spacewalk-backend-4.1.31-150200.4.50.4, spacewalk-web-4.1.34-150200.3.47.6

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 30 Robert Frohl 2022-08-02 13:15:59 UTC

our tracking shows this as missing for:

- SUSE:RES-8:Update:Products:ManagerTools:Update/golang-github-prometheus-node_exporter

- SUSE:SLE-15-SP2:Update:Products:SES7:Update/rook
- SUSE:SLE-15-SP3:Update:Products:SES7:Update/rook

Comment 32 Swamp Workflow Management 2022-08-17 19:16:54 UTC

SUSE-SU-2022:2834-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182428,1196338,1197284
CVE References: CVE-2022-1227,CVE-2022-21698,CVE-2022-27191
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    podman-3.4.7-150400.4.3.1
SUSE Linux Enterprise Module for Containers 15-SP4 (src):    podman-3.4.7-150400.4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 33 Swamp Workflow Management 2022-08-18 10:18:09 UTC

SUSE-SU-2022:2839-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182428,1196338,1197284
CVE References: CVE-2022-1227,CVE-2022-21698,CVE-2022-27191
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    podman-3.4.7-150300.9.9.2
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    podman-3.4.7-150300.9.9.2
SUSE Linux Enterprise Micro 5.2 (src):    podman-3.4.7-150300.9.9.2
SUSE Linux Enterprise Micro 5.1 (src):    podman-3.4.7-150300.9.9.2
SUSE Enterprise Storage 7.1 (src):    podman-3.4.7-150300.9.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 36 Swamp Workflow Management 2022-09-01 14:51:55 UTC

SUSE-SU-2022:2839-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182428,1196338,1197284
CVE References: CVE-2022-1227,CVE-2022-21698,CVE-2022-27191
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    podman-3.4.7-150300.9.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 40 Swamp Workflow Management 2022-10-26 13:34:22 UTC

SUSE-SU-2022:3745-1: An update that fixes one vulnerability, contains two features is now available.

Category: security (moderate)
Bug References: 1196338
CVE References: CVE-2022-21698
JIRA References: SLE-24238,SLE-24239
Sources used:
openSUSE Leap 15.4 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
openSUSE Leap 15.3 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Manager Server 4.1 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Manager Retail Branch Server 4.1 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Manager Proxy 4.1 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Enterprise Storage 7 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE Enterprise Storage 6 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1
SUSE CaaS Platform 4.0 (src):    golang-github-prometheus-node_exporter-1.3.0-150100.3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 41 Swamp Workflow Management 2022-10-26 14:07:00 UTC

SUSE-SU-2022:3747-1: An update that solves three vulnerabilities, contains 6 features and has two fixes is now available.

Category: security (moderate)
Bug References: 1196338,1198903,1200725,1201535,1201539
CVE References: CVE-2022-21698,CVE-2022-31097,CVE-2022-31107
JIRA References: SLE-23422,SLE-23439,SLE-24243,SLE-24565,SLE-24791,SUMA-114
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    golang-github-prometheus-node_exporter-1.3.0-1.21.1
SUSE OpenStack Cloud 9 (src):    golang-github-prometheus-node_exporter-1.3.0-1.21.1
SUSE Manager Tools 12 (src):    golang-github-lusitaniae-apache_exporter-0.11.0-1.13.1, golang-github-prometheus-alertmanager-0.23.0-1.15.2, golang-github-prometheus-node_exporter-1.3.0-1.21.1, grafana-8.3.10-1.33.2, kiwi-desc-saltboot-0.1.1661440542.6cbe0da-1.29.1, mgr-daemon-4.3.6-1.38.1, spacecmd-4.3.15-38.109.1, spacewalk-client-tools-4.3.12-52.77.1, uyuni-common-libs-4.3.6-1.27.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    golang-github-prometheus-node_exporter-1.3.0-1.21.1
SUSE Linux Enterprise Server 12-SP5 (src):    golang-github-prometheus-node_exporter-1.3.0-1.21.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-1.21.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    golang-github-prometheus-node_exporter-1.3.0-1.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.