File _patchinfo of Package patchinfo.34705
<patchinfo incident="34705">
<issue tracker="bnc" id="1222815">Performance CoPilot 6 is not starting due to missing pmlogger_daily.timer</issue>
<issue tracker="bnc" id="1217826">VUL-0: CVE-2023-6917: pcp: Local privilege escalation from pcp user to root in /usr/libexec/pcp/lib/pmproxy</issue>
<issue tracker="bnc" id="1186511">pcp uses deprecated KillMode=none in services</issue>
<issue tracker="bnc" id="1222121">VUL-0: CVE-2024-3019: pcp: exposure of the redis server backend allows remote command execution via pmproxy</issue>
<issue tracker="bnc" id="1230552">VUL-0: CVE-2024-45770: pcp: `pmpost` symlink attack allows escalating `pcp` to `root` user</issue>
<issue tracker="bnc" id="1230551">VUL-0: CVE-2024-45769: pcp: `pmcd` heap corruption through metric pmstore operations</issue>
<issue tracker="bnc" id="1231345">PCP 6.2 built without libuv support</issue>
<issue tracker="cve" id="2024-3019"/>
<issue tracker="cve" id="2023-6917"/>
<issue tracker="cve" id="2024-45770"/>
<issue tracker="cve" id="2024-45769"/>
<issue tracker="jsc" id="PED-8389"/>
<issue tracker="jsc" id="PED-8192"/>
<packager>mschreiner</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for pcp</summary>
<description>This update for pcp fixes the following issues:
pcp was updated from version 3.11.9 to version 6.2.0 (jsc#PED-8192, jsc#PED-8389):
- Security issues fixed:
* CVE-2024-45770: Fixed a symlink attack that allows escalating from the pcp to the root user (bsc#1230552)
* CVE-2024-45769: Fixed a heap corruption through metric pmstore operations (bsc#1230551)
* CVE-2023-6917: Fixed local privilege escalation from pcp user to root in /usr/libexec/pcp/lib/pmproxy (bsc#1217826)
* CVE-2024-3019: Disabled redis proxy by default (bsc#1222121)
- Major changes:
* Add version 3 PCP archive support: instance domain change-deltas, Y2038-safe timestamps, nanosecond-precision timestamps, arbitrary timezone support, and 64-bit file offsets used throughout for larger (beyond 2GB) individual volumes.
+ Opt-in using the /etc/pcp.conf PCP_ARCHIVE_VERSION setting.
+ Version 2 archives remain the default (for the next few years).
* Switch to using OpenSSL only throughout PCP (dropped NSS/NSPR); this affects libpcp, PMAPI clients and PMCD use of encryption, which are now configured and used consistently with the pmproxy HTTPS support and redis-server, both of which were already using OpenSSL.
* New nanosecond-precision timestamp PMAPI calls for the PCP library interfaces that make use of timestamps. These are all optional, and full backward compatibility is preserved for existing tools.
* For the full list of changes, please consult the packaged CHANGELOG file.
- Other packaging changes:
* Reintroduce libuv support for SUSE Linux Enterprise 15 (bsc#1231345)
* Moved pmlogger_daily into main package (bsc#1222815)
* Switched logutil and pmieutil scripts from Type=oneshot to Type=exec (bsc#1186511)
* Changed the dependency from openssl-devel >= 1.1.1 to openssl-devel >= 1.0.2p, as required for SUSE Linux Enterprise 12.
* Disabled 'pmda-infiniband' subpackage for SUSE Linux Enterprise 12 to resolve build issues.
* Introduce 'pmda-resctrl' package, disabled for architectures other than x86_64.
* Change the architecture for various subpackages to 'noarch' as they contain no binaries.
* Disable 'pmda-mssql', as it fails to build.
</description>
</patchinfo>