Overview

File _patchinfo of Package patchinfo.28020

<patchinfo incident="28020">
  <rating>important</rating>
  <packager>juliogonzalezgil</packager>
  <category>security</category>
  <summary>Security update for SUSE Manager Client Tools</summary>
  <description>
This update fixes the following issues:

grafana:

- CVE-2022-46146: Fix basic authentication bypass by updating the exporter
  toolkit to version 0.7.3 (bsc#1208065)
- CVE-2022-41723: Require Go 1.19 or newer (bsc#1208293)
- Update to version 8.5.20:
  * CVE-2022-23552: Security: SVG: Add dompurify preprocessor step (bsc#1207749)
  * CVE-2022-39324: Security: Snapshots: Fix originalUrl spoof security issue
    (bsc#1207750)
  * Security: Omit error from http response 
  * Bug fix: Email and username trimming and invitation validation

spacecmd:

- Version 4.3.19-1
  * Fix spacecmd not showing any output for softwarechannel_diff
    and softwarechannel_errata_diff (bsc#1207352)
  * Prevent string api parameters to be parsed as dates if not in
    ISO-8601 format (bsc#1205759)

spacewalk-client-tools:

- Version 4.3.15-1
  * Update translation strings

</description>
  <issue tracker="bnc" id="1205759">Fix for Bug 1198903 introduces new issue with spacecmd api calls</issue>
  <issue tracker="bnc" id="1207352">spacecmd: no output shown for softwarechannel_diff or softwarechannel_errata_diff</issue>
  <issue tracker="bnc" id="1207749">VUL-0: CVE-2022-23552: grafana: Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plu</issue>
  <issue tracker="bnc" id="1207750">VUL-0: CVE-2022-39324: grafana: Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the</issue>
  <issue tracker="bnc" id="1208065">VUL-0: CVE-2022-46146: grafana: prometheus/exporter-toolkit: authentication bypass via cache poisoning</issue>
  <issue tracker="bnc" id="1208293">VUL-0: CVE-2022-41723: grafana: go1.19,go1.20: net/http: avoid quadratic complexity in HPACK decoding</issue>
  <issue tracker="cve" id="2022-46146"/>
  <issue tracker="cve" id="2022-41723"/>
  <issue tracker="cve" id="2022-23552"/>
  <issue tracker="cve" id="2022-39324"/>
</patchinfo>
openSUSE Build Service is sponsored by
Places