Overview

File _patchinfo of Package patchinfo.33434

<patchinfo incident="33434">
  <issue tracker="ijsc" id="MSQA-760"/>
  <issue tracker="bnc" id="1008037">VUL-0: CVE-2016-8628: ansible: Command injection by compromised server via fact variables</issue>
  <issue tracker="bnc" id="1008038">VUL-0: CVE-2016-8614: ansible: Improper verification of key fingerprints in apt_key module</issue>
  <issue tracker="bnc" id="1010940">VUL-0: CVE-2016-8647: ansible: in some circumstances the mysql_user module may fail to correctly change a password</issue>
  <issue tracker="bnc" id="1019021">VUL-0: CVE-2016-9587: ansible: host to controller command execution vulnerability</issue>
  <issue tracker="bnc" id="1038785">VUL-0: CVE-2017-7481: ansible: Security issue with lookup return not tainting the jinja2 environment</issue>
  <issue tracker="bnc" id="1059235">ansible upgrade on SLES 11 SP3-TD</issue>
  <issue tracker="bnc" id="1099805">VUL-0: CVE-2018-10874: ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution</issue>
  <issue tracker="bnc" id="1166389">VUL-1: CVE-2020-1753: ansible: kubectl connection plugin leaks sensitive information</issue>
  <issue tracker="bnc" id="1171823">VUL-1: CVE-2020-10744: ansible: incomplete fix for CVE-2020-1733</issue>
  <issue tracker="bnc" id="1174145">VUL-1: CVE-2020-14330: ansible: "no log" values are not stripped from module response keys</issue>
  <issue tracker="bnc" id="1174302">VUL-1: CVE-2020-14332: ansible,ansible1: module_args does not censor properly in --check mode</issue>
  <issue tracker="bnc" id="1175993">VUL-0: CVE-2020-14365: ansible,ansible1: dnf module install packages with no GPG signature</issue>
  <issue tracker="bnc" id="1177948">ansible-2.9: superfluous dependency</issue>
  <issue tracker="bnc" id="1216854">VUL-0: CVE-2023-5764: ansible,ansible1: Template Injection</issue>
  <issue tracker="bnc" id="1219002">VUL-0: CVE-2024-0690: ansible: possible information leak in tasks that ignore ANSIBLE_NO_LOG configuration</issue>
  <issue tracker="bnc" id="1219912">VUL-0: CVE-2023-6152: grafana: lack of validation on email update on configuration option "verify_email_enabled"</issue>
  <issue tracker="bnc" id="1221092">salt boot gets confusing network settings in SLE15 SP3 and does not complete</issue>
  <issue tracker="bnc" id="1221465">rhnpush: not uploading RSA signed packages</issue>
  <issue tracker="bnc" id="1222155">VUL-0: CVE-2024-1313: grafana: authorization bypass on snapshot delete endpoint of different organization</issue>
  <issue tracker="cve" id="2023-5764"/>
  <issue tracker="cve" id="2024-0690"/>
  <issue tracker="cve" id="2020-1753"/>
  <issue tracker="cve" id="2020-14365"/>
  <issue tracker="cve" id="2020-14332"/>
  <issue tracker="cve" id="2020-14330"/>
  <issue tracker="cve" id="2020-10744"/>
  <issue tracker="cve" id="2017-7550"/>
  <issue tracker="cve" id="2018-10874"/>
  <issue tracker="cve" id="2016-9587"/>
  <issue tracker="cve" id="2016-8628"/>
  <issue tracker="cve" id="2016-8614"/>
  <issue tracker="cve" id="2016-8647"/>
  <issue tracker="cve" id="2024-1313"/>
  <issue tracker="cve" id="2023-6152"/>
  <packager>raulosuna</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for SUSE Manager Client Tools</summary>
  <description>This update fixes the following issues:

POS_Image-Graphical7 was updated to version 0.1.1710765237.46af599:

- Version 0.1.1710765237.46af599

  * Moved image services to dracut-saltboot package
  * Use salt bundle

- Version 0.1.1645440615.7f1328c

  * Removed deprecated kiwi functions

POS_Image-JeOS7 was updated to version 0.1.1710765237.46af599:

- Version 0.1.1710765237.46af599

  * Moved image services to dracut-saltboot package
  * Use salt bundle

- Version 0.1.1645440615.7f1328c

  * Removed deprecated kiwi functions

ansible received the following fixes:

- Security issues fixed:

  * CVE-2023-5764: Address issues where internal templating can cause unsafe
    variables to lose their unsafe designation (bsc#1216854)

    + Breaking changes:
      assert - Nested templating may result in an inability for the conditional
      to be evaluated. See the porting guide for more information.

  * CVE-2024-0690: Address issue where ANSIBLE_NO_LOG was ignored (bsc#1219002)
  * CVE-2020-14365: Ensure that packages are GPG validated (bsc#1175993)
  * CVE-2020-10744: Fixed insecure temporary directory creation (bsc#1171823)
  * CVE-2018-10874: Fixed inventory variables loading from current working directory when running ad-hoc command that
    can lead to code execution (bsc#1099805)

- Bugs fixed:  

  * Don't Require python-coverage, it is needed only for testing (bsc#1177948)

dracut-saltboot was updated to version 0.1.1710765237.46af599:

- Version 0.1.1710765237.46af599

  * Load only first available leaseinfo (bsc#1221092)

- Version 0.1.1681904360.84ef141

grafana was updated to version 9.5.18:

- Grafana now requires Go 1.20
- Security issues fixed:

  * CVE-2024-1313: Require same organisation when deleting snapshots (bsc#1222155)
  * CVE-2023-6152: Add email verification when updating user email (bsc#1219912)

- Other non-security related changes:

  * Version 9.5.17:

    + [FEATURE] Alerting: Backport use Alertmanager API v2

  * Version 9.5.16:

    + [BUGFIX] Annotations: Split cleanup into separate queries and
      deletes to avoid deadlocks on MySQL

  * Version 9.5.15:

    + [FEATURE] Alerting: Attempt to retry retryable errors

  * Version 9.5.14:

    + [BUGFIX] Alerting: Fix state manager to not keep
      datasource_uid and ref_id labels in state after Error
    + [BUGFIX] Transformations: Config overrides being lost when
      config from query transform is applied
    + [BUGFIX] LDAP: Fix enable users on successfull login

  * Version 9.5.13:

    + [BUGFIX] BrowseDashboards: Only remember the most recent
      expanded folder
    + [BUGFIX] Licensing: Pass func to update env variables when
      starting plugin

  * Version 9.5.12:

    + [FEATURE] Azure: Add support for Workload Identity
      authentication

  * Version 9.5.9:

    + [FEATURE] SSE: Fix DSNode to not panic when response has empty
      response
    + [FEATURE] Prometheus: Handle the response with different field
      key order
    + [BUGFIX] LDAP: Fix user disabling

mgr-daemon was updated to version 4.3.9-0:

- Version 4.3.9-0

  * Update translation strings

spacecmd was updated to version 4.3.27-0:

- Version 4.3.27-0

  * Update translation strings

spacewalk-client-tools was updated to version 4.3.19-0:

- Version 4.3.19-0

  * Update translation strings

spacewalk-koan was updated to version version 4.3.6-0:

- Version 4.3.6-0

  * Change Docker image location for test

uyuni-common-libs was updated to version 4.3.10-0:

- Version 4.3.10-0

  * Add support for package signature type V4 RSA/SHA384
  * Add support for package signature type V4 RSA/SHA512 (bsc#1221465)

uyuni-proxy-systemd-services was updated to version 4.3.12-0:

- Version 4.3.12-0

  * Update to SUSE Manager 4.3.12
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places