{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for SUSE Manager Server 4.3","title":"Title of the patch"},{"category":"description","text":"\nThis update fixes the following issues:\n\nrelease-notes-susemanager:\n\n- Update to SUSE Manager 4.3.11\n  * Migrate from RHEL and its clones to SUSE Liberty Linux\n  * Reboot required indication for non-SUSE distributions\n  * SSH key rotation for enhanced security\n  * Configure remote command execution\n  * End of Debian 10 support\n  * CVEs fixed: \n    CVE-2023-32189, CVE-2024-22231, CVE-2024-22232\n  * Bugs mentioned:    \n    bsc#1170848, bsc#1210911, bsc#1211254, bsc#1211560, bsc#1211912\n    bsc#1213079, bsc#1213507, bsc#1213738, bsc#1213981, bsc#1214077\n    bsc#1214791, bsc#1215166, bsc#1215514, bsc#1215769, bsc#1215810\n    bsc#1215813, bsc#1215982, bsc#1216114, bsc#1216394, bsc#1216437\n    bsc#1216550, bsc#1216657, bsc#1216753, bsc#1216781, bsc#1216988\n    bsc#1217069, bsc#1217209, bsc#1217588, bsc#1217784, bsc#1217869\n    bsc#1218019, bsc#1218074, bsc#1218075, bsc#1218089, bsc#1218094\n    bsc#1218490, bsc#1218615, bsc#1218669, bsc#1218849, bsc#1219577\n    bsc#1219850, bsc#1218146\n","title":"Description of the patch"},{"category":"details","text":"SUSE-2024-513,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2024-513,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-513","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security 
Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_0513-1.json"},{"category":"self","summary":"URL for SUSE-SU-2024:0513-1","url":"https://www.suse.com/support/update/announcement/2024/suse-su-20240513-1/"},{"category":"self","summary":"E-Mail link for SUSE-SU-2024:0513-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2024-February/017924.html"},{"category":"self","summary":"SUSE Bug 1170848","url":"https://bugzilla.suse.com/1170848"},{"category":"self","summary":"SUSE Bug 1210911","url":"https://bugzilla.suse.com/1210911"},{"category":"self","summary":"SUSE Bug 1211254","url":"https://bugzilla.suse.com/1211254"},{"category":"self","summary":"SUSE Bug 1211560","url":"https://bugzilla.suse.com/1211560"},{"category":"self","summary":"SUSE Bug 1211912","url":"https://bugzilla.suse.com/1211912"},{"category":"self","summary":"SUSE Bug 1213079","url":"https://bugzilla.suse.com/1213079"},{"category":"self","summary":"SUSE Bug 1213507","url":"https://bugzilla.suse.com/1213507"},{"category":"self","summary":"SUSE Bug 1213738","url":"https://bugzilla.suse.com/1213738"},{"category":"self","summary":"SUSE Bug 1213981","url":"https://bugzilla.suse.com/1213981"},{"category":"self","summary":"SUSE Bug 1214077","url":"https://bugzilla.suse.com/1214077"},{"category":"self","summary":"SUSE Bug 1214791","url":"https://bugzilla.suse.com/1214791"},{"category":"self","summary":"SUSE Bug 1215166","url":"https://bugzilla.suse.com/1215166"},{"category":"self","summary":"SUSE Bug 1215514","url":"https://bugzilla.suse.com/1215514"},{"category":"self","summary":"SUSE Bug 1215769","url":"https://bugzilla.suse.com/1215769"},{"category":"self","summary":"SUSE Bug 1215810","url":"https://bugzilla.suse.com/1215810"},{"category":"self","summary":"SUSE Bug 
1215813","url":"https://bugzilla.suse.com/1215813"},{"category":"self","summary":"SUSE Bug 1215982","url":"https://bugzilla.suse.com/1215982"},{"category":"self","summary":"SUSE Bug 1216114","url":"https://bugzilla.suse.com/1216114"},{"category":"self","summary":"SUSE Bug 1216394","url":"https://bugzilla.suse.com/1216394"},{"category":"self","summary":"SUSE Bug 1216437","url":"https://bugzilla.suse.com/1216437"},{"category":"self","summary":"SUSE Bug 1216550","url":"https://bugzilla.suse.com/1216550"},{"category":"self","summary":"SUSE Bug 1216657","url":"https://bugzilla.suse.com/1216657"},{"category":"self","summary":"SUSE Bug 1216753","url":"https://bugzilla.suse.com/1216753"},{"category":"self","summary":"SUSE Bug 1216781","url":"https://bugzilla.suse.com/1216781"},{"category":"self","summary":"SUSE Bug 1216988","url":"https://bugzilla.suse.com/1216988"},{"category":"self","summary":"SUSE Bug 1217069","url":"https://bugzilla.suse.com/1217069"},{"category":"self","summary":"SUSE Bug 1217209","url":"https://bugzilla.suse.com/1217209"},{"category":"self","summary":"SUSE Bug 1217588","url":"https://bugzilla.suse.com/1217588"},{"category":"self","summary":"SUSE Bug 1217784","url":"https://bugzilla.suse.com/1217784"},{"category":"self","summary":"SUSE Bug 1217869","url":"https://bugzilla.suse.com/1217869"},{"category":"self","summary":"SUSE Bug 1218019","url":"https://bugzilla.suse.com/1218019"},{"category":"self","summary":"SUSE Bug 1218074","url":"https://bugzilla.suse.com/1218074"},{"category":"self","summary":"SUSE Bug 1218075","url":"https://bugzilla.suse.com/1218075"},{"category":"self","summary":"SUSE Bug 1218089","url":"https://bugzilla.suse.com/1218089"},{"category":"self","summary":"SUSE Bug 1218094","url":"https://bugzilla.suse.com/1218094"},{"category":"self","summary":"SUSE Bug 1218146","url":"https://bugzilla.suse.com/1218146"},{"category":"self","summary":"SUSE Bug 1218490","url":"https://bugzilla.suse.com/1218490"},{"category":"self","summary":"SUSE 
Bug 1218615","url":"https://bugzilla.suse.com/1218615"},{"category":"self","summary":"SUSE Bug 1218669","url":"https://bugzilla.suse.com/1218669"},{"category":"self","summary":"SUSE Bug 1218849","url":"https://bugzilla.suse.com/1218849"},{"category":"self","summary":"SUSE Bug 1219577","url":"https://bugzilla.suse.com/1219577"},{"category":"self","summary":"SUSE Bug 1219850","url":"https://bugzilla.suse.com/1219850"},{"category":"self","summary":"SUSE CVE CVE-2023-32189 page","url":"https://www.suse.com/security/cve/CVE-2023-32189/"},{"category":"self","summary":"SUSE CVE CVE-2024-22231 page","url":"https://www.suse.com/security/cve/CVE-2024-22231/"},{"category":"self","summary":"SUSE CVE CVE-2024-22232 page","url":"https://www.suse.com/security/cve/CVE-2024-22232/"}],"title":"Security update for SUSE Manager Server 4.3","tracking":{"current_release_date":"2024-02-15T13:43:22Z","generator":{"date":"2024-02-15T13:43:22Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"SUSE-SU-2024:0513-1","initial_release_date":"2024-02-15T13:43:22Z","revision_history":[{"date":"2024-02-15T13:43:22Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"release-notes-susemanager-4.3.11-150400.3.100.1.noarch","product":{"name":"release-notes-susemanager-4.3.11-150400.3.100.1.noarch","product_id":"release-notes-susemanager-4.3.11-150400.3.100.1.noarch"}},{"category":"product_version","name":"release-notes-susemanager-proxy-4.3.11-150400.3.79.1.noarch","product":{"name":"release-notes-susemanager-proxy-4.3.11-150400.3.79.1.noarch","product_id":"release-notes-susemanager-proxy-4.3.11-150400.3.79.1.noarch"}}],"category":"architecture","name":"noarch"},{"branches":[{"category":"product_name","name":"SUSE Manager Proxy 4.3","product":{"name":"SUSE Manager Proxy 4.3","product_id":"SUSE Manager Proxy 
4.3","product_identification_helper":{"cpe":"cpe:/o:suse:suse-manager-proxy:4.3"}}},{"category":"product_name","name":"SUSE Manager Server 4.3","product":{"name":"SUSE Manager Server 4.3","product_id":"SUSE Manager Server 4.3","product_identification_helper":{"cpe":"cpe:/o:suse:suse-manager-server:4.3"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"release-notes-susemanager-proxy-4.3.11-150400.3.79.1.noarch as component of SUSE Manager Proxy 4.3","product_id":"SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.11-150400.3.79.1.noarch"},"product_reference":"release-notes-susemanager-proxy-4.3.11-150400.3.79.1.noarch","relates_to_product_reference":"SUSE Manager Proxy 4.3"},{"category":"default_component_of","full_product_name":{"name":"release-notes-susemanager-4.3.11-150400.3.100.1.noarch as component of SUSE Manager Server 4.3","product_id":"SUSE Manager Server 4.3:release-notes-susemanager-4.3.11-150400.3.100.1.noarch"},"product_reference":"release-notes-susemanager-4.3.11-150400.3.100.1.noarch","relates_to_product_reference":"SUSE Manager Server 4.3"}]},"vulnerabilities":[{"cve":"CVE-2023-32189","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2023-32189"}],"notes":[{"category":"general","text":"Insecure handling of ssh keys used to bootstrap clients allows local attackers to potentially gain access to the keys","title":"CVE description"}],"product_status":{"recommended":["SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.11-150400.3.79.1.noarch","SUSE Manager Server 4.3:release-notes-susemanager-4.3.11-150400.3.100.1.noarch"]},"references":[{"category":"external","summary":"CVE-2023-32189","url":"https://www.suse.com/security/cve/CVE-2023-32189"},{"category":"external","summary":"SUSE Bug 1170848 for 
CVE-2023-32189","url":"https://bugzilla.suse.com/1170848"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.11-150400.3.79.1.noarch","SUSE Manager Server 4.3:release-notes-susemanager-4.3.11-150400.3.100.1.noarch"]}],"scores":[{"cvss_v3":{"baseScore":5.9,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N","version":"3.1"},"products":["SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.11-150400.3.79.1.noarch","SUSE Manager Server 4.3:release-notes-susemanager-4.3.11-150400.3.100.1.noarch"]}],"threats":[{"category":"impact","date":"2024-02-15T13:43:22Z","details":"moderate"}],"title":"CVE-2023-32189"},{"cve":"CVE-2024-22231","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-22231"}],"notes":[{"category":"general","text":"Syndic cache directory creation is vulnerable to a directory traversal attack in the Salt project, which can allow a malicious attacker to create an arbitrary directory on a Salt master.","title":"CVE description"}],"product_status":{"recommended":["SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.11-150400.3.79.1.noarch","SUSE Manager Server 4.3:release-notes-susemanager-4.3.11-150400.3.100.1.noarch"]},"references":[{"category":"external","summary":"CVE-2024-22231","url":"https://www.suse.com/security/cve/CVE-2024-22231"},{"category":"external","summary":"SUSE Bug 1219430 for CVE-2024-22231","url":"https://bugzilla.suse.com/1219430"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.11-150400.3.79.1.noarch","SUSE Manager Server 
4.3:release-notes-susemanager-4.3.11-150400.3.100.1.noarch"]}],"scores":[{"cvss_v3":{"baseScore":5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N","version":"3.1"},"products":["SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.11-150400.3.79.1.noarch","SUSE Manager Server 4.3:release-notes-susemanager-4.3.11-150400.3.100.1.noarch"]}],"threats":[{"category":"impact","date":"2024-02-15T13:43:22Z","details":"moderate"}],"title":"CVE-2024-22231"},{"cve":"CVE-2024-22232","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-22232"}],"notes":[{"category":"general","text":"A specially crafted url can be created which leads to a directory traversal in the salt file server.\nA malicious user can read an arbitrary file from a Salt master's filesystem.","title":"CVE description"}],"product_status":{"recommended":["SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.11-150400.3.79.1.noarch","SUSE Manager Server 4.3:release-notes-susemanager-4.3.11-150400.3.100.1.noarch"]},"references":[{"category":"external","summary":"CVE-2024-22232","url":"https://www.suse.com/security/cve/CVE-2024-22232"},{"category":"external","summary":"SUSE Bug 1219431 for CVE-2024-22232","url":"https://bugzilla.suse.com/1219431"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.11-150400.3.79.1.noarch","SUSE Manager Server 4.3:release-notes-susemanager-4.3.11-150400.3.100.1.noarch"]}],"scores":[{"cvss_v3":{"baseScore":7.7,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","version":"3.1"},"products":["SUSE Manager Proxy 4.3:release-notes-susemanager-proxy-4.3.11-150400.3.79.1.noarch","SUSE Manager Server 
4.3:release-notes-susemanager-4.3.11-150400.3.100.1.noarch"]}],"threats":[{"category":"impact","date":"2024-02-15T13:43:22Z","details":"important"}],"title":"CVE-2024-22232"}]}