Security update for multipath-tools (important)

An update that solves two vulnerabilities, contains one
feature and has four fixes is now available.

Description:

This update for multipath-tools fixes the following issues:

• CVE-2022-41973: Fixed a symlink attack in multipathd. (bsc#1202739)

• CVE-2022-41974: Fixed an authorization bypass issue in multipathd.
  (bsc#1202739)

• multipathd: add “force_reconfigure” option (bsc#1189551) The command
  “multipathd -kreconfigure” changes behavior: instead
  of reloading every map, it checks map configuration and reloads
  only modified maps. This speeds up the reconfigure operation
  substantially. The old behavior can be reinstated by setting
  “force_reconfigure yes” in multipath.conf (not recommended). Note:
  “force_reconfigure yes” is not supported in SLE15-SP4 and beyond,
  which provide the command “multipathd -k’reconfigure all’”

• multipathd: avoid stalled clients during reconfigure (bsc#1189551)

• multipathd: handle client disconnect correctly (bsc#1189551)

• Avoid linking to libreadline to avoid licensing issue (bsc#1202616)

• multipathd: don’t switch to DAEMON_IDLE during startup (bsc#1197570)

• multipathd: disallow changing to/from fpin marginal paths on reconfig

• multipathd handle fpin events (bsc#1195506,jsc#PED-1448)

• multipath: fix exit status of multipath -T (bsc#1191900)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

• openSUSE Leap Micro 5.2:

  zypper in -t patch openSUSE-Leap-Micro-5.2-2022-3710=1

• openSUSE Leap 15.3:

  zypper in -t patch openSUSE-SLE-15.3-2022-3710=1

• SUSE Linux Enterprise Module for Basesystem 15-SP3:

  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-3710=1

• SUSE Linux Enterprise Micro 5.2:

  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-3710=1

• SUSE Linux Enterprise Micro 5.1:

  zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-3710=1