Security update for ansible, crowbar-core, crowbar-ha, crowbar-openstack, etcd, flannel, grafana, keepalived, kibana, memcached, monasca-installer, openstack-dashboard-theme-SUSE, openstack-manila, op

Announcement ID:	SUSE-RU-2020:2072-1
Rating:	low
References:	bsc#1037777 bsc#1068612 bsc#1069468 bsc#1070737 bsc#1077718 bsc#1083903 bsc#1111657 bsc#1126503 bsc#1133817 bsc#1135773 bsc#1138748 bsc#1148383 bsc#1149110 bsc#1149535 bsc#1153191 bsc#1156525 bsc#1159447 bsc#1160152 bsc#1160153 bsc#1160192 bsc#1160790 bsc#1160851 bsc#1161088 bsc#1161089 bsc#1161349 bsc#1161670 bsc#1164316 bsc#1165402 bsc#1167244 bsc#1170657 bsc#1171560 bsc#1171909 bsc#1172166 bsc#1172167 bsc#1172175 bsc#1172176 bsc#1172409 bsc#948198 bsc#981848 jsc#ECO-1256 jsc#SOC-10357 jsc#SOC-11067 jsc#SOC-11077 jsc#SOC-11079 jsc#SOC-11082 jsc#SOC-11122 jsc#SOC-11174 jsc#SOC-11187 jsc#SOC-11224 jsc#SOC-11238 jsc#SOC-11243 jsc#SOC-11248 jsc#SOC-11251 jsc#SOC-11286 jsc#SOC-9298 jsc#SOC-9801
Cross-References:	CVE-2017-1000246 CVE-2017-4965 CVE-2017-4967 CVE-2018-1000115 CVE-2019-0201 CVE-2019-11596 CVE-2019-15026 CVE-2019-15043 CVE-2019-16785 CVE-2019-16786 CVE-2019-16789 CVE-2019-16792 CVE-2019-16865 CVE-2019-18874 CVE-2019-19844 CVE-2019-19911 CVE-2019-3498 CVE-2019-3828 CVE-2020-10663 CVE-2020-10743 CVE-2020-11076 CVE-2020-11077 CVE-2020-12052 CVE-2020-13254 CVE-2020-13379 CVE-2020-13596 CVE-2020-5247 CVE-2020-5312 CVE-2020-5313 CVE-2020-5390 CVE-2020-8151
CVSS scores:	CVE-2017-1000246 ( SUSE ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2017-1000246 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2017-4965 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2017-4965 ( NVD ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2017-4967 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2017-4967 ( NVD ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2018-1000115 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-0201 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-0201 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-0201 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-11596 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-11596 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-15026 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L CVE-2019-15026 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-15043 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVE-2019-15043 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-16785 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-16785 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-16786 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-16786 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-16789 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N CVE-2019-16789 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N CVE-2019-16792 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-16792 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-16865 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-16865 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-18874 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-18874 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-19844 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2019-19844 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-19911 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-19911 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-3498 ( SUSE ): 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2019-3498 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2019-3828 ( SUSE ): 4.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVE-2019-3828 ( NVD ): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVE-2019-3828 ( NVD ): 4.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVE-2020-10663 ( SUSE ): 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2020-10663 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2020-10743 ( SUSE ): 3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVE-2020-10743 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2020-11076 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N CVE-2020-11076 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2020-11077 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N CVE-2020-11077 ( NVD ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N CVE-2020-12052 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVE-2020-12052 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2020-13254 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-13379 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-13379 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVE-2020-13596 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVE-2020-13596 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2020-5247 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2020-5247 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2020-5312 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-5312 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-5313 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-5313 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H CVE-2020-5390 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2020-5390 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2020-8151 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2020-8151 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise Server 12 SP2 SUSE OpenStack Cloud 7

An update that solves 31 vulnerabilities, contains 17 features and has eight fixes can now be installed.

Description:

This update for ansible, crowbar-core, crowbar-ha, crowbar-openstack, etcd, flannel, grafana, keepalived, kibana, memcached, monasca-installer, openstack-dashboard-theme-SUSE, openstack-manila, openstack-neutron-fwaas, openstack-nova, openstack-tempest, python-Django, python-Pillow, python-psql2mysql, python-psutil, python-py, python-pysaml2, python-waitress, rabbitmq-server, release-notes-suse-openstack-cloud, zookeeper fixes the following issues:

Security fixes included ins this update:

ansible - CVE-2019-3828: Fixed a path traversal in the fetch module (bsc#1126503).

grafana - CVE-2020-13379: Fixed an incorrect access control issue which could lead to information leaks or denial of service (bsc#1172409). - CVE-2020-12052: Fixed an cross site scripting vulnerability related to the annotation popup (bsc#1170657).

kibana - CVE-2020-10743: Fixed a clickjacking vulnerability (bsc#1171909).

memcached (to version 1.5.17) - CVE-2019-15026: Fixed a stack-based buffer over-read in conn_to_str()n (bsc#1149110). - CVE-2019-11596: Fixed a denial of service in the 'lru' command (bsc#1133817) - CVE-2018-1000115: Disabled UDP by default to reduce DDoS amplification attacks (bsc#1083903).

python-Django - CVE-2020-13254: Fixed a data leakage via malformed memcached keys (bsc#1172167). - CVE-2020-13596: Fixed a cross site scripting vulnerability related to the admin parameters of the ForeignKeyRawIdWidget (bsc#1172166). - Fixed a regression with the fix for CVE-2019-3498 (bsc#1161349).

python-Pillow - CVE-2019-16865: Fixed a denial of service with specially crafted image files (bsc#1153191). - CVE-2020-5312: Fixed a buffer overflow in the PCX P mode (bsc#1160152). - CVE-2020-5313: Fixed a buffer overflow related to FLI (bsc#1160153). - CVE-2019-19911: Fixed a denial of service in FpxImagePlugin.py (bsc#1160192).

python-pysaml2 - CVE-2020-5390: Fixed an issue with the verification of signatures in SAML documents (bsc#1160851) - CVE-2017-1000246: Fixed an issue with weak encryption data, caused by initialization vector reuse(bsc#1068612).

python-waitress (to version 1.4.3) - CVE-2019-16785: Fixed HTTP request smuggling through LF vs CRLF handling (bsc#1161088). - CVE-2019-16786: Fixed HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089). - CVE-2019-16789: Fixed HTTP Request Smuggling through invalid whitespace characters (bsc#1160790). - CVE-2019-16792: Fixed HTTP Request Smuggling through Content-Length header handling (bsc#1161670).

rubygem-activeresource - CVE-2020-8151: Fixed information disclosure issue through specially crafted requests (bsc#1171560)

rubygem-json-1_7 - CVE-2020-10663: Fixed Unsafe Object Creation Vulnerability in JSON (bsc#1167244)

rubygem-puma - CVE-2020-11077: Fixed HTTP Request Smuggling through proxy (bsc#1172175) - CVE-2020-11076: Fixed HTTP Request smuggling through invalid Transfer-Encoding header. - CVE-2020-5247: Fixed HTTP Response Splitting through newline characters handling (bsc#1165402)

zookeeper: - CVE-2019-0201: Fixed an information disclosure related to getACL() (bsc#1135773).

Non security fixes included in this update:

Changes in ansible: - Add 0001-Disallow-use-of-remote-home-directories-containing-..patch (bsc#1126503, CVE-2019-3828)

Changes in crowbar-core: - Update to version 4.0+git.1580209654.1d112d31f: * network: start OVS before wickedd (SOC-11067)

Changes in crowbar-ha: - Update to version 4.0+git.1585316203.d6ad2c8: * [4.0] add ssl termination on haproxy (bsc#1149535)

Changes in crowbar-openstack: - Update to version 4.0+git.1589804581.9972163f0: * [4.0] magnum: fix check for image/flavor (SOC-11251)

• Update to version 4.0+git.1589647351.