Security update for ansible1, ardana-ansible, ardana-cobbler, ardana-glance, ardana-input-model, ardana-logging, ardana-manila, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempes

Announcement ID: SUSE-RU-2020:2161-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2019-16785 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2019-16785 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2019-16786 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2019-16786 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2019-16789 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
  • CVE-2019-16789 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
  • CVE-2019-16792 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2019-16792 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2019-16865 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2019-16865 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19844 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • CVE-2019-19844 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-19911 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19911 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-3828 ( SUSE ): 4.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
  • CVE-2019-3828 ( NVD ): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
  • CVE-2019-3828 ( NVD ): 4.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
  • CVE-2020-10177 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • CVE-2020-10177 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • CVE-2020-10378 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • CVE-2020-10743 ( SUSE ): 3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
  • CVE-2020-10743 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
  • CVE-2020-10755 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2020-10755 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2020-10994 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
  • CVE-2020-10994 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2020-11538 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-11538 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-12052 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE-2020-12052 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2020-13254 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2020-13379 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2020-13379 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
  • CVE-2020-13596 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE-2020-13596 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2020-5311 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2020-5311 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-5312 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2020-5312 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-5313 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2020-5313 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
  • CVE-2020-7471 ( SUSE ): 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
  • CVE-2020-7471 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-8184 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
  • CVE-2020-8184 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2020-9402 ( SUSE ): 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
  • CVE-2020-9402 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE OpenStack Cloud 9
  • SUSE OpenStack Cloud Crowbar 9

An update that solves 24 vulnerabilities, contains 31 features and has 10 fixes can now be installed.

Description:

This update for ansible1, ardana-ansible, ardana-cobbler, ardana-glance, ardana-input-model, ardana-logging, ardana-manila, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-openstack, grafana, kibana, openstack-barbican, openstack-ceilometer, openstack-cinder, openstack-dashboard, openstack-designate, openstack-heat-templates, openstack-ironic, openstack-keystone, openstack-magnum, openstack-manila, openstack-monasca-agent, openstack-neutron, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, python-Django1, python-Pillow, python-ardana-packager, python-heatclient, python-neutron-tempest-plugin, python-octavia-tempest-plugin, python-os-brick, python-oslo.messaging, python-pyroute2, python-urllib3, python-waitress, release-notes-suse-openstack-cloud, rubygem-activeresource, rubygem-json-1_7, rubygem-puma fixes the following issues:

Security fixes included in this update:

ansible1:
- CVE-2019-3828: Fixed a path traversal in the fetch module (bsc#1126503).

grafana:
- CVE-2020-13379: Fixed an incorrect access control issue which could lead to information leaks or denial of service (bsc#1172409).
- CVE-2020-12052: Fixed a cross-site scripting vulnerability in the annotation popup (bsc#1170657).

kibana:
- CVE-2020-10743: Fixed a clickjacking vulnerability (bsc#1171909).
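The kibana fix above is, per the changelog entries further down, a matter of sending an X-Frame-Options header so browsers refuse to render the UI inside a third-party frame. The following is an added example, not Kibana code and not part of this advisory: a small evaluator that decides, from a dict of response headers, whether a page is protected against framing. It assumes the standard semantics of X-Frame-Options (RFC 7034) and of the CSP frame-ancestors directive, and the sample header sets are constructed, not captured from a real Kibana instance.

```python
# Added example (not Kibana code): evaluate clickjacking protection from
# response headers.  Header names/values are the standard ones; the sample
# responses below are constructed for illustration.

def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def framing_protection(headers: dict) -> tuple:
    """Return (protected, reason) for one response's headers.

    Lookup is case-insensitive.  Repeated headers are assumed to have been
    joined with ", " by the caller, as most HTTP clients do.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # Browsers that understand frame-ancestors let it override
    # X-Frame-Options, so a permissive CSP undoes a strict XFO header.
    csp = parse_csp(h.get("content-security-policy", ""))
    ancestors = csp.get("frame-ancestors")
    if ancestors is not None:
        if ancestors in (["'none'"], ["'self'"]):
            return True, "CSP frame-ancestors %s" % ancestors[0]
        if any(src in ("*", "http:", "https:") for src in ancestors):
            return False, "CSP frame-ancestors allows any origin"
        return True, "CSP frame-ancestors restricted to %s" % " ".join(ancestors)

    xfo = h.get("x-frame-options")
    if xfo is None:
        return False, "no X-Frame-Options and no CSP frame-ancestors"
    values = {v.strip().upper() for v in xfo.split(",")}
    if len(values) != 1:
        # Conflicting values: browser handling differs, treat as misconfigured.
        return False, "conflicting X-Frame-Options values %s" % sorted(values)
    value = values.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options %s" % value
    if value.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is obsolete and ignored by current browsers"
    return False, "unrecognised X-Frame-Options value %r" % value


# Constructed sample header sets (not real Kibana responses).
SAMPLE_RESPONSES = {
    "unpatched": {"Content-Type": "text/html"},
    "patched": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "csp_only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_undoes_xfo": {"Content-Security-Policy": "frame-ancestors *",
                       "X-Frame-Options": "DENY"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print("%-16s %s" % (label, framing_protection(hdrs)))
```

The check to run after applying the update is therefore not only "is X-Frame-Options present" but "is there no CSP frame-ancestors directive that re-opens framing", which is why the CSP branch is evaluated first.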

python-Django1 to 1.11.29:
- CVE-2020-13254: Fixed a data leakage via malformed memcached keys (bsc#1172167).
- CVE-2020-13596: Fixed a cross-site scripting vulnerability related to the admin parameters of the ForeignKeyRawIdWidget (bsc#1172166).
- CVE-2020-7471: Fixed a SQL injection via the StringAgg delimiter (bsc#1161919).
- CVE-2020-9402: Fixed a SQL injection via the tolerance parameter in GIS functions and aggregates (bsc#1165022).
- CVE-2019-19844: Fixed a potential account hijack via the password reset form (bsc#1159447).

python-Pillow:
- CVE-2020-10177: Fixed multiple out-of-bounds reads in libImaging/FliDecode.c (bsc#1173413).
- CVE-2020-11538: Fixed multiple out-of-bounds reads via crafted JP2 files (bsc#1173420).
- CVE-2020-10994: Fixed multiple out-of-bounds reads via crafted JP2 files (bsc#1173418).
- CVE-2020-10378: Fixed an out-of-bounds read when reading PCX files (bsc#1173416).
- CVE-2019-16865: Fixed a denial of service with specially crafted image files (bsc#1153191).
- CVE-2020-5311: Fixed an SGI buffer overflow (bsc#1160151).
- CVE-2020-5312: Fixed a buffer overflow in the PCX P mode (bsc#1160152).
- CVE-2020-5313: Fixed a buffer overflow related to FLI (bsc#1160153).
- CVE-2019-19911: Fixed a denial of service in FpxImagePlugin.py (bsc#1160192).

python-waitress to version 1.4.3:
- CVE-2019-16785: Fixed HTTP request smuggling through LF vs CRLF handling (bsc#1161088).
- CVE-2019-16786: Fixed HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089).
- CVE-2019-16789: Fixed HTTP request smuggling through invalid whitespace characters (bsc#1160790).
- CVE-2019-16792: Fixed HTTP request smuggling through Content-Length header handling (bsc#1161670).
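The four waitress entries above are instances of one failure class: a front-end proxy and the back-end server disagree about where one request's body ends and the next request begins, so an attacker can hide a second request inside the first. The following is an added example, not waitress code and not taken from this advisory: a strict HTTP/1.1 request-head parser that refuses every ambiguous framing instead of guessing. The rules it enforces are RFC 7230's; the mapping to the four CVEs is by category only (the exact inputs that triggered each waitress bug are not on this page), and the sample requests are constructed, not captured traffic.

```python
import re

# Added example, not waitress code and not from this advisory: a strict
# HTTP/1.1 request-head parser that rejects the framing ambiguities behind
# request-smuggling bugs instead of guessing.  Rules follow RFC 7230; the
# mapping to the four CVE classes is by category only.

TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 token
VERSION = re.compile(rb"^HTTP/1\.[01]$")
DIGITS = re.compile(rb"^[0-9]+$")


class SmugglingRisk(ValueError):
    """Raised for any request head whose body length a proxy and a server
    could compute differently.  The right response is 400, not a guess."""


def parse_request_head(raw: bytes) -> dict:
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise SmugglingRisk("request head not terminated by CRLF CRLF")
    lines = raw[:end].split(b"\r\n")
    # Class CVE-2019-16785: only CRLF ends a line.  A bare LF (or CR) that
    # survives the split is data to us but a line break to a lenient peer.
    for line in lines:
        if b"\n" in line or b"\r" in line:
            raise SmugglingRisk("bare LF or CR inside request head")

    method, _, rest = lines[0].partition(b" ")
    target, _, version = rest.partition(b" ")
    if not (TOKEN.match(method) and target and VERSION.match(version)):
        raise SmugglingRisk("malformed request line %r" % lines[0])

    headers = {}                      # lower-cased name -> list of values
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise SmugglingRisk("obsolete line folding")
        name, sep, value = line.partition(b":")
        # Class CVE-2019-16789: the name must be a token with no whitespace
        # before the colon.  "Content-Length : 5" is not a Content-Length
        # header to a strict peer, so it must not become one here either.
        if not sep or not TOKEN.match(name):
            raise SmugglingRisk("invalid header name %r" % name)
        value = value.strip(b" \t")
        if any((c < 0x20 and c != 0x09) or c == 0x7F for c in value):
            raise SmugglingRisk("control character in header value")
        headers.setdefault(name.lower(), []).append(value)

    te = headers.get(b"transfer-encoding")
    cl = headers.get(b"content-length")
    if te is not None:
        codings = [c.strip(b" \t").lower() for v in te for c in v.split(b",")]
        # Class CVE-2019-16786: if Transfer-Encoding is present, accept
        # exactly "chunked".  "chunked, identity", "gzip, chunked" or an
        # unknown coding must fail, never silently fall back to Content-Length.
        if codings != [b"chunked"]:
            raise SmugglingRisk("unsupported Transfer-Encoding %r" % te)
        if cl is not None:
            raise SmugglingRisk("both Transfer-Encoding and Content-Length")
        framing = ("chunked", None)
    elif cl is not None:
        # Class CVE-2019-16792: exactly one Content-Length, plain digits.
        # Duplicates, lists ("5, 5"), signs and whitespace are all rejected;
        # RFC 7230 allows merging identical duplicates, rejecting is simpler.
        if len(cl) != 1 or not DIGITS.match(cl[0]):
            raise SmugglingRisk("conflicting or malformed Content-Length %r" % cl)
        framing = ("content-length", int(cl[0]))
    else:
        framing = ("none", 0)
    return {"method": method, "target": target, "headers": headers, "framing": framing}


# Constructed sample requests (not captured traffic), one per CVE class.
SAMPLES = {
    "clean": b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello",
    "bare_lf": b"POST /upload HTTP/1.1\r\nHost: app.example\nContent-Length: 5\r\n\r\nhello",
    "te_not_chunked": b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                      b"Transfer-Encoding: chunked, identity\r\nContent-Length: 5\r\n\r\nhello",
    "space_before_colon": b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length : 5\r\n\r\nhello",
    "double_cl": b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                 b"Content-Length: 5\r\nContent-Length: 50\r\n\r\nhello",
}


def classify(raw: bytes) -> tuple:
    """Return ("ok", framing) or ("reject", reason) for one raw request."""
    try:
        return "ok", parse_request_head(raw)["framing"]
    except SmugglingRisk as exc:
        return "reject", str(exc)


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print("%-20s %s" % (label, classify(raw)))
```

Rejecting rather than normalising is the point: every one of the rejected samples is a request that some proxy in front of the server could parse with a different body length, and the only safe server-side answer to that is a 400 and a closed connection.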

rubygem-activeresource:
- CVE-2020-8151: Fixed possible information disclosure through specially crafted requests (bsc#1171560).

Non security fixes:

Changes in ansible1.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Add 0001-Disallow-use-of-remote-home-directories-containing-..patch (bsc#1126503, CVE-2019-3828)

Changes in ardana-ansible.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version 9.0+git.1591138508.e269bdb:
  * Use internal endpoint for upload image (SOC-11294)
- Update to version 9.0+git.1589740968.d339a28:
  * Reconfigure rabbitmq user permissions on update (SOC-11082)
- Update to version 9.0+git.1588953276.b8b5512:
  * Fix incorrect prefix used to collect supportconfig files (bsc#1171273)

Changes in ardana-cobbler.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version 9.0+git.1588181228.bae3b1f:
  * Ensure distro_signatures.json gets updated if needed (SOC-11249)

Changes in ardana-glance.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version 9.0+git.1593631708.9354a78:
  * Idempotent cirros image upload to glance (SOC-11342)

Changes in ardana-input-model.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version 9.0+git.1589740948.c24fc0b:
  * Add default rabbitmq exchange write permissions (SOC-11082)

Changes in ardana-logging.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version 9.0+git.1591193994.d93b668:
  * kibana: set x-frame-options header (bsc#1171909)

Changes in ardana-manila.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version 9.0+git.1594158642.b5905e4:
  * Ensure manila_upgrade_mode is initialised appropriately (SOC-11341)
- Update to version 9.0+git.1593516580.6c83767:
  * Skip openstack-manila-share status check during upgrade (SOC-11341)

Changes in ardana-monasca.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version 9.0+git.1589385256.7fbfaaf:
  * Fix stop start/stop logic (SOC-11209)
- Update to version 9.0+git.1588610558.98958f3:
  * Fix monasca-thresh-wrapper status action (SOC-11209)
- Update to version 9.0+git.1588343155.0e67455:
  * monasca-thresh restart and storm upgrade enhancements (SOC-11209)

Changes in ardana-mq.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version 9.0+git.1593618110.cbd1a37:
  * Ensure epmd.service started/stopped independent of rabbitmq (SOC-6780)
- Update to version 9.0+git.1589715197.9196f62:
  * Don't mirror reply queues (SOC-10317)

Changes in ardana-neutron.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version 9.0+git.1590756257.e09d54f:
  * Update L3 rootwrap filters (SOC-11306)

Changes in ardana-octavia.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version 9.0+git.1590079609.a2ae6ab:
  * fix octavia to glance communication over internal endpoint (SOC-11294)

Changes in ardana-tempest.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version 9.0+git.1593033709.9495bb2:
  * load-balancer: set check timeout to 120 seconds (SOC-11330)
- Update to version 9.0+git.1593010160.cb417d7:
  * Blacklist neutron test_snat_external_ip test (SOC-11279)
- Update to version 9.0+git.1592341936.3b5ad41:
  * Remove blacklisted octavia test (SOC-11289)
- Update to version 9.0+git.1592239656.b18289a:
  * Blacklist NetworkMigration tests (SOC-11279)
- Update to version 9.0+git.1590429931.4fa308a:
  * Install only needed tempest plugins (SOC-11297)
- Update to version 9.0+git.1590164310.9e7888e:
  * Enable tempest shelve tests (SOC-9775)
- Update to version 9.0+git.1590151267.16bddd9:
  * Add NetworkMigration tests back in neutron filter (SOC-11279)
- Update to version 9.0+git.1589460689.e3bd243:
  * Enable test_delete_policies_while_tenant_attached_to_net test (SOC-9235)
- Update to version 9.0+git.1589206665.aedb17d:
  * Blacklist some NetworkMigration tests (SOC-11279)

Changes in crowbar-core.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version 6.0+git.1594619891.b75a61d0d:
  * upgrade: Do not stop pacemaker managed apache service (SOC-11298)
- Update to version 6.0+git.1593156244.533c05c01:
  * Ignore CVE-2020-8184 (SOC-11299)
- Update to version 6.0+git.1592589539.e0cbb8c8f:
  * provisioner: allow tftp access from admin network only (bsc#1019111)
- Update to version 6.0+git.1590650924.e7548b2ac:
  * Ignore latest ruby-related CVEs in the CI (SOC-11299)
- Update to version 6.0+git.1589803358.48ba3f4a6:
  * provisioner: Fix ssh key validation (SOC-11126)
- Update to version 6.0+git.1588062060.de79301bf:
  * upgrade: disable zypper process check temporarily (SOC-11203)

Changes in crowbar-openstack.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version 6.0+git.1591795073.49cb6400e:
  * kibana: set x-frame-options header (bsc#1171909, CVE-2020-10743)
- Update to version 6.0+git.1591104467.7de344556:
  * Restore undeprecated nova dhcp_domain option (bsc#1171594)
- Update to version 6.0+git.1590579980.5258ac04a:
  * tempest: Enable shelve tests when using RBD ephemeral (SOC-11176)
- Update to version 6.0+git.1589957131.fcfccecc1:
  * galera: Make sure checks are executed without password (bsc#1136928)
- Update to version 6.0+git.1589573559.3bf36a7cd:
  * rabbitmq: sync startup definitions.json with recipe (SOC-11077, SOC-11274)
- Update to version 6.0+git.1589544034.e52fd938a:
  * trove: fix rabbitmq connection URL (SOC-11286)
- Update to version 6.0+git.1589389407.5a306c6d3:
  * tempest: remove port_admin_state_change workaround (SOC-10029)
- Update to version 6.0+git.1588686448.3c0060ca7:
  * Fix monasca libvirt ping checks (bsc#1107190)
- Update to version 6.0+git.1588259003.a4e938422:
  * run keystone_register on cluster founder only when HA (SOC-11248)
  * ceilometer: Post API removal cleanup (SOC-10124)
- Update to version 6.0+git.1588096476.79154bb30:
  * nova: run keystone_register on cluster founder only (SOC-11243)

Changes in grafana.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Add CVE-2020-13379.patch
  * Security: fix unauthorized avatar proxying (bsc#1172409, CVE-2020-13379)
- Add 0001-CVE-2020-12052-bsc1170657-XSS-annotation-popup-vulnerability.patch
  * Security: Fix annotation popup XSS vulnerability (bsc#1170657, CVE-2020-12052)
- Add CVE-2019-15043.patch (SOC-10357, CVE-2019-15043, bsc#1148383)
- Create plugin directory and clean up (create in %install, add to %files) handling of /var/lib/grafana/* and

Changes in kibana.SUSE_SLE-12-SP4_Update_Products_Cloud9:
- Add 0001-Configurable-custom-response-headers-for-server.patch (bsc#1171909, CVE-2020-10743)

Changes in openstack-barbican.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- drop python-argparse buildrequires

Changes in openstack-ceilometer.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version ceilometer-11.1.1.dev7:
  * [stable-only] Add confluent-kafka to test-requirements
- Update to version ceilometer-11.1.1.dev6:
  * Temporary failures should be treated as temporary

Changes in openstack-cinder.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- drop obsolete python-argparse buildrequires
- Update to version cinder-13.0.10.dev12:
  * Remove VxFlex OS credentials from connection_properties
- Update to version cinder-13.0.10.dev11:
  * [stable only] Add warning about rbd_keyring_conf
- Update to version cinder-13.0.10.dev10:
  * VMAX Driver - Backport fix for Rocky and Queens

Changes in openstack-dashboard.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version horizon-14.1.1.dev6:
  * Fix tenant_id for a new port
- Update to version horizon-14.1.1.dev5:
  * Fix .zuul.yaml syntax errors
  * Gate fix: use tempest-horizon 0.2.0 explicitly
  * Authenticate before Authorization

Changes in openstack-designate.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version designate-7.0.2.dev2:
  * Worker should send NOTIFY also to all servers in 'also_notifies' pool settings
- Update to version designate-7.0.2.dev1:
  * Pin stable/rocky tempest tests to 0.7.0 tag 7.0.1

Changes in openstack-heat-templates.SUSE_SLE-12-SP4_Update_Products_Cloud9_Update:
- Update to version 0.0.0+git.1582270132.8a20477:
  * Drop use of git.openstack.org
  * Add example for running Zun container
  * OpenDev Migration Patch
  * Replace openstack.org git:// URLs with https://
  * Add