Security update for ansible, ansible1, ardana-ansible, ardana-cluster, ardana-freezer, ardana-input-model, ardana-logging, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, caasp-openstack-h

Announcement ID: SUSE-SU-2020:1901-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2017-1000246 ( SUSE ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2017-1000246 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2019-1010083 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-1010083 ( SUSE ): 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVE-2019-1010083 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-15043 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
  • CVE-2019-15043 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-16785 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2019-16785 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2019-16786 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2019-16786 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2019-16789 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
  • CVE-2019-16789 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
  • CVE-2019-16792 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2019-16792 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2019-16865 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2019-16865 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-18874 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2019-18874 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19911 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19911 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-3828 ( SUSE ): 4.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
  • CVE-2019-3828 ( NVD ): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
  • CVE-2019-3828 ( NVD ): 4.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
  • CVE-2020-10663 ( SUSE ): 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
  • CVE-2020-10663 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2020-10743 ( SUSE ): 3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
  • CVE-2020-10743 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
  • CVE-2020-11076 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
  • CVE-2020-11076 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2020-11077 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
  • CVE-2020-11077 ( NVD ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
  • CVE-2020-12052 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE-2020-12052 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2020-13254 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2020-13379 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2020-13379 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
  • CVE-2020-13596 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE-2020-13596 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2020-5312 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2020-5312 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-5313 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2020-5313 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
  • CVE-2020-5390 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2020-5390 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2020-8151 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2020-8151 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
  • HPE Helion OpenStack 8
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE OpenStack Cloud 8
  • SUSE OpenStack Cloud Crowbar 8

An update that solves 23 vulnerabilities, contains 29 features and has 12 security fixes can now be installed.

Description:

This update for ansible, ansible1, ardana-ansible, ardana-cluster, ardana-freezer, ardana-input-model, ardana-logging, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-dashboard, openstack-dashboard-theme-HPE, openstack-heat-templates, openstack-keystone, openstack-monasca-agent, openstack-monasca-installer, openstack-neutron, openstack-octavia-amphora-image, python-Django, python-Flask, python-GitPython, python-Pillow, python-amqp, python-apicapi, python-keystoneauth1, python-oslo.messaging, python-psutil, python-pyroute2, python-pysaml2, python-tooz, python-waitress, storm contains the following fixes:

The update fixes several security issues:

ansible - CVE-2019-3828: Fixed a path traversal in the fetch module (bsc#1126503).

grafana:
  • CVE-2020-13379: Fixed an incorrect access control issue which could lead to information leaks or denial of service (bsc#1172409).
  • CVE-2020-12052: Fixed a cross-site scripting vulnerability related to the annotation popup (bsc#1170657).

kibana - CVE-2020-10743: Fixed a clickjacking vulnerability (bsc#1171909).

python-Django:
  • CVE-2020-13254: Fixed a data leakage via malformed memcached keys (bsc#1172167).
  • CVE-2020-13596: Fixed a cross-site scripting vulnerability related to the admin parameters of the ForeignKeyRawIdWidget (bsc#1172166).
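The memcached text protocol carries each key on a command line, so a key that contains whitespace or a control character can split or terminate that command and make the server answer for a different key; keys are also limited to 250 bytes. The following added example (not Django's code or the SUSE patch) shows the check a cache layer can apply before a key reaches memcached, either refusing the key or replacing it with a digest so it can no longer collide with another caller's entry. The `app` prefix and version scheme are this example's own convention, and the sample keys are constructed.

```python
import hashlib
import re

# Limits of the memcached text protocol: a key is at most 250 bytes and may not
# contain whitespace or control characters, which would end or split the
# command line that carries the key.
MEMCACHE_MAX_KEY_LENGTH = 250
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f]")


class InvalidCacheKey(ValueError):
    """Key would be mangled or mis-parsed by the memcached protocol."""


def validate_key(key: str) -> str:
    """Return the key unchanged if memcached can store it safely, else raise."""
    bad = _FORBIDDEN.search(key)
    if bad:
        raise InvalidCacheKey(
            "control or whitespace character %r at offset %d" % (bad.group(), bad.start()))
    if len(key.encode("utf-8")) > MEMCACHE_MAX_KEY_LENGTH:
        raise InvalidCacheKey("key longer than %d bytes" % MEMCACHE_MAX_KEY_LENGTH)
    return key


def is_valid_key(key: str) -> bool:
    """Boolean form of validate_key, for callers that prefer not to catch."""
    try:
        validate_key(key)
    except InvalidCacheKey:
        return False
    return True


def safe_key(key: str, prefix: str = "app", version: int = 1) -> str:
    """Build the versioned key a cache layer would send to memcached.

    The 'prefix:version:key' layout is this example's own (hypothetical)
    convention. When the composed key is not representable, the caller's key
    is replaced by its SHA-256 digest rather than sent as-is, so it can
    neither split the command nor collide with another caller's key.
    """
    candidate = "%s:%d:%s" % (prefix, version, key)
    if not is_valid_key(candidate):
        digest = hashlib.sha256(key.encode("utf-8")).hexdigest()
        candidate = "%s:%d:sha256:%s" % (prefix, version, digest)
    return validate_key(candidate)


if __name__ == "__main__":
    # Constructed sample keys: one clean, one with a space, one with CRLF, one too long.
    for sample in ("user:42:profile", "user 42", "user\r\n42", "x" * 300):
        print(repr(sample[:20]), "valid" if is_valid_key(sample) else "invalid",
              "->", safe_key(sample))
```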

python-Flask - CVE-2019-1010083: Fixed a denial of service via crafted encoded JSON. (bsc#1141968)

python-Pillow:
  • CVE-2019-16865: Fixed a denial of service with specially crafted image files (bsc#1153191).
  • CVE-2020-5312: Fixed a buffer overflow in the PCX P mode (bsc#1160152).
  • CVE-2020-5313: Fixed a buffer overflow related to FLI (bsc#1160153).
  • CVE-2019-19911: Fixed a denial of service in FpxImagePlugin.py (bsc#1160192).
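The Pillow denial-of-service fix (CVE-2019-16865) backports decompression-bomb checks: an image whose header declares a huge canvas is refused before a pixel buffer of that size is allocated. As an added example, not Pillow's code or the SUSE patches, the block below reads the declared dimensions from a PNG or GIF header with the standard library only and applies the same two-tier rule Pillow uses (warn above a pixel budget, refuse above twice the budget; the budget constant is Pillow's documented default, assumed here). The sample headers are constructed and carry no pixel data.

```python
import struct
import warnings

# Pillow's default pixel budget (Image.MAX_IMAGE_PIXELS): images above twice
# this many pixels are refused, images above it only draw a warning.
MAX_IMAGE_PIXELS = 1024 * 1024 * 1024 // 4 // 3


class DecompressionBombWarning(RuntimeWarning):
    """Declared size is large but still within twice the budget."""


class DecompressionBombError(Exception):
    """Declared size exceeds twice the budget: refuse to decode."""


def declared_size(data: bytes) -> tuple:
    """Read (width, height) from a PNG or GIF header without decoding pixels.

    Only fixed-offset header fields are consulted, so a bomb is detected from
    a few dozen bytes before any pixel buffer exists. Truncated headers raise
    ValueError instead of being read past their end.
    """
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        if len(data) < 24 or data[12:16] != b"IHDR":
            raise ValueError("truncated or malformed PNG header")
        return struct.unpack(">II", data[16:24])    # big-endian 32-bit fields
    if data[:6] in (b"GIF87a", b"GIF89a"):
        if len(data) < 10:
            raise ValueError("truncated GIF header")
        return struct.unpack("<HH", data[6:10])     # little-endian 16-bit fields
    raise ValueError("not a PNG or GIF header")


def _verdict(width: int, height: int, budget: int) -> str:
    if width == 0 or height == 0:
        return "invalid"
    pixels = width * height
    if pixels > 2 * budget:
        return "bomb"
    if pixels > budget:
        return "warn"
    return "ok"


def classify(data: bytes, budget: int = MAX_IMAGE_PIXELS) -> str:
    """'ok', 'warn', 'bomb' or 'invalid' for the image's declared size."""
    try:
        width, height = declared_size(data)
    except ValueError:
        return "invalid"
    return _verdict(width, height, budget)


def check_image(data: bytes, budget: int = MAX_IMAGE_PIXELS) -> int:
    """Gate to run before handing bytes to a decoder; returns the pixel count."""
    width, height = declared_size(data)             # ValueError on a bad header
    verdict = _verdict(width, height, budget)
    if verdict == "invalid":
        raise ValueError("image declares a zero dimension")
    if verdict == "bomb":
        raise DecompressionBombError(
            "image declares %d x %d = %d pixels, over twice the budget of %d"
            % (width, height, width * height, budget))
    if verdict == "warn":
        warnings.warn("image declares %d pixels, above the budget of %d"
                      % (width * height, budget), DecompressionBombWarning)
    return width * height


# Constructed sample headers (no pixel data follows them).
def png_header(width: int, height: int) -> bytes:
    ihdr = struct.pack(">II", width, height) + b"\x08\x02\x00\x00\x00"
    return (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + ihdr
            + b"\x00\x00\x00\x00")                  # CRC left as zeros; not verified here


def gif_header(width: int, height: int) -> bytes:
    return b"GIF89a" + struct.pack("<HH", width, height) + b"\x00\x00\x00"


SAMPLES = {
    "small_png": png_header(100, 100),          # 10,000 pixels
    "large_png": png_header(20000, 20000),      # 400,000,000 pixels
    "max_gif": gif_header(65535, 65535),        # largest size a GIF header can declare
    "truncated": b"\x89PNG\r\n\x1a\n\x00\x00",   # signature only, no IHDR
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(data))
```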

python-psutil - CVE-2019-18874: Fixed a double free caused by refcount mishandling. (bsc#1156525)

python-pysaml2:
  • CVE-2020-5390: Fixed an issue with the verification of signatures in SAML documents (bsc#1160851).
  • CVE-2017-1000246: Fixed an issue with weak encryption of data, caused by initialization vector reuse (bsc#1068612).

python-waitress (updated to version 1.4.3):
  • CVE-2019-16785: Fixed HTTP request smuggling through LF vs CRLF handling (bsc#1161088).
  • CVE-2019-16786: Fixed HTTP request smuggling through invalid Transfer-Encoding (bsc#1161089).
  • CVE-2019-16789: Fixed HTTP request smuggling through invalid whitespace characters (bsc#1160790).
  • CVE-2019-16792: Fixed HTTP request smuggling through Content-Length header handling (bsc#1161670).
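The four waitress entries above are one class of bug: a front-end proxy and the application server framing the same request bytes differently because of bare LF line endings, whitespace around header names, an unexpected Transfer-Encoding value, or a Content-Length that is not a plain number. The following added example, not waitress's code or the SUSE update, shows the strict parsing a hardened HTTP receiver applies so that such requests are rejected outright instead of being interpreted leniently; the sample requests are constructed here.

```python
import re

# RFC 7230 "token" characters, the only ones allowed in a header field name.
TCHAR = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
DIGITS = re.compile(rb"^[0-9]+$")


class AmbiguousRequest(ValueError):
    """A request that two HTTP implementations could frame differently."""


def parse_request_head(raw: bytes) -> dict:
    """Parse a request head strictly; raise AmbiguousRequest on anything a
    front end and a back end might read in two ways."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise AmbiguousRequest("head not terminated by CRLF CRLF")
    leftover = head.replace(b"\r\n", b"")
    if b"\n" in leftover or b"\r" in leftover:
        raise AmbiguousRequest("bare CR or LF inside request head")

    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if (len(parts) != 3 or not TCHAR.match(parts[0])
            or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1")):
        raise AmbiguousRequest("malformed request line %r" % lines[0])

    headers = {}
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise AmbiguousRequest("obsolete line folding")
        name, colon, value = line.partition(b":")
        if not colon or not TCHAR.match(name):
            # Also catches whitespace between the name and the colon.
            raise AmbiguousRequest("invalid header name %r" % name)
        value = value.strip(b" \t")              # optional whitespace is SP/HTAB only
        if any((b < 0x20 and b != 0x09) or b == 0x7F for b in value):
            raise AmbiguousRequest("control character in %s value" % name.decode())
        key = name.lower()
        if key in (b"content-length", b"transfer-encoding") and key in headers:
            raise AmbiguousRequest("duplicate %s header" % key.decode())
        headers[key] = value

    length = headers.get(b"content-length")
    coding = headers.get(b"transfer-encoding")
    if length is not None and coding is not None:
        raise AmbiguousRequest("both Content-Length and Transfer-Encoding present")
    if coding is not None:
        if coding.lower() != b"chunked":         # 'chunked' alone, nothing stacked on it
            raise AmbiguousRequest("unsupported Transfer-Encoding %r" % coding)
        framing = ("chunked", None)
    elif length is not None:
        if not DIGITS.match(length):             # no sign, no spaces, no comma lists
            raise AmbiguousRequest("non-numeric Content-Length %r" % length)
        framing = ("content-length", int(length))
    else:
        framing = ("none", 0)
    return {"method": parts[0], "target": parts[1], "version": parts[2],
            "headers": headers, "framing": framing}


def check_request(raw: bytes) -> str:
    """'ok' or 'rejected: <reason>' for one raw request."""
    try:
        parse_request_head(raw)
    except AmbiguousRequest as exc:
        return "rejected: %s" % exc
    return "ok"


# Constructed sample requests; only the first two are unambiguous.
SAMPLES = {
    "clean": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "chunked": b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "bare_lf": b"POST /api HTTP/1.1\r\nHost: example.test\nContent-Length: 5\r\n\r\nhello",
    "bad_te": b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked-bogus\r\n\r\n0\r\n\r\n",
    "space_name": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\nhello",
    "vtab_value": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length:\x0b5\r\n\r\nhello",
    "cl_and_te": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\nhello",
    "signed_cl": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: +5\r\n\r\nhello",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-11s %s" % (name, check_request(raw)))
```

Rejecting rather than normalising is the point: a receiver that quietly picks one interpretation of an ambiguous request may still disagree with the proxy in front of it, which is exactly the condition smuggling needs.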

rubygem-activeresource - CVE-2020-8151: Fixed an information disclosure issue via specially crafted requests. (bsc#1171560)

rubygem-json-1_7 - CVE-2020-10663: Fixed an unsafe object creation vulnerability. (bsc#1167244)

rubygem-puma:
  • CVE-2020-11077: Fixed an HTTP smuggling issue related to proxy usage (bsc#1172175).
  • CVE-2020-11076: Fixed an HTTP smuggling issue when using an invalid transfer-encoding header (bsc#1172176).

Other non-security fixes in the update are listed below:

Changes in ansible:
  • Add 0001-Disallow-use-of-remote-home-directories-containing-..patch (bsc#1126503, CVE-2019-3828)

Changes in ansible1:
  • Add 0001-Disallow-use-of-remote-home-directories-containing-..patch (bsc#1126503, CVE-2019-3828)

Changes in ardana-ansible:
  • Update to version 8.0+git.1589740980.6c3bcdc:
  • Reconfigure rabbitmq user permissions on update (SOC-11082)
  • Update to version 8.0+git.1588953487.9bfd5cb:
  • Fix incorrect prefix used to collect supportconfig files (bsc#1171273)
  • Update to version 8.0+git.1585690828.81d8f45:
  • Cleanup keystone-ansible (bsc#1108719)

Changes in ardana-cluster:
  • Update to version 8.0+git.1585685203.3e71e49:
  • Use bool filter to ensure valid boolean evaluation (SOC-11192)

Changes in ardana-freezer:
  • Update to version 8.0+git.1586539529.b7d295f:
  • Recovering Cloud8 using Freezer or SSH backups if upgrade fails (SOC-10137)

Changes in ardana-input-model:
  • Update to version 8.0+git.1589740934.0e0ad61:
  • Add default rabbitmq exchange write permissions (SOC-11082)
  • Update to version 8.0+git.1586174594.2b92ec3:
  • add port neutron security extension to CI models (SOC-11027)

Changes in ardana-logging:
  • Update to version 8.0+git.1591194866.b7375d0:
  • kibana: set x-frame-options header (bsc#1171909)
  • Update to version 8.0+git.1586179244.ae61f62:
  • Fix YAMLLoadWarning: calling yaml.load() without Loader (bsc#1168593)

Changes in ardana-mq:
  • Update to version 8.0+git.1589715269.62ad6df:
  • Don't mirror reply queues (SOC-10317)
  • Update to version 8.0+git.1586784724.586343d:
  • Actually fail if sync HA queues retries exceeded (SOC-11083)

Changes in ardana-neutron:
  • Update to version 8.0+git.1590756744.ba84abc:
  • Update L3 rootwrap filters (SOC-11306)
  • Update to version 8.0+git.1587737509.4e09de3:
  • Add network.target "After" option (bsc#1169770)
  • Update to version 8.0+git.1586546152.e7bc07f:
  • Add neutron-common role dependencies (SOC-10875)
  • Update to version 8.0+git.1586543712.62bb5a3:
  • Fix neutron-ovsvapp-agent status (SOC-10637)
  • Update to version 8.0+git.1586535447.55769df:
  • Improve neutron service restart limit handling (SOC-8746)
  • Update to version 8.0+git.1586519528.a28db53:
  • Correctly setup ardana_notify_... fact (SOC-10902)

Changes in ardana-octavia:
  • Update to version 8.0+git.1590100427.cf4cc8f:
  • fix octavia to glance communication over internal endpoint (SOC-11294)

Changes in ardana-osconfig:
  • Update to version 8.0+git.1587034587.eac37b8:
  • Include SLE 12 SP3 LTSS repos in list of managed repos (SOC-11223)

Changes in caasp-openstack-heat-templates:
  • Switch github URL from git@ to git:// to bypass authentication

Changes in crowbar-core:
  • Update to version 5.0+git.1593156248.55bbdb26d:
  • Ignore CVE-8184 (SOC-11299)
  • Ignore latest ruby-related CVEs in the CI (SOC-11299)
  • Update to version 5.0+git.1589804984.44a89be24:
  • provisioner: Fix ssh key validation (SOC-11126)
  • assign host to hostless keys (noref)

Changes in crowbar-openstack:
  • Update to version 5.0+git.1593085772.64c4ab43c:
  • monasca: Prevent deploying monasca-server to the node in pacemaker cluster (SOC-6354)
  • Update to version 5.0+git.1591171674.1f299cd1c:
  • Restore undeprecated nova dhcp_domain option (bsc#1171594)
  • Update to version 5.0+git.1591104265.683d76534:
  • [5.0] Fix availability zone script (bsc#1171661)
  • Update to version 5.0+git.1590398068.f5cfacc12:
  • nova: only create nonexistent cell1
  • Update to version 5.0+git.1590150829.e86326d03:
  • [5.0] Tempest: enable test_volume_boot_pattern test (SOC-10874)
  • Update to version 5.0+git.1589814633.23fde86ab:
  • rabbitmq: sync startup definitions.json with recipe (SOC-11077,SOC-11274)
  • Update to version 5.0+git.1589647291.73c7f1cb6:
  • [5.0] trove: fix rabbitmq connection URL (SOC-11286)
  • Update to version 5.0+git.1589214669.8332efff3:
  • Fix monasca libvirt ping checks (bsc#1107190)
  • Update to version 5.0+git.1588271874.90adebc7a:
  • run keystone_register on cluster founder only when HA (SOC-11248)
  • nova: run keystone_register on cluster founder only (SOC-11243)
  • Update to version 5.0+git.1588059034.3823515b7:
  • tempest: retry openstack commands (SOC-11238)
  • Update to version 5.0+git.1587403360.c43cd9905:
  • tempest: disable block migration when using RBD (SOC-11176)
  • Update to version 5.0+git.1586293860.901cb0f55:
  • monasca: disable postgres backend monitoring by default (SOC-11190)
  • Update to version 5.0+git.1585659861.c29fac257:
  • magnum: Populate SSL configuration (SOC-9849)
  • magnum: Add SSL support (SOC-9849)
  • nova: Populate cinder SES settings early (SOC-11179)

Changes in documentation-suse-openstack-cloud:
  • Update to version 8.20200527:
  • Update Travis config: new container name (noref)
  • Update to version 8.20200417:
  • Recovering Cloud8 using Freezer or SSH backups if upgrade fails (SOC-10137)
  • Update to version 8.20200326:
  • Clarify wipe_disks does not affect non-OS partitions (bsc#1092420)

Changes in grafana:
  • Add CVE-2020-13379.patch
  • Security: fix unauthorized avatar proxying (bsc#1172409, CVE-2020-13379)
  • Refresh systemd-notification.patch
  • Fix declaration for LICENSE
  • Add 0002-CVE-2020-12052-bsc1170657-XSS-annotation-popup-vulnerability.patch
  • Security: Fix annotation popup XSS vulnerability (bsc#1170657)
  • Add CVE-2019-15043.patch (SOC-10357, CVE-2019-15043, bsc#11483483)

Changes in kibana:
  • Add 0001-Configurable-custom-response-headers-for-server.patch (bsc#1171909, CVE-2020-10743)

Changes in openstack-dashboard:
  • Update to version horizon-12.0.5.dev3:
  • Fix typo in publicize_image policy name

Changes in openstack-dashboard-theme-HPE:
  • Switch github URL from git@ to https:// to bypass authentication

Changes in openstack-heat-templates:
  • Update to version 0.0.0+git.1582270132.8a20477:
  • Drop use of git.openstack.org
  • Add sample templates for Blazar

Changes in openstack-keystone:
  • Update to version keystone-12.0.4.dev11:
  • Fix security issues with EC2 credentials
  • Update to version keystone-12.0.4.dev10:
  • Check timestamp of signed EC2 token request
  • Ensure OAuth1 authorized roles are respected
  • Update to version keystone-12.0.4.dev6:
  • Remove neutron-grenade job

Changes in openstack-monasca-agent:
  • update to version 2.2.6~dev4
  • Add debug output for libvirt ping checks
  • Lockdown /bin/ip permissions for the monasca-agent (bsc#1107190)
  • add additional arguments to /bin/ip in sudoers
  • Fix missing sudo privileges (bsc#1107190)
  • add /bin/ip and /usr/bin/ovs-vsctl to monasca-agent sudoers
  • removed 0001-Avoid-overwriting-sys.path-ip-command.patch
  • update to version 2.2.6~dev3
  • Do not copy /sbin/ip to /usr/bin/monasa-agent-ip
  • update to version 2.2.6~dev2
  • Remove incorrect assignment of ping_cmd to 'True'
  • update to version 2.2.6~dev1
  • Update hacking version to 1.1.x

Changes in openstack-monasca-installer:
  • Add 0001-kibana:-set-x-frame-options-header.patch (bsc#1171909, CVE-2020-10743)

Changes in openstack-neutron:
  • Update to version neutron-11.0.9.dev65:
  • Revert iptables TCP checksum-fill code
  • Update to version neutron-11.0.9.dev64:
  • [Pike-only]: make grenade jobs non-voting

Changes in openstack-octavia-amphora-image:
  • Update image to 0.1.4 to include latest changes

Changes in python-Django:
  • Security fixes (bsc#1172167, bsc#1172166, CVE-2020-13254, CVE-2020-13596)
  • Added patch CVE-2020-13254-1.8.19.patch
  • Added patch CVE-2020-13596-1.8.19.patch

Changes in python-Flask:
  • Apply patch to resolve CVE-2019-1010083 (bsc#1141968)
  • 0001-detect-UTF-encodings-when-loading-json.patch

Changes in python-GitPython:
  • Require git-core instead of git

Changes in python-Pillow:
  • Remove decompression_bomb.gif and relevant test case to avoid ClamAV scan alerts during build

  • Add 001-Corrected-negative-seeks.patch
  • From upstream, backported
  • Fixes part of CVE-2019-16865, bsc#1153191
  • Add 002-Added-DecompressionBombError.patch
  • From upstream, backported
  • Adds DecompressionBombError class
  • Used by 003-Added-decompression-bomb-checks.patch
  • Add 003-Added-decompression-bomb-checks.patch
  • From upstream, backported
  • Fixes part of CVE-2019-16865, bsc#1153191
  • Add 004-Raise-error-if-dimension-is-a-string.patch
  • From upstream, backported
  • Fixes part of CVE-2019-16865, bsc#1153191
  • Add 005-Catch-buffer-overruns.patch
  • From upstream, backported
  • Fixes part of CVE-2019-16865, bsc#1153191
  • Add 006-Catch-PCX-P-mode-buffer-overrun.patch
  • From upstream, backported
  • Fixes CVE-2020-5312, bsc#1160152
  • Add 007-Test-animated-FLI-file.patch
  • From upstream, backported