Security update for openstack-nova and openstack-neutron

Announcement ID:	SUSE-SU-2015:2220-1
Rating:	moderate
References:	bsc#927625 bsc#935017 bsc#935263 bsc#939691 bsc#942457 bsc#943648 bsc#944178 bsc#945923 bsc#948704 bsc#949070 bsc#949529
Cross-References:	CVE-2015-3221 CVE-2015-3241 CVE-2015-3280 CVE-2015-5240 CVE-2015-7713
CVSS scores:
Affected Products:	SUSE Cloud for SLE 12 Compute Nodes 5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves five vulnerabilities and has six security fixes can now be installed.

Description:

This update for openstack-nova and openstack-neutron provides various fixes and improvements.

openstack-nova:

• Fix instance filtering. (bsc#927625)
• Remove error messages from multipath command output before parsing. (bsc#949529)
• Fix live-migration usage of the wrong connector information.
• Added requirement for memcached to python-nova. (bsc#942457)
• Don't expect meta attributes in object_compat that aren't in the db obj. (bsc#949070, CVE-2015-7713)
• Kill rsync/scp processes before deleting instance. (bsc#935017, CVE-2015-3241)
• Sync process utils from oslo for execute callbacks. (bsc#935017, CVE-2015-3241)
• Fix rebuild of an instance with a volume attached.
• Fixes _cleanup_rbd code to capture ImageBusy exception.
• Don't try to confine a non-NUMA instance.
• Include blank volumes in the block device mapping (bsc#945923)
• Delete orphaned instance files from compute nodes (bsc#944178, CVE-2015-3280)

openstack-neutron:

• Fix usage_audit to work with ML2.
• Fix UDP offloading issue with virtio VMs. (bsc#948704)
• Fix ipset can't be destroyed when last rule is deleted.
• Add ARP spoofing protection for LinuxBridge agent.
• Don't use ARP responder for IPv6 addresses in ovs.
• Stop device_owner from being set to 'network:*'. (bsc#943648, CVE-2015-5240)
• NSX-mh: use router_distributed flag.
• NSX-mh: Failover controller connections on socket failures.
• NSX-mh: Prevent failures on router delete.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Cloud for SLE 12 Compute Nodes 5
  zypper in -t patch SUSE-SLE12-CLOUD-5-2015-953=1

Package List:

• SUSE Cloud for SLE 12 Compute Nodes 5 (noarch)
  • openstack-neutron-linuxbridge-agent-2014.2.4~a0~dev103-10.3
  • openstack-neutron-ha-tool-2014.2.4~a0~dev103-10.3
  • openstack-nova-2014.2.4~a0~dev80-14.1
  • python-nova-2014.2.4~a0~dev80-14.1
  • openstack-neutron-2014.2.4~a0~dev103-10.3
  • openstack-neutron-openvswitch-agent-2014.2.4~a0~dev103-10.3
  • openstack-neutron-l3-agent-2014.2.4~a0~dev103-10.3
  • openstack-neutron-dhcp-agent-2014.2.4~a0~dev103-10.3
  • openstack-neutron-vpn-agent-2014.2.4~a0~dev103-10.3
  • openstack-neutron-metadata-agent-2014.2.4~a0~dev103-10.3
  • openstack-nova-compute-2014.2.4~a0~dev80-14.1
  • python-neutron-2014.2.4~a0~dev103-10.3
  • python-python-memcached-1.54-2.1
  • openstack-neutron-metering-agent-2014.2.4~a0~dev103-10.3
  • openstack-neutron-lbaas-agent-2014.2.4~a0~dev103-10.3

References:

• https://www.suse.com/security/cve/CVE-2015-3221.html
• https://www.suse.com/security/cve/CVE-2015-3241.html
• https://www.suse.com/security/cve/CVE-2015-3280.html
• https://www.suse.com/security/cve/CVE-2015-5240.html
• https://www.suse.com/security/cve/CVE-2015-7713.html
• https://bugzilla.suse.com/show_bug.cgi?id=927625
• https://bugzilla.suse.com/show_bug.cgi?id=935017
• https://bugzilla.suse.com/show_bug.cgi?id=935263
• https://bugzilla.suse.com/show_bug.cgi?id=939691
• https://bugzilla.suse.com/show_bug.cgi?id=942457
• https://bugzilla.suse.com/show_bug.cgi?id=943648
• https://bugzilla.suse.com/show_bug.cgi?id=944178
• https://bugzilla.suse.com/show_bug.cgi?id=945923
• https://bugzilla.suse.com/show_bug.cgi?id=948704
• https://bugzilla.suse.com/show_bug.cgi?id=949070
• https://bugzilla.suse.com/show_bug.cgi?id=949529