Security update for Cloud Compute 12

Announcement ID:	SUSE-SU-2015:1666-1
Rating:	moderate
References:	bsc#915245 bsc#917091 bsc#920573 bsc#922751 bsc#926596 bsc#926773 bsc#927625 bsc#930574 bsc#931839 bsc#934523 bsc#944339
Cross-References:	CVE-2015-0259
CVSS scores:
Affected Products:	SUSE Cloud for SLE 12 Compute Nodes 5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves one vulnerability and has 10 security fixes can now be installed.

Description:

This collective update for the Cloud Compute 12 Module provides several fixes and enhancements.

openstack-suse:

• Do not copy upstream Python requirements to the package. (bsc#920573)

openstack-nova:

• Fix metadata not returning just instance private IP. (bsc#934523)
• Enable tenant/user specific instance filtering. (bsc#927625)
• Cleanup allocated networks after rescheduling. (bsc#931839)
• Fix instance filtering. (bsc#927625)
• Websocket Proxy should verify Origin header to prevent Cross-Site WebSocket hijacking. (bsc#917091, CVE-2015-0259)

openstack-neutron:

• Change neutron-ha-tool to read password from /etc/neutron/os_password. (bsc#922751)
• Change port status when it is bound. (bsc#926773)
• Require conntrack-tools for SLE12. (bsc#944339)
• Allow images with existing routes in the network 169.254.0.0/16 to access metadata server. (bsc#915245)

openstack-ceilometer:

• Fix issue when ceilometer-expirer is called from the wrong user via cronjob and the resulting logs end up having wrong ownership. (bsc#930574)
• Move the cron job to collector package. (bsc#926596)

For a comprehensive list of changes, please refer to the packages' change log.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Cloud for SLE 12 Compute Nodes 5
  zypper in -t patch SUSE-SLE12-CLOUD-5-2015-629=1

Package List:

• SUSE Cloud for SLE 12 Compute Nodes 5 (noarch)
  • openstack-neutron-linuxbridge-agent-2014.2.4~a0~dev78-7.2
  • openstack-neutron-openvswitch-agent-2014.2.4~a0~dev78-7.2
  • openstack-nova-2014.2.4~a0~dev61-6.2
  • python-nova-2014.2.4~a0~dev61-6.2
  • openstack-ceilometer-2014.2.4.dev18-3.2
  • openstack-neutron-metadata-agent-2014.2.4~a0~dev78-7.2
  • openstack-neutron-lbaas-agent-2014.2.4~a0~dev78-7.2
  • openstack-suse-sudo-2014.2-5.1
  • openstack-neutron-2014.2.4~a0~dev78-7.2
  • openstack-neutron-vpn-agent-2014.2.4~a0~dev78-7.2
  • python-ceilometer-2014.2.4.dev18-3.2
  • openstack-ceilometer-agent-compute-2014.2.4.dev18-3.2
  • openstack-neutron-l3-agent-2014.2.4~a0~dev78-7.2
  • python-neutron-2014.2.4~a0~dev78-7.2
  • openstack-neutron-dhcp-agent-2014.2.4~a0~dev78-7.2
  • openstack-neutron-metering-agent-2014.2.4~a0~dev78-7.2
  • openstack-neutron-ha-tool-2014.2.4~a0~dev78-7.2
  • openstack-nova-compute-2014.2.4~a0~dev61-6.2

References:

• https://www.suse.com/security/cve/CVE-2015-0259.html
• https://bugzilla.suse.com/show_bug.cgi?id=915245
• https://bugzilla.suse.com/show_bug.cgi?id=917091
• https://bugzilla.suse.com/show_bug.cgi?id=920573
• https://bugzilla.suse.com/show_bug.cgi?id=922751
• https://bugzilla.suse.com/show_bug.cgi?id=926596
• https://bugzilla.suse.com/show_bug.cgi?id=926773
• https://bugzilla.suse.com/show_bug.cgi?id=927625
• https://bugzilla.suse.com/show_bug.cgi?id=930574
• https://bugzilla.suse.com/show_bug.cgi?id=931839
• https://bugzilla.suse.com/show_bug.cgi?id=934523
• https://bugzilla.suse.com/show_bug.cgi?id=944339