Security update for crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client

Announcement ID: SUSE-SU-2020:0081-1
Rating: moderate
CVSS scores:
  • CVE-2019-13117 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  • CVE-2019-13117 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2019-13117 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2019-16770 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-16770 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE OpenStack Cloud 7

An update that solves three vulnerabilities, contains four features and has one security fix can now be installed.

Description:

This update for crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client contains the following fixes:

Security issue fixed for rubygem-puma:

  • CVE-2019-16770: Fixed a potential denial of service in Puma's reactor (bsc#1158675, jsc#SOC-10999)

Security issue fixed for rubygem-rest-client:

  • CVE-2015-3448: Fixed a plain text local password disclosure. (bsc#917802)

Updates for crowbar-core:

  • Update to version 4.0+git.1574788924.e4a6aeb0c:
    • Allow pacemaker remotes for upgrade (SOC-10133)
  • Update to version 4.0+git.1574713660.972029d1a:
    • Ignore CVE-2019-13117 in CI builds (bsc#1157028)

Updates for crowbar-openstack:

  • Update to version 4.0+git.1574869671.9c7bade2d:
    • tempest: configure Kibana version (SOC-10131)
  • Update to version 4.0+git.1574764112.c260c70e5:
    • horizon: install lbaas horizon dashboard (SOC-10883)

Updates for openstack-horizon-plugin-monasca-ui:

  • Refresh allow-raw-grafana-links.patch
  • Update to version 1.5.5~dev3:
    • Replace openstack.org git:// URLs with https://
    • Fix the partial missing metrics in Create Alarm Definition flow
    • import zuul job settings from project-config
    • Fix incorrect splitting of dimension in ProxyView
    • Fix Alarm status Panel on Overview page
    • Change IntegerField to ChoiceField for notification period
    • Imported Translations from Zanata
    • Display unique metric names for alarm
    • Fix Alarm Details section in Alarm History view
    • Fix validators for creating and editing notifications
    • Center the text for the button Deterministic
    • Adding title to Filter Alarms pop-up
    • Fix misleading validation error
    • Fix nit found in monasca-ui
    • Fix Breadcrumbs
    • Fix description for name field
    • Fixing 'Create Alarm Definition' for IE11
    • Imported Translations from Zanata

Updates to openstack-monasca-api:

  • Added fix-metric-name-offset.patch (SOC-10131)
  • Removed 0001-Fix-InfluxDB-repository-list_dimension_values-to-sup.patch (merged upstream)
  • Update to version 1.7.1~dev18:
    • Replace openstack.org git:// URLs with https://
    • import zuul job settings from project-config
    • Upgrade Apache Storm to 1.0.6
    • Zuul: Remove project name

Updates to openstack-monasca-log-api:

  • Added fix-tempest-region.patch (SOC-10131)
  • Update to version 1.4.3~dev3:
    • Replace openstack.org git:// URLs with https://
    • import zuul job settings from project-config
    • Avoid tox_install.sh for constraints support

Updates to openstack-neutron:

  • neutron: Remove stop action from ovs-cleanup (bsc#1157482), backport of https://review.opendev.org/#/c/695867/

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE OpenStack Cloud 7
    zypper in -t patch SUSE-OpenStack-Cloud-7-2020-81=1

Package List:

  • SUSE OpenStack Cloud 7 (x86_64)
    • crowbar-core-branding-upstream-4.0+git.1574788924.e4a6aeb0c-9.60.2
    • rubygem-puma-debugsource-2.16.0-4.3.1
    • ruby2.1-rubygem-puma-debuginfo-2.16.0-4.3.1
    • crowbar-core-4.0+git.1574788924.e4a6aeb0c-9.60.2
    • ruby2.1-rubygem-puma-2.16.0-4.3.1
  • SUSE OpenStack Cloud 7 (noarch)
    • openstack-monasca-log-api-1.4.3~dev3-5.1
    • python-monasca-api-1.7.1~dev18-12.1
    • openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.38.1
    • openstack-neutron-9.4.2~dev21-7.38.1
    • grafana-monasca-ui-drilldown-1.5.5~dev3-8.1
    • openstack-neutron-ha-tool-9.4.2~dev21-7.38.1
    • openstack-neutron-openvswitch-agent-9.4.2~dev21-7.38.1
    • crowbar-openstack-4.0+git.1574869671.9c7bade2d-9.65.1
    • python-neutron-9.4.2~dev21-7.38.1
    • python-monasca-log-api-1.4.3~dev3-5.1
    • openstack-neutron-metadata-agent-9.4.2~dev21-7.38.1
    • openstack-monasca-api-1.7.1~dev18-12.1
    • openstack-neutron-doc-9.4.2~dev21-7.38.1
    • openstack-neutron-l3-agent-9.4.2~dev21-7.38.1
    • openstack-neutron-metering-agent-9.4.2~dev21-7.38.1
    • openstack-neutron-dhcp-agent-9.4.2~dev21-7.38.1
    • openstack-neutron-server-9.4.2~dev21-7.38.1
    • python-horizon-plugin-monasca-ui-1.5.5~dev3-8.1
    • openstack-horizon-plugin-monasca-ui-1.5.5~dev3-8.1
    • openstack-neutron-macvtap-agent-9.4.2~dev21-7.38.1
