Security update for ansible, ansible1, ardana-ansible, ardana-cluster, ardana-freezer, ardana-input-model, ardana-logging, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, caasp-openstack-h

Announcement ID:	SUSE-SU-2020:1901-1
Rating:	important
References:	bsc#1068612 bsc#1092420 bsc#1107190 bsc#1108719 bsc#1123872 bsc#1126503 bsc#1141968 bsc#11483483 bsc#1148383 bsc#1153191 bsc#1156525 bsc#1159046 bsc#1160152 bsc#1160153 bsc#1160192 bsc#1160790 bsc#1160851 bsc#1161088 bsc#1161089 bsc#1161670 bsc#1164322 bsc#1167244 bsc#1168593 bsc#1169770 bsc#1170657 bsc#1171273 bsc#1171560 bsc#1171594 bsc#1171661 bsc#1171909 bsc#1172166 bsc#1172167 bsc#1172175 bsc#1172176 bsc#1172409 jsc#SOC-10137 jsc#SOC-10317 jsc#SOC-10357 jsc#SOC-10637 jsc#SOC-10874 jsc#SOC-10875 jsc#SOC-10902 jsc#SOC-11027 jsc#SOC-11077 jsc#SOC-11082 jsc#SOC-11083 jsc#SOC-11122 jsc#SOC-11126 jsc#SOC-11176 jsc#SOC-11179 jsc#SOC-11190 jsc#SOC-11192 jsc#SOC-11223 jsc#SOC-11238 jsc#SOC-11243 jsc#SOC-11248 jsc#SOC-11274 jsc#SOC-11286 jsc#SOC-11294 jsc#SOC-11299 jsc#SOC-11306 jsc#SOC-6354 jsc#SOC-8746 jsc#SOC-9849
Cross-References:	CVE-2017-1000246 CVE-2019-1010083 CVE-2019-15043 CVE-2019-16785 CVE-2019-16786 CVE-2019-16789 CVE-2019-16792 CVE-2019-16865 CVE-2019-18874 CVE-2019-19911 CVE-2019-3828 CVE-2020-10663 CVE-2020-10743 CVE-2020-11076 CVE-2020-11077 CVE-2020-12052 CVE-2020-13254 CVE-2020-13379 CVE-2020-13596 CVE-2020-5312 CVE-2020-5313 CVE-2020-5390 CVE-2020-8151
CVSS scores:	CVE-2017-1000246 ( SUSE ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2017-1000246 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2019-1010083 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-1010083 ( SUSE ): 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2019-1010083 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-15043 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVE-2019-15043 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-16785 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-16785 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-16786 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-16786 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-16789 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N CVE-2019-16789 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N CVE-2019-16792 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-16792 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2019-16865 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-16865 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-18874 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-18874 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-19911 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-19911 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-3828 ( SUSE ): 4.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVE-2019-3828 ( NVD ): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVE-2019-3828 ( NVD ): 4.2 CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVE-2020-10663 ( SUSE ): 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2020-10663 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2020-10743 ( SUSE ): 3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVE-2020-10743 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2020-11076 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N CVE-2020-11076 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2020-11077 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N CVE-2020-11077 ( NVD ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N CVE-2020-12052 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVE-2020-12052 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2020-13254 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-13379 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-13379 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVE-2020-13596 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVE-2020-13596 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2020-5312 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-5312 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-5313 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-5313 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H CVE-2020-5390 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2020-5390 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2020-8151 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2020-8151 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:	HPE Helion OpenStack 8 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise Server 12 SP3 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud Crowbar 8

An update that solves 23 vulnerabilities, contains 29 features and has 12 security fixes can now be installed.

Description:

This update for ansible, ansible1, ardana-ansible, ardana-cluster, ardana-freezer, ardana-input-model, ardana-logging, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-dashboard, openstack-dashboard-theme-HPE, openstack-heat-templates, openstack-keystone, openstack-monasca-agent, openstack-monasca-installer, openstack-neutron, openstack-octavia-amphora-image, python-Django, python-Flask, python-GitPython, python-Pillow, python-amqp, python-apicapi, python-keystoneauth1, python-oslo.messaging, python-psutil, python-pyroute2, python-pysaml2, python-tooz, python-waitress, storm contains the following fixes:

The update fixes several security issues:

ansible - CVE-2019-3828: Fixed a path traversal in the fetch module (bsc#1126503).

grafana - CVE-2020-13379: Fixed an incorrect access control issue which could lead to information leaks or denial of service (bsc#1172409). - CVE-2020-12052: Fixed an cross site scripting vulnerability related to the annotation popup (bsc#1170657).

kibana - CVE-2020-10743: Fixed a clickjacking vulnerability (bsc#1171909).

python-Django - CVE-2020-13254: Fixed a data leakage via malformed memcached keys. (bsc#1172167) - CVE-2020-13596: Fixed a cross site scripting vulnerability related to the admin parameters of the ForeignKeyRawIdWidget. (bsc#1172166)

python-Flask - CVE-2019-1010083: Fixed a denial of service via crafted encoded JSON. (bsc#1141968)

python-Pillow - CVE-2019-16865: Fixed a denial of service with specially crafted image files. (bsc#1153191) - CVE-2020-5312: Fixed a buffer overflow in the PCX P mode. (bsc#1160152) - CVE-2020-5313: Fixed a buffer overflow related to FLI. (bsc#1160153) - CVE-2019-19911: Fixed a denial of service in FpxImagePlugin.py. (bsc#1160192)

python-psutil - CVE-2019-18874: Fixed a double free caused by refcount mishandling. (bsc#1156525)

python-pysaml2 - CVE-2020-5390: Fixed an issue with the verification of signatures in SAML documents. (bsc#1160851) - CVE-2017-1000246: Fixed an issue with weak encryption data, caused by initialization vector reuse. (bsc#1068612)

python-waitress (to version 1.4.3) - CVE-2019-16785: Fixed HTTP request smuggling through LF vs CRLF handling. (bsc#1161088) - CVE-2019-16786: Fixed HTTP request smuggling through invalid Transfer-Encoding. (bsc#1161089) - CVE-2019-16789: Fixed HTTP Request Smuggling through Invalid whitespace characters. (bsc#1160790) - CVE-2019-16792: Fixed HTTP Request Smuggling through Content-Length header handling. (bsc#1161670)

rubygem-activeresource - CVE-2020-8151: Fixed information disclosure issue via specially crafted requests. (bsc#1171560)

rubygem-json-1_7 - CVE-2020-10663: Fixed an unsafe object creation vulnerability. (bsc#1167244)

rubygem-puma - CVE-2020-11077: Fixed a HTTP smuggling issue related to proxy usage. (bsc#1172175) - CVE-2020-11076: Fixed a HTTP smuggling issue when using an invalid transfer-encoding header. (bsc#1172176)

Other non-security fixes in in the update below:

Changes in ansible: - Add 0001-Disallow-use-of-remote-home-directories-containing-..patch (bsc#1126503, CVE-2019-3828)

Changes in ansible1: - Add 0001-Disallow-use-of-remote-home-directories-containing-..patch (bsc#1126503, CVE-2019-3828)

Changes in ardana-ansible: - Update to version 8.0+git.1589740980.6c3bcdc: * Reconfigure rabbitmq user permissions on update (SOC-11082)

• Update to version 8.0+git.1588953487.9bfd5cb:

• Fix incorrect prefix used to collect supportconfig files (bsc#1171273)

• Update to version 8.0+git.1585690828.81d8f45:

• Cleanup keystone-ansible (bsc#1108719)

Changes in ardana-cluster: - Update to version 8.0+git.1585685203.3e71e49: * Use bool filter to ensure valid boolean evaluation (SOC-11192)

Changes in ardana-freezer: - Update to version 8.0+git.1586539529.b7d295f: * Recovering Cloud8 using Freezer or SSH backups if upgrade fails (SOC-10137)

Changes in ardana-input-model: - Update to version 8.0+git.1589740934.0e0ad61: * Add default rabbitmq exchange write permissions (SOC-11082)

• Update to version 8.0+git.1586174594.2b92ec3:
• add port neutron security extension to CI models (SOC-11027)

Changes in ardana-logging: - Update to version 8.0+git.1591194866.b7375d0: * kibana: set x-frame-options header (bsc#1171909)

• Update to version 8.0+git.1586179244.ae61f62:
• Fix YAMLLoadWarning: calling yaml.load() without Loader (bsc#1168593)

Changes in ardana-mq: - Update to version 8.0+git.1589715269.62ad6df: * Don't mirror reply queues (SOC-10317)

• Update to version 8.0+git.1586784724.586343d:
• Actually fail if sync HA queues retries exceeded (SOC-11083)

Changes in ardana-neutron: - Update to version 8.0+git.1590756744.ba84abc: * Update L3 rootwrap filters (SOC-11306)

• Update to version 8.0+git.1587737509.4e09de3:

• Add network.target "After" option (bsc#1169770)

• Update to version 8.0+git.1586546152.e7bc07f:

• Add neutron-common role dependencies (SOC-10875)

• Update to version 8.0+git.1586543712.62bb5a3:

• Fix neutron-ovsvapp-agent status (SOC-10637)

• Update to version 8.0+git.1586535447.55769df:

• Improve neutron service restart limit handling (SOC-8746)

• Update to version 8.0+git.1586519528.a28db53:

• Correctly setup ardana_notify_... fact (SOC-10902)

Changes in ardana-octavia: - Update to version 8.0+git.1590100427.cf4cc8f: * fix octavia to glance communication over internal endpoint (SOC-11294)

Changes in ardana-osconfig: - Update to version 8.0+git.1587034587.eac37b8: * Include SLE 12 SP3 LTSS repos in list of managed repos (SOC-11223)

Changes in caasp-openstack-heat-templates: - Switch github URL from git@ to git:// to bypass authentication

Changes in crowbar-core: - Update to version 5.0+git.1593156248.55bbdb26d: * Ignore CVE-8184 (SOC-11299) * Ignore latest ruby-related CVEs in the CI (SOC-11299)

• Update to version 5.0+git.1589804984.44a89be24:
• provisioner: Fix ssh key validation (SOC-11126)
• assign host to hostless keys (noref)

Changes in crowbar-openstack: - Update to version 5.0+git.1593085772.64c4ab43c: * monasca: Prevent deploying monasca-server to the node in pacemaker cluster (SOC-6354)

• Update to version 5.0+git.1591171674.1f299cd1c:

• Restore undeprecated nova dhcp_domain option (bsc#1171594)

• Update to version 5.0+git.1591104265.683d76534:

• [5.0] Fix availability zone script (bsc#1171661)

• Update to version 5.0+git.1590398068.f5cfacc12:

• nova: only create nonexistent cell1

• Update to version 5.0+git.1590150829.e86326d03:

• [5.0] Tempest: enable test_volume_boot_pattern test (SOC-10874)

• Update to version 5.0+git.1589814633.23fde86ab:

• rabbitmq: sync startup definitions.json with recipe (SOC-11077,SOC-11274)

• Update to version 5.0+git.1589647291.73c7f1cb6:

• [5.0] trove: fix rabbitmq connection URL (SOC-11286)

• Update to version 5.0+git.1589214669.8332efff3:

• Fix monasca libvirt ping checks (bsc#1107190)

• Update to version 5.0+git.1588271874.90adebc7a:

• run keystone_register on cluster founder only when HA (SOC-11248)

• nova: run keystone_register on cluster founder only (SOC-11243)

• Update to version 5.0+git.1588059034.3823515b7:

• tempest: retry openstack commands (SOC-11238)

• Update to version 5.0+git.1587403360.c43cd9905:

• tempest: disable block migration when using RBD (SOC-11176)

• Update to version 5.0+git.1586293860.901cb0f55:

• monasca: disable postgres backend monitoring by default (SOC-11190)

• Update to version 5.0+git.1585659861.c29fac257:

• magnum: Populate SSL configuration (SOC-9849)
• magnum: Add SSL support (SOC-9849)
• nova: Populate cinder SES settings early (SOC-11179)

Changes in documentation-suse-openstack-cloud: - Update to version 8.20200527: * Update Travis config: new container name (noref)

• Update to version 8.20200417:

• Recovering Cloud8 using Freezer or SSH backups if upgrade fails (SOC-10137)

• Update to version 8.20200326:

• Clarify wipe_disks does not affect non-OS partitions (bsc#1092420)

Changes in grafana: - Add CVE-2020-13379.patch * Security: fix unauthorized avatar proxying (bsc#1172409, CVE-2020-13379) - Refresh systemd-notification.patch - Fix declaration for LICENSE

• Add 0002-CVE-2020-12052-bsc1170657-XSS-annotation-popup-vulnerability.patch

• Security: Fix annotation popup XSS vulnerability (bsc#1170657)

• Add CVE-2019-15043.patch (SOC-10357, CVE-2019-15043, bsc#11483483) Changes in kibana:

• Add 0001-Configurable-custom-response-headers-for-server.patch (bsc#1171909, CVE-2020-10743)

Changes in openstack-dashboard: - Update to version horizon-12.0.5.dev3: * Fix typo in publicize_image policy name

Changes in openstack-dashboard-theme-HPE: - Switch github URL from git@ to https:// to bypass authentication

Changes in openstack-heat-templates: - Update to version 0.0.0+git.1582270132.8a20477: * Drop use of git.openstack.org * Add sample templates for Blazar

Changes in openstack-keystone: - Update to version keystone-12.0.4.dev11: * Fix security issues with EC2 credentials

• Update to version keystone-12.0.4.dev10:
• Check timestamp of signed EC2 token request

• Ensure OAuth1 authorized roles are respected

• Update to version keystone-12.0.4.dev6:

• Remove neutron-grenade job

Changes in openstack-keystone: - Update to version keystone-12.0.4.dev11: * Fix security issues with EC2 credentials

• Update to version keystone-12.0.4.dev10:
• Check timestamp of signed EC2 token request

• Ensure OAuth1 authorized roles are respected

• Update to version keystone-12.0.4.dev6:

• Remove neutron-grenade job

Changes in openstack-monasca-agent: - update to version 2.2.6~dev4 - Add debug output for libvirt ping checks

• Lockdown /bin/ip permissions for the monasca-agent (bsc#1107190)

• add addtional arguments to /bin/ip in sudoers

• Fix missing sudo privleges (bsc#1107190)

• add /bin/ip and /usr/bin/ovs-vsctl to monasca-agent sudoers

• removed 0001-Avoid-overwriting-sys.path-ip-command.patch

• update to version 2.2.6~dev3

• Do not copy /sbin/ip to /usr/bin/monasa-agent-ip

• update to version 2.2.6~dev2

• Remove incorrect assignment of ping_cmd to 'True'

• update to version 2.2.6~dev1

• Update hacking version to 1.1.x

Changes in openstack-monasca-installer: - Add 0001-kibana:-set-x-frame-options-header.patch (bsc#1171909, CVE-2020-10743)

Changes in openstack-neutron: - Update to version neutron-11.0.9.dev65: * Revert iptables TCP checksum-fill code

• Update to version neutron-11.0.9.dev64:
• [Pike-only]: make grenade jobs non-voting

Changes in openstack-neutron: - Update to version neutron-11.0.9.dev65: * Revert iptables TCP checksum-fill code

• Update to version neutron-11.0.9.dev64:
• [Pike-only]: make grenade jobs non-voting

Changes in openstack-octavia-amphora-image: - Update image to 0.1.4 to include latest changes

Changes in python-Django: - Security fixes (bsc#1172167, bsc#1172166, CVE-2020-13254, CVE-2020-13596) * Added patch CVE-2020-13254-1.8.19.patch * Added patch CVE-2020-13596-1.8.19.patch

Changes in python-Flask: - Apply patch to resolve CVE-2019-1010083 (bsc#1141968) - 0001-detect-UTF-encodings-when-loading-json.patch

Changes in python-GitPython: - Require git-core instead of git

Changes in python-Pillow: - Remove decompression_bomb.gif and relevant test case to avoid ClamAV scan alerts during build

• Add 001-Corrected-negative-seeks.patch
• From upstream, backported
• Fixes part of CVE-2019-16865, bsc#1153191
• Add 002-Added-DecompressionBombError.patch
• From upstream, backported
• Adds DecompressionBombError class
• Used by 003-Added-decompression-bomb-checks.patch
• Add 003-Added-decompression-bomb-checks.patch
• From upstream, backported
• Fixes part of CVE-2019-16865, bsc#1153191
• Add 004-Raise-error-if-dimension-is-a-string.patch
• From upstream, backported
• Fixes part of CVE-2019-16865, bsc#1153191
• Add 005-Catch-buffer-overruns.patch
• From upstream, backported
• Fixes part of CVE-2019-16865, bsc#1153191
• Add 006-Catch-PCX-P-mode-buffer-overrun.patch
• From upstream, backported
• Fixes CVE-2020-5312, bsc#1160152
• Add 007-Test-animated-FLI-file.patch
• From upstream, backported