Security update for crowbar-openstack, grafana, influxdb, python-urllib3

Announcement ID: SUSE-SU-2020:3624-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2016-8611 ( NVD ): 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVE-2019-20933 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2019-20933 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-9740 ( SUSE ): 5.4 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
  • CVE-2019-9740 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2019-9740 ( NVD ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2020-24303 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • CVE-2020-24303 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2020-26137 ( SUSE ): 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
  • CVE-2020-26137 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Products:
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE OpenStack Cloud 7

An update that solves five vulnerabilities and contains one feature can now be installed.

Description:

This update for crowbar-openstack, grafana, influxdb, python-urllib3 contains the following fixes:

Security fixes included in this update:

openstack-glance - CVE-2016-8611: Added rate limiting for glance api (bnc#1005886)

grafana - CVE-2020-24303: Fixed an XSS via a query alias for the Elasticsearch datasource (bnc#1178243)

influxdb - CVE-2019-20933: Fixed an authentication bypass (bnc#1178988)

python-urllib3 - CVE-2019-9740: Fixed a CRLF injection via the URL in urllib3 (bnc#1129071)

python-urllib3 - CVE-2020-26137: Fixed a CRLF injection via the HTTP request method (bnc#1177120)

memcached - CVE-2018-1000115: Fixed an issue where the UDP server allowed spoofed-traffic amplification DoS (bnc#1083903).

Non-security fixes included in this update:

Changes in crowbar-openstack:
  • Update to version 4.0+git.1604938545.30c10db18:
    • rabbitmq: Fix crm running check (SOC-11240)

Changes in grafana:
  • Fix bnc#1178243 CVE-2020-24303 by adding 25401-Fix-XSS-vulnerability-with-series-overrides.patch

Changes in influxdb:
  • Add CVE-2019-20933.patch (bnc#1178988, CVE-2019-20933) to fix the authentication bypass.
  • Declare license files correctly.
  • Update to version 1.2.4:
    • The stress tool influx_stress will be removed in a subsequent release.
    • Remove the override of GOMAXPROCS.
    • Uncomment section headers from the default configuration file.
    • Improve write performance significantly.
    • Prune data in meta store for deleted shards.
    • Update latest dependencies with Godeps.
    • Introduce syntax for marking a partial response with chunking.
    • Use X-Forwarded-For IP address in HTTP logger if present.
    • Add support for secure transmission via collectd.
    • Switch logging to use structured logging everywhere.
    • [CLI feature request] USE retention policy for queries.
    • Add clear command to cli.
    • Add the ability to use parameters in queries in the v2 client using the Parameters map in the Query struct.
    • Allow adding items to array config via ENV.
    • Support subquery execution in the query language.
    • Verbose output for SSL connection errors.
    • Cache snapshotting performance improvements.
  • Partially revert previous change to fix build for Leap

Changes in python-urllib3:
  • Update urllib3-fix-test-urls.patch. Adjust to match upstream solution.
  • Add urllib3-fix-test-urls.patch. Fix tests failing on python checks for CVE-2019-9740.
  • Add urllib3-cve-2020-26137.patch. Don't allow control chars in request method. (bnc#1177120, CVE-2020-26137)
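The two python-urllib3 fixes above (CVE-2019-9740, control characters in the URL; CVE-2020-26137, control characters in the request method) are the same bug class: a CR/LF that reaches the request line lets the caller terminate it early and append headers the application never intended to send. The following is an added example, not urllib3's or SUSE's code. It serializes a request the way a naive client would, uses a minimal stand-in parser to show what the server actually sees, and then applies the same remedy the advisory describes for the method (reject control characters rather than trying to sanitize them). The regexes, function names and attacker inputs are constructed for illustration.

```python
"""CRLF injection in HTTP request construction (the bug class behind the
python-urllib3 fixes for CVE-2019-9740 and CVE-2020-26137).

Added example, not urllib3's or SUSE's code. The serializer, the stand-in
server parser and the attacker-controlled values below are constructed for
illustration only.
"""
import re

# RFC 7230 "token": the only characters a request method may contain.
_TOKEN_RE = re.compile(r"^[-!#$%&'*+.^_`|~0-9A-Za-z]+$")
# ASCII control characters (0x00-0x1F and 0x7F) are never valid in a request target.
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")


def build_request_naive(method, target, headers):
    """Serialize a request with no validation: the vulnerable behaviour."""
    lines = ["%s %s HTTP/1.1" % (method, target)]
    lines += ["%s: %s" % (k, v) for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_request(raw):
    """Minimal stand-in for the receiving server: returns (method, target,
    headers) the way a line-oriented HTTP parser would see them."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, target, headers


def headers_seen_by_server(method, target, headers):
    """Headers the server parses out of a naively built request. Any name
    here that the caller did not pass in was injected through CR/LF."""
    return parse_request(build_request_naive(method, target, headers))[2]


def validate_method(method):
    """Reject (do not sanitize) a method that is not an RFC 7230 token."""
    if not _TOKEN_RE.match(method):
        raise ValueError("invalid HTTP method: %r" % (method,))
    return method


def validate_target(target):
    """Reject a request target containing any ASCII control character."""
    if _CTRL_RE.search(target):
        raise ValueError("control character in request target: %r" % (target,))
    return target


def build_request_safe(method, target, headers):
    """Hardened serializer: validate before anything reaches the wire."""
    return build_request_naive(validate_method(method), validate_target(target), headers)


def is_rejected(method, target):
    """True if the hardened serializer refuses this method/target pair."""
    try:
        build_request_safe(method, target, {"Host": "example.invalid"})
    except ValueError:
        return True
    return False


# Constructed attacker-controlled values. Each one closes the request line
# early and appends a header the application never meant to send; the
# trailing "X-Pad:" absorbs the rest of the original request line.
EVIL_TARGET = "/ HTTP/1.1\r\nX-Injected: via-url\r\nX-Pad:"
EVIL_METHOD = "GET / HTTP/1.1\r\nX-Injected: via-method\r\nX-Pad:"
HEADERS = {"Host": "example.invalid"}

if __name__ == "__main__":
    for label, m, t in (("url", "GET", EVIL_TARGET), ("method", EVIL_METHOD, "/")):
        seen = headers_seen_by_server(m, t, HEADERS)
        print("naive client, %s injection: server saw X-Injected=%r" % (label, seen.get("X-Injected")))
        print("hardened client rejects it: %s" % is_rejected(m, t))
```

The point of `validate_method` and `validate_target` is that they raise instead of stripping the offending bytes: a client library that silently removes CR/LF still sends a request the application did not construct, whereas raising surfaces the tainted input to the caller. Any code that builds HTTP requests from user-supplied method names or URLs (proxies, webhook dispatchers, API gateways) needs the same check on its own input even after upgrading urllib3.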

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE OpenStack Cloud 7
    zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3624=1

Package List:

  • SUSE OpenStack Cloud 7 (noarch)
    • python-urllib3-1.16-3.12.1
    • crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1
  • SUSE OpenStack Cloud 7 (x86_64)
    • influxdb-debuginfo-1.2.4-5.1
    • influxdb-1.2.4-5.1
    • grafana-6.7.4-1.20.1
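After applying the patch it is worth confirming that every package in the list above is actually installed at (or above) the advisory's version, since a node that lacks one of the packages or has a held-back version is still exposed. The following is an added example, not a SUSE tool: it takes the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` and compares it against the package list using a simplified rpmvercmp (alternating numeric/alphabetic segments; the `~` and `^` special cases of the real algorithm are not implemented). The sample `rpm -qa` output embedded below is constructed so the script runs offline; pass `--live` to query the local rpm database instead.

```python
"""Verify that the packages from SUSE-SU-2020:3624-1 are installed at or above
the advertised versions. Added example, not a SUSE tool; the version
comparison is a simplified rpmvercmp and the sample rpm output is constructed."""
import re

# Package list from the advisory (SUSE OpenStack Cloud 7).
REQUIRED = {
    "python-urllib3": "1.16-3.12.1",
    "crowbar-openstack": "4.0+git.1604938545.30c10db18-9.77.1",
    "influxdb": "1.2.4-5.1",
    "grafana": "6.7.4-1.20.1",
}


def _segments(version):
    """Split a VERSION-RELEASE string into numeric and alphabetic runs."""
    return re.findall(r"\d+|[A-Za-z]+", version)


def vercmp(a, b):
    """Simplified rpmvercmp: compare segment by segment, numeric segments as
    integers, numeric sorts above alphabetic, longer wins on a tie.
    Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_rpm_qa(text):
    """Parse lines of the form 'NAME VERSION-RELEASE' into a dict."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version = line.split(None, 1)
        installed[name] = version
    return installed


def missing_updates(installed, required=REQUIRED):
    """Return {pkg: (installed_or_None, required)} for every package that is
    absent or older than the advisory's version."""
    out = {}
    for pkg, want in required.items():
        have = installed.get(pkg)
        if have is None or vercmp(have, want) < 0:
            out[pkg] = (have, want)
    return out


# Constructed sample: influxdb is one release behind, grafana is not installed.
SAMPLE_RPM_QA = """\
python-urllib3 1.16-3.12.1
crowbar-openstack 4.0+git.1604938545.30c10db18-9.77.1
influxdb 1.2.4-4.1
"""

if __name__ == "__main__":
    import subprocess
    import sys
    if "--live" in sys.argv:
        text = subprocess.run(
            ["rpm", "-qa", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\\n"],
            check=True, capture_output=True, text=True).stdout
    else:
        text = SAMPLE_RPM_QA
    gaps = missing_updates(parse_rpm_qa(text))
    for pkg, (have, want) in sorted(gaps.items()):
        print("%s: installed %s, advisory requires %s" % (pkg, have or "(not installed)", want))
    sys.exit(1 if gaps else 0)
```

A package reported as not installed is not necessarily a problem (a Crowbar node that never runs grafana has nothing to patch), so read the output per role rather than treating every line as a failure; an installed-but-older entry, on the other hand, means the patch did not land on that host.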
