Security update for crowbar-openstack, grafana, influxdb, python-urllib3
Announcement ID: SUSE-SU-2020:3624-1
Rating: moderate
Cross-References: CVE-2016-8611, CVE-2019-9740, CVE-2019-20933, CVE-2020-24303, CVE-2020-26137
Affected Products: SUSE OpenStack Cloud 7
An update that solves five vulnerabilities and contains one feature can now be installed.
Description:
This update for crowbar-openstack, grafana, influxdb, python-urllib3 contains the following fixes:
Security fixes included in this update:
openstack-glance - CVE-2016-8611: Added rate limiting for the glance API (bnc#1005886)
grafana - CVE-2020-24303: Fixed an XSS via a query alias for the ElasticSearch datasource (bnc#1178243)
influxdb - CVE-2019-20933: Fixed an authentication bypass (bnc#1178988)
python-urllib3 - CVE-2019-9740: Fixed a CRLF injection in urllib3 (bnc#1129071)
python-urllib3 - CVE-2020-26137: Fixed a CRLF injection via the HTTP request method (bnc#1177120)
memcached - CVE-2018-1000115: Fixed an issue where the UDP server allowed spoofed traffic amplification DoS (bnc#1083903)
Non-security fixes included in this update:
Changes in crowbar-openstack:
- Update to version 4.0+git.1604938545.30c10db18:
  * rabbitmq: Fix crm running check (SOC-11240)
Changes in grafana:
- Fix bnc#1178243 CVE-2020-24303 by adding 25401-Fix-XSS-vulnerability-with-series-overrides.patch
Changes in influxdb:
- Add CVE-2019-20933.patch (bnc#1178988, CVE-2019-20933) to fix authentication bypass
- Declare license files correctly
- Version 1.2.4:
  - The stress tool influx_stress will be removed in a subsequent release.
  - Remove the override of GOMAXPROCS.
  - Uncomment section headers from the default configuration file.
  - Improve write performance significantly.
  - Prune data in meta store for deleted shards.
  - Update latest dependencies with Godeps.
  - Introduce syntax for marking a partial response with chunking.
  - Use X-Forwarded-For IP address in HTTP logger if present.
  - Add support for secure transmission via collectd.
  - Switch logging to use structured logging everywhere.
  - [CLI feature request] USE retention policy for queries.
  - Add clear command to cli.
  - Add the ability to use parameters in queries in the v2 client using the Parameters map in the Query struct.
  - Allow adding items to array config via ENV.
  - Support subquery execution in the query language.
  - Verbose output for SSL connection errors.
- Cache snapshotting performance improvements
- Partially revert previous change to fix build for Leap
Changes in python-urllib3:
- Update urllib3-fix-test-urls.patch. Adjust to match upstream solution.
- Add urllib3-fix-test-urls.patch. Fix tests failing on python checks for CVE-2019-9740.
- Add urllib3-cve-2020-26137.patch. Don't allow control chars in request method. (bnc#1177120, CVE-2020-26137)
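The two urllib3 fixes above address the same class of bug: an HTTP request line built by string concatenation, where a CR/LF in the method (CVE-2020-26137) or in the request target (CVE-2019-9740) terminates the line early and lets the caller's untrusted input append headers or a second request. The following is an added example written for this page, not urllib3's or SUSE's code. It shows the naive construction beside a hardened one that rejects control characters the way the patch describes; the token and control-character regexes are my own approximation of the RFC 7230 grammar, not copied from the library, and the attacker inputs are constructed.

```python
import re
from typing import Dict, Tuple

# Added example, not urllib3 code. Demonstrates CRLF injection through the
# HTTP method (CVE-2020-26137) and the request target (CVE-2019-9740), and a
# validation step that refuses control characters in both fields.

# RFC 7230 section 3.2.6 "tchar": the only characters allowed in a method
# (my own regex, assumed equivalent to the RFC token grammar).
_TOKEN_RE = re.compile(r"[-!#$%&'*+.^_`|~0-9A-Za-z]+")
# Anything at or below 0x20 (NUL, TAB, CR, LF, space, ...) or DEL may not
# appear unencoded in a request target.
_CTRL_RE = re.compile(r"[\x00-\x20\x7f]")


def build_request_line_unsafe(method: str, target: str) -> bytes:
    """The 'before': no validation, so a CRLF in either field ends the request line."""
    return f"{method} {target} HTTP/1.1\r\n".encode("latin-1")


def validate_method(method: str) -> str:
    if not _TOKEN_RE.fullmatch(method):
        raise ValueError(f"invalid HTTP method {method!r}")
    return method


def validate_target(target: str) -> str:
    if _CTRL_RE.search(target):
        raise ValueError(f"control characters in request target {target!r}")
    return target


def build_request_line_safe(method: str, target: str) -> bytes:
    """The 'after': the same concatenation, but only over validated fields."""
    return f"{validate_method(method)} {validate_target(target)} HTTP/1.1\r\n".encode("ascii")


def parse_request_head(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes]]:
    """Split a request head the way a lenient server does: the first CRLF ends
    the request line and every following 'Name: value' line is a header.
    Lines without a colon are dropped, which is where the tail of the
    original (now displaced) request line ends up."""
    lines = raw.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


if __name__ == "__main__":
    # Constructed attacker input: a "method" that smuggles a complete request
    # line and an extra header ahead of the real method.
    evil_method = "GET /victim HTTP/1.1\r\nX-Injected: yes\r\nPOST"
    head, hdrs = parse_request_head(build_request_line_unsafe(evil_method, "/"))
    print(head, hdrs)  # b'GET /victim HTTP/1.1' {b'x-injected': b'yes'}

    # Same effect through the request target, e.g. an unescaped query string.
    evil_target = "/?q=x\r\nX-Injected: 1\r\n"
    head, hdrs = parse_request_head(build_request_line_unsafe("GET", evil_target))
    print(head, hdrs)  # b'GET /?q=x' {b'x-injected': b'1'}

    # The hardened builder refuses both; percent-encoded CRLF is still allowed.
    for m, t in ((evil_method, "/"), ("GET", evil_target)):
        try:
            build_request_line_safe(m, t)
        except ValueError as exc:
            print("rejected:", exc)
    print(build_request_line_safe("GET", "/?q=x%0d%0a"))  # b'GET /?q=x%0d%0a HTTP/1.1\r\n'
```

The check is deliberately placed where the bytes are assembled rather than in each caller: any code path that takes a method or URL from user input (a proxy, a webhook forwarder, an API client that lets the caller pick the verb) benefits, and the rejection happens before a single byte leaves the process.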
Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3624=1
Package List:
- SUSE OpenStack Cloud 7 (noarch):
  - python-urllib3-1.16-3.12.1
  - crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1
- SUSE OpenStack Cloud 7 (x86_64):
  - influxdb-debuginfo-1.2.4-5.1
  - influxdb-1.2.4-5.1
  - grafana-6.7.4-1.20.1
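After patching (or when auditing a fleet where zypper may not have run), the practical question is whether every package in the list above is installed at or above the fixed version-release. The script below is an added example for this page, not SUSE tooling: it takes `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' ...` style output, compares it against the advisory's package list, and reports anything missing or too old. The sample `rpm` output embedded in it is constructed so the script runs offline; the version comparison is a simplified segment-wise ordering written here and does not implement RPM's full epoch and tilde rules.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory or its tooling.
# Compares installed package versions against the fixed versions in
# SUSE-SU-2020:3624-1 for SUSE OpenStack Cloud 7.

# "name version-release" pairs copied from the advisory's Package List.
FIXED='python-urllib3 1.16-3.12.1
crowbar-openstack 4.0+git.1604938545.30c10db18-9.77.1
influxdb 1.2.4-5.1
grafana 6.7.4-1.20.1'

# Constructed sample of what
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' python-urllib3 crowbar-openstack influxdb grafana
# prints on a node that has not yet received the update (two packages old).
SAMPLE_RPM='python-urllib3 1.16-3.9.1
crowbar-openstack 4.0+git.1604938545.30c10db18-9.77.1
influxdb 1.2.4-3.1
grafana 6.7.4-1.20.1'

# version_ge A B: succeed if A is at or above B. Both strings are split on
# non-alphanumerics and compared segment by segment, numerically when both
# segments are digits and lexically otherwise; a missing segment sorts lowest.
# This is a simplification of rpmvercmp (no epoch, no "~" handling).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[^0-9A-Za-z]+/); nb = split(b, B, /[^0-9A-Za-z]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = A[i]; y = B[i]
            if (x == y) continue
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) {
                if (x + 0 != y + 0) exit (x + 0 > y + 0) ? 0 : 1
            } else {
                exit (x "" > y "") ? 0 : 1
            }
        }
        exit 0
    }'
}

# check_installed "<rpm output>": one status line per advisory package.
check_installed() {
    rpm_out=$1
    printf '%s\n' "$FIXED" | while read -r name fixed; do
        installed=$(printf '%s\n' "$rpm_out" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -z "$installed" ]; then
            echo "$name: not installed"
        elif version_ge "$installed" "$fixed"; then
            echo "$name: $installed OK"
        else
            echo "$name: $installed VULNERABLE (need $fixed)"
        fi
    done
}

# vulnerable_count "<rpm output>": number of packages missing or below the fix.
vulnerable_count() {
    check_installed "$1" | grep -c -e 'VULNERABLE' -e 'not installed' || true
}

# Stand-alone run against the constructed sample.
check_installed "$SAMPLE_RPM"
echo "packages still vulnerable: $(vulnerable_count "$SAMPLE_RPM")"
```

On a real node, replace `SAMPLE_RPM` with the actual `rpm -q` output (or pipe it in) and treat any non-zero `vulnerable_count` as "update not fully applied". Note that the list only covers the packages this advisory ships; the memcached and openstack-glance fixes mentioned in the description are delivered through crowbar-openstack's configuration, so they are verified by that package's version.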
References:
- https://www.suse.com/security/cve/CVE-2016-8611.html
- https://www.suse.com/security/cve/CVE-2019-20933.html
- https://www.suse.com/security/cve/CVE-2019-9740.html
- https://www.suse.com/security/cve/CVE-2020-24303.html
- https://www.suse.com/security/cve/CVE-2020-26137.html
- https://bugzilla.suse.com/show_bug.cgi?id=1005886
- https://bugzilla.suse.com/show_bug.cgi?id=1170479
- https://bugzilla.suse.com/show_bug.cgi?id=1177120
- https://bugzilla.suse.com/show_bug.cgi?id=1178243
- https://bugzilla.suse.com/show_bug.cgi?id=1178988
- https://jira.suse.com/browse/SOC-11240