Security update for ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installe

Announcement ID: SUSE-SU-2021:2554-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2017-11481 ( SUSE ): 5.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • CVE-2017-11481 ( NVD ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2017-11499 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-11499 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-5929 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-5929 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-25025 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2019-25025 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2020-17516 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2020-17516 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2020-26247 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2020-26247 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2020-29651 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2020-29651 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-21238 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • CVE-2021-21238 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • CVE-2021-21239 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • CVE-2021-21239 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • CVE-2021-21419 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-21419 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2021-23336 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
  • CVE-2021-23336 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
  • CVE-2021-27358 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-27358 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2021-28658 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2021-28658 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2021-31542 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • CVE-2021-31542 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2021-33203 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
  • CVE-2021-33571 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2021-33571 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:
  • HPE Helion OpenStack 8
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE OpenStack Cloud 8
  • SUSE OpenStack Cloud Crowbar 8

An update that solves 16 vulnerabilities, contains 10 features and has eight security fixes can now be installed.

Description:

This update for ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema fixes the following issues:

Security fixes included on this update:

cassandra-kit: - CVE-2020-17516: Internode encryption enforcement vulnerability

cassandra: - CVE-2020-17516: Internode encryption enforcement vulnerability - CVE-2017-5929 logback: Fixed a serialization vulnerability in SocketServer and ServerSocketReceiver

crowbar-core: CVE-2020-26247: Potentially XXE or SSRF attacks by parsed Nokogiri::XML::Schema

grafana: - CVE-2021-27358: Unauthenticated remote attackers to trigger a Denial of Service via a remote API call

kibana: - CVE-2017-11481: Fixed an XSS via URL fields - CVE-2017-11499: Fixed a constant hashtable seeds vulnerability

python-Django: - CVE-2021-28658: Potential directory-traversal via uploaded files - CVE-2021-31542: Potential directory-traversal via uploaded files - CVE-2021-33203: Potential directory traversal via admindocs - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses - CVE-2021-23336: Fixed web cache poisoning via django.utils.http.limited_parse_qsl

python-eventlet: - CVE-2021-21419: Improper handling of highly compressed data and memory allocation with excessive size value

python-pysaml2: - CVE-2021-21238: Fixed an improper verification of cryptographic signatures for signed SAML documents - CVE-2021-21239: Fixed an improper verification of cryptographic signatures when using CryptoBackendXmlSec1()_

python-py: - CVE-2020-29651: Regular expression denial of service in svnwc.py

rubygem-activerecord-session_store: - CVE-2019-25025: Fixed a hijack sessions by using timing attacks targeting the session id CVE-2019-16782

Non-security fixes included on this update:

Changes in ardana-cobbler: - Update to version 8.0+git.1614096566.e8c2b27: * Change install_recommended to true (bsc#1181828)

Changes in cassandra: - update to 3.11.10 (bsc#1181689, CVE-2020-17516) * Fix digest computation for queries with fetched but non queried columns (CASSANDRA-15962) * Reduce amount of allocations during batch statement execution (CASSANDRA-16201) * Update jflex-1.6.0.jar to match upstream (CASSANDRA-16393) * Fix DecimalDeserializer#toString OOM (CASSANDRA-14925) * Rate limit validation compactions using compaction_throughput_mb_per_sec (CASSANDRA-16161) * SASI's max_compaction_flush_memory_in_mb settings over 100GB revert to default of 1GB (CASSANDRA-16071) * Prevent unbounded number of pending flushing tasks (CASSANDRA-16261) * Improve empty hint file handling during startup (CASSANDRA-16162) * Allow empty string in collections with COPY FROM in cqlsh (CASSANDRA-16372) * Fix skipping on pre-3.0 created compact storage sstables due to missing primary key liveness (CASSANDRA-16226) * Extend the exclusion of replica filtering protection to other indices instead of just SASI (CASSANDRA-16311) * Synchronize transaction logs for JBOD (CASSANDRA-16225) * Fix the counting of cells per partition (CASSANDRA-16259) * Fix serial read/non-applying CAS linearizability (CASSANDRA-12126) * Avoid potential NPE in JVMStabilityInspector (CASSANDRA-16294) * Improved check of num_tokens against the length of initial_token (CASSANDRA-14477) * Fix a race condition on ColumnFamilyStore and TableMetrics (CASSANDRA-16228) * Remove the SEPExecutor blocking behavior (CASSANDRA-16186) * Fix invalid cell value skipping when reading from disk (CASSANDRA-16223) * Prevent invoking enable/disable gossip when not in NORMAL (CASSANDRA-16146) * Wait for schema agreement when bootstrapping (CASSANDRA-15158) * Fix the histogram merge of the table metrics (CASSANDRA-16259) * Synchronize Keyspace instance store/clear (CASSANDRA-16210) * Fix ColumnFilter to avoid querying cells of unselected complex columns (CASSANDRA-15977) * Fix memory leak in CompressedChunkReader (CASSANDRA-15880) * Don't attempt value skipping with mixed version cluster (CASSANDRA-15833) * Avoid failing compactions with very large partitions (CASSANDRA-15164) * Make sure LCS handles duplicate sstable added/removed notifications correctly (CASSANDRA-14103) * Fix OOM when terminating repair session (CASSANDRA-15902) * Avoid marking shutting down nodes as up after receiving gossip shutdown message (CASSANDRA-16094) * Check SSTables for latest version before dropping compact storage (CASSANDRA-16063) * Handle unexpected columns due to schema races (CASSANDRA-15899) * Add flag to ignore unreplicated keyspaces during repair (CASSANDRA-15160) * Package tools/bin scripts as executable (CASSANDRA-16151) * Fixed a NullPointerException when calling nodetool enablethrift (CASSANDRA-16127) * Correctly interpret SASI's max_compaction_flush_memory_in_mb setting in megabytes not bytes (CASSANDRA-16071) * Fix short read protection for GROUP BY queries (CASSANDRA-15459) * Frozen RawTuple is not annotated with frozen in the toString method (CASSANDRA-15857) Merged from 3.0: * Use IF NOT EXISTS for index and UDT create statements in snapshot schema files (CASSANDRA-13935) * Fix gossip shutdown order (CASSANDRA-15816) * Remove broken 'defrag-on-read' optimization (CASSANDRA-15432) * Check for endpoint collision with hibernating nodes (CASSANDRA-14599) * Operational improvements and hardening for replica filtering protection (CASSANDRA-15907) * stop_paranoid disk failure policy is ignored on CorruptSSTableException after node is up (CASSANDRA-15191) * Forbid altering UDTs used in partition keys (CASSANDRA-15933) * Fix empty/null json string representation (CASSANDRA-15896) * 3.x fails to start if commit log has range tombstones from a column which is also deleted (CASSANDRA-15970) * Handle difference in timestamp precision between java8 and java11 in LogFIle.java (CASSANDRA-16050) Merged from 2.2: * Fix CQL parsing of collections when the column type is reversed (CASSANDRA-15814) * Only allow strings to be passed to JMX authentication (CASSANDRA-16077) * Fix cqlsh output when fetching all rows in batch mode (CASSANDRA-15905) * Upgrade Jackson to 2.9.10 (CASSANDRA-15867) * Fix CQL formatting of read command restrictions for slow query log (CASSANDRA-15503) * Allow sstableloader to use SSL on the native port (CASSANDRA-14904) * Backport CASSANDRA-12189: escape string literals (CASSANDRA-15948) * Avoid hinted handoff per-host throttle being arounded to 0 in large cluster (CASSANDRA-15859) * Avoid emitting empty range tombstones from RangeTombstoneList (CASSANDRA-15924) * Avoid thread starvation, and improve compare-and-swap performance, in the slab allocators (CASSANDRA-15922) * Add token to tombstone warning and error messages (CASSANDRA-15890) * Fixed range read concurrency factor computation and capped as 10 times tpc cores (CASSANDRA-15752) * Catch exception on bootstrap resume and init native transport (CASSANDRA-15863) * Fix replica-side filtering returning stale data with CL > ONE (CASSANDRA-8272, CASSANDRA-8273) * Fix duplicated row on 2.x upgrades when multi-rows range tombstones interact with collection ones (CASSANDRA-15805) * Rely on snapshotted session infos on StreamResultFuture.maybeComplete to avoid race conditions (CASSANDRA-15667) * EmptyType doesn't override writeValue so could attempt to write bytes when expected not to (CASSANDRA-15790) * Fix index queries on partition key columns when some partitions contains only static data (CASSANDRA-13666) * Avoid creating duplicate rows during major upgrades (CASSANDRA-15789) * liveDiskSpaceUsed and totalDiskSpaceUsed get corrupted if IndexSummaryRedistribution gets interrupted (CASSANDRA-15674) * Fix Debian init start/stop (CASSANDRA-15770) * Fix infinite loop on index query paging in tables with clustering (CASSANDRA-14242) * Fix chunk index overflow due to large sstable with small chunk length (CASSANDRA-15595) * Allow selecting static column only when querying static index (CASSANDRA-14242) * cqlsh return non-zero status when STDIN CQL fails (CASSANDRA-15623) * Don't skip sstables in slice queries based only on local min/max/deletion timestamp (CASSANDRA-15690) * Memtable memory allocations may deadlock (CASSANDRA-15367) * Run evictFromMembership in GossipStage (CASSANDRA-15592) * Fix nomenclature of allow and deny lists (CASSANDRA-15862) * Remove generated files from source artifact (CASSANDRA-15849) * Remove duplicated tools binaries from tarballs (CASSANDRA-15768) * Duplicate results with DISTINCT queries in mixed mode (CASSANDRA-15501) * Disable JMX rebinding (CASSANDRA-15653) * Fix writing of snapshot manifest when the table has table-backed secondary indexes (CASSANDRA-10968) * Fix parse error in cqlsh COPY FROM and formatting for map of blobs (CASSANDRA-15679) * Fix Commit log replays when static column clustering keys are collections (CASSANDRA-14365) * Fix Red Hat init script on newer systemd versions (CASSANDRA-15273) * Allow EXTRA_CLASSPATH to work on tar/source installations (CASSANDRA-15567) * Fix bad UDT sstable metadata serialization headers written by C* 3.0 on upgrade and in sstablescrub (CASSANDRA-15035) * Fix nodetool compactionstats showing extra pending task for TWCS - patch implemented (CASSANDRA-15409) * Fix SELECT JSON formatting for the "duration" type (CASSANDRA-15075) * Fix LegacyLayout to have same behavior as 2.x when handling unknown column names (CASSANDRA-15081) * Update nodetool help stop output (CASSANDRA-15401) * Run in-jvm upgrade dtests in circleci (CASSANDRA-15506) * Include updates to static column in mutation size calculations (CASSANDRA-15293) * Fix point-in-time recoevery ignoring timestamp of updates to static columns (CASSANDRA-15292) * GC logs are also put under $CASSANDRA_LOG_DIR (CASSANDRA-14306) * Fix sstabledump's position key value when partitions have multiple rows (CASSANDRA-14721) * Avoid over-scanning data directories in LogFile.verify() (CASSANDRA-15364) * Bump generations and document changes to system_distributed and system_traces in 3.0, 3.11 (CASSANDRA-15441) * Fix system_traces creation timestamp; optimise system keyspace upgrades (CASSANDRA-15398) * Fix various data directory prefix matching issues (CASSANDRA-13974) * Minimize clustering values in metadata collector (CASSANDRA-15400) * Avoid over-trimming of results in mixed mode clusters (CASSANDRA-15405) * validate value sizes in LegacyLayout (CASSANDRA-15373) * Ensure that tracing doesn't break connections in 3.x/4.0 mixed mode by default (CASSANDRA-15385) * Make sure index summary redistribution does not start when compactions are paused (CASSANDRA-15265) * Ensure legacy rows have primary key livenessinfo when they contain illegal cells (CASSANDRA-15365) * Fix race condition when setting bootstrap flags (CASSANDRA-14878) * Fix NativeLibrary.tryOpenDirectory callers for Windows (CASSANDRA-15426) * Fix SELECT JSON output for empty blobs (CASSANDRA-15435) * In-JVM DTest: Set correct internode message version for upgrade test (CASSANDRA-15371) * In-JVM DTest: Support NodeTool in dtest (CASSANDRA-15429) * Fix NativeLibrary.tryOpenDirectory callers for Windows (CASSANDRA-15426) * Fix SASI non-literal string comparisons (range operators) (CASSANDRA-15169) * Make sure user defined compaction transactions are always closed (CASSANDRA-15123) * Fix cassandra-env.sh to use $CASSANDRA_CONF to find cassandra-jaas.config (CASSANDRA-14305) * Fixed nodetool cfstats printing index name twice (CASSANDRA-14903) * Add flag to disable SASI indexes, and warnings on creation (CASSANDRA-14866) * Add ability to cap max negotiable protocol version (CASSANDRA-15193) * Gossip tokens on startup if available (CASSANDRA-15335) * Fix resource leak in CompressedSequentialWriter (CASSANDRA-15340) * Fix bad merge that reverted CASSANDRA-14993 (CASSANDRA-15289) * Fix LegacyLayout RangeTombstoneList IndexOutOfBoundsException when upgrading and RangeTombstone bounds are asymmetric (CASSANDRA-15172) * Fix NPE when using allocate_tokens_for_keyspace on new DC/rack (CASSANDRA-14952) * Filter sstables earlier when running cleanup (CASSANDRA-15100) * Use mean row count instead of mean column count for index selectivity calculation (CASSANDRA-15259) * Avoid updating unchanged gossip states (CASSANDRA-15097) * Prevent recreation of previously dropped columns with a different kind (CASSANDRA-14948) * Prevent client requests from blocking on executor task queue (CASSANDRA-15013) * Toughen up column drop/recreate type validations (CASSANDRA-15204) * LegacyLayout should handle paging states that cross a collection column (CASSANDRA-15201) * Prevent RuntimeException when username or password is empty/null (CASSANDRA-15198) * Multiget thrift query returns null records after digest mismatch (CASSANDRA-14812) * Skipping illegal legacy cells can break reverse iteration of indexed partitions (CASSANDRA-15178) * Handle paging states serialized with a different version than the session's (CASSANDRA-15176) * Throw IOE instead of asserting on unsupporter peer versions (CASSANDRA-15066) * Update token metadata when handling MOVING/REMOVING_TOKEN events (CASSANDRA-15120) * Add ability to customize cassandra log directory using $CASSANDRA_LOG_DIR (CASSANDRA-15090) * Skip cells with illegal column names when reading legacy sstables (CASSANDRA-15086) * Fix assorted gossip races and add related runtime checks (CASSANDRA-15059) * Fix mixed mode partition range scans with limit (CASSANDRA-15072) * cassandra-stress works with frozen collections: list and set (CASSANDRA-14907) * Fix handling FS errors on writing and reading flat files - LogTransaction and hints (CASSANDRA-15053) * Avoid double closing the iterator to avoid overcounting the number of requests (CASSANDRA-15058) * Improve nodetool status -r speed (CASSANDRA-14847) * Improve merkle tree size and time on heap (CASSANDRA-14096) * Add missing commands to nodetool_completion (CASSANDRA-14916) * Anti-compaction temporarily corrupts sstable state for readers (CASSANDRA-15004) * Catch non-IOException in FileUtils.close to make sure that all resources are closed (CASSANDRA-15225) * Handle exceptions during authentication/authorization (CASSANDRA-15041) * Support cross version messaging in in-jvm upgrade dtests (CASSANDRA-15078) * Fix index summary redistribution cancellation (CASSANDRA-15045) * Fixing invalid CQL in security documentation (CASSANDRA-15020) * Allow instance class loaders to be garbage collected for inJVM dtest (CASSANDRA-15170) * Add support for network topology and query tracing for inJVM dtest (CASSANDRA-15319) * Correct sstable sorting for garbagecollect and levelled compaction (CASSANDRA-14870) * Severe concurrency issues in STCS,DTCS,TWCS,TMD.Topology,TypeParser * Add a script to make running the cqlsh tests in cassandra repo easier (CASSANDRA-14951) * If SizeEstimatesRecorder misses a 'onDropTable' notification, the size_estimates table will never be cleared for that table. (CASSANDRA-14905) * Counters fail to increment in 2.1/2.2 to 3.X mixed version clusters (CASSANDRA-14958) * Streaming needs to synchronise access to LifecycleTransaction (CASSANDRA-14554) * Fix cassandra-stress write hang with default options (CASSANDRA-14616) * Differentiate between slices and RTs when decoding legacy bounds (CASSANDRA-14919) * Netty epoll IOExceptions caused by unclean client disconnects being logged at INFO (CASSANDRA-14909) * Unfiltered.isEmpty conflicts with Row extends AbstractCollection.isEmpty (CASSANDRA-14588) * RangeTombstoneList doesn't properly clean up mergeable or superseded rts in some cases (CASSANDRA-14894) * Fix handling of collection tombstones for dropped columns from legacy sstables (CASSANDRA-14912) * Throw exception if Columns serialized subset encode more columns than possible (CASSANDRA-14591) * Drop/add column name with different Kind can result in corruption (CASSANDRA-14843) * Fix missing rows when reading 2.1 SSTables with static columns in 3.0 (CASSANDRA-14873) * Move TWCS message 'No compaction necessary for bucket size' to Trace level (CASSANDRA-14884) * Sstable min/max metadata can cause data loss (CASSANDRA-14861) * Dropped columns can cause reverse sstable iteration to return prematurely (CASSANDRA-14838) * Legacy sstables with multi block range tombstones create invalid bound sequences (CASSANDRA-14823) * Expand range tombstone validation checks to multiple interim request stages (CASSANDRA-14824) * Reverse order reads can return incomplete results (CASSANDRA-14803) * Avoid calling iter.next() in a loop when notifying indexers about range tombstones (CASSANDRA-14794) * Fix purging semi-expired RT boundaries in reversed iterators (CASSANDRA-14672) * DESC order reads can fail to return the last Unfiltered in the partition (CASSANDRA-14766) * Fix corrupted collection deletions for dropped columns in 3.0 2.{1,2} messages (CASSANDRA-14568) * Fix corrupted static collection deletions in 3.0 2.{1,2} messages (CASSANDRA-14568) * Handle failures in parallelAllSSTableOperation (cleanup/upgradesstables/etc) (CASSANDRA-14657) * Improve TokenMetaData cache populating performance avoid long locking (CASSANDRA-14660) * Backport: Flush netty client messages immediately (not by default) (CASSANDRA-13651) * Fix static column order for SELECT * wildcard queries (CASSANDRA-14638) * sstableloader should use discovered broadcast address to connect intra-cluster (CASSANDRA-14522) * Fix reading columns with non-UTF names from schema (CASSANDRA-14468) * Don't enable client transports when bootstrap is pending (CASSANDRA-14525) * MigrationManager attempts to pull schema from different major version nodes (CASSANDRA-14928) * Fix incorrect cqlsh results when selecting same columns multiple times (CASSANDRA-13262) * Returns null instead of NaN or Infinity in JSON strings (CASSANDRA-14377) * Paged Range Slice queries with DISTINCT can drop rows from results (CASSANDRA-14956) * Validate supported column type with SASI analyzer (CASSANDRA-13669) * Remove BTree.Builder Recycler to reduce memory usage (CASSANDRA-13929) * Reduce nodetool GC thread count (CASSANDRA-14475) * Fix New SASI view creation during Index Redistribution (CASSANDRA-14055) * Remove string formatting lines from BufferPool hot path (CASSANDRA-14416) * Update metrics to 3.1.5 (CASSANDRA-12924) * Detect OpenJDK jvm type and architecture (CASSANDRA-12793) * Don't use guava collections in the non-system keyspace jmx attributes (CASSANDRA-12271) * Allow existing nodes to use all peers in shadow round (CASSANDRA-13851) * Fix cqlsh to read connection.ssl cqlshrc option again (CASSANDRA-14299) * Downgrade log level to trace for CommitLogSegmentManager (CASSANDRA-14370) * CQL fromJson(null) throws NullPointerException (CASSANDRA-13891) * Serialize empty buffer as empty string for json output format (CASSANDRA-14245) * Allow logging implementation to be interchanged for embedded testing (CASSANDRA-13396) * SASI tokenizer for simple delimiter based entries (CASSANDRA-14247) * Fix Loss of digits when doing CAST from varint/bigint to decimal (CASSANDRA-14170) * RateBasedBackPressure unnecessarily invokes a lock on the Guava RateLimiter (CASSANDRA-14163) * Fix wildcard GROUP BY queries (CASSANDRA-14209) * Fix corrupted static collection deletions in 3.0 -> 2.{1,2} messages (CASSANDRA-14568) * Fix potential IndexOutOfBoundsException with counters (CASSANDRA-14167) * Always close RT markers returned by ReadCommand#executeLocally() (CASSANDRA-14515) * Reverse order queries with range tombstones can cause data loss (CASSANDRA-14513) * Fix regression of lagging commitlog flush log message (CASSANDRA-14451) * Add Missing dependencies in pom-all (CASSANDRA-14422) * Cleanup StartupClusterConnectivityChecker and PING Verb (CASSANDRA-14447) * Fix deprecated repair error notifications from 3.x clusters to legacy JMX clients (CASSANDRA-13121) * Cassandra not starting when using enhanced startup scripts in windows (CASSANDRA-14418) * Fix progress stats and units in compactionstats (CASSANDRA-12244) * Better handle missing partition columns in system_schema.columns (CASSANDRA-14379) * Delay hints store excise by write timeout to avoid race with decommission (CASSANDRA-13740) * Deprecate background repair and probablistic read_repair_chance table options (CASSANDRA-13910) * Add missed CQL keywords to documentation (CASSANDRA-14359) * Fix unbounded validation compactions on repair / revert CASSANDRA-13797 (CASSANDRA-14332) * Avoid deadlock when running nodetool refresh before node is fully up (CASSANDRA-14310) * Handle all exceptions when opening sstables (CASSANDRA-14202) * Handle incompletely written hint descriptors during startup (CASSANDRA-14080) * Handle repeat open bound from SRP in read repair (CASSANDRA-14330) * Respect max hint window when hinting for LWT (CASSANDRA-14215) * Adding missing WriteType enum values to v3, v4, and v5 spec (CASSANDRA-13697) * Don't regenerate bloomfilter and summaries on startup (CASSANDRA-11163) * Fix NPE when performing comparison against a null frozen in LWT (CASSANDRA-14087) * Log when SSTables are deleted (CASSANDRA-14302) * Fix batch commitlog sync regression (CASSANDRA-14292) * Write to pending endpoint when view replica is also base replica (CASSANDRA-14251) * Chain commit log marker potential performance regression in batch commit mode (CASSANDRA-14194) * Fully utilise specified compaction threads (CASSANDRA-14210) * Pre-create deletion log records to finish compactions quicker (CASSANDRA-12763) * Fix bug that prevented compaction of SSTables after full repairs (CASSANDRA-14423) * Incorrect counting of pending messages in OutboundTcpConnection (CASSANDRA-11551) * Fix compaction failure caused by reading un-flushed data (CASSANDRA-12743) * Use Bounds instead of Range for sstables in anticompaction (CASSANDRA-14411) * Fix JSON queries with IN restrictions and ORDER BY clause (CASSANDRA-14286) * Backport circleci yaml (CASSANDRA-14240) * Check checksum before decompressing data (CASSANDRA-14284) * CVE-2017-5929 Security vulnerability in Logback warning in NEWS.txt (CASSANDRA-14183) - Use %license macro

Changes in cassandra-kit: - Update to Cassandra 3.11.10 (bsc#1181689, CVE-2020-17516)

Changes in crowbar-core: - Update to version 5.0+git.1622489449.a8e60e238: * avoid v4.1.5 of delayed_job_active_record (noref) * add CVE-2020-26247 to travis ignore list (bsc#1180507)

Changes in crowbar-openstack: - Update to version 5.0+git.1616001417.67fd9c2a1: * monasca: restart Kibana on update (bsc#1044849)

  • Update to version 5.0+git.1615542070.7841c34b7:
  • monasca: fix monasca-server reinstall state check (SOC-11471)

Changes in documentation-suse-openstack-cloud: - Update to version 8.20210512: * Moved Monasca deployment to immediately after keystone (SOC-11525) (#1312)

  • Update to version 8.20210511:
  • Update the correct SLES version to suse-12.3 (SOC-11521) (#1321)
  • Renamed the repo name from SLE12-SP3-HA to SLE-HA12-SP3 (SOC-11523) (#1320)

  • Update to version 8.20210511:

  • Add bm-power-status playbook to add sles compute section (#1317)

  • Update to version 8.20210507:

  • Add instructions for checking MySQL cert expiry (SOC-11422) (#1311)

  • Update to version 8.20210304:

  • Add nova and heat db purge cron jobs to maintenance section (SOC-9876) (#1307)

Changes in grafana: - Add CVE-2021-27358.patch (bsc#1183803, CVE-2021-27358) * Prevent unauthenticated remote attackers from causing a DoS through the snapshots API.

Changes in kibana: - Ensure /etc/sysconfig/kibana is present

  • Update to Kibana 4.6.6 (bsc#1044849, CVE-2017-11499, ESA-2017-14, ESA-2017-16)
  • [4.6] ignore forked code for babel transpile build phase (#13483)
  • Allow more than match queries in custom filters (#8614) (#10857)
  • [state] don't make extra $location.replace() calls (#9954)
  • [optimizer] move to querystring-browser package for up-to-date api
  • [state/unhashUrl] use encode-uri-query to generate cleanly encoded urls
  • server: refactor log_interceptor to be more DRY (#9617)
  • server: downgrade ECANCELED logs to debug (#9616)
  • server: do not treat logged warnings as errors (#8746) (#9610)
  • [server/logger] downgrade EPIPE errors to debug level (#9023)
  • Add basepath when redirecting from a trailling slash (#9035)
  • [es/kibanaIndex] use unmapped_type rather than ignore_unmapped (#8968)
  • [server/shortUrl] validate urls before shortening them
  • Add CVE-2017-11481.patch (bsc#1044849, CVE-2017-11481)
  • This fixes an XSS vulnerability in URL fields
  • Remove %dir declaration from /opt/kibana/optimize to ensure no files owned by root end up in there
  • Exclude /opt/kibana/optimize from %fdupes
  • Restart service on upgrade
  • Do not copy LICENSE.txt and README.txt to /opt/kibana
  • Fix rpmlint warnings/errors
  • Switch to explicit patch application
  • Fix source URL
  • Fix logic for systemd/systemv detection

Changes in openstack-heat-templates: - Update to version 0.0.0+git.1623056900.7917e18: * Fix zuul config for heat-templates-check

  • Update to version 0.0.0+git.1621405516.71a0f7a:
  • Remove testr

Changes in openstack-monasca-installer: - Add 0001-fix-influxdb-stop-task.patch (SOC-11470) - Add 0001-fix-cassandra-deployment.patch (SOC-11470)

Changes in openstack-nova: - Update to version nova-16.1.9.dev92: * Lowercase ironic driver hash ring and ignore case in cache * Include only required fields in ironic node cache * Add resource_class to fields in ironic node cache

  • Update to version nova-16.1.9.dev86:
  • [stable-only] Move grenade jobs to experimental
  • Update resources once in update_available_resource
  • rt: Make resource tracker always invoking get_inventory()

  • Update to version nova-16.1.9.dev81:

  • [stable-only] gate: Pin CEPH_RELEASE to nautilus in LM hook

  • Update to version nova-16.1.9.dev80:

  • [placement] Add status and links fields to version document at /

Changes in openstack-nova: - Update to version nova-16.1.9.dev92: * Lowercase ironic driver hash ring and ignore case in cache * Include only required fields in ironic node cache * Add resource_class to fields in ironic node cache

  • Update to version nova-16.1.9.dev86:
  • [stable-only] Move grenade jobs to experimental
  • Update resources once in update_available_resource
  • rt: Make resource tracker always invoking get_inventory()

  • Update to version nova-16.1.9.dev81:

  • [stable-only] gate: Pin CEPH_RELEASE to nautilus in LM hook

  • Update to version nova-16.1.9.dev80:

  • [placement] Add status and links fields to version document at /

Changes in python-Django: - Add CVE-2021-33203.patch (bsc#1186608, CVE-2021-33203) * Fixed potential path-traversal via admindocs' TemplateDetailView. - Add CVE-2021-33571.patch (bsc#1186611, CVE-2021-33571) * Prevented leading zeros in IPv4 addresses.

  • Add CVE-2021-31542.patch (bsc#1185623, CVE-2021-31542)

    • Fixed CVE-2021-31542 -- Tightened path and file name sanitation in file uploads.
  • Add CVE-2021-28658.patch (bsc#1184148, CVE-2021-28658)

  • Fixed potential directory-traversal via uploaded files

  • Add CVE-2021-23336.patch (bsc#1182433, CVE-2021-23336)

  • Fixed web cache poisoning via django.utils.http.limited_parse_qsl()

Changes in python-eventlet: - Add 0001-websocket-fd-leak-when-client-did-not-close-connecti.patch - Add 0002-websocket-Limit-maximum-uncompressed-frame-length-to.patch (bsc#1185836 CVE-2021-21419) * websocket: Limit maximum uncompressed frame length to 8MiB

Changes in python-py: - Add CVE-2020-29651.patch ((bsc#1179805, CVE-2020-29651) * svnwc: fix regular expression vulnerable to DoS in blame functionality

Changes in python-pysaml2: - Add %dir declaration for %{_licensedir}

  • Fix CVE-2021-21238, bsc#1181277 with 0004-Strengthen-XSW-tests.patch , 0005-Fix-the-parser-to-not-break-on-ePTID-AttributeValues.patch , 0006-Add-xsd-schemas.patch , 0007-Fix-CVE-2021-21238-SAML-XML-Signature-wrapping.patch . This adds a dependency on python-xmlschema, which depends on python-elementpath and build depends python-pathlib2, which depends on python-scandir, thus all these need to be added for this to work. The used python-xmlschema needs to support the sandbox argument which was added in 1.2.0 and refined in 1.2.1, but that version doesn't support python2, so a patched version that does both is needed. 0009-Make-previous-commits-python2-compatible.patch to not add a dependency on reportlib_resources and make other changes python2 compatible.
  • Fix CVE-2021-21239, bsc#1181278 with 0008-Fix-CVE-2021-21239-Restrict-the-key-data-that-xmlsec.patch

Changes in venv-openstack-keystone: - Add python-xmlschema and python-elementpath for new python-pysaml2 version.

Changes in python-xmlschema:

  • Add missed BuildRequires on pathlib2

  • Add 3 patches to backport sandbox argument, which is needed by a security fix in python-pysaml2 and one patch to make backport python2 compatible.

  • Upstream url changed
  • Add rpmlintrc to make it work on Leap 42.3
  • Update to 1.0.18:
  • Fix for ModelVisitor.iter_unordered_content()
  • Fixed default converter, AbderaConverter and JsonMLConverter for xs:anyType decode
  • Fixed validation tests with all converters
  • Added UnorderedConverter to validation tests
  • Update to 1.0.17:
  • Enhancement of validation-only speed (~15%)
  • Added is_valid() and iter_errors() to module API
  • Update to 1.0.16:
  • Improved XMLResource class for working with compressed files
  • Fix for validation with XSD wildcards and 'lax' process content
  • Fix ambiguous items validation for xs:choice and xs:sequence models

  • Handle UnicodeDecodeErrors during build process

  • Update to 1.0.15:

  • Improved XPath 2.0 bindings
  • Added logging for schema initialization and building (handled with argument loglevel)
  • Update encoding of collapsed contents with a new model based reordering method
  • Removed XLink namespace from meta-schema (loaded from a fallback location like XHTML)
  • Fixed half of failed W3C instance tests (remain 255 over 15344 tests)

  • Initial commit, needed by pytest 5.1.2

Changes in python-elementpath:

  • Update to 1.3.1:
  • Improved schema proxy
  • Improved XSD type matching using paths
  • Cached parent path for XPathContext (only Python 3)
  • Improve typed selection with TypedAttribute and TypedElement named-tuples
  • Add iter_results to XPathContext
  • Remove XMLSchemaProxy from package
  • Fix descendant shortcut operator '//'
  • Fix text() function
  • Fix typed select of '(name)' token