Security update for ardana-ansible, ardana-monasca, crowbar-openstack, influxdb, kibana, openstack-cinder, openstack-ec2-api, openstack-heat-gbp, openstack-heat-templates, openstack-horizon-plugin-gbp

Announcement ID:	SUSE-SU-2021:3729-1
Rating:	moderate
References:	bsc#1180837 bsc#1185836 bsc#1186868 bsc#1189052 bsc#1191681 jsc#SOC-11543
Cross-References:	CVE-2020-26298 CVE-2021-21419 CVE-2021-22141 CVE-2021-41136
CVSS scores:	CVE-2020-26298 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2020-26298 ( NVD ): 6.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N CVE-2021-21419 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-21419 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-22141 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2021-22141 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-41136 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N CVE-2021-41136 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Affected Products:	SUSE Linux Enterprise Server 12 SP4 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9

An update that solves four vulnerabilities, contains one feature and has one security fix can now be installed.

Description:

This update for ardana-ansible, ardana-monasca, crowbar-openstack, influxdb, kibana, openstack-cinder, openstack-ec2-api, openstack-heat-gbp, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-keystone, openstack-neutron-gbp, openstack-nova, python-eventlet, rubygem-redcarpet, rubygem-puma contains the following fixes:

Security fixes included in this update:

kibana: CVE-2021-22141: Fixed URL redirection flaw (bsc#1186868).

python-eventlet: CVE-2021-21419: Fixed improper handling of highly compressed data and memory allocation with excessive size value. (bsc#1185836)

rubygem-redcarpet: CVE-2020-26298: Fixed XSS via HTML escaping when processing quotes. (bsc#1180837)

rubygem-puma: CVE-2021-41136: Fixes build of the Java state machine for parsing HTTP. (bsc#1191681)

Non-security fixes included in this update:

Changes in ardana-ansible: * Patch service.py to skip blank lines.

Changes in ardana-monasca: * Use specific TLS versions for monasca-thresh DB connections. (SOC-11543)

Changes in crowbar-openstack: * keystone wakeup: get new session on any error. (bsc#1189052)

Changes in influxdb: - Set GO111MODULE=auto to fix build with go1.16 and later where default is GO111MODULE=on

Canges in kibana: - Fix an open redirect flaw. (CVE-2021-22141, bsc#1186868)

Changes in openstack-cinder: * Fix typo in Dell EMC Unity driver documentation. * Drop lower-constraints job. * [stable-only] Cap bandit to v1.6.2 and fix constraints.

Changes in openstack-ec2-api: * Remove jobs corresponds to obselete featuresets. * OpenDev Migration Patch.

Changes in openstack-heat-gbp: * Add support for Wallaby. * Fix upstream gate.

Changes in openstack-heat-templates: * [ussuri][goal] Update contributor documentation. * Fix zuul config for heat-templates-check. * Remove testr.

Changes in openstack-horizon-plugin-gbp-ui: * Add support for Wallaby. * Fix upstream gate.

Changes in openstack-keystone: * Retry update_user when sqlalchemy raises StaleDataErrors. * Pin keystone-tempest-plugin for py27 compatibility.

Changes in openstack-neutron-gbp: * Fix update router API. * Fix HA IP DB migration. * Revert "Fix HA IP DB migration". * Fix HA IP DB migration. * Add network_id column to apic_ml2_ha_ipaddress_to_port_owner table. * Use custom converter for extra attributes. * Validate network before creating or updating router. * Fix Data Migration query for HA IP table. * System security grp:Add system sg in port sg list. * Add vrf column to apic_ml2_ha_ipaddress_to_port_owner table. * [apic_aim]: Fix HA IP UTs. * Fixing the exception msg for IPAddressGenerationFailure. * Enhancement regarding router/instance attachment to an external network floating ip and snat subnets. * Setting legacy-group-based-policy-dsvm-aim to non-voting gate. * Add support for Wallaby. * Bug fixes for gbp-validate. * [apic_aim]: Filter endpoint details. * Bugfix: Policy Enforcement Pref. * Fix unit-tests for tenant-scope validation. * [AIM] Add Policy Enforcement Pref to network extension.

Changes in openstack-nova: * [neutron] Get only ID and name of the SGs from Neutron. * Remove allocations before setting vm_status to SHELVED_OFFLOADED. * libvirt:driver:Disallow AIO=native when 'O_DIRECT' is not available. * Update pci stat pools based on PCI device changes. * Use subqueryload() instead of joinedload() for (system_)metadata.

Changes in python-eventlet: Websocket: Limit maximum uncompressed frame length to 8MiB. (bsc#1185836 CVE-2021-21419)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE OpenStack Cloud 9
zypper in -t patch SUSE-OpenStack-Cloud-9-2021-3729=1
SUSE OpenStack Cloud Crowbar 9
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-3729=1

Package List:

SUSE OpenStack Cloud 9 (noarch)
- venv-openstack-ironic-x86_64-11.1.5~dev17-4.23.1
- openstack-heat-gbp-12.0.1~dev4-3.6.1
- openstack-nova-18.3.1~dev91-3.40.1
- openstack-neutron-gbp-14.0.1~dev19-3.28.1
- python-heat-gbp-12.0.1~dev4-3.6.1
- python-keystone-14.2.1~dev7-3.25.2
- venv-openstack-cinder-x86_64-13.0.10~dev23-3.28.1
- ardana-ansible-9.0+git.1628097238.f6cbb0e-3.29.1
- python-neutron-gbp-14.0.1~dev19-3.28.1
- python-eventlet-0.20.0-8.3.1
- venv-openstack-sahara-x86_64-9.0.2~dev15-3.25.1
- openstack-nova-novncproxy-18.3.1~dev91-3.40.1
- openstack-cinder-volume-13.0.10~dev23-3.31.2
- venv-openstack-neutron-x86_64-13.0.8~dev164-6.29.1
- openstack-ec2-api-7.1.1~dev6-3.3.2
- openstack-horizon-plugin-gbp-ui-12.0.1~dev5-3.6.1
- openstack-cinder-13.0.10~dev23-3.31.2
- openstack-ec2-api-s3-7.1.1~dev6-3.3.2
- openstack-nova-scheduler-18.3.1~dev91-3.40.1
- venv-openstack-barbican-x86_64-7.0.1~dev24-3.25.1
- venv-openstack-manila-x86_64-7.4.2~dev60-3.31.1
- venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.25.1
- openstack-ec2-api-api-7.1.1~dev6-3.3.2
- openstack-cinder-api-13.0.10~dev23-3.31.2
- openstack-nova-api-18.3.1~dev91-3.40.1
- python-nova-18.3.1~dev91-3.40.1
- openstack-nova-placement-api-18.3.1~dev91-3.40.1
- venv-openstack-glance-x86_64-17.0.1~dev30-3.23.1
- venv-openstack-nova-x86_64-18.3.1~dev91-3.29.1
- python-horizon-plugin-gbp-ui-12.0.1~dev5-3.6.1
- venv-openstack-monasca-x86_64-2.7.1~dev10-3.23.1
- python-ec2api-7.1.1~dev6-3.3.2
- openstack-nova-vncproxy-18.3.1~dev91-3.40.1
- venv-openstack-horizon-x86_64-14.1.1~dev11-4.29.1
- venv-openstack-swift-x86_64-2.19.2~dev48-2.20.1
- openstack-nova-cells-18.3.1~dev91-3.40.1
- ardana-monasca-9.0+git.1627995376.30bdf85-3.25.1
- openstack-nova-serialproxy-18.3.1~dev91-3.40.1
- venv-openstack-magnum-x86_64-7.2.1~dev1-4.25.1
- openstack-ec2-api-metadata-7.1.1~dev6-3.3.2
- openstack-cinder-scheduler-13.0.10~dev23-3.31.2
- openstack-nova-compute-18.3.1~dev91-3.40.1
- venv-openstack-keystone-x86_64-14.2.1~dev7-3.26.1
- venv-openstack-designate-x86_64-7.0.2~dev2-3.25.1
- venv-openstack-heat-x86_64-11.0.4~dev4-3.25.1
- openstack-cinder-backup-13.0.10~dev23-3.31.2
- openstack-keystone-14.2.1~dev7-3.25.2
- openstack-nova-conductor-18.3.1~dev91-3.40.1
- openstack-heat-templates-0.0.0+git.1628179051.7d761bff-3.12.1
- venv-openstack-octavia-x86_64-3.2.3~dev7-4.25.1
- python-cinder-13.0.10~dev23-3.31.2
- openstack-nova-console-18.3.1~dev91-3.40.1
SUSE OpenStack Cloud 9 (x86_64)
- kibana-4.6.6-4.12.1
- influxdb-1.3.8-4.6.1
- kibana-debuginfo-4.6.6-4.12.1
- influxdb-debuginfo-1.3.8-4.6.1
SUSE OpenStack Cloud Crowbar 9 (noarch)
- openstack-heat-gbp-12.0.1~dev4-3.6.1
- openstack-nova-18.3.1~dev91-3.40.1
- openstack-neutron-gbp-14.0.1~dev19-3.28.1
- python-heat-gbp-12.0.1~dev4-3.6.1
- python-keystone-14.2.1~dev7-3.25.2
- python-neutron-gbp-14.0.1~dev19-3.28.1
- python-eventlet-0.20.0-8.3.1
- openstack-nova-novncproxy-18.3.1~dev91-3.40.1
- openstack-cinder-volume-13.0.10~dev23-3.31.2
- crowbar-openstack-6.0+git.1630614261.26948f746-3.37.2
- openstack-ec2-api-7.1.1~dev6-3.3.2
- openstack-horizon-plugin-gbp-ui-12.0.1~dev5-3.6.1
- openstack-cinder-13.0.10~dev23-3.31.2
- openstack-ec2-api-s3-7.1.1~dev6-3.3.2
- openstack-nova-scheduler-18.3.1~dev91-3.40.1
- openstack-ec2-api-api-7.1.1~dev6-3.3.2
- openstack-cinder-api-13.0.10~dev23-3.31.2
- openstack-nova-api-18.3.1~dev91-3.40.1
- python-nova-18.3.1~dev91-3.40.1
- openstack-nova-placement-api-18.3.1~dev91-3.40.1
- python-horizon-plugin-gbp-ui-12.0.1~dev5-3.6.1
- python-ec2api-7.1.1~dev6-3.3.2
- openstack-nova-vncproxy-18.3.1~dev91-3.40.1
- openstack-nova-cells-18.3.1~dev91-3.40.1
- openstack-nova-serialproxy-18.3.1~dev91-3.40.1
- openstack-ec2-api-metadata-7.1.1~dev6-3.3.2
- openstack-cinder-scheduler-13.0.10~dev23-3.31.2
- openstack-nova-compute-18.3.1~dev91-3.40.1
- openstack-cinder-backup-13.0.10~dev23-3.31.2
- openstack-keystone-14.2.1~dev7-3.25.2
- openstack-nova-conductor-18.3.1~dev91-3.40.1
- openstack-heat-templates-0.0.0+git.1628179051.7d761bff-3.12.1
- python-cinder-13.0.10~dev23-3.31.2
- openstack-nova-console-18.3.1~dev91-3.40.1
SUSE OpenStack Cloud Crowbar 9 (x86_64)
- rubygem-redcarpet-debugsource-3.2.3-4.3.1
- kibana-debuginfo-4.6.6-4.12.1
- rubygem-puma-debugsource-2.16.0-4.15.1
- ruby2.1-rubygem-puma-2.16.0-4.15.1
- influxdb-debuginfo-1.3.8-4.6.1
- ruby2.1-rubygem-puma-debuginfo-2.16.0-4.15.1
- ruby2.1-rubygem-redcarpet-3.2.3-4.3.1
- kibana-4.6.6-4.12.1
- influxdb-1.3.8-4.6.1
- ruby2.1-rubygem-redcarpet-debuginfo-3.2.3-4.3.1

Security update for ardana-ansible, ardana-monasca, crowbar-openstack, influxdb, kibana, openstack-cinder, openstack-ec2-api, openstack-heat-gbp, openstack-heat-templates, openstack-horizon-plugin-gbp

Description:

Patch Instructions:

Package List:

References: