SUSE-SU-2019:3068-1: moderate: Security update for ardana-db, ardana-keystone, ardana-neutron, ardana-nova, crowbar-core, crowbar-openstack, crowbar-ui, openstack-barbican, openstack-heat-templates, openstack-keystone, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, openstack-octavia, openstack-sahara, python-psutil, release-notes-suse-openstack-cloud

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Tue Nov 26 10:11:23 MST 2019


   SUSE Security Update: Security update for ardana-db, ardana-keystone, ardana-neutron, ardana-nova, crowbar-core, crowbar-openstack, crowbar-ui, openstack-barbican, openstack-heat-templates, openstack-keystone, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, openstack-octavia, openstack-sahara, python-psutil, release-notes-suse-openstack-cloud
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:3068-1
Rating:             moderate
References:         #1153304 #1155942 #1156525 
Cross-References:   CVE-2019-17134 CVE-2019-18874
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
______________________________________________________________________________

   An update that solves two vulnerabilities and has one
   errata is now available.

Description:

   This update for ardana-db, ardana-keystone, ardana-neutron, ardana-nova,
   crowbar-core, crowbar-openstack, crowbar-ui, openstack-barbican,
   openstack-heat-templates, openstack-keystone, openstack-neutron,
   openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova,
   openstack-octavia, openstack-sahara, python-psutil,
   release-notes-suse-openstack-cloud fixes the following issues:

   Security fix for openstack-octavia:

   - CVE-2019-17134: Fixed an issue where Octavia Amphora-Agent not requiring
     Client-Certificate (bsc#1153304).

   Security fix for python-psutil:

   - CVE-2019-18874: Fixed a double-free vulnerability occured during
     converting system data into a Python object (bsc#1155089).


   - Update to version 9.0+git.1572311426.a6dc2fd:
     * Align Crowbar and Ardana MariaDB configs (SOC-10094)

   - Update to version 9.0+git.1573069087.15ffd1c:
     * enable debug and insecure_debug on demand (SOC-10934)

   - Update to version 9.0+git.1572019823.6650494:
     * Correctly setup ardana_notify_... fact (SOC-10902)

   - Update to version 9.0+git.1572618171.4460843:
     * Update gerrit FQDN in .gitreview (SOC-9140)

   - Update to version 6.0+git.1573825081.b1caf60f1:
     * Update the testsuite for new upgrade method (SOC-10761)
     * upgrade: cold start nova before live migration (SOC-10761)

   - Update to version 6.0+git.1573131992.3c660b413:
     * [upgrade] Call finalize_nodes_upgrade at the very end (bsc#1155942)

   - Update to version 6.0+git.1573051151.3495e0e94:
     * Allow enabling bpdu-forwarding on OVS bridges (SOC-9172)



   - Update to version 6.0+git.1573754820.dd036ef77:
     * neutron: use octavia-api admin VIP URI for lbaasv2 (SOC-10906)
     * octavia: handle certificate ownership in barclamp (SOC-10906)
     * octavia: add SSL support to octavia-api (SOC-10906)

   - Update to version 6.0+git.1573174019.9965ae9b8:
     * designate: change default configuration (SOC-10899)

   - Update to version 6.0+git.1572855359.8efafea01:
     * Make sure the input file with ssh key exists (SOC-10133)

   - Update to version 6.0+git.1572636244.e12406629:
     * Change order of Octavia to 102 (SOC-10289)

   - Update to version 6.0+git.1572470261.49c0affe1:
     * designate: move keystone resource lookup to convergence (SOC-10887)

   - Update to version 1.3.0+git.1572871359.50fc6087:
     * Add title for XEN compute nodes precheck (SOC-10495)

   - Update to version barbican-7.0.1.dev21:
     * Fix duplicate paths in secret hrefs
     * Fix the bug of pep8 and building api-guide
     * OpenDev Migration Patch

   - Update to version barbican-7.0.1.dev21:
     * Fix duplicate paths in secret hrefs
     * Fix the bug of pep8 and building api-guide
     * OpenDev Migration Patch
   - remove 0001-Fix-duplicate-paths-in-secret-hrefs.patch as it had landed
     upstream

   - Replace openstack.org git:// URLs with https://

   - Update to version keystone-14.1.1.dev28:
     * Allows to use application credentials through group membership

   - Update to version keystone-14.1.1.dev28:
     * Allows to use application credentials through group membership

   - Update to version neutron-13.0.6.dev8:
     * Retry creating iptables managers and adding metering rules

   - Update to version neutron-13.0.6.dev6:
     * Increase timeout when waiting for dnsmasq enablement

   - Update to version neutron-13.0.6.dev4:
     * Log OVS firewall conjunction creation

   - Update to version neutron-13.0.6.dev8:
     * Retry creating iptables managers and adding metering rules

   - Update to version neutron-13.0.6.dev6:
     * Increase timeout when waiting for dnsmasq enablement

   - Update to version neutron-13.0.6.dev4:
     * Log OVS firewall conjunction creation

   - Update to version group-based-policy-5.0.1.dev476:
     * Provide a control knob to use the internal EP interface
     * Send port notifications when host\_route is getting updated

   - Update to version group-based-policy-5.0.1.dev473:
     * Fix pep8 failures seen on submitted patches

   - Update to version neutron-lbaas-13.0.1.dev16:
     * "lbaas delete l7 rule" Parameter Passing Error

   - Update to version neutron-lbaas-13.0.1.dev16:
     * "lbaas delete l7 rule" Parameter Passing Error

   - Update to version nova-18.2.4.dev22:
     * Revert "openstack server create" to "nova boot" in nova docs
     * doc: fix and clarify --block-device usage in user docs

   - Update to version nova-18.2.4.dev20:
     * Avoid error 500 on shelve task\_state race

   - Update to version nova-18.2.4.dev19:
     * libvirt: Ignore volume exceptions during post\_live\_migration

   - Update to version nova-18.2.4.dev22:
     * Revert "openstack server create" to "nova boot" in nova docs
     * doc: fix and clarify --block-device usage in user docs

   - Update to version nova-18.2.4.dev20:
     * Avoid error 500 on shelve task\_state race

   - Update to version nova-18.2.4.dev19:
     * libvirt: Ignore volume exceptions during post\_live\_migration

   - Update to version octavia-3.2.1.dev3:
     * Improve the error message for bad pkcs12 bundles

   - Update to version octavia-3.2.1.dev2:
     * ipvsadm '--exact' arg to ensure outputs are ints

   - Update to version sahara-9.0.2.dev14:
     * Fixing image creation
     * Check MariaDB installation

   - Update to version sahara-9.0.2.dev14:
     * Fixing image creation
     * Check MariaDB installation

   - Update to version 9.20191025:
     * support OpenID Connect (SOC-10510)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2019-3068=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2019-3068=1



Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      crowbar-core-6.0+git.1573825081.b1caf60f1-3.16.1
      crowbar-core-branding-upstream-6.0+git.1573825081.b1caf60f1-3.16.1
      python-psutil-5.4.6-3.3.1
      python-psutil-debuginfo-5.4.6-3.3.1
      python-psutil-debugsource-5.4.6-3.3.1

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      crowbar-openstack-6.0+git.1573754820.dd036ef77-3.16.1
      crowbar-ui-1.3.0+git.1572871359.50fc6087-14.1
      openstack-barbican-7.0.1~dev21-3.3.1
      openstack-barbican-api-7.0.1~dev21-3.3.1
      openstack-barbican-keystone-listener-7.0.1~dev21-3.3.1
      openstack-barbican-retry-7.0.1~dev21-3.3.1
      openstack-barbican-worker-7.0.1~dev21-3.3.1
      openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1
      openstack-keystone-14.1.1~dev28-3.16.1
      openstack-neutron-13.0.6~dev8-3.16.2
      openstack-neutron-dhcp-agent-13.0.6~dev8-3.16.2
      openstack-neutron-gbp-5.0.1~dev476-3.13.1
      openstack-neutron-ha-tool-13.0.6~dev8-3.16.2
      openstack-neutron-l3-agent-13.0.6~dev8-3.16.2
      openstack-neutron-lbaas-13.0.1~dev16-3.13.1
      openstack-neutron-lbaas-agent-13.0.1~dev16-3.13.1
      openstack-neutron-linuxbridge-agent-13.0.6~dev8-3.16.2
      openstack-neutron-macvtap-agent-13.0.6~dev8-3.16.2
      openstack-neutron-metadata-agent-13.0.6~dev8-3.16.2
      openstack-neutron-metering-agent-13.0.6~dev8-3.16.2
      openstack-neutron-openvswitch-agent-13.0.6~dev8-3.16.2
      openstack-neutron-server-13.0.6~dev8-3.16.2
      openstack-nova-18.2.4~dev22-3.16.2
      openstack-nova-api-18.2.4~dev22-3.16.2
      openstack-nova-cells-18.2.4~dev22-3.16.2
      openstack-nova-compute-18.2.4~dev22-3.16.2
      openstack-nova-conductor-18.2.4~dev22-3.16.2
      openstack-nova-console-18.2.4~dev22-3.16.2
      openstack-nova-novncproxy-18.2.4~dev22-3.16.2
      openstack-nova-placement-api-18.2.4~dev22-3.16.2
      openstack-nova-scheduler-18.2.4~dev22-3.16.2
      openstack-nova-serialproxy-18.2.4~dev22-3.16.2
      openstack-nova-vncproxy-18.2.4~dev22-3.16.2
      openstack-octavia-3.2.1~dev3-3.16.1
      openstack-octavia-amphora-agent-3.2.1~dev3-3.16.1
      openstack-octavia-api-3.2.1~dev3-3.16.1
      openstack-octavia-health-manager-3.2.1~dev3-3.16.1
      openstack-octavia-housekeeping-3.2.1~dev3-3.16.1
      openstack-octavia-worker-3.2.1~dev3-3.16.1
      openstack-sahara-9.0.2~dev14-3.6.1
      openstack-sahara-api-9.0.2~dev14-3.6.1
      openstack-sahara-engine-9.0.2~dev14-3.6.1
      python-barbican-7.0.1~dev21-3.3.1
      python-keystone-14.1.1~dev28-3.16.1
      python-neutron-13.0.6~dev8-3.16.2
      python-neutron-gbp-5.0.1~dev476-3.13.1
      python-neutron-lbaas-13.0.1~dev16-3.13.1
      python-nova-18.2.4~dev22-3.16.2
      python-octavia-3.2.1~dev3-3.16.1
      python-sahara-9.0.2~dev14-3.6.1
      release-notes-suse-openstack-cloud-9.20191025-3.15.1

   - SUSE OpenStack Cloud 9 (x86_64):

      python-psutil-5.4.6-3.3.1
      python-psutil-debuginfo-5.4.6-3.3.1
      python-psutil-debugsource-5.4.6-3.3.1

   - SUSE OpenStack Cloud 9 (noarch):

      ardana-db-9.0+git.1572311426.a6dc2fd-3.13.1
      ardana-keystone-9.0+git.1573069087.15ffd1c-3.13.1
      ardana-neutron-9.0+git.1572019823.6650494-3.16.1
      ardana-nova-9.0+git.1572618171.4460843-3.13.1
      openstack-barbican-7.0.1~dev21-3.3.1
      openstack-barbican-api-7.0.1~dev21-3.3.1
      openstack-barbican-keystone-listener-7.0.1~dev21-3.3.1
      openstack-barbican-retry-7.0.1~dev21-3.3.1
      openstack-barbican-worker-7.0.1~dev21-3.3.1
      openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1
      openstack-keystone-14.1.1~dev28-3.16.1
      openstack-neutron-13.0.6~dev8-3.16.2
      openstack-neutron-dhcp-agent-13.0.6~dev8-3.16.2
      openstack-neutron-gbp-5.0.1~dev476-3.13.1
      openstack-neutron-ha-tool-13.0.6~dev8-3.16.2
      openstack-neutron-l3-agent-13.0.6~dev8-3.16.2
      openstack-neutron-lbaas-13.0.1~dev16-3.13.1
      openstack-neutron-lbaas-agent-13.0.1~dev16-3.13.1
      openstack-neutron-linuxbridge-agent-13.0.6~dev8-3.16.2
      openstack-neutron-macvtap-agent-13.0.6~dev8-3.16.2
      openstack-neutron-metadata-agent-13.0.6~dev8-3.16.2
      openstack-neutron-metering-agent-13.0.6~dev8-3.16.2
      openstack-neutron-openvswitch-agent-13.0.6~dev8-3.16.2
      openstack-neutron-server-13.0.6~dev8-3.16.2
      openstack-nova-18.2.4~dev22-3.16.2
      openstack-nova-api-18.2.4~dev22-3.16.2
      openstack-nova-cells-18.2.4~dev22-3.16.2
      openstack-nova-compute-18.2.4~dev22-3.16.2
      openstack-nova-conductor-18.2.4~dev22-3.16.2
      openstack-nova-console-18.2.4~dev22-3.16.2
      openstack-nova-novncproxy-18.2.4~dev22-3.16.2
      openstack-nova-placement-api-18.2.4~dev22-3.16.2
      openstack-nova-scheduler-18.2.4~dev22-3.16.2
      openstack-nova-serialproxy-18.2.4~dev22-3.16.2
      openstack-nova-vncproxy-18.2.4~dev22-3.16.2
      openstack-octavia-3.2.1~dev3-3.16.1
      openstack-octavia-amphora-agent-3.2.1~dev3-3.16.1
      openstack-octavia-api-3.2.1~dev3-3.16.1
      openstack-octavia-health-manager-3.2.1~dev3-3.16.1
      openstack-octavia-housekeeping-3.2.1~dev3-3.16.1
      openstack-octavia-worker-3.2.1~dev3-3.16.1
      openstack-sahara-9.0.2~dev14-3.6.1
      openstack-sahara-api-9.0.2~dev14-3.6.1
      openstack-sahara-engine-9.0.2~dev14-3.6.1
      python-barbican-7.0.1~dev21-3.3.1
      python-keystone-14.1.1~dev28-3.16.1
      python-neutron-13.0.6~dev8-3.16.2
      python-neutron-gbp-5.0.1~dev476-3.13.1
      python-neutron-lbaas-13.0.1~dev16-3.13.1
      python-nova-18.2.4~dev22-3.16.2
      python-octavia-3.2.1~dev3-3.16.1
      python-sahara-9.0.2~dev14-3.6.1
      release-notes-suse-openstack-cloud-9.20191025-3.15.1
      venv-openstack-barbican-x86_64-7.0.1~dev21-3.13.1
      venv-openstack-cinder-x86_64-13.0.8~dev8-3.13.1
      venv-openstack-designate-x86_64-7.0.1~dev22-3.13.1
      venv-openstack-heat-x86_64-11.0.3~dev23-3.13.1
      venv-openstack-keystone-x86_64-14.1.1~dev28-3.13.1
      venv-openstack-magnum-x86_64-7.1.1~dev28-4.13.1
      venv-openstack-manila-x86_64-7.3.1~dev15-3.13.1
      venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.13.1
      venv-openstack-neutron-x86_64-13.0.6~dev8-6.13.1
      venv-openstack-nova-x86_64-18.2.4~dev22-3.13.1
      venv-openstack-octavia-x86_64-3.2.1~dev3-4.13.1
      venv-openstack-sahara-x86_64-9.0.2~dev14-3.13.1


References:

   https://www.suse.com/security/cve/CVE-2019-17134.html
   https://www.suse.com/security/cve/CVE-2019-18874.html
   https://bugzilla.suse.com/1153304
   https://bugzilla.suse.com/1155942
   https://bugzilla.suse.com/1156525



More information about the sle-security-updates mailing list