SUSE-SU-2015:0324-1: Security update for openstack-nova

Wed Feb 18 20:08:24 MST 2015

   SUSE Security Update: Security update for openstack-nova
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0324-1
Rating:             low
References:         #867922 #897815 #898371 #899190 #899199 #901087 
                    #903013 
Cross-References:   CVE-2014-3608 CVE-2014-3708 CVE-2014-7230
                    CVE-2014-7231 CVE-2014-8750
Affected Products:
                    SUSE Cloud 4
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has two fixes
   is now available. It includes one version update.

Description:

   This update for openstack-nova provides stability fixes from the upstream
   OpenStack project:

       * Add @retry_on_deadlock to _instance_update()
       * Fix nova-compute start issue after evacuate
       * Fix nova evacuate issues for RBD
       * Add _wrap_db_error() support to SessionTransaction.commit()
       * Fixes DoS issue in instance list ip filter (bnc#903013,
         CVE-2014-3708)
       * Make the block device mapping retries configurable
       * Retry on closing of luks encrypted volume in case device is busy
       * Nova api service doesn't handle SIGHUP properly
       * Fix XML UnicodeEncode serialization error
       * share neutron admin auth tokens
       * Fix CellStateManagerFile init to failure
       * postgresql: use postgres db instead of template1
       * Fix instance cross AZ check when attaching volumes
       * Fixes missing ec2 api address disassociate error on failure
       * Ignore errors when deleting non-existing vifs
       * VMware: validate that VM exists on backend prior to deletion
       * VMWare: Fix VM leak when deletion of VM during resizing
       * Sync process utils from oslo
       * VMware: prevent race condition with VNC port allocation (bnc#901087,
         CVE-2014-8750)
       * Fixes Hyper-V volume mapping issue on reboot
       * Raise descriptive error for over volume quota
       * libvirt: Handle unsupported host capabilities
       * libvirt: Make fakelibvirt.libvirtError match
       * Adds tests for Hyper-V VM Utils
       * Removes unnecessary instructions in test_hypervapi
       * Fixes a Hyper-V list_instances localization issue
       * Adds list_instance_uuids to the Hyper-V driver
       * Add _wrap_db_error() support to Session.commit()
       * Sync process and str utils from oslo (bnc#899190 CVE-2014-7230
         CVE-2014-7231)
       * Fixes Hyper-V agent force_hyperv_utils_v1 flag issue
       * Fix live-migration failure in FC multipath case
       * libvirt: Save device_path in connection_info when booting from volume
       * Fixes Hyper-V boot from volume root device issue
       * Catch missing Glance image attrs with None
       * Adds get_instance_disk_info to compute drivers
       * Include next link when default limit is reached
       * VM in rescue state must have a restricted set of actions to avoid
         leaking rescued images (bnc#899199, CVE-2014-3608)
       * libvirt: return the correct instance path while cleanup_resize
       * Fix nova image-show with queued image
       * _translate_from_glance() can cause an unnecessary HTTP request
       * Neutron: Atomic update of instance info cache
       * Ensure info cache updates don't overwhelm cells
       * remove test_multiprocess_api
       * Fixes Hyper-V resize down exception
       * libvirt: Use VIR_DOMAIN_AFFECT_LIVE for paused instances
       * Fix _parse_datetime in simple tenant usage extension
       * Avoid traceback logs from simple tenant usage extension
       * Made unassigned networks visible in flat networking
       * VMware: validate that VM exists on backend prior to deletion
         (bnc#898371)
       * Fix attaching config drive issue on Hyper-V when migrate instances
       * Do not fail cell's instance deletion, if it's missing info_cache
       * Fixes Hyper-V vm state issue
       * Update block_device_info to contain swap and ephemeral disks
       * Loosen import_exceptions to cover all of gettextutils
       * Fix instance boot when Ceph is used for ephemeral storage
       * VMware: do not cache image when root_gb is 0
       * Delete image when backup operation failed on snapshot step
       * db: Add @_retry_on_deadlock to service_update()
       * Fix rootwrap for non openstack.org iqn's
       * Add Hyper-V driver in the "compute_driver" option description
       * Block sqlalchemy migrate 0.9.2 as it breaks all of nova
       * Move the error check for "brctl addif"
       * Add a retry_on_deadlock to reservations_expire
       * Add expire reservations in backport position
       * Make floatingip-ip-delete atomic with neutron
       * add repr for event objects
       * make lifecycle event logs more clear
       * Fix race condition with vif plugging in finish migrate
       * Delay STOPPED lifecycle event for Xen domains (bnc#867922)
       * Fix FloatingIP.save() passing FixedIP object to sqlalchemy
       * fix filelist
       * use %_rundir if available, otherwise /var/run
       * Fix expected error details from jsonschema
       * replace NovaException with VirtualInterfaceCreate when neutron fails
       * Fixes Hyper-V SCSI slot selection
       * libvirt: convert cpu features attribute from list to a set
       * Read deleted instances during lifecycle events
       * shelve doesn't work on nova-cells environment
       * Mask block_device_info auth_password in virt driver debug logs
       * only emit deprecation warnings once

   Security Issues:

       * CVE-2014-3708
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3708>
       * CVE-2014-3608
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3608>
       * CVE-2014-7230
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7230>
       * CVE-2014-7231
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7231>
       * CVE-2014-8750
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8750>

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 4:

      zypper in -t patch sleclo40sp3-openstack-nova-0115=10199

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Cloud 4 (x86_64) [New Version: 2014.1.4.dev49]:

      openstack-nova-2014.1.4.dev49-0.7.1
      openstack-nova-api-2014.1.4.dev49-0.7.1
      openstack-nova-cells-2014.1.4.dev49-0.7.1
      openstack-nova-cert-2014.1.4.dev49-0.7.1
      openstack-nova-compute-2014.1.4.dev49-0.7.1
      openstack-nova-conductor-2014.1.4.dev49-0.7.1
      openstack-nova-console-2014.1.4.dev49-0.7.1
      openstack-nova-consoleauth-2014.1.4.dev49-0.7.1
      openstack-nova-novncproxy-2014.1.4.dev49-0.7.1
      openstack-nova-objectstore-2014.1.4.dev49-0.7.1
      openstack-nova-scheduler-2014.1.4.dev49-0.7.1
      openstack-nova-vncproxy-2014.1.4.dev49-0.7.1
      python-nova-2014.1.4.dev49-0.7.1

   - SUSE Cloud 4 (noarch) [New Version: 2014.1.4.dev49]:

      openstack-nova-doc-2014.1.4.dev49-0.7.1

References:

   http://support.novell.com/security/cve/CVE-2014-3608.html
   http://support.novell.com/security/cve/CVE-2014-3708.html
   http://support.novell.com/security/cve/CVE-2014-7230.html
   http://support.novell.com/security/cve/CVE-2014-7231.html
   http://support.novell.com/security/cve/CVE-2014-8750.html
   https://bugzilla.suse.com/867922
   https://bugzilla.suse.com/897815
   https://bugzilla.suse.com/898371
   https://bugzilla.suse.com/899190
   https://bugzilla.suse.com/899199
   https://bugzilla.suse.com/901087
   https://bugzilla.suse.com/903013
   http://download.suse.com/patch/finder/?keywords=d140dcf28b797b3045a71f4e6cd6e0fc