SUSE-SU-2015:0018-1: Security update for openstack-neutron

sle-security-updates at lists.suse.com
Thu Jan 8 11:04:43 MST 2015


   SUSE Security Update: Security update for openstack-neutron
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0018-1
Rating:             low
References:         #890711 #896780 #897815 #899132 #905104 
Cross-References:   CVE-2014-6414 CVE-2014-7821
Affected Products:
                    SUSE Cloud 4
______________________________________________________________________________

   An update that solves two vulnerabilities and has three
   fixes is now available. It includes one version update.

Description:


   This update for openstack-neutron provides security and stability fixes:

       * Updated from global requirements
       * Stop ignoring 400 errors returned by ODL
       * Delete disassociated floating ips on external network deletion
       * Cisco: update_port should only invoke n1kv and not nexus plugin
       * Add unit tests covering single operations to ODL
       * Qpid: explicitly name subscription queue
       * Convert all incoming protocol numbers to string
       * Fix hostname regex pattern (bnc#905104, CVE-2014-7821)
       * Fix event_send for re-assign floating ip
       * Enabled Cisco ML2 driver to use new upstream ncclient
       * Allow delete_port to work when there are multiple floating ips
       * Set vif_details to reflect enable_security_group
       * Revert "Deletes floating ip related connection states"
       * Big Switch: Fix SSL version on get_server_cert
       * NSX: allow multiple networks with same vlan on different phy_net
       * Fix a recent ipv6 UT regression
       * Big Switch: Switch to TLSv1 in server manager
       * Remove unused py33 tox env
       * Increase the default poll duration for Cisco n1kv
       * Check for IPv6 file before reading
       * Big Switch: Don't clear hash before sync
       * Skip lbaas table creation if tables already exist
       * Create 'quota' table in folsom_initial
       * Forbid regular users to reset admin-only attrs to default values
         (bnc#896780, CVE-2014-6414)
       * Follow the RFC-3442-spec for DHCP (bnc#899132)
       * Allow unsharing a network used as gateway floatingip (bnc#890711)
       * Delete DHCP port without DHCP server on a net node
       * Add quotas to Cisco N1kv plugins supported extension aliases
       * Fix error adding security groups to instances with nexus
       * Provide way to reserve dhcp port during failovers
       * Enforce required config params for ODL driver
       * Update vsm credential correctly
       * Networks are not scheduled to DHCP agents for Cisco N1KV plugin
       * Add BSN plugin to agent migration script
       * Deletes floating ip related connection states
       * Add delete operations for the ODL MechanismDriver
       * Add missing ml2 plugin to migration
       * Big Switch: Check for 'id' in port before lookup
       * NSX: Optionally not enforce nat rule match length check
       * Don't spawn metadata-proxy for non-isolated nets
       * Send network name and uuid to subnet create
       * Don't allow user to set firewall rule with port and no protocol
       * Allow unsharing a network used as gateway/floatingip
       * Big Switch: Retry on 503 errors from backend
       * BSN: Allow concurrent reads to consistency DB
       * Fix metadata agent's auth info caching
       * Fixes Hyper-V agent issue on Hyper-V 2008 R2
       * Fixes Hyper-V issue due to ML2 RPC versioning
       * Verify ML2 type driver exists before calling del
       * NSX: Correct allowed_address_pair return value on create_port
       * Neutron should not use the neutronclient utils module for
         import_class
       * Pass object to policy when finding fields to strip
       * Perform policy checks only once on list responses
       * Cisco N1kv plugin to send subtype on network profile creation
       * Add support for router scheduling in Cisco N1kv Plugin
       * Remove explicit dependency on amqplib
       * Fix func job hook script permission problems
       * Big Switch: Only update hash header on success
       * Clear entries in Cisco N1KV specific tables on rollback
       * Fix no-ipv6 regression (lp#1361542)
       * Add hook scripts for the functional infra job
       * Ensure ip6tables are used only if ipv6 is enabled in kernel
       * Ignore variable column widths in ovsdb functional tests
       * VMWare: don't notify on disassociate_floatingips()
       * Avoid notifying while inside transaction opened in delete_port()
       * Cisco N1kv: Remove vmnetwork delete REST call on last port delete
       * Raise exception for network delete with subnets presents
       * Security Group rule validation for ICMP rules.

   Security Issues:

       * CVE-2014-7821
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7821>
       * CVE-2014-6414
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6414>


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Cloud 4:

      zypper in -t patch sleclo40sp3-openstack-neutron-1214-10031

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Cloud 4 (x86_64) [New Version: 2014.1.4.dev66.gb8c0c7b]:

      openstack-neutron-2014.1.4.dev66.gb8c0c7b-0.7.1
      openstack-neutron-dhcp-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      openstack-neutron-ha-tool-2014.1.4.dev66.gb8c0c7b-0.7.1
      openstack-neutron-l3-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      openstack-neutron-lbaas-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      openstack-neutron-linuxbridge-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      openstack-neutron-metadata-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      openstack-neutron-metering-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      openstack-neutron-mlnx-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      openstack-neutron-nec-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      openstack-neutron-openvswitch-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      openstack-neutron-plugin-cisco-2014.1.4.dev66.gb8c0c7b-0.7.1
      openstack-neutron-ryu-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      openstack-neutron-server-2014.1.4.dev66.gb8c0c7b-0.7.1
      openstack-neutron-vpn-agent-2014.1.4.dev66.gb8c0c7b-0.7.1
      python-neutron-2014.1.4.dev66.gb8c0c7b-0.7.1

   - SUSE Cloud 4 (noarch) [New Version: 2014.1.4.dev66.gb8c0c7b]:

      openstack-neutron-doc-2014.1.4.dev66.gb8c0c7b-0.7.1


References:

   http://support.novell.com/security/cve/CVE-2014-6414.html
   http://support.novell.com/security/cve/CVE-2014-7821.html
   https://bugzilla.suse.com/show_bug.cgi?id=890711
   https://bugzilla.suse.com/show_bug.cgi?id=896780
   https://bugzilla.suse.com/show_bug.cgi?id=897815
   https://bugzilla.suse.com/show_bug.cgi?id=899132
   https://bugzilla.suse.com/show_bug.cgi?id=905104
   http://download.suse.com/patch/finder/?keywords=6fef8cad1f09e4cf337bdbe3462f5cf2


