SUSE-SU-2015:1515-1: Security update for openstack and python-oslo.utils

Wed Sep 9 03:10:41 MDT 2015

   SUSE Security Update: Security update for openstack and python-oslo.utils
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1515-1
Rating:             low
References:         #918784 #920573 #926596 #928718 #930574 #931204 
                    #935892 
Affected Products:
                    SUSE OpenStack Cloud 5
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update provides the following fixes provided from the upstream
   OpenStack-project:

   - openstack-suse:
     + do not copy upstream python requirements to the package, we rely on
       Requires; upstream requirements.txt introduce version caps which we do
       not follow (bnc#920573)

   - openstack-sahara:
     + Fix getting heat stack in Sahara
     + Fixed scaling with new node group with auto sg
     + Open all ports for private network for auto SG
     + Fix for getting auth url for hadoop-swift
     + Fixed auto security group cleanup in case of creation error
     + Add list of open ports for Cloudera plugin
     + Add missed files for migrations in MANIFEST.in
     + Include launch_command.py in MANIFEST.in
     + Fix requires

   - openstack-keystone:
     + Updated hybrid backend to include fix for bsc#935892
     + Deal with PEP-0476 certificate chaining checking
     + Backport fixes for v3 API sample policy file (lp#1381809 and
       lp#1392155).
     + Install v3 sample policy into the doc directory
     + Update hybrid backend to include latest fixes for v3 protocol
       (bsc#928718)
     + backend_argument should be marked secret
     + Work with pymongo 3.0
     + Speed up memcache lock
     + Fix up _ldap_res_to_model for ldap identity backend
     + Don't try to convert LDAP attributes to boolean
     + Fix the wrong update logic of catalog kvs driver
     + Do parameter check before updating endpoint_group
     + Correct initialization order for logging to use eventlet locks
     + Fix the syntax issue on creating table `endpoint_group`

   - openstack-heat:
     + Add env storing for loaded environments
     + Fix block_device_mapping property validation when using get_attr
     + Add default_client_name in Nova::FloatingIPAssoc
     + Fix cloud-init Python syntax for Python < 2.6
     + Allow lists and strings for Json parameters via provider resources
     + RandomString physical_resource_id as id not the string
     + Authenticate the domain user with id instead of username
     + Tell stevedore not to force verify requirements
     + Use properties.data when testing for "provided by the user"
     + Ship /usr/lib/heat directory in openstack-heat-engine subpackage,
       since that's where plugin are loaded from.
     + Create openstack-heat-plugin-heat_docker subpackage to ship the
       heat_docker plugin.
     + Fix update on failed stack
     + Enable https for keystone while creating stack user
     + Change the engine-listener topic
     + Just to delete the stack when adopt rollback
     + Release stack lock when successfully acquire
     + Add dependency on Router External Gateway property
     + Use only FIP dependencies from graph
     + Add dependency hidden on router_interface
     + Update heat.conf.sample
     + Upgrade requirements for kombu and greenlet to Juno versions
       (bnc#920573)
     + Stop patching oslo.messaging private bits

   - openstack-glance:
     + Eventlet green threads not released back to pool
     + Replace assert statements with proper control-flow
     + Fix intermittent unit test failures
     + Initiate deletion of image files if the import was interrupted to
       prevent denial of service (bnc#918784, CVE-2014-9684)

   - openstack-cinder:
     + Remove nonexistent LIO terminate_connection call
     + Disallow backing files when uploading volumes to image
     + LVM: Pass volume size in MiB to copy_volume() during volume migration
     + Remove iscsi_helper calls from base iscsi driver
     + Fix exceptions logging in iSCSI targets
     + Delete the temporary volume if migration fails
     + Get the 'consumer' in a correct way for retyping with qos-specs
     + Fix re-export of iscsi volume when using lioadm
     + Revert "Add support for customized cluster name"
     + Failed to discovery when iscsi multipath and CHAP both enabled
     + Add support for customized cluster name
     + Only use operational LIFs for iscsi target details
     + Clear migration_status from a destination volume if migration fails
     + Deal with PEP-0476 certificate chaining checking

   - openstack-ceilometer:
     + Ensure unique list of consumers created
     + Add bandwidth to measurements
     + Rely on VM UUID to fetch metrics in libvirt
     + Retry to connect database when DB2 or mongodb is restarted
     + Use alarm's evaluation periods in sufficient test
     + [MongoDB] Fix bug with reconnection to new master node
     + Fix the value of query_spec.maxSample to advoid to be zero
     + Fix issue when ceilometer-expirer is called from the wrong user via
       cronjob and the resulting logs end up having wrong ownership. See also
       bsc#930574
     + Metering data ttl sql backend breaks resource metadata
     + Stop mocking os.path in test_setup_events_default_config
     + Move the cron job to collector package (bnc#926596)
     + Catch exception when evaluate single alarm

   - python-oslo.utils:
     + Update to version 1.4.0
       * Add a stopwatch + split for duration(s)
       * Allow providing a logger to save_and_reraise_exception
       * Utility API to generate EUI-64 IPv6 address
       * Add a eventlet utils helper module
       * Add microsecond support to iso8601_from_timestamp
       * Update Oslo imports to remove namespace package
       * Add TimeFixture
       * Add microsecond support to timeutils.utcnow_ts()

   - python-oslo.i18n:
     + Update to version 1.3.1
       * Remove deprecation warning (bnc#931204)
       * Correct the translation domain for loading messages
       * Workflow documentation is now in infra-manual
       * Imported Translations from Transifex
       * Activate pep8 check that _ is imported
       * Make clear in docs to use _LE() when using LOG.exception()
       * Support building wheels (PEP-427)

   - python-six:
     + Update to version 1.9.0
       * Support the `flush` parameter to `six.print_`.
       * Add the `python_2_unicode_compatible` decorator.
       * Ensure `six.wraps` respects the *updated* and *assigned* arguments.
       * Fix `six.moves` race condition in multi-threaded code.
       * Add `six.view(keys|values|itmes)`, which provide dictionary views on
         Python 2.7+.
       * Fix add_metaclass when the class has __slots__ containing
         "__weakref__" or "__dict__".
       * Always accept *updated* and *assigned* arguments for wraps().
       * Fix import six on Python 3.4 with a custom loader.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 5:

      zypper in -t patch sleclo50sp3-openstack-201507-12074=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE OpenStack Cloud 5 (x86_64):

      openstack-ceilometer-2014.2.4.dev18-9.7
      openstack-ceilometer-agent-central-2014.2.4.dev18-9.7
      openstack-ceilometer-agent-compute-2014.2.4.dev18-9.7
      openstack-ceilometer-agent-ipmi-2014.2.4.dev18-9.7
      openstack-ceilometer-agent-notification-2014.2.4.dev18-9.7
      openstack-ceilometer-alarm-evaluator-2014.2.4.dev18-9.7
      openstack-ceilometer-alarm-notifier-2014.2.4.dev18-9.7
      openstack-ceilometer-api-2014.2.4.dev18-9.7
      openstack-ceilometer-collector-2014.2.4.dev18-9.7
      openstack-cinder-2014.2.4.dev19-9.7
      openstack-cinder-api-2014.2.4.dev19-9.7
      openstack-cinder-backup-2014.2.4.dev19-9.7
      openstack-cinder-scheduler-2014.2.4.dev19-9.7
      openstack-cinder-volume-2014.2.4.dev19-9.7
      openstack-glance-2014.2.4.dev5-9.5
      openstack-heat-2014.2.4.dev13-9.6
      openstack-heat-api-2014.2.4.dev13-9.6
      openstack-heat-api-cfn-2014.2.4.dev13-9.6
      openstack-heat-api-cloudwatch-2014.2.4.dev13-9.6
      openstack-heat-engine-2014.2.4.dev13-9.6
      openstack-keystone-2014.2.4.dev5-11.8
      openstack-sahara-2014.2.4.dev3-9.5
      openstack-sahara-api-2014.2.4.dev3-9.5
      openstack-sahara-engine-2014.2.4.dev3-9.5
      python-ceilometer-2014.2.4.dev18-9.7
      python-cinder-2014.2.4.dev19-9.7
      python-glance-2014.2.4.dev5-9.5
      python-heat-2014.2.4.dev13-9.6
      python-keystone-2014.2.4.dev5-11.8
      python-oslo.i18n-1.3.1-9.6
      python-oslo.utils-1.4.0-14.2
      python-oslotest-1.2.0-2.5
      python-sahara-2014.2.4.dev3-9.5
      python-six-1.9.0-9.2

   - SUSE OpenStack Cloud 5 (noarch):

      openstack-ceilometer-doc-2014.2.4.dev18-9.11
      openstack-cinder-doc-2014.2.4.dev19-9.12
      openstack-glance-doc-2014.2.4.dev5-9.7
      openstack-heat-doc-2014.2.4.dev13-9.8
      openstack-keystone-doc-2014.2.4.dev5-11.12
      openstack-sahara-doc-2014.2.4.dev3-9.5
      openstack-suse-sudo-2014.2-9.2

References:

   https://bugzilla.suse.com/918784
   https://bugzilla.suse.com/920573
   https://bugzilla.suse.com/926596
   https://bugzilla.suse.com/928718
   https://bugzilla.suse.com/930574
   https://bugzilla.suse.com/931204
   https://bugzilla.suse.com/935892