SUSE-SU-2018:2536-1: moderate: Security update for grafana, kafka, logstash and monasca-installer

sle-security-updates at lists.suse.com
Tue Aug 28 07:10:23 MDT 2018


   SUSE Security Update: Security update for grafana, kafka, logstash and monasca-installer
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2536-1
Rating:             moderate
References:         #1086909 #1090192 #1090343 #1090849 #1094448 
                    #1095603 #1096985 #1102920 
Cross-References:   CVE-2018-12099 CVE-2018-1288 CVE-2018-3817
                   
Affected Products:
                    SUSE OpenStack Cloud 7
______________________________________________________________________________

   An update that solves three vulnerabilities and has 5 fixes
   is now available.

Description:

   This update for grafana, kafka, logstash and monasca-installer fixes the
   following issues:

   The following security issues have been fixed:

   grafana:

   - CVE-2018-12099: Fix Cross-Site-Scripting (XSS) vulnerabilities in
     dashboard links. (bsc#1096985)

   kafka:

   - CVE-2018-1288: Authenticated Kafka users may perform actions reserved
     for the Broker via a manually created fetch request, interfering with
     data replication and resulting in data loss. (bsc#1102920)

   logstash:

   - CVE-2018-3817: Fix potential leak of sensitive data when logging
     warnings about deprecated options. (bsc#1090849)

   Additionally, the following non-security issues have been fixed:

   monasca-installer:

   - Add complete set of elasticsearch performance tunables.
   - Update to version Build_20180427_14.04 (bsc#1090192, bsc#1090343)
   - Fix bad elasticsearch-curator configuration. (bsc#1090192)
   - Enable bootstrap.memory_lock for Elasticsearch. (bsc#1090343)

   logstash:

   - Declare Gemfile as config to prevent loss of installed plugins when
     updating.
   - Stop installing prebuilt jruby for non-x86.

   kafka:

   - Update to version 0.10.2.2 (bsc#1102920, CVE-2018-1288)
   - Add noreplace directive for /etc/kafka/server.properties.
   - Reduce package ownership of tmpfiles.d to bare minimum. (SLE12 SP2)
   - Set log rotation options. (bsc#1094448)
   - Disable jmxremote debugging. (bsc#1095603)
   - Increase open file limits. (bsc#1086909)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1771=1



Package List:

   - SUSE OpenStack Cloud 7 (x86_64):

      grafana-4.5.1-1.8.1
      kafka-0.10.2.2-5.1
      logstash-2.4.1-5.1

   - SUSE OpenStack Cloud 7 (noarch):

      monasca-installer-20180608_12.47-9.1
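
   A post-update check against the package list above, as an added example
   that is not part of the SUSE advisory: it compares installed versions with
   the fixed versions listed here. The function names, the sample inventory
   and the use of GNU "sort -V" in place of RPM's own version comparison are
   assumptions of the example.

```shell
#!/bin/sh
# Fixed versions, copied from the advisory's Package List above.
FIXED='grafana 4.5.1-1.8.1
kafka 0.10.2.2-5.1
logstash 2.4.1-5.1
monasca-installer 20180608_12.47-9.1'

# Constructed sample inventory (not from a real host): kafka predates the fix
# and monasca-installer is absent.
SAMPLE='grafana 4.5.1-1.8.1
kafka 0.10.1.1-3.2
logstash 2.4.1-5.1'

# ver_ge A B: succeed when version-release A is at least B.
# Assumption: GNU "sort -V" stands in for RPM's own comparison; it agrees for
# the plain numeric strings in this advisory but ignores epochs.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# audit: read "name version-release" lines on stdin, report each advisory
# package, and return 1 if any installed one is below its fixed version.
audit() {
    inventory=$(cat)
    rc=0
    while read -r name fixed; do
        have=$(printf '%s\n' "$inventory" |
               awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "SKIP  $name not installed"
        elif ver_ge "$have" "$fixed"; then
            echo "OK    $name $have"
        else
            echo "VULN  $name $have is older than $fixed"
            rc=1
        fi
    done <<EOF
$FIXED
EOF
    return $rc
}

# On a real host, feed it the RPM database instead of the sample:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' grafana kafka logstash monasca-installer | audit
printf '%s\n' "$SAMPLE" | audit || echo "update still required"
```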


References:

   https://www.suse.com/security/cve/CVE-2018-12099.html
   https://www.suse.com/security/cve/CVE-2018-1288.html
   https://www.suse.com/security/cve/CVE-2018-3817.html
   https://bugzilla.suse.com/1086909
   https://bugzilla.suse.com/1090192
   https://bugzilla.suse.com/1090343
   https://bugzilla.suse.com/1090849
   https://bugzilla.suse.com/1094448
   https://bugzilla.suse.com/1095603
   https://bugzilla.suse.com/1096985
   https://bugzilla.suse.com/1102920


