SUSE-SU-2019:3270-1: moderate: Security update for caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, crowbar-ui, etcd, flannel, galera-3, mariadb, mariadb-connector-c, openstack-dashboard-theme-SUSE, openstack-heat-templates, openstack-neutron, openstack-nova, openstack-quickstart, patterns-cloud, python-oslo.messaging, python-oslo.utils, python-pysaml2

sle-security-updates at lists.suse.com
Wed Dec 11 07:34:17 MST 2019


   SUSE Security Update: Security update for caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, crowbar-ui, etcd, flannel, galera-3, mariadb, mariadb-connector-c, openstack-dashboard-theme-SUSE, openstack-heat-templates, openstack-neutron, openstack-nova, openstack-quickstart, patterns-cloud, python-oslo.messaging, python-oslo.utils, python-pysaml2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:3270-1
Rating:             moderate
References:         #1075812 #1123053 #1126088 #1126428 #1129729 
                    #1132666 #1136035 #1143215 #1152916 #1155089 
                    
Cross-References:   CVE-2017-1002201 CVE-2019-2614 CVE-2019-2627
                    CVE-2019-2628
Affected Products:
                    SUSE OpenStack Cloud 7
______________________________________________________________________________

   An update that solves four vulnerabilities and has 6 fixes
   is now available.

Description:

   This update for caasp-openstack-heat-templates, crowbar-core,
   crowbar-openstack, crowbar-ui, etcd, flannel, galera-3, mariadb,
   mariadb-connector-c, openstack-dashboard-theme-SUSE,
   openstack-heat-templates, openstack-neutron, openstack-nova,
   openstack-quickstart, patterns-cloud, python-oslo.messaging,
   python-oslo.utils, python-pysaml2 fixes the following issues:

   Security fix for mariadb:

   - MariaDB was updated to version 10.2.25 (bsc#1136035)
   - CVE-2019-2628: Fixed a remote denial of service by a privileged
     attacker (bsc#1136035).
   - CVE-2019-2627: Fixed another remote denial of service by a privileged
     attacker (bsc#1136035).
   - CVE-2019-2614: Fixed a potential remote denial of service by a
     privileged attacker (bsc#1136035).

   - adjust mysql-systemd-helper ("shutdown protected MySQL" section) so it
     checks both the ping response and the pid in the process list, as it can
     take some time until the process is terminated. Otherwise it can lead to
     a "found left-over process" situation when the regular mariadb is started
     [bsc#1143215]
   - update suse_skipped_tests.list

   - remove client_ed25519.so plugin because it's shipped in
     mariadb-connector-c package (libmariadb_plugins)
   - update suse_skipped_tests.list

   - update to 10.2.25 GA
     * Fixes for the following security vulnerabilities:
       * 10.2.23: none
       * 10.2.24: CVE-2019-2628, CVE-2019-2627, CVE-2019-2614
       * 10.2.25: none
     * release notes and changelog:
       https://mariadb.com/kb/en/library/mariadb-10223-release-notes
       https://mariadb.com/kb/en/library/mariadb-10223-changelog
       https://mariadb.com/kb/en/library/mariadb-10224-release-notes
       https://mariadb.com/kb/en/library/mariadb-10224-changelog
       https://mariadb.com/kb/en/library/mariadb-10225-release-notes
       https://mariadb.com/kb/en/library/mariadb-10225-changelog
   - remove mariadb-10.2.22-fix_path.patch that was applied upstream in
     mariadb 10.2.23
   - remove caching_sha2_password.so because it's shipped in
     mariadb-connector-c package (libmariadb_plugins)
   - remove xtrabackup scripts as they were replaced by mariabackup (we already
     removed the xtrabackup requires in the first phase)
   - fix reading options for multiple instances if my${INSTANCE}.cnf is used.
     Also remove "umask 077" from mysql-systemd-helper, which caused new
     datadirs to be created with wrong permissions. Set correct permissions for
     files created by us (mysql_upgrade_info, .run-mysql_upgrade)
     [bsc#1132666]
   - fix build comment to not refer to openSUSE
   - tracker bug [bsc#1136035]


   - Update to version 1.0+git.1560518045.ad7dc6d:
     * Patching node before bootstrapping

   - Update to version 4.0+git.1573109906.0f62e9503:
     * Ignore CVE-2017-1002201 in CI builds (bsc#1155089)

   - Update to version 4.0+git.1573038068.1e32b3205:
     * Make sure the input file with ssh key exists (SOC-10133)
     * mysql: fix WSREP sync race (SOC-10717)
     * mysql: stop service for mysql_install_db (SOC-10717)

   - Update to version 4.0+git.1571404877.8edf9dd5c:
     * Do not use obsoleted --endpoint-type option with CLI
     * [4.0] Configurable timeout for Galera pre-sync

   - Switch to stable/7-8 branch

   - Update to 25.3.25:
     * A new Galera configuration parameter cert.optimistic_pa was added. If
       the parameter value is set to true, full parallelization in applying
       write sets is allowed as determined by the certification algorithm. If
       set to false, no more parallelism is allowed in applying than seen on
       the master.
     * Support for ECDH OpenSSL engines on CentOS 6 (galera#520)
     * Fixed compilation on Debian testing and unstable (galera#516,
       galera#528)

   - Add unescape_IPv6_bind_ip.patch
     * https://github.com/dciabrin/galera-1/commit/0f6f8aeeb09809280c956514cfd5844b8acad4f9

   - remove galera-3-25.3.23-scons_fixes.patch (merged upstream)
   - update to 25.3.24:
     * Support for a new certification key type was added to allow more
       relaxed certification rules for foreign key references (galera#491).
     * New status variables were added to display the number of open
       transactions and referenced client connections inside the Galera
       provider (galera#492).
     * GCache was sometimes cleared unnecessarily on startup if the recovered
       state had a smaller sequence number than the highest found in GCache.
       Now only entries with a sequence number higher than the recovery point
       will be cleared (galera#498).
     * Non-primary configuration is saved into grastate.dat only if the node
       is in closing state (galera#499).
     * An exception from GComm was not always handled properly, resulting in
       Galera remaining in a half-closed state. This was fixed by propagating
       the error condition appropriately to upper layers (galera#500).
     * A new status variable displaying the total weight of the cluster nodes
       was added (galera#501).
     * The value of pc.weight did not reflect the actual effective value
       after setting it via wsrep_provider_options. This was fixed by making
       sure that the new value is taken into use before returning control
       to the caller (galera#505, MDEV-11959).
     * Use of ECDH algorithms with old OpenSSL versions was enabled
       (galera#511).
     * Default port value is now used by garbd if the port is not explicitly
       given in cluster address (MDEV-15531).
     * Correct error handling for posix_fallocate().
     * Failed causal reads are retried during configuration changes.

   - New upstream version 3.1.2 [bsc#1136035]
     * CONC-383: client plugins can't be loaded due to missing prefix
     * Fixed version setting in GnuTLS by moving "NORMAL" at the end
       of priority string
     * CONC-386: Added support for pem files which contain certificate and
       private key.
     * Replication/Binlog API: The main mechanism used in replication is the
       binary log.
     * CONC-395: Dashes and underscores are not interchangeable in
       options in my.cnf
     * CONC-384: Incorrect packet when a connection attribute name or value
       is equal to or greater than 251
     * CONC-388: field->def_length is always set to 0
     * Getter should get and the setter should set
       CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS
     * Disable LOAD DATA LOCAL INFILE support by default and auto-enable it
       for the duration of one query, if the query string starts with the
       word "load". In all other cases the application should enable LOAD
       DATA LOCAL INFILE support explicitly.
     * Changed return code for mysql_optionv/mysql_get_optionv to 1 (was -1)
       and added CR_NOT_IMPLEMENTED error message if an option is unknown
       or not supported.
     * mingw fix: use lowercase names for include files
     * CONC-375: Fixed handshake errors when mixing TLSv1.3 cipher suites
       with cipher suites from other TLS protocols
     * CONC-312: Added new caching_sha2_password authentication plugin for
       authentication with MySQL 8.0
   - refresh mariadb-connector-c-2.3.1_unresolved_symbols.patch and
     private_library.patch
   - pack caching_sha2_password.so and client_ed25519.so
   - move libmariadb.pc from /usr/lib/pkgconfig to /usr/lib64/pkgconfig for
     x86_64 [bsc#1126088]

   - Switch to new GitHub repo

   - Add trigger for openstack-horizon-plugin-murano-ui
   - Update to version 0.0.0+git.1515995585.81ed236:
     * Migrate templates job to Zuul v3

   - add 0001-set_db_attribute-differs-between-vsctl-and-native.patch
     (bsc#1152916) part of lp#1630920

   - add copytruncate to openstack-neutron.logrotate (bsc#1126428)

   - Add 0001-When-converting-sg-rules-to-iptables-do-not-emit-dpo.patch
     (bsc#1129729)

   - Add back the HA related patches that we removed to debug (SOC-10092):
     * Add 0001-Keep-HA-ports-info-for-HA-router-during-entire-lifecycle.patch
       backported from https://review.opendev.org/#/c/659644/1
     * Add 0001-Async-notify-neutron-server-for-HA-states.patch backported
       from https://review.opendev.org/#/c/658507/1
     * Add 0001-Change-duplicate-OVS-bridge-datapath-ids.patch backported from
       https://review.opendev.org/#/c/649192/3
     * Add 0001-Choose-random-value-for-HA-routes-vr_id.patch backported from
       https://review.opendev.org/#/c/651988/2

   - add copytruncate to openstack-nova.logrotate (bsc#1126428)

   - Update to version 2016.2+git.1492839294.d76879d:
     * Setup monasca-agent

   - Update to version 2016.2+git.1492611783.2908851:
     * Adding support for monasca

   - Update to version 2016.2+git.1490964440.09a9673:
     * Move aliases inside Keystone vhost configuration

   - Update to version 2016.2+git.1486720712.bea5be9:
     * Use qemu instead of lxc as virt_type fallback
     * Check for net/subnet/router existence before creating it
     * Use get_or_*() functions for Heat

   - skip magnum service image for non-x86_64

   - add 0001-Suppress-excessive-debug-logs-when-consume-rabbit (bsc#1123053)
   - Add adjust-to-setuptools-8-plus.patch (SOC-10947): this patch fixes the
     oslo.utils breakage caused by the more recent python-setuptools version
     introduced by bsc#1075812.

   - Revert change on using license macro from previous commit.


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2019-3270=1



Package List:

   - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):

      crowbar-core-4.0+git.1573109906.0f62e9503-9.57.2
      crowbar-core-branding-upstream-4.0+git.1573109906.0f62e9503-9.57.2
      galera-3-wsrep-provider-25.3.25-11.1
      galera-3-wsrep-provider-debuginfo-25.3.25-11.1
      mariadb-10.2.25-13.1
      mariadb-client-10.2.25-13.1
      mariadb-client-debuginfo-10.2.25-13.1
      mariadb-debuginfo-10.2.25-13.1
      mariadb-debugsource-10.2.25-13.1
      mariadb-tools-10.2.25-13.1
      mariadb-tools-debuginfo-10.2.25-13.1
      patterns-cloud-admin-20170124-4.6.1
      patterns-cloud-compute-20170124-4.6.1
      patterns-cloud-controller-20170124-4.6.1
      patterns-cloud-network-20170124-4.6.1
      patterns-cloud-user-20170124-4.6.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      libmariadb3-3.1.2-1.9.1

   - SUSE OpenStack Cloud 7 (noarch):

      caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-1.9.1
      crowbar-openstack-4.0+git.1573038068.1e32b3205-9.62.2
      crowbar-ui-1.1.0+git.1547500033.d0fb2bf2-4.12.1
      mariadb-errormessages-10.2.25-13.1
      openstack-dashboard-theme-SUSE-2016.2-5.9.2
      openstack-heat-templates-0.0.0+git.1515995585.81ed236-12.1
      openstack-neutron-9.4.2~dev21-7.35.3
      openstack-neutron-dhcp-agent-9.4.2~dev21-7.35.3
      openstack-neutron-doc-9.4.2~dev21-7.35.1
      openstack-neutron-ha-tool-9.4.2~dev21-7.35.3
      openstack-neutron-l3-agent-9.4.2~dev21-7.35.3
      openstack-neutron-linuxbridge-agent-9.4.2~dev21-7.35.3
      openstack-neutron-macvtap-agent-9.4.2~dev21-7.35.3
      openstack-neutron-metadata-agent-9.4.2~dev21-7.35.3
      openstack-neutron-metering-agent-9.4.2~dev21-7.35.3
      openstack-neutron-openvswitch-agent-9.4.2~dev21-7.35.3
      openstack-neutron-server-9.4.2~dev21-7.35.3
      openstack-nova-14.0.11~dev13-4.37.3
      openstack-nova-api-14.0.11~dev13-4.37.3
      openstack-nova-cells-14.0.11~dev13-4.37.3
      openstack-nova-cert-14.0.11~dev13-4.37.3
      openstack-nova-compute-14.0.11~dev13-4.37.3
      openstack-nova-conductor-14.0.11~dev13-4.37.3
      openstack-nova-console-14.0.11~dev13-4.37.3
      openstack-nova-consoleauth-14.0.11~dev13-4.37.3
      openstack-nova-doc-14.0.11~dev13-4.37.2
      openstack-nova-novncproxy-14.0.11~dev13-4.37.3
      openstack-nova-placement-api-14.0.11~dev13-4.37.3
      openstack-nova-scheduler-14.0.11~dev13-4.37.3
      openstack-nova-serialproxy-14.0.11~dev13-4.37.3
      openstack-nova-vncproxy-14.0.11~dev13-4.37.3
      python-neutron-9.4.2~dev21-7.35.3
      python-nova-14.0.11~dev13-4.37.3
      python-oslo.messaging-5.10.2-3.12.1
      python-oslo.utils-3.16.1-3.6.1
      python-pysaml2-4.0.2-3.14.1

   - SUSE OpenStack Cloud 7 (x86_64):

      mariadb-galera-10.2.25-13.1
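   Confirming that a host actually carries the fixed builds listed above means
   comparing the installed version-release with RPM's segment-wise ordering,
   not plain string comparison; the "~dev21" in the openstack-neutron versions
   is a case where naive comparison gets the answer wrong. The following is an
   added example, not SUSE tooling: it implements rpm's comparison rules in
   Python and checks an installed version-release against the fixed values
   copied from this Package List (the two FIXED entries are taken from the
   advisory; installed values are supplied by the caller).

```python
"""Check installed RPM version-release strings against SUSE-SU-2019:3270-1.
Added example, not SUSE tooling; '^' separators are not handled (unused here)."""
import re

# Fixed "version-release" values copied from the advisory's Package List.
FIXED = {
    "mariadb": "10.2.25-13.1",
    "openstack-neutron": "9.4.2~dev21-7.35.3",
}

def rpmvercmp(a, b):
    """Return -1, 0 or 1 following rpm's rpmvercmp() segment rules."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators other than '~' are skipped; only segments are compared.
        while i < len(a) and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] != "~":
            j += 1
        ta, tb = a[i:i + 1] == "~", b[j:j + 1] == "~"
        if ta or tb:  # '~' sorts before anything, even the end of the string
            if ta != tb:
                return 1 if tb else -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pat = r"\d+" if isnum else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        sa, sb = ma.group(0), mb.group(0) if mb else ""
        if not sb:  # mismatched segment types: numeric is always newer
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits wins, without int overflow
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = i + len(ma.group(0)), j + len(mb.group(0))
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever has segments left over wins

def is_fixed(name, installed_vr):
    """True if the installed 'version-release' is at least the fixed one."""
    iv, ir = installed_vr.rsplit("-", 1)
    fv, fr = FIXED[name].rsplit("-", 1)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0
```

   The installed string for a package can be obtained with
   `rpm -q --qf '%{VERSION}-%{RELEASE}\n' mariadb` and passed to is_fixed().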


References:

   https://www.suse.com/security/cve/CVE-2017-1002201.html
   https://www.suse.com/security/cve/CVE-2019-2614.html
   https://www.suse.com/security/cve/CVE-2019-2627.html
   https://www.suse.com/security/cve/CVE-2019-2628.html
   https://bugzilla.suse.com/1075812
   https://bugzilla.suse.com/1123053
   https://bugzilla.suse.com/1126088
   https://bugzilla.suse.com/1126428
   https://bugzilla.suse.com/1129729
   https://bugzilla.suse.com/1132666
   https://bugzilla.suse.com/1136035
   https://bugzilla.suse.com/1143215
   https://bugzilla.suse.com/1152916
   https://bugzilla.suse.com/1155089


