SUSE-SU-2019:2671-1: moderate: Security update for crowbar-core, crowbar-openstack, grafana, novnc, openstack-keystone, openstack-neutron, openstack-neutron-lbaas, openstack-nova, openstack-tempest, python-pysaml2, python-urllib3, rubygem-chef, rubygem-easy_diff, sleshammer

From: sle-security-updates
Date: Tue Oct 15 10:16:23 MDT 2019

   SUSE Security Update: Security update for crowbar-core, crowbar-openstack, grafana, novnc, openstack-keystone, openstack-neutron, openstack-neutron-lbaas, openstack-nova, openstack-tempest, python-pysaml2, python-urllib3, rubygem-chef, rubygem-easy_diff, sleshammer

Announcement ID:    SUSE-SU-2019:2671-1
Rating:             moderate
References:         #1019074 #1052286 #1106515 #1108033 #1115960 
                    #1118159 #1118900 #1120657 #1127558 #1128954 
                    #1128987 #1131053 #1131961 #1132860 #1133719 
                    #1133722 #1136784 #1143475 #1145796 #1145867 
                    #1148383 #1150895 #1152916 
Cross-References:   CVE-2016-10127 CVE-2018-15727 CVE-2018-19039
                    CVE-2018-558213 CVE-2019-15043 CVE-2019-5477
Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Enterprise Storage 4

   An update that solves 6 vulnerabilities and has 17 fixes is
   now available.


   This update for crowbar-core, crowbar-openstack, grafana, novnc,
   openstack-keystone, openstack-neutron, openstack-neutron-lbaas,
   openstack-nova, openstack-tempest, python-pysaml2, python-urllib3,
   rubygem-chef, rubygem-easy_diff, sleshammer fixes the following issues:

   In python-pysaml2 the following security issue was fixed:

   - CVE-2016-10127: Fixed an XML external entity attack. (bsc#1019074)

   crowbar-core was updated to version 4.0+git.1570463621.40b11cd48:
   * network: Don't set datapath-ids on ovs-bridges anymore (bsc#1152916)
   * barclamp_lib: Sync timeout with other barclamps (SOC-10513, SOC-10011)
   * gems: Update easy_diff to 1.0.0 (SOC-10505)
   * crowbar: Do not read /etc/crowbar.install.key in non-SUSE init script
   * Do not read /etc/crowbar.install.key
   * gather_logs: Make it a bit useful again
   * gather_logs: Do not read /etc/crowbar.install.key
   * network: Allow locking down the network config for nodes (bsc#1120657)
   * network: Check existing upper layers before bond setup (bsc#1120657)
   * network: never plug two interfaces into the same ovs bridge (bsc#1120657)
   * network: Avoid plugging the same interface into two ovs bridges
   * nic library: some helpers for identifying the base interface (bsc#1120657)
   * network: Rework the vlan port replugging code (bsc#1120657)
   * network: DRY out "kill_nic_files" (noref)
   * Add CVE-2019-5477 to the travis ignore list (SOC-9635)

   crowbar-openstack was updated to version 4.0+git.1569429513.e7016b2b6:
   * tempest: don't rely on service catalogue (SOC-10633)
   * nova: set default attribute for max_threads_per_process
   * database: Hardcode ruby version for package installation (SOC-10010)
   * neutron: restore dhcp_domain in stable/4.0 (bsc#1145867)
   * nova: add max_threads_per_process tuneable (SOC-10001, bsc#1133719)

   grafana was updated to:

   - CVE-2019-15043: Adds authentication to a few REST endpoints that could
     be used to access the Grafana snapshot APIs and cause a denial of service
     (SOC-10357 bsc#1148383). Also see

   grafana was updated to version 4.6.5:

   - CVE-2018-19039: Users with Editor or Admin permissions could exfiltrate
     files (jsc#SOC-9976 bsc#1115960)

   grafana was updated to version 4.6.4:

   - CVE-2018-15727 / CVE-2018-558213: Fixed an authentication bypass: an
     attacker could generate a valid "remember me" cookie knowing only the
     username of an LDAP or OAuth user (jsc#SOC-9980 bsc#1106515)

   Other fixes:

   * sql: added code migration type
   * release 4.6.3
   * fix default alias
   * fixes broken alert eval when first condition is using OR
   * fix: alert list panel now works correctly after adding manual annotation
     on dashboard, fixes #9951
   * fix: fix for avatar images when gzip is turned on, fixes #5952
   * sets version to 4.6.2
   * prom: add support for default step param (#9866)
   * build: fixed jshint error
   * fix: HTML escaping caused an issue in the InfluxDB query editor: could not
     pick greater than or less than operators, fixes #9871
   * heatmap: fix tooltip in "Time series bucket" mode, #9332 (#9867)
   * fix cloudwatch ec2_instance_attribute (#9718)
   * colorpicker: fix color string change #9769 (#9780)
   * changes version to 4.6.1
   * fix: panel view now wraps, no scrolling required, fixes #9746
   * plugins: fix for loading external plugins behind auth proxy, fixes #9509
   * fix: color picker bug at series overrides page, #9715 (#9738)
   * tech: switch to golang 1.9.2
   * tech: add missing include
   * save as should only delete threshold for panels with alerts
   * fix: graphite annotation tooltip included undefined, fixes #9707
   * build: updated version to v4.6.0
   * plugins: added backward compatible path for rxjs
   * ux: updated singlestat default colors
   * prometheus: fixed unsaved changes warning when changing time range, caused
     by the step option on the query model being changed in datasource.query
     code, fixes #9675
   * fix: firefox can now create region annotations, fixes #9638
   * alerting: only editors can pause rules
   * fix: another fix for playlist view state, #9639
   * fix: fixed playlist controls and view state, fixes #9639
   * prom: adds pre built grafana dashboard
   * bump version for
   * update version to 4.6.0-beta3
   * plugins: expose dashboard impression store
   * modify $__timeGroup macro so it can be used in select clause (#9527)
   * plugins: fixes path issue on Windows
   * prometheus: enable gzip for /metrics endpoint
   * fix: fixed save to file button in export modal, fixes #9586
   * mysql: add usage stats for mysql
   * pluginloader: esModule true for systemjs config
   * Fix heatmap Y axis rendering (#9580)
   * fix vector range
   * prometheus: add builtin template variable as range vectors
   * fix: fixed prometheus step issue that caused browser crash, fixes #9575
   * fix: getting started panel and mark adding data source as done, fixes
   * Fixes for annotations API (#9577)
   * bump packagecloud script
   * build: added imports of rxjs utility functions
   * prepare for v4.6.0-beta2 release
   * fix template variable expanding
   * annotations: quote reserved fields (#9550)
   * ux: align alert and btn colors
   * fix: fixed color pickers that were broken in minified builds, fixes #9549
   * textpanel: fixes #9491
   * csv: fix import for saveAs shim
   * plugins: expose more util and flot dependencies
   * alert_tab: clear test result when testing rules
   * (cloudwatch) fix cloudwatch query error over 24h (#9536)
   * show error message when cloudwatch datasource can't add
   * update packagecloud script for 4.6.0-beta1
   * changelog: adds note about closing #9516
   * alerting: add count_non_null reducer
   * Update
   * fix: can now remove annotation tags without popover closing
   * tech: add backward compatibility for <spectrum-picker> directive (#9510)
   * fix: fixed links on new 404 page, fixes #9493
   * logging: dont use cli logger in http_server
   * oauth: raise error if session state is missing
   * oauth: provide more logging for failed oauth requests
   * prepare for 4.6.0-beta1 release
   * docs: updated whats new article
   * docs: initial draft release v46
   * graph: fix y-axis decimalTick check. Fixes #9405
   * minor docs update
   * docs: annotation docs update
   * changelog: adds note about closing #7104
   * changelog: adds note about closing #9373
   * metrics: disable gzip for /metrics endpoint (#9468)
   * Annotation docs (#9506)
   * Update
   * Update
   * Update
   * Update
   * Fixed link issue in CHANGELOG
   * Create
   * changelog: adds note about closing #9371,#5334,#8812
   * ds_edit: placeholder should only be cert header
   * fixed minor styling issues (#9497)
   * fix: alert api limit param did not work and caused SQL syntax error,
     fixes #9492
   * annotations: add endpoint for writing graphite-like events (#9495)
   * Update unsaved_changes_modal.ts
   * fix: set lastSeenAt date when creating users to ten years in the past
     instead of an empty date, fixes #9260
   * ux: minor ux fix
   * Retain old name for TLS client auth
   * Return error if datasource TLS CA not parsed
   * Datasource settings: Make HTTP all caps
   * Datasource HTTP settings: Add TLS skip verify
   * Make URL capitalisation consistent in UI
   * Alias macron package in app_routes.go
   * Verify datasource TLS and split client auth and CA
   * Tidy spacing in datasource TLS settings
   * Tests: Clarify what InsecureSkipVerify does
   * postgres: add missing ngInject decorator
   * docs: initial docs for new annotation features, #9483
   * Adds note for #9209 to changelog
   * Postgres Data Source  (#9475)
   * tech: expose more to plugins, closes #9456
   * Fix NaN handling (#9469)
   * snapshots: improve snapshot listing performance, #9314 (#9477)
   * mysql: fix interpolation for numbers in temp vars
   * Added docs for Kafka alerting
   * Fixed failing go tests
   * gofmt fixes
   * Added tests
   * Kafka REST Proxy works with Grafana
   * added instructions for oauth2 okta bitbucket (#9471)
   * Unified Color picker fixes (#9466)
   * Show min interval query option for mixed datasource (#9467)
   * gzip: plugin readme content set explicitly
   * ignore pattern for vendored libs
   * fix: escape metric segment auto complete, fixes #9423
   * Corrected a PostgreSQL SELECT statement. (#9460)
   * tests: found the unhandled promise issue in the dash import tests
   * testing: fixing tests
   * annotations: minor change to default/edit annotation color
   * Create annotations (#8197)
   * OAuth: Rename sslcli
   * OAuth: Separate TLS client auth and CA config
   * OAuth: Check both TLS client cert and key
   * Always verify TLS unless explicitly told otherwise
   * fix: threshold's colors in table panels (#9445) (#9453)
   * singlestat: fix sizing bug #9337 (#9448)
   * Revert "Fix coloring in singlestat if null value (#9438)" (#9443)
   * Fix coloring in singlestat if null value (#9438)
   * fix: missing semicolon
   * changed jsontree to use jsonexplorer (#9416)
   * docs page for authproxy (#9420)
   * Update codebox (#9430)
   * Series color picker fix (#9442)
   * fix type in readme
   * removed commented line
   * changelog: adds note about closing #9110
   * Fixed typo
   * Change empty string checks and improve logging
   * changelog: adds note about closing #9208
   * Fix spelling on 404 page.
   * Lint fix
   * Update kbn.js
   * Add Norwegian Krone denominator for currency
   * fixed layout for column options, changed dropdown for date format kept
     old code
   * build: add noUnusedLocals to tsc parameters
   * build: install go based on env variable
   * changes go version to 1.9.1
   * changelog: adds note about closing #9226
   * changelog: add note about closing #9429
   * changelog: adds note about closing #9399
   * Fix formatting issue
   * Add milliseconds format in table panel's config
   * support for s3 path (#9151)
   * Remove apparently unnecessary .flush() calls.
   * Fix empty message and too-long attribute names: use default state message
     if no message is provided by the user; slice attribute name to a maximum
     of 50 chars
   * Address review comments.
   * changelog: add note about closing #7175
   * plugin_loader: expose app_events to plugins
   * Add the missing comma
   * colorpicker: refactoring the new unified colorpicker, #9347
   * Unified colorpicker (#9347)
   * fix missing column headers in excel export (#9413)
   * build: remove clean plugin from dev build
   * build: fixed broken elastic unit test
   * chore: cleanup unused stuff in common.d.ts
   * Build URL for close alert request differently
   * some restyling (#9409)
   * Docs text fixes (#9408)
   * Checkbox fixes (#9400)
   * fix: ensure panel.datasource is null as default
   * plugins: expose more to plugins
   * properly parse & pass upload image bool from config
   * break out slack upload into separate function
   * tech: minor npm scripts update
   * build: fixed build
   * refactoring: minor refactoring of PR #8916
   * Update script to make it use OpsGenie's REST API
   * docs: minor docs fix
   * Merge branch 'master' of
   * build: minor webpack fix
   * docs: updated building from source docs
   * playlist: play and edit should use same width
   * chore: fixed html indentation, #9368
   * tech: updated yarn.lock
   * chore: minor cleanup
   * Webpack (#9391)
   * fixing json for CI
   * adding support for token-based slack file.upload API call for posting
     images to slack
   * changelog: adds note about closing #8479
   * changelog: adds note about closing #8050
   * changelog: adds note about closing #9386
   * change pdiff to percent_diff for conditions
   * panel: rename label on csv export modal
   * add diff and pdiff for conditions
   * fix, add targetContainsTemplate()
   * fix cloudwatch alert bug
   * add debug log
   * move extend statistics handling code to backend
   * fix assume role
   * improve cloudwatch tsdb
   * refactor cloudwatch code
   * remove obsolete code
   * move cloudwatch credential related code
   * remove old handler
   * fix annotation query
   * fix time
   * fix dimension conversion
   * re-implement annotation query
   * fix parameter format
   * fix alert feature
   * fix parameter format
   * refactor cloudwatch to support new tsdb interface
   * refactor cloudwatch frontend code
   * refactor cloudwatch frontend code
   * fix test
   * re-implement dimension_values()
   * fix error message
   * remove performEC2DescribeInstances()
   * re-implement ec2_instance_attribute()
   * re-implement ebs_volume_ids()
   * import the change,
   * fix conflict
   * fix test
   * remove obsolete GetMetricStatistics()
   * fix test
   * move test code
   * fix conflict
   * porting other suggestion
   * re-implement get regions
   * move the metric find query code
   * (cloudwatch) move query parameter to 'parameters'
   * parse duration
   * remove offset for startTime
   * cache creds for keys/credentials auth type
   * fix test
   * fix invalid query filter
   * count up metrics
   * (cloudwatch) alerting
   * add brazil currency
   * tech: upgrade of systemjs to 0.20.x working
   * tech: reverted to systemjs
   * tech: migrating elasticsearch to typescript
   * changelog: add note about using golang 1.9
   * change go version to 1.9
   * changelog: adds note about closing #9367
   * tech: systemjs upgrade
   * made a text-panel page, maybe we don't need it
   * cleaned up html/sass and added final touches
   * Enable dualstack in every net.Dialer, fixes #9364
   * jaeger: capitalize tracer name
   * jaeger: logging improvement
   * tech: systemjs upgrade
   * Have  include intervalFactor in its calculation, so always equal to the
     step query parameter.
   * alertlist: toggle play/pause button
   * updated css and html for recent state changes for alert lists
   * Fix export_modal message (#9353)
   * s3: minor fix for PR #9223
   * internal metrics: add grafana version
   * changelog: adds note about closing 5765
   * Update latest.json
   * typescript: stricter typescript option
   * prom_docker: give targets correct job name
   * testdata: add bucket scenarios for heatmap
   * dev-docker: add grafana as target
   * changelog: add note about closing #9319
   * introduce smtp config option for EHLO identity
   * changelog: note about closing #9250
   * go fmt
   * new page for text, needs more work
   * replaced img in graph, created alert list page
   * docs: update docs
   * Update
   * changelog: adds note about closing #5873
   * replaced image
   * Docs new updates (#9324)
   * Update
   * Update latest.json
   * cleanup: removed unused file
   * tech: remove bower and moved remaining bower dependencies to npm
   * tech: cleanup and fixed build issue
   * tech: upgraded angularjs and moved dependency from bower to npm, closes
   * follow go idiom and return error as second param
   * tech: updated tsconfig
   * docker: adds alertmanager to prometheus fig
   * tech: more tslint rules
   * another img update
   * tech: removing unused variables from typescript files, and making tslint
     rules more strict
   * deleted old shortcuts instruction
   * text updates for dashlist and singlestat (+img). updated the keyboard
   * context is reserved for go's context
   * make ds a param for Query
   * remove batch abstraction
   * rename executor into tsdbqueryendpoint
   * remove unused structs
   * refactor response flow
   * tech: removed test component
   * ux: minor singlestat update
   * singlestat: minor change
   * Update
   * Singlestat time (#9298)
   * tech: progress on react poc
   * adds note about closing #9213
   * Update _navbar.scss
   * replaced images, updating text(not finished)
   * fix: close for 'Unsaved Changes' modal, #9284 (#9313)
   * Initial graphite tags support (#9239)
   * tech: initial react poc
   * Make details more clean in PD description
   * bug: enable HEAD requests again
   * Add `DbClusterIdentifier` to CloudWatch dimensions (#9297)
   * templating: fix dependent variable updating (#9306)
   * Fix adhoc filters restoration (#9303)
   * Explicitly refer to Github 'OAuth' applications
   * config bucket and region for s3 uploader
   * fixes bug introduced with prom namespaces
   * fixing spelling of millesecond -> millisecond
   * fixing spelling of millesecond -> millisecond
   * Remove duplicate bus.AddHandler() (#9289)
   * Update
   * use same key as mt
   * tag alert queries that return no_data
   * updated error page html+css, added ds_store to ignore (#9285)
   * public/app/plugins/panel/graph/specs/graph_specs.ts: relax tests to be
     "within" instead of "equal", so they won't fail on i686 (#9286)
   * Fix path to icon (#9276)
   * adds note about fix in v4.5.2
   * skip NaN values when writing to graphite
   * added mass units, #9265 (#9273)
   * Fully fill out nulls in cloudfront data source (#9268)
   * make it possible to configure sampler type
   * mark >=400 responses as error
   * change port for jaeger dev container
   * logwrapper for jaeger
   * make samplerconfig.param configurable
   * adds custom tags from settings
   * use route as span name
   * add trace headers for outgoing requests
   * docker file for running jaeger
   * better formatting for error trace
   * attach context with span to *http.Request
   * add traces for datasource reverse proxy requests
   * trace failed executions
   * use tags instead of logs
   * use opentracing ext package when possible
   * set example port to zipkin default
   * adds codahale to vendor
   * makes jaeger tracing configurable
   * add trace parameters for outgoing requests
   * adds basic traces using open traces
   * require dashboard panels to have id
   * fix: jsonData should not be allowed to be null, fixes #9258
   * packaging: reduce package size
   * Update (#9263)
   * Added --pluginUrl option to grafana-cli for local network plugin
   * adds note about closing #1395
   * add locale format
   * update changelog
   * fixes broken tests :boom:
   * minor code adjustments
   * pass context to image uploaders
   * remove unused deps
   * Reduced OAuth scope to read_write
   * GCS support via JSON API
   * gofmt fixes
   * Added GCS support #8370
   * move more known datasources from others
   * Remove alert thresholds on panel duplicate, issue #9178 (#9257)
   * 4.5.1 docs + update version to 5.0.0-pre1
   * update for 4.5.1
   * Update
   * docs: updated changelog
   * packaging: reducing package size by only including the public vendor
     stuff we need
   * docs: update download links
   * allow ssl renegotiation for datasources
   * check args for query
   * add test for completer
   * fix
   * follow token name change
   * (prometheus) support label value completion
   * (prometheus) support label name completion
   * get s3 url via aws-sdk-go, fix #9189
   * Prometheus: Rework the interaction between auto interval (computed based
     on graph resolution), min interval (where specified, per query) and
     intervalFactor (AKA resolution, where specified, per query). As a bonus,
     have  and  reflect the actual interval (not the auto interval), taking
     into account min interval and Prometheus' 11k data points limit.
   * minor fix
   * (prometheus) support instant query for table format, use checkbox to
     switch query type
   * (prometheus) instant query support
   * Add thumbnail to card
   * Add values to the hipchat card
   * Reorder editorconfig
   * Enable datasources to be able to round off to a UTC day properly
   * Include triggering metrics to pagerduty alerts

   novnc was updated to fix the following issue:

   - Add tightPNG encoding (bsc#1145796) This encoding is needed to allow
     noVNC to work with instances that run on ESX hypervisors. It is not
     possible to update the Newton package to noVNC 1.1.0 as that version is
     not supported with openstack-nova until Rocky.

   openstack-keystone was updated to fix:

   - A domain_admin should be allowed to list role assignments for the domain
     and for all projects of this domain with a domain-scoped token.

   openstack-neutron was updated to fix:

   - Add path to not update device lists in large sets. (bsc#1136784) Since
     the ssh timeout issue was resolved, start adding back the removed
     patches. Backport based on comment #1.
   - Revert OVS timeout patch as it also seems to cause CI issues.
   - Since the CI failures are mostly seen in HA jobs, let us first try to
     revert the last added HA related patches. Once we nail down the issue,
     we can add one at a time. (SOC-10092)
   - Disallow router interface out of subnet IP range (bsc#1108033)
   - Fix for dhcp serializing port delete and network rpc calls (bsc#1143475)
   - Fixed a function call error with get_reader_session. Fixed an argument
     issue with respect to Context not having a 'bein' function; we should
     have passed the session instead of the context. Also fixed another
     function argument error with respect to 'is_ha_router_port'. (bsc#1133722)
   - Divide and conquer local bridge flows beasts (bsc#1133722)
   - Choose random value for HA routes vr_id
   - Change duplicate OVS bridge datapath ids
   - Async notify neutron server for HA states
   - Divide and conquer security group beasts
   - Change default local ovs connection timeout (bsc#1136784)
   - Do not call update device list in large sets (bsc#1136784)
   - More accurate agent restart state transfer (bsc#1136784)
   - OVS agent: Always send start flag during initial sync (bsc#1136784)
   - Keep HA ports info for HA router during entire lifecycle
   - Packets getting lost during SNAT with too many connections
   - Don't restart neutron-ovs-cleanup on RPM update (bsc#1132860)
   - neutron-keepalived-state-change will check VIP before spawning ip
     monitor (bsc#1131961)
   - handle database query correctly
   - Fix the update port status issue without getting the ports to BUILD
   - OVS Raise RuntimeError in_get_dp if id is None
   - OVS Survive errors from check ovs status
   - Trigger port status DOWN on VIF replug
   - Fix dvr ha router gateway port binding to incorrect host
   - DVR HA Unbinding a HA router from agent does not clear HA interface
   - Don't trigger DVR port update if status the same
   - Add retry decorator update_segment_host_mapping (bsc#1127558)
   - Do state report after setting start flag on OVS restart

   openstack-nova was updated to fix:

   Security issue fixed:

   - CVE-2016-10127: Fixed XXE in XML Parsing (bsc#1019074)

   - Allow attaching more than 26 volumes (bsc#1118900)

   openstack-tempest was updated to fix:

   - Avoid server check teardown exception breaking tearDown (SOC-10092)

   python-urllib3 was updated to fix:

   - Add missing dependency on python-six (bsc#1150895)

   sleshammer was updated to fix:

   - Really drop etc/udev/rules.d/70-persistent-net.rules from the overlay;
     it was still present in the tarball. (SOC-9288)

   rubygem-chef was updated to fix:

   - pretty print inspect results and force encode the content (SOC-9954)

   - updated to version 1.0.0

     - Unmerge Arrays containing Hashes
     - Handle duplicate values in arrays correctly

   rubygem-easy_diff was updated to version 0.0.6:

   - Fix merging arrays of hashes

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2019-2671=1

   - SUSE Enterprise Storage 4:

      zypper in -t patch SUSE-Storage-4-2019-2671=1

Package List:

   - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):

   - SUSE OpenStack Cloud 7 (noarch):

   - SUSE OpenStack Cloud 7 (x86_64):

   - SUSE Enterprise Storage 4 (aarch64 x86_64):

   - SUSE Enterprise Storage 4 (noarch):
