SUSE-SU-2020:1190-1: moderate: Security update for ardana-ansible, ardana-barbican, ardana-cluster, ardana-db, ardana-designate, ardana-input-model, ardana-logging, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha, crowbar-openstack, memcached, openstack-ceilometer, openstack-cinder, openstack-designate, openstack-heat, openstack-ironic, openstack-ironic-image, openstack-manila, openstack-neutron, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, python-cinderclient, python-glanceclient, python-ironic-lib, python-ironicclient, python-keystonemiddleware, python-manila-tempest-plugin, python-novaclient, python-octaviaclient, python-openstackclient, python-os-brick, python-oslo.config, python-oslo.rootwrap, python-oslo.utils, python-swiftclient, python-watcherclient, release-notes-suse-openstack-cloud, rubygem-crowbar-client, rubygem-puma, zookeeper

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Tue May 5 10:32:42 MDT 2020


   SUSE Security Update: Security update for ardana-ansible, ardana-barbican, ardana-cluster, ardana-db, ardana-designate, ardana-input-model, ardana-logging, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha, crowbar-openstack, memcached, openstack-ceilometer, openstack-cinder, openstack-designate, openstack-heat, openstack-ironic, openstack-ironic-image, openstack-manila, openstack-neutron, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, python-cinderclient, python-glanceclient, python-ironic-lib, python-ironicclient, python-keystonemiddleware, python-manila-tempest-plugin, python-novaclient, python-octaviaclient, python-openstackclient, python-os-brick, python-oslo.config, python-oslo.rootwrap, python-oslo.utils, python-swiftclient, python-watcherclient, release-notes-suse-openstack-cloud, rubygem-crowbar-client, rubygem-puma, zookeeper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1190-1
Rating:             moderate
References:         #1084739 #1124708 #1133817 #1135773 #1137622 
                    #1149110 #1149535 #1163444 #1164838 #1165402 
                    #1165723 #1166290 #1168512 #1168593 #1169770 
                    
Cross-References:   CVE-2019-0201 CVE-2019-11596 CVE-2019-15026
                    CVE-2020-5247 CVE-2020-9543
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has 10 fixes is
   now available.

Description:

   This update for ardana-ansible, ardana-barbican, ardana-cluster,
   ardana-db, ardana-designate, ardana-input-model, ardana-logging,
   ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia,
   ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha,
   crowbar-openstack, memcached, openstack-ceilometer, openstack-cinder,
   openstack-designate, openstack-heat, openstack-ironic,
   openstack-ironic-image, openstack-manila, openstack-neutron,
   openstack-nova, openstack-octavia, openstack-octavia-amphora-image,
   python-cinderclient, python-glanceclient, python-ironic-lib,
   python-ironicclient, python-keystonemiddleware,
   python-manila-tempest-plugin, python-novaclient, python-octaviaclient,
   python-openstackclient, python-os-brick, python-oslo.config,
   python-oslo.rootwrap, python-oslo.utils, python-swiftclient,
   python-watcherclient, release-notes-suse-openstack-cloud,
   rubygem-crowbar-client, rubygem-puma, zookeeper contains the following
   fixes:

   Security fixes for memcached:
   - CVE-2019-15026: Fixed a stack-based buffer over-read in conn_to_str()
     (bsc#1149110).
   - CVE-2019-11596: Fixed a denial of service when parsing crafted lru
     command messages in process_lru_comma() (bsc#1133817).

   Security fixes for zookeeper:
   - CVE-2019-0201: Fixed a information disclosure vulnerability related to
     getACL() (bsc#1135773).

   Changes in rubygem-crowbar-client:
   - Update to 3.9.2
     - Enable SES commands in Cloud8 (SOC-11122)

   Changes in rubygem-puma:
   - Add CVE-2020-5247.patch (bsc#1165402) "Fixes a problem where we were not
     splitting newlines in headers according to Rack spec" The patch is
     reduced compared to the upstream version, which was patching also the
     parts that are not implemented in our old Puma version. This applies to
     unit test as well.

   Changes in ardana-ansible:
   - Update to version 9.0+git.1587034359.a12678b:
     * Include SLE 12 SP3 LTSS repos in list of managed repos (SOC-11223)

   - Update to version 9.0+git.1586793433.f7bbf1b:
     * Ensure rabbitmq-server not running during dist-upgrade (SOC-11083)

   - Update to version 9.0+git.1586521995.f709c73:
     * Upgrade packages before _osconfig-upgrade.yml (SOC-11149)

   - Update to version 9.0+git.1584135277.f4d488a:
     * Serialise the _ardana-update-base.yml zypper actions (SOC-11083)

   - Update to version 9.0+git.1583518616.d4eb33f:
     * Upgrade pre-checks in Cloud 8 and Cloud 9 (SOC-10300)

   Changes in ardana-barbican:
   - Update to version 9.0+git.1583953599.cd723bb:
     * monitor ardana-node-cert (SOC-10873)

   Changes in ardana-cluster:
   - Update to version 9.0+git.1585653734.c1fe3b2:
     * Use bool filter to ensure valid boolean evaluation (SOC-11192)

   Changes in ardana-db:
   - Update to version 9.0+git.1586543314.6b6aa20:
     * Improve boostrap error handling (SOC-11207)

   - Update to version 9.0+git.1583946648.0892bab:
     * monitor MySQL TLS certificate (SOC-10873)

   - Update to version 9.0+git.1583527362.d9e9436:
     * fix mysql output and root password update (SOC-11152)

   Changes in ardana-designate:
   - Update to version 9.0+git.1583445435.4bd1793:
     * Designate zone/pool to worker/producer migration (SOC-10095)

   Changes in ardana-input-model:
   - Update to version 9.0+git.1584632190.9541c56:
     * add port neutron security extension to CI models (SOC-11027)

   Changes in ardana-logging:
   - Update to version 9.0+git.1585929695.f35b591:
     * Fix YAMLLoadWarning: calling yaml.load() without Loader (bsc#1168593)

   Changes in ardana-monasca:
   - Update to version 9.0+git.1586769889.d43d736:
     * Retry systemctl status for auto-restarting services (SOC-11210)

   - Update to version 9.0+git.1583359379.b92a013:
     * Add certificate file check alarm (SOC-10873)

   Changes in ardana-mq:
   - Update to version 9.0+git.1586350749.a463fd2:
     * Actually fail if sync HA queues retries exceeded (SOC-11083)

   - Update to version 9.0+git.1583428243.c1a72a8:
     * monitor RabbitMQ TLS certificate (SOC-10873)

   Changes in ardana-neutron:
   - Update to version 9.0+git.1587667603.507fb50:
     * Add network.target "After" option (bsc#1169770)

   - Update to version 9.0+git.1584635234.e7e6b08:
     * Add symlink for neutron-fwaas.json.j2 (bsc#1166290)

   Changes in ardana-octavia:
   - Update to version 9.0+git.1587486004.8e99c6b:
     * Perform Neutron to Octavia migrate (SOC-11207)

   - Update to version 9.0+git.1584737314.873b84c:
     * Reconfigure monitor if needed (SOC-10873)

   - Update to version 9.0+git.1584682274.4693189:
     * fix Octavia client cert redeploy (SOC-10873)

   - Update to version 9.0+git.1584392355.7368ea3:
     * monitor Octavia client certificate (SOC-10873)

   Changes in ardana-osconfig:
   - Update to version 9.0+git.1586546715.dbd07ab:
     * Ensure ovs_user and ovs_group defined (SOC-11149)

   Changes in ardana-tempest:
   - Update to version 9.0+git.1587398456.b31cc4a:
     * Revert: Remove blacklisted octavia test(SOC-11027)

   - Update to version 9.0+git.1586901636.089de51:
     * Manila: Skip additional manila tests due to Ardana policy (SOC-11211)

   - Update to version 9.0+git.1586875796.43d9039:
     * Remove blacklisted octavia test(SOC-11027)

   - Update to version 9.0+git.1586350084.01a56ee:
     * Manila: Skip ShareNetworksTest due to Ardana policy (SOC-11211)

   - Update to version 9.0+git.1585746746.8f38be7:
     * Remove deprecated neutron extension from tempest (bsc#1124708)

   - Update to version 9.0+git.1582537125.359622b:
     * Enable port-security feature in tempest(SOC-11027)

   Changes in ardana-tls:
   - Update to version 9.0+git.1586301209.c9413b4:
     * Simplify VNC cert deployment (SOC-9742)

   Changes in crowbar-core:
   - Update to version 6.0+git.1587558898.313bb9fd3:
     * upgrade: Restart nova services at the end of disruptive upgrade
       (SOC-11202)

   - Update to version 6.0+git.1586175344.480d46e76:
     * Revert: Add lb-mgmt-net to network.json (SOC-10904)

   - Update to version 6.0+git.1585339930.336361e4c:
     * Add lb-mgmt-net to network.json (SOC-10904)

   - Update to version 6.0+git.1585229942.1ddd6e742:
     * upgrade: Point to config dir instead of config file (SOC-11171)
     * upgrade: Do not call neutron-evacuate-lbaasv2-agent with use_crm
       (SOC-11171)

   - Update to version 6.0+git.1584974229.c5a263be6:
     * Update the default value of OS version (trivial)
     * Ignore CVE-2020-5267 in CI (bsc#1167240)
     * Ignore CVE-2020-10663 in CI (bsc#1167244)
     * upgrade: Remove the assignement of crowbar-upgrade role (SOC-11166)

   - Update to version 6.0+git.1584564132.03cfcb5d0:
     * Remove comment that's no longer relevant (trivial)
     * Move role_to_proposal method from model to controller (trivial)
     * upgrade: proper check for remote elements (trivial)
     * Remove FIXME proposals that won't be fixed (trivial)
     * Drop unused suggestion (trivial)
     * Drop obsolete code (trivial)

   - Update to version 6.0+git.1583841628.7a9cacf85:
     * Ignore CVE-2020-8130 in CI (bsc#1164804)
     * Ignore CVE-2020-5247 (bsc#1165402)
     * Ignore CVE-2020-7595 in CI (bsc#1161517)
     * ses: Make SES UI safe for unknown options (trivial)
     * ses: Use cinder user for nova (SOC-5269)

   - Update to version 6.0+git.1583502199.abec5c91e:
     * upgrade: Raise the timeout for nodes evacuation (trivial)

   Changes in crowbar-ha:
   - Update to version 6.0+git.1586256059.e6f67e1:
     * Hide libvirt STONITH option from the UI (bsc#1084739)

   - Update to version 6.0+git.1585316150.ee52acc:
     * add ssl termination on haproxy (bsc#1149535)

   Changes in crowbar-openstack:
   - Update to version 6.0+git.1587753188.da39e44a7:
     * tempest: retry openstack commands (SOC-11238)

   - Update to version 6.0+git.1587560956.475ebae91:
     * nova: Hide setup_shared_instance_storage (SOC-11225)

   - Update to version 6.0+git.1587110382.e00bbeeb8:
     * octavia: remove mgmt_net from UI (SOC-10904)

   - Update to version 6.0+git.1586351116.5977d44ce:
     * neutron: fix neutron cli to use internal endpoint (bsc#1168512)

   - Update to version 6.0+git.1586249148.97e221138:
     * neutron: don't add physnets for non-enabled networks (SOC-11204)
     * octavia: move management network creation to octavia barclamp
       (SOC-10904)
     * octavia: move amphora changes check to worker recipe
     * octavia: use octavia network for health monitors (SOC-10904)
     * octavia: rework emanagement network config (SOC-10904)

   - Update to version 6.0+git.1585653227.5004f0a1f:
     * Disable "OpenStack RC File (identity API v2)" in horizon (bsc#1163444)

   - Update to version 6.0+git.1585444839.ec56032ca:
     * Revert "Octavia: Hide UI until complete (SOC-10550)"

   - Update to version 6.0+git.1585282212.df338c7f6:
     * Add lb-mgmt-net for Octavia (SOC-10904)

   - Update to version 6.0+git.1585237884.e441a435b:
     * fix travis CI to handle reverted commits properly (SOC-11180)

   - Update to version 6.0+git.1585143832.fa2fd2714:
     * nova: Populate cinder SES settings early (SOC-11179)

   - Update to version 6.0+git.1585068621.f53f95864:
     * tempest: blacklist shelve tests when using RBD ephemeral (SOC-11176)
     * tempest: disable block migration when using RBD (SOC-11176)

   - Update to version 6.0+git.1584967542.06b4f7cda:
     * magnum: Populate SSL configuration (SOC-9849)
     * magnum: Add SSL support (SOC-9849)

   - Update to version 6.0+git.1584603207.1dc71c848:
     * nova: Drop redundant disk_cachemodes (trivial)
     * nova: Add option to disable ephemeral on ceph (SOC-5269)

   - Update to version 6.0+git.1584540693.0d3b72090:
     * keystone: fix keystone node lookup (SOC-11333, bsc#1164838)
     * keystone: Register SES RadosGW endpoints (SOC-5270)
     * heat: Increase heat_register syncmark timeout (SOC-11103)
     * heat: Simplify domain registration code (SOC-11103)

   - Update to version 6.0+git.1584437931.10aebd310:
     * nova: Setup CEPH secrets later (SOC-11141)

   - Update to version 6.0+git.1584347033.7472a6925:
     * nova: Enable ephemeral volumes on SES (SOC-5269)

   Changes in memcached:
   - version update to 1.5.17
     * bugfixes fix strncpy call in stats conns to avoid ASAN violation
       (bsc#1149110, CVE-2019-15026) extstore: fix indentation add error
       handling when calling dup function add unlock when item_cachedump
       malloc failed extstore: emulate pread(v) for macOS fix off-by-one in
       logger to allow CAS commands to be logged. use strdup for explicitly
       configured slab sizes move mem_requested from slabs.c to items.c
       (internal cleanup)
     * new features add server address to the "stats conns" output log client
       connection id with fetchers and mutations Add a handler for seccomp
       crashes
   - version update to 1.5.16
     * bugfixes When nsuffix is 0 space for flags hasn't been allocated so
       don't memcpy them.
   - version update to 1.5.15
     * bugfixes Speed up incr/decr by replacing snprintf. Use correct buffer
       size for internal URI encoding. change some links from http to https
       Fix small memory leak in testapp.c. free window_global in
       slab_automove_extstore.c remove inline_ascii_response option
       -Y [filename] for ascii authentication mode fix: idle-timeout wasn't
        compatible with binprot
     * features
       -Y [authfile] enables an authentication mode for ASCII protocol.
   - modified patches % memcached-autofoo.patch (refreshed)

   - version update to 1.5.14
     * update -h output for -I (max item size)
     * fix segfault in "lru" command (bsc#1133817, CVE-2019-11596)
     * fix compile error on centos7
     * extstore: error adjusting page_size after ext_path
     * extstore: fix segfault if page_count is too high.
     * close delete + incr item survival race bug
     * memcached-tool dump fix loss of exp value
     * Fix "qw" in "MemcachedTest.pm" so wait_ext_flush is exported properly
     * Experimental TLS support.
     * Basic implementation of TLS for memcached.
     * Improve Get And Touch documentation
     * fix INCR/DECR refcount leak for invalid items
   - modified patches % memcached-autofoo.patch (refreshed)

   Changes in openstack-ceilometer:
   - Update to version ceilometer-11.1.1.dev5:
     * [stable-only] Cap stestr for python 2

   - Update to version ceilometer-11.1.1.dev3: 11.1.0
     * Add availability\_zone attribute to gnocchi instance resources
     * Set instance\_type\_id in event traits to be a string
     * Fix name of option group removed in Rocky

   Changes in openstack-ceilometer:
   - Update to version ceilometer-11.1.1.dev5:
     * [stable-only] Cap stestr for python 2

   - Update to version ceilometer-11.1.1.dev3: 11.1.0
     * Add availability\_zone attribute to gnocchi instance resources
     * Set instance\_type\_id in event traits to be a string
     * Fix name of option group removed in Rocky

   Changes in openstack-cinder:
   - Update to version cinder-13.0.10.dev9:
     * PowerMax Driver - Legacy volume not found
     * NEC driver: fix an undefined variable

   - Update to version cinder-13.0.10.dev6:
     * RBD: fix volume reference handling in clone logic

   - Update to version cinder-13.0.10.dev4:
     * [Unity] Fix TypeError for test case test\_delete\_host\_wo\_lock

   - Update to version cinder-13.0.10.dev3:
     * ChunkedBackupDriver: Freeing memory on restore

   - Update to version cinder-13.0.10.dev1:
     * Don't quote {posargs} in tox.ini 13.0.9

   Changes in openstack-cinder:
   - Update to version cinder-13.0.10.dev9:
     * PowerMax Driver - Legacy volume not found
     * NEC driver: fix an undefined variable

   - Update to version cinder-13.0.10.dev6:
     * RBD: fix volume reference handling in clone logic

   - Update to version cinder-13.0.10.dev4:
     * [Unity] Fix TypeError for test case test\_delete\_host\_wo\_lock

   - Update to version cinder-13.0.10.dev3:
     * ChunkedBackupDriver: Freeing memory on restore

   - Update to version cinder-13.0.10.dev1:
     * Don't quote {posargs} in tox.ini 13.0.9

   Changes in openstack-designate:
   - Update to version designate-7.0.1.dev25:
     * Clean up zone locking

   Changes in openstack-designate:
   - Update to version designate-7.0.1.dev25:
     * Clean up zone locking

   Changes in openstack-heat:
   - Update to version openstack-heat-11.0.3.dev35:
     * Ignore Not Found when deleting Keystone role assignment
     * Handle OS::Mistral::Workflow resource replacement properly

   Changes in openstack-heat:
   - Update to version openstack-heat-11.0.3.dev35:
     * Ignore Not Found when deleting Keystone role assignment
     * Handle OS::Mistral::Workflow resource replacement properly

   Changes in openstack-ironic:
   - Update to version ironic-11.1.5.dev3:
     * Make deploy step failure logging indicate the error 11.1.4

   - Update to version ironic-11.1.4.dev26:
     * Remove rocky grenade jobs
     * tell reno to ignore the kilo branch
     * [stable] consume virtualbmc from pip packages

   Changes in openstack-ironic:
   - Update to version ironic-11.1.5.dev3:
     * Make deploy step failure logging indicate the error 11.1.4

   - Update to version ironic-11.1.4.dev26:
     * Remove rocky grenade jobs
     * tell reno to ignore the kilo branch
     * [stable] consume virtualbmc from pip packages

   Changes in openstack-ironic-image:
   - Add haveged package (bsc#1137622) It is needed to ensure there's enough
     entroy available to perform the iSCSI operations.

   Changes in openstack-manila:
   - Update to version manila-7.4.2.dev4:
     * Increase MANILA\_SERVICE\_VM\_FLAVOR\_DISK

   - Update to version manila-7.4.2.dev3:
     * If only .pyc exist, the extension API will be disabled

   - Update to version manila-7.4.2.dev2:
     * Enforce policy checks for share export locations

   - Update to version manila-7.4.2.dev1:
     * [stable-only] Pin neutron-tempest-plugin to 0.9.0 7.4.1

   - Update to version manila-7.4.1.dev2:
     * share\_networks: enable project\_only API only
     * Fix over-quota exception of snapshot creation 7.4.0

   - Update to version manila-7.4.1.dev1:
     * Fix over-quota exception of snapshot creation 7.4.0

   Changes in openstack-manila:
   - Update to version manila-7.4.2.dev4:
     * Increase MANILA\_SERVICE\_VM\_FLAVOR\_DISK

   - Update to version manila-7.4.2.dev3:
     * If only .pyc exist, the extension API will be disabled

   - Update to version manila-7.4.2.dev2:
     * Enforce policy checks for share export locations

   - Update to version manila-7.4.2.dev1:
     * [stable-only] Pin neutron-tempest-plugin to 0.9.0 7.4.1

   - Rebased patches:
     + cve-2020-9543-stable-rocky.patch dropped (merged upstream)

   - Update to version manila-7.4.1.dev2:
     * share\_networks: enable project\_only API only
     * Fix over-quota exception of snapshot creation 7.4.0

   Changes in openstack-neutron:
   - Update to version neutron-13.0.8.dev28:
     * Prioritize port create and update ready messages

   - Update to version neutron-13.0.8.dev26:
     * Support iproute2 4.15 in l3\_tc\_lib

   - Update to version neutron-13.0.8.dev24:
     * Add trunk subports to be one of dvr serviced device owners

   - Update to version neutron-13.0.8.dev22:
     * Filter by owner SGs when retrieving the SG rules
     * Delay HA router transition from "backup" to "master"
     * Increase waiting time for network rescheduling
     * Check dnsmasq process is active when spawned
     * Wait before deleting trunk bridges for DPDK vhu
     * [DVR] Don't populate unbound ports in router's ARP cache
     * Optimize DVR related port DB query

   - Update to version neutron-13.0.8.dev9:
     * Add bulk IP address assignment to ipam driver

   - Update to version neutron-13.0.8.dev7:
     * Add accepted egress direct flow

   - Update to version neutron-13.0.8.dev6:
     * Add VLAN type conntrack direct flow

   - Update to version neutron-13.0.8.dev4:
     * Use rally-openstack 1.7.0 for stable/rocky

   - Update to version neutron-13.0.8.dev3:
     * Remove extra header fields in proxied metadata requests
     * Ensure that default SG exists during list of SG rules API call 13.0.7

   Changes in openstack-neutron:
   - Update to version neutron-13.0.8.dev28:
     * Prioritize port create and update ready messages

   - Update to version neutron-13.0.8.dev26:
     * Support iproute2 4.15 in l3\_tc\_lib

   - Update to version neutron-13.0.8.dev24:
     * Add trunk subports to be one of dvr serviced device owners

   - Update to version neutron-13.0.8.dev22:
     * Filter by owner SGs when retrieving the SG rules
     * Delay HA router transition from "backup" to "master"
     * Increase waiting time for network rescheduling
     * Check dnsmasq process is active when spawned
     * Wait before deleting trunk bridges for DPDK vhu
     * [DVR] Don't populate unbound ports in router's ARP cache
     * Optimize DVR related port DB query

   - Update to version neutron-13.0.8.dev9:
     * Add bulk IP address assignment to ipam driver

   - Update to version neutron-13.0.8.dev7:
     * Add accepted egress direct flow

   - Update to version neutron-13.0.8.dev6:
     * Add VLAN type conntrack direct flow

   - Update to version neutron-13.0.8.dev4:
     * Use rally-openstack 1.7.0 for stable/rocky

   - Update to version neutron-13.0.8.dev3:
     * Remove extra header fields in proxied metadata requests
     * Ensure that default SG exists during list of SG rules API call 13.0.7

   Changes in openstack-nova:
   - Update to version nova-18.3.1.dev17:
     * Unplug VIFs as part of cleanup of networks

   - Update to version nova-18.3.1.dev16:
     * Functional test for UnexpectedDeletingTaskStateError

   - Update to version nova-18.3.1.dev15:
     * nova-live-migration: Wait for n-cpu services to come up after
       configuring Ceph
     * Replace ansible --sudo with --become in live\_migration/hooks scripts

   - Update to version nova-18.3.1.dev11:
     * Fix os-keypairs pagination links

   - Update to version nova-18.3.1.dev9:
     * Enhance service restart in functional env
     * Fix hypervisors paginted collection\_name
     * Avoid circular reference during serialization

   - Update to version nova-18.3.1.dev4:
     * Remove global state from the FakeDriver

   - Update to version nova-18.3.1.dev3:
     * Add retry\_on\_deadlock to migration\_update DB API
     * libvirt: Ignore DiskNotFound during update\_available\_resource 18.3.0

   Changes in openstack-nova:
   - Update to version nova-18.3.1.dev17:
     * Unplug VIFs as part of cleanup of networks

   - Update to version nova-18.3.1.dev16:
     * Functional test for UnexpectedDeletingTaskStateError

   - Update to version nova-18.3.1.dev15:
     * nova-live-migration: Wait for n-cpu services to come up after
       configuring Ceph
     * Replace ansible --sudo with --become in live\_migration/hooks scripts

   - Update to version nova-18.3.1.dev11:
     * Fix os-keypairs pagination links

   - Update to version nova-18.3.1.dev9:
     * Enhance service restart in functional env
     * Fix hypervisors paginted collection\_name
     * Avoid circular reference during serialization

   - Update to version nova-18.3.1.dev4:
     * Remove global state from the FakeDriver

   - Update to version nova-18.3.1.dev3:
     * Add retry\_on\_deadlock to migration\_update DB API
     * libvirt: Ignore DiskNotFound during update\_available\_resource 18.3.0

   Changes in openstack-octavia:
   - Update to version octavia-3.2.3.dev2:
     * Pick stale amphora randomly

   - Update to version octavia-3.2.3.dev1:
     * Remove the barbican "Grant access" from cookbook 3.2.2

   - Add patch 0001-HTTPS-HMs-need-the-same-validation-path-as-HTTP.patch
     (bsc#1165723) https://review.opendev.org/#/c/710161/ Change-Id:
     I2fd51664336dca51f134b3fccd3e8c936b809839

   Changes in openstack-octavia-amphora-image:
   - Update image to 0.1.3 to include latest changes

   Changes in python-cinderclient:
   - update to version 4.0.3
     - Add missed 'Server ID' output in attachment-list

   Changes in python-glanceclient:
   - update to version 2.13.2
     - OpenDev Migration Patch

   Changes in python-ironic-lib:
   - update to version 2.14.3
     - Use last digit to determine paritition naming scheme
     - Erase expected GPT locations in metadata wipe
     - Rescan after making partition changes

   Changes in python-ironicclient:
   - update to version 2.5.4
     - fix session cert arguments

   Changes in python-keystonemiddleware:
   - update to version 5.2.2
     - Make tests pass in 2022
     - Make sure audit middleware use own context

   Changes in python-manila-tempest-plugin:
   - added 0002-Fix-export-locations-tests.patch

   Changes in python-novaclient:
   - update to version 11.0.1
     - Add test for console-log and docs for bug 1746534
     - Use SHA256 instead of MD5 in completion cache
     - Improve the description of optional arguments
     - Revert "Fix crashing console-log"
     - Fix up userdata argument to rebuild.
     - OpenDev Migration Patch
     - Stop silently ignoring invalid 'nova boot --hint' options
     - Add missing options in CLI reference
     - import zuul job settings from project-config
     - Update .gitreview for stable/rocky
     - Replace openstack.org git:// URLs with https://
     - Update UPPER_CONSTRAINTS_FILE for stable/rocky
     - Follow up "Fix up userdata argument to rebuild"

   Changes in python-octaviaclient:
   - update to version 1.6.2
     - Fix long CLI error messages
     - Update tox.ini for new upper constraints strategy

   Changes in python-openstackclient:
   - update to version 3.16.3
     - Fix bug in endpoint group deletion
     - OpenDev Migration Patch
     - Fix: Restore output 'VolumeBackupsRestore' object is not iterable
     - Stable branch combination fix
     - Add --name-lookup-one-by-one option to server list
     - Fix BFV server list handling with --name-lookup-one-by-one
     - Fix compute service set handling for 2.53+
     - Don't display router's is_ha and is_distributed attributes always
     - Document 2.53 behavior for compute service list/delete
     - Remove str() when setting network objects names

   Changes in python-os-brick:
   - update to version 2.5.10
     - Check path alive before get scsi wwn
     - Skip cryptsetup password quality checking
     - iscsi: Add _get_device_link retry when waiting for /dev/disk/by-id/ to
       populate
     - linuxscsi: Stop waiting for multipath devices during extend_volume
     - Handle None value 'inititator_target_map'
     - Fix FC scan too broad
     - Ignore pep8 W503/W504

   Changes in python-oslo.config:
   - update to version 6.4.2
     - Use constraints when building docs
     - Ensure option groups don't change during logging
     - OpenDev Migration Patch

   Changes in python-oslo.rootwrap:
   - update to version 5.14.2
     - Run rootwrap with lower fd ulimit by default
     - Update UPPER_CONSTRAINTS_FILE for stable/rocky
     - import zuul job settings from project-config
     - Update .gitreview for stable/rocky
     - OpenDev Migration Patch

   Changes in python-oslo.utils:
   - update to version 3.36.5
     - import zuul job settings from project-config
     - Update UPPER_CONSTRAINTS_FILE for stable/rocky
     - Make mask_dict_password case insensitive and add new patterns
     - Update .gitreview for stable/rocky
     - OpenDev Migration Patch
     - Make mask_password case insensitive, and add new patterns
     - Mask encryption_key_id

   Changes in python-swiftclient:
   - update to version 3.6.1
     - OpenDev Migration Patch
     - Fix SLO re-upload
     - Update .gitreview for stable/rocky
     - Changelog for 3.6.1
     - import zuul job settings from project-config
     - Fix up stable gate
     - Use Swift's in-tree DSVM test

   Changes in python-watcherclient:
   - update to version 2.1.1
     - Update .gitreview for stable/rocky
     - OpenDev Migration Patch
     - Update UPPER_CONSTRAINTS_FILE for stable/rocky
     - import zuul job settings from project-config
     - Replace openstack.org git:// URLs with https://
     - fix watcher actionplan show command

   Changes in release-notes-suse-openstack-cloud:
   - Update to version 9.20200319:
     * Update release notes to indicate Designate support has shipped

   Changes in zookeeper:
   - Apply 0002-Apply-patch-to-resolve-CVE-2019-0201.patch This applies the
     patch for ZOOKEEPER-1392 to resolve CVE-2019-0201 Should not allow to
     read ACL when not authorized to read node (bsc#1135773)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-1190=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2020-1190=1



Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      crowbar-core-6.0+git.1587558898.313bb9fd3-3.22.2
      crowbar-core-branding-upstream-6.0+git.1587558898.313bb9fd3-3.22.2
      memcached-1.5.17-3.3.1
      memcached-debuginfo-1.5.17-3.3.1
      memcached-debugsource-1.5.17-3.3.1
      ruby2.1-rubygem-crowbar-client-3.9.2-3.6.1
      ruby2.1-rubygem-puma-2.16.0-4.6.1
      ruby2.1-rubygem-puma-debuginfo-2.16.0-4.6.1
      rubygem-puma-debugsource-2.16.0-4.6.1

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      crowbar-ha-6.0+git.1586256059.e6f67e1-3.16.1
      crowbar-openstack-6.0+git.1587753188.da39e44a7-3.22.1
      openstack-ceilometer-11.1.1~dev5-3.13.2
      openstack-ceilometer-agent-central-11.1.1~dev5-3.13.2
      openstack-ceilometer-agent-compute-11.1.1~dev5-3.13.2
      openstack-ceilometer-agent-ipmi-11.1.1~dev5-3.13.2
      openstack-ceilometer-agent-notification-11.1.1~dev5-3.13.2
      openstack-ceilometer-polling-11.1.1~dev5-3.13.2
      openstack-cinder-13.0.10~dev9-3.19.1
      openstack-cinder-api-13.0.10~dev9-3.19.1
      openstack-cinder-backup-13.0.10~dev9-3.19.1
      openstack-cinder-scheduler-13.0.10~dev9-3.19.1
      openstack-cinder-volume-13.0.10~dev9-3.19.1
      openstack-designate-7.0.1~dev25-3.16.2
      openstack-designate-agent-7.0.1~dev25-3.16.2
      openstack-designate-api-7.0.1~dev25-3.16.2
      openstack-designate-central-7.0.1~dev25-3.16.2
      openstack-designate-producer-7.0.1~dev25-3.16.2
      openstack-designate-sink-7.0.1~dev25-3.16.2
      openstack-designate-worker-7.0.1~dev25-3.16.2
      openstack-heat-11.0.3~dev35-3.16.1
      openstack-heat-api-11.0.3~dev35-3.16.1
      openstack-heat-api-cfn-11.0.3~dev35-3.16.1
      openstack-heat-engine-11.0.3~dev35-3.16.1
      openstack-heat-plugin-heat_docker-11.0.3~dev35-3.16.1
      openstack-ironic-11.1.5~dev3-3.16.1
      openstack-ironic-api-11.1.5~dev3-3.16.1
      openstack-ironic-conductor-11.1.5~dev3-3.16.1
      openstack-ironic-image-debugsource-9.0.0-3.6.1
      openstack-ironic-image-x86_64-9.0.0-3.6.1
      openstack-manila-7.4.2~dev4-4.21.1
      openstack-manila-api-7.4.2~dev4-4.21.1
      openstack-manila-data-7.4.2~dev4-4.21.1
      openstack-manila-scheduler-7.4.2~dev4-4.21.1
      openstack-manila-share-7.4.2~dev4-4.21.1
      openstack-neutron-13.0.8~dev28-3.22.1
      openstack-neutron-dhcp-agent-13.0.8~dev28-3.22.1
      openstack-neutron-ha-tool-13.0.8~dev28-3.22.1
      openstack-neutron-l3-agent-13.0.8~dev28-3.22.1
      openstack-neutron-linuxbridge-agent-13.0.8~dev28-3.22.1
      openstack-neutron-macvtap-agent-13.0.8~dev28-3.22.1
      openstack-neutron-metadata-agent-13.0.8~dev28-3.22.1
      openstack-neutron-metering-agent-13.0.8~dev28-3.22.1
      openstack-neutron-openvswitch-agent-13.0.8~dev28-3.22.1
      openstack-neutron-server-13.0.8~dev28-3.22.1
      openstack-nova-18.3.1~dev17-3.22.1
      openstack-nova-api-18.3.1~dev17-3.22.1
      openstack-nova-cells-18.3.1~dev17-3.22.1
      openstack-nova-compute-18.3.1~dev17-3.22.1
      openstack-nova-conductor-18.3.1~dev17-3.22.1
      openstack-nova-console-18.3.1~dev17-3.22.1
      openstack-nova-novncproxy-18.3.1~dev17-3.22.1
      openstack-nova-placement-api-18.3.1~dev17-3.22.1
      openstack-nova-scheduler-18.3.1~dev17-3.22.1
      openstack-nova-serialproxy-18.3.1~dev17-3.22.1
      openstack-nova-vncproxy-18.3.1~dev17-3.22.1
      openstack-octavia-3.2.3~dev2-3.22.1
      openstack-octavia-amphora-agent-3.2.3~dev2-3.22.1
      openstack-octavia-amphora-image-debugsource-0.1.3-7.9.2
      openstack-octavia-amphora-image-x86_64-0.1.3-7.9.2
      openstack-octavia-api-3.2.3~dev2-3.22.1
      openstack-octavia-health-manager-3.2.3~dev2-3.22.1
      openstack-octavia-housekeeping-3.2.3~dev2-3.22.1
      openstack-octavia-worker-3.2.3~dev2-3.22.1
      python-ceilometer-11.1.1~dev5-3.13.2
      python-cinder-13.0.10~dev9-3.19.1
      python-cinderclient-4.0.3-3.6.2
      python-cinderclient-doc-4.0.3-3.6.2
      python-designate-7.0.1~dev25-3.16.2
      python-glanceclient-2.13.2-3.3.2
      python-glanceclient-doc-2.13.2-3.3.2
      python-heat-11.0.3~dev35-3.16.1
      python-ironic-11.1.5~dev3-3.16.1
      python-ironic-lib-2.14.3-3.6.1
      python-ironicclient-2.5.4-4.10.1
      python-ironicclient-doc-2.5.4-4.10.1
      python-keystonemiddleware-5.2.2-17.1
      python-manila-7.4.2~dev4-4.21.1
      python-manila-tempest-plugin-0.1.0-3.6.1
      python-neutron-13.0.8~dev28-3.22.1
      python-nova-18.3.1~dev17-3.22.1
      python-novaclient-11.0.1-3.3.1
      python-novaclient-doc-11.0.1-3.3.1
      python-octavia-3.2.3~dev2-3.22.1
      python-octaviaclient-1.6.2-3.6.1
      python-openstackclient-3.16.3-11.1
      python-os-brick-2.5.10-3.9.2
      python-os-brick-common-2.5.10-3.9.2
      python-oslo.config-6.4.2-3.3.1
      python-oslo.config-doc-6.4.2-3.3.1
      python-oslo.rootwrap-5.14.2-3.3.1
      python-oslo.utils-3.36.5-3.3.1
      python-swiftclient-3.6.1-3.3.1
      python-swiftclient-doc-3.6.1-3.3.1
      python-watcherclient-2.1.1-3.3.1
      release-notes-suse-openstack-cloud-9.20200319-3.18.1
      zookeeper-server-3.4.13-3.3.1

   - SUSE OpenStack Cloud 9 (noarch):

      ardana-ansible-9.0+git.1587034359.a12678b-3.19.1
      ardana-barbican-9.0+git.1583953599.cd723bb-3.10.1
      ardana-cluster-9.0+git.1585653734.c1fe3b2-3.13.1
      ardana-db-9.0+git.1586543314.6b6aa20-3.19.1
      ardana-designate-9.0+git.1583445435.4bd1793-3.10.1
      ardana-input-model-9.0+git.1584632190.9541c56-3.16.1
      ardana-logging-9.0+git.1585929695.f35b591-3.10.1
      ardana-monasca-9.0+git.1586769889.d43d736-3.16.1
      ardana-mq-9.0+git.1586350749.a463fd2-3.13.1
      ardana-neutron-9.0+git.1587667603.507fb50-3.19.1
      ardana-octavia-9.0+git.1587486004.8e99c6b-3.16.1
      ardana-osconfig-9.0+git.1586546715.dbd07ab-3.16.1
      ardana-tempest-9.0+git.1587398456.b31cc4a-3.13.1
      ardana-tls-9.0+git.1586301209.c9413b4-3.12.1
      openstack-ceilometer-11.1.1~dev5-3.13.2
      openstack-ceilometer-agent-central-11.1.1~dev5-3.13.2
      openstack-ceilometer-agent-compute-11.1.1~dev5-3.13.2
      openstack-ceilometer-agent-ipmi-11.1.1~dev5-3.13.2
      openstack-ceilometer-agent-notification-11.1.1~dev5-3.13.2
      openstack-ceilometer-polling-11.1.1~dev5-3.13.2
      openstack-cinder-13.0.10~dev9-3.19.1
      openstack-cinder-api-13.0.10~dev9-3.19.1
      openstack-cinder-backup-13.0.10~dev9-3.19.1
      openstack-cinder-scheduler-13.0.10~dev9-3.19.1
      openstack-cinder-volume-13.0.10~dev9-3.19.1
      openstack-designate-7.0.1~dev25-3.16.2
      openstack-designate-agent-7.0.1~dev25-3.16.2
      openstack-designate-api-7.0.1~dev25-3.16.2
      openstack-designate-central-7.0.1~dev25-3.16.2
      openstack-designate-producer-7.0.1~dev25-3.16.2
      openstack-designate-sink-7.0.1~dev25-3.16.2
      openstack-designate-worker-7.0.1~dev25-3.16.2
      openstack-heat-11.0.3~dev35-3.16.1
      openstack-heat-api-11.0.3~dev35-3.16.1
      openstack-heat-api-cfn-11.0.3~dev35-3.16.1
      openstack-heat-engine-11.0.3~dev35-3.16.1
      openstack-heat-plugin-heat_docker-11.0.3~dev35-3.16.1
      openstack-ironic-11.1.5~dev3-3.16.1
      openstack-ironic-api-11.1.5~dev3-3.16.1
      openstack-ironic-conductor-11.1.5~dev3-3.16.1
      openstack-ironic-image-debugsource-9.0.0-3.6.1
      openstack-ironic-image-x86_64-9.0.0-3.6.1
      openstack-manila-7.4.2~dev4-4.21.1
      openstack-manila-api-7.4.2~dev4-4.21.1
      openstack-manila-data-7.4.2~dev4-4.21.1
      openstack-manila-scheduler-7.4.2~dev4-4.21.1
      openstack-manila-share-7.4.2~dev4-4.21.1
      openstack-neutron-13.0.8~dev28-3.22.1
      openstack-neutron-dhcp-agent-13.0.8~dev28-3.22.1
      openstack-neutron-ha-tool-13.0.8~dev28-3.22.1
      openstack-neutron-l3-agent-13.0.8~dev28-3.22.1
      openstack-neutron-linuxbridge-agent-13.0.8~dev28-3.22.1
      openstack-neutron-macvtap-agent-13.0.8~dev28-3.22.1
      openstack-neutron-metadata-agent-13.0.8~dev28-3.22.1
      openstack-neutron-metering-agent-13.0.8~dev28-3.22.1
      openstack-neutron-openvswitch-agent-13.0.8~dev28-3.22.1
      openstack-neutron-server-13.0.8~dev28-3.22.1
      openstack-nova-18.3.1~dev17-3.22.1
      openstack-nova-api-18.3.1~dev17-3.22.1
      openstack-nova-cells-18.3.1~dev17-3.22.1
      openstack-nova-compute-18.3.1~dev17-3.22.1
      openstack-nova-conductor-18.3.1~dev17-3.22.1
      openstack-nova-console-18.3.1~dev17-3.22.1
      openstack-nova-novncproxy-18.3.1~dev17-3.22.1
      openstack-nova-placement-api-18.3.1~dev17-3.22.1
      openstack-nova-scheduler-18.3.1~dev17-3.22.1
      openstack-nova-serialproxy-18.3.1~dev17-3.22.1
      openstack-nova-vncproxy-18.3.1~dev17-3.22.1
      openstack-octavia-3.2.3~dev2-3.22.1
      openstack-octavia-amphora-agent-3.2.3~dev2-3.22.1
      openstack-octavia-amphora-image-debugsource-0.1.3-7.9.2
      openstack-octavia-amphora-image-x86_64-0.1.3-7.9.2
      openstack-octavia-api-3.2.3~dev2-3.22.1
      openstack-octavia-health-manager-3.2.3~dev2-3.22.1
      openstack-octavia-housekeeping-3.2.3~dev2-3.22.1
      openstack-octavia-worker-3.2.3~dev2-3.22.1
      python-ceilometer-11.1.1~dev5-3.13.2
      python-cinder-13.0.10~dev9-3.19.1
      python-cinderclient-4.0.3-3.6.2
      python-cinderclient-doc-4.0.3-3.6.2
      python-designate-7.0.1~dev25-3.16.2
      python-glanceclient-2.13.2-3.3.2
      python-glanceclient-doc-2.13.2-3.3.2
      python-heat-11.0.3~dev35-3.16.1
      python-ironic-11.1.5~dev3-3.16.1
      python-ironic-lib-2.14.3-3.6.1
      python-ironicclient-2.5.4-4.10.1
      python-ironicclient-doc-2.5.4-4.10.1
      python-keystonemiddleware-5.2.2-17.1
      python-manila-7.4.2~dev4-4.21.1
      python-manila-tempest-plugin-0.1.0-3.6.1
      python-neutron-13.0.8~dev28-3.22.1
      python-nova-18.3.1~dev17-3.22.1
      python-novaclient-11.0.1-3.3.1
      python-novaclient-doc-11.0.1-3.3.1
      python-octavia-3.2.3~dev2-3.22.1
      python-octaviaclient-1.6.2-3.6.1
      python-openstackclient-3.16.3-11.1
      python-os-brick-2.5.10-3.9.2
      python-os-brick-common-2.5.10-3.9.2
      python-oslo.config-6.4.2-3.3.1
      python-oslo.config-doc-6.4.2-3.3.1
      python-oslo.rootwrap-5.14.2-3.3.1
      python-oslo.utils-3.36.5-3.3.1
      python-swiftclient-3.6.1-3.3.1
      python-swiftclient-doc-3.6.1-3.3.1
      python-watcherclient-2.1.1-3.3.1
      release-notes-suse-openstack-cloud-9.20200319-3.18.1
      venv-openstack-barbican-x86_64-7.0.1~dev24-3.17.1
      venv-openstack-cinder-x86_64-13.0.10~dev9-3.17.1
      venv-openstack-designate-x86_64-7.0.1~dev25-3.17.1
      venv-openstack-glance-x86_64-17.0.1~dev30-3.15.1
      venv-openstack-heat-x86_64-11.0.3~dev35-3.17.1
      venv-openstack-horizon-x86_64-14.1.1~dev1-4.16.1
      venv-openstack-ironic-x86_64-11.1.5~dev3-4.13.1
      venv-openstack-keystone-x86_64-14.1.1~dev36-3.17.1
      venv-openstack-magnum-x86_64-7.2.1~dev1-4.17.1
      venv-openstack-manila-x86_64-7.4.2~dev4-3.19.1
      venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.17.1
      venv-openstack-monasca-x86_64-2.7.1~dev10-3.15.1
      venv-openstack-neutron-x86_64-13.0.8~dev28-6.17.1
      venv-openstack-nova-x86_64-18.3.1~dev17-3.17.1
      venv-openstack-octavia-x86_64-3.2.3~dev2-4.17.1
      venv-openstack-sahara-x86_64-9.0.2~dev15-3.17.1
      venv-openstack-swift-x86_64-2.19.2~dev48-2.12.1
      zookeeper-server-3.4.13-3.3.1

   - SUSE OpenStack Cloud 9 (x86_64):

      memcached-1.5.17-3.3.1
      memcached-debuginfo-1.5.17-3.3.1
      memcached-debugsource-1.5.17-3.3.1


References:

   https://www.suse.com/security/cve/CVE-2019-0201.html
   https://www.suse.com/security/cve/CVE-2019-11596.html
   https://www.suse.com/security/cve/CVE-2019-15026.html
   https://www.suse.com/security/cve/CVE-2020-5247.html
   https://www.suse.com/security/cve/CVE-2020-9543.html
   https://bugzilla.suse.com/1084739
   https://bugzilla.suse.com/1124708
   https://bugzilla.suse.com/1133817
   https://bugzilla.suse.com/1135773
   https://bugzilla.suse.com/1137622
   https://bugzilla.suse.com/1149110
   https://bugzilla.suse.com/1149535
   https://bugzilla.suse.com/1163444
   https://bugzilla.suse.com/1164838
   https://bugzilla.suse.com/1165402
   https://bugzilla.suse.com/1165723
   https://bugzilla.suse.com/1166290
   https://bugzilla.suse.com/1168512
   https://bugzilla.suse.com/1168593
   https://bugzilla.suse.com/1169770



More information about the sle-security-updates mailing list