SUSE-SU-2021:1963-1: moderate: Security update for crowbar-openstack, grafana, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store

sle-security-updates at sle-security-updates at
Fri Jun 11 16:20:00 UTC 2021

   SUSE Security Update: Security update for crowbar-openstack, grafana, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store

Announcement ID:    SUSE-SU-2021:1963-1
Rating:             moderate
References:         #1044849 #1179805 #1181379 #1183803 #1184148 
                    #1185623 #1186608 #1186611 SOC-11435 
Cross-References:   CVE-2017-11481 CVE-2017-11499 CVE-2019-25025
                    CVE-2020-29651 CVE-2021-27358 CVE-2021-28658
                    CVE-2021-31542 CVE-2021-3281 CVE-2021-33203
CVSS scores:
                    CVE-2017-11481 (NVD) : 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2017-11481 (SUSE): 5.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
                    CVE-2017-11499 (NVD) : 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2017-11499 (SUSE): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-25025 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2019-25025 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-29651 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-29651 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2021-27358 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-27358 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-28658 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-28658 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-31542 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-31542 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-3281 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2021-3281 (SUSE): 6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
                    CVE-2021-33571 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE OpenStack Cloud 7

   An update that fixes 10 vulnerabilities, contains one
   feature is now available.


   This update for crowbar-openstack, grafana, kibana, monasca-installer,
   python-Django, python-py, rubygem-activerecord-session_store contains the
   following fixes:

   Security fixes included in this update:

   - CVE-2016-8611: Added rate limiting for the '/images' API POST method

   - CVE-2021-27358: Fixed a denial of service via remote API call

   - CVE-2017-11499: Fixed a vulnerability in nodejs, related to the
     HashTable implementation, which could cause a denial of service
   - CVE-2017-11481: Fixed a cross site scripting vulnerability via via URL
     fields (bsc#1044849)

   - CVE-2021-3281: Fixed a directory traversal via archive.extract()
   - CVE-2021-28658: Fixed a directory traversal via uploaded files
   - CVE-2021-31542: Fixed a directory traversal via uploaded files with
     suitably crafted file names (bsc#1185623)
   - CVE-2021-33203:Fixed potential path-traversal via admindocs'
     TemplateDetailView (bsc#1186608)
   - CVE-2021-33571: Tighten validator checks to not allow leading zeros in
     IPv4 addresses, which potentially leads to further attacks (bsc#1186611)

   - CVE-2020-29651: Fixed a denial of service via regular expressions

   - CVE-2019-25025: Fixed a timing attacks targeting the session id which
     could allow an attack to hijack sessions (bsc#1183174)

   Non-security fixes included in this update:

   Changes in crowbar-openstack:
   - Update to version 4.0+git.1616146720.44daffca0:
     * monasca: restart Kibana on update (bsc#1044849)

   Changes in grafana_Update:
   - Add CVE-2021-27358.patch (bsc#1183803, CVE-2021-27358)
     * Prevent unauthenticated remote attackers from causing a DoS through
       the snapshots API.

   Changes in kibana_Update:
   - Ensure /etc/sysconfig/kibana is present

   - Update to Kibana 4.6.6 (bsc#1044849, CVE-2017-11499, ESA-2017-14,
     * [4.6] ignore forked code for babel transpile build phase (#13483)
     * Allow more than match queries in custom filters (#8614) (#10857)
     * [state] don't make extra $location.replace() calls (#9954)
     * [optimizer] move to querystring-browser package for up-to-date api
     * [state/unhashUrl] use encode-uri-query to generate cleanly encoded urls
     * server: refactor log_interceptor to be more DRY (#9617)
     * server: downgrade ECANCELED logs to debug (#9616)
     * server: do not treat logged warnings as errors (#8746) (#9610)
     * [server/logger] downgrade EPIPE errors to debug level (#9023)
     * Add basepath when redirecting from a trailling slash (#9035)
     * [es/kibanaIndex] use unmapped_type rather than ignore_unmapped (#8968)
     * [server/shortUrl] validate urls before shortening them
   - Add CVE-2017-11481.patch (bsc#1044849, CVE-2017-11481)
     * This fixes an XSS vulnerability in URL fields
   - Remove %dir declaration from /opt/kibana/optimize to ensure no files
     owned by root end up in there
   - Exclude /opt/kibana/optimize from %fdupes
   - Restart service on upgrade
   - Do not copy LICENSE.txt and README.txt to /opt/kibana
   - Fix rpmlint warnings/errors
   - Switch to explicit patch application
   - Fix source URL
   - Fix logic for systemd/systemv detection

   Changes in monasca-installer_Update:
   - Add support-influxdb-1.2.patch (SOC-11435)

   Changes in python-Django_Update:
   - Fixed potential path-traversal via admindocs'
     TemplateDetailView.(bsc#1186608, CVE-2021-33203)
   -  Prevented leading zeros in IPv4 addresses. (bsc#1186611, CVE-2021-33571)
   - Add delegate-os-path-filename-generation-to-storage.patch (bsc#1185623)
       * Needed for CVE-2021-31542.patch to apply
   - Tightened path & file name sanitation in file uploads. (bsc#1185623,
   - Fixed potential directory-traversal via uploaded files. (bsc#1184148,
   - Fixes a potential directory traversal when extracting archives.
     (bsc#1181379, CVE-2021-3281)

   Changes in python-py_Update:
   - Add CVE-2020-29651.patch (CVE-2020-29651, bsc#1179805)
     * svnwc: fix regular expression vulnerable to DoS in blame functionality
   - Ensure /usr/share/licenses exists

   Changes in rubygem-activerecord-session_store_Update:
   - added CVE-2019-25025.patch (CVE-2019-25025, bsc#1183174)
     * This requires CVE-2019-16782.patch to be included in
       rubygem-actionpack-4_2 to work correctly.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2021-1963=1

Package List:

   - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):


   - SUSE OpenStack Cloud 7 (x86_64):


   - SUSE OpenStack Cloud 7 (noarch):



More information about the sle-security-updates mailing list