SUSE-SU-2023:0070-1: important: Security update for openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, openstack-neutron-gbp
sle-security-updates at lists.suse.com
Wed Jan 11 20:22:15 UTC 2023
SUSE Security Update: Security update for openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, openstack-neutron-gbp
______________________________________________________________________________
Announcement ID: SUSE-SU-2023:0070-1
Rating: important
References: #1203873 #1204326
Cross-References: CVE-2022-3100 CVE-2022-33891
CVSS scores:
CVE-2022-3100 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
CVE-2022-33891 (NVD): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-33891 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for openstack-barbican, openstack-heat-gbp,
openstack-horizon-plugin-gbp-ui, openstack-neutron, openstack-neutron-gbp
fixes the following issues:
Security fixes included on this update:
openstack-barbican:
- CVE-2022-3100: Fixed an access policy bypass via query string injection
(bsc#1203873).
spark:
- CVE-2022-33891: Fixed a command injection vulnerability via Spark UI
(bsc#1204326).
Non Security fixes:
Changes in openstack-barbican:
- Add patch to address access policy bypass via query string injection.
(bsc#1203873, CVE-2022-3100.)
Changes in openstack-heat-gbp:
- Update to version group-based-policy-automation-14.0.1.dev5:
* Add support for zed
Changes in openstack-horizon-plugin-gbp-ui:
- Update to version group-based-policy-ui-14.0.1.dev6:
* Add support for zed
- Update to version group-based-policy-ui-14.0.1.dev5:
* fix launch instance GBP issue
Changes in openstack-neutron:
- Update to version neutron-13.0.8.dev209:
* Update documentation link for openSUSE index
- Update to version neutron-13.0.8.dev208:
* fix: Fix url of Floodlight
- Update to version neutron-13.0.8.dev207:
* Mellanox_eth.img url expires, remove the mellanox_eth.img node
Changes in openstack-neutron-gbp:
- Update to version group-based-policy-14.0.1.dev52:
* Fix keystone notification listener
- Update to version group-based-policy-14.0.1.dev51:
* Support for epg subnet 2014.2.0rc1
- Update to version group-based-policy-14.0.1.dev50:
* Use top-level contract references 2014.2.rc1
- Update to version group-based-policy-14.0.1.dev48:
* Remove py37 jobs from gate 2014.2rc1
Changes in spark:
- Avoid using bash -c in ShellBasedGroupsMappingProvider. (bsc#1204326,
CVE-2022-33891)
- Add _constraints to prevent build from running out of disk space
- Update to version group-based-policy-14.0.1.dev47:
* Remove python39 from voting
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud Crowbar 9:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2023-70=1
- SUSE OpenStack Cloud 9:
zypper in -t patch SUSE-OpenStack-Cloud-9-2023-70=1
Package List:
- SUSE OpenStack Cloud Crowbar 9 (noarch):
openstack-barbican-7.0.1~dev24-3.17.1
openstack-barbican-api-7.0.1~dev24-3.17.1
openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1
openstack-barbican-retry-7.0.1~dev24-3.17.1
openstack-barbican-worker-7.0.1~dev24-3.17.1
openstack-heat-gbp-14.0.1~dev5-3.12.1
openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1
openstack-neutron-13.0.8~dev209-3.43.1
openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1
openstack-neutron-gbp-14.0.1~dev52-3.37.1
openstack-neutron-ha-tool-13.0.8~dev209-3.43.1
openstack-neutron-l3-agent-13.0.8~dev209-3.43.1
openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1
openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1
openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1
openstack-neutron-metering-agent-13.0.8~dev209-3.43.1
openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1
openstack-neutron-server-13.0.8~dev209-3.43.1
python-barbican-7.0.1~dev24-3.17.1
python-heat-gbp-14.0.1~dev5-3.12.1
python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1
python-neutron-13.0.8~dev209-3.43.1
python-neutron-gbp-14.0.1~dev52-3.37.1
spark-2.2.3-5.12.1
- SUSE OpenStack Cloud 9 (noarch):
openstack-barbican-7.0.1~dev24-3.17.1
openstack-barbican-api-7.0.1~dev24-3.17.1
openstack-barbican-keystone-listener-7.0.1~dev24-3.17.1
openstack-barbican-retry-7.0.1~dev24-3.17.1
openstack-barbican-worker-7.0.1~dev24-3.17.1
openstack-heat-gbp-14.0.1~dev5-3.12.1
openstack-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1
openstack-neutron-13.0.8~dev209-3.43.1
openstack-neutron-dhcp-agent-13.0.8~dev209-3.43.1
openstack-neutron-gbp-14.0.1~dev52-3.37.1
openstack-neutron-ha-tool-13.0.8~dev209-3.43.1
openstack-neutron-l3-agent-13.0.8~dev209-3.43.1
openstack-neutron-linuxbridge-agent-13.0.8~dev209-3.43.1
openstack-neutron-macvtap-agent-13.0.8~dev209-3.43.1
openstack-neutron-metadata-agent-13.0.8~dev209-3.43.1
openstack-neutron-metering-agent-13.0.8~dev209-3.43.1
openstack-neutron-openvswitch-agent-13.0.8~dev209-3.43.1
openstack-neutron-server-13.0.8~dev209-3.43.1
python-barbican-7.0.1~dev24-3.17.1
python-heat-gbp-14.0.1~dev5-3.12.1
python-horizon-plugin-gbp-ui-14.0.1~dev6-3.15.1
python-neutron-13.0.8~dev209-3.43.1
python-neutron-gbp-14.0.1~dev52-3.37.1
spark-2.2.3-5.12.1
venv-openstack-barbican-x86_64-7.0.1~dev24-3.37.1
venv-openstack-horizon-x86_64-14.1.1~dev11-4.43.1
venv-openstack-neutron-x86_64-13.0.8~dev209-6.43.1
venv-openstack-nova-x86_64-18.3.1~dev92-3.43.1
References:
https://www.suse.com/security/cve/CVE-2022-3100.html
https://www.suse.com/security/cve/CVE-2022-33891.html
https://bugzilla.suse.com/1203873
https://bugzilla.suse.com/1204326