SUSE-SU-2020:3624-1: moderate: Security update for crowbar-openstack, grafana, influxdb, python-urllib3
sle-updates at lists.suse.com
Fri Dec 4 10:17:40 MST 2020
SUSE Security Update: Security update for crowbar-openstack, grafana, influxdb, python-urllib3
______________________________________________________________________________
Announcement ID: SUSE-SU-2020:3624-1
Rating: moderate
References: #1005886 #1170479 #1177120 #1178243 #1178988 SOC-11240
Cross-References: CVE-2016-8611 CVE-2019-20933 CVE-2019-9740 CVE-2020-24303 CVE-2020-26137
Affected Products:
SUSE OpenStack Cloud 7
______________________________________________________________________________
An update that fixes 5 vulnerabilities and contains one feature is now available.
Description:
This update for crowbar-openstack, grafana, influxdb, python-urllib3
contains the following fixes:
Security fixes included in this update:
openstack-glance
- CVE-2016-8611: Added rate limiting for glance api (bnc#1005886)
grafana
- CVE-2020-24303: Fixed an XSS via a query alias for the ElasticSearch datasource (bnc#1178243)
influxdb
- CVE-2019-20933: Fixed an authentication bypass (bnc#1178988)
python-urllib3
- CVE-2019-9740: Fixed a CRLF injection in urllib3 (bnc#1129071).
- CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bnc#1177120)
memcached
- CVE-2018-1000115: Fixed an issue where a UDP server allowed spoofed traffic amplification DoS (bnc#1083903).
Non-security fixes included in this update:
Changes in crowbar-openstack:
- Update to version 4.0+git.1604938545.30c10db18:
* rabbitmq: Fix crm running check (SOC-11240)
Changes in grafana:
- Fix bnc#1178243 CVE-2020-24303 by adding 25401-Fix-XSS-vulnerability-with-series-overrides.patch
Changes in influxdb:
- Add CVE-2019-20933.patch (bnc#1178988, CVE-2019-20933) to fix authentication bypass
- Declare license files correctly
- Version 1.2.4:
* The stress tool influx_stress will be removed in a subsequent release.
* Remove the override of GOMAXPROCS.
* Uncomment section headers from the default configuration file.
* Improve write performance significantly.
* Prune data in meta store for deleted shards.
* Update latest dependencies with Godeps.
* Introduce syntax for marking a partial response with chunking.
* Use X-Forwarded-For IP address in HTTP logger if present.
* Add support for secure transmission via collectd.
* Switch logging to use structured logging everywhere.
* [CLI feature request] USE retention policy for queries.
* Add clear command to cli.
* Add the ability to use parameters in queries in the v2 client using the Parameters map in the Query struct.
* Allow adding items to array config via ENV
* Support subquery execution in the query language.
* Verbose output for SSL connection errors.
* Cache snapshotting performance improvements
- Partially revert previous change to fix build for Leap
Changes in python-urllib3:
- Update urllib3-fix-test-urls.patch. Adjust to match upstream solution.
- Add urllib3-fix-test-urls.patch. Fix tests failing on python checks for CVE-2019-9740.
- Add urllib3-cve-2020-26137.patch. Don't allow control chars in request method. (bnc#1177120, CVE-2020-26137)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud 7:
zypper in -t patch SUSE-OpenStack-Cloud-7-2020-3624=1
Package List:
- SUSE OpenStack Cloud 7 (x86_64):
grafana-6.7.4-1.20.1
influxdb-1.2.4-5.1
influxdb-debuginfo-1.2.4-5.1
- SUSE OpenStack Cloud 7 (noarch):
crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1
python-urllib3-1.16-3.12.1
References:
https://www.suse.com/security/cve/CVE-2016-8611.html
https://www.suse.com/security/cve/CVE-2019-20933.html
https://www.suse.com/security/cve/CVE-2019-9740.html
https://www.suse.com/security/cve/CVE-2020-24303.html
https://www.suse.com/security/cve/CVE-2020-26137.html
https://bugzilla.suse.com/1005886
https://bugzilla.suse.com/1170479
https://bugzilla.suse.com/1177120
https://bugzilla.suse.com/1178243
https://bugzilla.suse.com/1178988