SUSE-SU-2021:3729-1: moderate: Security update for ardana-ansible, ardana-monasca, crowbar-openstack, influxdb, kibana, openstack-cinder, openstack-ec2-api, openstack-heat-gbp, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-keystone, openstack-neutron-gbp, openstack-nova, python-eventlet, rubygem-redcarpet, rubygem-puma

sle-updates at lists.suse.com sle-updates at lists.suse.com
Fri Nov 19 17:23:18 UTC 2021


   SUSE Security Update: Security update for ardana-ansible, ardana-monasca, crowbar-openstack, influxdb, kibana, openstack-cinder, openstack-ec2-api, openstack-heat-gbp, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-keystone, openstack-neutron-gbp, openstack-nova, python-eventlet, rubygem-redcarpet, rubygem-puma
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3729-1
Rating:             moderate
References:         #1180837 #1185836 #1186868 #1189052 #1191681 
                    SOC-11543 
Cross-References:   CVE-2020-26298 CVE-2021-21419 CVE-2021-22141
                    CVE-2021-41136
CVSS scores:
                    CVE-2020-26298 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
                    CVE-2020-26298 (SUSE): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-21419 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2021-21419 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-22141 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
                    CVE-2021-41136 (NVD) : 3.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
                    CVE-2021-41136 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
______________________________________________________________________________

   An update that solves four vulnerabilities, contains one
   feature and has one errata is now available.

Description:

   This update for ardana-ansible, ardana-monasca, crowbar-openstack,
   influxdb, kibana, openstack-cinder, openstack-ec2-api, openstack-heat-gbp,
   openstack-heat-templates, openstack-horizon-plugin-gbp-ui,
   openstack-keystone, openstack-neutron-gbp, openstack-nova,
   python-eventlet, rubygem-redcarpet, rubygem-puma contains the following
   fixes:

   Security fixes included in this update:

   kibana: CVE-2021-22141: Fixed URL redirection flaw (bsc#1186868).

   python-eventlet: CVE-2021-21419: Fixed improper handling of highly
   compressed data and memory allocation with excessive size value.
   (bsc#1185836)

   rubygem-redcarpet: CVE-2020-26298: Fixed XSS via HTML escaping when
   processing quotes. (bsc#1180837)

   rubygem-puma: CVE-2021-41136: Fixes build of the Java state machine for
   parsing HTTP. (bsc#1191681)

   Non-security fixes included in this update:

   Changes in ardana-ansible:
     * Patch service.py to skip blank lines.

   Changes in ardana-monasca:
     * Use specific TLS versions for monasca-thresh DB connections.
       (SOC-11543)

   Changes in crowbar-openstack:
     * keystone wakeup: get new session on any error. (bsc#1189052)

   Changes in influxdb:
   - Set GO111MODULE=auto to fix build with go1.16 and later where default is
     GO111MODULE=on

   Canges in kibana:
     - Fix an open redirect flaw. (CVE-2021-22141, bsc#1186868)

   Changes in openstack-cinder:
     * Fix typo in Dell EMC Unity driver documentation.
     * Drop lower-constraints job.
     * [stable-only] Cap bandit to v1.6.2 and fix constraints.

   Changes in openstack-ec2-api:
     * Remove jobs corresponds to obselete featuresets.
     * OpenDev Migration Patch.

   Changes in openstack-heat-gbp:
     * Add support for Wallaby.
     * Fix upstream gate.

   Changes in openstack-heat-templates:
     * [ussuri][goal] Update contributor documentation.
     * Fix zuul config for heat-templates-check.
     * Remove testr.

   Changes in openstack-horizon-plugin-gbp-ui:
     * Add support for Wallaby.
     * Fix upstream gate.

   Changes in openstack-keystone:
     * Retry update\_user when sqlalchemy raises StaleDataErrors.
     * Pin keystone-tempest-plugin for py27 compatibility.

   Changes in openstack-neutron-gbp:
     * Fix update router API.
     * Fix HA IP DB migration.
     * Revert "Fix HA IP DB migration".
     * Fix HA IP DB migration.
     * Add network\_id column to apic\_ml2\_ha\_ipaddress\_to\_port\_owner
       table.
     * Use custom converter for extra attributes.
     * Validate network before creating or updating router.
     * Fix Data Migration query for HA IP table.
     * System security grp:Add system sg in port sg list.
     * Add vrf column to apic\_ml2\_ha\_ipaddress\_to\_port\_owner table.
     * [apic\_aim]: Fix HA IP UTs.
     * Fixing the exception msg for IPAddressGenerationFailure.
     * Enhancement regarding router/instance attachment to an external
       network floating ip and snat subnets.
     * Setting legacy-group-based-policy-dsvm-aim to non-voting gate.
     * Add support for Wallaby.
     * Bug fixes for gbp-validate.
     * [apic\_aim]: Filter endpoint details.
     * Bugfix: Policy Enforcement Pref.
     * Fix unit-tests for tenant-scope validation.
     * [AIM] Add Policy Enforcement Pref to network extension.

   Changes in openstack-nova:
     * [neutron] Get only ID and name of the SGs from Neutron.
     * Remove allocations before setting vm\_status to SHELVED\_OFFLOADED.
     * libvirt:driver:Disallow AIO=native when 'O\_DIRECT' is not available.
     * Update pci stat pools based on PCI device changes.
     * Use subqueryload() instead of joinedload() for (system\_)metadata.

   Changes in python-eventlet: Websocket: Limit maximum uncompressed frame
   length to 8MiB. (bsc#1185836 CVE-2021-21419)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-3729=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-3729=1



Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      influxdb-1.3.8-4.6.1
      influxdb-debuginfo-1.3.8-4.6.1
      kibana-4.6.6-4.12.1
      kibana-debuginfo-4.6.6-4.12.1
      ruby2.1-rubygem-puma-2.16.0-4.15.1
      ruby2.1-rubygem-puma-debuginfo-2.16.0-4.15.1
      ruby2.1-rubygem-redcarpet-3.2.3-4.3.1
      ruby2.1-rubygem-redcarpet-debuginfo-3.2.3-4.3.1
      rubygem-puma-debugsource-2.16.0-4.15.1
      rubygem-redcarpet-debugsource-3.2.3-4.3.1

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      crowbar-openstack-6.0+git.1630614261.26948f746-3.37.2
      openstack-cinder-13.0.10~dev23-3.31.2
      openstack-cinder-api-13.0.10~dev23-3.31.2
      openstack-cinder-backup-13.0.10~dev23-3.31.2
      openstack-cinder-scheduler-13.0.10~dev23-3.31.2
      openstack-cinder-volume-13.0.10~dev23-3.31.2
      openstack-ec2-api-7.1.1~dev6-3.3.2
      openstack-ec2-api-api-7.1.1~dev6-3.3.2
      openstack-ec2-api-metadata-7.1.1~dev6-3.3.2
      openstack-ec2-api-s3-7.1.1~dev6-3.3.2
      openstack-heat-gbp-12.0.1~dev4-3.6.1
      openstack-heat-templates-0.0.0+git.1628179051.7d761bff-3.12.1
      openstack-horizon-plugin-gbp-ui-12.0.1~dev5-3.6.1
      openstack-keystone-14.2.1~dev7-3.25.2
      openstack-neutron-gbp-14.0.1~dev19-3.28.1
      openstack-nova-18.3.1~dev91-3.40.1
      openstack-nova-api-18.3.1~dev91-3.40.1
      openstack-nova-cells-18.3.1~dev91-3.40.1
      openstack-nova-compute-18.3.1~dev91-3.40.1
      openstack-nova-conductor-18.3.1~dev91-3.40.1
      openstack-nova-console-18.3.1~dev91-3.40.1
      openstack-nova-novncproxy-18.3.1~dev91-3.40.1
      openstack-nova-placement-api-18.3.1~dev91-3.40.1
      openstack-nova-scheduler-18.3.1~dev91-3.40.1
      openstack-nova-serialproxy-18.3.1~dev91-3.40.1
      openstack-nova-vncproxy-18.3.1~dev91-3.40.1
      python-cinder-13.0.10~dev23-3.31.2
      python-ec2api-7.1.1~dev6-3.3.2
      python-eventlet-0.20.0-8.3.1
      python-heat-gbp-12.0.1~dev4-3.6.1
      python-horizon-plugin-gbp-ui-12.0.1~dev5-3.6.1
      python-keystone-14.2.1~dev7-3.25.2
      python-neutron-gbp-14.0.1~dev19-3.28.1
      python-nova-18.3.1~dev91-3.40.1

   - SUSE OpenStack Cloud 9 (x86_64):

      influxdb-1.3.8-4.6.1
      influxdb-debuginfo-1.3.8-4.6.1
      kibana-4.6.6-4.12.1
      kibana-debuginfo-4.6.6-4.12.1

   - SUSE OpenStack Cloud 9 (noarch):

      ardana-ansible-9.0+git.1628097238.f6cbb0e-3.29.1
      ardana-monasca-9.0+git.1627995376.30bdf85-3.25.1
      openstack-cinder-13.0.10~dev23-3.31.2
      openstack-cinder-api-13.0.10~dev23-3.31.2
      openstack-cinder-backup-13.0.10~dev23-3.31.2
      openstack-cinder-scheduler-13.0.10~dev23-3.31.2
      openstack-cinder-volume-13.0.10~dev23-3.31.2
      openstack-ec2-api-7.1.1~dev6-3.3.2
      openstack-ec2-api-api-7.1.1~dev6-3.3.2
      openstack-ec2-api-metadata-7.1.1~dev6-3.3.2
      openstack-ec2-api-s3-7.1.1~dev6-3.3.2
      openstack-heat-gbp-12.0.1~dev4-3.6.1
      openstack-heat-templates-0.0.0+git.1628179051.7d761bff-3.12.1
      openstack-horizon-plugin-gbp-ui-12.0.1~dev5-3.6.1
      openstack-keystone-14.2.1~dev7-3.25.2
      openstack-neutron-gbp-14.0.1~dev19-3.28.1
      openstack-nova-18.3.1~dev91-3.40.1
      openstack-nova-api-18.3.1~dev91-3.40.1
      openstack-nova-cells-18.3.1~dev91-3.40.1
      openstack-nova-compute-18.3.1~dev91-3.40.1
      openstack-nova-conductor-18.3.1~dev91-3.40.1
      openstack-nova-console-18.3.1~dev91-3.40.1
      openstack-nova-novncproxy-18.3.1~dev91-3.40.1
      openstack-nova-placement-api-18.3.1~dev91-3.40.1
      openstack-nova-scheduler-18.3.1~dev91-3.40.1
      openstack-nova-serialproxy-18.3.1~dev91-3.40.1
      openstack-nova-vncproxy-18.3.1~dev91-3.40.1
      python-cinder-13.0.10~dev23-3.31.2
      python-ec2api-7.1.1~dev6-3.3.2
      python-eventlet-0.20.0-8.3.1
      python-heat-gbp-12.0.1~dev4-3.6.1
      python-horizon-plugin-gbp-ui-12.0.1~dev5-3.6.1
      python-keystone-14.2.1~dev7-3.25.2
      python-neutron-gbp-14.0.1~dev19-3.28.1
      python-nova-18.3.1~dev91-3.40.1
      venv-openstack-barbican-x86_64-7.0.1~dev24-3.25.1
      venv-openstack-cinder-x86_64-13.0.10~dev23-3.28.1
      venv-openstack-designate-x86_64-7.0.2~dev2-3.25.1
      venv-openstack-glance-x86_64-17.0.1~dev30-3.23.1
      venv-openstack-heat-x86_64-11.0.4~dev4-3.25.1
      venv-openstack-horizon-x86_64-14.1.1~dev11-4.29.1
      venv-openstack-ironic-x86_64-11.1.5~dev17-4.23.1
      venv-openstack-keystone-x86_64-14.2.1~dev7-3.26.1
      venv-openstack-magnum-x86_64-7.2.1~dev1-4.25.1
      venv-openstack-manila-x86_64-7.4.2~dev60-3.31.1
      venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.25.1
      venv-openstack-monasca-x86_64-2.7.1~dev10-3.23.1
      venv-openstack-neutron-x86_64-13.0.8~dev164-6.29.1
      venv-openstack-nova-x86_64-18.3.1~dev91-3.29.1
      venv-openstack-octavia-x86_64-3.2.3~dev7-4.25.1
      venv-openstack-sahara-x86_64-9.0.2~dev15-3.25.1
      venv-openstack-swift-x86_64-2.19.2~dev48-2.20.1


References:

   https://www.suse.com/security/cve/CVE-2020-26298.html
   https://www.suse.com/security/cve/CVE-2021-21419.html
   https://www.suse.com/security/cve/CVE-2021-22141.html
   https://www.suse.com/security/cve/CVE-2021-41136.html
   https://bugzilla.suse.com/1180837
   https://bugzilla.suse.com/1185836
   https://bugzilla.suse.com/1186868
   https://bugzilla.suse.com/1189052
   https://bugzilla.suse.com/1191681



More information about the sle-updates mailing list