Mehrere Probleme in crowbar-openstack, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store und grafana
ID: | SUSE-SU-2021:1963-1 |
Distribution: | SUSE |
Plattformen: | SUSE OpenStack Cloud 7 |
Datum: | Fr, 11. Juni 2021, 22:30 |
Referenzen: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31542 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33203 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27358 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28658 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29651 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3281 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33571 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25025 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11481 |
Applikationen: | crowbar-openstack, kibana, monasca-installer, python-py, rubygem-activerecord-session_store, Django, Grafana |
Originalnachricht |
|
SUSE Security Update: Security update for crowbar-openstack, grafana, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1963-1 Rating: moderate References: #1044849 #1179805 #1181379 #1183803 #1184148 #1185623 #1186608 #1186611 SOC-11435 Cross-References: CVE-2017-11481 CVE-2017-11499 CVE-2019-25025 CVE-2020-29651 CVE-2021-27358 CVE-2021-28658 CVE-2021-31542 CVE-2021-3281 CVE-2021-33203 CVE-2021-33571 CVSS scores: CVE-2017-11481 (NVD) : 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2017-11481 (SUSE): 5.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2017-11499 (NVD) : 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-11499 (SUSE): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-25025 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2019-25025 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-29651 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-29651 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-27358 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-27358 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28658 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2021-28658 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2021-31542 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-31542 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-3281 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2021-3281 (SUSE): 6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H CVE-2021-33571 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE OpenStack Cloud 7 ______________________________________________________________________________ An update that fixes 10 vulnerabilities, contains one feature is now available. Description: This update for crowbar-openstack, grafana, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store contains the following fixes: Security fixes included in this update: crowbar-openstack: - CVE-2016-8611: Added rate limiting for the '/images' API POST method (bsc#1005886). grafana: - CVE-2021-27358: Fixed a denial of service via remote API call (bsc#1183803) kibana: - CVE-2017-11499: Fixed a vulnerability in nodejs, related to the HashTable implementation, which could cause a denial of service (bsc#1044849) - CVE-2017-11481: Fixed a cross site scripting vulnerability via via URL fields (bsc#1044849) python-Django: - CVE-2021-3281: Fixed a directory traversal via archive.extract() (bsc#1181379) - CVE-2021-28658: Fixed a directory traversal via uploaded files (bsc#1184148) - CVE-2021-31542: Fixed a directory traversal via uploaded files with suitably crafted file names (bsc#1185623) - CVE-2021-33203:Fixed potential path-traversal via admindocs' TemplateDetailView (bsc#1186608) - CVE-2021-33571: Tighten validator checks to not allow leading zeros in IPv4 addresses, which potentially leads to further attacks (bsc#1186611) python-py: - CVE-2020-29651: Fixed a denial of service via regular expressions (bsc#1179805) rubygem-activerecord-session_store: - CVE-2019-25025: Fixed a timing attacks targeting the session id which could allow an attack to hijack sessions (bsc#1183174) Non-security fixes included in this update: Changes in crowbar-openstack: - Update to version 4.0+git.1616146720.44daffca0: * monasca: restart Kibana on update (bsc#1044849) Changes in grafana_Update: - Add CVE-2021-27358.patch (bsc#1183803, CVE-2021-27358) * Prevent unauthenticated remote attackers from causing a DoS through the snapshots API. Changes in kibana_Update: - Ensure /etc/sysconfig/kibana is present - Update to Kibana 4.6.6 (bsc#1044849, CVE-2017-11499, ESA-2017-14, ESA-2017-16) * [4.6] ignore forked code for babel transpile build phase (#13483) * Allow more than match queries in custom filters (#8614) (#10857) * [state] don't make extra $location.replace() calls (#9954) * [optimizer] move to querystring-browser package for up-to-date api * [state/unhashUrl] use encode-uri-query to generate cleanly encoded urls * server: refactor log_interceptor to be more DRY (#9617) * server: downgrade ECANCELED logs to debug (#9616) * server: do not treat logged warnings as errors (#8746) (#9610) * [server/logger] downgrade EPIPE errors to debug level (#9023) * Add basepath when redirecting from a trailling slash (#9035) * [es/kibanaIndex] use unmapped_type rather than ignore_unmapped (#8968) * [server/shortUrl] validate urls before shortening them - Add CVE-2017-11481.patch (bsc#1044849, CVE-2017-11481) * This fixes an XSS vulnerability in URL fields - Remove %dir declaration from /opt/kibana/optimize to ensure no files owned by root end up in there - Exclude /opt/kibana/optimize from %fdupes - Restart service on upgrade - Do not copy LICENSE.txt and README.txt to /opt/kibana - Fix rpmlint warnings/errors - Switch to explicit patch application - Fix source URL - Fix logic for systemd/systemv detection Changes in monasca-installer_Update: - Add support-influxdb-1.2.patch (SOC-11435) Changes in python-Django_Update: - Fixed potential path-traversal via admindocs' TemplateDetailView.(bsc#1186608, CVE-2021-33203) - Prevented leading zeros in IPv4 addresses. (bsc#1186611, CVE-2021-33571) - Add delegate-os-path-filename-generation-to-storage.patch (bsc#1185623) * Needed for CVE-2021-31542.patch to apply - Tightened path & file name sanitation in file uploads. (bsc#1185623, CVE-2021-31542) - Fixed potential directory-traversal via uploaded files. (bsc#1184148, CVE-2021-28658) - Fixes a potential directory traversal when extracting archives. (bsc#1181379, CVE-2021-3281) Changes in python-py_Update: - Add CVE-2020-29651.patch (CVE-2020-29651, bsc#1179805) * svnwc: fix regular expression vulnerable to DoS in blame functionality - Ensure /usr/share/licenses exists Changes in rubygem-activerecord-session_store_Update: - added CVE-2019-25025.patch (CVE-2019-25025, bsc#1183174) * This requires CVE-2019-16782.patch to be included in rubygem-actionpack-4_2 to work correctly. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2021-1963=1 Package List: - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64): ruby2.1-rubygem-activerecord-session_store-0.1.2-3.4.2 - SUSE OpenStack Cloud 7 (x86_64): grafana-6.7.4-1.24.2 kibana-4.6.6-9.2 kibana-debuginfo-4.6.6-9.2 - SUSE OpenStack Cloud 7 (noarch): crowbar-openstack-4.0+git.1616146720.44daffca0-9.81.2 monasca-installer-20180608_12.47-16.2 python-Django-1.8.19-3.29.1 python-py-1.8.1-11.16.2 References: https://www.suse.com/security/cve/CVE-2017-11481.html https://www.suse.com/security/cve/CVE-2017-11499.html https://www.suse.com/security/cve/CVE-2019-25025.html https://www.suse.com/security/cve/CVE-2020-29651.html https://www.suse.com/security/cve/CVE-2021-27358.html https://www.suse.com/security/cve/CVE-2021-28658.html https://www.suse.com/security/cve/CVE-2021-31542.html https://www.suse.com/security/cve/CVE-2021-3281.html https://www.suse.com/security/cve/CVE-2021-33203.html https://www.suse.com/security/cve/CVE-2021-33571.html https://bugzilla.suse.com/1044849 https://bugzilla.suse.com/1179805 https://bugzilla.suse.com/1181379 https://bugzilla.suse.com/1183803 https://bugzilla.suse.com/1184148 https://bugzilla.suse.com/1185623 https://bugzilla.suse.com/1186608 https://bugzilla.suse.com/1186611 |