
Security: Two problems in Cloud7
Name: Two problems in Cloud7
ID: SUSE-SU-2019:1450-1
Distribution: SUSE
Platforms: SUSE OpenStack Cloud 7, SUSE Enterprise Storage 4
Date: Fri, 7 June 2019, 20:16
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000433
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000872
Applications: Cloud7

Original message


SUSE Security Update: Security update for Cloud7 packages
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:1450-1
Rating: moderate
References: #1063535 #1074662 #1112767 #1113107 #1118004
#1120767 #1122053 #1122875 #1123709 #1127558
#1127752 #1128954 #1128987 #1130414 #1131053

Cross-References: CVE-2017-1000433 CVE-2018-1000872
Affected Products:
SUSE OpenStack Cloud 7
SUSE Enterprise Storage 4
______________________________________________________________________________

An update that solves two vulnerabilities and has 13 fixes
is now available.

Description:

This update provides fixes for issues in the following packages:

caasp-openstack-heat-templates:

- Update to version 1.0+git.1553079189.3bf8922:
* SCRD-2813 Add support for CPI parameters
- Update to version 1.0+git.1547562889.43707e7:
* Switch LB protocol from HTTP to HTTPS

crowbar:

- Update to version 4.0+git.1551088848.823bcaa3:
* install-chef-suse: filter comments from authorized_keys file

crowbar-core:

- Update to version 4.0+git.1556285635.ab602dd4d:
* network: run wicked ifdown for interface cleanup (bsc#1063535)
- Update to version 4.0+git.1554931881.d98412e0e:
* Fix cloud-mkcloud9-job-backup-restore (SCRD-7126)
- Update to version 4.0+git.1552239940.5bc9aaac4:
* crowbar: Do not rely on Chef::Util::FileEdit to write the file
(bsc#1127752)
- Update to version 4.0+git.1550493400.9787ea9ad:
* upgrade: Delay status switch after upgrade ends
- Update to version 4.0+git.1549474445.d9a35cf52:
* fix hound warning
* Support RAID 0
- Packaged default upgrade timeouts file
- Update to version 4.0+git.1549136953.afcde921f:
* apache2: enable sslsessioncache
- Update to version 4.0+git.1548859099.0edbbfdc2:
* upgrade: Add default upgrade timeouts file

crowbar-ha:

- Update to version 4.0+git.1556181005.47c643d:
* pacemaker: wait more for founder if SBD is configured (SCRD-8462)
* pacemaker: don't check cluster members on founder (SCRD-8462)
- Update to version 4.0+git.1554215159.8a42a71:
* improve galera HA setup (bsc#1122875)

crowbar-openstack:

- Update to version 4.0+git.1554887450.ff7c30c1c:
* neutron: Added option to use L3 HA with Keepalived
- Update to version 4.0+git.1554843756.5622551da:
* ironic: Fix regression in helper
- Update to version 4.0+git.1554814630.ec3c89f25:
* ceilometer: Install package which contains cron file (bsc#1130414)
- Update to version 4.0+git.1551459192.89433e13b:
* rabbit: fix mirroring regex
- Update to version 4.0+git.1550582615.f6b433ec7:
* ceilometer: Use pacemaker to handle expirer cron link (bsc#1113107)
- Update to version 4.0+git.1550262335.9667fa580:
* mysql: Do not set a custom logfile for mysqld (bsc#1112767)
* mysql: create .my.cnf in root home directory for mysql cmdline
- Update to version 4.0+git.1549986893.df836d6cc:
* mariadb: Remove installing the xtrabackup package
* ssl: Fix ACL setup in ssl_setup provider (bsc#1123709)

galera-python-clustercheck:

- readtimeout.patch: Add socket read timeout (bsc#1122053)

openstack-ceilometer:

- Install openstack-ceilometer-expirer.cron into /usr/share/ceilometer.
This is needed in a clustered environment where multiple
ceilometer-collector services are installed on different nodes (and, as a
result, multiple expirer cron jobs are installed). That can lead to
deadlocks when the cron jobs run in parallel on the different nodes
(bsc#1113107)

openstack-heat-gbp:

- switch to newton branch

python-PyKMIP:

- Fix a denial-of-service bug by setting the server socket timeout
(bsc#1120767 CVE-2018-1000872)
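
The galera-python-clustercheck entry (readtimeout.patch) and the python-PyKMIP entry above both add a socket timeout. The following is an added illustration of why a server-side read timeout matters; it is not the code of either patch, and the function names, the newline-terminated request format and the 0.2 s value are assumptions made for the demo.

```python
import socket
import time

READ_TIMEOUT = 0.2  # seconds; constructed demo value, not taken from either patch


def read_request(conn, timeout=READ_TIMEOUT, limit=4096):
    """Read one newline-terminated request from conn, then close it.

    Returns (status, data); status is "ok", "timeout", "closed" or "too_long".
    """
    deadline = time.monotonic() + timeout  # bound the whole read, not each recv()
    buf = b""
    try:
        while b"\n" not in buf:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return "timeout", buf
            conn.settimeout(remaining)  # without a timeout recv() blocks forever
            chunk = conn.recv(1024)
            if not chunk:
                return "closed", buf
            buf += chunk
            if len(buf) > limit:
                return "too_long", buf
        return "ok", buf.split(b"\n", 1)[0]
    except socket.timeout:
        return "timeout", buf
    finally:
        conn.close()  # release the descriptor whatever the outcome


def demo():
    """Exercise the reader with three constructed peers over socketpair()."""
    outcomes = {}
    for name, payload in (("silent", b""), ("partial", b"PIN"), ("normal", b"PING\n")):
        server_side, client_side = socket.socketpair()
        if payload:
            client_side.sendall(payload)
        outcomes[name] = read_request(server_side)
        client_side.close()
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The deadline covers the whole request, so a peer that sends a few bytes and then stalls is dropped just like one that sends nothing.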

python-pysaml2:

- Fix for the authentication bypass due to optimizations
(CVE-2017-1000433, bsc#1074662)
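
CVE-2017-1000433 concerns pysaml2 accepting any password when Python runs with optimizations enabled. Python's -O mode removes assert statements, so a check written as an assert stops running. The following added example shows that pitfall beside an explicit check, plus a small review aid; it is not pysaml2 code, and all function names and sample values are constructed for illustration.

```python
import ast
import subprocess
import sys

# Constructed child program: two ways to write the same password check.
CHILD = r'''
import hmac, sys

def verify_with_assert(supplied, stored):
    try:
        assert hmac.compare_digest(supplied, stored)  # removed entirely under -O
    except AssertionError:
        return False
    return True

def verify_explicit(supplied, stored):
    return hmac.compare_digest(supplied, stored)      # survives every -O level

check = {"assert": verify_with_assert, "explicit": verify_explicit}[sys.argv[1]]
print(check(b"wrong-password", b"constructed-secret"))
'''


def accepts_wrong_password(style, optimized):
    """Run the chosen check in a child interpreter, with or without -O."""
    cmd = [sys.executable] + (["-O"] if optimized else []) + ["-c", CHILD, style]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return out.strip() == "True"


def find_asserts(source):
    """Return sorted line numbers of assert statements in Python source."""
    tree = ast.parse(source)
    return sorted(n.lineno for n in ast.walk(tree) if isinstance(n, ast.Assert))


if __name__ == "__main__":
    for style in ("assert", "explicit"):
        for optimized in (False, True):
            print(style, "-O" if optimized else "default",
                  "accepts wrong password:", accepts_wrong_password(style, optimized))
    print("assert statements at lines:", find_asserts(CHILD))
```

Running `find_asserts` over non-test source files of a service is a quick way to spot checks that would disappear under -O or PYTHONOPTIMIZE.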

rubygem-crowbar-client:

- Update to 3.9.0
- Add support for the restricted APIs
- Add --raw to "proposal show" and "proposal edit"
- Correctly parse error messages that we don't handle natively
- Better upgrade repocheck output
- Update to 3.7.0
- upgrade: Use cloud_version config for upgrade
- ses: Add ses upload subcommand
- Add cloud_version config field.
- Wrap os-release file parsing for better reuse.
- upgrade: Fix repocheck component in error message
- upgrade: Better repocheck output
- updated to version 3.6.1
* Hide the database step when it is not used (bsc#1118004)
* Fix help strings
* Describe how to upgrade more nodes with one command


Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 7:

zypper in -t patch SUSE-OpenStack-Cloud-7-2019-1450=1

- SUSE Enterprise Storage 4:

zypper in -t patch SUSE-Storage-4-2019-1450=1



Package List:

- SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):

crowbar-core-4.0+git.1556285635.ab602dd4d-9.46.3
crowbar-core-branding-upstream-4.0+git.1556285635.ab602dd4d-9.46.3
ruby2.1-rubygem-crowbar-client-3.9.0-7.14.2

- SUSE OpenStack Cloud 7 (noarch):

caasp-openstack-heat-templates-1.0+git.1553079189.3bf8922-1.6.2
crowbar-4.0+git.1551088848.823bcaa3-7.29.2
crowbar-devel-4.0+git.1551088848.823bcaa3-7.29.2
crowbar-ha-4.0+git.1556181005.47c643d-4.46.3
crowbar-openstack-4.0+git.1554887450.ff7c30c1c-9.51.3
galera-python-clustercheck-0.0+git.1506329536.8f5878c-1.6.2
openstack-ceilometer-7.1.1~dev4-4.15.3
openstack-ceilometer-agent-central-7.1.1~dev4-4.15.3
openstack-ceilometer-agent-compute-7.1.1~dev4-4.15.3
openstack-ceilometer-agent-ipmi-7.1.1~dev4-4.15.3
openstack-ceilometer-agent-notification-7.1.1~dev4-4.15.3
openstack-ceilometer-api-7.1.1~dev4-4.15.3
openstack-ceilometer-collector-7.1.1~dev4-4.15.3
openstack-ceilometer-doc-7.1.1~dev4-4.15.3
openstack-ceilometer-polling-7.1.1~dev4-4.15.3
openstack-heat-gbp-5.1.1~dev1-2.6.3
python-PyKMIP-0.5.0-3.3.3
python-ceilometer-7.1.1~dev4-4.15.3
python-heat-gbp-5.1.1~dev1-2.6.3
python-pysaml2-4.0.2-3.6.3

- SUSE Enterprise Storage 4 (aarch64 x86_64):

crowbar-core-4.0+git.1556285635.ab602dd4d-9.46.3
ruby2.1-rubygem-crowbar-client-3.9.0-7.14.2

- SUSE Enterprise Storage 4 (noarch):

crowbar-4.0+git.1551088848.823bcaa3-7.29.2


References:

https://www.suse.com/security/cve/CVE-2017-1000433.html
https://www.suse.com/security/cve/CVE-2018-1000872.html
https://bugzilla.suse.com/1063535
https://bugzilla.suse.com/1074662
https://bugzilla.suse.com/1112767
https://bugzilla.suse.com/1113107
https://bugzilla.suse.com/1118004
https://bugzilla.suse.com/1120767
https://bugzilla.suse.com/1122053
https://bugzilla.suse.com/1122875
https://bugzilla.suse.com/1123709
https://bugzilla.suse.com/1127558
https://bugzilla.suse.com/1127752
https://bugzilla.suse.com/1128954
https://bugzilla.suse.com/1128987
https://bugzilla.suse.com/1130414
https://bugzilla.suse.com/1131053

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates