Sicherheit: Mehrere Probleme in crowbar-openstack, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store und grafana

Lesezeichen hinzufügen

SUSE Security Update: Security update for crowbar-openstack, grafana,
kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1963-1
Rating: moderate
References: #1044849 #1179805 #1181379 #1183803 #1184148
#1185623 #1186608 #1186611 SOC-11435
Cross-References: CVE-2017-11481 CVE-2017-11499 CVE-2019-25025
CVE-2020-29651 CVE-2021-27358 CVE-2021-28658
CVE-2021-31542 CVE-2021-3281 CVE-2021-33203
CVE-2021-33571
CVSS scores:
CVE-2017-11481 (NVD) : 6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2017-11481 (SUSE): 5.4
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVE-2017-11499 (NVD) : 7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2017-11499 (SUSE): 7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2019-25025 (NVD) : 5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2019-25025 (SUSE): 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2020-29651 (NVD) : 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-29651 (SUSE): 5.5
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2021-27358 (NVD) : 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-27358 (SUSE): 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-28658 (NVD) : 5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2021-28658 (SUSE): 3.3
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2021-31542 (NVD) : 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-31542 (SUSE): 6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2021-3281 (NVD) : 5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE-2021-3281 (SUSE): 6.8
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H
CVE-2021-33571 (SUSE): 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
SUSE OpenStack Cloud 7
______________________________________________________________________________

An update that fixes 10 vulnerabilities, contains one
feature is now available.

Description:

This update for crowbar-openstack, grafana, kibana, monasca-installer,
python-Django, python-py, rubygem-activerecord-session_store contains the
following fixes:

Security fixes included in this update:

crowbar-openstack:
- CVE-2016-8611: Added rate limiting for the '/images' API POST
method
(bsc#1005886).

grafana:
- CVE-2021-27358: Fixed a denial of service via remote API call
(bsc#1183803)

kibana:
- CVE-2017-11499: Fixed a vulnerability in nodejs, related to the
HashTable implementation, which could cause a denial of service
(bsc#1044849)
- CVE-2017-11481: Fixed a cross site scripting vulnerability via via URL
fields (bsc#1044849)

python-Django:
- CVE-2021-3281: Fixed a directory traversal via archive.extract()
(bsc#1181379)
- CVE-2021-28658: Fixed a directory traversal via uploaded files
(bsc#1184148)
- CVE-2021-31542: Fixed a directory traversal via uploaded files with
suitably crafted file names (bsc#1185623)
- CVE-2021-33203:Fixed potential path-traversal via admindocs'
TemplateDetailView (bsc#1186608)
- CVE-2021-33571: Tighten validator checks to not allow leading zeros in
IPv4 addresses, which potentially leads to further attacks (bsc#1186611)

python-py:
- CVE-2020-29651: Fixed a denial of service via regular expressions
(bsc#1179805)

rubygem-activerecord-session_store:
- CVE-2019-25025: Fixed a timing attacks targeting the session id which
could allow an attack to hijack sessions (bsc#1183174)

Non-security fixes included in this update:

Changes in crowbar-openstack:
- Update to version 4.0+git.1616146720.44daffca0:
* monasca: restart Kibana on update (bsc#1044849)

Changes in grafana_Update:
- Add CVE-2021-27358.patch (bsc#1183803, CVE-2021-27358)
* Prevent unauthenticated remote attackers from causing a DoS through
the snapshots API.

Changes in kibana_Update:
- Ensure /etc/sysconfig/kibana is present

- Update to Kibana 4.6.6 (bsc#1044849, CVE-2017-11499, ESA-2017-14,
ESA-2017-16)
* [4.6] ignore forked code for babel transpile build phase (#13483)
* Allow more than match queries in custom filters (#8614) (#10857)
* [state] don't make extra $location.replace() calls (#9954)
* [optimizer] move to querystring-browser package for up-to-date api
* [state/unhashUrl] use encode-uri-query to generate cleanly encoded urls
* server: refactor log_interceptor to be more DRY (#9617)
* server: downgrade ECANCELED logs to debug (#9616)
* server: do not treat logged warnings as errors (#8746) (#9610)
* [server/logger] downgrade EPIPE errors to debug level (#9023)
* Add basepath when redirecting from a trailling slash (#9035)
* [es/kibanaIndex] use unmapped_type rather than ignore_unmapped (#8968)
* [server/shortUrl] validate urls before shortening them
- Add CVE-2017-11481.patch (bsc#1044849, CVE-2017-11481)
* This fixes an XSS vulnerability in URL fields
- Remove %dir declaration from /opt/kibana/optimize to ensure no files
owned by root end up in there
- Exclude /opt/kibana/optimize from %fdupes
- Restart service on upgrade
- Do not copy LICENSE.txt and README.txt to /opt/kibana
- Fix rpmlint warnings/errors
- Switch to explicit patch application
- Fix source URL
- Fix logic for systemd/systemv detection

Changes in monasca-installer_Update:
- Add support-influxdb-1.2.patch (SOC-11435)

Changes in python-Django_Update:
- Fixed potential path-traversal via admindocs'
TemplateDetailView.(bsc#1186608, CVE-2021-33203)
- Prevented leading zeros in IPv4 addresses. (bsc#1186611, CVE-2021-33571)
- Add delegate-os-path-filename-generation-to-storage.patch (bsc#1185623)
* Needed for CVE-2021-31542.patch to apply
- Tightened path & file name sanitation in file uploads. (bsc#1185623,
CVE-2021-31542)
- Fixed potential directory-traversal via uploaded files. (bsc#1184148,
CVE-2021-28658)
- Fixes a potential directory traversal when extracting archives.
(bsc#1181379, CVE-2021-3281)

Changes in python-py_Update:
- Add CVE-2020-29651.patch (CVE-2020-29651, bsc#1179805)
* svnwc: fix regular expression vulnerable to DoS in blame functionality
- Ensure /usr/share/licenses exists

Changes in rubygem-activerecord-session_store_Update:
- added CVE-2019-25025.patch (CVE-2019-25025, bsc#1183174)
* This requires CVE-2019-16782.patch to be included in
rubygem-actionpack-4_2 to work correctly.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 7:

zypper in -t patch SUSE-OpenStack-Cloud-7-2021-1963=1

Package List:

- SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):

ruby2.1-rubygem-activerecord-session_store-0.1.2-3.4.2

- SUSE OpenStack Cloud 7 (x86_64):

grafana-6.7.4-1.24.2
kibana-4.6.6-9.2
kibana-debuginfo-4.6.6-9.2

- SUSE OpenStack Cloud 7 (noarch):

crowbar-openstack-4.0+git.1616146720.44daffca0-9.81.2
monasca-installer-20180608_12.47-16.2
python-Django-1.8.19-3.29.1
python-py-1.8.1-11.16.2

References:

https://www.suse.com/security/cve/CVE-2017-11481.html
https://www.suse.com/security/cve/CVE-2017-11499.html
https://www.suse.com/security/cve/CVE-2019-25025.html
https://www.suse.com/security/cve/CVE-2020-29651.html
https://www.suse.com/security/cve/CVE-2021-27358.html
https://www.suse.com/security/cve/CVE-2021-28658.html
https://www.suse.com/security/cve/CVE-2021-31542.html
https://www.suse.com/security/cve/CVE-2021-3281.html
https://www.suse.com/security/cve/CVE-2021-33203.html
https://www.suse.com/security/cve/CVE-2021-33571.html
https://bugzilla.suse.com/1044849
https://bugzilla.suse.com/1179805
https://bugzilla.suse.com/1181379
https://bugzilla.suse.com/1183803
https://bugzilla.suse.com/1184148
https://bugzilla.suse.com/1185623
https://bugzilla.suse.com/1186608
https://bugzilla.suse.com/1186611