ESB-2018.3392 - [SUSE] ardana-monasca, ardana-spark, kafka, kafka-kit and openstack-monasca-api: Delete arbitrary files - Existing account 2018-10-31


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3392
         SUSE Security Update: Security update for ardana-monasca,
           ardana-spark, kafka, kafka-kit, openstack-monasca-api
                              31 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ardana-monasca
                   ardana-spark
                   kafka
                   kafka-kit
                   openstack-monasca-api
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Delete Arbitrary Files -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1288  

Reference:         ESB-2018.2952
                   ESB-2018.2701
                   ESB-2018.2546
                   ESB-2018.1946.2

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2018/suse-su-20183563-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for ardana-monasca, ardana-spark, kafka, kafka-kit, openstack-monasca-api
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:3563-1
Rating:             important
References:         #1094851 #1094971 #1102662 #1102920 
Cross-References:   CVE-2018-1288
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes
   is now available.

Description:

   This update for ardana-monasca, ardana-spark, kafka, kafka-kit,
   openstack-monasca-api fixes the following issues:

   This update for ardana-monasca to version 8.0+git.1535031421.9262a47 fixes
   these issues:

   - Requests Apache to reload on change (bsc#1102662)
   - Avoids managing non-Monasca users (bsc#1102662)
   - Line up perms on storm.conf to match rpm (bsc#1094971)

   This update for ardana-spark to version 8.0+git.1532114050.04654a8 fixes
   this issue:

   - Only set log dir perms on legacy install (bsc#1094851)

   This update for kafka to version 0.10.2.2 fixes this security issue:

   - CVE-2018-1288: An authenticated Kafka user could perform actions
     reserved for the broker by sending a manually crafted fetch request that
     interferes with data replication, resulting in data loss (bsc#1102920).

   This update for kafka to version 0.10.2.2 fixes these non-security issues:

   - set internal.leave.group.on.close to false in KafkaStreams
   - Improve message for Kafka failed startup with non-Kafka data in data.dirs
   - add max_number_of_retries to exponential backoff strategy
   - Mute logger for reflections.org at the warn level in system tests
   - Kafka connect: error with special characters in connector name
   - streams task gets stuck after re-balance due to LockException
   - CachingSessionStore doesn't use the default keySerde.
   - RocksDBSessionStore doesn't use default aggSerde.
   - Recommended values for Connect transformations contain the wrong class
     name
   - Kafka broker fails to start if a topic containing dot in its name is
     marked for delete but hasn't been deleted during previous uptime
   - GlobalKTable does not checkpoint offsets after restoring state
   - Log cleaning can increase message size and cause cleaner to crash with
     buffer overflow
   - Some socket connections not closed after restart of Kafka Streams
   - Distributed Herder Deadlocks on Shutdown
   - Log cleaner fails due to large offset in segment file
   - StreamsKafkaClient should not use StreamsConfig.POLL_MS_CONFIG
   - Refactor kafkatest docker support
   - ducktape kafka service: do not assume Service contains num_nodes
   - Using _DUCKTAPE_OPTIONS has no effect on executing tests
   - Connect WorkerSinkTask out of order offset commit can lead to
     inconsistent state
   - RocksDB segments not removed when store is closed causes
     re-initialization to fail
   - FetchMetadata creates unneeded Strings on instantiation
   - SourceTask#stop() not called after exception raised in poll()
   - Sink connectors that explicitly 'resume' topic partitions can resume a
     paused task
   - GlobalStateManagerImpl should not write offsets of in-memory stores in
     checkpoint file
   - Source KTable checkpoint is not correct
   - ConnectSchema#equals() broken for array-typed default values

   This update for openstack-monasca-api to version 2.2.1~dev24 fixes these
   issues:

   - devstack: download storm from archive.apache.org
   - Backport tempest test robustness improvements
   - 1724543-fixed kafka partition creation error in devstack installation
   - Fix: No alarms created if metric name in alarm def. expr. is mixed case
   - Zuul: Remove project name
   - Run against Pike requirements


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2018-2523=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2018-2523=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2018-2523=1



Package List:

   - SUSE OpenStack Cloud Crowbar 8 (noarch):

      openstack-monasca-api-2.2.1~dev24-3.6.1
      python-monasca-api-2.2.1~dev24-3.6.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      kafka-0.10.2.2-5.6.1

   - SUSE OpenStack Cloud 8 (noarch):

      ardana-monasca-8.0+git.1535031421.9262a47-3.12.1
      ardana-spark-8.0+git.1534267176.a5f3a22-3.6.1
      openstack-monasca-api-2.2.1~dev24-3.6.1
      python-monasca-api-2.2.1~dev24-3.6.1

   - SUSE OpenStack Cloud 8 (x86_64):

      kafka-0.10.2.2-5.6.1

   - HPE Helion Openstack 8 (noarch):

      ardana-monasca-8.0+git.1535031421.9262a47-3.12.1
      ardana-spark-8.0+git.1534267176.a5f3a22-3.6.1
      openstack-monasca-api-2.2.1~dev24-3.6.1
      python-monasca-api-2.2.1~dev24-3.6.1

   - HPE Helion Openstack 8 (x86_64):

      kafka-0.10.2.2-5.6.1
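
   To confirm after patching that every node actually carries the fixed builds,
   the script below (an added example written for this bulletin, not SUSE's or
   AusCERT's tooling) compares the output of
   rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n' against the Package List
   above. It reimplements rpm's segment-wise version comparison so that the
   "~dev24" pre-release marker and the "+git.<timestamp>" versions order
   correctly; the fixed versions are taken from the Package List (for
   ardana-spark that is the build listed there, 8.0+git.1534267176.a5f3a22).
   The rpm -qa sample embedded in the script is constructed for illustration,
   not captured from a real host, and the script name is arbitrary.

```python
"""Verify that a host carries the fixed packages from SUSE-SU-2018:3563-1.

Reads lines "<name> <version> <release>" as produced by
    rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'
and reports advisory packages still older than the fixed build.
The sample input below is constructed, not captured from a real host.
"""
import re
import sys
from typing import Dict, List, Tuple

# Fixed builds from the advisory's Package List: name -> (version, release).
FIXED: Dict[str, Tuple[str, str]] = {
    "ardana-monasca": ("8.0+git.1535031421.9262a47", "3.12.1"),
    "ardana-spark": ("8.0+git.1534267176.a5f3a22", "3.6.1"),
    "openstack-monasca-api": ("2.2.1~dev24", "3.6.1"),
    "python-monasca-api": ("2.2.1~dev24", "3.6.1"),
    "kafka": ("0.10.2.2", "5.6.1"),
}

# Constructed sample of 'rpm -qa' output describing a partially patched node.
SAMPLE_RPM_QA = """\
kafka 0.10.2.1 5.3.1
openstack-monasca-api 2.2.1~dev24 3.6.1
python-monasca-api 2.2.1~dev23 3.3.1
ardana-monasca 8.0+git.1535031421.9262a47 3.12.1
ardana-spark 8.0+git.1532114050.04654a8 3.3.1
bash 4.4 9.1
"""


def _is_alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings like rpm's rpmvercmp().

    Returns -1, 0 or 1. Segments are runs of digits or letters; separators
    such as '.', '+' and '-' are skipped. Numeric segments compare
    numerically and beat alphabetic ones. A '~' sorts before anything,
    including the end of the string, so '2.2.1~dev24' < '2.2.1'.
    The '^' marker of newer rpm releases is not implemented here.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _is_alnum(a[i]) and a[i] != "~":
            i += 1
        while j < len(b) and not _is_alnum(b[j]) and b[j] != "~":
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = "0" <= a[i] <= "9"
        pattern = r"[0-9]+" if numeric else r"[A-Za-z]+"
        seg_a = re.match(pattern, a[i:]).group(0)
        m = re.match(pattern, b[j:])
        if m is None:
            # Segment types differ: the numeric side is considered newer.
            return 1 if numeric else -1
        seg_b = m.group(0)
        i += len(seg_a)
        j += len(seg_b)
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def compare_evr(ver: str, rel: str, fixed_ver: str, fixed_rel: str) -> int:
    """Compare installed version-release against the fixed one, version first."""
    c = rpmvercmp(ver, fixed_ver)
    return c if c != 0 else rpmvercmp(rel, fixed_rel)


def parse_rpm_qa(text: str) -> List[Tuple[str, str, str]]:
    """Parse '<name> <version> <release>' lines; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((parts[0], parts[1], parts[2]))
    return rows


def vulnerable_packages(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {name: (installed, fixed)} for advisory packages below the fix."""
    out: Dict[str, Tuple[str, str]] = {}
    for name, ver, rel in parse_rpm_qa(text):
        if name in FIXED and compare_evr(ver, rel, *FIXED[name]) < 0:
            out[name] = (f"{ver}-{rel}", "-".join(FIXED[name]))
    return out


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_QA
    missing = vulnerable_packages(data)
    for name, (have, want) in sorted(missing.items()):
        print(f"{name}: installed {have}, fixed in {want}")
    sys.exit(1 if missing else 0)
```

   Run it on each node as
   rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n' | python3 check_su_2018_3563.py;
   a non-zero exit means at least one advisory package is still below the
   fixed build. Packages not listed in the advisory (bash in the sample) are
   ignored, and a package that is absent from rpm -qa is not reported at all,
   so pair the check with the product's own patch status (zypper patches).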


References:

   https://www.suse.com/security/cve/CVE-2018-1288.html
   https://bugzilla.suse.com/1094851
   https://bugzilla.suse.com/1094971
   https://bugzilla.suse.com/1102662
   https://bugzilla.suse.com/1102920

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
