===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3392
   SUSE Security Update: Security update for ardana-monasca, ardana-spark,
                  kafka, kafka-kit, openstack-monasca-api
                              31 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ardana-monasca
                   ardana-spark
                   kafka
                   kafka-kit
                   openstack-monasca-api
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Delete Arbitrary Files -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1288
Reference:         ESB-2018.2952
                   ESB-2018.2701
                   ESB-2018.2546
                   ESB-2018.1946.2

Original Bulletin:
   https://www.suse.com/support/update/announcement/2018/suse-su-20183563-1/

--------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for ardana-monasca, ardana-spark,
   kafka, kafka-kit, openstack-monasca-api
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:3563-1
Rating:             important
References:         #1094851 #1094971 #1102662 #1102920
Cross-References:   CVE-2018-1288
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes is now
   available.
Description:

   This update for ardana-monasca, ardana-spark, kafka, kafka-kit,
   openstack-monasca-api fixes the following issues:

   This update for ardana-monasca to version 8.0+git.1535031421.9262a47 fixes
   these issues:

   - Requests Apache to reload on change (bsc#1102662)
   - Avoids managing non-Monasca users (bsc#1102662)
   - Line up perms on storm.conf to match rpm (bsc#1094971)

   This update for ardana-spark to version 8.0+git.1532114050.04654a8 fixes
   this issue:

   - Only set log dir perms on legacy install (bsc#1094851)

   This update for kafka to version 0.10.2.2 fixes this security issue:

   - CVE-2018-1288: Authenticated Kafka users may have performed an action
     reserved for the Broker via a manually created fetch request, interfering
     with data replication and resulting in data loss (bsc#1102920).

   This update for kafka to version 0.10.2.2 fixes these non-security issues:

   - set internal.leave.group.on.close to false in KafkaStreams
   - Improve message for Kafka failed startup with non-Kafka data in data.dirs
   - add max_number_of_retries to exponential backoff strategy
   - Mute logger for reflections.org at the warn level in system tests
   - Kafka connect: error with special characters in connector name
   - streams task gets stuck after re-balance due to LockException
   - CachingSessionStore doesn't use the default keySerde.
   - RocksDBSessionStore doesn't use default aggSerde.
   - Recommended values for Connect transformations contain the wrong class
     name
   - Kafka broker fails to start if a topic containing dot in its name is
     marked for delete but hasn't been deleted during previous uptime
   - GlobalKTable does not checkpoint offsets after restoring state
   - Log cleaning can increase message size and cause cleaner to crash with
     buffer overflow
   - Some socket connections not closed after restart of Kafka Streams
   - Distributed Herder Deadlocks on Shutdown
   - Log cleaner fails due to large offset in segment file
   - StreamsKafkaClient should not use StreamsConfig.POLL_MS_CONFIG
   - Refactor kafkatest docker support
   - ducktape kafka service: do not assume Service contains num_nodes
   - Using _DUCKTAPE_OPTIONS has no effect on executing tests
   - Connect WorkerSinkTask out of order offset commit can lead to
     inconsistent state
   - RocksDB segments not removed when store is closed causes
     re-initialization to fail
   - FetchMetadata creates unneeded Strings on instantiation
   - SourceTask#stop() not called after exception raised in poll()
   - Sink connectors that explicitly 'resume' topic partitions can resume a
     paused task
   - GlobalStateManagerImpl should not write offsets of in-memory stores in
     checkpoint file
   - Source KTable checkpoint is not correct
   - ConnectSchema#equals() broken for array-typed default values

   This update for openstack-monasca-api to version 2.2.1~dev24 fixes these
   issues:

   - devstack: download storm from archive.apache.org
   - Backport tempest test robustness improvements
   - 1724543-fixed kafka partition creation error in devstack installation
   - Fix: No alarms created if metric name in alarm def. expr. is mix case
   - Zuul: Remove project name
   - Run against Pike requirements

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2018-2523=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2018-2523=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2018-2523=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (noarch):

      openstack-monasca-api-2.2.1~dev24-3.6.1
      python-monasca-api-2.2.1~dev24-3.6.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      kafka-0.10.2.2-5.6.1

   - SUSE OpenStack Cloud 8 (noarch):

      ardana-monasca-8.0+git.1535031421.9262a47-3.12.1
      ardana-spark-8.0+git.1534267176.a5f3a22-3.6.1
      openstack-monasca-api-2.2.1~dev24-3.6.1
      python-monasca-api-2.2.1~dev24-3.6.1

   - SUSE OpenStack Cloud 8 (x86_64):

      kafka-0.10.2.2-5.6.1

   - HPE Helion Openstack 8 (noarch):

      ardana-monasca-8.0+git.1535031421.9262a47-3.12.1
      ardana-spark-8.0+git.1534267176.a5f3a22-3.6.1
      openstack-monasca-api-2.2.1~dev24-3.6.1
      python-monasca-api-2.2.1~dev24-3.6.1

   - HPE Helion Openstack 8 (x86_64):

      kafka-0.10.2.2-5.6.1

References:

   https://www.suse.com/security/cve/CVE-2018-1288.html
   https://bugzilla.suse.com/1094851
   https://bugzilla.suse.com/1094971
   https://bugzilla.suse.com/1102662
   https://bugzilla.suse.com/1102920

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
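Added example (not part of the SUSE or AusCERT bulletin): a POSIX shell audit that checks the installed packages against the fixed builds from the bulletin's Package List, so a host is confirmed remediated rather than assumed to be. It assumes an rpm-based SUSE OpenStack Cloud 8 host and GNU sort -V for version ordering; the helper names and the audit loop are this example's own.

```shell
# Added example, not part of the SUSE or AusCERT bulletin: verify that the packages
# from the bulletin's Package List are installed at or beyond the fixed build before
# closing this advisory. Helper names are this example's own; the fixed versions are
# the SUSE OpenStack Cloud 8 entries from the bulletin.

# version_ge A B: succeeds when A >= B under GNU "sort -V" ordering. Caveat: the
# authoritative RPM comparison (epochs, tilde pre-releases such as 2.2.1~dev24)
# is "zypper versioncmp A B" on the host; use that when in doubt.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# classify_version INSTALLED FIXED: prints absent, fixed or vulnerable.
# INSTALLED is VERSION-RELEASE as printed by rpm, or "none" if not installed.
classify_version() {
  if [ "$1" = none ]; then echo absent
  elif version_ge "$1" "$2"; then echo fixed
  else echo vulnerable
  fi
}

# installed_version PKG: VERSION-RELEASE of the installed rpm, or "none".
installed_version() {
  if v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$1" 2>/dev/null); then echo "$v"
  else echo none
  fi
}

# audit_host: report every listed package; exit 1 if any is still below the fix.
audit_host() {
  status=0
  while read -r pkg fixed; do
    state=$(classify_version "$(installed_version "$pkg")" "$fixed")
    printf '%-22s %-40s %s\n' "$pkg" "$fixed" "$state"
    if [ "$state" = vulnerable ]; then status=1; fi
  done <<EOF
kafka 0.10.2.2-5.6.1
ardana-monasca 8.0+git.1535031421.9262a47-3.12.1
ardana-spark 8.0+git.1534267176.a5f3a22-3.6.1
openstack-monasca-api 2.2.1~dev24-3.6.1
python-monasca-api 2.2.1~dev24-3.6.1
EOF
  return $status
}

# Only touch the rpm database when asked, so the helpers can also be sourced.
if [ "${1:-}" = --audit ]; then audit_host; fi
```

Run it as `sh audit.sh --audit` on each host in the affected products; a non-zero exit means at least one listed package is still below the fixed build.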