-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0839
           Low: openstack-ceilometer security and bug fix update
                               15 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openstack-ceilometer
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
                   Linux variants
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-3830  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2019:0566

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running openstack-ceilometer check for an updated version of the 
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: openstack-ceilometer security and bug fix update
Advisory ID:       RHSA-2019:0566-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0566
Issue date:        2019-03-14
CVE Names:         CVE-2019-3830 
=====================================================================

1. Summary:

An update for openstack-ceilometer is now available for Red Hat OpenStack
Platform 13.0 (Queens).

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 13.0 - noarch

3. Description:

OpenStack Telemetry (ceilometer) collects customer usage data for metering
purposes. Telemetry implements bus listener, push, and polling agents for
data collection. This data is stored in a database and presented via the
REST API. In addition, Telemetry's extensible design means it can be
optionally extended to gather customized data sets.

Security Fix(es):

* openstack-ceilometer: ceilometer-agent prints sensitive data from config
files through log files (CVE-2019-3830)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1659044 - Undercloud installation fails with --skip-metering-database when telemetry is enabled
1669296 - Rebase openstack-ceilometer to 8944142
1671037 - ceilometer writing snmp credentials to log file
1677389 - CVE-2019-3830 openstack-ceilometer: ceilometer-agent prints sensitive data from config files through log files

6. Package List:

Red Hat OpenStack Platform 13.0:

Source:
openstack-ceilometer-10.0.1-6.el7ost.src.rpm

noarch:
openstack-ceilometer-central-10.0.1-6.el7ost.noarch.rpm
openstack-ceilometer-common-10.0.1-6.el7ost.noarch.rpm
openstack-ceilometer-compute-10.0.1-6.el7ost.noarch.rpm
openstack-ceilometer-ipmi-10.0.1-6.el7ost.noarch.rpm
openstack-ceilometer-notification-10.0.1-6.el7ost.noarch.rpm
openstack-ceilometer-polling-10.0.1-6.el7ost.noarch.rpm
python-ceilometer-10.0.1-6.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-3830
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXIpX2NzjgjWX9erEAQgGog/+M7rUpzq67vZ+0WP9EBooybvrnlKHPxEQ
1Xqb7v5gWf6F5zUCuWhdP3ySNRAASVpqpEuW0uLKniA7Wyl00pZd3tYvBY+9uDni
0hnRZMHgQFipfBV9NYsrQEYq97KCnNscjx+0ToXhp+OXcDnARLTAx5K0XIiqYvWB
Vyf5fTjLq1CjhJpIBWxnyc9V2LPE8cFZvFOSQfvRELIldjbOGIPTG/OUA9UEuGam
6Vd/tFfMsU8YYN49E1Jr+fezM2NT1rbxOu+TKgcGdyxlRUTdJ2WolZkaC5pBmDkx
buaixokaYmhyAjsyhhurUKLCtLvfjLJakIBA651LLYTgziNJvC3/VNFXK94eKhFK
vy+KXTVQzk9Mu97YyNLOMKoLiTbuC6TuVcf7AQTmigO7dyclc24Zx4eNuFfUl6At
e2WO0FIq4xjPYPCCBI/8Bdi/EXf7aKlBlm6oOlzVXUOORcaI+UyqGgoFDHYjdqMz
w6T1hQ9/zsI8+Tbt+e5eZJtP5ZjfKIYiIGbGf+bnk7XFsdyuwQ08cSKg+5pK7+qy
RoMkDMss+nQNeBC3OvDB1fuRqP7N66qhc8i3KfJM5O91UhSpRQQuhlzNLtDboPSq
lGKG7NP/HfmnxK1P/29gJU5djDzMAUfIa4dhbeICClNQ9UXsbhODVgso6kXX9Q6Z
8AwYM/tYfo0=
=a8KE
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXIrEqmaOgq3Tt24GAQjaHQ/9E/WjXzKNMdKu1gfwWleVS/IsTnakhSFJ
At7YlprcKtuAZBwLNYUUagJNYNAU8eHzC3SBENVQYLXUNm3XyxR5ve4Z+qqaTmsk
OoDXHJEyTQTgXGzt0z37ie3a6XnXRUdReI9dF25uQSucGJsj4BfaG6n8F9JAkVXu
mY6wwQ2GkkL2P2SlAIhXoY1TfRBE8ToLED1xJhTAxU/9Nzfu1vLAPrnUN/YIFq+f
HF66oIDTHXdGz/bjhMIDMmdWUs3yG2FC/OBnxNNxrIGNKrG1l+8EhbFS105cPm+c
VU4ShPjQCGUbHx0iNurcrbLQO1RCsVFB20H3SHHFSTLWgbiEOvUNha80MPTaSOvP
ujdDyW8ro+qvve/uIsCsMz1J6jy63QB/uq+IjvK7kxj0Myv27hEl+hOxRiaI0I5N
pKNWMm2V8y1cR+4GnbHenFuFujd8r79G/obMdzdydMH0pexoJ8JJ72bPCTfuRUEW
McW06VLpSW1onhehOtd4ncwyGWSNHmXPdqhQwY1bOukr0cNMgbSq82CzFYeTwBDJ
D/iZyAs1fCGfePqeo5HWbZiYPOpDbYGwtb/LppCj4DQkrZP4KMJH4uQOSBR9wUjq
VJKY68WiwnLRyWiPkr9cypHcj7mM71W5BUaIlq+hKgDanwGzw8WdXg5X65DapESn
iasHifMz8SA=
=Cn+D
-----END PGP SIGNATURE-----