-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2053
          SUSE-SU-2019:1450-1 Security update for Cloud7 packages
                               10 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cloud7
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000872 CVE-2017-1000433 

Reference:         ESB-2019.0485
                   ESB-2018.1908
                   ESB-2018.0093

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2019/suse-su-20191450-1.html

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for Cloud7 packages

______________________________________________________________________________

Announcement ID:   SUSE-SU-2019:1450-1
Rating:            moderate
References:        #1063535 #1074662 #1112767 #1113107 #1118004 #1120767
                   #1122053 #1122875 #1123709 #1127558 #1127752 #1128954
                   #1128987 #1130414 #1131053
Cross-References:  CVE-2017-1000433 CVE-2018-1000872
Affected Products:
                   SUSE OpenStack Cloud 7
                   SUSE Enterprise Storage 4
______________________________________________________________________________

An update that solves two vulnerabilities and has 13 fixes is now available.

Description:

This update provides fixes for the following package issues:

caasp-openstack-heat-templates:

  o Update to version 1.0+git.1553079189.3bf8922:
    - SCRD-2813 Add support for CPI parameters
  o Update to version 1.0+git.1547562889.43707e7:
    - Switch LB protocol from HTTP to HTTPS


crowbar:

  o Update to version 4.0+git.1551088848.823bcaa3:
    - install-chef-suse: filter comments from authorized_keys file


crowbar-core:

  o Update to version 4.0+git.1556285635.ab602dd4d:
    - network: run wicked ifdown for interface cleanup (bsc#1063535)
  o Update to version 4.0+git.1554931881.d98412e0e:
    - Fix cloud-mkcloud9-job-backup-restore (SCRD-7126)
  o Update to version 4.0+git.1552239940.5bc9aaac4:
    - crowbar: Do not rely on Chef::Util::FileEdit to write the file
      (bsc#1127752)
  o Update to version 4.0+git.1550493400.9787ea9ad:
    - upgrade: Delay status switch after upgrade ends
  o Update to version 4.0+git.1549474445.d9a35cf52:
    - fix hound warning
    - Support RAID 0
  o Packaged default upgrade timeouts file
  o Update to version 4.0+git.1549136953.afcde921f:
    - apache2: enable sslsessioncache
  o Update to version 4.0+git.1548859099.0edbbfdc2:
    - upgrade: Add default upgrade timeouts file


crowbar-ha:

  o Update to version 4.0+git.1556181005.47c643d:
    - pacemaker: wait more for founder if SBD is configured (SCRD-8462)
    - pacemaker: don't check cluster members on founder (SCRD-8462)
  o Update to version 4.0+git.1554215159.8a42a71:
    - improve galera HA setup (bsc#1122875)


crowbar-openstack:

  o Update to version 4.0+git.1554887450.ff7c30c1c:
    - neutron: Added option to use L3 HA with Keepalived
  o Update to version 4.0+git.1554843756.5622551da:
    - ironic: Fix regression in helper
  o Update to version 4.0+git.1554814630.ec3c89f25:
    - ceilometer: Install package which contains cron file (bsc#1130414)
  o Update to version 4.0+git.1551459192.89433e13b:
    - rabbit: fix mirroring regex
  o Update to version 4.0+git.1550582615.f6b433ec7:
    - ceilometer: Use pacemaker to handle expirer cron link (bsc#1113107)
  o Update to version 4.0+git.1550262335.9667fa580:
    - mysql: Do not set a custom logfile for mysqld (bsc#1112767)
    - mysql: create .my.cnf in root home directory for mysql cmdline
  o Update to version 4.0+git.1549986893.df836d6cc:
    - mariadb: Remove installing the xtrabackup package
    - ssl: Fix ACL setup in ssl_setup provider (bsc#1123709)


galera-python-clustercheck:

  o readtimeout.patch: Add socket read timeout (bsc#1122053)


openstack-ceilometer:

  o Install openstack-ceilometer-expirer.cron into /usr/share/ceilometer. This
    is needed in a clustered environment where multiple ceilometer-collector
    services are installed on different nodes, which also installs multiple
    expirer cron jobs; running those cron jobs in parallel on different nodes
    can lead to deadlocks (bsc#1113107)


openstack-heat-gbp:

  o switch to newton branch


python-PyKMIP:

  o Fix a denial-of-service bug by setting the server socket timeout
    (bsc#1120767 CVE-2018-1000872)


python-pysaml2:

  o Fix for the authentication bypass due to optimizations (CVE-2017-1000433,
    bsc#1074662)


rubygem-crowbar-client:

  o Update to 3.9.0
    - Add support for the restricted APIs
    - Add --raw to "proposal show" and "proposal edit"
    - Correctly parse error messages that we don't handle natively
    - Better upgrade repocheck output
  o Update to 3.7.0
    - upgrade: Use cloud_version config for upgrade
    - ses: Add ses upload subcommand
    - Add cloud_version config field
    - Wrap os-release file parsing for better reuse
    - upgrade: Fix repocheck component in error message
    - upgrade: Better repocheck output
  o Updated to version 3.6.1
    - Hide the database step when it is not used (bsc#1118004)
    - Fix help strings
    - Describe how to upgrade more nodes with one command

Patch Instructions:

To install this SUSE Security Update, use the SUSE-recommended installation
methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  o SUSE OpenStack Cloud 7:
    zypper in -t patch SUSE-OpenStack-Cloud-7-2019-1450=1
  o SUSE Enterprise Storage 4:
    zypper in -t patch SUSE-Storage-4-2019-1450=1

Package List:

  o SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):
       crowbar-core-4.0+git.1556285635.ab602dd4d-9.46.3
       crowbar-core-branding-upstream-4.0+git.1556285635.ab602dd4d-9.46.3
       ruby2.1-rubygem-crowbar-client-3.9.0-7.14.2
  o SUSE OpenStack Cloud 7 (noarch):
       caasp-openstack-heat-templates-1.0+git.1553079189.3bf8922-1.6.2
       crowbar-4.0+git.1551088848.823bcaa3-7.29.2
       crowbar-devel-4.0+git.1551088848.823bcaa3-7.29.2
       crowbar-ha-4.0+git.1556181005.47c643d-4.46.3
       crowbar-openstack-4.0+git.1554887450.ff7c30c1c-9.51.3
       galera-python-clustercheck-0.0+git.1506329536.8f5878c-1.6.2
       openstack-ceilometer-7.1.1~dev4-4.15.3
       openstack-ceilometer-agent-central-7.1.1~dev4-4.15.3
       openstack-ceilometer-agent-compute-7.1.1~dev4-4.15.3
       openstack-ceilometer-agent-ipmi-7.1.1~dev4-4.15.3
       openstack-ceilometer-agent-notification-7.1.1~dev4-4.15.3
       openstack-ceilometer-api-7.1.1~dev4-4.15.3
       openstack-ceilometer-collector-7.1.1~dev4-4.15.3
       openstack-ceilometer-doc-7.1.1~dev4-4.15.3
       openstack-ceilometer-polling-7.1.1~dev4-4.15.3
       openstack-heat-gbp-5.1.1~dev1-2.6.3
       python-PyKMIP-0.5.0-3.3.3
       python-ceilometer-7.1.1~dev4-4.15.3
       python-heat-gbp-5.1.1~dev1-2.6.3
       python-pysaml2-4.0.2-3.6.3
  o SUSE Enterprise Storage 4 (aarch64 x86_64):
       crowbar-core-4.0+git.1556285635.ab602dd4d-9.46.3
       ruby2.1-rubygem-crowbar-client-3.9.0-7.14.2
  o SUSE Enterprise Storage 4 (noarch):
       crowbar-4.0+git.1551088848.823bcaa3-7.29.2
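
Verifying that the listed packages are actually at or above the fixed builds is
the defender's follow-up to this bulletin. The Python script below is an added
example, not part of the SUSE or AusCERT text: it embeds four of the fixed
VERSION-RELEASE strings from the Package List above, re-implements rpm's version
ordering in simplified form (it is not the rpm library), and checks a
constructed inventory in the shape of rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
output.

```python
import re
# Fixed VERSION-RELEASE strings copied from the bulletin's Package List above.
FIXED = {
    "python-PyKMIP": "0.5.0-3.3.3",
    "python-pysaml2": "4.0.2-3.6.3",
    "openstack-ceilometer": "7.1.1~dev4-4.15.3",
    "crowbar-core": "4.0+git.1556285635.ab602dd4d-9.46.3",
}
_SEG = re.compile(r"~|[0-9]+|[A-Za-z]+")  # rpm ignores other separator chars

def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1/0/1. Digits beat letters; '~' sorts lowest."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
        elif x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    tail = (sa if a_longer else sb)[min(len(sa), len(sb))]
    if tail == "~":  # a trailing '~...' marks a pre-release, i.e. older
        return -1 if a_longer else 1
    return 1 if a_longer else -1

def evr_cmp(installed, fixed):
    """Compare 'VERSION-RELEASE' strings: version first, then release."""
    (iv, ir), (fv, fr) = installed.rsplit("-", 1), fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def unpatched(inventory_lines):
    """{name: installed EVR} for bulletin packages still below the fixed version;
    each line is 'NAME VERSION-RELEASE' (see the rpm query in the lead-in)."""
    return {n: evr for n, evr in (ln.split() for ln in inventory_lines)
            if n in FIXED and evr_cmp(evr, FIXED[n]) < 0}

# Constructed sample inventory (not taken from the bulletin).
SAMPLE = [
    "python-PyKMIP 0.5.0-3.3.1",                         # older release: unpatched
    "python-pysaml2 4.0.2-3.6.3",                        # exactly the fixed version
    "openstack-ceilometer 7.1.1~dev4-4.15.3",            # exactly the fixed version
    "crowbar-core 4.0+git.1560000000.ab602dd4d-9.46.3",  # newer snapshot: fine
]
```

Packages absent from the inventory are not reported, so a missing package
should be treated separately from an unpatched one.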


References:

  o https://www.suse.com/security/cve/CVE-2017-1000433.html
  o https://www.suse.com/security/cve/CVE-2018-1000872.html
  o https://bugzilla.suse.com/1063535
  o https://bugzilla.suse.com/1074662
  o https://bugzilla.suse.com/1112767
  o https://bugzilla.suse.com/1113107
  o https://bugzilla.suse.com/1118004
  o https://bugzilla.suse.com/1120767
  o https://bugzilla.suse.com/1122053
  o https://bugzilla.suse.com/1122875
  o https://bugzilla.suse.com/1123709
  o https://bugzilla.suse.com/1127558
  o https://bugzilla.suse.com/1127752
  o https://bugzilla.suse.com/1128954
  o https://bugzilla.suse.com/1128987
  o https://bugzilla.suse.com/1130414
  o https://bugzilla.suse.com/1131053

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----