Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.2553 Moderate: openstack-tripleo-common security and bug fix update 11 July 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: openstack-tripleo-common Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 7 Impact/Access: Execute Arbitrary Code/Commands -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2019-3895 Reference: ESB-2019.2429 Original Bulletin: https://access.redhat.com/errata/RHSA-2019:1742 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: openstack-tripleo-common security and bug fix update Advisory ID: RHSA-2019:1742-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2019:1742 Issue date: 2019-07-10 CVE Names: CVE-2019-3895 ===================================================================== 1. Summary: An update for openstack-tripleo-common is now available for Red Hat OpenStack Platform 13.0 (Queens). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenStack Platform 13.0 - noarch 3. Description: openstack-tripleo-common contains the python library for code common to the Red Hat OpenStack Platform director CLI and GUI (codename tripleo). Security Fix(es): * openstack-tripleo-common: Allows running new amphorae based on arbitrary images (CVE-2019-3895) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Introspection of baremetal nodes fail with 'No hypervisor matching' problem when node name used instead of uuid (BZ#1677016) * config-download backports from RHOSP 14 to RHOSP 13 (openstack-tripleo-common) (BZ#1688461) * RHOSP-13 Connection reset by peer: libvirtError: operation failed: Failed to connect to remote libvirt URI # Live Migration failure: operation failed: Failed to connect to remote libvirt URI (BZ#1712410) * There are two new CLI arguments you can use with `config-download`: - Monitor the deployment in a separate CLI session or with the API with `openstack overcloud status`. - Log and save Ansible errors for future analysis with `openstack overcloud failures`. (BZ#1688461) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1677016 - Introspection of baremetal nodes fail with 'No hypervisor matching' problem when node name used instead of uuid 1688461 - config-download backports from RHOSP 14 to RHOSP 13 (openstack-tripleo-common) 1694608 - CVE-2019-3895 openstack-tripleo-common: Allows running new amphorae based on arbitrary images 1717060 - Rebase openstack-tripleo-common to c42c360 1722738 - OSP12 to 13 upgrade - fail to upgrade controllers. 6. Package List: Red Hat OpenStack Platform 13.0: Source: openstack-tripleo-common-8.6.8-11.el7ost.src.rpm noarch: openstack-tripleo-common-8.6.8-11.el7ost.noarch.rpm openstack-tripleo-common-container-base-8.6.8-11.el7ost.noarch.rpm openstack-tripleo-common-containers-8.6.8-11.el7ost.noarch.rpm openstack-tripleo-common-devtools-8.6.8-11.el7ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-3895 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXSXigdzjgjWX9erEAQhzuQ/+NqhZR2xyNoCPzwOSOHy7OW/1LJJai/Na eTYtrXBO1aTbpJJ7vxcvAKVyGsHd1jomD4MHa6IkJdHtjGwcspa3COLh2ARhi6v3 egWsE3210926cFc2CccMTIl8WyeRPzofmeqV+ID09nrUPYouOBAyoyZhD+7LhPen wT2iSiTgQra8z9dFk+9Vk1b+IGAxkzKGw1Xbajr3apI0nKmtufeBti/ztDmpG0xp 1FZ+eTxguPUBuVRFs5NjLRNnZnalS/f9x8wBwC2Pz6iyVCrR1Vj0T7f3sIvPooxS eW06F+gjfBJ1ZGWwbPWYitwWrnOg28n69BB8QCekzzgV6alYR0Y3beUypp6zj/Le zoB8xptyi1gZ8CkWmqAIUshxig8wEtchamjZro3L+S8Ao8v5HLvTIeUj40Melq0G qCy/sFcLy306nJPVm3VsvjjE5mqiKTRgMqKfmPLFCgHR/00VrBMUq91dOUVTwtVC N+9wXUwwTRyf0iWTH8Y/cuRi4p4yu377OKRD0msnk431DT68HjHmojH9bD7fXvTQ VOQ+FoMdnY3rf1QTrkGrKemCFyCYGxaK279mRLhIKDlNofs5zmeMMLg4GvFQn/zF CsL+nAOvtiA5K1lVo/MiVejZhoXeMLvWDpGg9P7Cp5fNvdliZjUjKzLxiYnh8ea+ fjOEMm0+Xoc= =L+VI - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXSa/x2aOgq3Tt24GAQhLdQ/+PC7onkrZLb8zhDLVXRnad+Gad97fob+7 oRmFR0tFKL2OFLaSqwCvBXBSuSS1kenQqs06wBUgKJMuzAlDfTX86Kk2gLkJtCti qLIoQPEaOvWy+T9Lec2pk62S+ng1CbKYQwCmZ2e8lHr62/fBRB+kiDyZW0HITsrC pCiyqsYKm4BQqb8WCx18rkampL7I1SwK08/gR0gkaG6Uqk5EC4X2xLoQGMNyuiEg ti9DCpSNMqiZTug5BnoyABIEl/2shA2/UgNBaOnfYhl+gmqciuZ1hdrHnj8QoAiq 30ftqBg2aspvYfVtJ+SNw+OwB7XDGQWuwZldrBPYiVz1AOVCJip08lXzFitz6NqL hfZYnM8mfjoJH7ULbU/TqVnMuyIejkhYzcHBjP02MfuC9t5OAzsZyxxGxqQbZFTo BIatvrVxMFtcMPwtxVPqvPoXJjE09a/Im9W+x3D/cupakZzPc84O7xBZ6im5qvZy t4W9gnbV4YDGUPCpKT2wH4gmuMlVm19jEG6Rgp4UVqgcH4yN6WLg5C1jddms14V9 YvouQpUKHkhNoDyFoQws2uAjbDj8O0geWdIs16YqlVVk2mduxZfHa5bl9qITLHnO bsnCGwfZQ7UQACNQZneC8bkrKLgwoXw0uQUewNQ2hZvHkVHvRD4oK5zdjLD5eA3F +y3JmWwzsTk= =gKGY -----END PGP SIGNATURE-----