-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4473
    SUSE-SU-2019:3068-1 Security update for suse-openstack-cloud dependencies
                              27 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           suse-openstack-cloud
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18874 CVE-2019-17134

Reference:         ESB-2019.4367
                   ESB-2019.4167
                   ESB-2019.3801

Original Bulletin:
   https://www.suse.com/support/update/announcement/2019/suse-su-20193068-1.html

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for ardana-db, ardana-keystone,
   ardana-neutron, ardana-nova, crowbar-core, crowbar-openstack, crowbar-ui,
   openstack-barbican, openstack-heat-templates, openstack-keystone,
   openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas,
   openstack-nova, openstack-octavia, openstack-sahara, python-psutil,
   release-notes-suse-openstack-cloud
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:3068-1
Rating:             moderate
References:         #1153304 #1155942 #1156525
Cross-References:   CVE-2019-17134 CVE-2019-18874
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
______________________________________________________________________________

An update that solves two vulnerabilities and has one errata is now available.

Description:

This update for ardana-db, ardana-keystone, ardana-neutron, ardana-nova,
crowbar-core, crowbar-openstack, crowbar-ui, openstack-barbican,
openstack-heat-templates, openstack-keystone, openstack-neutron,
openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova,
openstack-octavia, openstack-sahara, python-psutil,
release-notes-suse-openstack-cloud fixes the following issues:

Security fix for openstack-octavia:

  o CVE-2019-17134: Fixed an issue where the Octavia Amphora-Agent did not
    require a client certificate (bsc#1153304).

Security fix for python-psutil:

  o CVE-2019-18874: Fixed a double-free vulnerability that occurred when
    converting system data into a Python object (bsc#1155089).

  o Update to version 9.0+git.1572311426.a6dc2fd:
      * Align Crowbar and Ardana MariaDB configs (SOC-10094)
  o Update to version 9.0+git.1573069087.15ffd1c:
      * enable debug and insecure_debug on demand (SOC-10934)
  o Update to version 9.0+git.1572019823.6650494:
      * Correctly setup ardana_notify_... fact (SOC-10902)
  o Update to version 9.0+git.1572618171.4460843:
      * Update gerrit FQDN in .gitreview (SOC-9140)
  o Update to version 6.0+git.1573825081.b1caf60f1:
      * Update the testsuite for new upgrade method (SOC-10761)
      * upgrade: cold start nova before live migration (SOC-10761)
  o Update to version 6.0+git.1573131992.3c660b413:
      * [upgrade] Call finalize_nodes_upgrade at the very end (bsc#1155942)
  o Update to version 6.0+git.1573051151.3495e0e94:
      * Allow enabling bpdu-forwarding on OVS bridges (SOC-9172)
  o Update to version 6.0+git.1573754820.dd036ef77:
      * neutron: use octavia-api admin VIP URI for lbaasv2 (SOC-10906)
      * octavia: handle certificate ownership in barclamp (SOC-10906)
      * octavia: add SSL support to octavia-api (SOC-10906)
  o Update to version 6.0+git.1573174019.9965ae9b8:
      * designate: change default configuration (SOC-10899)
  o Update to version 6.0+git.1572855359.8efafea01:
      * Make sure the input file with ssh key exists (SOC-10133)
  o Update to version 6.0+git.1572636244.e12406629:
      * Change order of Octavia to 102 (SOC-10289)
  o Update to version 6.0+git.1572470261.49c0affe1:
      * designate: move keystone resource lookup to convergence (SOC-10887)
  o Update to version 1.3.0+git.1572871359.50fc6087:
      * Add title for XEN compute nodes precheck (SOC-10495)
  o Update to version barbican-7.0.1.dev21:
      * Fix duplicate paths in secret hrefs
      * Fix the bug of pep8 and building api-guide
      * OpenDev Migration Patch
  o Update to version barbican-7.0.1.dev21:
      * Fix duplicate paths in secret hrefs
      * Fix the bug of pep8 and building api-guide
      * OpenDev Migration Patch
  o remove 0001-Fix-duplicate-paths-in-secret-hrefs.patch as it had landed
    upstream
  o Replace openstack.org git:// URLs with https://
  o Update to version keystone-14.1.1.dev28:
      * Allows to use application credentials through group membership
  o Update to version keystone-14.1.1.dev28:
      * Allows to use application credentials through group membership
  o Update to version neutron-13.0.6.dev8:
      * Retry creating iptables managers and adding metering rules
  o Update to version neutron-13.0.6.dev6:
      * Increase timeout when waiting for dnsmasq enablement
  o Update to version neutron-13.0.6.dev4:
      * Log OVS firewall conjunction creation
  o Update to version neutron-13.0.6.dev8:
      * Retry creating iptables managers and adding metering rules
  o Update to version neutron-13.0.6.dev6:
      * Increase timeout when waiting for dnsmasq enablement
  o Update to version neutron-13.0.6.dev4:
      * Log OVS firewall conjunction creation
  o Update to version group-based-policy-5.0.1.dev476:
      * Provide a control knob to use the internal EP interface
      * Send port notifications when host_route is getting updated
  o Update to version group-based-policy-5.0.1.dev473:
      * Fix pep8 failures seen on submitted patches
  o Update to version neutron-lbaas-13.0.1.dev16:
      * "lbaas delete l7 rule" Parameter Passing Error
  o Update to version neutron-lbaas-13.0.1.dev16:
      * "lbaas delete l7 rule" Parameter Passing Error
  o Update to version nova-18.2.4.dev22:
      * Revert "openstack server create" to "nova boot" in nova docs
      * doc: fix and clarify --block-device usage in user docs
  o Update to version nova-18.2.4.dev20:
      * Avoid error 500 on shelve task_state race
  o Update to version nova-18.2.4.dev19:
      * libvirt: Ignore volume exceptions during post_live_migration
  o Update to version nova-18.2.4.dev22:
      * Revert "openstack server create" to "nova boot" in nova docs
      * doc: fix and clarify --block-device usage in user docs
  o Update to version nova-18.2.4.dev20:
      * Avoid error 500 on shelve task_state race
  o Update to version nova-18.2.4.dev19:
      * libvirt: Ignore volume exceptions during post_live_migration
  o Update to version octavia-3.2.1.dev3:
      * Improve the error message for bad pkcs12 bundles
  o Update to version octavia-3.2.1.dev2:
      * ipvsadm '--exact' arg to ensure outputs are ints
  o Update to version sahara-9.0.2.dev14:
      * Fixing image creation
      * Check MariaDB installation
  o Update to version sahara-9.0.2.dev14:
      * Fixing image creation
      * Check MariaDB installation
  o Update to version 9.20191025:
      * support OpenID Connect (SOC-10510)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

  o SUSE OpenStack Cloud Crowbar 9:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2019-3068=1
  o SUSE OpenStack Cloud 9:
    zypper in -t patch SUSE-OpenStack-Cloud-9-2019-3068=1

Package List:

  o SUSE OpenStack Cloud Crowbar 9 (x86_64):
      crowbar-core-6.0+git.1573825081.b1caf60f1-3.16.1
      crowbar-core-branding-upstream-6.0+git.1573825081.b1caf60f1-3.16.1
      python-psutil-5.4.6-3.3.1
      python-psutil-debuginfo-5.4.6-3.3.1
      python-psutil-debugsource-5.4.6-3.3.1
  o SUSE OpenStack Cloud Crowbar 9 (noarch):
      crowbar-openstack-6.0+git.1573754820.dd036ef77-3.16.1
      crowbar-ui-1.3.0+git.1572871359.50fc6087-14.1
      openstack-barbican-7.0.1~dev21-3.3.1
      openstack-barbican-api-7.0.1~dev21-3.3.1
      openstack-barbican-keystone-listener-7.0.1~dev21-3.3.1
      openstack-barbican-retry-7.0.1~dev21-3.3.1
      openstack-barbican-worker-7.0.1~dev21-3.3.1
      openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1
      openstack-keystone-14.1.1~dev28-3.16.1
      openstack-neutron-13.0.6~dev8-3.16.2
      openstack-neutron-dhcp-agent-13.0.6~dev8-3.16.2
      openstack-neutron-gbp-5.0.1~dev476-3.13.1
      openstack-neutron-ha-tool-13.0.6~dev8-3.16.2
      openstack-neutron-l3-agent-13.0.6~dev8-3.16.2
      openstack-neutron-lbaas-13.0.1~dev16-3.13.1
      openstack-neutron-lbaas-agent-13.0.1~dev16-3.13.1
      openstack-neutron-linuxbridge-agent-13.0.6~dev8-3.16.2
      openstack-neutron-macvtap-agent-13.0.6~dev8-3.16.2
      openstack-neutron-metadata-agent-13.0.6~dev8-3.16.2
      openstack-neutron-metering-agent-13.0.6~dev8-3.16.2
      openstack-neutron-openvswitch-agent-13.0.6~dev8-3.16.2
      openstack-neutron-server-13.0.6~dev8-3.16.2
      openstack-nova-18.2.4~dev22-3.16.2
      openstack-nova-api-18.2.4~dev22-3.16.2
      openstack-nova-cells-18.2.4~dev22-3.16.2
      openstack-nova-compute-18.2.4~dev22-3.16.2
      openstack-nova-conductor-18.2.4~dev22-3.16.2
      openstack-nova-console-18.2.4~dev22-3.16.2
      openstack-nova-novncproxy-18.2.4~dev22-3.16.2
      openstack-nova-placement-api-18.2.4~dev22-3.16.2
      openstack-nova-scheduler-18.2.4~dev22-3.16.2
      openstack-nova-serialproxy-18.2.4~dev22-3.16.2
      openstack-nova-vncproxy-18.2.4~dev22-3.16.2
      openstack-octavia-3.2.1~dev3-3.16.1
      openstack-octavia-amphora-agent-3.2.1~dev3-3.16.1
      openstack-octavia-api-3.2.1~dev3-3.16.1
      openstack-octavia-health-manager-3.2.1~dev3-3.16.1
      openstack-octavia-housekeeping-3.2.1~dev3-3.16.1
      openstack-octavia-worker-3.2.1~dev3-3.16.1
      openstack-sahara-9.0.2~dev14-3.6.1
      openstack-sahara-api-9.0.2~dev14-3.6.1
      openstack-sahara-engine-9.0.2~dev14-3.6.1
      python-barbican-7.0.1~dev21-3.3.1
      python-keystone-14.1.1~dev28-3.16.1
      python-neutron-13.0.6~dev8-3.16.2
      python-neutron-gbp-5.0.1~dev476-3.13.1
      python-neutron-lbaas-13.0.1~dev16-3.13.1
      python-nova-18.2.4~dev22-3.16.2
      python-octavia-3.2.1~dev3-3.16.1
      python-sahara-9.0.2~dev14-3.6.1
      release-notes-suse-openstack-cloud-9.20191025-3.15.1
  o SUSE OpenStack Cloud 9 (x86_64):
      python-psutil-5.4.6-3.3.1
      python-psutil-debuginfo-5.4.6-3.3.1
      python-psutil-debugsource-5.4.6-3.3.1
  o SUSE OpenStack Cloud 9 (noarch):
      ardana-db-9.0+git.1572311426.a6dc2fd-3.13.1
      ardana-keystone-9.0+git.1573069087.15ffd1c-3.13.1
      ardana-neutron-9.0+git.1572019823.6650494-3.16.1
      ardana-nova-9.0+git.1572618171.4460843-3.13.1
      openstack-barbican-7.0.1~dev21-3.3.1
      openstack-barbican-api-7.0.1~dev21-3.3.1
      openstack-barbican-keystone-listener-7.0.1~dev21-3.3.1
      openstack-barbican-retry-7.0.1~dev21-3.3.1
      openstack-barbican-worker-7.0.1~dev21-3.3.1
      openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1
      openstack-keystone-14.1.1~dev28-3.16.1
      openstack-neutron-13.0.6~dev8-3.16.2
      openstack-neutron-dhcp-agent-13.0.6~dev8-3.16.2
      openstack-neutron-gbp-5.0.1~dev476-3.13.1
      openstack-neutron-ha-tool-13.0.6~dev8-3.16.2
      openstack-neutron-l3-agent-13.0.6~dev8-3.16.2
      openstack-neutron-lbaas-13.0.1~dev16-3.13.1
      openstack-neutron-lbaas-agent-13.0.1~dev16-3.13.1
      openstack-neutron-linuxbridge-agent-13.0.6~dev8-3.16.2
      openstack-neutron-macvtap-agent-13.0.6~dev8-3.16.2
      openstack-neutron-metadata-agent-13.0.6~dev8-3.16.2
      openstack-neutron-metering-agent-13.0.6~dev8-3.16.2
      openstack-neutron-openvswitch-agent-13.0.6~dev8-3.16.2
      openstack-neutron-server-13.0.6~dev8-3.16.2
      openstack-nova-18.2.4~dev22-3.16.2
      openstack-nova-api-18.2.4~dev22-3.16.2
      openstack-nova-cells-18.2.4~dev22-3.16.2
      openstack-nova-compute-18.2.4~dev22-3.16.2
      openstack-nova-conductor-18.2.4~dev22-3.16.2
      openstack-nova-console-18.2.4~dev22-3.16.2
      openstack-nova-novncproxy-18.2.4~dev22-3.16.2
      openstack-nova-placement-api-18.2.4~dev22-3.16.2
      openstack-nova-scheduler-18.2.4~dev22-3.16.2
      openstack-nova-serialproxy-18.2.4~dev22-3.16.2
      openstack-nova-vncproxy-18.2.4~dev22-3.16.2
      openstack-octavia-3.2.1~dev3-3.16.1
      openstack-octavia-amphora-agent-3.2.1~dev3-3.16.1
      openstack-octavia-api-3.2.1~dev3-3.16.1
      openstack-octavia-health-manager-3.2.1~dev3-3.16.1
      openstack-octavia-housekeeping-3.2.1~dev3-3.16.1
      openstack-octavia-worker-3.2.1~dev3-3.16.1
      openstack-sahara-9.0.2~dev14-3.6.1
      openstack-sahara-api-9.0.2~dev14-3.6.1
      openstack-sahara-engine-9.0.2~dev14-3.6.1
      python-barbican-7.0.1~dev21-3.3.1
      python-keystone-14.1.1~dev28-3.16.1
      python-neutron-13.0.6~dev8-3.16.2
      python-neutron-gbp-5.0.1~dev476-3.13.1
      python-neutron-lbaas-13.0.1~dev16-3.13.1
      python-nova-18.2.4~dev22-3.16.2
      python-octavia-3.2.1~dev3-3.16.1
      python-sahara-9.0.2~dev14-3.6.1
      release-notes-suse-openstack-cloud-9.20191025-3.15.1
      venv-openstack-barbican-x86_64-7.0.1~dev21-3.13.1
      venv-openstack-cinder-x86_64-13.0.8~dev8-3.13.1
      venv-openstack-designate-x86_64-7.0.1~dev22-3.13.1
      venv-openstack-heat-x86_64-11.0.3~dev23-3.13.1
      venv-openstack-keystone-x86_64-14.1.1~dev28-3.13.1
      venv-openstack-magnum-x86_64-7.1.1~dev28-4.13.1
      venv-openstack-manila-x86_64-7.3.1~dev15-3.13.1
      venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.13.1
      venv-openstack-neutron-x86_64-13.0.6~dev8-6.13.1
      venv-openstack-nova-x86_64-18.2.4~dev22-3.13.1
      venv-openstack-octavia-x86_64-3.2.1~dev3-4.13.1
      venv-openstack-sahara-x86_64-9.0.2~dev14-3.13.1

References:

  o https://www.suse.com/security/cve/CVE-2019-17134.html
  o https://www.suse.com/security/cve/CVE-2019-18874.html
  o https://bugzilla.suse.com/1153304
  o https://bugzilla.suse.com/1155942
  o https://bugzilla.suse.com/1156525

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXd3QMmaOgq3Tt24GAQia6RAA04yE3ZDNUoVt3MjA4hrxkgVlQWRgKk6k
7tJrxe3i5H/BShAbeVZ8F/Avqg6l6fNG3E6CsjF16AS7eVVRnURq38/y4sdgPAUi
1Uvj4uM4WnZVzpMs7KmawO7KyhQf4tZqOAI4XNklPltP/Z7TIoP3m7Uvo/g8498M
UdcHSFN0qUBgytX7RmvPHyMzfyc+jizZqB1RBD3HG1LUuUVHjCVd2Rnhgn4M3Sl1
DSnwIZXUke3xQxK9Y8Kffz5kGQCPxGGAUdyzdHeLAm+intN9o9rGYWbQlPGcHXPv
vegwcVATXQUkL4iRpvLLAqNZGYdoaJrTptoRwfXMBXecYLNJHWGENRFxTXEnvpme
Td4OSQFERNQRoQhjdgxX6Vc/zWovOvbGI5ehZMX84YJcEPXL9Vrr++lLYAUF1U0o
X7kUzJDBf697ipbItnY7Cx3OPk+j746FLx4HLVSPqPSBpib3B5ZnNXLNQ6K4yAMB
wFCmbhHNU5ZDOwuGg1Y+jJQ/LI7e+Tsscvym5yktjULa8+nWhhwUKEToE8rzx0cJ
sB3M7AHz1DdYkHqTxp7RiHgONFk9cmxVyl1TR9iw2gPV3itcqVjeF80mTKuuGM94
Yp53XCN6+24ZYKfk9jOV3hjR6e3LZj9YO0MNWw+nsofKrlxTpo2GLj8B1ro7AKta
lXnEbPlAqHs=
=NFds
-----END PGP SIGNATURE-----
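Editor's note, added after the signed bulletin and not part of the SUSE advisory or the AusCERT redistribution: the Package List above gives the fixed name-version-release of every affected RPM, so the practical follow-up to "zypper patch" is confirming that each node actually carries builds at or above those versions. The script below is an added example of that check. It reimplements rpm's version-ordering rules (numeric segments compared numerically, letters compared lexically, a `~` pre-release separator sorting below everything, so `7.0.1~dev21` is older than `7.0.1`) and compares a list of installed packages against a subset of the bulletin's fixed versions. The installed-package lines are a constructed sample in the shape of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`, not output from any real system; the `^` separator and epochs are assumed not to occur, as they do not in this package list.

```python
"""Check installed RPM builds against the fixed versions listed in SUSE-SU-2019:3068-1.

Added example; not code from SUSE or AusCERT.
"""
import re
import string

ALNUM = set(string.ascii_letters + string.digits)


def rpmvercmp(a: str, b: str) -> int:
    """Order two RPM version or release strings the way rpm's rpmvercmp() does.

    Returns -1 if a < b, 0 if equal, 1 if a > b.  The '~' separator marks a
    pre-release and sorts before anything, even the end of the string.
    The newer '^' separator is deliberately not handled (assumption: unused here).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separator characters ('.', '+', '-', ...); '~' is significant.
        while i < len(a) and a[i] not in ALNUM and a[i] != "~":
            i += 1
        while j < len(b) and b[j] not in ALNUM and b[j] != "~":
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1          # b is a pre-release of a
            if not b_tilde:
                return -1         # a is a pre-release of b
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take the next run of digits, or of letters, from each string.
        seg_a = re.match(r"[0-9]+|[A-Za-z]+", a[i:]).group(0)
        seg_b = re.match(r"[0-9]+|[A-Za-z]+", b[j:]).group(0)
        i += len(seg_a)
        j += len(seg_b)
        a_num, b_num = seg_a.isdigit(), seg_b.isdigit()
        if a_num != b_num:
            return 1 if a_num else -1   # a numeric segment is newer than an alpha one
        if a_num:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    # All compared segments matched; whichever string has characters left wins.
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_nvr(nvr: str):
    """Split 'name-version-release' as printed in the bulletin.

    Assumes no epoch and no '-' inside version or release, which holds for
    every entry in this package list.
    """
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def evrcmp(vr_a, vr_b) -> int:
    """Compare (version, release) pairs: version decides, release breaks ties."""
    c = rpmvercmp(vr_a[0], vr_b[0])
    return c if c != 0 else rpmvercmp(vr_a[1], vr_b[1])


def outdated_packages(installed_lines, fixed_lines):
    """Return the sorted names of installed packages older than the fixed build.

    Packages the bulletin does not mention are ignored; a build at or above the
    fixed version counts as patched.
    """
    fixed = {}
    for line in fixed_lines:
        if line.strip():
            n, v, r = split_nvr(line.strip())
            fixed[n] = (v, r)
    outdated = []
    for line in installed_lines:
        if not line.strip():
            continue
        n, v, r = split_nvr(line.strip())
        if n in fixed and evrcmp((v, r), fixed[n]) < 0:
            outdated.append(n)
    return sorted(outdated)


# Subset of the bulletin's package list for SUSE OpenStack Cloud Crowbar 9.
FIXED_PACKAGES = """
python-psutil-5.4.6-3.3.1
openstack-octavia-amphora-agent-3.2.1~dev3-3.16.1
openstack-octavia-api-3.2.1~dev3-3.16.1
openstack-keystone-14.1.1~dev28-3.16.1
openstack-nova-compute-18.2.4~dev22-3.16.2
openstack-barbican-7.0.1~dev21-3.3.1
crowbar-core-6.0+git.1573825081.b1caf60f1-3.16.1
""".splitlines()

# Constructed sample in the shape of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# from one node; not real output from any system.
INSTALLED_SAMPLE = """
python-psutil-5.4.6-3.2.1
openstack-octavia-amphora-agent-3.2.1~dev2-3.15.1
openstack-octavia-api-3.2.1~dev3-3.16.1
openstack-keystone-14.1.1~dev28-3.16.1
openstack-nova-compute-18.2.4~dev20-3.13.1
openstack-barbican-7.0.1-1.1
crowbar-core-6.0+git.1573131992.3c660b413-3.13.1
bash-4.4-9.10.1
""".splitlines()

if __name__ == "__main__":
    for name in outdated_packages(INSTALLED_SAMPLE, FIXED_PACKAGES):
        print("UPDATE NEEDED:", name)
```

On the sample, `python-psutil` is flagged because only its release lags (3.2.1 versus 3.3.1), the amphora agent and nova-compute because their `~devN` pre-release numbers are lower than the fixed ones, and crowbar-core because its git timestamp segment is older; `openstack-barbican` at 7.0.1 is accepted as newer than `7.0.1~dev21`, which is the tilde rule that a naive string comparison would get wrong.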