-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2053
           SUSE-SU-2019:1450-1 Security update for Cloud7 packages
                                10 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cloud7
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service            -- Remote/Unauthenticated
                   Unauthorised Access          -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000872 CVE-2017-1000433
Reference:         ESB-2019.0485
                   ESB-2018.1908
                   ESB-2018.0093

Original Bulletin:
   https://www.suse.com/support/update/announcement/2019/suse-su-20191450-1.html

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for Cloud7 packages
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:1450-1
Rating:             moderate
References:         #1063535 #1074662 #1112767 #1113107 #1118004 #1120767
                    #1122053 #1122875 #1123709 #1127558 #1127752 #1128954
                    #1128987 #1130414 #1131053
Cross-References:   CVE-2017-1000433 CVE-2018-1000872
Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Enterprise Storage 4
______________________________________________________________________________

An update that solves two vulnerabilities and has 13 fixes is now available.
Description:

This update provides fixes for the following package issues:

caasp-openstack-heat-templates:

  o Update to version 1.0+git.1553079189.3bf8922:
      * SCRD-2813 Add support for CPI parameters
  o Update to version 1.0+git.1547562889.43707e7:
      * Switch LB protocol from HTTP to HTTPS

crowbar:

  o Update to version 4.0+git.1551088848.823bcaa3:
      * install-chef-suse: filter comments from authorized_keys file

crowbar-core:

  o Update to version 4.0+git.1556285635.ab602dd4d:
      * network: run wicked ifdown for interface cleanup (bsc#1063535)
  o Update to version 4.0+git.1554931881.d98412e0e:
      * Fix cloud-mkcloud9-job-backup-restore (SCRD-7126)
  o Update to version 4.0+git.1552239940.5bc9aaac4:
      * crowbar: Do not rely on Chef::Util::FileEdit to write the file
        (bsc#1127752)
  o Update to version 4.0+git.1550493400.9787ea9ad:
      * upgrade: Delay status switch after upgrade ends
  o Update to version 4.0+git.1549474445.d9a35cf52:
      * fix hound warning
      * Support RAID 0
  o Packaged default upgrade timeouts file
  o Update to version 4.0+git.1549136953.afcde921f:
      * apache2: enable sslsessioncache
  o Update to version 4.0+git.1548859099.0edbbfdc2:
      * upgrade: Add default upgrade timeouts file

crowbar-ha:

  o Update to version 4.0+git.1556181005.47c643d:
      * pacemaker: wait more for founder if SBD is configured (SCRD-8462)
      * pacemaker: don't check cluster members on founder (SCRD-8462)
  o Update to version 4.0+git.1554215159.8a42a71:
      * improve galera HA setup (bsc#1122875)

crowbar-openstack:

  o Update to version 4.0+git.1554887450.ff7c30c1c:
      * neutron: Added option to use L3 HA with Keepalived
  o Update to version 4.0+git.1554843756.5622551da:
      * ironic: Fix regression in helper
  o Update to version 4.0+git.1554814630.ec3c89f25:
      * ceilometer: Install package which contains cron file (bsc#1130414)
  o Update to version 4.0+git.1551459192.89433e13b:
      * rabbit: fix mirroring regex
  o Update to version 4.0+git.1550582615.f6b433ec7:
      * ceilometer: Use pacemaker to handle expirer cron link (bsc#1113107)
  o Update to version 4.0+git.1550262335.9667fa580:
      * mysql: Do not set a custom logfile for mysqld (bsc#1112767)
      * mysql: create .my.cnf in root home directory for mysql cmdline
  o Update to version 4.0+git.1549986893.df836d6cc:
      * mariadb: Remove installing the xtrabackup package
      * ssl: Fix ACL setup in ssl_setup provider (bsc#1123709)

galera-python-clustercheck:

  o readtimeout.patch: Add socket read timeout (bsc#1122053)

openstack-ceilometer:

  o Install openstack-ceilometer-expirer.cron into /usr/share/ceilometer.
    This is needed in a clustered environment where multiple
    ceilometer-collector services are installed on different nodes (and,
    because of that, multiple expirer cron jobs are installed). That can
    lead to deadlocks when the cron jobs run in parallel on the different
    nodes (bsc#1113107)

openstack-heat-gbp:

  o switch to newton branch

python-PyKMIP:

  o Fix a denial-of-service bug by setting the server socket timeout
    (bsc#1120767 CVE-2018-1000872)

python-pysaml2:

  o Fix for the authentication bypass due to optimizations (CVE-2017-1000433,
    bsc#1074662)

rubygem-crowbar-client:

  o Update to 3.9.0
      - Add support for the restricted APIs
      - Add --raw to "proposal show" and "proposal edit"
      - Correctly parse error messages that we don't handle natively
      - Better upgrade repocheck output
  o Update to 3.7.0
      - upgrade: Use cloud_version config for upgrade
      - ses: Add ses upload subcommand
      - Add cloud_version config field.
      - Wrap os-release file parsing for better reuse.
      - upgrade: Fix repocheck component in error message
      - upgrade: Better repocheck output
  o updated to version 3.6.1
      * Hide the database step when it is not used (bsc#1118004)
      * Fix help strings
      * Describe how to upgrade more nodes with one command

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE OpenStack Cloud 7:
    zypper in -t patch SUSE-OpenStack-Cloud-7-2019-1450=1

  o SUSE Enterprise Storage 4:
    zypper in -t patch SUSE-Storage-4-2019-1450=1

Package List:

  o SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):
       crowbar-core-4.0+git.1556285635.ab602dd4d-9.46.3
       crowbar-core-branding-upstream-4.0+git.1556285635.ab602dd4d-9.46.3
       ruby2.1-rubygem-crowbar-client-3.9.0-7.14.2

  o SUSE OpenStack Cloud 7 (noarch):
       caasp-openstack-heat-templates-1.0+git.1553079189.3bf8922-1.6.2
       crowbar-4.0+git.1551088848.823bcaa3-7.29.2
       crowbar-devel-4.0+git.1551088848.823bcaa3-7.29.2
       crowbar-ha-4.0+git.1556181005.47c643d-4.46.3
       crowbar-openstack-4.0+git.1554887450.ff7c30c1c-9.51.3
       galera-python-clustercheck-0.0+git.1506329536.8f5878c-1.6.2
       openstack-ceilometer-7.1.1~dev4-4.15.3
       openstack-ceilometer-agent-central-7.1.1~dev4-4.15.3
       openstack-ceilometer-agent-compute-7.1.1~dev4-4.15.3
       openstack-ceilometer-agent-ipmi-7.1.1~dev4-4.15.3
       openstack-ceilometer-agent-notification-7.1.1~dev4-4.15.3
       openstack-ceilometer-api-7.1.1~dev4-4.15.3
       openstack-ceilometer-collector-7.1.1~dev4-4.15.3
       openstack-ceilometer-doc-7.1.1~dev4-4.15.3
       openstack-ceilometer-polling-7.1.1~dev4-4.15.3
       openstack-heat-gbp-5.1.1~dev1-2.6.3
       python-PyKMIP-0.5.0-3.3.3
       python-ceilometer-7.1.1~dev4-4.15.3
       python-heat-gbp-5.1.1~dev1-2.6.3
       python-pysaml2-4.0.2-3.6.3

  o SUSE Enterprise Storage 4 (aarch64 x86_64):
       crowbar-core-4.0+git.1556285635.ab602dd4d-9.46.3
       ruby2.1-rubygem-crowbar-client-3.9.0-7.14.2

  o SUSE Enterprise Storage 4 (noarch):
       crowbar-4.0+git.1551088848.823bcaa3-7.29.2

References:

  o https://www.suse.com/security/cve/CVE-2017-1000433.html
  o https://www.suse.com/security/cve/CVE-2018-1000872.html
  o https://bugzilla.suse.com/1063535
  o https://bugzilla.suse.com/1074662
  o https://bugzilla.suse.com/1112767
  o https://bugzilla.suse.com/1113107
  o https://bugzilla.suse.com/1118004
  o https://bugzilla.suse.com/1120767
  o https://bugzilla.suse.com/1122053
  o https://bugzilla.suse.com/1122875
  o https://bugzilla.suse.com/1123709
  o https://bugzilla.suse.com/1127558
  o https://bugzilla.suse.com/1127752
  o https://bugzilla.suse.com/1128954
  o https://bugzilla.suse.com/1128987
  o https://bugzilla.suse.com/1130414
  o https://bugzilla.suse.com/1131053

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.
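As an added verification step (this script is not part of the SUSE or AusCERT bulletin), the following Python checks a node's installed package versions against the fixed versions from the Package List above. It implements an rpmvercmp-style comparison so that tilde pre-release tags such as 7.1.1~dev4 order correctly (a tilde sorts before everything, including the end of the string), which a plain string comparison gets wrong. The installed-package sample is constructed for illustration; on a real node the input would come from `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`, and the fixed-version list is a subset of the bulletin's SUSE OpenStack Cloud 7 entries.

```python
"""Compare installed RPM versions with the fixed versions in SUSE-SU-2019:1450-1.

Added example, not part of the bulletin. Real input is the output of
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
on the node; SAMPLE_INSTALLED below is constructed. Epochs are ignored
because the bulletin lists none.
"""
import re

# Subset of the bulletin's Package List for SUSE OpenStack Cloud 7.
FIXED_CLOUD7 = """
crowbar-core-4.0+git.1556285635.ab602dd4d-9.46.3
ruby2.1-rubygem-crowbar-client-3.9.0-7.14.2
crowbar-ha-4.0+git.1556181005.47c643d-4.46.3
crowbar-openstack-4.0+git.1554887450.ff7c30c1c-9.51.3
galera-python-clustercheck-0.0+git.1506329536.8f5878c-1.6.2
openstack-ceilometer-7.1.1~dev4-4.15.3
openstack-ceilometer-api-7.1.1~dev4-4.15.3
openstack-heat-gbp-5.1.1~dev1-2.6.3
python-PyKMIP-0.5.0-3.3.3
python-pysaml2-4.0.2-3.6.3
""".split()

# Constructed sample of `rpm -qa --qf ...` output on a partly patched node
# (not real output): some packages fixed, some old, one not in the bulletin.
SAMPLE_INSTALLED = [
    "crowbar-core-4.0+git.1550493400.9787ea9ad-9.40.1",  # older version
    "crowbar-ha-4.0+git.1556181005.47c643d-4.46.3",      # already fixed
    "python-PyKMIP-0.5.0-3.3.3",                          # already fixed
    "python-pysaml2-4.0.2-3.3.1",                         # older release
    "openstack-ceilometer-7.1.1~dev4-4.15.3",             # already fixed
    "openstack-ceilometer-api-7.1.1~dev3-4.15.3",         # older pre-release
    "vim-8.0.1568-5.3.1",                                 # not in bulletin
]

_SEP = re.compile(r"[^0-9A-Za-z~]*")   # characters rpm treats as separators
_NUM = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """RPM-style version comparison (same rules as librpm's rpmvercmp).
    Returns -1, 0 or 1. Digit runs compare numerically, letter runs
    lexically, a digit run beats a letter run, and '~' sorts before
    anything else, even the end of the string (7.1.1~dev4 < 7.1.1)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        i, j = _SEP.match(a, i).end(), _SEP.match(b, j).end()
        ta, tb = a.startswith("~", i), b.startswith("~", j)
        if ta or tb:
            if ta != tb:
                return -1 if ta else 1   # the side with '~' is older
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        seg = _NUM if isnum else _ALPHA
        ma, mb = seg.match(a, i), seg.match(b, j)
        if mb is None:                   # mixed types: numeric is newer
            return 1 if isnum else -1
        sa, sb = ma.group(), mb.group()
        i, j = ma.end(), mb.end()
        if isnum:                        # drop leading zeros, longer wins
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1       # leftover characters mean newer


def parse_nvr(nvr: str):
    """Split 'name-version-release'; the name itself may contain '-'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_older(installed, fixed) -> bool:
    """True when (version, release) of installed sorts before fixed."""
    c = rpmvercmp(installed[0], fixed[0])
    if c == 0:
        c = rpmvercmp(installed[1], fixed[1])
    return c < 0


def find_outdated(installed_nvrs, fixed_nvrs):
    """Return [(name, installed_vr, fixed_vr)] for installed packages the
    bulletin covers that are still below the fixed version."""
    fixed = {n: (v, r) for n, v, r in map(parse_nvr, fixed_nvrs)}
    report = []
    for line in installed_nvrs:
        line = line.strip()
        if not line:
            continue
        name, ver, rel = parse_nvr(line)
        if name in fixed and is_older((ver, rel), fixed[name]):
            report.append((name, f"{ver}-{rel}", "-".join(fixed[name])))
    return report


if __name__ == "__main__":
    for name, have, want in find_outdated(SAMPLE_INSTALLED, FIXED_CLOUD7):
        print(f"{name}: installed {have}, fixed in {want}")
```

Packages that are not installed at all are deliberately left out of the report: the bulletin only matters for packages present on the node, and absent ones carry neither the vulnerable nor the fixed code.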
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXP2Z6GaOgq3Tt24GAQj0oxAAvKnPso1IlE6w8nI/W9HIxfRQPFniVn6e
y0YqUv20GDf+h1YNiuoH24PN4paHZ/p503TxZoO5YZZa1aLksTzbxyiUQffMFYPf
kvV7gR6c+/2zJvQw7+c1Nw/auMm1BRw3/lAZL8PUn2NgCP73z1zc62o7vfIK2kns
91oesGpc48EzbTsGS4UR1lY/BXYtm06rMxShmYDO6im3GOzXrItZ4MfjPt+hQNzg
KnkUeOwjfpMdnFr3Nej9jO1VvNj89To8+ZJjOlz2D+m9YQ5LFstVOa8F7E4NHryj
nrkAtve+ESfbx2nexq1F6evfzez/PDbMp5ZsDp6Bn+grYaqWaN2wDuHgXVEjpra/
1JLKAaE+WCLeFQjUIk9FVIgI4Dr6J/q6+zFa0RmrrB9+G42/wwyzihLpt5F39SIz
OSxpjvNr/fKC75gI6xL1wvViKFi4BvYcNoM13Ic8n80CfSJHPoxSeqQ4x8uq/0gc
fIlvh14hLHToP2IwZnJXPSoGiH/jdhZykYfxJMxHa5/38yMpmWWqE5KEpYv/qyy1
yPC+w9HEDa9tjmliODVtTR6mIWr7v6fIKcdL6zSEarO2CakZw7Lo3q07Z7rsmfeR
qha9cgxZtYX/TGitTMsaTyHWyD/9doouikMCCodhPJmFkxTIdZ6Pz5onXgefbNr1
gGT0eFlvY5Q=
=BRGE
-----END PGP SIGNATURE-----