Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4473
SUSE-SU-2019:3068-1 Security update for suse-openstack-cloud dependencies
27 November 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: suse-openstack-cloud
Publisher: SUSE
Operating System: SUSE
Impact/Access: Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-18874 CVE-2019-17134
Reference: ESB-2019.4367
ESB-2019.4167
ESB-2019.3801
Original Bulletin:
https://www.suse.com/support/update/announcement/2019/suse-su-20193068-1.html
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for ardana-db, ardana-keystone,
ardana-neutron, ardana-nova, crowbar-core, crowbar-openstack, crowbar-ui,
openstack-barbican, openstack-heat-templates, openstack-keystone,
openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas,
openstack-nova, openstack-octavia, openstack-sahara, python-psutil,
release-not
______________________________________________________________________________
Announcement ID: SUSE-SU-2019:3068-1
Rating: moderate
References: #1153304 #1155942 #1156525
Cross-References: CVE-2019-17134 CVE-2019-18874
Affected Products:
SUSE OpenStack Cloud Crowbar 9
SUSE OpenStack Cloud 9
______________________________________________________________________________
es-suse-openstack-cloud
An update that solves two vulnerabilities and has one errata is now available.
Description:
This update for ardana-db, ardana-keystone, ardana-neutron, ardana-nova,
crowbar-core, crowbar-openstack, crowbar-ui, openstack-barbican,
openstack-heat-templates, openstack-keystone, openstack-neutron,
openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova,
openstack-octavia, openstack-sahara, python-psutil,
release-notes-suse-openstack-cloud fixes the following issues:
Security fix for openstack-octavia:
o CVE-2019-17134: Fixed an issue where Octavia Amphora-Agent not requiring
Client-Certificate (bsc#1153304).
Security fix for python-psutil:
o CVE-2019-18874: Fixed a double-free vulnerability occured during converting
system data into a Python object (bsc#1155089).
o Update to version 9.0+git.1572311426.a6dc2fd: * Align Crowbar and Ardana
MariaDB configs (SOC-10094)
o Update to version 9.0+git.1573069087.15ffd1c: * enable debug and
insecure_debug on demand (SOC-10934)
o Update to version 9.0+git.1572019823.6650494: * Correctly setup
ardana_notify_... fact (SOC-10902)
o Update to version 9.0+git.1572618171.4460843: * Update gerrit FQDN in
.gitreview (SOC-9140)
o Update to version 6.0+git.1573825081.b1caf60f1: * Update the testsuite for
new upgrade method (SOC-10761) * upgrade: cold start nova before live
migration (SOC-10761)
o Update to version 6.0+git.1573131992.3c660b413: * [upgrade] Call
finalize_nodes_upgrade at the very end (bsc#1155942)
o Update to version 6.0+git.1573051151.3495e0e94: * Allow enabling
bpdu-forwarding on OVS bridges (SOC-9172)
o Update to version 6.0+git.1573754820.dd036ef77: * neutron: use octavia-api
admin VIP URI for lbaasv2 (SOC-10906) * octavia: handle certificate
ownership in barclamp (SOC-10906) * octavia: add SSL support to octavia-api
(SOC-10906)
o Update to version 6.0+git.1573174019.9965ae9b8: * designate: change default
configuration (SOC-10899)
o Update to version 6.0+git.1572855359.8efafea01: * Make sure the input file
with ssh key exists (SOC-10133)
o Update to version 6.0+git.1572636244.e12406629: * Change order of Octavia
to 102 (SOC-10289)
o Update to version 6.0+git.1572470261.49c0affe1: * designate: move keystone
resource lookup to convergence (SOC-10887)
o Update to version 1.3.0+git.1572871359.50fc6087: * Add title for XEN
compute nodes precheck (SOC-10495)
o Update to version barbican-7.0.1.dev21: * Fix duplicate paths in secret
hrefs * Fix the bug of pep8 and building api-guide * OpenDev Migration
Patch
o Update to version barbican-7.0.1.dev21: * Fix duplicate paths in secret
hrefs * Fix the bug of pep8 and building api-guide * OpenDev Migration
Patch
o remove 0001-Fix-duplicate-paths-in-secret-hrefs.patch as it had landed
upstream
o Replace openstack.org git:// URLs with https://
o Update to version keystone-14.1.1.dev28: * Allows to use application
credentials through group membership
o Update to version keystone-14.1.1.dev28: * Allows to use application
credentials through group membership
o Update to version neutron-13.0.6.dev8: * Retry creating iptables managers
and adding metering rules
o Update to version neutron-13.0.6.dev6: * Increase timeout when waiting for
dnsmasq enablement
o Update to version neutron-13.0.6.dev4: * Log OVS firewall conjunction
creation
o Update to version neutron-13.0.6.dev8: * Retry creating iptables managers
and adding metering rules
o Update to version neutron-13.0.6.dev6: * Increase timeout when waiting for
dnsmasq enablement
o Update to version neutron-13.0.6.dev4: * Log OVS firewall conjunction
creation
o Update to version group-based-policy-5.0.1.dev476: * Provide a control knob
to use the internal EP interface * Send port notifications when host\_route
is getting updated
o Update to version group-based-policy-5.0.1.dev473: * Fix pep8 failures seen
on submitted patches
o Update to version neutron-lbaas-13.0.1.dev16: * "lbaas delete l7 rule"
Parameter Passing Error
o Update to version neutron-lbaas-13.0.1.dev16: * "lbaas delete l7 rule"
Parameter Passing Error
o Update to version nova-18.2.4.dev22: * Revert "openstack server create" to
"nova boot" in nova docs * doc: fix and clarify --block-device usage in
user docs
o Update to version nova-18.2.4.dev20: * Avoid error 500 on shelve task\
_state race
o Update to version nova-18.2.4.dev19: * libvirt: Ignore volume exceptions
during post\_live\_migration
o Update to version nova-18.2.4.dev22: * Revert "openstack server create" to
"nova boot" in nova docs * doc: fix and clarify --block-device usage in
user docs
o Update to version nova-18.2.4.dev20: * Avoid error 500 on shelve task\
_state race
o Update to version nova-18.2.4.dev19: * libvirt: Ignore volume exceptions
during post\_live\_migration
o Update to version octavia-3.2.1.dev3: * Improve the error message for bad
pkcs12 bundles
o Update to version octavia-3.2.1.dev2: * ipvsadm '--exact' arg to ensure
outputs are ints
o Update to version sahara-9.0.2.dev14: * Fixing image creation * Check
MariaDB installation
o Update to version sahara-9.0.2.dev14: * Fixing image creation * Check
MariaDB installation
o Update to version 9.20191025: * support OpenID Connect (SOC-10510)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE OpenStack Cloud Crowbar 9:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2019-3068=1
o SUSE OpenStack Cloud 9:
zypper in -t patch SUSE-OpenStack-Cloud-9-2019-3068=1
Package List:
o SUSE OpenStack Cloud Crowbar 9 (x86_64):
crowbar-core-6.0+git.1573825081.b1caf60f1-3.16.1
crowbar-core-branding-upstream-6.0+git.1573825081.b1caf60f1-3.16.1
python-psutil-5.4.6-3.3.1
python-psutil-debuginfo-5.4.6-3.3.1
python-psutil-debugsource-5.4.6-3.3.1
o SUSE OpenStack Cloud Crowbar 9 (noarch):
crowbar-openstack-6.0+git.1573754820.dd036ef77-3.16.1
crowbar-ui-1.3.0+git.1572871359.50fc6087-14.1
openstack-barbican-7.0.1~dev21-3.3.1
openstack-barbican-api-7.0.1~dev21-3.3.1
openstack-barbican-keystone-listener-7.0.1~dev21-3.3.1
openstack-barbican-retry-7.0.1~dev21-3.3.1
openstack-barbican-worker-7.0.1~dev21-3.3.1
openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1
openstack-keystone-14.1.1~dev28-3.16.1
openstack-neutron-13.0.6~dev8-3.16.2
openstack-neutron-dhcp-agent-13.0.6~dev8-3.16.2
openstack-neutron-gbp-5.0.1~dev476-3.13.1
openstack-neutron-ha-tool-13.0.6~dev8-3.16.2
openstack-neutron-l3-agent-13.0.6~dev8-3.16.2
openstack-neutron-lbaas-13.0.1~dev16-3.13.1
openstack-neutron-lbaas-agent-13.0.1~dev16-3.13.1
openstack-neutron-linuxbridge-agent-13.0.6~dev8-3.16.2
openstack-neutron-macvtap-agent-13.0.6~dev8-3.16.2
openstack-neutron-metadata-agent-13.0.6~dev8-3.16.2
openstack-neutron-metering-agent-13.0.6~dev8-3.16.2
openstack-neutron-openvswitch-agent-13.0.6~dev8-3.16.2
openstack-neutron-server-13.0.6~dev8-3.16.2
openstack-nova-18.2.4~dev22-3.16.2
openstack-nova-api-18.2.4~dev22-3.16.2
openstack-nova-cells-18.2.4~dev22-3.16.2
openstack-nova-compute-18.2.4~dev22-3.16.2
openstack-nova-conductor-18.2.4~dev22-3.16.2
openstack-nova-console-18.2.4~dev22-3.16.2
openstack-nova-novncproxy-18.2.4~dev22-3.16.2
openstack-nova-placement-api-18.2.4~dev22-3.16.2
openstack-nova-scheduler-18.2.4~dev22-3.16.2
openstack-nova-serialproxy-18.2.4~dev22-3.16.2
openstack-nova-vncproxy-18.2.4~dev22-3.16.2
openstack-octavia-3.2.1~dev3-3.16.1
openstack-octavia-amphora-agent-3.2.1~dev3-3.16.1
openstack-octavia-api-3.2.1~dev3-3.16.1
openstack-octavia-health-manager-3.2.1~dev3-3.16.1
openstack-octavia-housekeeping-3.2.1~dev3-3.16.1
openstack-octavia-worker-3.2.1~dev3-3.16.1
openstack-sahara-9.0.2~dev14-3.6.1
openstack-sahara-api-9.0.2~dev14-3.6.1
openstack-sahara-engine-9.0.2~dev14-3.6.1
python-barbican-7.0.1~dev21-3.3.1
python-keystone-14.1.1~dev28-3.16.1
python-neutron-13.0.6~dev8-3.16.2
python-neutron-gbp-5.0.1~dev476-3.13.1
python-neutron-lbaas-13.0.1~dev16-3.13.1
python-nova-18.2.4~dev22-3.16.2
python-octavia-3.2.1~dev3-3.16.1
python-sahara-9.0.2~dev14-3.6.1
release-notes-suse-openstack-cloud-9.20191025-3.15.1
o SUSE OpenStack Cloud 9 (x86_64):
python-psutil-5.4.6-3.3.1
python-psutil-debuginfo-5.4.6-3.3.1
python-psutil-debugsource-5.4.6-3.3.1
o SUSE OpenStack Cloud 9 (noarch):
ardana-db-9.0+git.1572311426.a6dc2fd-3.13.1
ardana-keystone-9.0+git.1573069087.15ffd1c-3.13.1
ardana-neutron-9.0+git.1572019823.6650494-3.16.1
ardana-nova-9.0+git.1572618171.4460843-3.13.1
openstack-barbican-7.0.1~dev21-3.3.1
openstack-barbican-api-7.0.1~dev21-3.3.1
openstack-barbican-keystone-listener-7.0.1~dev21-3.3.1
openstack-barbican-retry-7.0.1~dev21-3.3.1
openstack-barbican-worker-7.0.1~dev21-3.3.1
openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1
openstack-keystone-14.1.1~dev28-3.16.1
openstack-neutron-13.0.6~dev8-3.16.2
openstack-neutron-dhcp-agent-13.0.6~dev8-3.16.2
openstack-neutron-gbp-5.0.1~dev476-3.13.1
openstack-neutron-ha-tool-13.0.6~dev8-3.16.2
openstack-neutron-l3-agent-13.0.6~dev8-3.16.2
openstack-neutron-lbaas-13.0.1~dev16-3.13.1
openstack-neutron-lbaas-agent-13.0.1~dev16-3.13.1
openstack-neutron-linuxbridge-agent-13.0.6~dev8-3.16.2
openstack-neutron-macvtap-agent-13.0.6~dev8-3.16.2
openstack-neutron-metadata-agent-13.0.6~dev8-3.16.2
openstack-neutron-metering-agent-13.0.6~dev8-3.16.2
openstack-neutron-openvswitch-agent-13.0.6~dev8-3.16.2
openstack-neutron-server-13.0.6~dev8-3.16.2
openstack-nova-18.2.4~dev22-3.16.2
openstack-nova-api-18.2.4~dev22-3.16.2
openstack-nova-cells-18.2.4~dev22-3.16.2
openstack-nova-compute-18.2.4~dev22-3.16.2
openstack-nova-conductor-18.2.4~dev22-3.16.2
openstack-nova-console-18.2.4~dev22-3.16.2
openstack-nova-novncproxy-18.2.4~dev22-3.16.2
openstack-nova-placement-api-18.2.4~dev22-3.16.2
openstack-nova-scheduler-18.2.4~dev22-3.16.2
openstack-nova-serialproxy-18.2.4~dev22-3.16.2
openstack-nova-vncproxy-18.2.4~dev22-3.16.2
openstack-octavia-3.2.1~dev3-3.16.1
openstack-octavia-amphora-agent-3.2.1~dev3-3.16.1
openstack-octavia-api-3.2.1~dev3-3.16.1
openstack-octavia-health-manager-3.2.1~dev3-3.16.1
openstack-octavia-housekeeping-3.2.1~dev3-3.16.1
openstack-octavia-worker-3.2.1~dev3-3.16.1
openstack-sahara-9.0.2~dev14-3.6.1
openstack-sahara-api-9.0.2~dev14-3.6.1
openstack-sahara-engine-9.0.2~dev14-3.6.1
python-barbican-7.0.1~dev21-3.3.1
python-keystone-14.1.1~dev28-3.16.1
python-neutron-13.0.6~dev8-3.16.2
python-neutron-gbp-5.0.1~dev476-3.13.1
python-neutron-lbaas-13.0.1~dev16-3.13.1
python-nova-18.2.4~dev22-3.16.2
python-octavia-3.2.1~dev3-3.16.1
python-sahara-9.0.2~dev14-3.6.1
release-notes-suse-openstack-cloud-9.20191025-3.15.1
venv-openstack-barbican-x86_64-7.0.1~dev21-3.13.1
venv-openstack-cinder-x86_64-13.0.8~dev8-3.13.1
venv-openstack-designate-x86_64-7.0.1~dev22-3.13.1
venv-openstack-heat-x86_64-11.0.3~dev23-3.13.1
venv-openstack-keystone-x86_64-14.1.1~dev28-3.13.1
venv-openstack-magnum-x86_64-7.1.1~dev28-4.13.1
venv-openstack-manila-x86_64-7.3.1~dev15-3.13.1
venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.13.1
venv-openstack-neutron-x86_64-13.0.6~dev8-6.13.1
venv-openstack-nova-x86_64-18.2.4~dev22-3.13.1
venv-openstack-octavia-x86_64-3.2.1~dev3-4.13.1
venv-openstack-sahara-x86_64-9.0.2~dev14-3.13.1
References:
o https://www.suse.com/security/cve/CVE-2019-17134.html
o https://www.suse.com/security/cve/CVE-2019-18874.html
o https://bugzilla.suse.com/1153304
o https://bugzilla.suse.com/1155942
o https://bugzilla.suse.com/1156525
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXd3QMmaOgq3Tt24GAQia6RAA04yE3ZDNUoVt3MjA4hrxkgVlQWRgKk6k
7tJrxe3i5H/BShAbeVZ8F/Avqg6l6fNG3E6CsjF16AS7eVVRnURq38/y4sdgPAUi
1Uvj4uM4WnZVzpMs7KmawO7KyhQf4tZqOAI4XNklPltP/Z7TIoP3m7Uvo/g8498M
UdcHSFN0qUBgytX7RmvPHyMzfyc+jizZqB1RBD3HG1LUuUVHjCVd2Rnhgn4M3Sl1
DSnwIZXUke3xQxK9Y8Kffz5kGQCPxGGAUdyzdHeLAm+intN9o9rGYWbQlPGcHXPv
vegwcVATXQUkL4iRpvLLAqNZGYdoaJrTptoRwfXMBXecYLNJHWGENRFxTXEnvpme
Td4OSQFERNQRoQhjdgxX6Vc/zWovOvbGI5ehZMX84YJcEPXL9Vrr++lLYAUF1U0o
X7kUzJDBf697ipbItnY7Cx3OPk+j746FLx4HLVSPqPSBpib3B5ZnNXLNQ6K4yAMB
wFCmbhHNU5ZDOwuGg1Y+jJQ/LI7e+Tsscvym5yktjULa8+nWhhwUKEToE8rzx0cJ
sB3M7AHz1DdYkHqTxp7RiHgONFk9cmxVyl1TR9iw2gPV3itcqVjeF80mTKuuGM94
Yp53XCN6+24ZYKfk9jOV3hjR6e3LZj9YO0MNWw+nsofKrlxTpo2GLj8B1ro7AKta
lXnEbPlAqHs=
=NFds
-----END PGP SIGNATURE-----